The rise in cybersecurity incidents is prompting authorities on both sides of the Atlantic to act. In July, the White House published an executive order on “improving the nation’s cybersecurity”, which in particular requires removing barriers to sharing information on incidents and vulnerabilities, and requires vendors to be transparent about the components of the software they sell to the federal government.
Following suit, the EU yesterday presented its “proposal for a new legislative act on cyber-resilience”. The text lays down rules for the security of products with digital elements placed on the market, requirements for the design and development of those products, requirements for managing their life cycle, and obligations for reporting vulnerabilities. Note that the draft applies to products with digital elements but not to services such as Software-as-a-Service (SaaS), except where a product depends on remote data processing designed by, or under the responsibility of, the manufacturer.
“We are entitled to expect that the products we buy on the single market are safe. Just as we can trust a toy or a fridge with a CE mark, we can, thanks to the Cyber Resilience Act, be sure that the connected objects and software we buy offer strong cybersecurity safeguards. This act will put the responsibility on those who must assume it, that is to say those who put the products on the market”, comments Margrethe Vestager, Executive Vice-President for a Europe fit for the digital age.
The software supply chain in the crosshairs
One aspect of both the European and the American texts stands out: securing the software supply chain. Since the Log4j vulnerabilities and the SolarWinds affair, which between them affected millions of applications, transparency about the components of software, and in particular its open source building blocks, has been the subject of much debate and development. The idea of a standardized, machine-readable document listing all the components of an application is gaining ground: the Software Bill of Materials, or SBOM. It was also one of the main topics of OpenSSF Day Europe, held this week in Dublin. The European proposal accordingly states that, to facilitate vulnerability analysis, manufacturers must in particular draw up a Software Bill of Materials that lets them and their users keep track of known vulnerabilities and newly emerging risks.
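To make the last point concrete, here is an added example (not code from ICTjournal, the EU proposal, or any of the projects mentioned) of what “machine-readable” buys you in practice: a small CycloneDX JSON SBOM is parsed and each component’s package URL (purl) and version are matched against an advisory feed. The SBOM contents and the advisory list are constructed sample data; the single advisory entry reproduces the publicly documented Log4Shell range (log4j-core from 2.0-beta9 up to, but not including, 2.15.0). Re-running the same matching whenever the feed changes is exactly how a manufacturer or user “follows up on newly appeared risks” without re-scanning binaries. The version comparison is deliberately simplified (dotted numerics plus a single pre-release suffix) and is not a substitute for a full vulnerability scanner.

```python
import json
import re

# Constructed CycloneDX 1.4 SBOM for a hypothetical Java service.
# The component list is sample data, not a real inventory.
SAMPLE_SBOM = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.4",
    "version": 1,
    "components": [
        {"type": "library", "group": "org.apache.logging.log4j", "name": "log4j-core",
         "version": "2.14.1", "purl": "pkg:maven/org.apache.logging.log4j/log4j-core@2.14.1"},
        {"type": "library", "group": "org.apache.logging.log4j", "name": "log4j-api",
         "version": "2.14.1", "purl": "pkg:maven/org.apache.logging.log4j/log4j-api@2.14.1"},
        {"type": "library", "group": "com.fasterxml.jackson.core", "name": "jackson-databind",
         "version": "2.13.4", "purl": "pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.13.4"},
    ],
})

# Constructed advisory feed keyed by version-less purl. The one entry mirrors the
# public Log4Shell advisory (log4j-core 2.0-beta9 up to, not including, 2.15.0);
# a real feed carries many entries and is refreshed continuously.
ADVISORIES = [
    {"id": "CVE-2021-44228", "purl": "pkg:maven/org.apache.logging.log4j/log4j-core",
     "introduced": "2.0-beta9", "fixed": "2.15.0"},
]


def parse_version(v):
    """Turn '2.14.1' or '2.0-beta9' into a comparable tuple.

    Only the first three numeric fields are used (a simplification), and a
    pre-release suffix sorts before the corresponding release.
    """
    core, _, pre = v.partition("-")
    nums = [int(p) for p in core.split(".") if p.isdigit()]
    nums += [0] * (3 - len(nums))
    if pre:
        pre_num = int(re.sub(r"\D", "", pre) or "0")
        return tuple(nums[:3]) + (0, pre_num)
    return tuple(nums[:3]) + (1, 0)


def split_purl(purl):
    """Split 'pkg:type/ns/name@version?qualifiers' into (version-less purl, version)."""
    purl = purl.split("?", 1)[0].split("#", 1)[0]
    base, _, version = purl.partition("@")
    return base, version


def load_components(sbom_text):
    """Return (purl_base, version, name) for every CycloneDX component carrying a purl."""
    sbom = json.loads(sbom_text)
    if sbom.get("bomFormat") != "CycloneDX":
        raise ValueError("not a CycloneDX document")
    out = []
    for comp in sbom.get("components", []):
        purl = comp.get("purl")
        if not purl:
            continue  # without a purl the component cannot be matched to advisories
        base, version = split_purl(purl)
        out.append((base, version or comp.get("version", ""), comp.get("name")))
    return out


def find_affected(sbom_text, advisories):
    """List each SBOM component whose version falls inside an advisory's affected range."""
    by_purl = {}
    for adv in advisories:
        by_purl.setdefault(adv["purl"], []).append(adv)
    hits = []
    for base, version, name in load_components(sbom_text):
        v = parse_version(version)
        for adv in by_purl.get(base, []):
            if parse_version(adv["introduced"]) <= v < parse_version(adv["fixed"]):
                hits.append({"name": name, "version": version,
                             "advisory": adv["id"], "fixed": adv["fixed"]})
    return hits


if __name__ == "__main__":
    for hit in find_affected(SAMPLE_SBOM, ADVISORIES):
        print(f"{hit['name']} {hit['version']} affected by {hit['advisory']}, fixed in {hit['fixed']}")
```

Run as-is, the script reports only log4j-core 2.14.1; log4j-api shares the version but not the purl, so it is correctly left alone, and bumping log4j-core to 2.17.1 in the SBOM produces no findings. The purl is the key that makes this work across ecosystems: the same lookup applies unchanged to `pkg:npm/...` or `pkg:pypi/...` entries once the feed carries them.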
The subject is also in the sights of the White House, whose Federal CISO Chris DeRusha published guidance this week on the procurement of software by federal agencies. The guidance directs US agencies to use only software that meets secure software development standards and encourages them to require a Software Bill of Materials from their vendors for critical uses.
To find out more, ICTjournal has published several articles in recent months on the security of the software supply chain:
Companies mismanage open source app dependencies
CIOs don’t trust their software supply chain
$150 million to secure the software supply chain