Introducing Qwiet AI AutoFix! Reduce the time to secure code by 95% Read More

As the neverending stream of publications implementing Executive Order (EO) 14028 continue to drop, the National Institute of Standards and Technology (NIST) continues to provide additional guidance. At the end of August 2023, NIST released its most recent draft Special Publication (SP) 800-204D “Strategies for the Integration of Software Supply Chain Security in DevSecOps CI/CD pipelines.” Although NIST will collect comments until October 13, 2023, this draft provides some insight into the agency’s future direction. In response to attacks targeting the software supply chain (SSC), NIST published SP 800-204D as a follow up to its Secure Software Development Framework (SSDF), integrating security assurance into CI/CD pipelines. 

Although developers don’t need to know all the details, you may want to have a high level understanding of the basic principles outlined in NIST’s “Strategies for the Integration of Software Supply Chain Security in DevSecOps CI/CD pipelines.”

Differentiating between software supply chain defects and software supply chain attacks

At the outset, NIST notes that SSDF as an application architecture may not map to the Software Development Lifecycle (SDLC) that cloud-native application developers use. To tie everything together, the agency identifies these following SSC activities:

  • Dependency management
  • Writing source code
  • Building, packaging, and delivering an application
  • Repacking and containerization

In doing this, NIST explains that the SSC model applies to elements of secure software development, secure build systems, and dependency management.

Additionally, NIST makes the following distinction:

  • Software Supply Chain Defects: unintended defects that malicious actors can exploit, like Log4Shell
  • Software Supply Chain Attacks: malicious tampering with steps, artifacts, or actors intended to compromise software artifact consumers

A SSC attack occurs in the following three stages:

  • Artifact, step, or actor compromise that modifies an artifact or its information
  • Propagation throughout the chain
  • Exploitation by the attacker to achieve objectives

SSC Risk Factors

NIST categorizes the risk factors into five groups:

  • Developer environment: workstations and environments 
  • Threat actors: internal threats (disgruntled employees or contractors) and external threats (foreign adversaries, criminal organizations, and cyber activists)
  • Attack vectors: malware, social engineering, network-based attacks, physical attacks
  • Attack targets: at-risk assets like source code, credentials, and sensitive data
  • Types of exploits: malicious actors seeking to compromise components by injecting vulnerabilities or malware into SSC, using stolen credentials, leaking sensitive data, injecting malicious code into repositories, leveraging code integrity issues in public repositories

Mitigation Measures

Noting that a secure software dev