The U.S. government, in March, released an update to its framework for securing agencies’ software supply chains, which are increasingly at risk of attack. The National Institute of Standards and Technology (NIST) unveiled the Secure Software Development Framework (SSDF) 1.1, which calls for tighter controls throughout the software development lifecycle and describes a set of best practices for organizations – and their third-party suppliers – to follow.
The SSDF focuses on how organizations can protect software supply chains, regardless of technology, platform, programming language, or operating environment, in large part by introducing security early in the DevOps process. There are four key practices:
- prepare the organization
- protect software (all components of the software should be safe from tampering and unauthorized access)
- produce well-secured software (with minimal security vulnerabilities in its releases)
- respond to vulnerabilities
“The goal of the SSDF, in my opinion, is to bring all agencies and their suppliers to the same place in terms of secure software development,” says Joel Krooswyk, senior manager of Solutions Architecture at GitLab. “The framework gets everyone on the same page and speaking the same language, which will inevitably help them to be more effective against whatever threats may come.”
While some agencies, such as the Department of Defense and Central Intelligence Agency, might be more sophisticated in the security and compliance of their software supply chains, other public sector organizations are less advanced, using a raft of ad-hoc legacy applications to manually handle vulnerabilities.
The SSDF undoubtedly will drive all government agencies to direct resources – human and technological – toward automating supply chain security. To ensure that they meet the measure of the framework without overburdening their teams and budgets, organizations should consider deploying GitLab, a single DevOps platform that has security built in early in the development lifecycle, end-to-end, and with maximum visibility.
Here’s how GitLab addresses the specific practices within the SSDF:
1. Prepare the organization
GitLab helps organizations ensure that their people, processes, and technology are prepared to perform secure software development, in line with SSDF best practices.
The GitLab DevOps platform features:
- Strong policy management and role-based permissions models with LDAP, single sign-on, and multifactor authentication support
- Sophisticated security dashboards with severity and trends to provide all stakeholders visibility and observability into the software development lifecycle
- Scaled agile process support, enabled through epics, issues, and other documentation, making for a completely auditable environment
- Simplified implementation of a zero-trust security framework with the DevOps platform
2. Protect the software
The SSDF guides organizations to protect all components of their software from tampering and unauthorized access.
GitLab helps organizations accomplish this through the use of:
- commit signatures
- code reviews
- role-based, read-only controls
- Software Bill of Materials (SBOM) data per release
- security scanning in offline environments
3. Produce well-secured software
According to the SSDF, organizations should produce well-secured software with minimal security vulnerabilities in its releases.
The GitLab DevOps platform is purpose-built for this best practice and includes:
- credential management
- code reviews and approvals
- centralized mitigation with vulnerability reports
- security scanning (DAST, SAST, fuzz testing, secret detection, and more) that is integrated into the developer workflow
- continuous compliance enforcement capabilities that enable organizations to tailor their pipeline reviews and security scans to all their applicable compliance mandates
- the ability to find and fix vulnerabilities early on in development without building complex integrations
4. Respond to vulnerabilities
The SSDF expects organizations to be able to identify residual vulnerabilities in their software releases, respond appropriately to address them, and prevent similar vulnerabilities from occurring in the future.
GitLab enables organizations to find and fix vulnerabilities early in the development process. The GitLab DevOps platform also features:
- automatic updates for the Common Vulnerabilities and Exposures (CVE) database
- the ability to contribute/disclose vulnerabilities directly via GitLab
- Auto DevOps best practice scanning
- status, severity, and related activity exposed on the Vulnerability Report page
- integrated learning tools to learn about found vulnerabilities in real time
- on-demand scanning to look for new vulnerabilities in existing code
Using GitLab's DevOps platform, government agencies and their suppliers can apply the best practices set forth in the SSDF and, through continuous compliance, ensure that the software supply chain also meets the requirements of other mandates.