New secure software development rules in the US will require executives to sign forms confirming product security if they want to work with the US federal government.
The secure software development certification form is part of the US government's technology security initiative and aims to ensure that software used by the government is developed securely.
The form details the minimum secure software development requirements that a software company must meet before federal agencies can use its software.
This applies to any software developed or significantly updated after September 14, 2022. However, it does not include open source software obtained directly by federal agencies.
The form must be signed by the software company's CEO or an employee with “authority to bind the corporation.”
By signing, executives attest (confirm) that the software is developed in accordance with the secure software development practices contained in this form.
The move comes in direct response to the SolarWinds software supply chain attack in 2021, which saw thousands of customer systems compromised.
What are the requirements for secure software development?
The secure development practices themselves come from the Secure Software Development Framework published by NIST and cover four main areas.
Software development environments should be secure, with regular logging, monitoring and auditing of the trust relationships used for authorization and access to any software development and build environments.
Multi-factor authentication (MFA) and conditional access need to be implemented, while sensitive data such as user credentials should be encrypted. Similarly, the rules state that defensive cybersecurity practices must also be used, including continuous monitoring of operations and alerts.
Software manufacturers must make a “good faith effort” to maintain reliable source code supply chains by employing tools or processes to address the security of internal code and third-party components. They must also maintain the provenance of internal code and third-party components built into their software.
Finally, according to the rules, software companies must use tools to check for security vulnerabilities on an ongoing basis and before the release of products, versions or updates.
This means they will need to have robust processes in place to address security vulnerabilities found prior to product release and have a vulnerability disclosure program in place.
“If the requested information is not provided, the agency could stop using the software in question,” the form states. “Intentionally providing false or misleading information may constitute a violation of 18 USC § 1001, a criminal statute.”
What do secure software rules mean for developers?
The Cybersecurity and Infrastructure Security Agency (CISA) suggested that in the future it would be more common for the public and private sector to make similar demands on their suppliers.
“Software underpins nearly every service our government provides on behalf of the American people,” said Chris DeRusha, federal CISO, and Eric Goldstein, deputy executive director for cybersecurity at CISA, in a joint statement.
“We envision a software ecosystem where our partners in state and local government, as well as the private sector, also seek these assurances and take advantage of software that is designed to be secure by design.”
The CISA repository for the online forms is expected to be available by the end of March, giving companies some time to understand the content and requirements of the form, CISA said.
Chris Hughes, chief security advisor at application security company Endor Labs, said that while the move should be welcomed, the requirements in the form represent well-established fundamental secure development practices.
“Practices such as separating development and production environments, implementing logging, and MFA are critical security controls that should exist in any modern secure software development environment,” he said.
However, the form says nothing about threat modeling, which is needed to build secure-by-design systems, or about memory safety.
Executives could pass the buck
A key area of concern highlighted by Hughes centers on the certification process itself. He noted that CEOs can get another executive to sign the form, raising questions about whether executives will simply delegate this to other staff members.
“On the one hand, we hear that cybersecurity should be a boardroom topic and CISA even asks for senior management involvement in its security by design/default publications, but then this form allows this key certification activity to be delegated to someone else in the organization and potentially prevents it from being as visible to the C-suite/CEO and executive leadership team,” he said.
The biggest challenges in meeting the requirements will be for vendors that have not yet implemented secure software development practices, Hughes said.
Therefore, these vendors will be forced to evaluate their current development practices, identify gaps, and implement plans to address them. This means that some organizations could be prevented from working with government agencies.
“This could lead some vendors to abandon or avoid the federal market due to the higher level of maturity required and potentially limited access to innovative commercial software solutions for the federal government,” he said.