This week, the White House released its updated National Cybersecurity Strategy, detailing the comprehensive approach the Administration is taking to cybersecurity.
The strategy rests on a set of pillars that outline collaboration between the public and private sectors, address systemic challenges within cybersecurity, and realign incentives for the industry.
Pillar Three specifically talks about shaping, or re-shaping, “market forces to drive security and resilience.” This pillar aims to shift responsibility for security vulnerabilities from software consumers to software creators through the required implementation of secure-by-design development practices.
There are several reasons behind this pillar, but an undeniable one is that this direction will be key to establishing a secure digital ecosystem. In today’s software, everything is a dependency of a dependency, and the trickle-down effect of insecure software is massive. As just one example, compliance with Executive Order 14028, which aims to better secure federal agencies, becomes virtually impossible if software providers aren’t also held liable for securing their products.
Let’s focus on Strategic Objective 3.3, Shift Liability for Insecure Software Products and Services, which has the potential to change the security modus operandi of software companies. It can be broken down into three impactful actions:
- The development of legislation that will make software providers responsible for the security of the software they’re releasing. This type of legislation would make it much harder, if not impossible, to be free from liability via contractual clauses.
- The development of a Safe Harbor framework that can adapt to different types of software providers. This will draw from the NIST Secure Software Development Framework (SSDF) and will continue to evolve to include advanced software supply chain security technologies.
- The development of incentives to drive adoption of the above – for one, federal purchasing power.
What Does It Mean Right Now?
The truth is, the path from strategy to execution is a long one. But we do now have a better sense of possible future liabilities and of the security standard that software companies will increasingly be held to.
If we take the SSDF as the driving framework, we know that meeting compliance can be very challenging for companies: it can take between six and eight different tools, including traditional application security testing, supply chain posture management, advanced scanning and analysis, tools for SBOM generation and provenance, and a layer to manage all of the above. An alternative is to leverage one or two purpose-built tools.
The Aqua platform is one such purpose-built tool. It covers the different layers (code, process, and infrastructure of development) in a way that is automated for both security deployment and compliance attestation. The platform offers next-gen SBOMs that meet compliance requirements for SBOM and provenance. It also provides advanced vulnerability discovery with proprietary mechanisms like integrity scanning and open-source health that catch advanced software supply chain attacks in a more effective, reliable way.
Companies that do software security right will, in the short term, have a huge differentiator. Software transparency is imminent, and companies’ security posture will be exposed (in large part via SBOMs); those with stronger security will be preferred over those that are outwardly vulnerable. In the long term, software security will be key to business continuity, and non-compliance may not be an option. The Aqua platform and our playbook for automating compliance are built exactly to help companies ease this process and re-focus on innovation.