The National Security Agency (NSA), whose cybersecurity division prevents and eliminates threats to American security systems, the Cybersecurity and Infrastructure Security Agency (CISA), an agency that improves the security, resilience, and reliability of America’s cybersecurity and communications infrastructure, and the Office of the Director of National Intelligence (ODNI) have all communicated a set of recommended strategies that software vendors can implement.
This guidance was issued in response to a number of recent high-profile cyber attacks, including the SolarWinds hack that exposed flaws in the software supply chain that state-backed threat actors can easily exploit.
The guidelines include software protection, which states that all forms of code should be protected from unauthorized access and manipulation and that the principle of least privilege should be applied throughout the Software Development Life Cycle to ensure that the code supplied to customers contains all the necessary security features and that these features work as intended.
Another is to develop well-secured software that mitigates security risks and enables them to deliver software that allows a customer to access only the information and resources for which he is authorized, while preventing access to unauthorized information and resources.
Other tasks include ensuring that third-party vendors meet security requirements, configuring compilation and build processes, analyzing human-readable code, testing executable code, configuring software with default settings, and responding to vulnerabilities.
Following the publication of the first chapter in September with guidelines for software developers focusing on software vendors and customers, the parties involved will issue one more advisory focused on customers acquiring organizations that are part of the life cycle of the software supply chain.
The sources for this piece include an article in BleepingComputer.