Would you have guessed that a time would come when the White House focuses so emphatically on the needs of software developers and software businesses? It may be surprising to some, but in hindsight, it was only a matter of time. Because today, national security and human security are tied up with software security.
In my last post, I mentioned President Biden urging software businesses to build resilient security. In this follow-up, I want to briefly address the specific cyberattack prevention directives that the Biden-Harris administration also provided for technology and software companies.
Most of this won't surprise you, but it's a great reminder for us to check our software and business... Are we doing the things we're supposed to be doing? And are we doing them well?
The Directives for Technology and Software Companies
1. Build security into your products from the ground up — “bake it in, don’t bolt it on” — to protect both your intellectual property and your customers’ privacy.
Damilare's commentary: Every serious software company - once out of the super-early, neophyte startup stage - must have a Secure Development Lifecycle (SDL). The SDL builds security into every one of the (now iterative) steps of software development: requirement definition, architecture and design, coding, testing, deployment, and the automation that ties most of it together. This can't be optional.
2. Develop software only on a system that is highly secure and accessible only to those actually working on a particular project.
Damilare's commentary: This is one of those requirements that compliance frameworks like SOC 2 and ISO 27001 check for. If the security of developer systems is weak, it increases the risk of cyberattackers injecting malicious code into your software product or its updates right from the developer's machine. In other words, there is no need to attack the software itself; the insecure developer machine already provides convenient access.
3. Use modern tools to check for known and potential vulnerabilities. Developers can fix most software vulnerabilities — if they know about them.
Damilare's commentary: It is increasingly convenient to discover coding vulnerabilities during development. Static analysis tools can be integrated into CI/CD, catching coding flaws as developers commit code. Modern security training tools also provide contextual and gamified secure coding training.
4. Software developers are responsible for all code used in their products, including open-source code.
Damilare's commentary: Third-party vulnerability management tools can be integrated into CI/CD so that when vulnerabilities are discovered in the open-source components your business uses, the available patches are automatically surfaced to your developers for fixing their software. Some of the actual fixes can also be automated.
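To make directives 3 and 4 concrete, here is an added example (my own illustration, not code from the original post or from any particular tool) of the kind of dependency audit a CI/CD step runs: it reads a pinned lockfile, matches each component against an advisory feed, fails the build when an affected version is found, and tells the developer which version carries the fix. The component names, advisory IDs and version ranges are constructed for the example.

```python
import re

# Constructed advisory feed: component -> list of affected ranges [introduced, fixed)
ADVISORIES = {
    "example-http": [{"id": "ADV-EXAMPLE-001", "introduced": "2.0.0", "fixed": "2.31.0"}],
    "example-yaml": [{"id": "ADV-EXAMPLE-002", "introduced": "0.0.0", "fixed": "5.4"}],
}

# Constructed lockfile in pip requirements format (name==version per line)
LOCKFILE = """\
example-http==2.25.1
example-yaml==6.0.1
example-web==2.3.3
"""

def parse_version(v):
    """Split a dotted version into a tuple of ints so that '2.31.0' sorts above '2.4.0'."""
    return tuple(int(p) for p in re.findall(r"\d+", v))

def parse_lockfile(text):
    """Return {name: version} from 'name==version' lines, skipping blanks and comments."""
    deps = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        name, _, ver = line.partition("==")
        deps[name.strip().lower()] = ver.strip()
    return deps

def audit(lockfile_text, advisories):
    """List (component, installed, advisory id, fixed version) for every vulnerable pin."""
    findings = []
    for name, ver in parse_lockfile(lockfile_text).items():
        for adv in advisories.get(name, []):
            lo, hi = parse_version(adv["introduced"]), parse_version(adv["fixed"])
            if lo <= parse_version(ver) < hi:
                findings.append((name, ver, adv["id"], adv["fixed"]))
    return findings

def ci_gate(lockfile_text, advisories):
    """Return the exit code for the pipeline: 1 (fail) if any finding, else 0."""
    findings = audit(lockfile_text, advisories)
    for name, ver, adv_id, fixed in findings:
        print(f"{adv_id}: {name}=={ver} is affected; upgrade to {fixed}")
    return 1 if findings else 0

if __name__ == "__main__":
    raise SystemExit(ci_gate(LOCKFILE, ADVISORIES))
```

A real pipeline would fetch the advisory feed from a vulnerability database rather than embed it, and could open the upgrade pull request itself, which is the automated fix the commentary above refers to.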
5. Implement the security practices mandated in the President’s Executive Order, Improving our Nation’s Cybersecurity.
Damilare's commentary: A few months ago, we released a brief that outlines, in simple and clear language, the key goals, opportunities, and trends found in the President's executive order. You can access it here.
I hope you found this helpful!