As part of its ongoing efforts to improve cybersecurity, the Biden-Harris administration announced that it has approved the secure software development attestation form.
The form, jointly developed by CISA and the Office of Management and Budget (OMB), must be completed by any company that provides software the Government will use. It is intended to help ensure that such software is developed by companies that prioritize security.
“The requirements in the form represent some fundamental secure development practices that vendors looking to sell software to the federal government should be in a position to meet if they want to play in the federally regulated ecosystem,” said Chris Hughes, Chief Security Advisor at Endor Labs and Cyber Innovation Fellow at CISA.
One of the requirements in the form is that the software be developed in a secure environment. This includes separating production and development environments, minimizing the use of insecure products in code, enforcing multi-factor authentication across all environments, encrypting sensitive data, implementing defensive practices such as continuous monitoring and alerting, and routinely logging, monitoring and auditing trust relationships.
“Practices such as separating development and production environments, implementing logging, and MFA are critical security controls that should be in place in any modern secure software development environment,” Hughes said.
Another requirement is to make a good-faith effort to maintain trusted supply chains by using automated tools to monitor third-party code and by maintaining the provenance of internal code and third-party components.
It also requires the regular use of automated tools that check for security vulnerabilities, including having policies in place to detect and address known vulnerabilities.
However, Hughes believes that the form is missing some elements. For example, it does not require the use of threat modeling or memory safety, both of which CISA advocates for. He said it also allows the CEO to designate others to sign the attestation, who could become potential scapegoats if things go wrong or if the attestation turns out to be false.
“On the one hand, we hear that cybersecurity should be a boardroom issue, and CISA even calls for C-suite involvement in their publications around secure by design/default, but then this template allows this key attestation activity to be delegated to someone else in the organization and potentially prevents it from being visible to the C-suite/CEO and executive leadership team,” Hughes said.
Hughes believes software vendors who have not yet implemented secure software development practices will have the hardest time meeting the attestation requirements.
“They will need to assess their current development practices, identify gaps and implement plans to correct them,” he said. “This of course requires time and resources, which smaller startups and immature organizations have limited access to, especially in the face of competing demands for speed to market, revenue, return to investors, speed of features and more.”
The form will be available to complete online on the CISA website starting later this month.