U.S. Government’s Guidelines for Securing Software: Suppliers

Recently the U.S. Government, through the Enduring Security Framework (ESF) Software Supply Chain Working Panel, released the second in a series of three guidance documents to improve the security of the software supply chain. The first document addressed developers and the final one will be for customers. 

In this article, we take a deep dive into the guidance on steps software suppliers can take to improve the security of the software they distribute. The guidance will help organizations that supply software establish a security baseline if they haven’t already – a vital step.

As the authors point out, the “supplier also holds a critical responsibility in ensuring the security and integrity of our software. After all, the software vendor is responsible for liaising between the customer and the software developer. It is through this relationship that additional security features can be applied via contractual agreements, software releases, and updates, notifications and mitigations of vulnerabilities.”

We couldn’t agree more – it is why we do what we do. But what steps can software suppliers take? 

We have summarized it here for you, including what steps your organization can take.

What it recommends

Defines responsibilities for the supplier

The guidance defines a software supplier as an “intermediary, between the developer and customer” and suggests they retain primary responsibility for 

  1. Maintaining the integrity of securely delivered software.
  2. Validating software packages and updates.
  3. Maintaining awareness of known vulnerabilities.
  4. Accepting customer reports of issues or newly discovered vulnerabilities and notifying developers for remediation.

Define criteria for software security checks for the organization

Define what checks are required before delivering software, ensure the checks are completed, and notify customers of vulnerabilities, mitigations, and end-of-life support. Everyone in the software development lifecycle (SDLC) should be aware of these requirements and why (Read more...)

*** This is a Security Bloggers Network syndicated blog from Sonatype Blog authored by Sonatype. Read the original post at: https://blog.sonatype.com/u.s.-governments-guidelines-for-securing-software-suppliers