US security agency, the National Security Agency (NSA), has released new software supply chain guidance to help developers avoid cyberattacks targeting proprietary and open-source software.
The new guidance is meant to help US private and public sector organizations defend themselves against supply chain attacks, including the one Russian Foreign Intelligence Service (SVR) hackers deployed against SolarWinds and its customers.
More on tech security: The next challenges
“Recent cyberattacks such as those executed against SolarWinds and its customers, and exploits that take advantage of vulnerabilities such as Log4j, highlight weaknesses within software supply chains, an issue which spans both commercial and open source software and impacts both private and government enterprises,” the NSA says in its guidance.
The spy agency says there needs to be greater awareness that the software supply chain has the potential to be weaponized by nation-state adversaries using similar tactics, techniques, and procedures.
The Enduring Security Framework (ESF) – a public-private cross-industry working group led by the NSA and the Cybersecurity and Infrastructure Security Agency (CISA) – developed the guidance after examining the events that led up to the SolarWinds attack. ESF was established to cater to developers, vendors and customers in response to president Joe Biden’s cybersecurity executive order aimed at federal agencies.
The incident demonstrated an awareness by state-backed hackers that the software supply chain was as valuable as publicly known and previously undisclosed software vulnerabilities.
“As ESF examined the events that led up the SolarWinds attack, it was clear that investment was needed in creating a set of best practices that focused on the needs of the software developer,” the NSA said in a joint press release with CISA and the Office of the Director of National Intelligence.
While this guidance acknowledges the key role developers play in the software supply chain, the agencies will release versions of the best-practice guidance aimed directly at software vendors and software customers.
The agencies note vendor responsibilities include ensuing the integrity and security of software via contractual agreements, software updates, notifications and mitigations of vulnerabilities.
The guidance covers secure development practices, insider threats, open source, verification of third-party components, hardening build environments, and code delivery.
The attack on SolarWinds was the highest profile recent supply chain attack, but others have occurred before and after, including the NotPetya destructive malware in 2017 that launched via a Ukraine-specific accounting package, and the ransomware attack on IT firm Kaseya in 2021, affecting its managed service-provider customers and their clients.
The UK’s National Cyber Security Centre (NCSC) expects supply chain attacks to continue to be an attractive attack vector in coming years due to the breadth of the supply chain, widespread use of third-party software components, and human factors, which range from malicious behavior to foreign spies compromising developers to infiltrate a software build system.
The NSA’s and CISA’s section on “compromised engineers” – insider threats – illustrates the complexity of securing the supply chain.
“The compromised engineer is a difficult threat to detect and assess. A compromised employee may be under pressure from outside influences or may have a grudge to avenge. Poor performance reviews, lack of promotion, or disciplinary actions are only a few of the events that might cause a developer to take action against an organization and sabotage its development effort. Additionally, nation states or competitors can leverage an insider’s struggles with controlled substances, failing relationships, or debt, among other things.”
Beyond compromised engineers, the guidance also highlights intentionally placed backdoors that make it easier for engineers to troubleshoot problems, poorly trained engineers, as well accounts that remain open after a developer contract has been terminated, and compromised remote development systems.
The guidance recommends developers perform static and dynamic code analysis, conduct nightly builds with security and regression tests, map features to requirements, prioritize code reviews, and review critical code.