The Enduring Security Framework (ESF) - a public-private cross-sector working group led by three US agencies; the National Security Agency (NSA), the Cybersecurity and Infrastructure Security Agency (CISA) and the Office of the Director of National Intelligence (ODNI) - has released guidance for developers for securing software supply chains.
The guidance paper is the first in a three part series addressing developers, vendors and software customers and outlines the key areas the ESF sees as in particular need of care, including the risks involved in using third party software. It also details methods recommended for minimising those risks by verifying third-party components, avoiding build chain exploits, and defining and managing secure product criteria.
The use of third-party software - particularly binaries, or opaque files of pre-compiled code - is identified as an area of high risk because the software involved may no longer be maintained and could have unpatched vulnerabilities, according to the guidance.
The ESF advises mitigation measures including binary scanning and software composition tools that can detect intrusive files without access to the source code. A software bill of materials (SBOM) is recommended to simplify validation and identify the points of vulnerability when defects are discovered. A variety of SBOM specifications exist, the guidance points out, including NIST software identification tags.
Through the creation of a new security framework that it has titled Supply Chain Levels for Software Artefacts’ (SLSA), the ESF sets out a common-language framework that it says can be used by all stakeholders in the software development lifecycle.
The SLSA specifies four levels of assurance for components across the chain, defined from details such as code environment isolation, build method (i.e. using a service like GitHub over building locally on a workstation), and bit-for-bit build reproducibility. While the version put forward by the ESF is preliminary, versions of the SLSA have been in use at Google since 2013.
Formed in the wake of the infamous hacking of SolarWinds Orion in 2020, the ESF is set to extend the guidance to cover software vendors and their customers.