David London

Software Lifecycle Security: Increased Scrutiny Offers Opportunity for Differentiation

Security Bulletin

Summary

• In June 2020, a software exploit dubbed GoldenSpy was observed targeting corporations doing business in China – the underlying executable file was part of required tax software. Companies were required to install the software to enable payment of local Chinese taxes, and the software’s backdoor enabled command and control of victim systems and remote code execution.1

• Discoveries like this will amplify scrutiny of software supply chains for both U.S. Government and critical infrastructure technology procurements, as well as critical foreign technology investments subject to U.S. Committee on Foreign Investment in the United States (CFIUS) review.

• Vendors and investors should be mindful of these trends and consider how effectively addressing them can be a valuable source of differentiation.

Why is the risk increasing?

As software products grow more complex – with increasing dependencies on a dizzying ecosystem of software libraries, tools and distribution mechanisms – the risk of exploitation expands.

Software complexity and velocity. Exploitation of software flaws is a longstanding tactic used in cyberattacks, and the rapidly increasing scale and complexity of software development is daunting. The current model Ford F-150 pick-up truck features more than 150 million lines of code. To place that number in sharper relief, the Lockheed F22 Raptor fighter jet, which achieved initial operating capability in 2005, features only 2 million lines of code.2 And while the agile software development evolution has been game-changing for productivity and customer satisfaction, the DevOps velocity can overwhelm some security safeguards present in more traditional models. With greater code complexity and velocity, comes increased risk of exploitation of coding errors.

Third party code use. In addition to the sheer volume of the code base, code composition also increases the complexity (and a level of opacity). Open source software code is now ubiquitous, with open source components found in nearly 99% of codebases.3 Experts estimate there will be almost a half-billion open source libraries available to developers within a decade. Meanwhile, modern software development environments are increasingly fluid, with the potential for code to change hundreds of times a day through dynamic calls for additional scripting.4

Emergence of infrastructure-as-code (IaC). Organizations are increasingly automating the management of their data centers and hardware through coded scripts and software rather than through more manual processes. While delivering efficiencies, this trend also exposes organizations to new vulnerabilities. A recent report identified more than 200,000 IaC templates with high and medium severity vulnerabilities. including 42% of AWS CloudFormation templates.5

NotPetya’s ongoing legacy. Litigation continues related to the 2017 notPetya ransomware incident6, attributed to Russia7, that impacted numerous global companies including Merck, Maersk and FedEx, among others. NotPetya used corrupted tax accounting software to debilitate computer systems around the world, and it remains one of most devastating cyber attacks in history. The event resulted in over $10B in impacts, and its aftermath is still being addressed.

Security implications of new foreign requirements. New cybersecurity and privacy requirements in countries like China and Russia are engendering increasing concerns that such authorities could be leveraged to identify and later exploit vulnerabilities in technologies developed or marketed in those jurisdictions, irrespective of where those technologies reside.

How is this changing procurement and investment reviews?

U.S. Government agencies are implementing a number of new authorities to restrict investments, procurements, suppliers, exports and other transactions involving high-risk software.

• In May 2020, the White House released an Executive Order on Securing the United States Bulk-Power System, which authorizes the Secretary of Energy to block bulk-power system electric equipment supplied by persons “owned by, controlled by, or subject to the jurisdiction or direction of a foreign adversary.8

• This follows a May 2019 Executive Order, which affords the Secretary of Commerce similar authorities regarding the Information and Communications Technology and Services Supply Chain, with updated implementing regulations expected soon.9

• The Foreign Investment Risk Review Modernization Act (FIRRMA)10, which garnered bipartisan support, extends CFIUS review to minority investments in U.S. companies that support critical infrastructure, develop critical technologies, or handle sensitive personal data.

• These authorities build upon additional statutes enacted within the last several years, all focused explicitly or implicitly on technology supply chain security, including:

   – The Secure and Trusted Communications Network Act of 201911
   – The Export Control Reform Act of 201812
   – SECURE Technology Act of 201813
   – Multiple additional provisions within the FY 2019 NDAA (including foreign source code disclosure requirements and other items)14

Earlier this year, the Congressionally-chartered Cyberspace Solarium Commission recommended Congress pass a law that final goods assemblers of software, hardware and firmware are liable for damages from incidents that exploit known and unpatched vulnerabilities.15

• Focus extending beyond the United States. While the United States has had the most aggressive stance in mitigating security risks associated with well-publicized targets like Huawei and Kaspersky, other Western nations’ stances are also evolving. This month, the British government announced it would bar telecom companies from purchasing new Huawei equipment and ordered providers to remove its technology from their 5G networks by 2027, marking a significant policy reversal.16

Implications for Action

So how do companies address these trends, and is there an opportunity to leverage heightened expectations to drive market differentiation?

