The Cybersecurity and Infrastructure Security Agency (CISA), the National Security Agency (NSA) and the Office of the Director of National Intelligence (ODNI) have published guidance for developing secure software. Its aim is to close off the entry points that supply chain attacks exploit.

Prominent Supply Chain Attacks

In such attacks, adversaries target vulnerable or compromised components that are reused at scale in other software, so that a single compromise propagates to everything built on top of it. The intent is to cause widespread damage with one intrusion.

In the SolarWinds case, for example, attackers compromised the build and update process of the vendor's Orion network and security products and used it to distribute malicious code to customers through regular product updates. More than 300,000 customers worldwide use SolarWinds products. Among other things, the attack gave the intruders access to US government IT systems.

Another prominent supply chain case is the critical Log4Shell vulnerability in the Log4j Java logging library. Because the library is embedded in a vast amount of software, the flaw exposed an enormous number of systems, many of them run by operators who were not even aware they were using Log4j.

Countermeasures

To prevent such attacks, the US agencies have published the 64-page document “Securing the Software Supply Chain – Recommended Practices Guide for Developers”. In it, developers will find numerous recommendations for developing software more securely.

Among other topics, it covers securing code effectively, handling third-party modules safely and validating finished software before it is shipped. In an accompanying article, the responsible agencies state that two further documents on preventing supply chain attacks are to follow.

The recommendations are commendable, but they are not without a certain irony: intelligence services such as the NSA practically invented and popularized breaking into systems and networks through exactly such smuggled-in back doors.

