Recently released guidelines from the Cybersecurity and Infrastructure Security Agency (CISA) and the National Institute of Standards and Technology (NIST) offer tips for defending against software supply chain risks.

Attacks on software supply chains, in which a vendor's infrastructure is infiltrated and its software is infected before it is shipped to customers, can have far-reaching implications for government, critical infrastructure and even private-sector software customers.

Such attacks are usually conducted through update hijacking, code-signing tampering and the compromise of open-source code.

Source: CISA

Attackers have also injected malicious code into public code repositories so that unsuspecting developers download compromised software.

To help thwart such software supply chain attacks, the guidelines recommend that organizations: use software in the "context of a risk management program" as a general precaution; use NIST's Cyber Supply Chain Risk Management (C-SCRM) framework and the Secure Software Development Framework (SSDF) to identify, assess and mitigate risks; and incorporate a software development life cycle (SDLC) into their business processes, among other recommendations.

The CISA and NIST guidelines, Defending Against Software Supply Chain Attacks, were published in April 2021.

To contact the author of this article, email mdonlon@globalspec.com