White House Releases Executive Order on America’s Software Supply Chains

Following the late-2020 software supply chain attack on SolarWinds, which impacted multiple government agencies and private sector companies, President Biden issued a 2021 executive order asking for a comprehensive review of all government supply chains.

Within the order, Biden calls for the Secretary of Commerce and the Secretary of Homeland Security to coordinate with the heads of appropriate agencies and report on the security and integrity of the software supply chains for critical information and communications technology. Specifically, President Biden requests:

“The Secretary of Commerce and the Secretary of Homeland Security, in consultation with the heads of appropriate agencies, shall submit a report on supply chains for critical sectors and subsectors of the information and communications technology (ICT) industrial base (as determined by the Secretary of Commerce and the Secretary of Homeland Security), including the industrial base for the development of ICT software, data, and associated services.”

Software Supply Chain Attacks Are on the Rise

In our sixth annual State of the Software Supply Chain Report, we documented a 430% increase in software supply chain related attacks. While our report was released well before the SolarWinds attack made headlines, our data shows why the Biden administration is so concerned about attacks on our critical infrastructure, including software.

In the “normal” breach pattern for open source software packages, the time between a vulnerability disclosure and a breach exploiting it is about three days. In that pattern, a vulnerability is discovered, the project owners are given the chance to remedy the issue through the appropriate disclosure process, and the vulnerability is then published along with a fixed version of the code. Defenders get a window, however short, to update.

Where adversaries instead inject malicious code directly into containers or open source packages, there is no such window: the breach can occur as soon as the code is deployed into production and into your customers’ environments. Adversaries (Read more...)

*** This is a Security Bloggers Network syndicated blog from Sonatype Blog authored by Derek Weeks. Read the original post at: