CISA, NIST Issue Guidance to Defend Against Supply Chain Attacks

by Chris Brook on Wednesday April 28, 2021

The new guidance highlights software supply chain risks and tips on how to identify, assess, and mitigate risks.

News around last year's groundbreaking SolarWinds attack altered the industry. Now, on the heels of that incident, two government agencies are issuing guidance to software vendors and customers on how they can be better equipped to defend against future attacks.

This week the Cybersecurity and Infrastructure Security Agency (CISA) and the National Institute of Standards and Technology (NIST) released Defending Against Software Supply Chain Attacks (.PDF).

For the uninitiated, a supply chain attack is an attack usually carried out by targeting lesser-known or less secure elements in the software supply chain. Third-party providers, vendors, or partners with weaker security are a common target.

As CISA and NIST point out, recent attacks have been carried out in one of three ways: by hijacking a vendor's updates, usually after compromising the vendor's network; by abusing the code-signing system to falsify trust and make malicious code appear validated; or by compromising open source code that makes its way into third-party software.
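The first two techniques above both target the update channel, and the defender's counterpart is to verify what that channel delivers before installing it. The following Python is an added example, not code from the CISA/NIST document or from Digital Guardian: it checks each update artifact against a digest pinned in a release manifest, and only trusts the manifest after its signature verifies, so a hijacked update that rewrites both the artifact and the manifest still fails. HMAC-SHA256 with a shared key stands in for the vendor's code-signing signature (an assumption made to keep the example offline; a real pipeline uses an asymmetric signature with a pinned public key), and the artifact bytes, names, and key are constructed for the example.

```python
from __future__ import annotations

import hashlib
import hmac
import json

# Constructed sample data: a stand-in for the vendor's signing key and for the
# bytes of two release artifacts. None of this is real vendor material.
SIGNING_KEY = b"constructed-demo-key-not-a-real-vendor-key"
GENUINE_ARTIFACTS = {
    "agent-2.1.0.tar.gz": b"genuine agent build bytes (constructed)",
    "agent-2.1.0-docs.zip": b"genuine documentation bundle (constructed)",
}


def sha256_hex(data: bytes) -> str:
    """SHA-256 digest of an artifact, lowercase hex."""
    return hashlib.sha256(data).hexdigest()


def build_manifest(artifacts: dict[str, bytes]) -> dict[str, str]:
    """Vendor side: map each released artifact name to its pinned digest."""
    return {name: sha256_hex(data) for name, data in sorted(artifacts.items())}


def sign_manifest(manifest: dict[str, str], key: bytes) -> str:
    """Authenticate the manifest over a canonical JSON encoding.

    HMAC-SHA256 stands in for the vendor's code-signing signature (assumption);
    the point is that the manifest itself must be authenticated, not just read.
    """
    canonical = json.dumps(manifest, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(key, canonical, hashlib.sha256).hexdigest()


def verify_manifest(manifest: dict[str, str], signature: str, key: bytes) -> bool:
    """Customer side: reject the manifest unless its signature verifies."""
    return hmac.compare_digest(sign_manifest(manifest, key), signature)


def verify_artifact(name: str, data: bytes, manifest: dict[str, str],
                    signature: str, key: bytes) -> tuple[bool, str]:
    """Customer side: accept an artifact only if the manifest is authentic,
    lists the artifact, and the pinned digest matches the delivered bytes."""
    if not verify_manifest(manifest, signature, key):
        return False, "manifest signature invalid; refusing all artifacts"
    pinned = manifest.get(name)
    if pinned is None:
        return False, f"{name} is not listed in the signed manifest"
    if not hmac.compare_digest(pinned, sha256_hex(data)):
        return False, f"{name} digest mismatch; possible hijacked update"
    return True, f"{name} verified"


def demo() -> dict[str, bool]:
    """Run the check over a genuine artifact and three failure cases."""
    manifest = build_manifest(GENUINE_ARTIFACTS)
    signature = sign_manifest(manifest, SIGNING_KEY)
    genuine = GENUINE_ARTIFACTS["agent-2.1.0.tar.gz"]
    tampered = genuine + b"\x00unexpected trailing bytes"  # constructed tampering

    results = {}
    results["genuine"] = verify_artifact(
        "agent-2.1.0.tar.gz", genuine, manifest, signature, SIGNING_KEY)[0]
    results["tampered"] = verify_artifact(
        "agent-2.1.0.tar.gz", tampered, manifest, signature, SIGNING_KEY)[0]
    results["unlisted"] = verify_artifact(
        "hotfix-2.1.1.tar.gz", b"not a released artifact", manifest, signature, SIGNING_KEY)[0]
    # A hijacked channel can rewrite the manifest to match the tampered bytes,
    # but without the signing key the old signature no longer verifies.
    forged = dict(manifest)
    forged["agent-2.1.0.tar.gz"] = sha256_hex(tampered)
    results["forged_manifest"] = verify_artifact(
        "agent-2.1.0.tar.gz", tampered, forged, signature, SIGNING_KEY)[0]
    return results


if __name__ == "__main__":
    for case, ok in demo().items():
        print(f"{case:16s} {'ACCEPT' if ok else 'REJECT'}")
```

The digest comparison and signature check both use `hmac.compare_digest` so that comparison time does not depend on where the first differing byte sits. The manifest check comes first on purpose: if the manifest is not authentic, every digest in it is worthless, so no artifact should be accepted on that path.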

The document, released Monday, gives an overview on software supply chain risks, examples of common attack techniques, and recommendations for developing and overseeing a risk management program.

The document encourages readers to think of any product they're considering purchasing and implementing through the lens of one of these programs, like NIST's Cyber Supply Chain Risk Management (C-SCRM) or Secure Software Development Framework (SSDF).

NIST's C-SCRM can help organizations identify, assess, and mitigate risks in a distributed supply chain ecosystem. It is not a new concept; it dates back to 2016. But NIST's C-SCRM was last updated this month, so its directives are timely.

The SSDF is newer; it was originally published in April 2020. That framework draws on secure software development practice guidance from BSA, OWASP, and SAFECode. Its aim is to help reduce the number of vulnerabilities in software and mitigate the impact of those that are exploited.

Of course, the guidance is just that, guidance; as we saw in SolarWinds, malicious, barely detectable vulnerabilities can still find their way into an environment, even after you’ve done your due diligence.

That's why in their document CISA and NIST are also encouraging organizations to have a vulnerability management program in place. By having a way to scan for, identify, triage, and mitigate vulnerabilities, businesses can remedy issues that arise in software. Ensuring software follows a software development life cycle (SDLC) that incorporates SSDF roles and security requirements can help organizations increase the resilience of their software, too.

Organizations should also follow steps to mitigate vulnerabilities post-deployment by doing the following:

  • Archiving and protecting each release of software so that the vendor can analyze, identify, and develop mechanisms to eliminate vulnerabilities discovered post-release.
  • Maintaining processes, and even a formal program, to identify and confirm suspected vulnerabilities in software, whether identified by the vendor, its customers, or third-party researchers.
  • Establishing an assessment, prioritization, and remediation approach that enables vulnerabilities to be remediated quickly.

There are, of course, a handful of additional variables to consider around software procurement and deployment. This new guide is by no means exhaustive, but it should give organizations a good baseline of best practices to follow if they are not already doing so.

Tags:  Cyber Resilience
