US gov tells software suppliers exactly how it wants them to develop secure code
As CISA reportedly admits two of its systems were breached in February due to Ivanti flaws
The Biden-Harris Administration is "encouraging" Federal software suppliers to secure their products by forcing them to sign a secure software development attestation form.
The form, released jointly by the Office of Management and Budget and CISA, aims to ensure that software producers who partner with the federal government apply minimum secure development techniques and toolsets.
The self-attestation mechanism is part of CISA's "Secure-By-Design" roadmap to transform the software development lifecycle (SDLC) to align with the need to curb vulnerabilities from the get go.
While the first iteration of the roadmap was published in April 2023, the latest form is a tangible way for developers to engage with these principles.
Amongst other things, the form forces suppliers to affirm they have built their products in "secure environments", use automation or comparable processes to secure internal code and third-party components, and check for and disclose vulnerabilities on an ongoing basis. All of which you would really hope they were doing already.
The form isn't the only advisory focused on secure development to come out of CISA over the last week.
On the 7th of March, CISA concluded a two-day Open Source Software (OSS) Security Summit focused on key actions to help secure the open source ecosystem.
At the summit, CISA said it will work closely with package repositories to foster adoption of the Principles for Package Repository Security. This outlines voluntary security maturity levels for package repositories.
And five of the most widely used package repositories pledged to take steps in line with the Principles for Package Repository Security framework. These include The Rust Foundation, the Python Software Foundation, Packagist and Composer, npm, and Maven Central.
“Open Source Software is foundational to the critical infrastructure Americans rely on every day,” said CISA Director Jen Easterly in a statement.
“As the national coordinator for critical infrastructure security and resilience, we’re proud to announce these efforts to help secure the open source ecosystem in close partnership with the open source community, and are excited for the work to come,” she added.
The advice came as it emerged CISA was forced to take down two systems in February after they were breached due to previously identified flaws in Ivanti Connect Secure and Ivanti Policy Secure gateways.
CISA had issued multiple advisories regarding the same flaws, with the latest published at the end of February.
While the national agency did not provide details about the breach, according to sources speaking to Recorded Future News, "the two systems compromised were the Infrastructure Protection (IP) Gateway, which houses critical information about the interdependency of U.S. infrastructure, and the Chemical Security Assessment Tool (CSAT), which houses private sector chemical security plans".
“This is a reminder that any organization can be affected by a cyber vulnerability and having an incident response plan in place is a necessary component of resilience," a CISA spokesperson was quoted as telling the publication.