On May 12, 2021, President Biden issued an executive order (EO) that aims to add more transparency into the software supply chain with recommended best practices and a pilot program for consumer software labeling aimed at improving the assurance of software. After hackers attacked Colonial Pipeline’s networks, which included ransomware, there is tremendous concern as to the safety of software supporting our critical infrastructure. The time was right for the President to act.
The EO is generally focused on improving the security of software used by the federal government. Among other things, it also directs the administration to develop a set of code development best practices. We know, through experience in creating the world’s leading cybersecurity ratings company, SecurityScorecard, that to be successful, the government must focus on creating metrics that are dynamic and reflect the latest and best information available so that consumers can make the very best buying decisions. “After recent supply chain attacks involving SolarWinds and Microsoft, it is imperative that we, as a nation, take software assurance seriously. Best practices can uplift not just the security of the software industry but the overall level of cybersecurity in our economy,” commented Mark Weatherford, SecurityScorecard advisor and former Deputy Undersecretary for Cybersecurity at the Department of Homeland Security. We applaud this EO as a critical step in bringing transparency to the federal government’s software marketplace. The logical next step is to bring similar transparency to the security of vendors and third parties in all industries.
Does software assurance equal safer software?
The EO proposes a labeling convention intended to provide a level of assurance that a piece of software is free from known vulnerabilities – both those that are unintentionally written into the code and those that may be injected maliciously in a production environment – and that the software functions in the intended manner. Ideally, this labeling/assurance-driven approach will encourage software developers to be more cognizant of their software development practices and environments, and allow them to distinguish their products with better assurance ratings.
While evaluating the assurance of software is not easy, the Biden administration can build on the good work already done by MITRE and others. “Software development best practices create a ‘trust but verify’ environment. While the software developed through best practices can be trusted, organizations will still need to verify that companies are using it correctly, keeping it up-to-date and patched,” commented Bryan Ware, SecurityScorecard advisor and former executive associate director for cybersecurity at CISA. While assurance ratings for software will not eliminate all vulnerabilities, they will allow consumers to identify which companies and developers follow secure coding practices. Developers will then be able to compete on the quality and security of their product, in addition to price and functionality.
Evaluating the security of the development environment
The EO includes several considerations for how to evaluate the assurance of software including the integrity of developing code and the security of the development environment itself. This holistic view is critical, as we have seen nation-states compromise software inside the development environment. Therefore, the security of the code is only as secure as the organization that is writing it.
However, verifying the security of the developing environment, which is to say the company’s own security posture, will be dependent on knowledge of the organization in a manner not always possible or feasible for consumers, or even the government. Without a full picture of the entire security environment surrounding the software development, customers will have, at best, only a partial understanding of the security of the products they are installing on their system.
This does not mean that every software developer must divulge trade secrets or intellectual property to provide an accurate assessment of their security environment. With the right tools, such as security ratings, publicly available information can provide a non-intrusive, yet still accurate, picture of any company’s security posture.
The role of security ratings in software assurance
Cybersecurity ratings provide valuable data points for a more comprehensive view of a software developer’s or any organization’s security posture. The most robust security ratings are updated daily to provide consumers with an outside-in, continuous, and objective understanding of themselves and their vendors. With this holistic view of a software vendor’s security posture, including its development environment, consumers can make better buying decisions.
Security ratings are a good indicator of an organization’s overall cyber health and hygiene. Indeed, in January 2020, CISA recognized security ratings as a cyber risk metric. And generally, we find that if an organization’s security rating is low, often this indicates that the organization is not prioritizing security. As such, a software developer with a low security rating could be failing to prioritize security in their development environment and the assurance level of their software should be lower.
We are pleased to see the importance that the Biden Administration is placing on securing the nation’s supply chain, and especially the focus on a metrics-driven approach toward software assurance. We hope that all aspects of a code developer’s approach is evaluated when determining their software’s assurance level. “Recent attacks have shown us that no matter how well coded a piece of software is, if the development environment is compromised it can’t be trusted,” said Rob Knake, SecurityScorecard advisor and former director for cybersecurity on the National Security Council under President Obama.
Should transparency in security programs be the next step?
As we wait to see how the levels of assurance will be delineated and evaluated, we are convinced that providing more transparency in the software market can be leveraged for other aspects of third-party due diligence. If we expect buyers and consumers to measure how much risk a piece of software is introducing into their environment, shouldn’t we also expect them to measure the security of those with which they do business? Security ratings already exist and allow companies to weigh not only the cost, service, and speed of any given vendor, but also potentially how much risk that vendor could introduce into their environment depending on the security of their corporate network. With more transparency on which vendors make security a priority, and which ones don’t, public and private sector buyers can make risk-informed business decisions.