Recent attacks on software supply chains have shown the potential to affect hundreds, or even thousands, of companies. They have also revealed the extent to which software is a collaborative, distributed, and aggregated effort, with potential vulnerability appearing throughout the system.

Grant Thornton Cybersecurity and Privacy Advisory Services Managing Director Maxim Kovalsky recently explained how these vulnerabilities arise in both the underlying code and the environments through which the code passes. To address this, the federal government has issued Executive Order 14028 (EO 14028), which establishes new requirements for software producers who supply the federal government.

To discuss the implications of this order, Kovalsky moderated a panel of industry experts that included Mitch Herckis, Director of Federal Cybersecurity at the Office of Federal CIO, Office of Management & Budget; Tim Brown, SolarWinds Chief Information Security Officer; Neatsun Ziv, Ox Security Co-founder and Chief Executive Officer; and Jitendra Joshi, Grant Thornton Cybersecurity and Privacy Advisory Services Director.

Herckis explained that the executive order is, in fact, a comprehensive order which addresses a wide range of topics — including how the federal government organizes itself around zero trust initiatives, shares threat information and provides the equivalent of an Energy Star rating to Internet of Things (IoT) devices. The part of the order which sets forth requirements for providing software to the federal government was developed with extensive industry input, in conjunction with guidance from the Office of Management and Budget. It requires CISOs to self-attest that certain minimum requirements have been met. Herckis said that, as time goes on, the intent is to further iterate those requirements so the bar can be continually raised. EO 14028 specifically addresses software developed after the release of the order.

Brown sees the need for such requirements, and thinks it's a good initial step. The compromise of SolarWinds’ Orion product delivered valuable insights into the nature of the threat. Brown said that the old assumption that only significant expenditures on third-party products should be scrutinized for security proved to be misguided, as Orion did not represent a significant spend by enterprises. Threat actors can cause significant damage to an organization by targeting a $25,000 piece of software. He emphasized that it is important to identify both the existence of a vulnerability and potential exploitability of that vulnerability. The goal is to provide everyone involved with a sense of the real, practical risks.
