Page 190 - Cyber Defense eMagazine July 2024

coming next, including the potential shift from product security being a voluntary commitment to a requirement.



            Continuous Guidance and Requirements

Over 100 signatories have committed to making a good-faith effort to meet the seven goals of CISA's Secure by Design pledge, including increasing multi-factor authentication use across their products, reducing default passwords, and reducing entire classes of vulnerabilities, with measurable progress expected within one year. In the spirit of radical transparency, signatories are encouraged to document their progress publicly.

In March 2024, CISA and the Office of Management and Budget (OMB) released the Secure Software Development Attestation Form, the common form that OMB memorandum M-22-18 requires software producers to complete before federal agencies use their software. CISA Senior Technical Advisor Jack Cable positions it as another "key step" in ensuring federal contractors deliver secure products to the government.

These efforts aim to advance Secure by Design principles and strengthen software supply chain security by giving agencies more visibility into, and oversight of, the development and security practices of the software producers they buy from.



            Incentivizing secure software development

The White House is in talks with software makers to create a liability framework that gives vendors a legal incentive to ship software without exploitable flaws. This effort, coined Secure by Demand, is a significant component of the Biden administration's National Cybersecurity Strategy, which calls for shifting liability for insecure software onto the parties best placed to prevent it.

Software liability is a complicated issue, especially for open-source software, which is developed collaboratively by a community of maintainers who typically have no contract with the vendors that ship their code. Liability is a penalty-based approach; applied bluntly, it would fall on software vendors and the open-source community alike, without consideration of its broader implications.


Some alternatives under discussion include requiring manufacturers that use open-source components to keep those components updated to their latest versions, or establishing shared liability between open-source maintainers and the companies that incorporate their tools into commercial products.

Regardless of future requirements, continued education on Secure by Design and Secure by Demand approaches is necessary to improve secure software development.



            Developing Secure by Design software

A Secure by Design approach is the best way to avoid introducing vulnerabilities into an agency's software. Agencies can move toward a Secure by Design framework by adopting DevSecOps practices, maintaining a software bill of materials (SBOM) for every product, and ensuring that any AI incorporated into the software development process is itself secure.







            Copyright © 2024, Cyber Defense Magazine. All rights reserved worldwide.