In May of 2021, President Biden issued an unprecedented Executive Order on Improving the Nation’s Cybersecurity as a blueprint for federal agencies and private sector partners to improve their cybersecurity posture. Following high-profile incidents like the SolarStorm supply chain attack, the order prioritized critical areas for securely modernizing federal IT infrastructure.
Among other directives, the Executive Order requires government agencies to purchase only software that meets secure development standards to protect government data. To support the Executive Order, the National Institute of Standards and Technology (NIST) issued guidance in February of 2022 to provide federal agencies with best practices for enhancing the security of the software supply chain. Two sets of guidance were released by NIST: the Secure Software Development Framework (SSDF) and the companion Software Supply Chain Security Guidance.
The Executive Order directs the U.S. Office of Management and Budget (OMB) to take appropriate steps to require that agencies comply with the NIST guidelines within 30 days. This means that federal agencies must begin adopting the SSDF and related guidance immediately while customizing it to the agency’s risk profile and mission. Vendors who supply software to the U.S. government will soon also have to attest to meeting these guidelines.
In developing the guidelines, NIST gathered extensive input from technology professionals and other federal agencies through the solicitation of papers and virtual workshops, including input from Palo Alto Networks. Let’s look at some of the components of the NIST guidelines:
- The SSDF encompasses secure software development best practices from organizations such as the Business Software Alliance (BSA), the Open Web Application Security Project (OWASP) and SAFECode. These best practices aim to protect the software development infrastructure, reduce the number of vulnerabilities in software during development and continually respond to any newly found risks by addressing the root causes to prevent recurrences.
- The Software Supply Chain Security Guidance provides recommendations to federal agencies for purchasing software exclusively from organizations that follow a risk-based approach to development.
- These recommendations are intended to help agencies get the necessary information from software producers in a form that can help guide risk-based decisions. The recommendations span many types of software, along with firmware, operating systems, applications and application services, among others.
At Palo Alto Networks, the security of our customers and the integrity of our solutions are our highest priorities. We are committed to a rigorous and secure Zero Trust development environment for ourselves and our customers. In addition to state-of-the-art tools and techniques to detect any inadvertent vulnerabilities in code, these measures include:
- Performing security reviews and threat modeling early in the software development lifecycle.
- Protecting all endpoints and systems used in software development with Cortex XDR along with continuous monitoring to detect and respond to anomalies with Cortex XSOAR.
- Securing cloud infrastructure and applications early in development through continuous integration and continuous delivery (CI/CD) workflows.
- Scanning infrastructure-as-code (IaC) templates, container images, serverless functions and more to identify vulnerabilities, misconfigurations and compliance violations. With centralized visibility and policy controls, engineering teams can secure their full stack without leaving their tools, while security teams can ensure that only secure code is deployed.
- Using Prisma Cloud Compute to protect all cloud deployments throughout the application lifecycle.
- Managing vulnerabilities and dependencies in open source repositories: building a software bill of materials (SBOM) of the packages in use for vetting, verifying the security of dependencies against open source and proprietary databases, and assisting in remediation.
- Enforcing Identity and Access Management (IAM) so that only those who should have access to the supply chain and source code do, and no one else.
- Inventorying and managing internet-facing system assets with Cortex Xpanse based on attackers’ views of the internet. Attack surface management helps discover shadow IT, malicious exploit call-outs and other unauthorized internet-facing connections.
Additionally, we undertake a number of internal processes to ensure the integrity of our own products, which include software and firmware signing, secure updates, signature verification and additional oversight. We institute restrictions on who scopes and defines source code changes, reviewing new source code with a hierarchy of oversight and ensuring a “chain of custody” throughout development, testing and quality assurance processes. Our approach standardizes the software development, deployment, delivery and operation pipeline to ensure there are sufficient and necessary security controls in all phases.
Altogether, this is unified security for DevOps and security teams.
Our mission at Palo Alto Networks is to be the cybersecurity partner of choice, protecting today’s digital way of life. We support the Executive Order on Improving the Nation’s Cybersecurity and the subsequent guidance from NIST. In fact, NIST published a case study highlighting Palo Alto Networks’ end-to-end supply chain risk management practices in 2020. We look forward to working with our federal partners to meet these coming attestation requirements and to continuing to serve as a trusted ally in meeting secure development standards. Contact the Palo Alto Networks federal team for additional information.