Last week, the Cybersecurity and Infrastructure Security Agency (CISA), the National Security Agency (NSA), and the Office of the Director of National Intelligence (ODNI) published the third part of a three-part series on securing the software supply chain, titled Securing Software Supply Chain Series - Recommended Practices Guide for Customers. This publication follows the August 2022 release of guidance for developers and the October 2022 release of guidance for suppliers.
Over the last few years, software supply chain compromises have increased considerably for both open source and commercial software products. The SolarWinds Orion incident nearly two years ago showed why this matters: once a software package injected with malicious code has propagated to many downstream consumers, remediation becomes far more difficult than fixing a single compromised system. Accordingly, this guidance provides recommended practices that software customers can apply to protect the integrity and security of software during the procurement and deployment phases. Access the full report here.