
Why in 2023 Software Teams Should Care About Biden’s 2021 Cybersecurity Act

From the gas in your car to the electricity in your offices, malicious users can hijack everything, holding you and your business for ransom.

Looking back, this is precisely what happened in 2021 during the Colonial Pipeline incident. Gasoline, diesel, home heating oil, and jet fuel were suddenly unavailable, creating spot shortages in the U.S. market.

Then came the SolarWinds attack, in which undetected malware affected around 18,000 customers from Fortune 500 companies to the U.S. government. If it can happen to these industry dominators, it could happen to your company, too.

According to IBM, it takes an average of 287 days to identify a data breach, with an additional 80 days to contain it. During this time, you could exceed the average $4.87 million in estimated losses and costs due to the breach. Ouch.

So why don’t we just nip the issue in the bud? Thankfully, it’s simple to put the proper protections in place (think of SolarWinds and its weak default password) and fortify your digital assets and SDLC against potentially catastrophic hijacks.

Making sure companies have these protections in place was the impetus for President Biden’s Cybersecurity Act of 2021. While it’s been two years since its enactment, it’s important to remind companies why it remains critical today. Let’s review.

What is a Software Bill of Materials, and what’s in it?

First, it’s important to know what a Software Bill of Materials (SBOM) is. An SBOM is a list of the components that make up a software application or system. The list can be used to track down the source code for these components and their dependencies. Having an SBOM can be critical for several reasons, among them security. An SBOM typically lists the following for each software product:

  • Name of the software product
  • Version number
  • Release date
  • Name of the software company
  • Software license agreement
  • Description of the software product
  • System requirements
  • Hardware requirements
  • Minimum system requirements
  • Recommended system requirements

When a software application or system breach occurs, it is often because one of its dependencies has been compromised. With an SBOM, developers can quickly identify the component responsible and patch it. Additionally, an SBOM helps track down vulnerabilities in dependencies that have not yet been exploited, improving the application’s security posture.

What is the SBOM Executive Order 14028?

After a string of cybersecurity hacks, breaches, and espionage through ransomware that impacted private and public sectors on multi-million dollar scales, the Biden Administration put into place Executive Order 14028. It aims to make cybersecurity standards compulsory for Federal Agencies and achieve the following:

  • Strengthen and suggest systems to mitigate future hacks, breaches, and cybersecurity events.
  • Provide both public and private sectors with a cybersecurity standard to follow.
  • Enforce and accelerate the adoption of highly effective cybersecurity standards such as zero-trust architecture and SBOMs.

The Order’s contents include emphasizing the production of an SBOM, which uplifts a key cybersecurity standard into a national standard and is relevant for all businesses, even non-Federal. An SBOM helps identify which components need to be updated or patched to fix a security vulnerability. As well as tracking the provenance of a piece of software, having an SBOM makes it easier to identify malicious code.

Why should software teams care about the executive order?

When you align your organization’s security postures to a Federal standard, you are setting your digital supply chains and assets up for the following:

  • The highest minimum standard against advanced cyber attacks.
  • Reduced legal liability arising from insecure sections of your supply chains and digital assets.
  • Modernized cybersecurity practices through expected standards such as zero-trust.
  • Awareness of your software supply chain security through initiatives like the SBOM.

According to a report by Trend Micro, 41% of organizations are not confident about their software security, especially when it comes to open-source components. Your business may be part of this percentage, which doesn’t bode well for the security of your digital assets, sensitive data, and infrastructures.

Without a clearly defined security policy, teams cannot effectively take ownership, which leaves potential gaps in your security and monitoring processes. Using Biden’s Executive Order as a security template can reduce this gap.

So, what should you do next?

It’s easy to tell teams to make an SBOM. But without the right tools to create, manage, and share the details included in one, software products and pipelines will remain vulnerable. An SBOM is only one component of the expected security hardening process. Section 4 of the Executive Order details what is needed to secure your SDLC postures. This includes:

Separating build environments

A clear and separate build environment allows for the isolation of the build process from the development environment. This isolation ensures that the build process is not contaminated by any malicious code that may be present in the development environment.

MFA and risk-based authentication

MFA and authentication strategies protect against unauthorized access and ensure that only authorized users can access sensitive data. Risk-based authentication also allows organizations to detect and respond to threats promptly.

Dependency documentation

Dependency documentation is necessary for software security because it provides a clear and concise description of the dependencies for a piece of software. This information is essential for understanding the attack surface and ensuring all dependencies are properly secured.

Artifact generation and vulnerability scanning

Artifact generation and vulnerability scanning help identify potential security risks and vulnerabilities, which enables security teams to take steps to mitigate or eliminate them. This ensures the software is less likely to be exploited by attackers.

Providing an SBOM

Suppose a vulnerability is discovered in one of the software components. In that case, the SBOM can be used to identify which other elements may be affected and to take steps to mitigate the risk.
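The lookup described here and in the earlier SBOM section (find the vulnerable component, then every other element that includes it), as an added example that is not from the original post or any vendor tool. It assumes a CycloneDX-style JSON layout with purl identifiers and a dependencies list; the SBOM contents and the advisory id are constructed placeholders.

```python
"""Walk a CycloneDX-style SBOM to find every component affected by a vulnerable
dependency. Added example: the SBOM, names and advisory id are constructed here."""
import json
# Constructed SBOM in CycloneDX JSON shape: two services, a logging library,
# and a JSON parser that report-svc and loglib pull in directly.
SBOM_JSON = """{
 "bomFormat": "CycloneDX", "specVersion": "1.4",
 "components": [
  {"name": "shop-web",   "version": "3.2.0",  "purl": "pkg:generic/shop-web@3.2.0"},
  {"name": "report-svc", "version": "1.0.1",  "purl": "pkg:generic/report-svc@1.0.1"},
  {"name": "loglib",     "version": "2.14.0", "purl": "pkg:maven/example/loglib@2.14.0"},
  {"name": "jsonparse",  "version": "0.9.3",  "purl": "pkg:maven/example/jsonparse@0.9.3"}
 ],
 "dependencies": [
  {"ref": "pkg:generic/shop-web@3.2.0",        "dependsOn": ["pkg:maven/example/loglib@2.14.0"]},
  {"ref": "pkg:generic/report-svc@1.0.1",      "dependsOn": ["pkg:maven/example/jsonparse@0.9.3"]},
  {"ref": "pkg:maven/example/loglib@2.14.0",   "dependsOn": ["pkg:maven/example/jsonparse@0.9.3"]},
  {"ref": "pkg:maven/example/jsonparse@0.9.3", "dependsOn": []}
 ]
}"""
SBOM = json.loads(SBOM_JSON)
# Constructed advisory feed (placeholder id, not a real CVE): purl -> advisory.
ADVISORIES = {"pkg:maven/example/jsonparse@0.9.3": "VULN-EXAMPLE-0001"}

def reverse_dependencies(sbom):
    """Map each purl to the set of purls that directly depend on it."""
    rdeps = {c["purl"]: set() for c in sbom["components"]}
    for entry in sbom.get("dependencies", []):
        for dep in entry.get("dependsOn", []):
            rdeps.setdefault(dep, set()).add(entry["ref"])
    return rdeps

def affected_components(sbom, vulnerable_purl):
    """Return, sorted, every component that transitively includes vulnerable_purl."""
    rdeps, seen, stack = reverse_dependencies(sbom), set(), [vulnerable_purl]
    while stack:  # walk the reverse graph upward toward the top-level products
        for parent in rdeps.get(stack.pop(), ()):
            if parent not in seen:
                seen.add(parent)
                stack.append(parent)
    return sorted(seen)

def scan(sbom, advisories):
    """Cross-check SBOM components against the advisory feed; expand each hit."""
    present = {c["purl"] for c in sbom["components"]}
    return {p: affected_components(sbom, p) for p in advisories if p in present}

if __name__ == "__main__":
    for purl, impacted in scan(SBOM, ADVISORIES).items():
        print(f"{ADVISORIES[purl]} in {purl} affects: {', '.join(impacted)}")
```

Running it reports that the one advisory in the feed reaches both services through the logging library, which is exactly the blast-radius question an SBOM is meant to answer.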

You are aligning your security levels to the highest minimum requirements by implementing the above. When it took effect, Biden’s Executive Order aimed to launch an active campaign and crusade against the lack of security measures for organizations in both the public and private sectors. This has not changed.

Prepare your CI/CD pipelines per Biden’s EO by automating your monitoring, detection, and risk mitigation processes. No one wants to be another SolarWinds or Colonial Pipeline. Secure your assets before they become someone else’s prize.