NRC Issues Recommendations for Better Network, Software Security

Dark Reading, January 27, 2024

The Network Resilience Coalition (https://www.centerforcybersecuritypolicy.org/initiatives/network-resilience-coalition) issued recommendations intended to improve network security infrastructure by reducing the vulnerabilities created by outdated and improperly configured software and hardware. NRC members, joined by top US government cybersecurity leaders, outlined the recommendations at an event in Washington, DC.

Established in July 2023 by the Center for Cybersecurity Policy and Law, the NRC seeks to align network operators and IT vendors on improving the cyber resilience of their products. The NRC's whitepaper (https://assets-global.website-files.com/62715f02a51b614ce64867fd/65aecdb269dce4eaf4745073_CCPL-Network%20Resilience%20Coalition-Recommendations%20Whitepaper.pdf) includes recommendations for addressing secure software development and lifecycle management, and embraces secure-by-design and secure-by-default product development as the way to improve software supply chain security.

NRC's members include AT&T, Broadcom, BT Group, Cisco, Fortinet, Intel, Juniper Networks, Lumen Technologies, Palo Alto Networks, Verizon, and VMware.

The group is calling on all IT vendors to heed government warnings that nation-state threat actors have stepped up their efforts to attack critical infrastructure by exploiting hardware and software vulnerabilities in products that are not adequately secured, patched, or maintained.

The recommendations are consistent with the Biden Administration's Executive Order 14028 (https://www.gsa.gov/technology/it-contract-vehicles-and-purchasing-programs/information-technology-category/it-security/executive-order-14028), which calls for modernized cybersecurity standards, including improved software supply chain security. They also map to the Cybersecurity and Infrastructure Security Agency's (CISA) Security-by-Design and Default guidance (https://www.darkreading.com/application-security/lock-down-the-software-supply-chain-with-secure-by-design) and to the administration's Cyber Security Act issued last year.

CISA executive assistant director for cybersecurity Eric Goldstein described the formation of the group and the release of the whitepaper six months later as a surprising but welcome development. "Frankly, the idea even a few years ago of networking providers, technology providers, [and] device manufacturers coming together and saying we need to do more collectively to advance the cybersecurity of the product ecosystem would have been a foreign concept," Goldstein said during the NRC event. "It would have been anathema."

Embracing NIST's SSDF and OASIS Open EoX

The NRC is calling on vendors to map their software development methodologies to NIST's Secure Software Development Framework (SSDF) (https://www.darkreading.com/vulnerabilities-threats/what-will-cisa-secure-software-development-attestation-form-mean), and to state how long they will support each product and release patches for it. Vendors should also release security patches separately rather than bundling them with feature updates. At the same time, customers should give weight to vendors that have committed to issuing critical patches separately and that conform to the SSDF.

Further, the NRC recommends that vendors support OpenEoX (https://www.oasis-open.org/2023/09/13/introducing-openeox/), an effort launched in September 2023 by OASIS to standardize how providers identify risk and communicate end-of-life details in a machine-readable format for every product they release.

Governments worldwide are trying to determine how to make their overall economies more stable, resilient, and secure, said Cisco chief trust officer Matt Fussa. "All companies, I think, are closely partnered with CISA and the US government as a whole to drive best practices like producing software bills and materials, engaging in and deploying secure software development practices," Fussa said during this week's NRC press event.

Initiatives to boost transparency in software, establish more secure build environments, and shore up software development processes will improve security well beyond critical infrastructure, Fussa added. "There will be a spillover effect outside the government as those things become norms in the industry," he said.

During a media Q&A held immediately following the briefing, Cisco's Fussa acknowledged that vendors have been slow to comply with the executive orders calling for SBOMs or self-attestation covering the open-source and third-party components in their offerings. "One of the things we were surprised by was that once we were ready to produce them — it wasn't quite crickets, but it was lower volume than we might have expected," he said. "I think over time, as people were comfortable with how to use them, we'll see that pick up and eventually be common."

Immediate Action Recommended

Fussa is urging stakeholders to start adopting the practices outlined in the new report immediately. "I'd encourage you all to think about doing this with urgency, deploying SSDF with urgency, building and getting your customers SBOMs with a sense of urgency, and frankly driving security with a sense of urgency, because threat actors aren't waiting, and they're actively seeking new opportunities to exploit against all of our networks."

As an industry consortium, the NRC can do no more than encourage its members to follow its recommendations. But because the whitepaper aligns with the Executive Order and the National Cybersecurity Strategy (https://www.darkreading.com/vulnerabilities-threats/white-house-releases-implementation-plan-for-cybersecurity-strategy) released by the White House last year, Fussa believes adhering to it will prepare vendors for the inevitable. "I'll make a prediction that a lot of the suggestions that you see in this paper will be requirements under the law, both in Europe and in the US," he added.

Jordan LaRose, global practice director for infrastructure security at NCC Group, says having the Office of the National Cyber Director (ONCD) and CISA behind the consortium's effort is a noteworthy endorsement. But having read the paper, he did not believe it offered information that isn't already available.

"This whitepaper is not super detailed," LaRose says. "It doesn't outline an entire framework. It does reference NIST SSDF but I guess the question that most people will pose themselves is, do they need to read this whitepaper when they could just go and read the NIST SSDF."

Nevertheless, LaRose notes that it underscores the need for stakeholders to come to terms with the requirements and liabilities they stand to face if they don't develop secure-by-design processes and implement the recommended end-of-life models.

Carl Windsor, senior VP of product technology and solutions at Fortinet, said any effort to build security into products from day one is critical. Windsor said he is especially encouraged that the report embraces the SSDF and other work by NIST and CISA. "If we build our products from day one, aligning to the NIST standards, we're 90 to 95% of the way with all of the other standards that are coming out there around the world," he said.

Source: https://www.darkreading.com/application-security/nrc-issues-recommendations-for-better-network-software-security