CISA & international partners release new guidance for safe software deployment

Welcome to the latest edition of Chainmail: Software Supply Chain Security News, which brings you the latest software security headlines from around the world, curated by the team at ReversingLabs .

This week: CISA & international partners release new guidance for safe software deployment. Also: SEC fines firms impacted by Solar Storm for misleading investors.

This Week’s Top Story

CISA & international partners release new guidance for safe software deployment

Yesterday, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) released joint guidance with the FBI and other international partners titled “Safe Software Deployment: How Software Manufacturers Can Ensure Reliability for Customers,” as part of CISA’s Secure by Design initiative. The 12-page guide (PDF) is meant for software manufacturing organizations so that they can establish or bolster secure software deployment processes, in particular for software product updates, that go beyond just developing code securely:

“Safe deployment processes do not begin with the first push of code; they start much earlier.” – CISA

To do this, CISA stresses that software manufacturers need to ensure that their updated or newly released products are passing through “a series of well-defined phases that are supported by a robust testing strategy” so that customers of the products are less impacted in the wake of security incidents. The proper execution of these phases that span the software deployment timeline should enhance product quality, reduce deployment risks and provide a better experience for customers.?

Also, by enacting these phases, CISA and its partners believe that software manufacturers will have deployment processes with effective management of cost and impact scenarios, controlled planning, continuous improvement, agility in the wake of threats, and more. The guidance lists six total phases that software manufacturers should use, which span the deployment timeline’s internal and external stages.?

The first two phases, “planning” as well as “development and testing,” are internal phases that are not yet exposed to customers, which therefore require a lot of care and due diligence. The planning phase on its own consists of 10 pillars that include operational risk assessments, platform scaling, a deployment cadence plan, patching security vulnerabilities, and more. The second phase, development and testing, serves as the time during software deployment where a software manufacturer threat models the product to ensure that it is resilient to possible threats before it lands in the hands of a customer.?

The last four phases, “internal rollout (dogfood),” “deployment and canary testing,” “controlled rollout,” and “feedback into planning” are the external portion of the software deployment timeline. However, that doesn’t mean that these phases should be rolled out to a software manufacturer’s customers all at once. Rather, the guidance explains that these external phases should be slow-moving and highly controlled in an effort to prevent a bad or malicious software update being released prematurely to customers.?

In addition to providing insights into the six phases of secure software deployment, CISA believes that software manufacturers also need to change their mindsets in two ways. The first being the fostering of a “blameless retrospective (also called ‘postmortem’) culture,” which asserts that individual actions within the greater system of software deployment should not lead to an incident “if the environment and processes are resilient.” The second mindset change CISA calls for is the treatment of “near misses” as real incidents, because these situations “provide significant information to improve processes.” (CISA )

This Week’s Headlines

SEC fines firms impacted by Solar Storm for misleading investors

The U.S. Securities and Exchange Commission (SEC) this week charged four companies — Unisys Corp., Avaya Holdings Corp., Check Point Software Technologies, and Mimecast Limited — for making misleading disclosures about cybersecurity risks and incidents related to the SolarWinds Orion software breach. The SEC found the companies downplayed or inaccurately represented the extent of the breaches, violating securities laws. The penalties include $4 million for Unisys, $1 million for Avaya, and nearly $1 million each for Check Point and Mimecast. In announcing the fines, the SEC stressed the importance of transparency in cyber disclosures and cautioned publicly traded firms against keeping the focus of their public statements in SEC filings focused on hypothetical risks when real incidents have occurred. (SEC.gov )

The procurement challenge breaks open the black box that is commercial software

Increasing attacks on commercial software vendors that impact their enterprise customers demonstrate that security teams will need to start going beyond the mitigation of software vulnerabilities and malicious open-source software – both of which have dominated discussions of software supply chain security (SSCS). In addition to these areas of risk, business leaders must also focus both resources and attention on prying open the black box that is commercial software, and the multitude of threats that come with it. ReversingLabs Chief Trust Officer Sa?a Zdjelar argues in this article for Security InfoWatch that commercial software is the largest and most under-addressed attack surface in enterprises today. Continue reading to get his take on why enterprise buyers of commercial software products need to better assess all of the risk they are taking on. (Security InfoWatch )

