Software supply chain attacks have long been a concern for some cybersecurity professionals, but the conversations surrounding supply chain risk management have become more mainstream due to this year’s headlines detailing highly disruptive attacks (SolarWinds, Colonial Pipeline). Just last month we saw multiple stories about supply chain attacks that were reportedly launched by Lazarus, an advanced persistent threat (APT) group believed to be based in North Korea.
It’s clear that software companies will be taking a closer look at their supply chain security practices in the coming year, especially federal departments, agencies, and contractors that are affected by President Biden’s Executive Order (EO) 14028, which focuses heavily on supply chain security. While the EO doesn’t obligate businesses to test their software in specific ways or meet specific requirements, it does obligate the National Institute of Standards and Technology (NIST) and other agencies to create specific guidelines, and eventually the Office of Management and Budget will incorporate those guidelines into acquisition rules for companies doing business with the U.S. federal government. For companies not directly working with the U.S. government, these same guidelines are likely to become a de facto baseline for how software is built, tested, secured, and operated.