Executive Order 14028 and the Software Supply Chain

Michael Peters

2 months ago

With Executive Order 14028’s requirements coming into effect, government agencies and their software partners are looking for ways to meet these stringent requirements. These include managing system security across all potential attack vectors, including those introduced during the development cycle.

Here, we discuss how the Secure Software Development Framework is a good baseline for approaching the EO requirements.

What Is Executive Order 14028?

Executive Order 14028 (“Executive Order on Improving the Nation’s Cybersecurity”) is a comprehensive directive aimed at strengthening the aging and underdeveloped cybersecurity defenses of the United States.

Some of the general requirements and upgrades the EO defines include:

Moving Toward Zero-Trust Architecture: The Federal Government must begin moving toward zero-trust architectures in their SaaS, PaaS, and IaaS infrastructure.
Enhancing Software Supply Chain Security: The EO mandates developing new standards for software security, including secure development environments, vulnerability disclosure programs, and software bills of materials to ensure transparency in software components.
Modernizing Cybersecurity: Federal agencies must adopt a zero-trust architecture, assuming threats could exist inside and outside the network. Agencies must implement multi-factor authentication (MFA) and encryption within a specific time frame to protect data and limit access to authorized users.
Establishing a Cyber Safety Review Board: This body, modeled after the National Transportation Safety Board, will review and assess significant cyber incidents and provide recommendations for improving cybersecurity practices.
Enhancing Detection and Response Capabilities: The EO directs the development of government-wide endpoint detection and response capabilities to enhance the ability to detect and respond to cyber threats across federal networks. Agencies must also improve their incident response capabilities by adopting a standardized playbook for responding to cyber incidents.
National Security Systems: The order emphasizes the need to secure national security systems and calls for specific measures to protect these critical systems from cyber threats.
Incident Reporting: The EO sets requirements for federal contractors to report cyber incidents promptly, ensuring timely and adequate responses to government systems breaches.
Cloud Security: Federal agencies are encouraged to adopt secure cloud services and implement robust security measures to protect cloud environments.

How Are Threats Introduced to the Software Supply Chain?

The Biden EO and the Secure Software Development Framework (SSDF) aim to address security issues in software development and close security gaps not covered by typical compliance standards.

The software supply chain is a long and involved process that includes stages such as:

Code development and maintenance
Code modification, integration, and library management
Delivery (patches, updates, or upgrades)
Integration with other platforms
Ongoing maintenance

Because software development is now such an involved and integrated process, the software development cycle is quite vulnerable to attacks, including the following:

Source Code Repositories: Attackers can gain unauthorized access to source code repositories by modifying code to introduce vulnerabilities or backdoors. Malicious insiders with access to the repositories can also intentionally inject malicious code, many of whom are much harder to track than outside attackers.
Third-Party Libraries and Dependencies: Hackers can exploit vulnerabilities in third-party libraries or compromise them to inject malicious code into integrated software. Attackers create malicious packages with the same name as internal packages, tricking developers into downloading and using them.
Build Systems: Attackers can compromise build servers to inject malicious code during the build process. Manipulating build scripts to include malicious instructions or dependencies.
Code Signing and Integrity: Hackers can inject malicious scripts into otherwise legitimate software if they steal keys to sign and verify authentic code. They can also modify official checksums to falsify code authentication.
Package Managers and Repositories: Unprotected repositories can allow hackers to launch “poisoned” packages that look legitimate but contain malicious code. Upload malicious packages to public repositories where developers can download and use them—poisoning package repositories with malicious versions of popular packages.
Software Updates: Compromising the software update mechanism to deliver malicious updates to users and intercepting and tampering with update communications to deliver malicious payloads.
Infrastructure: Insiders or hackers can modify templates to include insecure configurations, or code can allow hackers to access deployment scripts.
Phishing and Social Engineering: Social engineering is one of the biggest threats to all software, including the supply chain. Attackers target developers and IT personnel to access critical systems and inject malicious code.

Aligning Compliance with Executive Order 14028 and the Secure Software Development Framework

The date for achieving the changes required in this EO has already passed, and a significant part of the requirements involves securing software and the software supply chain. Fortunately, NIST provides several approaches to such security–primarily the SSDF as detailed in NIST SP 800-218. This framework provides software developers a blueprint for meeting minimum security requirements during the development lifecycle.

Some ways these align include:

Enhancing Software Supply Chain Security

The order mandates that federal agencies adopt stringent software development and procurement security practices. It requires using Software Bill of Materials (SBOMs) to increase transparency about software components and their origins.

The SSDF provides guidelines for secure software development practices, emphasizing the need for rigorous security controls throughout the software development lifecycle. The SBOM aligns with SSDF’s emphasis on transparency and component security.

Establishing Baseline Security Standards

The EO directs NIST to define baseline security standards for software development, including requirements for developers to maintain secure environments and implement secure coding practices.

NIST 800-218 is a foundational document providing these baseline security standards. It outlines specific practices and controls developers should implement to enhance software security, such as secure coding, security testing, and vulnerability management.

Adoption of Zero Trust Architecture

The Executive Order calls for adopting a Zero-Trust Architecture across federal agencies, which minimizes implicit trust and continuously verifies the security posture of devices, users, and applications.

While the SSDF focuses specifically on software development practices, the principles of Zero Trust can be integrated into the development process to ensure that software products are designed with minimal implicit trust and robust security verification mechanisms.

Improving Vulnerability Detection and Response

The EO requires the implementation of EDR initiatives and enhanced logging practices to detect and respond to cyber threats more effectively.

The SSDF emphasizes the importance of security testing and continuous monitoring as part of the development lifecycle. By integrating EDR and advanced logging, organizations can better detect and address vulnerabilities throughout the software development process.

Information Sharing and Transparency

The EO promotes improved information sharing between private and government agencies to enhance collective cybersecurity efforts.

The SSDF supports this by encouraging organizations to document and share security practices, vulnerabilities, and mitigation strategies, fostering a collaborative approach to improving software security.

Shore Up Your Software Development with Lazarus Alliance

The timeline for adherence to Executive Order 14028 has passed, and software supply chain security will be paramount for success. If you’re a developer who needs to get their lifecycle and security management up to speed, work with Lazarus Alliance.

To learn more, contact us.

[wpforms id=”137574″]