April Security News Update: The U.S. Government Puts Plans in Motion to Protect Data

The U.S. government takes action to strengthen software security and protect personal and government data, while a study finds that insider threats are a significant risk to data security.

CISA Requires Software Developers to Attest to Secure Development Practices

The Biden-Harris administration has approved the Cybersecurity & Infrastructure Security Agency (CISA) “Secure Software Development Attestation Form.” Software developers who provide solutions to the federal government will use the form to attest to the adoption of secure development practices. This action builds on President Biden’s Executive Order 14028, Improving the Nation’s Cybersecurity, following the SolarWinds attack.

Action Items:

Ensure you comply with best practices on the attestation form, including:

      • Segmenting development environments
      • Logging, monitoring, and auditing access
      • Using multifactor authentication
      • Encrypting sensitive data
      • Continuously monitoring and responding, when necessary, to alerts of suspicious activity
      • Maintaining trusted source code supply chains
      • Using automated tools to check for vulnerabilities
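Two of the practices above, maintaining a trusted source-code supply chain and using automated tools to check dependencies, can be partly enforced with a small check in CI. The script below is an added example, not part of this article, of CISA's form, or of any vendor's tooling: it audits a constructed `requirements.txt` (the sample text and its sha256 value are made up for the demonstration) and flags every dependency that is not pinned to an exact version or that lacks a `--hash` entry, which is what lets pip verify the downloaded artifact against a known digest.

```python
"""Audit a pip requirements file for supply-chain hygiene.

A dependency passes only when it is pinned with '==' AND carries a
--hash=sha256:... so pip refuses an artifact whose digest does not match.
Added example; the sample file below is constructed, not a real project's.
"""
import re
from dataclasses import dataclass, field

# name, optional comparison operator, version string (stops at whitespace or ';')
SPEC_RE = re.compile(r"^([A-Za-z0-9][A-Za-z0-9._-]*)\s*(==|>=|<=|~=|!=|>|<)?\s*([^\s;]*)")
HASH_RE = re.compile(r"--hash=sha256:([0-9a-f]{64})")

NOT_PINNED = "not pinned to an exact version"
NO_HASH = "no sha256 hash; pip cannot verify the artifact"


@dataclass
class Finding:
    package: str
    issues: list = field(default_factory=list)


def audit_line(line):
    """Return a Finding for one requirement line, or None if it is clean."""
    line = line.split("#", 1)[0].strip()          # drop comments
    if not line or line.startswith("-"):          # skip options such as -r / --index-url
        return None
    m = SPEC_RE.match(line)
    if not m:
        return Finding(package=line, issues=["unparseable requirement"])
    name, op, version = m.groups()
    issues = []
    if op != "==" or not version:
        issues.append(NOT_PINNED)
    if not HASH_RE.search(line):
        issues.append(NO_HASH)
    return Finding(package=name, issues=issues) if issues else None


def audit_requirements(text):
    """Audit a whole requirements file; backslash continuations are joined first
    so a --hash placed on the following line counts for its requirement."""
    joined = text.replace("\\\n", " ")
    findings = []
    for raw in joined.splitlines():
        finding = audit_line(raw)
        if finding:
            findings.append(finding)
    return findings


# Constructed sample file (the hash is a placeholder, not a real digest).
SAMPLE_REQUIREMENTS = """\
# constructed example, not a real project's lockfile
requests==2.31.0 \\
    --hash=sha256:aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
pyyaml>=6.0
cryptography==42.0.5
flask
"""

if __name__ == "__main__":
    for f in audit_requirements(SAMPLE_REQUIREMENTS):
        print(f"{f.package}: {'; '.join(f.issues)}")
```

Run against the sample, only `requests` passes: `pyyaml` and `flask` are reported as unpinned and unhashed, `cryptography` as pinned but unhashed. Wiring this into the build as a failing step is a cheap, auditable piece of evidence for the "trusted supply chain" and "automated tools" practices.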

Review the form, instructions, and references to learn more.

However, don’t limit best practices to what’s included in the attestation form. Chris Hughes, chief security advisor at Endor Labs and Cyber Innovation Fellow at CISA, says, “Some key practices seem to be neglected, such as the need for threat modeling to enable secure-by-design systems. It also lacks any mention of memory safety, which has ironically also been a core message from CISA in other avenues.”

“The biggest challenges to meeting the requirements will be for those suppliers who haven’t implemented secure software development practices or leveraged frameworks such as NIST’s SSDF, OWASP SAMM, or BSIMM,” he says. “This could lead to some suppliers exiting or avoiding the Federal market due to the higher level of maturity required and potentially limited access to innovative commercial software solutions for the Federal government.”

Henrik Plate, security researcher at Endor Labs, adds, “Software providers will need to take more responsibility for all the open-source software they consume. It will become more and more important for software providers to define and use security and quality criteria during the selection and use of open source components.”

“Software dependency management will become a more important function of software development, in particular regarding the consumption of open source, which represents the biggest share of the code base of most software products and services,” he says.

New Executive Order Aims to Protect Personal and Government Data

On February 28, President Biden signed Executive Order 14034, “Protecting Americans’ Sensitive Data from Foreign Adversaries.” Shiva Nathan, founder and CEO of Onymos, says the order casts doubt on whether existing data security measures are adequate.

“Threat actors are growing more sophisticated at a time when our SaaS economy is becoming increasingly interdependent — one weak link in the supply chain can affect millions of organizations simultaneously. This is particularly true when it comes to health and MedTech, where the most sensitive data types, old, entrenched processes, and digital transformation all collide,” he says.

“The Executive Order reveals that sensitive PHI and PII data can be accessed and exploited by threat actors, even when it is anonymized and pseudonymized, by making simple connections between outside (and unsuspecting) data sources. This revelation should not be surprising as we’ve seen the number of cyberattacks and data breaches increase dramatically since 2020. The explosion of telehealth and at-home care created an exponential new number of attack surfaces for threat actors,” Nathan explains.

Action Items:

Evaluate your data access policies and practices, including:

      • Carefully scrutinize internal and external parties who have access to data.
      • Vet third-party vendors and service providers and limit their access to data.
      • Watch for a proposed rule from the Attorney General and Secretary of Homeland Security on classifications of transactions that are subject to this order. It is due within 180 days from the Executive Order.

The NSA Issues Guidance on Zero Trust

The National Security Agency (NSA) released a Cybersecurity Information Sheet on advancing Zero Trust to strengthen network control and mitigate damage from intrusions. The information sheet focuses on the network and environmental pillar, one of the seven pillars that make up a Zero Trust framework. Read the full report from the NSA.

Action Items:

Brian Soby, CTO and co-founder at AppOmni, says the NSA’s position is supported by benchmarks including NIST’s Zero Trust Architecture. He says:

      • “In their announcement, the NSA recognizes this market shift, especially the prevalence and customer adoption of products such as Secure Service Edge (SSE) and Secure Access Service Edge (SASE), which provide part of the microsegmentation capability promoted by this new guidance.”
      • He says the NSA frames Zero Trust maturity as moving microsegmentation closer to applications and including continuous visibility and feedback.
      • He says to counteract cybercriminals going around these measures, organizations should apply the principle of least privilege and strong Zero Trust management to all SaaS solutions and other enterprise applications.

New Report Reveals Insider-Driven Data Leaks Cost Organizations an Average of $15 Million

Code42’s annual Data Exposure Report offers some sobering news:

      • Insider-driven events have increased by 28 percent since 2021.
      • A majority (85 percent) of cybersecurity leaders expect data loss from insider events to increase in the next year.
      • Although 99 percent of organizations have implemented data protection solutions, 78 percent have experienced sensitive data leaks.
      • The average cost of insider events is $15 million.

Action Items:

      • Deploy security measures that account for AI and generative AI technology, which the report identifies as a significant contributor to data leaks.
      • Revise policies to address cloud computing.
      • Maintain visibility into source code downloads, data uploaded to personal cloud accounts, and CRM data downloads.
      • Ensure your team is well-trained on data security regulations and company policies.
      • Train employees to spot phishing attempts.
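The visibility item above (source code downloads, uploads to personal cloud accounts, CRM exports) only pays off if something is watching the resulting telemetry. The script below is an added example and is not part of this article or of Code42's product: it runs three simple detection rules over a constructed JSON-lines audit log (the events, users, hostnames and thresholds are all made up for the demonstration) and raises an alert when one user clones more than a handful of distinct repositories in an hour, uploads to a destination outside an assumed corporate allowlist, or exports an unusually large number of CRM rows.

```python
"""Toy insider-risk detection over audit events.

Added example with constructed data. Rules and thresholds are assumptions a
real deployment would tune against its own baseline.
"""
import json
from collections import defaultdict, deque
from dataclasses import dataclass
from datetime import datetime, timedelta

CORPORATE_DOMAINS = {"files.corp.example", "git.corp.example"}  # assumed allowlist
CLONE_LIMIT = 3                 # distinct repos per window before alerting
CLONE_WINDOW = timedelta(hours=1)
CRM_ROW_LIMIT = 10_000          # rows in a single export before alerting


@dataclass
class Alert:
    user: str
    rule: str
    detail: str


def parse_events(text):
    """Parse JSON lines into dicts with a datetime 'ts', sorted by time."""
    events = []
    for line in text.splitlines():
        if line.strip():
            event = json.loads(line)
            event["ts"] = datetime.fromisoformat(event["ts"])
            events.append(event)
    return sorted(events, key=lambda e: e["ts"])


def detect(events):
    """Apply the three rules and return the alerts in event order."""
    alerts = []
    clones = defaultdict(deque)   # user -> recent (timestamp, repo) within the window
    already_alerted = set()       # one bulk-download alert per user
    for e in events:
        user, action = e["user"], e["action"]
        if action == "repo_clone":
            window = clones[user]
            window.append((e["ts"], e["target"]))
            while window and e["ts"] - window[0][0] > CLONE_WINDOW:
                window.popleft()          # age out events outside the window
            distinct = {repo for _, repo in window}
            if len(distinct) > CLONE_LIMIT and user not in already_alerted:
                already_alerted.add(user)
                alerts.append(Alert(user, "bulk_source_download",
                                    f"{len(distinct)} repos within {CLONE_WINDOW}"))
        elif action == "upload":
            domain = e["target"].split("/")[0]
            if domain not in CORPORATE_DOMAINS:
                alerts.append(Alert(user, "personal_cloud_upload", e["target"]))
        elif action == "crm_export":
            if e["rows"] > CRM_ROW_LIMIT:
                alerts.append(Alert(user, "bulk_crm_export", f"{e['rows']} rows"))
    return alerts


# Constructed sample audit log: one JSON object per line, not real telemetry.
SAMPLE_EVENTS = """\
{"ts": "2024-03-04T09:01:00", "user": "alice", "action": "repo_clone", "target": "git.corp.example/payments", "bytes": 52000000}
{"ts": "2024-03-04T09:02:30", "user": "alice", "action": "repo_clone", "target": "git.corp.example/billing", "bytes": 48000000}
{"ts": "2024-03-04T09:03:10", "user": "alice", "action": "repo_clone", "target": "git.corp.example/ledger", "bytes": 61000000}
{"ts": "2024-03-04T09:05:45", "user": "alice", "action": "repo_clone", "target": "git.corp.example/mobile-app", "bytes": 90000000}
{"ts": "2024-03-04T10:00:00", "user": "bob", "action": "upload", "target": "files.corp.example/shared/q1.xlsx", "bytes": 200000}
{"ts": "2024-03-04T10:05:00", "user": "bob", "action": "upload", "target": "drive.example-personal.net/u/bob/customers.csv", "bytes": 3400000}
{"ts": "2024-03-04T11:00:00", "user": "carol", "action": "crm_export", "target": "crm.corp.example", "rows": 250}
{"ts": "2024-03-04T11:30:00", "user": "dave", "action": "crm_export", "target": "crm.corp.example", "rows": 45000}
{"ts": "2024-03-04T12:00:00", "user": "erin", "action": "repo_clone", "target": "git.corp.example/docs", "bytes": 1200000}
"""

if __name__ == "__main__":
    for a in detect(parse_events(SAMPLE_EVENTS)):
        print(f"[{a.rule}] {a.user}: {a.detail}")
```

On the sample log this yields three alerts (alice's four clones in five minutes, bob's upload to a non-corporate host, dave's 45,000-row export) and stays quiet for the ordinary activity of carol and erin. The point is less the thresholds than the inputs: each rule needs a log source that the action items above ask you to keep visible.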

For more security updates and insights, visit DevPro Journal’s Security resources page.

Mike Monocello

The former owner of a software development company and having more than a decade of experience writing for B2B IT solution providers, Mike is co-founder of DevPro Journal.