"US Gov Issues Guidance for Developers to Secure Software Supply Chain"
The Cybersecurity and Information Security Agency (CISA), the National Security Agency (NSA), and the Office of the Director of National Intelligence (ODNI) have announced the release of the first part of a three-part joint guidance on securing the software supply chain. The guidance has been created by the Enduring Security Framework (ESF), a cross-sector working group led by the NSA and CISA and focused on addressing the risks threatening critical infrastructure and national security. The first part of the series is called "Securing Software Supply Chain Series - Recommended Practices for Developers." It provides recommended best practices for software developers looking to improve the security of the software supply chain. According to ESF, this document will provide guidance in line with industry best practices and principles, which software developers are strongly encouraged to reference. These principles include security requirements planning, designing software architecture from a security perspective, adding security features, and maintaining the security of software and the underlying infrastructure. Meant to be applicable to many scenarios, the guidance offers actionable recommendations for a secure software development lifecycle (Secure SDLC), a first step towards a secure software supply chain. Development teams are advised to adapt and customize the secure SDLC process to meet their specific needs, identifying the procedures and policies they can use to ensure the implementation of secure development practices. The document also details common threat scenarios that may occur during the software development lifecycle and provides recommendations on mitigations, architecture and design documents, the creation of threat models and security test plans, release criteria, vulnerability handling policies, and assessment and training. The guidelines also recommend various Secure SDLC processes and practices provided by NIST, Carnegie Mellon University, OWASP, US-Cert, OpenSSF, and others.
SecurityWeek reports: "US Gov Issues Guidance for Developers to Secure Software Supply Chain"