
Digital Guardian's Blog

CISA, NIST Issue Guidance to Defend Against Supply Chain Attacks

by Chris Brook on Wednesday April 28, 2021


The new guidance highlights software supply chain risks and tips on how to identify, assess, and mitigate risks.

News of last year's groundbreaking SolarWinds attack shook the industry. Now, on the heels of that incident, two government agencies are issuing guidance to software vendors and customers on how they can be better equipped to defend against future attacks.

This week the Cybersecurity and Infrastructure Security Agency (CISA) and the National Institute of Standards and Technology (NIST) released Defending Against Software Supply Chain Attacks (.PDF).

For the uninitiated, a supply chain attack is usually carried out by targeting lesser known or less secure elements in the software supply chain. Third-party providers, vendors, or partners with weaker security are a common target.

As CISA and NIST point out, recent attacks have been carried out in three main ways: by hijacking a vendor's updates, usually after compromising its network; by abusing the code-signing system to forge trust and get malicious code accepted as valid; and by compromising open source code that makes its way into third-party products.

The document, released Monday, gives an overview on software supply chain risks, examples of common attack techniques, and recommendations for developing and overseeing a risk management program.

The document encourages readers to think of any product they're considering purchasing and implementing through the lens of one of these programs, like NIST's Cyber Supply Chain Risk Management (C-SCRM) or Secure Software Development Framework (SSDF).

NIST's C-SCRM can help organizations identify, assess, and mitigate risks in a distributed supply chain ecosystem. It's not a new concept; it actually dates back to 2016. But NIST's C-SCRM was last updated this month, so its directives are timely.

The SSDF is newer; it was originally published in April 2020. That framework draws on secure software development practice guidance from BSA, OWASP, and SAFECode. Its aim is to help reduce the number of vulnerabilities in software and mitigate the impact of those that are exploited.

Of course, the guidance is just that, guidance; as we saw in SolarWinds, malicious, barely detectable vulnerabilities can still find their way into an environment, even after you’ve done your due diligence.

That's why, in their document, CISA and NIST also encourage organizations to have a vulnerability management program in place. By having a way to scan for, identify, triage, and mitigate vulnerabilities, businesses can remedy issues that arise in software. Ensuring that software follows a software development life cycle (SDLC) that incorporates SSDF roles and security requirements can increase the resilience of that software too.

Organizations should also follow steps to mitigate vulnerabilities post-deployment by doing the following:

  • Archiving and protecting each release of software so that the vendor can analyze, identify, and develop mechanisms to eliminate vulnerabilities discovered post-release.
  • Maintaining processes, and even a formal program, to identify and confirm suspected vulnerabilities in software, whether identified by the vendor, its customers, or third-party researchers.
  • Establishing an assessment, prioritization, and remediation approach that enables vulnerabilities to be remediated quickly.
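
The first of those steps, archiving and protecting each release, is something a vendor can start doing with very little machinery. The example below is an added illustration written for this post, not code from CISA, NIST, or Digital Guardian. It records a SHA-256 digest of every file in a release into a manifest, protects the manifest with an HMAC so the archive record itself cannot be silently edited, and then checks a later copy of the release against that record, reporting modified, missing, and unexpected files (the kinds of change an update-hijacking incident leaves behind). The `ARCHIVE_MAC_KEY` value, the `snapshot_dir` helper, and the sample release contents are all constructed placeholders for the demonstration.

```python
import hashlib
import hmac
import json
from pathlib import Path

# Constructed placeholder key for the demo only. A real release archive would keep
# this secret in an HSM or KMS, or use a signature scheme instead of an HMAC.
ARCHIVE_MAC_KEY = b"placeholder-archive-key-change-me"


def _canonical(body):
    """Serialize the manifest body deterministically so the MAC is reproducible."""
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()


def build_manifest(release_id, files):
    """Record a SHA-256 digest per file and seal the record with an HMAC.

    files: mapping of relative path -> bytes, exactly as the release shipped.
    """
    entries = {path: hashlib.sha256(data).hexdigest() for path, data in sorted(files.items())}
    body = {"release": release_id, "files": entries}
    tag = hmac.new(ARCHIVE_MAC_KEY, _canonical(body), hashlib.sha256).hexdigest()
    return {"body": body, "mac": tag}


def manifest_is_authentic(manifest):
    """True only if the manifest body still matches its HMAC (constant-time compare)."""
    expected = hmac.new(ARCHIVE_MAC_KEY, _canonical(manifest["body"]), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, manifest["mac"])


def verify_release(manifest, files):
    """Compare a release copy against the archived manifest.

    Returns a sorted list of (finding, path) tuples; an empty list means the copy
    matches the archived release byte for byte.
    """
    if not manifest_is_authentic(manifest):
        # Do not trust any per-file digest from a manifest that was altered.
        return [("manifest-tampered", "*")]
    expected = manifest["body"]["files"]
    findings = []
    for path, digest in expected.items():
        if path not in files:
            findings.append(("missing", path))
        elif hashlib.sha256(files[path]).hexdigest() != digest:
            findings.append(("modified", path))
    for path in files:
        if path not in expected:
            findings.append(("unexpected", path))
    return sorted(findings)


def snapshot_dir(root):
    """Helper (assumed, not from the guidance): read an on-disk release into the mapping form."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): p.read_bytes() for p in root.rglob("*") if p.is_file()}


# Constructed sample release: three small files standing in for a shipped build.
GOOD_RELEASE = {
    "bin/agent": b"\x7fELF...constructed binary contents for agent 1.2.0",
    "lib/updater.py": b"UPDATE_URL = 'https://updates.example.invalid'\n",
    "VERSION": b"1.2.0\n",
}


def demo():
    """Archive the sample release, then check a clean copy, an altered copy, and a forged manifest."""
    manifest = build_manifest("agent-1.2.0", GOOD_RELEASE)
    clean = verify_release(manifest, GOOD_RELEASE)

    # An altered copy: one file changed, one file added, one file removed.
    altered = dict(GOOD_RELEASE)
    altered["lib/updater.py"] = b"UPDATE_URL = 'https://mirror.changed.invalid'\n"
    altered["lib/helper.py"] = b"# not part of the archived release\n"
    del altered["VERSION"]
    altered_result = verify_release(manifest, altered)

    # A forged manifest: someone edits the archived digest to match the altered file.
    forged = json.loads(json.dumps(manifest))
    forged["body"]["files"]["lib/updater.py"] = hashlib.sha256(altered["lib/updater.py"]).hexdigest()
    forged_result = verify_release(forged, altered)
    return clean, altered_result, forged_result


if __name__ == "__main__":
    for label, result in zip(("clean", "altered", "forged manifest"), demo()):
        print(f"{label}: {result or 'OK'}")
```

The manifest should be stored separately from the release artifacts it describes; the HMAC only proves that the manifest has not been altered since it was sealed, so the key (or, better, a signing key) must never live alongside the build output.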

There are of course a handful of additional variables to consider around software procurement and deployment. This new guide is by no means exhaustive but it should give organizations a good baseline on best practices to follow if they're not already.

Tags: Cyber Resilience


Chris Brook

Chris Brook is the editor of Data Insider. He is a technology journalist with a decade of experience writing about information security, hackers, and privacy. Chris has attended many infosec conferences and has interviewed hackers and security researchers. Prior to joining Digital Guardian he helped launch Threatpost, an independent news site which is a leading source of information about IT and business security for hundreds of thousands of professionals worldwide.