With major software supply chain attacks such as SolarWinds and the discovery of critical vulnerabilities like Log4j, the world has started to care a great deal about the security of software. These incidents, along with a string of others that span the past few decades, demonstrate that the problem of software supply chain attacks will not be going away anytime soon.
In fact, the problem has only gotten worse in the past two years. Specifically, software supply chain attacks via open-source repositories have taken a big hit, with attacks on npm and PyPI, two popular repositories, skyrocketing by 289% in the past four years.
Even more concerning, it has become clear that a significant number of organizations that produce software are not taking enough steps to secure the applications they are creating. According to a ReversingLabs commissioned survey on secure software practices, only 51% of software practitioners reported that their companies can protect their software from third-party risk when using open source, commercial solutions, and partner software. This signifies that there is a great deal of growth needed in the software industry when it comes to securing software.
Thanks to SolarWinds, Log4j, and other concerning software security incidents, the U.S. federal government has begun to take initiative over the past year and a half to address the growing problem of software supply chain attacks. This became official with the Biden Administration’s Executive Order on Improving the Nation’s Cybersecurity, which was followed by several other policy items and mandates that are expected to change the future of the software industry.
[ Download Report: The State of Software Supply Chain Security 2022-23 ]
Here's a timeline of the major documents, policy initiatives, and mandates that software organizations will want to take note of — whether they are selling their software products to the federal government, or not.
Article Link: A timeline of federal guidance on software supply chain security