The lessons learned from the SolarWinds software supply chain attack were turned into tangible guidance this week when the United States Cybersecurity and Infrastructure Security Agency (CISA), the Office of the Director of National Intelligence (ODNI), and the National Security Agency (NSA) released a joint best practices framework for developers to prevent future supply chain attacks.
In addition to the recommendations from the US government, developers received npm Best Practices from the Open Source Security Foundation (OpenSSF), intended to establish open-source best practices for supply chain security.
"The developer holds a critical responsibility to the security of our software," the agencies said about the publication, titled Securing the Software Supply Chain for Developers. "As ESF examined the events that led up to the SolarWinds attack, it was clear that investment was needed in creating a set of best practices that focused on the needs of the software developer."
Meanwhile, OpenSSF announced that the npm code repository has grown to encompass 2.1 million packages.
Developers like Michael Burch, director of application security for Security Journey, praised the industry's proactive framework, but Burch added that it is now up to the cybersecurity sector to put these guidelines into action, particularly the recommendation to implement software bills of materials (SBOMs).
Burch concluded, "What we need now is the AppSec community to come together on the back of this guidance, and create a standard format and implementation for SBOMs to boost software supply chain security."