With threats growing at an unprecedented rate, cyber hygiene alone won’t be enough to protect federal software supply chains from malicious attacks. America’s adversaries are more aggressive than ever, surpassing conventional malware and advancing their tactics.
The recent global cyber-attack targeting the MOVEit software used by federal agencies serves as a vivid reminder of the consequences threat actors can inflict. This incident highlights the urgent need for enhanced security measures and a comprehensive approach to protecting federal software supply chains.
Steps to Take Now
As the government works to understand the impacts of the attack, there are industry-proven techniques and actions agencies can take now to ensure software security controls are in place. Below are six critical steps every federal software security plan needs.
— Software Scanning Services. It can take several months to obtain necessary security approvals before the government-off-the-shelf software can be deployed. Scan-as-a-Service features can perform a complete application or software assessment within days of receiving the source code. This ensures vulnerabilities are addressed early. The process is fast, reliable and affordable, creating a security body of evidence for chief information security officers. Moreover, this service can ensure the software supply chain is airtight throughout the screening process. It can also help identify a vendor’s Software Bills of Materials, or SBOMs, and disclose where data is transmitted and stored.
— Zero Trust Architecture. Approaches must be proactive against potential threats and align with a Zero Trust Architecture, or ZTA, which assumes every transaction is a threat and follows a ZT maturity model to explore, analyze, select, implement and continuously monitor ZT strategy as the threat landscape evolves. ZTA provides continuous verification and strict access controls for every user, device and application seeking access to resources. Together, ZT, micro-segmentation, firewalls, encryption, and intrusion detections create a layered defense system, reducing the attack surface, decreasing the likelihood of attacks and minimizing the impact of incidents.
— Continuous Monitoring: Real-time visibility, proactive threat detection, and timely incident response are all reasons for agencies to lean into continuous monitoring. Proactive security measures and monitoring support compliance with regulatory standards and help leaders stay ahead of emerging threats with robust and resilient security frameworks. Continuous assessment of the SBOMs produced by Software Composition Analysis is crucial to continuously detecting vulnerabilities within software components. Because an SBOM records the version and dependencies of each component, agencies can compare that data against vulnerability databases and security advisories. This allows them to identify known vulnerabilities and apply patches or updates as soon as they become available, reducing the window of exploitation.
— Identity and Access: Robust mechanisms must be in place to authenticate and authorize those accessing government software, including controlling user access, enforcing strong authentication protocols and managing privileges. Collaboration between identity systems is particularly important to enable interoperability, enhance accuracy and reliability, and detect inconsistencies and vulnerabilities. This centralized control simplifies administration, reduces the risk of misconfigurations or access inconsistencies, and enables efficient management of user access throughout the software ecosystem. By working together, different systems can provide stronger protection against threats and align with ZT frameworks.
— Automation: Automating routine security tasks frees up valuable human resources, allowing security teams to focus on more complex and strategic activities. This enables security professionals to invest their time and expertise in threat hunting, vulnerability analysis and incident response, thereby improving the overall security posture. For example, the Security Content Automation Protocol, or SCAP, plays a crucial role in securing software by providing a standardized and automated approach to security management. It enables streamlined security processes, automates vulnerability assessments, enforces secure configurations, and ensures compliance with industry standards and regulatory requirements. By leveraging SCAP, agencies can enhance the overall security of their software systems, reduce the risk of attacks and breaches, and maintain a strong security posture in an ever-evolving threat landscape.
— Leveraging AI/ML: By identifying patterns and analyzing anomalies with artificial intelligence and machine learning algorithms, government agencies can proactively identify and mitigate threats before they cause significant harm. Additionally, AI can automate security tasks and vulnerability assessments to promote efficiency and reduce human error. AI and ML are also capable of learning and adapting to user behavior patterns to strengthen defenses against threats. Ultimately, AI and ML techniques aid in identifying software vulnerabilities by analyzing source code, system configurations and historical data. By automatically scanning codebases and conducting static analysis, AI/ML algorithms pinpoint potential weaknesses, such as insecure coding practices or outdated libraries, helping to proactively address issues before they are exploited.
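The Continuous Monitoring step above describes comparing the component versions recorded in an SBOM against vulnerability advisories. The following Python script is an added illustration of that matching logic, not code from the article or from SAIC. It embeds a constructed CycloneDX-style SBOM and a constructed advisory feed with placeholder identifiers (no real packages or CVEs), and reports every component whose version falls inside an advisory's affected range, along with the version that fixes it where one exists.

```python
"""Match SBOM component versions against an advisory feed (added example)."""
import json
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample SBOM in CycloneDX-like JSON. The package names and
# versions are placeholders, not a real project's inventory.
SAMPLE_SBOM_JSON = """
{
  "bomFormat": "CycloneDX",
  "specVersion": "1.4",
  "components": [
    {"type": "library", "name": "example-http",   "version": "2.3.1"},
    {"type": "library", "name": "example-xml",    "version": "1.9.0"},
    {"type": "library", "name": "example-crypto", "version": "4.0.2"}
  ]
}
"""

# Constructed advisory feed with placeholder ids (not real CVEs). Each entry
# covers versions in the half-open range [introduced, fixed); a None "fixed"
# means no patched release is available yet.
SAMPLE_ADVISORIES = [
    {"id": "ADV-EXAMPLE-0001", "package": "example-http",
     "introduced": "2.0.0", "fixed": "2.3.4", "severity": "high"},
    {"id": "ADV-EXAMPLE-0002", "package": "example-xml",
     "introduced": "1.0.0", "fixed": "1.9.0", "severity": "critical"},
    {"id": "ADV-EXAMPLE-0003", "package": "example-crypto",
     "introduced": "4.0.0", "fixed": None, "severity": "medium"},
]


def version_key(version: str) -> Tuple[int, ...]:
    """Turn '2.3.1' or '2.3.1-rc1' into a fixed-width numeric tuple.

    Only leading digits of each dotted/dashed piece count, so pre-release
    tags are ignored; the tuple is padded to four places so that '2.3'
    and '2.3.0' compare equal.
    """
    nums = []
    for piece in re.split(r"[.\-+]", version):
        match = re.match(r"\d+", piece)
        if match:
            nums.append(int(match.group()))
    while len(nums) < 4:
        nums.append(0)
    return tuple(nums[:4])


def is_affected(version: str, introduced: str, fixed: Optional[str]) -> bool:
    """True when `version` lies in [introduced, fixed) (or [introduced, inf) if unfixed)."""
    v = version_key(version)
    if v < version_key(introduced):
        return False
    if fixed is not None and v >= version_key(fixed):
        return False
    return True


@dataclass
class Finding:
    component: str
    version: str
    advisory_id: str
    severity: str
    fixed_in: Optional[str]


def load_components(sbom_json: str) -> List[Tuple[str, str]]:
    """Extract (name, version) pairs from a CycloneDX-style SBOM document."""
    sbom = json.loads(sbom_json)
    return [(c["name"], c["version"])
            for c in sbom.get("components", []) if "version" in c]


def match_advisories(sbom_json: str, advisories: List[dict]) -> List[Finding]:
    """Return one Finding per (component, advisory) pair whose version is affected."""
    findings = []
    for name, version in load_components(sbom_json):
        for adv in advisories:
            if adv["package"] == name and is_affected(version, adv["introduced"], adv["fixed"]):
                findings.append(Finding(name, version, adv["id"], adv["severity"], adv["fixed"]))
    return findings


def summarize(findings: List[Finding]) -> List[str]:
    """Human-readable report lines; unfixed advisories are called out explicitly."""
    lines = []
    for f in findings:
        action = f"upgrade to {f.fixed_in}" if f.fixed_in else "no fix released; mitigate/monitor"
        lines.append(f"{f.component} {f.version}: {f.advisory_id} [{f.severity}] -> {action}")
    return lines


if __name__ == "__main__":
    for line in summarize(match_advisories(SAMPLE_SBOM_JSON, SAMPLE_ADVISORIES)):
        print(line)
```

In the constructed data, `example-xml` 1.9.0 is exactly the fixed version and so is correctly excluded, while `example-crypto` is flagged without an available fix; a real monitoring pipeline would re-run this comparison each time the advisory feed or the SBOM changes and route unfixed findings to a compensating-control workflow rather than a patch ticket.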
Time is of the Essence
Industry and government need to collaborate on secure software to enhance national security. Proven solutions and lessons learned will be invaluable resources as agencies aim to increase resilience and improve risk management frameworks.
While many agencies have taken important first steps in identifying and securing critical software supply chains, recent attacks and federal guidance underscore the need to become more aggressive by securing government software without delay to protect America’s critical cyber infrastructure.
Shawn Kingsberry is vice president of cybersecurity at SAIC, a Reston, Virginia-based provider of government services and information technology support.