The Biden Administration’s executive order on cybersecurity of May 12, 2021 was ambitious but clear: if agencies want to protect themselves against crippling incidents like the SolarWinds supply chain compromise and the Colonial Pipeline ransomware attack, and improve their own incident response, there are steps they need to follow to secure critical infrastructure and software supply chains.
One year later, it’s clear that progress has been made, but there is still work to do. Data from the most recent Invicti AppSec Indicator revealed that 32% of government agencies were vulnerable to SQL injection (SQLi) attacks in 2021. SQLi lets an attacker alter the queries an application sends to its database, which can expose sensitive records and serve as a foothold for more serious attacks. Its continued prevalence shows that severe, well-understood vulnerabilities are still slipping through, including in the software that makes up vital supply chains.
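To make the SQLi point concrete, here is an added example (it is not code from the original article or from Invicti) showing the vulnerable pattern beside its fix. It uses a constructed in-memory SQLite table standing in for an agency record set; the table, rows and the `citizens` schema are invented for the illustration. The vulnerable lookup splices the caller's input into the query text, so a classic tautology payload removes the `clearance = 'public'` restriction and dumps every row; the parameterized version treats the same payload as an ordinary string and returns nothing.

```python
import sqlite3


def build_db() -> sqlite3.Connection:
    """Constructed in-memory table standing in for an agency's citizen records."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE citizens (id INTEGER PRIMARY KEY, name TEXT, "
        "ssn_last4 TEXT, clearance TEXT)"
    )
    conn.executemany(
        "INSERT INTO citizens (name, ssn_last4, clearance) VALUES (?, ?, ?)",
        [
            ("Ana Diaz", "1234", "public"),
            ("Bob Lee", "5678", "restricted"),
            ("Cy Park", "9012", "restricted"),
        ],
    )
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, name: str) -> list:
    """Vulnerable: the caller's input is spliced into the SQL text, so a quote
    in `name` ends the string literal and the rest is parsed as SQL."""
    sql = (
        "SELECT name, ssn_last4 FROM citizens "
        f"WHERE name = '{name}' AND clearance = 'public'"
    )
    return conn.execute(sql).fetchall()


def lookup_safe(conn: sqlite3.Connection, name: str) -> list:
    """Hardened: a parameterized query. The driver binds `name` as a value;
    it is never parsed as SQL, so quotes and comment markers stay data."""
    sql = "SELECT name, ssn_last4 FROM citizens WHERE name = ? AND clearance = 'public'"
    return conn.execute(sql, (name,)).fetchall()


# Classic tautology payload: closes the string literal, makes the WHERE clause
# always true, and comments out the `clearance = 'public'` restriction.
PAYLOAD = "x' OR '1'='1' --"


def demo() -> dict:
    """Run the normal lookup and the attack against both implementations."""
    conn = build_db()
    return {
        "vulnerable_normal": lookup_vulnerable(conn, "Ana Diaz"),
        "vulnerable_attack": lookup_vulnerable(conn, PAYLOAD),
        "safe_attack": lookup_safe(conn, PAYLOAD),
    }


if __name__ == "__main__":
    for label, rows in demo().items():
        print(f"{label}: {rows}")
```

The only difference between the two lookups is whether the input reaches the SQL parser. That is also why output escaping and blocklists are the wrong fix: parameterized queries (or an ORM that uses them) remove the problem class rather than chasing individual payloads.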
The importance of clarity in the software supply chain
Transparency in the software supply chain is critical, and it can make or break incident response for agencies of all sizes. With a Software Bill of Materials (SBOM), an inventory of the components that make up each application, organizations can quickly determine whether a newly disclosed vulnerability affects a component in any application in their asset inventory, rather than asking every vendor or inspecting every build by hand. This transparency is imperative for improving security posture and shrinking the overall attack surface.
To refocus some of these efforts on the software supply chain, the National Institute of Standards and Technology (NIST) recently updated its response to the Executive Order with guidelines for identifying and remediating risk in the software supply chain. The publication outlines practices for managing cybersecurity risks within the supply chain and offers guidance for checking components that earlier security processes may have overlooked.
This update comes a few months after the Office of Management and Budget (OMB) released a memo (M-22-09) directing federal agencies to move toward a zero trust architecture. As federal agencies partner with cybersecurity vendors to modernize their tooling, they can extend security coverage while implementing zero trust principles. Because zero trust “...assumes that a breach is inevitable or has likely already occurred,” it narrows access to only what each identity and workload needs and flags activity that falls outside that scope, helping agencies cover more of their attack surface.
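The SBOM lookup described above, as an added example that is not part of the original article and not an Invicti or NIST tool. It embeds a constructed CycloneDX-style SBOM for a fictional application and a constructed advisory in an OSV-like shape (the advisory identifier `EXAMPLE-2021-0001`, the package names and the affected range are all invented). The matcher walks the SBOM's components, parses each package URL (purl), and reports the components whose ecosystem, namespaced name and version fall inside the advisory's affected range. It also shows the check a practitioner wants: matching on purl type and namespace rather than the bare component name, so a package from a different ecosystem that happens to share a name is not a false positive. The purl and version parsers are deliberately minimal (no percent-decoding, pre-release suffixes ignored), which is stated in the comments.

```python
import json

# Constructed CycloneDX-style SBOM for a fictional application; the component
# names and purls are placeholders, not real packages.
SBOM_JSON = """
{
  "bomFormat": "CycloneDX",
  "specVersion": "1.4",
  "metadata": {"component": {"name": "benefits-portal", "version": "3.2.0"}},
  "components": [
    {"type": "library", "name": "log-helper", "version": "2.14.1",
     "purl": "pkg:maven/org.example/log-helper@2.14.1"},
    {"type": "library", "name": "log-helper", "version": "1.0.3",
     "purl": "pkg:npm/log-helper@1.0.3"},
    {"type": "library", "name": "json-parse", "version": "5.2.0",
     "purl": "pkg:maven/org.example/json-parse@5.2.0"}
  ]
}
"""

# Constructed advisory in an OSV-like shape. The identifier is a placeholder,
# not a real CVE, and the affected range is invented for the example.
ADVISORY = {
    "id": "EXAMPLE-2021-0001",
    "affected": [
        {
            "package": {"ecosystem": "maven", "name": "org.example/log-helper"},
            "ranges": [{"events": [{"introduced": "2.0.0"}, {"fixed": "2.15.0"}]}],
        }
    ],
}


def parse_purl(purl: str) -> tuple:
    """Minimal package-URL parser: pkg:type/namespace/name@version?qualifiers#subpath
    -> (type, "namespace/name", version). Assumes no percent-encoded characters."""
    if not purl.startswith("pkg:"):
        raise ValueError(f"not a purl: {purl}")
    body = purl[4:].split("#", 1)[0].split("?", 1)[0]
    path, version = body.rsplit("@", 1) if "@" in body else (body, "")
    ptype, _, name = path.partition("/")
    return ptype.lower(), name, version


def parse_version(v: str) -> tuple:
    """Dotted numeric version -> comparable tuple, padded to three parts.
    Assumption: a pre-release suffix after '-' is ignored; this is not a full
    semver comparison, just enough for the ranges used here."""
    parts = [int(p) for p in v.split("-", 1)[0].split(".")]
    return tuple(parts + [0] * (3 - len(parts)))


def in_range(version: str, events: list) -> bool:
    """OSV-style range walk: events are ordered; 'introduced' turns the affected
    state on once the version reaches it, 'fixed' turns it off again."""
    v = parse_version(version)
    affected = False
    for ev in events:
        if "introduced" in ev and v >= parse_version(ev["introduced"]):
            affected = True
        elif "fixed" in ev and v >= parse_version(ev["fixed"]):
            affected = False
    return affected


def affected_components(sbom: dict, advisory: dict) -> list:
    """Return the SBOM components the advisory applies to. Matching uses the
    purl type and namespaced name, not the bare component name, so the npm
    package that shares the name 'log-helper' is not reported."""
    hits = []
    for comp in sbom.get("components", []):
        purl = comp.get("purl")
        if not purl:
            continue  # nothing reliable to match on without a purl
        ptype, pname, pversion = parse_purl(purl)
        for aff in advisory["affected"]:
            pkg = aff["package"]
            if pkg["ecosystem"].lower() != ptype or pkg["name"] != pname:
                continue
            for rng in aff.get("ranges", []):
                if in_range(pversion, rng["events"]):
                    fixed = [e["fixed"] for e in rng["events"] if "fixed" in e]
                    hits.append({
                        "purl": purl,
                        "advisory": advisory["id"],
                        "fixed_in": fixed[0] if fixed else None,
                    })
    return hits


def load_sbom() -> dict:
    return json.loads(SBOM_JSON)


if __name__ == "__main__":
    for hit in affected_components(load_sbom(), ADVISORY):
        print(f"{hit['advisory']}: {hit['purl']} (fixed in {hit['fixed_in']})")
```

Run against the embedded data, the matcher flags only the Maven `log-helper` 2.14.1 component and reports 2.15.0 as the fix version; the npm `log-helper` and the unrelated `json-parse` library are left alone. In practice the SBOM would come from the build pipeline and the advisory from a feed such as OSV or the NVD, and the same three steps apply: identify the package precisely, compare versions with the ecosystem's real ordering rules, and record the fix version so the remediation ticket is actionable.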
Looking ahead: building on a foundation of AppSec transparency
Zero trust and SBOMs both help agencies take their AppSec programs to the next level, especially when it comes to transparency in the software supply chain and a more proactive approach to complete coverage. As bad actors continue to exploit high-severity, directly exploitable vulnerabilities, with government sectors a frequent target, that level of transparency is more critical than ever.
With these directives in place, agencies have a foundation for moving away from legacy solutions and toward modern approaches that keep the supply chain secure. By following NIST’s guidelines and embedding continuous security testing into their development processes, with a focus on protecting sensitive data, agencies can find and fix web application vulnerabilities much more effectively.
To gain deeper insight into NIST’s pilot programs, read about their cybersecurity efforts and recommendations outlined here for improving supply chain security.