This article is Part 1 of a two-part series – Part 2: Simplifying NIST’s Guidance for US Executive Order 14028: New Standards for Software Verification
The United States’ cybersecurity executive order (EO 14028) takes important steps toward raising awareness of security among organizations that develop software. With 52% of breaches in 2020 caused by malicious attacks (IBM, 2020), the practices called for in the executive order are becoming increasingly relevant. Modernizing cybersecurity practices is how organizations keep up with threats that are growing more complex and dynamic.
What Are the High-level Implications?
The Executive Order calls for improvements in technological security, including application security and cloud security, through measures such as:
- Incident tracking
- Software testing
- Reporting
- Data Encryption
- Multi-factor authentication
- Zero trust
- and more
This can be seen as an opportunity for growth: better technology and security lead to stronger competition in the market and give vendors an incentive to use security as a competitive edge. That growth in turn drives improvements in software supply chain security.
The Executive Order also directs guidance on security practices for the software supply chain, including criteria that can be used to evaluate the security practices of software producers.
How Does the Executive Order Affect Cloud Security?
The use of cloud services such as Software as a Service (SaaS), Infrastructure as a Service (IaaS), and Platform as a Service (PaaS) is accelerating. The Executive Order emphasizes moving to secure cloud environments and adopting a Zero Trust architecture: no environment, the cloud included, is implicitly trusted, and every access request is authenticated and authorized regardless of where it originates.
How Does the Executive Order Affect Application Security?
The Executive Order notes that application development must be secure from beginning to end. More importance has been placed on creating secure software development environments, including:
- Using separate build environments
- Auditing trust relationships
- Tightening access via multi-factor authentication and conditional access
- Producing and maintaining security documentation throughout the development process
- Employing data encryption and data protection to improve compliance and reduce customer and organizational risk
The order also calls for guidelines setting minimum standards for testing software source code, covering testing approaches such as:
- Code review tools
- Static and dynamic analysis (SAST / DAST)
- Software composition analysis (SCA) tools
- Penetration testing
Forward Security uses OWASP’s Application Security Verification Standard (ASVS), which gives developers a set of requirements they can use to build more secure applications and meet the security assurance goals of the organization.
Maintaining the integrity of open-source components, through documentation and controls on internal and third-party software, is crucial.
A Software Bill of Materials (SBOM) must now be provided to the purchaser for each product, either directly or by publishing it on a public website. The order also encourages the modernization and adoption of secure cloud services and third-party software.
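To make the SBOM and software composition points above concrete, here is an added example (not code from the original article or from Forward Security) of what a purchaser can do with an SBOM once it is delivered: parse a CycloneDX JSON document, flag components that cannot be identified unambiguously, and match the rest against an advisory list. The SBOM contents, the product name "example-api", and the advisory identifier "EXAMPLE-ADV-001" are all constructed for this illustration and do not refer to any real product or vulnerability.

```python
"""Added example: consume a CycloneDX SBOM and run a basic composition check.
Everything below (the SBOM, the advisory feed) is constructed sample data."""
import json

# Constructed CycloneDX 1.4 SBOM for a hypothetical service "example-api".
# Names and versions are illustrative; this is not any real product's SBOM.
SAMPLE_SBOM = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.4",
    "version": 1,
    "metadata": {"component": {"type": "application",
                               "name": "example-api", "version": "2.3.0"}},
    "components": [
        {"type": "library", "name": "requests", "version": "2.31.0",
         "purl": "pkg:pypi/requests@2.31.0"},
        {"type": "library", "name": "pyyaml", "version": "5.3.1",
         "purl": "pkg:pypi/pyyaml@5.3.1?source=wheel"},
        # Deliberately incomplete entry: no purl, so it cannot be matched
        # against an advisory feed and should be reported as an inventory gap.
        {"type": "library", "name": "left-pad", "version": "1.3.0"},
    ],
})

# Constructed advisory data keyed by version-less purl. The advisory ID is a
# hypothetical placeholder, not a real vulnerability identifier.
ADVISORIES = {
    "pkg:pypi/pyyaml": {"5.3.1": "EXAMPLE-ADV-001"},
}


def load_sbom(text):
    """Parse a CycloneDX JSON document and reject anything else."""
    bom = json.loads(text)
    if bom.get("bomFormat") != "CycloneDX" or "components" not in bom:
        raise ValueError("expected a CycloneDX SBOM with a components list")
    return bom


def split_purl(purl):
    """Return (version-less purl, version); qualifiers and subpath dropped."""
    core = purl.split("?", 1)[0].split("#", 1)[0]
    base, _, version = core.partition("@")
    return base, version


def inventory_gaps(bom):
    """Components lacking the fields a purchaser needs to identify them."""
    gaps = []
    for comp in bom["components"]:
        missing = [k for k in ("name", "version", "purl") if not comp.get(k)]
        if missing:
            gaps.append((comp.get("name", "<unnamed>"), missing))
    return gaps


def match_advisories(bom, advisories):
    """Software-composition check: components pinned at an advised version."""
    hits = []
    for comp in bom["components"]:
        purl = comp.get("purl")
        if not purl:
            continue  # already reported by inventory_gaps
        base, version = split_purl(purl)
        adv_id = advisories.get(base, {}).get(version)
        if adv_id:
            hits.append((comp["name"], version, adv_id))
    return hits


def review(text, advisories=ADVISORIES):
    """Full review of one SBOM: product name, inventory gaps, advisory hits."""
    bom = load_sbom(text)
    product = bom.get("metadata", {}).get("component", {}).get("name", "<unknown>")
    return {"product": product,
            "gaps": inventory_gaps(bom),
            "advisories": match_advisories(bom, advisories)}


if __name__ == "__main__":
    print(json.dumps(review(SAMPLE_SBOM), indent=2))
```

The two checks matter for different reasons: a component with no package URL is one a purchaser cannot trace, so an SBOM that leaves it out fails the "identify what is inside" goal even before any vulnerability lookup, while the advisory match is the same operation an SCA tool performs, just over the supplier's declared inventory rather than a scan of the build.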
What Are The Long-term Effects of These Changes?
The executive order draws crucial attention to cybersecurity, which should lead to higher-quality applications from a security standpoint. Much like agriculture and education, software is quickly becoming critical infrastructure. As demand for software grows, security must be prioritized and built into the application’s DNA rather than bolted on as an afterthought, making high-quality applications the norm.
Forward Security provides DevSecOps products and services that help organizations add security across all stages of application development and operation, ensuring security is not an afterthought.
Contact us at contactus@fwdsec.com for a free security consultation. Follow us on LinkedIn or Twitter for upcoming workshops and events.
See this NIST (National Institute of Standards and Technology) page for definitions of the terminology used in the Executive Order.
References
IBM. (2020). Cost of a Data Breach Report 2020. https://www.ibm.com/security/digital-assets/cost-data-breach-report/#/
The White House. (2021, May 12). Executive Order on Improving the Nation’s Cybersecurity. https://www.whitehouse.gov/briefing-room/presidential-actions/2021/05/12/executive-order-on-improving-the-nations-cybersecurity/