The Software Development Impacts of the Executive Order on Improving the Nation’s Cybersecurity
September 30, 2021
Introduction
2020 and 2021 have seen a dramatic increase in cyberattacks on U.S. soil and worldwide. Following the cyberattack on the Colonial Pipeline, considered one of the most serious in U.S. history, President Joe Biden signed an Executive Order on Improving the Nation’s Cybersecurity in May 2021 to increase the cybersecurity of software used by federal agencies.
In this executive order, President Biden laid out a framework to equip federal agencies with software that is more secure and adept at countering or resisting the cyberattacks that have increased dramatically over the last few years. The deadline of 180 days following the publication of the executive order is fast approaching, at which point the Director of NIST will announce preliminary guidelines to enhance software supply chain security. 90 days after this preliminary guidance is published, the Secretary of Commerce will issue guidance including standards, procedures, and/or criteria with regard to a number of elements in secure software development.
One way for software vendors to be ready for these new guidelines, which will soon be published in detail, is to ensure that the source code of their software programs is guaranteed bug-free, using exhaustive static analysis.
The Department of Homeland Security has stated that a whopping 90% of cyberattacks are estimated to exploit defects in the design or code of software. Using exhaustive static analysis, a software company can mathematically guarantee the absence of these vulnerabilities at the source code level, preventing a cyberattack before it can take place.
The new guidelines: how will software development processes be affected?
Section 4 of President Biden’s Executive Order on Improving the Nation’s Cybersecurity lays out the framework for a more cyber secure software development process.
According to the executive order, the development of commercial software will need to be implemented with mechanisms that are more rigorous and predictable; in this way, products will be guaranteed to function safely and securely. Critical industry software in particular will be subject to the need for greater cybersecurity, with the establishment of basic security standards for the development of software used by the U.S. government.
The federal government and all the appropriate actors (such as the private sector or academia) will have to comply with the standards written in this fourth section of the order. Compliance with those guidelines can be achieved in part with the development or implementation of tools and best practices.
The challenges that software vendors now face to be compliant with these guidelines
The new guidelines for software development addressed in Section 4 of this Executive Order call for more transparency in the software development process, more focus on the ability of software to resist attack, and adequate controls to prevent tampering by malicious actors.
Software vendors and their development teams will now need to take into account a series of requirements and standards, such as having a secure software development environment that uses administratively separate build environments, evaluates and audits trust relationships, includes multi-factor, risk-based authentication, and more. Software development teams will also need to have an automated tool or process in place to “check for known and potential vulnerabilities and remediate them, which shall operate regularly, or at a minimum prior to product, version, or update release.”
In addition, software vendors will need to be able to provide proof of the existence of such a tool or process and make public a summary of risks assessed and mitigated. They will also need to maintain up-to-date records of the origin of software code and components, as well as on the controls of internal and third-party software components, including audits on these controls.
For some software companies, these new requirements may introduce significant changes to their existing development process. But one thing is certain: a solution exists to help companies reduce their code verification costs and bug detection time, thereby reducing the efforts needed to check for potential vulnerabilities in software provided to federal agencies.
How exhaustive code analysis can help software vendors to be compliant with the new guidelines
TrustInSoft offers a solution to help software developers mathematically guarantee the absence of vulnerabilities before they can be exploited. Recognized by NIST, TrustInSoft Analyzer is a hybrid static and dynamic code analyzer that uses formal methods to ensure that your software behaves in a deterministic way, does not crash whatever the inputs, and is immune from security flaws, while reducing validation efforts.
Used by developers in many industries worldwide, including IoT, defense, automotive, telecom, semiconductor and aeronautics, the exhaustive code analysis hardens C and C++ source code, thus ensuring code security and safety.
It reduces code verification costs and time-to-market, and is compatible with numerous coding standards such as CERT-C and industry standards including ISO26262, DO-178C, IEC61508, and many others.
It is the only source code analyzer that can provide a mathematical guarantee on the quality of the source code without the need to specially configure the development process.
Using TrustInSoft Analyzer can provide developers with an automated tool that exhaustively detects code vulnerabilities, helping them comply with this crucial part of the new guidelines set out in this Executive Order. Software vendors can use the mathematical proof of the absence of vulnerabilities as a way to prove to the U.S. government that they have a rigorous mechanism for ensuring that products function securely and as intended.
For more information, visit: https://trust-in-soft.com/product/trustinsoft-analyzer/