New to Software Security Framework in Nairobi

Hi Sloan,

I am a long time reader, first time writer! I have a question for you about how implementing a software security framework relates to our software supply chain. My organization is starting to revise and strengthen our software security framework. Can you explain exactly how a good software security framework will improve our software supply chain?

Signed,
New to Software Security Framework in Nairobi

Hi, New to Software Security in Nairobi,

Thanks for reading and for writing in! I am happy to hear that your organization is taking steps to improve security during development. 

First, let’s break down what a software security framework is for our other readers. Then I’ll explain how this translates to a more secure software supply chain. 

What is a Software Security Framework?

Simply, a software security framework is a methodology for software development that emphasizes security best practices. Luckily, you don’t have to start your framework from scratch! There are existing frameworks that you can use to start your journey. Two examples are The National Institute of Standards and Technology’s Secure Software Development Framework (SSDF) and the US’s Improving the Nation’s Cybersecurity Executive Order (Executive Order 14028).

Your framework will address things like the use of open-source software (OSS), analyzing your software’s composition (SCA), and scanning for vulnerabilities. It should also address the tools your teams will use to support security throughout your software development lifecycle (SDLC). Having well-communicated standards around the tools your development teams use and a collective understanding for how they benefit your teams is an important element of a good software security framework.  

How Does This Affect Your Software Supply Chain?

As a reminder, your software supply chain is like a manufacturing supply chain. Much of modern software consists of OSS. This means it is likely that most of your software came from outside your organization. It’s important to know the makeup of your software, like it is with manufactured goods. If you learn that a component has a critical vulnerability, you’re going to want to know where it is being used in your applications so you can address it right away. 

Common elements of software security frameworks support a healthy software supply chain. The use of Software Bills of Materials (SBOMs) will provide visibility into your software’s composition. Routinely scanning for vulnerabilities in your software is a proactive approach to protecting against a growing number of supply chain attacks. Understanding and communicating the best remediation strategies to your developers will embed security and quality into the fabric of your software development lifecycle. 

A software security framework is ultimately a map for fostering a security-conscious organization. This map in turn will strengthen your software supply chain with tools, an aware staff, and monitoring for vulnerabilities.

Check out our blog post on how to improve your software supply chain with a software security framework. Want a deeper understanding of the Software Supply Chain? Check out our guide on what is the software supply chain?

Thanks for writing in, stay secure out there!

Sloan