Secure Software Attestation
Prompt by Jeff Williams. Content... err... adapted from millions of artists and creators everywhere.

We are entering an era where software producers will have to attest to the security of the software they create. This is a bit like Sarbanes-Oxley. The CEO will have to sign off that the organization has followed some basic security practices.

None of this is unreasonable in my opinion. Anyone not doing basic application security practices probably isn't creating software that I would want to use, so I think transparency around this is great. However, it is sure to cause a lot of angst, as most software organizations aren't ready to make their software security practice public. So we're in for a bumpy road.

I took a look at the Cybersecurity and Infrastructure Security Agency Secure Software Development Attestation Form (also called "Self-Attestation Form"). It has a short list of basic software security requirements. These are a small subset of the NIST Secure Software Development Framework (SSDF), which was created in response to the Cybersecurity Executive Order 14028. With me so far?

I was curious how this evolved, so I put together a quick side-by-side comparison. Generally the Executive Order vision is a bit broader and deeper than what ended up in the CISA form. Let me know what you think (click to see the full spreadsheet and leave me comments)...

The BIG issue, though, is that the NIST SSDF has 19 categories and 42 total requirements and each one has a bunch of examples. The CISA Form only has 4. It's not a perfect mapping, but suffice it to say that there are many basic software security practices that aren't in the CISA form.

Which of these would you want a company to attest to before you trust their software? What if you were trusting your finances, healthcare, government, travel, military, elections, or social life to their software?


Michael Falato

GTM Expert! Founder/CEO Full Throttle Falato Leads - 25 years of Enterprise Sales Experience - Lead Generation Automation, US Air Force Veteran, Brazilian Jiu Jitsu Black Belt, Muay Thai, Saxophonist, Scuba Diver

2 weeks

Jeff, thanks for sharing! Any good events coming up for you or your team? I am hosting a live monthly roundtable every first Wednesday at 11am EST to trade tips and tricks on how to build effective revenue strategies. I would love to have you be one of my special guests! We will review topics such as:

- LinkedIn Automation: Using Groups and Events as anchors
- Email Automation: How to safely send thousands of emails and what the new Google and Yahoo mail limitations mean
- How to use thought leadership and MasterMind events to drive top-of-funnel
- Content Creation: What drives meetings to be booked, how to use ChatGPT and Gemini effectively

Please join us by using this link to register: https://www.eventbrite.com/e/monthly-roundtablemastermind-revenue-generation-tips-and-tactics-tickets-1236618492199

Bryan J. Guinn

Driving Innovation in Defense Tech | AFCEA 40 under Forty | AFCEA Distinguished Young Professional

1 year

Very useful, thanks for putting this together. Curious how CISA guidance was limited compared to the others.

Matt Konda

Head of Security at IonQ

1 year

I don't know if I buy that this is going to really happen. Like with other areas of security, the government will say they are going to force it, but then it will be impossible to really accomplish in practice. Consider the logging directives and this commentary (not mine): https://medium.com/@cybureauocracy/m-21-31-ye-shall-log-no-matter-the-log-3fe69321639c I also worry that, as with compliance and other standards, the state of the art will be far advanced from the state of the attestation. We'll be attesting that we don't use Struts, not that we don't have any security issues, because it turns out that really isn't a position we can take in the real world.

Adhiran Thirmal

Solutions Engineer at Cycode

1 year

Thank you for putting together this comparative spreadsheet. I’m really curious how the Secure Software Development Attestation Common Form will be used by software vendors and buyers.

Caleb Queern

I help lead Cyber Defense at KPMG Cyber Security Services | Co-Author of Investments Unlimited

1 year

Nicely done, Jeff.
