"CISA, NIST Provide New Resource on Software Supply Chain Attacks"

The US Cybersecurity and Infrastructure Security Agency (CISA) and the National Institute of Standards and Technology (NIST) have released a joint document providing information on software supply chain attacks, the risks such attacks present, and what organizations can do to mitigate them. CISA and NIST describe the software supply chain as a component of the Information and Communications Technology (ICT) supply chain framework, which represents the network of suppliers, retailers, and distributors participating in the production, sale, and delivery of hardware, software, and managed services. The joint document, titled "Defending Against Software Supply Chain Attacks," emphasizes the impact that software supply chain attacks can have on all users of compromised software and the widespread consequences they pose to government, critical infrastructure, and private sector software customers.

In the document, CISA and NIST point out the common techniques attackers use to execute software supply chain attacks, which include compromising open-source code, tampering with code signing, and hijacking updates. They also stress that a software supply chain compromise could allow threat actors to evade existing defenses and gain persistent access to a targeted environment in order to conduct financial theft, data exfiltration, cyber espionage, and other malicious activities. CISA and NIST encourage network defenders to apply industry best practices to mitigate the risks associated with supply chain attacks. This article continues to discuss the new resource on software supply chain attacks provided by CISA and NIST.

Security Week reports "CISA, NIST Provide New Resource on Software Supply Chain Attacks"