
Feds, npm Issue Supply Chain Security Guidance to Avert Another SolarWinds

Lessons learned from the SolarWinds software supply chain attack were translated into concrete guidance this week when the US Cybersecurity and Infrastructure Agency (CISA), the Office of the Director of National Intelligence (ODNI), and the National Security Agency (NSA) released a joint best practices framework for developers to avoid future supply chain attacks.

Besides the US government’s recommendations, developers also received npm Best Practices from the Open Source Security Foundation (OpenSSF), intended to establish open source supply chain security best practices.

“The developer holds a critical responsibility to the security of our software,” the agencies said about the publication, titled Securing the Software Supply Chain for Developers. “As ESF examined the events that led up to the SolarWinds attack, it was clear that investment was needed in creating a set of best practices that focused on the needs of the software developer.”

OpenSSF’s announcement, meanwhile, noted that the npm code repository has grown to include 2.1 million packages.

Developers like Michael Burch, director of application security for Security Journey, applaud the industry’s proactive approach, but Burch adds that it is now up to the cybersecurity sector to put these guidelines into action, particularly the recommendation to implement software bills of materials (SBOMs).

“What we need now is the AppSec community to come together on the back of this guidance, and create a standard format and implementation for SBOMs to boost software supply chain security,” Burch said.
