Revenera Notifies Software Vendors of US Executive Order on Security of Software Supply Chains
Since May 2021, U.S. government agencies have specific policies that directly affect software vendors and developers. A software bill of materials listing the components used becomes just as mandatory as automated vulnerability management.
For software providers who want to be considered by US authorities, stricter guidelines regarding the software supply chain will apply in the future.
(© littlewolf1989 – stock.adobe.com)
If companies want to sell their software solutions to the US government, they will have to meet specific requirements in the future. This is reported by Revenera, citing an executive order from the US government dated May 12, 2021. Such providers are obliged to provide a Software Bill of Materials (SBOM) for each product, either directly to the buyer or via a platform or website.
Code integrity and the trustworthiness of supply chains must be ensured using automated tools and processes. The same applies to vulnerability management. In addition, software vendors are required to participate in a vulnerability disclosure program that includes a reporting and disclosure process.
The software bill of materials must include accurate and up-to-date data (including origin) on code and software components. The other points must also be documented in detail: from the controls for internal and external software components to the tools and services used in the software development process.
Regular audits and company-wide enforcement of all measures are also part of the obligations. Software Composition Analysis (SCA) and the software BOM are gaining priority, warns Nicole Segerer, VP of Product Management & Marketing at Revenera: “Providers need comprehensive insight into their applications. You need to understand where your components come from, where they are deployed, and who is responsible for potential security and compliance risks.”
Revenera has compiled some best practices that software vendors and developers should consider when using open source software:
- Create a complete and up-to-date software BOM for each application across all deployed components (OSS and third-party vendors), including their dependencies. This includes products that are only hosted and not shared with customers.
- Implement processes to identify and eliminate known and newly reported vulnerabilities in open source components within applications.
- Perform continuous, automated software composition analysis that enables development teams to identify and address vulnerabilities early in the SDLC.
- Increase the security awareness of your teams in dealing with open source through training and management training, access to resources and exchange with the open source community.
- Enforce open source compliance and security policies consistently and across departments. Dedicated teams in the form of Open Source Program Offices (OSPOs) and/or Open Source Review Boards (OSRBs) help to develop and implement a holistic open source strategy.
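The first two practices above (an SBOM that records each component's origin and dependencies, and a check of those components against reported vulnerabilities) as a small audit routine. This is an added example, not Revenera's tooling or a real SBOM; the component names, supplier names, versions and the advisory identifier are constructed sample data.

```python
import json

# Constructed SBOM in a CycloneDX-like JSON shape (sample data, not any vendor's real SBOM).
SBOM_JSON = """{
  "components": [
    {"name": "libalpha", "version": "1.2.0", "supplier": "example-upstream",
     "dependsOn": ["libbeta"]},
    {"name": "libbeta",  "version": "0.9.1", "supplier": "example-upstream"},
    {"name": "libgamma", "version": "2.0.0", "supplier": ""}
  ]
}"""

# Constructed advisory feed with a hypothetical identifier: every version
# below "fixed_in" is affected.
ADVISORIES = {
    "libbeta": [{"id": "EXAMPLE-2021-0001", "fixed_in": "0.9.2"}],
}


def parse_version(text):
    """Turn '1.2.0' into (1, 2, 0) so versions compare numerically, not as strings."""
    return tuple(int(part) for part in text.split("."))


def audit_sbom(sbom_json, advisories):
    """Return a sorted list of (component, issue) pairs for one application's SBOM.

    Issues raised: a component with no recorded origin, a component whose version
    is below an advisory's fix, and a component that depends on such a vulnerable
    component (the transitive exposure that a dependency-aware SBOM makes visible).
    """
    components = json.loads(sbom_json)["components"]
    findings, vulnerable = [], set()
    for c in components:
        if not c.get("supplier"):
            findings.append((c["name"], "origin not documented"))
        for adv in advisories.get(c["name"], []):
            if parse_version(c["version"]) < parse_version(adv["fixed_in"]):
                findings.append((c["name"], f"affected by {adv['id']}, fix in {adv['fixed_in']}"))
                vulnerable.add(c["name"])
    for c in components:  # second pass: flag dependents of anything found vulnerable
        for dep in c.get("dependsOn", []):
            if dep in vulnerable:
                findings.append((c["name"], f"depends on vulnerable {dep}"))
    return sorted(findings)


if __name__ == "__main__":
    for name, issue in audit_sbom(SBOM_JSON, ADVISORIES):
        print(f"{name}: {issue}")
```

Running it on a real SBOM means replacing the embedded JSON with the exported document and the advisory dictionary with a vulnerability feed; the comparison logic is the same.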