CISA, NSA and npm Release Software Supply Chain Guidance

The US government has issued new guidance for developers designed to improve the security of the software supply chain, and in so doing make the nation’s critical infrastructure more resilient.

The document, Securing the Software Supply Chain for Developers, was published by the National Security Agency (NSA), Cybersecurity and Infrastructure Security Agency (CISA), and the Office of the Director of National Intelligence (ODNI) under the Enduring Security Framework (ESF) initiative.

“As the cyber-threat continues to become more sophisticated, adversaries have begun to attack the software supply chain, rather than rely on publicly known vulnerabilities. This supply chain compromise allows malicious actors to move throughout networks seemingly undetected. In order to counter this threat, the cybersecurity community needs to focus on securing the software development lifecycle,” they said.

“Developers will find helpful guidance from NSA and partners on developing secure code, verifying third-party components, hardening the build environment, and delivering the code. Until all DevOps are DevSecOps, the software development lifecycle will be at risk.”

The document was spurred by the government’s experience of the SolarWinds campaign, in which Russian state actors managed to compromise at least nine US government agencies in a highly sophisticated software supply chain attack.

Leveraging industry and government recommendations, the document consolidates useful resources in a single location to help optimize security in software development.

Although the SolarWinds attack was made possible by the compromise of a private software vendor, open source repositories are an increasingly targeted weak link in the supply chain.

One vendor observed a 650% year-on-year increase in threat actors deliberately injecting new vulnerabilities into these third-party libraries so that they could be exploited downstream by anyone who pulls the packages in.

To that end, the Open Source Security Foundation (OpenSSF) yesterday published a new npm Best Practices guide for the popular open source ecosystem that now includes over two million packages.

“npm is the largest package ecosystem in existence; in fact, the npm ecosystem is considered larger than most other significant programming language ecosystems combined,” the OpenSSF wrote.

“The guide provides an overview of supply chain security features available in npm, describes the risks associated with using dependencies, and lays out best practices to reduce those risks at different project stages.”
