
The NSA releases new guidance on open-source software and SBOMs going into 2024

While open-source software can be a boon, the NSA warns it’s not without its risks.

Illustration: Francis Scialabba, Photo: S. Greg Panosian/Getty Images


The National Security Agency (NSA) has released new guidance to network owners and operators on securing their open-source software supply chains, citing an increase in the number of attacks in recent years.

Convenience has made open-source software ubiquitous, but its use can also be a double-edged sword when vulnerabilities are discovered in software components in widespread use. Vulnerabilities such as the infamous bug in Java’s Log4j logging library have drawn scrutiny from federal regulators as well as Congress, and the open-source supply chain is a major focus of the Biden administration’s National Cybersecurity Strategy.

The NSA guidance, 45 pages long, adds to prior federal releases detailing compliance with previous executive orders and forthcoming regulations on cybersecurity for defense vendors.

However, as CSO Online noted, the NSA’s guidance on software bills of materials (SBOMs) is broadly applicable to any organization seeking to get a handle on its software supply chain, not just defense industrial base contractors finding themselves subject to new documentation requirements.

There are four main sections to the document, each with advice on a separate topic: open-source software management, creating and maintaining secure open-source repositories, open-source maintenance and crisis management, and the creation and validation of SBOMs.

The NSA advises laying out key roles and responsibilities for developers and suppliers, as well as evaluating new open-source components against vulnerability databases such as the one maintained by the National Institute of Standards and Technology (NIST). For SBOMs, it recommends using the National Telecommunications and Information Administration’s guidance on minimum requirements for SBOMs, as well as its SBOM playbook for software suppliers.

Top insights for IT pros

From cybersecurity and big data to cloud computing, IT Brew covers the latest trends shaping business tech in our 4x weekly newsletter, virtual events with industry experts, and digital guides.

On creating and maintaining internal open-source repositories, the NSA laid out a sample process involving the use of an intermediate secure repository to test new packages with tools like software composition analysis. Once packages are moved to the secure repository, the NSA advises continuous checks for new vulnerabilities and patches, as well as notifications to developers who have downloaded components that later turn out to have issues.

In particular, the NSA recommends using frameworks like the Secure Supply Chain Consumption Framework, which was designed by the Open Source Security Foundation, and data standards such as Vulnerability Exploitability eXchange (VEX) documents.

Other NSA recommendations include secure code signing requirements and a crisis management plan—such as NIST’s Incident Handling Guide. The section on SBOMs also breaks down the various ways organizations can create such bills of materials, noting SBOM extraction tools generally fall into four categories: source, binary, package, and runtime extractors.

The document lays out how each extraction type works “with respect to their availability, adoption, and performance,” as well as how to use SBOMs in combination with VEX documentation to enable quick decisions about the level of risk posed by new vulnerabilities.
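An added example (my own, not from the NSA document or this article) of the SBOM-plus-VEX decision described above: a constructed SBOM, constructed supplier VEX statements and a constructed advisory feed are joined on package URL, and every advisory that touches a shipped component gets a decision. The simplified field names and the placeholder VULN-EXAMPLE identifiers are assumptions; real SPDX/CycloneDX SBOMs and OpenVEX/CSAF documents carry more fields.

```python
# Constructed SBOM: components identified by package URL (purl), as real SBOMs do.
SBOM = {
    "product": "pkg:generic/example-portal@2.3.1",
    "components": [
        {"purl": "pkg:maven/org.apache.logging.log4j/log4j-core@2.14.1"},
        {"purl": "pkg:npm/lodash@4.17.21"},
        {"purl": "pkg:pypi/requests@2.31.0"},
    ],
}

# Constructed VEX statements from the supplier, one per (vulnerability, component).
# Status vocabulary follows the common VEX set: affected, not_affected, fixed, under_investigation.
VEX = [
    {"vuln": "VULN-EXAMPLE-1", "purl": "pkg:maven/org.apache.logging.log4j/log4j-core@2.14.1",
     "status": "affected", "action": "upgrade to patched release"},
    {"vuln": "VULN-EXAMPLE-2", "purl": "pkg:npm/lodash@4.17.21",
     "status": "not_affected", "justification": "vulnerable_code_not_present"},
]

# Constructed advisory feed (what a vulnerability database would publish).
ADVISORIES = [
    {"vuln": "VULN-EXAMPLE-1", "purl": "pkg:maven/org.apache.logging.log4j/log4j-core@2.14.1"},
    {"vuln": "VULN-EXAMPLE-2", "purl": "pkg:npm/lodash@4.17.21"},
    {"vuln": "VULN-EXAMPLE-3", "purl": "pkg:pypi/requests@2.31.0"},
    {"vuln": "VULN-EXAMPLE-4", "purl": "pkg:pypi/urllib3@1.26.0"},  # not shipped in this product
]


def triage(sbom, vex, advisories):
    """Return {vuln: decision} for each advisory that names a component in the SBOM.

    The supplier's VEX statement decides when one exists; an advisory with no
    statement is escalated for investigation rather than silently ignored."""
    shipped = {c["purl"] for c in sbom["components"]}
    vex_index = {(s["vuln"], s["purl"]): s for s in vex}
    decisions = {}
    for adv in advisories:
        if adv["purl"] not in shipped:
            continue  # package not in the SBOM: no exposure, no action
        stmt = vex_index.get((adv["vuln"], adv["purl"]))
        if stmt is None or stmt["status"] == "under_investigation":
            decisions[adv["vuln"]] = "investigate"  # no usable supplier statement yet
        elif stmt["status"] in ("not_affected", "fixed"):
            decisions[adv["vuln"]] = "no_action"
        elif stmt["status"] == "affected":
            decisions[adv["vuln"]] = "remediate: " + stmt.get("action", "see advisory")
        else:
            decisions[adv["vuln"]] = "investigate"  # unknown status: treat conservatively
    return decisions
```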
