The U.S. Presidential Executive Order (EO) 14028 on Improving the Nation’s Cybersecurity was signed on May 12, 2021. The EO charges multiple agencies with enhancing cybersecurity through a variety of initiatives related to the security and integrity of the software supply chain.
Background on the Executive Order on Improving the Nation's Cybersecurity
NIST (The National Institute of Standards and Technology) was directed to recommend minimum standards for software testing by gathering input from the private sector, academia, and government agencies. Then with that information, they identified existing or developing new standards, tools, best practices, and other guidelines to enhance software supply chain security.
The findings were published in Security Measures for “EO-Critical Software” Use Under Executive Order (EO) 14028 July 9, 2021, and NIST.IR.8397 (Guidelines on Minimum Standards for Developer Verification of Software).
📕 Related Resource: Learn more about Automating Government Compliance and Security
Back to topWhat Is Included In the Executive Order
Although the resulting guidelines are ultimately aimed at federal agencies, they are also available for others to use. The guidelines include:
- Criteria to evaluate software security.
- Criteria to evaluate the security practices of the developers and suppliers.
- Innovative tools or methods to demonstrate conformance with secure practices.
While NIST.IR.8397 does not address the totality of software verification, it instead recommends 11 techniques that are broadly applicable and form the minimum standards:
- Threat modeling to look for design-level security issues.
- Automated testing for consistency and to minimize human effort.
- Static code scanning to look for top bugs.
- Heuristic tools to look for possible hardcoded secrets.
- Use of built-in checks and protections.
- “Black box” test cases.
- Code-based structural test cases
- Historical test cases.
- Fuzzing.
- Web app scanners.
- Address included code (libraries, packages, services).
In addition, NIST.IR.8397 provides guidelines recommending minimum standards testing which applies to both customer source code and third-party software. This includes identifying recommended types of manual or automated testing, such as code review tools, static and dynamic analysis, software composition tools, and penetration testing.
Back to topHow to Enforce Executive Order Cybersecurity Guidelines
To ensure that software is sufficiently safe and secure, software must be built well from the beginning. Frequent and thorough verification by developers as early as possible in the SDLC is one critical element of software security assurance. This verification must be based on some references, such as:
- The software specification
- Coding standards (e.g. MISRA)
- Collections of properties
- Security policies
- Lists of common weaknesses
The use of a static analysis tool is recommended to check code for many kinds of vulnerabilities and for compliance with the organization’s coding standards.
Static source code analysis should be done early in the SDLC and should be part of automated verification. This enables early, automated problem detection. By integrating the static analysis tool into the development environment, developers can be provided with immediate feedback. As well as detecting vulnerabilities, static code analysis can add assurance in the gaps between test cases.
Organizations should select and standardize static analysis tools and establish lists of “must fix” bugs based on their experience with the tool, the applications under development, and reported vulnerabilities. Tool users should apply warning suppression and prioritization mechanisms provided by tools to triage the tool results and focus their effort on correcting the most important weaknesses.
Automated verification is recommended to:
- Ensure that static analysis does not report new weaknesses.
- Run tests consistently.
- Check results accurately.
- Minimize the need for human effort and expertise.
Because verification is automated, it can be repeated often, for instance, upon every commit or before an issue is retired.
Thorough testing is necessary to reduce software vulnerabilities, but exhaustive testing is virtually impossible for most code. Therefore, coverage data in the form of software metrics, produced by a static analysis tool can be used to determine when an acceptable level of testing has been achieved.
This EO directly affects companies that supply IT products and services to the U.S. Government.
Back to topHow Perforce Static Analysis Can Help
Perforce static analysis tools Helix QAC and Klocwork can help your organization and suppliers meet the recommended software verification guidelines.