Final rules for companies that sell software to the government have gone into effect. Those companies will now have to attest that they used secure development practices, with the National Institute of Standards and Technology's Secure Software Development Framework as the reference. For more, Tom Temin of the Federal Drive spoke with Joe Nicastro, Chief Technology Officer at Legit Security.
Joe Nicastro: Yes, great question. This is mainly due to the SolarWinds attack. Basically, he issued an executive order saying that NIST would create new guidelines or frameworks for software supply chain security. This eventually became the NIST SSDF. And right after that, [the Cybersecurity and Infrastructure Security Agency (CISA)] decided to use that SSDF as part of its certification for any company that sells software across the government. This is no longer in a comment period; it was finalized as of last week. This basically means that within the next three months, all critical software sold to the government must have this certification, and any non-critical software currently sold to the government must have this certification within six months. And essentially, what this certification is, is that the CEO or some other designated executive-level person within that organization, or an authorized third-party assessor, comes in and basically says, "Hey, these particular controls are in place, and we have certified to CISA that this company follows good standards and practices in software development."
Tom Temin: If you're a large company like Microsoft, SAS, Salesforce, or Oracle that pretty much dominates the software industry, you probably already have secure development practices in place. Is there anything to be afraid of in having to prove this?
Joe Nicastro: I think most organizations have many of the controls in place that are required for the SSDF. This includes using appropriate application security tools such as static analysis, dynamic analysis, and software composition analysis. I think what most organizations struggle with is implementing the additional controls that are primarily there to increase the overall security of the supply chain itself. There are currently many tools on the market that primarily focus on risks within applications. There aren't many tools that focus on the risks of the actual software factories that are writing this code. I think that's why we've seen software supply chain attacks increase so much over the last four to five, six years, in some cases over 700% compared to the previous year. So I definitely think large companies have the ability to meet these regulations. I think they obviously have a little bit more work to do, but I think they can definitely get it done. I think the bigger struggle, especially for large companies, will be to prove this in an automated way. I think one of the things that is missing with this new CISA certification is the ability for Microsoft and these large organizations to do the attesting in an automated way. At this point, we primarily use PDFs or fill out forms on websites. And when we move at the speed of development, manual processes like this slow down development. And I think that's going to be the biggest hurdle in an organization's transition.
Tom Temin: And then back up the food chain just a little bit. The reality of most commercial software is that it involves only a little coding by the vendor, and most of it assembles open source components that may be common to 10,000 other programs. So is that an obstacle to certifying securely?
Joe Nicastro: So again, I think a lot of the organizations that we talk to do some kind of software composition analysis to make sure that the open source packages that they're deploying are healthy and don't have a lot of stuff in them that is a risk to them. But certainly, the concern as we move forward is, again, making sure that the packages that we're using don't introduce additional risk to that organization. But the bigger picture is to look at how open source and its packages are used across applications in your organization, to really start considering the risks holistically rather than just determining if there are vulnerabilities. I think it's important to pay attention to whether a package is actually being used. Packages may not be in the active code, may not be reached by the code that is used, may not even have reachable vulnerabilities, and so on.
Tom Temin: I'm talking to Joe Nicastro. He is the field CTO of Legit Security. One final question for the vendor side: if a vendor makes this certification and then several vulnerabilities are exposed, what are the consequences? And I don't think there's any software out there yet that wouldn't allow someone to hack something. So what happens?
Joe Nicastro: I think this is something we are all looking forward to seeing. I think there is definitely precedent, with Uber's CISO going to jail and the lawsuit over SolarWinds. So I do believe that there is some precedent for placing ownership and responsibility on the overall leadership of the security programs at these companies. I don't think there's a very real sense yet of what's going to happen if you certify something like that and it's shown that there was a violation, or that you may have certified something improperly. But again, I think we're starting to see a shift in the way we look at these from a legal perspective, where the CTO, the CISO, or someone else who is signing these overall certifications is going to have some level of personal responsibility, and there will be consequences if there is a violation.
Tom Temin: Well, I hope that ensures at least some level of safety. Now let's move on to the government side. What does the contracting officer do when executing this? What are you telling them they need to do now to ensure they have the proper documentation for the certification?
Joe Nicastro: If you're talking from a government perspective, like CISA, what I think the government needs to adjust to make this a little bit easier for organizations is primarily some way to automate these overall certifications, the same as we talked about. Again, for organizations with one or two applications, filling out the PDF should not be too difficult. But for organizations selling 100, 1,000, or even 10,000+ applications across the government, producing 10,000 manual PDFs to sign each certification can be a significant effort. And at that point, the development process will slow down and most organizations will seriously consider whether this is important to them. I think if CISA can come up with some way to automate these forms, like allowing API ingestion, then organizations will definitely be able to lock these certifications directly into their entire development process and prove these things as the development is done, using all the controls already in place.
Tom Temin: So both sides really need the grease of an automated process, even though it's related to what happened legally.
Joe Nicastro: 100%. The overall goal of the security we introduce into development is for security to move at the pace of development. Our goal is to never slow down that development process. The main reason for that is because, again, this is typically how companies make money, this is how they create feature sets, and this is how companies stay relevant in the overall space. Therefore, delaying this creates other risks and impacts that affect the business as a whole. So our goal as security should always be to implement these practices or controls in a way that is really invisible or transparent to the entire development process. And I think this certification is the same thing. That we can, in your words, agree on both sides and prove these things in a reasonable way, while at the same time providing the information the government needs to show that these regulations are in place, will become very important for this entire program to be successful.
Tom Temin: And what about the resellers who are actually moving a lot of software around? Are they just third-party passthroughs, and the certifications still belong to the vendor?
Joe Nicastro: Yeah. At that point, I think many resellers will launch services that essentially do the certification on their behalf. It's no different than the third parties that do a lot of FedRAMP certification as a service. I believe the same thing happens with CISA certification. There, organizations come out and basically sell those services and say, "Hey, we'll validate your controls and make sure everything you're doing is correct and approved according to the overall CISA certification requirements."
Tom Temin: It may become a new value-added and highly profitable service.
Joe Nicastro: Yes, 100%, there is no doubt that this will turn into something for many resellers and various types of compliance agencies. Again, we're already seeing that with things like FedRAMP. We see it in all other compliance regimes as well. Many of these compliance regimes are very difficult to comply with. So if you can get a third party to step in and help you understand where the gaps are and fix those gaps, it makes your job a lot easier.
Copyright © 2024 Federal News Network. All rights reserved.