
US CISA & NIST Issue Guidance to Defend Against Supply Chain Attacks!


New guidance highlights software supply chain risks & tips on how to identify, assess, & mitigate risks.

News of last year’s SolarWinds attack was industry altering. Now, in the wake of that incident, two US government agencies are issuing guidance to software vendors & customers on how they can be better equipped to defend against future attacks.

This week the US Cybersecurity & Infrastructure Security Agency (CISA) & the US National Institute of Standards & Technology (NIST) released Defending Against Software Supply Chain Attacks (PDF).

Targeting Lesser Known

A supply chain attack is usually carried out by targeting lesser-known or less secure elements in the software supply chain. 3rd-party providers, vendors, or partners with weaker security are a common target.

CISA & NIST observe that recent attacks have been carried out in 3 main ways: by hijacking a vendor’s update mechanism, usually after compromising the vendor’s network; by undermining code signing so that malicious code appears trusted & validated; & by compromising open-source code that is incorporated into 3rd-party products.

Common Attack Techniques

This document, released on Mon., gives an overview of software supply chain risks, examples of common attack techniques, & recommendations for developing & overseeing a risk management program.

It encourages readers to evaluate any product they’re considering purchasing & implementing through the lens of one of these programs, such as NIST’s Cyber Supply Chain Risk Management (C-SCRM) or Secure Software Development Framework (SSDF).

Mitigate Risks

NIST’s C-SCRM can help organisations identify, assess, & mitigate risks in a distributed supply chain ecosystem. It is not a new concept & dates back to 2016, but NIST’s C-SCRM guidance was last updated this month, so its directives are timely.

SSDF is newer & was originally published in April 2020. This framework draws on secure software development practice guidance from BSA, OWASP, & SAFECode. Its aim is to help reduce the number of vulnerabilities in released software & to mitigate the impact of any that are exploited.

The guidance is just that, guidance; as SolarWinds showed, malicious, barely detectable code can still find its way into software, even after due diligence.

Encouraging Organisations

So this is why, in their document, CISA & NIST also encourage organisations to have a vulnerability management program. By having a way to scan for, identify, triage, & mitigate vulnerabilities, businesses can put right issues that arise in software.

Ensuring software follows a software development life cycle (SDLC), one that defines SSDF roles & security requirements, can also help organisations increase the resilience of their software.

Mitigate Vulnerabilities

To mitigate vulnerabilities post-deployment, organisations should also do the following:

  • Archiving & protecting each release of software so that the vendor can analyse, identify, & develop mechanisms to eliminate vulnerabilities discovered post-release.
  • Maintaining processes, & even a formal program, to identify & confirm suspected vulnerabilities in software, whether identified by the vendor, its customers, or 3rd-party researchers.
  • Establishing an assessment, prioritisation, & remediation approach that enables vulnerabilities to be remediated quickly.

There are a handful of additional variables to consider around software procurement & deployment. The new guide is by no means exhaustive, but it should give organisations a baseline on best practices to follow if they are not already.
