惯性聚合 高效追踪和阅读你感兴趣的博客、新闻、科技资讯
阅读原文 在惯性聚合中打开

推荐订阅源

B
Blog
C
Cybersecurity and Infrastructure Security Agency CISA
Microsoft Security Blog
Microsoft Security Blog
B
Blog RSS Feed
云风的 BLOG
云风的 BLOG
G
Google Developers Blog
Recent Announcements
Recent Announcements
A
About on SuperTechFans
cs.AI updates on arXiv.org
cs.AI updates on arXiv.org
Google Online Security Blog
Google Online Security Blog
Google DeepMind News
Google DeepMind News
S
Schneier on Security
S
Secure Thoughts
T
The Exploit Database - CXSecurity.com
Martin Fowler
Martin Fowler
P
Proofpoint News Feed
Security Latest
Security Latest
Jina AI
Jina AI
D
Darknet – Hacking Tools, Hacker News & Cyber Security
Recorded Future
Recorded Future
T
Tor Project blog
有赞技术团队
有赞技术团队
H
Hackread – Cybersecurity News, Data Breaches, AI and More
N
News | PayPal Newsroom
博客园 - 三生石上(FineUI控件)
MyScale Blog
MyScale Blog
cs.CV updates on arXiv.org
cs.CV updates on arXiv.org
Last Week in AI
Last Week in AI
F
Full Disclosure
Hacker News: Ask HN
Hacker News: Ask HN
Forbes - Security
Forbes - Security
D
DataBreaches.Net
人人都是产品经理
人人都是产品经理
NISL@THU
NISL@THU
C
Cisco Blogs
Recent Commits to openclaw:main
Recent Commits to openclaw:main
Google DeepMind News
Google DeepMind News
Project Zero
Project Zero
IT之家
IT之家
T
Threatpost
Cyberwarzone
Cyberwarzone
O
OpenAI News
cs.CL updates on arXiv.org
cs.CL updates on arXiv.org
J
Java Code Geeks
P
Proofpoint News Feed
The Last Watchdog
The Last Watchdog
月光博客
月光博客
Latest news
Latest news
MongoDB | Blog
MongoDB | Blog
Apple Machine Learning Research
Apple Machine Learning Research

