APPSEC OBSERVER

The latest trends and tips in DevSecOps through instrumentation and Security Observability.


President Biden’s Executive Order: Secure the Software Supply Chain

In the fallout of a successful ransomware attack on a pipeline that supplies nearly half the East Coast’s gasoline, President Biden signed an executive order placing strict new standards on the cybersecurity of any software sold to federal agencies. U.S. government officials made a point of calling out Colonial Pipeline’s poor cyber defenses—and specifically, that they had no way to monitor for an adversary who successfully made it inside the network perimeter.

It should be no surprise that improving application security is a recurring topic throughout the executive order’s various sections. According to Verizon’s 2021 Data Breach Investigations Report, web applications continue to be a major attack vector—representing 39% of all data breaches in the last year. At the same time, the attack surface presented by applications is expanding—upwards of 111 billion lines of new software code are written each year. Federal agencies are not immune to application risks. Within the Department of Defense (DoD) alone, a single fighter jet may include more than 8 million lines of code—and that total jumps to 24 million lines counting its ground-based Autonomic Logistics Information System (ALIS).

President Biden calls out several specific areas where agencies need to elevate their application security capabilities, with support for:

  • Continuous compliance/continuous authority to operate (C-ATO) via continuously monitoring software systems in preproduction
  • Greater software supply chain transparency via a software bill of materials (SBOM), without needing access to the procured software source code
  • Continuous monitoring of production systems for cyber incidents, as well as automatic threat blocking when an exploit is confirmed to target a previously known or unknown vulnerability
  • Identification of zero-day vulnerabilities in both third-party libraries and software procured by federal agencies, along with automatic threat blocking for zero days
  • Automatic recognition of all application frameworks and back-end systems the software system is using, and mapping of threat analysis against them

The Contrast Application Security Platform directly supports the majority of the goals of this executive order. Application security is critical to every federal agency. Preparing for stricter guidelines and higher levels of security in applications and the broader software supply chain should begin today.

Contrast provides the fastest, easiest, and most scalable application security platform available. Our integrated solutions (Contrast Assess, Contrast OSS, and Contrast Protect) are the best way for agencies to achieve President Biden’s goals and prepare for the standards that are coming to address his specific mandates. Below is an overview of the executive order and areas that pertain to application security—and specifically how Contrast can help agencies start preparing today for changes coming down the pike.


A new executive order calls for sweeping changes to improve cybersecurity across all Federal agencies. Application security is arguably the most critical priority. The Contrast Application Security Platform includes advanced testing and protection capabilities that were specifically designed for modern applications. Contrast can help agencies immediately anticipate the impact of these upcoming changes in terms of:

  • Establishing effective application security policies
  • Instituting a Zero Trust Architecture where appropriate
  • Securing the software supply chain
  • Defining more stringent standards for testing, monitoring, protection, and reporting
  • Standardizing a Federal playbook for cybersecurity responses


Establish Software Security Policies

The order’s first section outlines the need for policy-level requirements to improve federal government efforts to detect, identify, deter, protect against, and respond to malicious actions and actors in order to foster a more secure cyberspace for the nation. Contrast supports all of these security policies at the application level. In fact, Contrast's breakthrough technologies have already been added to the NIST 800-53 standard as well as the DoD’s Platform One program. Our protection capabilities help detect and identify threat actors that target specific applications in the organization. Further, Contrast automatically blocks any attacks that have been proven to exploit a vulnerability inside the application.

President Biden goes on to state:

It is the policy of my Administration that the prevention, detection, assessment, and remediation of cyber incidents is a top priority and essential to national and economic security. The Federal Government must lead by example. All Federal Information Systems should meet or exceed the standards and requirements for cybersecurity set forth in and issued pursuant to this order. 

At Contrast, we believe that the fastest and most cost-effective way to achieve these application security goals at scale is to:

1. Continuously identify and eliminate vulnerabilities in custom code, open-source libraries, and other supply chain components in the most cost-effective manner
2. Prevent vulnerabilities that do make it into production from being exploited
3. Detect attacks and provide information about the attacker, what attack vectors they are using, and which systems they are targeting

Modernize Federal Government Cybersecurity

Legacy application security tools (ones that were not designed for today’s Agile and DevOps environments) are a widespread problem for government agencies and their suppliers. Security is often an afterthought, not built in from the beginning of the life cycle of the application and its underlying infrastructure. Section 3 of President Biden’s order states:

To keep pace with today’s dynamic and increasingly sophisticated cyber threat environment, the Federal Government must take decisive steps to modernize its approach to cybersecurity, including by increasing the Federal Government’s visibility into threats, while protecting privacy and civil liberties. The Federal Government must adopt security best practices; advance toward Zero Trust Architecture; accelerate movement to secure cloud services, including Software as a Service (SaaS), Infrastructure as a Service (IaaS), and Platform as a Service (PaaS); centralize and streamline access to cybersecurity data to drive analytics for identifying and managing cybersecurity risks; and invest in both technology and personnel to match these modernization goals.

