The Biden Administration released its National Cybersecurity Strategy last week. It aims to address the increasing threat of cyberattacks and protect America’s critical infrastructure, data, and networks. With cybersecurity becoming an ever more pressing issue, the strategy sets out a comprehensive approach that focuses on safeguarding government and private sector networks, reducing risk, and enhancing resilience. One critical aspect of the strategy is Strategic Objective 3.3, which emphasizes the need for vendors of software to take more responsibility for developing secure code.
“Software has always been the Achilles heel of any security organization. You can create an incredibly secure environment with robust security controls and still be subject to an unknown vulnerability lurking in a mission-critical application,” explained Bruce Snell, Cybersecurity Strategist at Qwiet AI. “It shouldn’t go unnoticed that ‘SBOM’ (software bill of materials) is pronounced ‘S – bomb’.”
Strategic Objective 3.3
In the past, software developers have not always taken cybersecurity seriously, resulting in the creation of software with known vulnerabilities that can be exploited by attackers. Strategic Objective 3.3 seeks to shift the liability for insecure software to vendors, making them more accountable for the security of the software they produce. This shift in responsibility is significant because it requires vendors to focus on developing secure code and implementing security best practices throughout the software development lifecycle.
The objective recognizes that software is a significant vector for cyberattacks, and as such, it places a greater emphasis on the importance of secure code development. It highlights the need for software developers to adopt secure coding practices, use secure software development tools, and undergo training to ensure they understand the potential cybersecurity risks associated with their code.
By making vendors more accountable for the security of their software, Strategic Objective 3.3 aims to reduce the number of successful cyberattacks and minimize the impact of those that do occur. It recognizes that while government agencies and organizations have a responsibility to protect their networks, they also rely heavily on third-party vendors for software and services. By holding vendors accountable for the security of their products, the objective aims to encourage them to prioritize security in their development processes, reducing the likelihood of vulnerabilities and exploits that can be leveraged by attackers.
Snell compared the shift in liability to the automotive industry. “Most of us have had to deal with a recall that has you taking your car into the dealer for a fix. This sort of move could have software manufacturers being more active about making sure organizations are patched and on the most secure version of their code. Hopefully, this will make people look more closely at the costs associated with patching after the fact vs. more security testing before release.”
Develop More Secure Coding Practices
In addition to shifting liability for insecure software to vendors, Strategic Objective 3.3 also calls for the adoption of secure coding practices across the industry. It recognizes that secure code development is not a one-time event but a continuous process that requires ongoing attention and investment. The objective calls for the development of standards and best practices for secure code development, as well as the promotion of secure coding practices through training and education.
The objective also emphasizes the importance of integrating security into the software development lifecycle from the beginning, rather than treating it as an afterthought. By incorporating security into the development process, software developers can identify and mitigate potential vulnerabilities earlier in the process, reducing the risk of exploitation by attackers.
Finally, Strategic Objective 3.3 recognizes that the responsibility for secure code development is not limited to vendors but also extends to government agencies and organizations. The objective calls for the adoption of secure coding practices by all stakeholders, including government agencies, contractors, and subcontractors, to ensure that cybersecurity is integrated into all aspects of the software development lifecycle.
Software is a significant vector for cyberattacks, and secure code development is a crucial, continuous process that requires ongoing attention and investment. By integrating security into the software development lifecycle and adopting secure coding practices across all stakeholders, the objective aims to enhance the resilience of America’s critical infrastructure, data, and networks against cyber threats.