MeriTalk

Eliminating Silos in IT/OT Cybersecurity Is a Funding Challenge, Not a Technical One The FedRAMP High Supply Crisis Is a Federal Security Problem – Not a Procurement Footnote How More Tightly Focused Software Development Initiatives Will Unlock Innovation Across Government Transforming Federal Cybersecurity Through Private Sector Innovation Evolving Zero Trust and Embedded AI – Federal Government Cybersecurity Predictions for 2026 Unlocking AI’s Potential in High-Assurance Environments Accelerate Agentic AI in the Federal Government: Top Takeaways Why Congress Must Reauthorize the Technology Modernization Fund Make Cybersecurity a Key Ingredient of Modernization How Spectro Cloud’s PaletteAI Secure helps agencies scale AI securely, compliantly, and confidently Fix the Foundation: How Hybrid Cloud and Trusted Data Enable Government AI New Google Workspace Cost-Saving Offer Available for U.S. Federal Government Reinventing FedRAMP in the Age of AI Balancing Security and Efficiency: The Federal IT Dilemma in the AI Era Meeting Evolving State and Local Cyber Threats AI Is the Solution to Stop AI Data Theft Enhancing U.S. Government Operations with AI and Human-Centered Design How FinOps Can Help Agencies Slash Cloud Costs in 5 Steps Will Quantum Computing Weaken or Strengthen Cybersecurity of Federal Systems? Improving Citizen and Federal Employee Experience with Virtual AI Assistants Strategies for Securing the Federal Supply Chain Reframing the U.S. Government’s Approach to Cybersecurity Oversight Three Steps Agencies Can Take to Meet Government’s AI Requirements The Impact of NIST’s PQC Standardization on the Federal Cybersecurity Ecosystem Generative AI is Revolutionizing Federal Government Operations NIST’s new PQC Algorithms and What They Mean for Federal Agencies Addressing the U.S. Quantum Labor Shortage Before It’s Too Late How a Community Vigil Approach and Secure by Design are Critical to Software Cybersecurity Addressing the Talent Shortage: How Digital Government Improves Satisfaction, Retention Here’s What We Can Learn (and Do) About Cybercrime from FBI’s Latest Internet Crime Report Implementing AI Assurance Safeguards Before OMB’s December Deadline The Next AI Wave: Quantum AI CDM’s Evolution to Non-Traditional Technology: Why Now and How Will it Succeed? Customer Expectations Require Agencies to Raise the Bar on Customer Experience, Report Shows Applying for Government Benefits Shouldn’t Be Difficult When It Comes to Identity Verification FedRAMP Baseline Transition Points to OSCAL-Native Tools What Zero Trust Means for Modern Government: Best Practices for Key Tenets Four Ways to Handle the IT Funding Crunch Agencies Need to Get Creative to Fill the Cyber Workforce Gap Customer Identity trends report shows control trumps convenience Federal Agencies Making Strides Toward Sustainability and Climate Action Executive Order 14028 | Improving the Nation’s Cybersecurity Depends on Data | All Data is Security Data Applying Geospatial Intelligence, AI/ML to Climate Change Challenge My Cup of IT: Angry at Arthritis, Hunting for Cures How the Federal Government Can Help Combat a Fragmented Internet Accelerating Cybersecurity for US Critical Infrastructure Getting in on the Ground Floor of the ‘New Observability’ Comply-to-Connect is Key to Zero Trust for DoD How Will Upcoming Cryptocurrency Regulations Affect Industry? My Cup of IT: Cup Cake for Kushner? Launching a New Era of Government Cloud Security Managing IT Complexity in Federal Agencies Agencies Must Modernize Zero Trust Approaches to Achieve Optimal Protection Five Essential Metrics for Measuring Federal Government CX Unlocking the Benefits of 5G and Beyond The Federal Factory of the Future: How AI is Transforming Manufacturing The Quantum Impact on Cyber How Next-Gen Computers Will Transform What’s Possible for Federal Government Agencies Must Take an Authentic Approach to Synthetic Data Biometrics and Privacy: Finding the Perfect Middle Ground Two-Way Street: Why Officials and Constituents Are Equally Responsible for Securing the Midterms The “Programmable World” Will Bring the Best of the Virtual World Into the Physical One Cyberattacks are a Common Occurrence and the Costs are Higher Than Ever Increasing Equity Through Data and Customer Experience The AI Edge: Why Edge Computing and AI Strategies Must Be Complementary How Metaverses and Web3 can Reshape Government Four Emerging Technology Trends set to Impact Government Most 5G Enables AI at the Edge Plugging Cyber Holes in Federal Acquisition Resilient Critical Infrastructure Starts with Zero Trust The Evolution of Government Tech Procurement Under CMMC 2.0 Zero Trust Requires Continuous, Tested Security for Federal Agencies How Multi-INT Fusion Accelerates Mission Intelligence for Real-Time Decision Advantage Three Things to Consider for Responsible AI in Government Legislation, White House Orders Show Agencies Opportunity for Hybrid Cloud Creating an Effective Framework for DoD’s Software Factories Realizing Upsides for Digital Security in the Hybrid Workplace A Future With AI and ML: The Power of Workforce Education Five Tips to Begin MFA Integration and Embrace Zero Trust The Vital Intersection Between Equity and Digital Transformation Equity as a Platform: Applying a New Mindset to Scale Innovation Harnessing the Right Data for Evidence-Based Equity From EO to Action: Human Factors of Enabling a Cyber Safety Review Board For Equity in Government Services, It’s Time to Change the Paradigm Critical Questions to Ask When Considering Explainable AI (XAI) for Your Federal Agency The Telework Model for Government: COVID Lessons for Building an Effective Workforce DevSecOps: 4 Steps for Mitigating the Next Cyber Attack in Your Federal IT Environment Better Cyber Hygiene Helps, but Federal Security Needs SASE Lift DoD, Feds Plot Top Cyber, Cloud Priorities for 2022 Cloud-Native Government: How to Transform With Intention DoD and VA Health Networks Face Growing Threat From Medical-Device Vulnerabilities New Federal Cybersecurity Requirements: How Agencies Should Implement a Zero Trust Architecture Protecting Our Nation Through Big Data Analytics Three Ways COVID-19 Altered Federal, State IT Budget Allocations Ransomware is More Than a Cybersecurity Issue From Me to We: Take the Mission Further With Multiparty Systems Anywhere, Everywhere: Integrating Your Virtual Workplace ‘I, Technologist’: Empowering Innovators in the Federal Workforce Mirrored World: Digital Twins Report for Duty Across Government Stack Strategically: Rearchitecting Government for What’s Next
Four Federal Software Supply Chain Security Trends to Watch
MeriTalk Sta · 2023-12-21 · via MeriTalk

By Jeff Stewart, Vice President, Product, SolarWinds

The exponential growth of digital government has led to unprecedented security breaches across the supply chain. To address these threats, in 2021 the Biden administration enacted Executive Order 14028 intensifying scrutiny over vendors’ software supply chain. Subsequently, in 2023 the National Cybersecurity Strategy was introduced, urging software vendors to deploy greater secure software practices based on the NIST Secure Software Development Framework.