Contrast technologies help many organizations to securely embrace modernization initiatives, including:

  • Cloud-native and container-based development
  • Application programming interfaces (APIs), microservices, and web services
  • Modern languages and frameworks
  • Expanded use of open-source components
  • Agile and DevOps systems

Establishing an application security communications infrastructure is a key foundation for cost-effective vulnerability remediation and incident response. Contrast centralizes and streamlines application layer cybersecurity data about vulnerabilities and attacks. Contrast continuously gathers data about custom code vulnerabilities, open-source vulnerabilities, and attacks on production for all applications and APIs. Contrast provides advanced tools for organizing, searching, sorting, prioritizing, and managing this data.

Instituting a Zero Trust Architecture

Contrast also supports the executive order’s goals for a Zero Trust Architecture at the application layer. Rather than relying on centralized firewalls and intrusion detection systems (IDS), Contrast protects each application and API individually, wherever it runs in the organization (e.g., on-premises, in the cloud, inside containers) and across the entire life cycle of the application. Contrast can even work within completely air-gapped environments. Our vulnerability database is available offline and has helped many federal organizations secure even the most highly sensitive and controlled environments.

The executive order also specifies the need for “incorporating automation throughout the lifecycle of FedRAMP, including assessment, authorization, continuous monitoring, and compliance…” Legacy approaches require human expert resources in the critical path to deployment and during operation. Contrast's market-leading accuracy enables agencies to “shift left” and achieve high-velocity development without sacrificing security. This includes the ability to automate streamlined application security workflows, continuous threat monitoring, and compliance auditing/reporting.

Enhancing Software Supply Chain Security

As the executive order states, “There is a pressing need to implement more rigorous and predictable mechanisms for ensuring that products function securely, and as intended.” Applications are a top pathway for breaches because traditional approaches to application security are ineffective. Results from outdated testing tools require analysis by human security experts. This creates a co-dependent feedback loop with developers, a growing backlog of unremediated vulnerabilities, and a bottlenecked development pipeline.

Our approach aligns the objectives and workflows of development, security, and operations teams—enabling organizations to evolve from DevOps to DevSecOps shops within minutes. Contrast’s instrumentation-based security embeds protection inside the code itself for comprehensive visibility, continuous monitoring of application systems, and contextual awareness that helps organizations fix vulnerabilities much faster than legacy application security tools. Our approach works at scale—fostering a healthy security culture, massive improvement in mean time to remediation (MTTR), and the most cost-effective application security possible. Following are some of the most relevant areas in the executive order related to the software supply chain.

Federal requirements for securing the supply chain

The order outlines a number of specific federal requirements designed to improve protection of critical software by rapidly improving the security and integrity of the software supply chain. Contrast can help government agencies meet requirements such as the Open Web Application Security Project (OWASP), Defense Information Systems Agency (DISA) Security Technical Implementation Guides (STIGs), Payment Card Industry (PCI), and others. Agencies can easily set Contrast platform policies to fail an application’s compliance when a vulnerability listed in any of these standards is found.

Contrast has already helped many government agencies secure their software supply chains. The platform’s software composition analysis (SCA) capabilities can inventory all third-party/open-source libraries used by a commercial off-the-shelf (COTS) or government off-the-shelf (GOTS) application—including how they are used, the specific classes that are used in each library, and any licensing risks associated with library usage. Contrast also identifies software vulnerabilities without having access to source code. This includes unknown (zero-day) vulnerabilities in custom code, as well as known and unknown vulnerabilities in open-source/third-party libraries. The Contrast platform finds these issues within seconds, helping organizations with their C-ATO initiatives. And Contrast is the only application security provider that combines all of these capabilities in a single, integrated DevSecOps platform.

Automated testing and remediation

The order also requires “employing automated tools, or comparable processes, that check for known and potential vulnerabilities and remediate them, which shall operate regularly, or at a minimum prior to product, version, or update release …” Contrast provides automated and highly accurate vulnerability testing with prioritized results and contextual information that helps developers remediate vulnerabilities in real time as they write code. This not only helps eliminate application vulnerabilities but it also provides security at the speed of modern DevOps delivery cycles.

