resident Joe Biden’s new executive order takes important steps to bringing awareness to security for organizations when developing software. With 52% of breaches caused by malicious attacks against applications in 2020, the changes mentioned in the executive order are becoming increasingly prevalent.
What are the high-level implications?
More engagement within the development cycle is crucial. The Executive Order calls to improve technological security, including application security and cloud security, utilizing methods such as incident tracking, testing, reporting, data encryption, multi-factor authentication, zero trust, and more. This can be seen as an opportunity for growth, since better technology and security leads to better competition in the market, and also incentivizes products to use security as a competitive edge. The increased competition pushes for improvements in software supply chain security.
Guidance is also provided on security practices for the software supply chain, and many guidelines include criteria that can be used to evaluate software security practices.
How does the Executive Order affect Cloud Security?
Modernizing cybersecurity ensures that we keep up with modern threats that are becoming increasingly complex and dynamic. The Executive Order emphasizes moving towards a Zero Trust security model, which emphasizes that organizations should not automatically trust anything within or outside the organization, and must instead verify everything that requests to connect to the system prior to granting access.
The shift to using secure cloud services such as Software as a Service (SaaS), Infrastructure as a Service (IaaS), and Platform as a Service (PaaS) is also accelerating. There has also been more focus on data and analytics as a way to manage cybersecurity risks while investing in technology to meet modernization goals.
How does the Executive Order affect Application Security?
Application development must be secure from beginning to end. More importance has been placed on creating secure software development environments, including using separate build environments, auditing trust relationships, and tightening security via a multi-factor authentication/conditional access. Increasing and maintaining security documentation during the development process is also crucial. Additionally, data encryption and data protection will be employed to improve compliance and reduce customer and organizational risk.
More source code testing, and minimum standards for testing software source code are being enforced. This also includes identifying recommended types of testing, such as “code review tools, static and dynamic analysis, software composition tools, and penetration testing”. Forward Security uses the ASVS (Application Security Verification Standard), a set of guidelines that provides developers with requirements for secure development to ensure security standards are being met.
Maintaining integrity on open-source projects via documentation and controls on internal and third-party software is crucial. A Software Bill of Materials (SBOM) must now be provided for each product directly. The order encourages the modernization and adoption of secure cloud services and third-party software.
What are the long-term effects of these changes?
The executive order draws crucial attention to security, leading to higher quality applications from a security standpoint. Like agriculture and education, software is quickly becoming critical infrastructure. Security must be prioritized as the demand for software grows. With better security measures in place, developers build applications with more secure practices, making higher quality applications the norm.
Forward Security provides DevSecOps services to enable organizations to add security across all stages of app development and operation to ensure security is not an afterthought. Visit forwardsecurity.com or get in touch with us at firstname.lastname@example.org for a security consultation. Follow us on LinkedIn or Twitter for upcoming workshops and events.
Check out this article from the NIST (National Institute of Standards and Technology) for definitions and terminology mentioned in the Executive Order.
Cost of a Data Breach Report 2020 | IBM. (2020). https://www.ibm.com/security/digital-assets/cost-data-breach-report/#/
House, T. W. (2021, May 13). Executive Order on Improving the Nation’s Cybersecurity. The White House. https://www.whitehouse.gov/briefing-room/presidential-actions/2021/05/12/executive-order-on-improving-the-nations-cybersecurity/