Despite these developments, a recent survey found most public sector respondents remain concerned about software supply chain security and are unsure what measures to implement to safeguard their systems.

While software supply chain security is a relatively new concept, here are four enduring trends to help agencies close the supply chain security gap and have a lasting impact on the public sector’s overall cybersecurity posture.

  1. Making software releases faster and more secure with DevSecOps and AIOps

Today’s applications are built compositely with natively developed code integrated with third-party and open-source components, potentially creating numerous entry points for a threat actor. Unfortunately, while developers can control the things they build, they have zero control over how those applications are validated and secured.

DevSecOps and AIOps can help.

DevSecOps helps agencies break down the silos between development, operations, and security to produce faster, more secure software releases. Meanwhile, AIOps works across IT operations to help ensure software in production is operating efficiently, securely, and reliably.

AIOps works by leveraging artificial intelligence, machine learning, and predictive analytics to collect data from the entire digital ecosystem. It autonomously analyzes this data to yield deep, consolidated insights into the IT infrastructure and development process, including identifying vulnerable code.

AIOps doesn’t just find issues, it also fixes them automatically. For example, it can patch known vulnerabilities in production or deployed software. This streamlines the process for DevSecOps teams, allowing them to easily track and address security and performance problems from the source of the code to its deployment.

  1. Meeting and exceeding compliance standards

Executive Order (EO) 14028 and other actions underscore the federal government’s commitment to leveraging its purchasing power to elevate security standards across the supply chain.

In response, agencies are increasingly looking to partner with software vendors who develop systems utilizing best practices that consistently meet or exceed NIST standards. Those practices include:

  • Basing the application build system on ephemeral operations, spinning up resources on-demand and destroying them when discrete tasks have been completed.
  • Building in parallel by utilizing isolated and distinct build environments, where numerous scans and security checks are performed before release.
  • Advancing beyond zero trust by adopting an “assume breach” position.
  • Deploying automated tools to concurrently scan for vulnerabilities throughout the development process.
  • Recording each build step, creating an immutable record of proof, and providing complete traceability.
  • And more.
  1. Increased transparency through SBOMs

SBOMs (or software bills of materials) are a critical step forward in mitigating software supply chain risk. These documents provide a thorough overview of all components, libraries, tools, and processes used by software vendors in the build process. This transparency makes it easier for agencies to identify security risks that require patching or addressing through mitigating controls.

To date, three agencies – DoD, NASA, and GSA – have proposed new rules for federal contractors to develop and maintain SBOMs for any software used on a government contract.

Compliant vendors generate SBOM files at build time and may use them in the build process to validate that third-party dependencies haven’t changed underlying code, provide a comprehensive picture of the dependency tree available on a current build and historical basis, and perform build-time checks and enforce policies based on CVSS-scoring.

  1. Increased observability across the supply chain

To counter security threats and increase visibility across the complex and layered software supply chain, agencies are increasingly adopting observability tools, techniques, and processes.

Observability offers comprehensive visibility into service delivery and component dependencies across the software creation and deployment ecosystem. This enables various departments within an agency, ranging from IT to development teams, to gain clearer, holistic insights into vulnerabilities for more rapid remediation. In addition, teams can leverage the integrated automation of AIOps to further boost security by reducing the opportunity for human error.

Observability solutions offer a holistic approach to identifying and addressing risks, making the future of software supply chain security significantly more promising.

Partnership is key

The four trends outlined above give federal agencies an opportunity to set a new standard for mitigating software supply chain risks. Crucially, agencies needn’t tackle this challenge alone. Software companies are actively addressing supply chain risk and can support agencies as they work to mitigate their own risks. These collaborations between the public and private sectors will be instrumental as agencies aim to meet or surpass NIST guidance for secure software development.