Feds, npm Issue Supply Chain Security Guidance to Avert Another SolarWinds

Lessons learned from the SolarWinds software supply chain attack were translated into concrete guidance this week when the US Cybersecurity and Infrastructure Agency (CISA), the Office of the Director of National Intelligence (ODNI), and the National Security Agency (NSA) released a joint best practices framework for developers to avoid future supply chain attacks.

Besides the US government's recommendations, developers also received npm Best Practices from the Open Source Security Foundation, to establish supply chain security open source best practices.

"The developer holds a critical responsibility to the security of our software," the agencies said about the publication, titled Securing the Software Supply Chain for Developers. "As ESF examined the events that led up the SolarWinds attack, it was clear that investment was needed in creating a set of best practices that focused on the needs of the software developer."

OpenSSF's announcement, meanwhile, noted that the npm code repository has grown to include 2.1 million packages.

Developers like Michael Burch, director of application security for Security Journey, applaud the industry's proactive approach, but Burch adds that it's now up to the cybersecurity sector to put these guidelines into action, particularly a recommendation for the implementation of software bills of materials (SBOMs).

"What we need now is the AppSec community to come together on the back of this guidance, and create a standard format and implementation for SBOMs to boost software supply chain security," Burch said.