‘A comprehensive tool that can take you from crawl to walk to run’
Infosec experts have welcomed the US National Institute of Standards and Technology’s (NIST’s) overhaul of its cybersecurity supply chain risk management guidance (C-SCRM).
Developed in response to an executive order signed by President Biden in May 2021, the revised C-SCRM document provides advice on identifying, assessing, and addressing cybersecurity risks throughout the supply chain.
The publication – ‘Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations’ (PDF) – urges acquirers and end users of hardware, software, and digital services to undertake due diligence on the origin and security of a digital product’s components.
“If your agency or organization hasn’t started on [C-SCRM], this is a comprehensive tool that can take you from crawl to walk to run, and it can help you do so immediately,” said NIST’s Jon Boyens, co-author of the publication, in a press release.
‘Foundational best practices’
Attackers are increasingly targeting digital supply chains because they can compromise multiple devices, applications or organizations by poisoning or exploiting weaknesses in widely used components, with the 2020 SolarWinds attack the most devastating example to date.
Ilkka Turunen, field CTO at software supply chain security specialist Sonatype, told The Daily Swig: “As next-gen supply chain attacks increase, the C-SCRM guidance formalizes many known practices across organizations large and small.
“It describes foundational best practices – like generating SBOMs [software bill of materials] – and the sustaining activities needed to maintain effective supply chain security practices.”
He continued: “This compendium of knowledge imparts how to defend against future Log4Shell issues and other next-gen threats. It’s time for organizations to invest in automating these processes.”
Tim Mackey, principal security strategist at Synopsys Cybersecurity Research Center, said the document covers much more than the value of SBOM for open source components.
“Software enters an organisation from multiple origin points, including open source and API usage,” he told The Daily Swig.
“Operators of software, whether the software is purely open source in nature or the result of proprietary development, effectively accept the business risks associated with the use of that software.
“Mitigation of software risks starts with an understanding of how managed and unmanaged software usage within an organisation occurs, and progressively mitigating those risks – not just at the vendor level, but continuously with each new software version and change.”
Cequence Security, an API security specialist, recently sounded the alarm on the ongoing persistence of the critical Log4Shell vulnerability, which was discovered six months ago in the near-ubiquitous logging utility Apache Log4j.
The issue, which the firm dubbed ‘LoNg4j’, “illustrates how interconnected modern enterprise IT infrastructure is and how this digital supply chain extends far beyond the known applications”, said Jason Kent, Hacker in Residence at Cequence Security.
The revamped NIST guidance is currently available only as a PDF document, but the authors said they intend to also publish a more user-friendly, clickable web version and a quick-start guide aimed at organizations that are new to C-SCRM.