NIST updates software supply chain risk management guidelines
Adam Bannister May 11, 2022 at 10:56 UTC
Updated: May 11, 2022 11:25 UTC
“A comprehensive tool that can take you from crawl to walking and running”
Infosec experts have welcomed the U.S. National Institute of Standards and Technology’s (NIST) overhaul of its Cybersecurity Supply Chain Risk Management (C-SCRM) guidance.
Developed in response to an executive order signed by President Biden in May 2021, the revised C-SCRM document provides guidance on identifying, assessing, and managing cybersecurity risks throughout the supply chain.
The publication – “Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations” (PDF) – urges acquirers and end users of hardware, software and digital services to undertake due diligence on the origin and security of the components of a digital product.
“If your agency or organization has not started [C-SCRM], it’s a comprehensive tool that can take you from crawl to walking and running, and it can help you do that right away,” NIST’s Jon Boyens, co-author of the publication, said in a press release.
“Core Best Practices”
Attackers are increasingly targeting digital supply chains as they can compromise multiple devices, applications or organizations by poisoning or exploiting weaknesses in widely used components, with the SolarWinds 2020 attack being the most devastating example to date.
Ilkka Turunen, technical field manager at software supply chain security specialist Sonatype, told The Daily Swig: “As next-generation supply chain attacks increase, the C-SCRM guidelines formalize many known practices in organizations large and small.
“It outlines fundamental best practices – like generating SBOM [software bill of materials] – and the support activities necessary to maintain effective supply chain security practices.
He continued: “This compendium of knowledge explains how to defend against future Log4Shell issues and other next-generation threats. It’s time for organizations to invest in automating these processes.”
Tim Mackey, senior security strategist at Synopsys Cybersecurity Research Center, said the document covers much more than the value of SBOM for open source components.
“Software enters an organization from multiple points of origin, including open source and API usage,” he told The Daily Swig.
“Software operators, whether the software is purely open source in nature or the result of proprietary development, do accept the commercial risks associated with the use of that software.
“Software risk mitigation begins with an understanding of how the use of managed and unmanaged software within an organization occurs, and the gradual mitigation of those risks – not just at the vendor level, but continuously with each new version and modification of the software.”
Cequence Security, an API security specialist, recently sounded the alarm over the persistence of the critical Log4Shell vulnerability, which was discovered six months ago in the near-ubiquitous Apache Log4j logging utility.
The issue, which the company has dubbed “LoNg4j,” “illustrates how interconnected modern enterprise IT infrastructure is and how this digital supply chain extends far beyond known applications,” said Jason Kent, hacker in residence at Cequence Security.
The revised NIST guidelines are currently only available as a PDF document, but the authors said they also plan to publish a more user-friendly, clickable web version and a quick start guide for organizations new to C-SCRM.