Four Federal Software Supply Chain Security Trends to Watch
By Jeff Stewart, Vice President, Product, SolarWinds
The exponential growth of digital government has led to unprecedented security breaches across the supply chain. To address these threats, in 2021 the Biden administration issued Executive Order 14028, intensifying scrutiny of vendors’ software supply chains. Subsequently, in 2023 the National Cybersecurity Strategy was introduced, urging software vendors to adopt more secure software development practices based on the NIST Secure Software Development Framework.
Despite these developments, a recent survey found most public sector respondents remain concerned about software supply chain security and are unsure what measures to implement to safeguard their systems.
While software supply chain security is a relatively new concept, here are four enduring trends to help agencies close the supply chain security gap and have a lasting impact on the public sector’s overall cybersecurity posture.
- Making software releases faster and more secure with DevSecOps and AIOps
Today’s applications are composed of natively developed code integrated with third-party and open-source components, potentially creating numerous entry points for a threat actor. Unfortunately, while developers can control the things they build, they have zero control over how those applications are validated and secured.
DevSecOps and AIOps can help.
DevSecOps helps agencies break down the silos between development, operations, and security to produce faster, more secure software releases. Meanwhile, AIOps works across IT operations to help ensure software in production is operating efficiently, securely, and reliably.
AIOps works by leveraging artificial intelligence, machine learning, and predictive analytics to collect data from the entire digital ecosystem. It autonomously analyzes this data to yield deep, consolidated insights into the IT infrastructure and development process, including identifying vulnerable code.
AIOps doesn’t just find issues; it can also fix them automatically. For example, it can patch known vulnerabilities in production or deployed software. This streamlines the process for DevSecOps teams, allowing them to easily track and address security and performance problems from the source of the code to its deployment.
- Meeting and exceeding compliance standards
Executive Order (EO) 14028 and other actions underscore the federal government’s commitment to leveraging its purchasing power to elevate security standards across the supply chain.
In response, agencies are increasingly looking to partner with software vendors who develop systems utilizing best practices that consistently meet or exceed NIST standards. Those practices include:
- Basing the application build system on ephemeral operations, spinning up resources on-demand and destroying them when discrete tasks have been completed.
- Building in parallel by utilizing isolated and distinct build environments, where numerous scans and security checks are performed before release.
- Advancing beyond zero trust by adopting an “assume breach” position.
- Deploying automated tools to concurrently scan for vulnerabilities throughout the development process.
- Recording each build step, creating an immutable record of proof, and providing complete traceability.
- And more.
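The last practice in the list, recording each build step as an immutable, traceable record, is the one most easily shown in code. The following is an added illustration, not code from the article or from SolarWinds: a hash-chained build ledger in which every step entry commits to its inputs, its output digest and the hash of the previous entry, so any later edit to an earlier step breaks the chain. The step names, commit id and digests are constructed sample values.

```python
import hashlib
import json
from dataclasses import dataclass, field

# Hash of the "entry before the first one"; anchors the chain.
GENESIS = "0" * 64


def _digest(payload: dict) -> str:
    """Canonical SHA-256 over a JSON object (sorted keys, no whitespace)."""
    encoded = json.dumps(payload, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(encoded).hexdigest()


@dataclass
class BuildLedger:
    """Append-only record of build steps; each entry chains to the previous one."""

    entries: list = field(default_factory=list)

    def record(self, step: str, inputs: dict, output_sha256: str) -> dict:
        prev_hash = self.entries[-1]["entry_hash"] if self.entries else GENESIS
        body = {
            "index": len(self.entries),
            "step": step,
            "inputs": inputs,
            "output_sha256": output_sha256,
            "prev_hash": prev_hash,
        }
        entry = dict(body, entry_hash=_digest(body))
        self.entries.append(entry)
        return entry

    def verify(self) -> bool:
        """Recompute every entry hash and check the chain links in order."""
        prev_hash = GENESIS
        for position, entry in enumerate(self.entries):
            body = {k: v for k, v in entry.items() if k != "entry_hash"}
            if entry["index"] != position:
                return False
            if entry["prev_hash"] != prev_hash:
                return False
            if _digest(body) != entry["entry_hash"]:
                return False
            prev_hash = entry["entry_hash"]
        return True


def build_demo_ledger() -> BuildLedger:
    """Record a four-step pipeline with constructed (not real) identifiers."""
    ledger = BuildLedger()
    ledger.record("checkout", {"source_commit": "c0ffee00-constructed"}, "a" * 64)
    ledger.record("resolve-dependencies", {"lockfile_sha256": "b" * 64}, "c" * 64)
    ledger.record("compile", {"toolchain": "constructed-compiler 1.0"}, "d" * 64)
    ledger.record("scan", {"scanner": "constructed-scanner", "findings": 0}, "e" * 64)
    return ledger


if __name__ == "__main__":
    ledger = build_demo_ledger()
    print("chain valid:", ledger.verify())
    # Simulate after-the-fact tampering with the recorded checkout commit.
    ledger.entries[0]["inputs"]["source_commit"] = "tampered"
    print("chain valid after tampering:", ledger.verify())
```

Hash chaining gives tamper evidence, not immutability on its own: a party who controls the whole ledger can rewrite every entry and recompute the chain. In a real pipeline the final entry hash would be signed by the build system and published to an append-only store so that the record can be checked by someone other than the vendor who produced it.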
- Increased transparency through SBOMs
SBOMs (or software bills of materials) are a critical step forward in mitigating software supply chain risk. These documents provide a thorough overview of all components, libraries, tools, and processes used by software vendors in the build process. This transparency makes it easier for agencies to identify security risks that require patching or addressing through mitigating controls.
To date, three agencies – DoD, NASA, and GSA – have proposed new rules for federal contractors to develop and maintain SBOMs for any software used on a government contract.
Compliant vendors generate SBOM files at build time and can use them during the build to validate that third-party dependencies haven’t silently changed their underlying code, to provide a comprehensive picture of the dependency tree for the current build and on a historical basis, and to perform build-time checks and enforce policies based on CVSS scoring.
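To make the three build-time uses of an SBOM concrete, here is an added example that is not part of the article and not a SolarWinds tool. It compares the previous build’s SBOM against the current one to catch dependencies whose content hash changed without a version change, lists components added or removed from the dependency tree, and fails the build when a component carries an advisory at or above a CVSS threshold. The two SBOMs follow the CycloneDX JSON field layout (bomFormat, specVersion, components, purl, hashes), but every package name, version, hash and advisory below is constructed for the example.

```python
from typing import Dict, List


def _component(purl: str, version: str, sha256: str) -> dict:
    return {"type": "library", "name": purl.split("/")[-1].split("@")[0],
            "version": version, "purl": purl,
            "hashes": [{"alg": "SHA-256", "content": sha256}]}


# Constructed SBOM for the previous build (CycloneDX-shaped, made-up contents).
PREVIOUS_BUILD = {"bomFormat": "CycloneDX", "specVersion": "1.5", "components": [
    _component("pkg:pypi/libfoo@2.1.0", "2.1.0", "a" * 64),
    _component("pkg:pypi/parser@0.9.1", "0.9.1", "b" * 64),
]}

# Constructed SBOM for the current build: libfoo has the same version but a
# different artifact hash (a silent content change), and newlib was added.
CURRENT_BUILD = {"bomFormat": "CycloneDX", "specVersion": "1.5", "components": [
    _component("pkg:pypi/libfoo@2.1.0", "2.1.0", "c" * 64),
    _component("pkg:pypi/parser@0.9.1", "0.9.1", "b" * 64),
    _component("pkg:pypi/newlib@3.0.0", "3.0.0", "d" * 64),
]}

# Constructed advisory feed: purl -> list of (advisory id placeholder, CVSS base score).
ADVISORIES = {
    "pkg:pypi/parser@0.9.1": [("ADVISORY-PLACEHOLDER-1", 4.3)],
    "pkg:pypi/newlib@3.0.0": [("ADVISORY-PLACEHOLDER-2", 9.1)],
}


def index_components(sbom: dict) -> Dict[str, dict]:
    """Map each component purl to its version and SHA-256 artifact hash."""
    index = {}
    for comp in sbom["components"]:
        sha = next(h["content"] for h in comp["hashes"] if h["alg"] == "SHA-256")
        index[comp["purl"]] = {"version": comp["version"], "sha256": sha}
    return index


def dependency_drift(previous: dict, current: dict) -> List[dict]:
    """Report components added, removed, or whose artifact hash changed."""
    before, after = index_components(previous), index_components(current)
    drift = []
    for purl in sorted(set(before) | set(after)):
        if purl not in before:
            drift.append({"purl": purl, "kind": "added"})
        elif purl not in after:
            drift.append({"purl": purl, "kind": "removed"})
        elif before[purl]["sha256"] != after[purl]["sha256"]:
            # Same purl (and therefore same version) but different bytes.
            drift.append({"purl": purl, "kind": "hash-changed"})
    return drift


def policy_violations(sbom: dict, advisories: dict, max_cvss: float) -> List[dict]:
    """List advisories whose CVSS score meets or exceeds the policy threshold."""
    violations = []
    for purl in index_components(sbom):
        for advisory_id, score in advisories.get(purl, []):
            if score >= max_cvss:
                violations.append({"purl": purl, "id": advisory_id, "cvss": score})
    return violations


def gate_build(previous: dict, current: dict, advisories: dict, max_cvss: float = 7.0) -> dict:
    """Build-time gate: block on unexplained hash changes or high-severity advisories."""
    drift = dependency_drift(previous, current)
    violations = policy_violations(current, advisories, max_cvss)
    silent_changes = [d for d in drift if d["kind"] == "hash-changed"]
    return {"allowed": not silent_changes and not violations,
            "drift": drift, "violations": violations}


if __name__ == "__main__":
    result = gate_build(PREVIOUS_BUILD, CURRENT_BUILD, ADVISORIES)
    print("build allowed:", result["allowed"])
    for item in result["drift"]:
        print("drift:", item["kind"], item["purl"])
    for item in result["violations"]:
        print("policy violation:", item["purl"], item["id"], "CVSS", item["cvss"])
```

Added or removed components are reported but do not block the build by themselves; a version bump is a normal event that should be reviewed, whereas an unchanged version with a changed hash is the case the article warns about and is treated as a hard failure. Keeping every build’s SBOM gives the historical dependency picture the article mentions, because the same drift check can be run between any two recorded builds.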
- Increased observability across the supply chain
To counter security threats and increase visibility across the complex and layered software supply chain, agencies are increasingly adopting observability tools, techniques, and processes.
Observability offers comprehensive visibility into service delivery and component dependencies across the software creation and deployment ecosystem. This enables various departments within an agency, ranging from IT to development teams, to gain clearer, holistic insights into vulnerabilities for more rapid remediation. In addition, teams can leverage the integrated automation of AIOps to further boost security by reducing the opportunity for human error.
Observability solutions offer a holistic approach to identifying and addressing risks, making the future of software supply chain security significantly more promising.
Partnership is key
The four trends outlined above give federal agencies an opportunity to set a new standard for mitigating software supply chain risks. Crucially, agencies needn’t tackle this challenge alone. Software companies are actively addressing supply chain risk and can support agencies as they work to mitigate their own risks. These collaborations between the public and private sectors will be instrumental as agencies aim to meet or surpass NIST guidance for secure software development.