
Government guide for supply chain security: The good, the bad and the ugly
2022-09-06 04:00

Just as developers and security teams were getting ready to take a breather and fire up the BBQ for the holiday weekend, the most prestigious U.S. security agencies dropped a 60-plus-page recommended practice guide, Securing the Software Supply Chain for Developers.

My first reaction was that it's great to see these agencies adding to the public discourse in these still heady days where we're all sorting out software supply chain security best practices.

I think it's also important for developers at large to weigh what makes sense in the most extraordinarily sensitive national security environments, versus what makes sense for the average enterprise developer and security team.

There are some excellent, prescriptive recommendations in the report, where these agencies advocate specific frameworks such as Supply-chain Levels for Software Artifacts (SLSA) and the Secure Software Development Framework (SSDF).

The report mentions these frameworks 14 and 38 times, respectively. For developers and security teams that realize they have a software supply chain security problem but don't know where to start, it now offers a clear path for their first steps.

Most of the source code in use today is open source, which brings its own security considerations, yet the report gives no attention to how to choose which open source projects to use, what to look for when deciding on a new dependency, approaches to scoring systems, or how to gauge the security health of an OSS project.

News URL

https://www.helpnetsecurity.com/2022/09/06/government-guide-supply-chain-security/