Security Agencies Post Compendium of Software Security Best Practices for Developers
A trio of federal security entities has published guidance on how the developer community can better protect the software supply chain.
The document, titled “Securing the Software Chain for Developers,” resulted from a collaboration among the National Security Agency, the Cybersecurity and Infrastructure Security Agency and the Office of the Director of National Intelligence.
Specifically, the paper is a product of the Enduring Security Framework public-private working group led by NSA and CISA.
The document offers industry and government-evaluated recommendations and serves as a compendium of existing resources for developers, NSA said Thursday.
In the 64-page document, ESF noted that President Joe Biden’s May 2021 executive order directed the federal government to better secure the software supply chain.
Biden called for systematic reviews, process improvements and new security standards for agencies procuring software products.
ESF said that software supply chain weaknesses have been underscored by cyberattacks such as the Russia-linked SolarWinds compromise and by the exploitation of vulnerabilities such as Log4j, which affected many applications.
The guidance is only the first in a three-part series. ESF will publish two others: one targeted at software suppliers and another at software customers.
ESF added that the document furthers the respective cybersecurity missions of NSA, ODNI and CISA, including the issuance of cybersecurity recommendations and mitigations.