CyberSecurity Part 1: The EO, SBOMs, Threats, and Policies


AI-Powered Chatbots in Customer Service and Engagement

Using AI for customer service in your company is a definite method to save time and money. If you’re like most business owners, you’re constantly searching for fresh, creative ways to improve your enterprise. We’re here to inform you that improving AI customer service is a simple and rapid win.

Read More »

Recent ransomware and cyber attacks on MS Exchange, Colonial, JBS Foods, and especially SolarWinds appear to have crossed the line. They prompted President Biden to issue Executive Order (EO) 14028 on CyberSecurity on May 12, 2021. The EO sets into motion a tsunami of paperwork that will likely have a massive impact on many, if not most, software developers by mid-2022. Our first part on CyberSecurity takes a quick look at what the EO means for developers, the new importance of Software Bill of Materials, resources for threat awareness, patches, and cybersecurity policies.

Executive Order 14028 on CyberSecurity

With cyberattacks continuing, escalating, and directly threatening national security, the US Federal Government has decided to start looking at how to learn cyberjudo. That’s the gist of Biden’s Executive Order on Improving the Nation’s Cybersecurity. It sets forth a broad range of reviews to be conducted, policies and guidelines to be written, reports to be generated, etc.

Cybersecurity has come up many times before. But this time, the sheer amount of paperwork US government agencies are embarking upon indicates that they’re about to get serious. In effect, the Executive Order is a call to start mobilizing for CyberWar. It’s defensive in scope (mostly). Hackers and ransomware criminals may start to tremble and quiver in about a year. They have little to fear now, but one might recall Admiral Yamamoto’s thoughts following his successful attack on Pearl Harbor:

“I fear all we have done is to awaken a sleeping giant and fill him with a terrible resolve.”

Better late than never, as they say, suffice that software developers are likely to feel the punch first, and perhaps hardest. It’s for our own good – and to protect our user data.

“I fear all we have done is to awaken a sleeping giant and fill him with a terrible resolve.”

Better late than never, as they say, suffice that software developers are likely to feel the punch first, and perhaps hardest. It’s for our own good – and to protect our user data.

The EO’s Impact on Software Developers

The Executive Order only directly impacts the processes and requirements of US Federal agencies in procuring and contracting with IT providers and software developers. However, if you’re providing software or IT services to a federal agency, they will ask for you to be compliant or they’ll find another vendor. By extension, if you are providing software or services to companies serving as IT partners for federal agencies, they may require you to comply, too. Concurrently, if the US Government is mandating this, other governments will follow suit – as there are international treaties (like NATO) involved.

But even if none of this applies to you, the language within the EO implies much broader intentions. The intention exists to establish cybersecurity criteria for a consumer labeling program and a tiered software security rating system implicitly, “[to] focus on ease of use for consumers and a determination of what measures can be taken to maximize participation.”

One other very important point is that it will require service providers to share more data about cyberattacks with the Cybersecurity and Infrastructure Security Agency, FBI, and other agencies than has previously been the case. This may impact terms of service agreements and may require the renegotiation and/or adjustment of contracts regarding the data to be shared.

Issues with Open Source Components

According to Herb Kranser of CISQ’s 2020 report, The Cost of Poor Software Quality in the US, Open Source components are a major source of security vulnerabilities. Nearly all software includes some open source components, but audits have found that 75% of open source code bases have vulnerabilities. Half have high-risk vulnerabilities.

Software Bill of Materials (SBOMs)

A “Software Bill of Materials” (SBOM) is a continuously updated formal record of the components used in creating software – to include both open source and third-party commercial components. It’s sort of like that list of ingredients on the side of a cereal box that you read while eating breakfast. For starters, SBOMs should include the following for each software component:

  • Supplier name
  • Component name
  • Version of the component
  • Cryptograph hash of the component
  • Any other unique identifier
  • Dependency relationship
  • Author of the SBOM data

Both developers and buyers can use SBOMs to verify whether the components they are using are up to date and to assess risks. Software Composition Analysis (SCA) Tools can be used to perform automated scans of an application’s codebase, its components, license compliance, and security vulnerabilities. Ideal, SBOMs should be embedded within the application to simplify this process.

For more about SBOMs:

Keep Up To Date on the Latest Software Vulnerabilities

Where to even start? My favorite government agency – The US National Institute of Standards and Technology (NIST) maintains the National Vulnerability Database (NVD). The NVD is a repository of vulnerability data, security checklist references, security-related software flaws, misconfigurations, product names, and impact metrics. It includes 150,000 Common Vulnerabilities and Exceptions (CVEs) that are updated weekly with bulletins issued by the CyberSecurity & Infrastructure Security Agency (CISA). The bulletins include links to the latest patches when available. Love all the acronyms?!

