Since 2007, SAFECode members have been sharing effective practices for software and supply chain security, both among ourselves and with the industry at large. So we were excited to see that the U.S. Government has acknowledged the role of software developers in improving the country’s cybersecurity in the recently issued Executive Order. Section 4 of the order addresses software supply chain security – both the application of secure development practices and the protection of software that is under development or imported from other developers. The government is seeking input on the specifics of implementing the order – NIST will consult the private sector on tools, techniques, and evaluation criteria that can contribute to enhanced software security and assurance.
We were especially happy to see that the Executive Order recognizes the critical role of developers’ processes in creating secure software, and that it specifically refers to the use of automated tools to help assure software security. The U.S. Government cited these approaches in the NIST Secure Software Development Framework (SSDF), which NIST created in close collaboration with SAFECode and BSA – The Software Alliance. Recognition of these scalable approaches to delivering secure software will go a long way toward helping the implementation of the Executive Order achieve its objectives.
At SAFECode, we believe that the new Executive Order represents an opportunity to improve the software that our industry creates and our customers rely on. It will encourage more developers to apply best practices and stimulate the creation of new approaches. This will amplify the messages that SAFECode has been sending since its founding and help us all do a better job. We plan on being active participants in consultations with NIST and sharing our views and experience in creating scalable and effective software security processes. We’ll continue to share our experiences and perspective in future blogs.