NSA’s and CISA’s Recent Security Guidance: The Good and the Bad
1 min read
Oct 22, 2022
The NSA and CISA released the guide “Securing the Software Supply Chain: Recommended Practices Guide for Developers” last month and while David Wheeler, the director of open-source supply chain security at the Linux Foundation and OpenSS, welcomes it, he said there are some questionable requirements.
The guide covers aspects of security such as how to develop secure code, how to verify third-party components, and how to harden the build environment, among other things. It’s also part of the government’s effort to bolster supply chain security stemming from last year’s Executive Order, which aims to curb the 650% growth in supply chain attacks, according to Sonatype’s 2021 State of the Software Supply Chain.
The guide encourages developers to take regular and relevant security training and that they should be evaluated periodically, at least annually. The security training for the development team is ideally conducted by a centralized, expert security team that can help product teams grow their expertise in secure development.
Related Articles
1 - 0 min read
SPDX 3.0 Revolutionizes Software Management & Security
1 - 0 min read
White House Warns: Move to Memory-Safe Languages
1 - 0 min read
Open Source is Not Insecure, Despite Common Misconceptions
1 - 0 min read
Do I Need Antivirus as a Linux User?
1 - 0 min read
Hackers' Backdoor: Warning of New Linux Kernel Vulnerability