Continuous monitoring, alerts, and responses

The executive order specifically calls out the need for “monitoring operations and alerts and responding to attempted and actual cyber incidents …” The Contrast platform’s protection capabilities are specifically designed to continuously monitor and automatically block cyberattacks in production. It also reports on cyber incidents that were not successful in exploiting vulnerabilities that may be present in application code. This real-time threat intelligence can be automatically sent to central security tools—such as security information and event management (SIEM)—to enhance broader defensive awareness across the organization.

Artifact reporting

The order requires the ability to provide upon request artifacts of the execution of security tools and processes. Contrast attestation reports provide evidence of vulnerability remediation based on the most current application information—including all software artifacts. These report details include:

  • Artifact or components licenses
  • Artifact usage inside the vendor software—how many classes a library contains and how many of them the software actually uses
  • Any zero-day vulnerabilities that third-party libraries may have
  • Artifact provenance (i.e., origin)

Tracking third-party code and components

There’s also a call in the executive order for “maintaining accurate and up-to-date data, provenance (i.e., origin) of software code or components, and controls on internal and third-party software components, tools, and services present in software development processes, and performing audits and enforcement of these controls on a recurring basis.” Here, Contrast supports the certification, compliance validation, and ATO requirements that apply to government agencies. Further, Contrast is the only distributed continuous monitoring system for third-party code and components.

Establishing standards for application security testing

As part of these new requirements, President Biden also tapped the National Institute of Standards and Technology (NIST) and National Security Agency (NSA) to jointly publish guidelines in the next two months that recommend minimum standards for vendor testing of software source code—including identifying recommended types of manual or automated testing (such as code review tools, static and dynamic analysis, software composition tools, and penetration testing).

Contrast's underlying technology has already been recognized by NIST as a recommended type of testing. Such testing can be performed by vendors supplying technology to government organizations, or performed by government organizations on vendors’ software without needing to have access to the source code.

Consumer software labeling

President Biden outlines the need for a labeling program based on criteria that reflect a baseline level of secure practices, as well as the increasingly comprehensive levels of testing and assessment that a product may have undergone. Contrast can help by automatically generating labels that accurately reflect the application’s security pedigree. Our technology has helped many organizations with secure software practices and (more importantly) the modernization of their cyber defenses. We have helped organizations with the continuous assessment of their applications in all environments, including production systems. In the case that a noncritical vulnerability is not resolved in preproduction, our technology can be enabled to prevent any exploitation that may happen in production.

Along these lines, we are very confident that the U.S. government will improve its software security posture, and Contrast is in a unique position to:

  • Resolve security issues minutes after installation by integrating security into your existing DevOps toolchain
  • Provide the most accurate testing results available
  • Reduce the agency’s MTTR for code vulnerabilities
  • Continuously monitor for and block malicious attacks
  • Simplify supply chain management

Standardizing the Federal Government’s Playbook for Responding to Cybersecurity Vulnerabilities and Incidents

Response procedures currently used to identify, remediate, and recover from vulnerabilities and incidents vary across agencies—and this variation hinders the government’s broader ability to perform comprehensive analysis across agencies. Standardized response processes ensure more coordinated and centralized cataloging of incidents and tracking of agencies’ progress toward successful responses.

Contrast’s integrated defenses across the entire software development life cycle (SDLC) help provide comprehensive, real-time application security intelligence at all times. Today, Contrast helps many government agencies continuously monitor for vulnerabilities in software systems. Our platform is also able to block any attacks trying to exploit such vulnerabilities in production systems. Such blocked events can then easily be cataloged in a centralized incident management system.

Redefining Application Security for the Modern Era

President Biden’s executive order is part of redoubled efforts to strengthen U.S. defenses and to encourage private companies to practice better cybersecurity—or risk being locked out of federal contracts. As illustrated above, a major part of this process will include defining what modern application security really means.

As recent attacks like the one on Colonial Pipeline show, application security can no longer be an afterthought. Security must be a foundational element of the modern software supply chain—from design, throughout development, and even beyond delivery. And this is precisely what the Contrast DevSecOps platform was built to provide.

To learn more, some of the latest performance data about the Contrast platform’s unique capabilities can be found in this 2021 State of Open-source Security Report.

Rali Kettani

Rali Kettani is a Sales Engineering Manager with Contrast Security and has been in the technology field for over 20 years, predominately focused on application security. He has a background in software development with extensive experience with different application security technologies, and has successfully helped dozens of Fortune 500 companies and U.S. government entities to modernize their application security practice and transition DevSecOps. Rali has a Master’s degree in Management Information Systems from The George Washington University and a Bachelor’s degree in Computer Science from Georgia College. He is based out of Washington DC.