Getting to Grips with Supply Chain Security Compliance Obligations

By Eilon Elhadad Sr. Director, Software Supply Chain Security at Aqua Security.

  • 1 year ago Posted in

A new study has found that over a third of UK organisations say inadequate software supply chain security represents the biggest risk to their business and confirm that getting to grips with new regulations represents another top concern.

Conducted at Cloud Expo Europe in March 2023, the research found that 36.9% of organisations have significant fears with regards to supply chain security. The majority are also struggling to navigate a raft of new supply chain security compliance obligations, with just 36.9% saying they were confident they could adopt these new guidelines and frameworks within the required timeframes.

With Gartner estimating that more than 95% of new apps will be deployed on cloud-native platforms by 2025 and software supply chain attacks up 18 percentage points compared to 2022, addressing supply chain security and eliminating any confusion relating to new security standards is now a top priority.

With this in mind, let’s take a look at the key actions organisations should take to move ahead on both fronts.

Confronting multiple challenges on multiple fronts

A number of high profile attacks and the prominent role of the software supply chain in cloud native application development have served to thrust software supply chain security into the limelight.

While 34% of UK organisations now have a cloud native security strategy in place and 28% have made IT Security and DevOps teams jointly responsible for cloud native security, supply chain vulnerabilities continue to be a primary concern for 37% of organisations. These security concerns appear to be focused on two primary areas: open source vulnerabilities and flaws in software that could be exploited (47%), followed closely by third party vendor risk (44%).

While organisations understand that the pressure is on to address these issues and achieve compliance with new obligations around supply chain security, many appear to be struggling when it comes to implementing these standards and guidelines.

Confronted by no fewer than four best-practice guides and two communications from the US federal government, including Executive Order 14028, it’s not surprising that 52% of organisations are finding it hard work to keep up with the deadlines, let alone adhering to the fine print.

Indeed, the research reveals only 22% are planning to adopt SBOM standards such as Cyclone DX and SPDX, and while 18% had ISO02700 standards in their sights and 13% were adopting NIST CSF, only 11% plan to implement NIS2 guidelines.

So, when it comes to securing software supply chains and staying compliant how can organisations best push forward with confidence and clarity?

Adopting new standards – the top 7 things you need to know

1. Issued in September 2022, the White House memorandum on enhancing the security of the software supply chain through secure development practices is a key document that sets out the deadlines for compliance with specific guidelines, including the NIST’s Secure Software Development Framework (NIST 800-218). While there is no specific enforcement

requirement, organisations can use the memo to understand the list of software supply chain compliance deadlines and use NIST 800-218 to understand the requirements.

2. From June 2023, organisations that sell software to a US federal agency or who supply companies that sell to federal agencies are required to self-certify compliance with NIST 800-218 guidelines.

3. The White House’s executive order led to the publication of four best-practice guides for software supply-chain security by the following organisations: the Cloud Native Computing Foundation (CNCF), Google (now the Linux Foundation), the Centre for Internet Standards (CIS) and the joint guidelines published by National Security Agency (NSA), Cybersecurity and Infrastructure Agency (CISA) and the Office of the Director of National Intelligence (ODNI). Despite all these best practice guidelines, the only guide that counts towards self-attestation and compliance is NIST 800-218 but it’s difficult to understand just from the NIST guide exactly how to self-attest. Use the unique parts of each of the best-practices guides as helpful tools, but measure your compliance by the NIST 800-218 guidance.

4. The formal self-attestation form is not slated for release until January 2023. However, there are useful self-attestation forms drafted by NIST and the NSA, CISA, and ODNI that you can use to get started today. Until that time two draft self-attestation forms are available:the NIST 800-218 FAQ and the NSA, CISA, and ODNI Recommended Practices Guide for Developers.

5. Simply creating a software bill of materials (SBOM) and supplying this to a federal agency isn’t sufficient for self-attestation, as NIST sets out explicit requirements relating to people and processes that an SBOM may not necessarily address. For example, vulnerability fixes, third-party licence information, new vulnerability notifications and a process for publishing updates and patches that address new vulnerabilities aren’t always to be found in SBOMs. For this reason, organisations should use an SBOM as a tool to get self-attestation quicker and not as a self-attestation tool in and of itself.

6. Not all SBOMs are created equal and organisations that focus on going beyond using a code repository to create an SBOM will benefit from achieving a more helpful, all-inclusive SBOM that saves more time. Using the CI/CD tool to create an SBOM will deliver a lot of the application context that’s needed to attest to the security and authenticity of products included in the product: where the artifact is located in the pipeline, what security checks have been run, when the artifact was built, who did the commit, the configurations of the environment, if images were digitally signed, pending security vulnerabilities, and so forth. Organisations should check if their SBOM includes proof of appropriate security checks in addition to most basic information, such as third-party libraries used, packages, and artifact versions produced. All of which saves time when creating self-attestations.

7. To address self-attestation gaps relating to people and processes, including delivering adequate visibility into roles and responsibilities, organisations can use the draft self-attestation form from NIST or in the appendix of the NSA, CISA and ODNI guidelines to cover people and processes.

Looking ahead with confidence

As companies strive to create differentiation in the form of digital offerings, cloud native development offers an opportunity to push new offerings and features to market faster. But moving fast and staying secure depends on companies addressing the growing threat of software supply chain attacks by implementing true end-to-end security solutions that keep their software supply chain secure. It also depends on remaining compliant in the most streamlined and effective way possible.

To minimise friction when deploying best practices around security, organisations first need to understand exactly what they need to be compliant with and how best to demonstrate their compliance on these requirements in relation to how they protect the code, tools and processes used to build software.

By Alasdair Anderson, VP of EMEA at Protegrity.
By Eric Herzog, Chief Marketing Officer, Infinidat.
By Shaun Farrow, Security Practice Lead at Bistech.
By Andre Schindler, GM EMEA and SVP Global Sales at NinjaOne.
By Darren Thomson, Field CTO EMEAI, Commvault.