The Inner Circle

  • 1.  NSA, ODNI, and CISA Securing the Software Supply Chain: Recommended Practices for Developers

    Posted Sep 01, 2022 01:03:00 PM
    Hi All,

    The NSA, ODNI, and CISA developed this document to further their respective cybersecurity missions, including their responsibilities to develop and issue cybersecurity recommendations and mitigations.

    This document will provide guidance in line with industry best practices and principles, which software developers are strongly encouraged to reference. These principles include security requirements planning, designing software architecture from a security perspective, adding security features, and maintaining the security of software and the underlying infrastructure (e.g., environments, source code review, testing).

    Unmitigated vulnerabilities in the software supply chain pose a significant risk to organizations. This paper presents actionable recommendations for a software supply chain's development, production and distribution, and management processes to increase the resiliency of these processes against compromise. All organizations have a responsibility to establish software supply chain security practices to mitigate risks, but the organization's role in the software supply chain lifecycle determines the shape and scope of this responsibility. Because the considerations for securing the software supply chain vary based on the organization's role in the supply chain, this series presents recommendations geared toward these important roles, namely, developers, suppliers, and customers (or the organization acquiring a software product).

    ------------------------------
    Michael Roza CPA, CISA, CIA, MBA, Exec MBA
    ------------------------------


  • 2.  RE: NSA, ODNI, and CISA Securing the Software Supply Chain: Recommended Practices for Developers

    Posted Sep 02, 2022 12:13:00 PM
    Many thanks for sharing, Michael. I just finished an exercise for the IBM training in Coursera where I had to make a case study, and I chose to study the SolarWinds case, AKA Solorigate by Microsoft, without knowing the magnitude of the case beforehand. This document is probably an outcome of that incident, and it's really quite detailed, excellent reading. If someone still doesn't know about the SolarWinds case, please take a look and study the case. It was huge, very huge, and the impact was absurd. Its extent is unknown to this day; the attackers could have stolen so much data, classified and intelligence docs, projects, and so many things that it would take decades to study them, if they were indeed stolen. Brgds.

    ------------------------------
    Fabio Muller
    Computer Engineer
    ------------------------------



  • 3.  RE: NSA, ODNI, and CISA Securing the Software Supply Chain: Recommended Practices for Developers

    Posted Sep 02, 2022 10:54:00 PM





  • 4.  RE: NSA, ODNI, and CISA Securing the Software Supply Chain: Recommended Practices for Developers

    Posted Sep 06, 2022 06:17:00 AM
    Thanks for sharing!

    ------------------------------
    Derrek Arce
    Senior Cloud Security Engineer
    Arvest
    ------------------------------



  • 5.  RE: NSA, ODNI, and CISA Securing the Software Supply Chain: Recommended Practices for Developers

    Posted Sep 06, 2022 06:31:00 AM





  • 6.  RE: NSA, ODNI, and CISA Securing the Software Supply Chain: Recommended Practices for Developers

    Posted Sep 06, 2022 04:37:00 PM
    Thank you for sharing.

    ------------------------------
    Orhan IMAN
    Manager
    FIRAT BILGI LTD
    ------------------------------



  • 7.  RE: NSA, ODNI, and CISA Securing the Software Supply Chain: Recommended Practices for Developers

    Posted Sep 06, 2022 10:09:00 PM