1. Align to emerging software frameworks. While existing security frameworks (e.g., NIST SP 800-53, 800-171, CMMC) offer little guidance on comprehensive software security practices, emerging authoritative frameworks like NIST’s Secure Software Development Framework (SSDF)17 and Business Software Alliance (BSA) Framework for Secure Software18 offer greater precision on software lifecycle security best practice. These emerging frameworks provide a common language for secure development and reflect best practice from existing resources (BSIMM, OWASP SAMM), etc. Companies’ software lifecycle environments can now be independently assessed and benchmarked against these frameworks.

2. Consider national security risks and opportunities for transparency. Given heightened risks (and risk perception) of foreign interference, companies should seek framework alignment while assessing whether product development is exposed to high risk geographies – thus anticipating government concerns and planning for risk reduction. This effort can illuminate high risk code development locations, supply chain dependencies and insider risks that could generate government or customer headwinds.

3. Implement training in secure coding principles. Even large organizations with sophisticated development teams often lack foundational secure coding training. In addition to rigorous testing, organizations can deploy software solutions that deliver integrated, on-demand training that could mitigate coding risks at the source.

4. Apply independent testing. Internal testing can be validated and further strengthened through independent testing expertise. A sustainable risk-based test plan supported by rigorous testing by qualified third parties can reinforce durable security and build credibility with key stakeholders.

Framework alignment combined with a national security review and independent testing, provides a real opportunity to position security as a core differentiator

For further information or questions, please contact David London (david.london@chertoffgroup.com) or Adam Isles (adam.isles@chertoffgroup.com) at The Chertoff Group.

---

[1] https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/the-golden-tax-department-and-the-emergence-of-goldenspy-malware/?utm_source=sl-blog&utm_medium=chapter-two-click&utm_campaign=goldenspy
[2] http://sites.ieee.org/futuredirections/2016/01/13/guess-what-requires-150-million-lines-of-code/
[3] https://www.synopsys.com/content/dam/synopsys/sig-assets/reports/2020-ossra-report.pdf
[4] https://www.sourceclear.com/resources/TheBusyManagersGuideToOpenSourceSecurity.pdf
[5] https://unit42.paloaltonetworks.com/cloud-threat-report-intro/
[6] https://www.wired.com/story/notpetya-cyberattack-ukraine-russia-code-crashed-the-world/
[7] https://www.whitehouse.gov/briefings-statements/statement-press-secretary-25/
[8] https://www.whitehouse.gov/presidential-actions/executive-order-securing-united-states-bulk-power-system/
[9] https://www.whitehouse.gov/presidential-actions/executive-order-securing-information-communications-technology-services-supply- chain/
[10] https://home.treasury.gov/sites/default/files/2018-08/The-Foreign-Investment-Risk-Review-Modernization-Act-of-2018-FIRRMA_0.pdf
[11] https://www.govinfo.gov/content/pkg/PLAW-116publ124/html/PLAW-116publ124.htm
[12] https://uscode.house.gov/view.xhtml?path=/prelim@title50/chapter58&edition=prelim
[13] https://www.congress.gov/115/bills/hr7327/BILLS-115hr7327enr.pdf
[14] https://www.congress.gov/bill/115th-congress/house-bill/5515/text
[15] https://www.solarium.gov/
[16] https://www.wsj.com/articles/u-k-makes-u-turn-on-huawei-after-u-s-pressure-11594727179?mod=hp_lead_pos1
[17] https://csrc.nist.gov/publications/detail/white-paper/2020/04/23/mitigating-risk-of-software-vulnerabilities-with-ssdf/final
[18] https://www.bsa.org/reports/bsa-framework-for-secure-software

Schedule a Consultation

Contact us today to learn what we can do for you.

Schedule a Consultation