Critical Update: Do You Know What’s In Your Software?

In the wake of several major cybersecurity incidents, the government wants to shore up its software supply chain. Two experts explain the merits of some approaches and why there’s no silver bullet.

Recent intrusions into federal agencies and critical infrastructure are causing the government to more closely examine how software is made, in addition to who’s making it and where.

Even before President Joe Biden and his transition team entered the White House amid the unfurling SolarWinds crisis, the executive branch was working to collectively reduce weaknesses in the government’s software supply chain. A new executive order gets deeper into core software development techniques than anything from previous administrations.

The SolarWinds compromise, in particular, drew attention to vendors’ responsibilities to defend their customers from attack. The hackers were able to infiltrate scores of entities—including nine federal agencies—at once in part by gaining entry into SolarWinds’ environment and sending out an update laced with malware.

The new order, issued May 12, looks to raise the standard of software the government buys based on basic cyber hygiene practices and auditing capabilities across the board, instead of banning companies like Huawei and Kaspersky from suspect regimes—China and Russia, respectively.

Nextgov’s Critical Update examined a central element of the order—a software bill of materials, or SBOM—and its potential to change the way the industry does business, among other ways government officials could try to encourage more secure software development.

“If you look at a software bill of materials as a measure of a high-performing product development organization, then it can be used kind of like a canary in the coal mine,” said Beau Woods, a senior adviser to the Cybersecurity and Infrastructure Security Agency. “It's a small conceptual shift to open up that transparency. But there's a lot of ways to do it, a, and b, there's a lot of changes in standard business processes and operational procedures that would need to accompany some of those ways to open up transparency in the supply chain.”

For the vast majority of the software supply chain, which is open source, that transparency is not a problem. But for vendors at the top of the chain who guard their processes and maintain exclusive rights to their code, it may take more convincing to realize the full security benefits of complete component disclosure.

“A number of the closed source providers really, really don't want to reveal that information. Some of that I think is for legitimate reasons, and some of it I think is because they don't want to admit that there are some very serious problems in the software that they're releasing to their customers,” David Wheeler, director of open source supply chain security for the Linux Foundation, said. “I think there's gonna be organizations who will be kicking and screaming against that.”

Listen below in your browser or download this episode from Apple Podcasts, Google Podcasts or your favorite podcast platform.