Thoughts on Biden’s cybersecurity Executive Order
2021-05-25 04:30

The compromise of SolarWinds enterprise solutions and the recent Microsoft Exchange zero-days have had a tremendous impact on the security posture of many US organizations, and it was just a matter of time before the US federal government took steps to act on these threats.

While there's some focus on threat intelligence sharing between different agencies and between providers and federal agencies, I am focusing this article on the more preventive security measures outlined in the EO, specifically those relating to modernizing federal government IT infrastructure, supply chain security and vulnerability management.

Leveraging a "User-access-first" approach to security makes security architecture and engineering choices much more scalable than an old-school "Perimeter security" model.

These dependencies play a significant role in the overall security of our applications.

Doing security effectively relies on adopting multiple security feedback loops in the SDLC. From threat modeling to threat hunting, DevSecOps is less about automation and more about adopting a way of doing security that keeps pace with the increasing speed of application development and delivery.

Strategic security automation: leveraging automation for static analysis, source composition analysis and SBOMs, and dynamic/interactive security analysis would be the way to go, not only to identify but also to remediate vulnerabilities early in the cycle.


News URL

http://feedproxy.google.com/~r/HelpNetSecurity/~3/yCZ6FIV4LDU/