close search bar

Sorry, not available in this language yet

close language selection

Attesting to secure software development practices

Tim Mackey

Mar 12, 2024 / 2 min read

It’s been almost three years since President Biden issued Executive Order 14028, and while we’ve heard vendors talk about “compliance with EO 14028” for about that long, the reality is that industry hasn’t had anything to comply with—until now.

On March 11, CISA published the Secure Software Development Attestation Form as part of its obligations under OMB memo M-22-18 and the successor OMB memo M-23-16. Publication of the Self-Attestation form starts a clock in which any providers of software for use in critical infrastructure have 90 days to provide a completed form, and all other providers of software to the U.S. government have 180 days to do the same.

Like most government requirements, and the Self-Attestation form is a requirement, there are penalties for noncompliance. The form needs to be signed by someone within the software provider’s leadership team, potentially the CEO, and false statements are punishable under 18 U.S.C. § 1001, which covers False Statements made to the U.S. government. What this means is that any software producer that might be tempted to simply respond “Yes” to all questions should think twice about doing so.

Obviously, if you’re required to attest to software development practices, it’s helpful if those practices are well known and well understood. This is where the Self-Attestation form makes life easy, as software providers are expected to follow a subset of the NIST Secure Software Development Framework (SSDF) activities. The 42 activities in the SSDF also have line-of-sight to other standards like IEC 62443, and maturity models like the BSIMM.

This then means that for organizations that have benchmarked their software development policies, processes, and workflows against a NIST-referenced standard or model, attesting to the elements in the Self-Attestation form should be simple. For those businesses that are pursuing a FedRAMP Authorization, the Self-Attestation form allows for a FedRAMP 3PAO Assessor to provide an independent attestation that can be used in lieu of self-attestation.

How consistent are your secure development processes?

But what about all those businesses whose software is in use within the U.S. government but aren’t FedRAMP authorized? Some might feel that the risk of making a mistake when self-attesting isn’t worth taking. Given that there are far more than the 328 FedRAMP-authorized applications running within the U.S. government, a trustworthy attestation process needs to exist. Ideally, it should identify whether the corporate policies governing software development are consistently followed by development teams.

This is where Synopsys comes in. Synopsys is an independent provider of BSIMM assessments and has been delivering BSIMM assessments for over a dozen years. Since a BSIMM is a reference for the NIST SSDF, and knowing that the Self-Attestation form has been coming for the last year, it stands to reason that we’ve created an SSDF Readiness Assessment to assist customers in measuring how confident they should be in their ability to deliver secure code.

The SSDF Readiness Assessment is part of the overall Synopsys strategy for software supply chain security and risk management. Using an SSDF Readiness Assessment, customers can confidently determine where any gaps in their AppSec programs might be, where inconsistent implementations might exist, and where consistency results in secure software products. If the future of your business depends upon an accurate understanding of your software development practices, processes, and workflows reducing that business risk, is solvable with an SSDF Readiness Assessment.

Learn more about SSDF Readiness Assessments

Continue Reading

Top 10 free pen tester tools

Top 10 free pen tester tools

Natalie Lightner
By Natalie Lightner

Apr 11, 2024 / 5 min read

Tags: Software Integrity, Security News & Trends, Pen Testing, Web AppSec, Manage Security Risks
Managing risk at scale

Managing risk at scale

Charlotte Freeman
By Charlotte Freeman

Apr 08, 2024 / 2 min read

Tags: Software Integrity, Manage Security Risks
SANS report: Securing the shifting landscape of application development

SANS report: Securing the shifting landscape of application development

Charlotte Freeman
By Charlotte Freeman

Apr 03, 2024 / 2 min read

Tags: Software Integrity, Manage Security Risks
Guide to updating from NIST CSF 1.1 to 2.0

Guide to updating from NIST CSF 1.1 to 2.0

John Waller
By John Waller

Mar 29, 2024 / 7 min read

Tags: Software Integrity, Cloud Security, Manage Security Risks
4 approaches to vulnerability remediation

4 approaches to vulnerability remediation

Natalie Lightner
By Natalie Lightner

Mar 27, 2024 / 4 min read

Tags: SCA, Build Security into DevOps, Training, Manage Security Risks
2024 OSSRA report: Open source license compliance remains problematic

2024 OSSRA report: Open source license compliance remains problematic

Fred Bals
By Fred Bals

Mar 19, 2024 / 4 min read

Tags: Artificial Intelligence, Software Integrity, Manage Security Risks, OSS License Compliance

Explore Topics

Agile, CI/CD
AppSec Best Practices
Artificial Intelligence
Automotive
Build Security into DevOps
Cloud Security
Compliance
Container Security
CyRC
DevSecOps
DAST
Financial Services
Fuzzing
Healthcare
IAST
Internet of Things
M&A
Manage Security Risks
Medical Devices
Mobile
Orchestration & Correlation
OSS License Compliance
Pen Testing
Program Strategy & Planning
Public Sector
SAST
SCA
Secure the Software Supply Chain
Security News & Trends
Threat Modeling
Threat & Risk Assessment
Training
Web Application Security