"Recent cyberattacks such as those executed against SolarWinds and its customers, and exploits that take advantage of vulnerabilities such as Log4j, highlight weaknesses within software supply chains, an issue which spans both commercial and open source software and impacts both private and government enterprises," the NSA says in its guidance.
The spy agency says there needs to be greater awareness that the software supply chain has the potential to be weaponized by nation-state adversaries using similar tactics, techniques, and procedures.
The Enduring Security Framework (ESF) – a public-private cross-industry working group led by the NSA and the Cybersecurity and Infrastructure Security Agency (CISA) – developed the guidance after examining the events that led up to the SolarWinds attack. ESF was established to cater to developers, vendors and customers in response to President Joe Biden's cybersecurity executive order aimed at federal agencies.
The incident demonstrated an awareness by state-backed hackers that the software supply chain was as valuable as publicly known and previously undisclosed software vulnerabilities.
"As ESF examined the events that led up to the SolarWinds attack, it was clear that investment was needed in creating a set of best practices that focused on the needs of the software developer," the NSA said in a joint press release with CISA and the Office of the Director of National Intelligence.
While this guidance acknowledges the key role developers play in the software supply chain, the agencies will release versions of the best-practice guidance aimed directly at software vendors and software customers.
The agencies note that vendor responsibilities include ensuring the integrity and security of software via contractual agreements, software updates, and notifications and mitigations of vulnerabilities.
The guidance covers secure development practices, insider threats, open source, verification of third-party components, hardening build environments, and code delivery.
"The compromised engineer is a difficult threat to detect and assess. A compromised employee may be under pressure from outside influences or may have a grudge to avenge. Poor performance reviews, lack of promotion, or disciplinary actions are only a few of the events that might cause a developer to take action against an organization and sabotage its development effort. Additionally, nation states or competitors can leverage an insider's struggles with controlled substances, failing relationships, or debt, among other things."
Beyond compromised engineers, the guidance also highlights intentionally placed backdoors that make it easier for engineers to troubleshoot problems, poorly trained engineers, accounts that remain open after a developer's contract has been terminated, and compromised remote development systems.
The guidance recommends developers perform static and dynamic code analysis, conduct nightly builds with security and regression tests, map features to requirements, prioritize code reviews, and review critical code.
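The guidance's "verification of third-party components" and "hardening build environments" items come down to a concrete control in practice: a build should refuse any dependency that is not pinned to a digest recorded when the component was vetted, or whose bytes no longer match that digest. The following is an added illustration of that control, written for this article and not code from the NSA, CISA or ESF guidance. The manifest, component names and file contents are constructed for the example; a real manifest would live in version control and changes to it would go through the code review the guidance calls for.

```python
import hashlib
import hmac

# Constructed sample component bytes. In practice these are the archive a
# build fetches from a package mirror or vendor download site.
GOOD_COMPONENT = b"example-lib 1.2.3 source archive (constructed sample)"
TAMPERED_COMPONENT = b"example-lib 1.2.3 source archive (constructed sample) + injected code"


def sha256_hex(data: bytes) -> str:
    """Hex SHA-256 digest of a component's raw bytes."""
    return hashlib.sha256(data).hexdigest()


# Constructed pinned manifest: the digest is recorded once, at vetting time,
# and checked on every subsequent fetch. Only listed components are allowed.
PINNED_MANIFEST = {
    "example-lib-1.2.3.tar.gz": sha256_hex(GOOD_COMPONENT),
}


def verify_component(name: str, data: bytes, manifest: dict) -> str:
    """Classify a fetched component against the pinned manifest.

    Returns one of:
      "ok"              - pinned and digest matches
      "unpinned"        - not in the manifest at all (unknown dependency)
      "digest-mismatch" - pinned, but the fetched bytes differ from the pin
    """
    expected = manifest.get(name)
    if expected is None:
        return "unpinned"
    actual = sha256_hex(data)
    # compare_digest avoids timing-dependent short-circuit comparison.
    if hmac.compare_digest(expected, actual):
        return "ok"
    return "digest-mismatch"


def vet_build_inputs(fetched: dict, manifest: dict) -> list:
    """Check every fetched component; return the list of failures.

    The build should proceed only when the returned list is empty, so that a
    single unknown or altered dependency blocks the build rather than being
    silently compiled in.
    """
    failures = []
    for name, data in fetched.items():
        status = verify_component(name, data, manifest)
        if status != "ok":
            failures.append(f"{name}: {status}")
    return failures


if __name__ == "__main__":
    # A clean fetch passes; a tampered archive and an unpinned extra
    # component are both reported, and the build would be halted.
    print(vet_build_inputs({"example-lib-1.2.3.tar.gz": GOOD_COMPONENT}, PINNED_MANIFEST))
    print(vet_build_inputs({
        "example-lib-1.2.3.tar.gz": TAMPERED_COMPONENT,
        "surprise-dep-0.1.tar.gz": b"never vetted (constructed)",
    }, PINNED_MANIFEST))
```

Rejecting unpinned components, not just mismatched ones, is the part teams most often skip; it is what stops a build environment from quietly picking up a dependency nobody reviewed.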