New York hospitals have new cybersecurity requirements

Earlier this month, the New York Department of Health (DOH) published a new cybersecurity regulation that all general hospitals licensed pursuant to article 28 of the Public Health Law?must provide notice to the DOH within 72 hours of a cybersecurity incident – effective immediately. The DOH defines a “cybersecurity incident” as an event that has an “adverse material impact on the normal operations of the hospital.” This could take the form of any kind of cybersecurity incident, including ransomware and the breach of a third-party vendor. Additional parts of the regulation, which will not take effect until October 2025, include designating a Chief Information Security Officer (CISO), utilizing a qualified cybersecurity third-party to manage the hospitals efforts, having an incident response plan, and more. (Data Protection Report )

Attackers target exposed Docker Remote API servers with perfctl malware

Researchers at Trend Micro have discovered that the malware strain perfctl used for crypto-mining operations in the past is once again being used by cybercriminals, this time by exploiting Docker Remote API servers. Cybercriminals carry out the attack by creating a Docker container with specific settings while also executing a Base64 encoded payload. This payload execution allows for the attacker to escape the container, create a bash script, set environment variables, and download a malicious binary disguised as a PHP extension, researchers noted. This attack was also designed stealthily using several detection evasion techniques, making it even more difficult for security teams to spot. Researchers recommend that organizations take measures to secure their Docker Remote API servers, monitor regularly for unauthorized access and suspicious behavior, patch for security vulnerabilities, and run regular security audits – all to combat this threat. (Trend Micro )??

The struggle for software liability: Inside a ‘very, very, very hard problem’

This article from The Record explores the newfound age of software liability that has arisen out of major cybersecurity incidents and government initiatives, and how the road to formalizing it may be more complicated than meets the eye. This messy situation stems from several factors, which include grandfathered-policy to protect the software industry from liability, disagreements among leaders and experts as to whether holding these organizations accountable is good for both business and security, as well as the ultimate clash of law and technology that reflects theoretical planning turned into reality.?

Despite the road to achieving formalized software liability looking long and arduous, experts do believe that as more cyber attacks target critical infrastructure, regulators will take bolder steps to protect end-users and new rules for software liability will be achieved. (The Record )

Redefining security in DevSecOps

After the concept of DevOps – the convergence of software development and operations – gained traction more than a decade ago with regard to creating and deploying software applications, questions arose about the role of cybersecurity in the DevOps process. This led to?the rise of DevSecOps, which pushes the concept of shifting security practices “left” into the process of developing software, in addition to getting operations staff to implement security practices into their efforts – all while balancing business priority to constantly push out releases. Since its inception, DevSecOps has taken the form of legacy application security (AppSec) scanning tools that are integrated into the software development lifecycle (SDLC). However, this edition of the Securely Built blog argues that these legacy AppSec tools serve as reactionary methods – rather than proactive ones, making threat modeling a must for AppSec teams. (Securely Built )?

For more insights on software supply chain security, see RL Blog .?

The Best of RL

Blog | CISO Survival Guide: Commercial Software Supply Chain Risk

Today's enterprises run on commercial-off-the-shelf (COTS) software for nearly every critical function, from payroll and human resources to IT infrastructure - all provided by trusted vendors. But do you know how to manage all the risk that comes with that? Continue reading to learn how. (Read It Here )

Webinar | Supercharge Threat Modeling with Software Supply Chain Security

October 29 at 12 pm ET

The better the data, the better the threat modeling. That’s where modern software supply chain security comes in. Chris Romeo , co-founder and CEO of devici joins RL’s Joshua Knox and Paul F. Roberts for a discussion about marrying threat modeling operations with modern SSCS to modernize it for the next generation of threats coming from software supply chains. [Register Here ]?

Webinar | Learn How to Find ALL the Ghosts in Your Software Supply Chain with Spectra Assure

October 31 at 12 pm ET

This Halloween, join us for an interactive and engaging demo of Spectra Assure, RL’s software supply chain security solution. Save your seat now to learn how Spectra Assure can spot all of the frightening threats lurking in the software you build or buy. Let’s bust some ghosts and secure your software supply chain, together! [Register Here ]

For more great conversations to watch, see RL’s on-demand webinar library .?