Today the Biden-Harris Administration issued a new National Cybersecurity Strategy focused on key pillars to strengthen and secure the nation’s digital ecosystems through an improved software liability framework for software products and services and best practices for secure software development. We’re pleased these pillars are codified in the Strategy, but the frank reality is everything laid out in the strategy has been possible for years for many private sector organizations.
We realize it's not feasible to turn on everything in the Strategy overnight, but the tools and frameworks for secure software development have been available for years. It's time we start calling the failure to follow best practices what it is: negligence. As the Strategy states, today's vendors are regularly shipping products with "insecure default configurations or known vulnerabilities" and "integrate third-party software of unvetted or unknown provenance."
Let’s take a look at some of the novel ideas that the Strategy’s proposed frameworks, tools and guidance outline, and how the dialogue is evolving around software supply chain security.
Software security is a multiplayer game
Software will never be perfectly secure. Even when organizations are doing the right things, bad actors will continue to exploit the gaps. That is why the Strategy’s focus on software liability–and a new safe harbor framework for companies that adhere to industry best practices–is an important discussion.
Some of the best practices and components for secure software development specifically called out in the Strategy include:
Investment in open source software security
It's great to see the Administration's commitment to memory-safe languages, software development techniques, frameworks and tools. Memory safety vulnerabilities are responsible for the vast majority of critical, remotely exploitable, and in-the-wild attacks we see on software.
Open source software has provided an immeasurable benefit to every industry across the nation, and OSS is more secure by every metric than proprietary alternatives. Any strategy would be remiss not to mention the burden placed on open source software maintainers, and we're pleased to see the Strategy acknowledge this through investment in and partnership with the community. We're also pleased to see the Strategy allocate the responsibility and liability for insecure outcomes where they belong: with commercial software stakeholders.
Reaching a secure-by-default future
The National Cyber Strategy is a solid foundation for the work that lies ahead to transform the software development process so that it is inherently more secure. In addition to the Strategy, the German think tank Stiftung Neue Verantwortung (SNV) today released a new policy paper and toolbox on the government's role in securing the software supply chain. This resource offers governments actionable guidance for implementing many of the themes outlined in the US Strategy. (Disclaimer: Chainguard contributed to SNV's report.)
At Chainguard, we are focused on:
We are working every day to develop tools and best practices that bake security into the development process by default, empowering developers and maintainers and supporting CISOs and their organizations as they seek to mitigate the risk of deploying vulnerable software. We still have a long road ahead, but a document like the National Cybersecurity Strategy is critical to accelerating the pace of change we need if we are going to improve the security of the digital and critical infrastructure we rely on every day.
If you or your organization is interested in learning more about how to incrementally tackle the pillars outlined in today’s Strategy or would be interested in working with Chainguard to audit your software supply chain and software development practices, get in touch.