If you need to conduct additional research about a vulnerability, CERT’s Vulnerability Notes Database provides summaries, technical details, remediation information, and lists of affected vendors. Many service providers and third-party software offer their own advisories, as well.

NIST is also the parent organization for the Federal Labs Consortium (FLC). Though not directly related to software security, the FLC is your one-stop-shop on all things related to Technology Transfer (T3) – patents, research, engineers, scientists. It’s like Bond’s “Q” on Steroids.

Keep Your Software Up to Date with the Latest Patches

With SBOMs, you know what’s in your software. With CISA and the NVD you know about the latest vulnerabilities. The most important thing you can do now is to keep your software up to date with the latest patches. Here, it’s also important to test the patches before deploying them to production. Patches aren’t foolproof, however.

This is where we see why the attack on SolarWinds prompted the federal government to begin preparing for war. Solarwinds offers a lot of companies (and federal agencies) the ability to automate their patches. The attack/espionage on SolarWinds inserted “backdoors” into the networks of these companies and agencies (around the world) – a year before it was detected!

Establishing Security Policies

It’s not just the Russians, Chinese, North Koreans, and Iranians getting unauthorized access to our systems and causing mayhem. When it comes to security, you really can’t trust anyone. It can be some guy with a laptop. Autistic, Gary McKinnon hacked NASA using a dial-up modem to access secret images of UFOs. To his credit, he left notices to NASA employees how to create secure passwords – and use them. Then, there’s Vault 7 and the freakin’ 34 Terabytes of data stolen by a CIA employee (over a period of years).

When it comes to creating a security policy, there’s ample assistance available:

  • When it comes to secure software development, securing your systems, though a bit dated (2006), make sure to grab NIST’s 178-page Information Security Handbook: A Guide for Managers. It’s free. It has 14 chapters covering everything from roles and responsibilities and SDLC to IT contingency planning, configuration management, and more.
  • Cloud Software Finland offers the Handbook of The Secure Agile Software Development Life Cycle, but if you look around you can find many different options for free.
  • If you are looking to set up a formal program, you will want to check out the ISO/IEC 27000 family of management system standards. ISO/IEC 27032:2012 covers security techniques and guidelines for Cybersecurity.

ISO compliance and/or certification may be required when contracting software development for government agencies and enterprises. Not every organization needs to be so formal, suffice that while it’s important to secure your software, it’s critical to secure user data. Failing to do so can open your company up to lawsuits and fines. For failing to take reasonable steps to secure its user data, Equifax was fined $575 million. Failure to secure user healthcare data (HIPAA), however, can in rare cases lead to fines and jail time. Security is serious business.

Enforcing Security

Aside from government enforcement of cybersecurity issues, it’s somewhat harder to find good guidance on how to actually enforce “cybersecurity” with developers and employees (as in non-developers who use company systems).

  • Memorandum of Understanding and Non-Disclosure Agreement. These are the strongest mechanisms for requiring employees and contractors to not share and to limit the manner in which they can access company data. A breach of an NDA can be grounds for suspension, termination, and civil suits.
  • The actual theft of trade secrets falls under the Economic Espionage Act which can result in a fine of up to $250k for an individual or $5 million for companies, 10 years of imprisonment, or both. Trade Secrets Act which prescribes criminal penalties

No one wants to get draconian about it – particularly with fellow developers and employees. But, it’s a real issue as employees are responsible for 40% of data theft and 70% of it takes place within 30 days of an employee giving notice.

The important thing, for now, is to take heed that cybersecurity is in the process of becoming much more important than ever before. COVID accelerated the trend toward distributed teams by a decade or more relative to earlier trends. The recent cyberattacks and subsequent response by the Whitehouse’s tech team will do the same – for national security and user data.

In our second part on CyberSecurity, we’ll get into secure software development best practices. In addition to how to make your software more secure, we’ll cover how to prevent, monitor, and detect security threats, and more.

Did you like our content?

Spread the word

Subscribe to Our Newsletter

Don't miss our latest updates.
All About Software Engineering Best Practices, Productivity Measurement, Performance Analytics, Software Team Management and more.

Did you like our content?

Spread the word

Subscribe to Our Newsletter

Don't miss our latest updates. All About Software Engineering Best Practices, Productivity Measurement, Performance Analytics, Software Team Management and more.