a NIST blog
It’s week three in our Cybersecurity Awareness Month blog series! This week, we interviewed NIST’s Michael Ogata (Computer Scientist) and Paul Watrobski (IT Security Specialist) about the importance of updating software.
NIST’s Applied Cybersecurity Division’s core mission is to explore, measure, and evaluate both the cybersecurity guidance NIST provides as well as industry best practices. One of our current projects involves putting the practices described in NIST 800-218 Secure Software Development Framework (SSDF) into action. Many people think of updating software in the context of “that thing that happens randomly after I purchase a piece of software”…but today’s continuous integration and continuous delivery (CI/CD) environments—and the rapid pace of software evolution—tightly couple software updates into the daily functionality of many systems. Because these modalities deliver both new features and important security updates to customers, it is vital that the entire development process and supply chain be secure.
Our work at the National Cybersecurity Center of Excellence (NCCoE) will build a reference implementation of multiple secure software development pipelines. The primary output of pipelines like these will be more secure software. The resources that come out of this NCCoE project will provide individuals and teams of developers with the tools and guidance they need to produce and maintain more secure software. This will enable them to release software more rapidly and effectively for their users to update, better protecting themselves and their organizations.
The Profile of the IoT Core Baseline for Consumer IoT Products is guidance from NIST’s Internet of Things (IoT) Working Group that identifies cybersecurity measures commonly needed for consumer IoT products, of which “software update” is a core capability. This is important information for both customers and manufacturers to be aware of at purchase and during development.
Over the past 40 years, software as a product has transformed from static and discrete to fluid and nebulous. People's relationship with software used to be more akin to their relationship with the other physical tools in our lives. You bought them, brought them home, and used them. Now, with the ubiquity of the internet, software can change on a near constant basis. It's like if you opened your toolbox only to find your trusty screwdriver had subtly (or completely) changed. Whether it is the apps the average smartphone user has in their pocket or the microservices that power a corporation’s internal infrastructure, software changes and updates more quickly than ever. Today’s world of move-fast-and-break-things coupled with the need for ever faster time to market necessitates the constant delivery of software updates for feature updates, bug fixes, and security patches.
Security in the modern software supply chain landscape has likewise become increasingly complex. With development teams distributed in and around traditional corporate network boundaries and the increased reliance on code that originates from outside the organization (i.e., open source, 3rd party libraries, and software as a service), there is more need than ever for the codification and attestation of secure development practices. It is only through these actions that people and businesses can apply updates to their software systems in a timely and effective manner.
As users may be conducting more work on personal devices through bring-your-own-device (BYOD) programs, and working through less secure networks (e.g., working from home, a coffee shop, or a hotel on vacation), it becomes even more important to maintain up-to-date software. The attack surface has increased, and there are more avenues for attackers to get in. Now, more than ever, attackers are taking advantage of recently discovered vulnerabilities to break into devices and systems. As such, one of the simplest actions you can take to improve the protection of your finances, data, safety, etc. is to install software updates as soon as they are available. If you don’t, you’re putting yourself and your company at greater risk.
Michael and Paul:
The Software Supply Chain and DevOps Security Practices project at the NCCoE will bring together experts in the software development field to build reference implementations of secure software development pipelines. The landscape of software development is incredibly diverse; while no single implementation can hope to be the authoritative definition of cybersecurity for all organizations, we aim to build multiple highly relevant pipelines that model real-world environments. To this end, the project will focus on two use cases for software development: 1) Free and open-source software (FOSS) development and 2) closed source software development. As with most NCCoE projects, the output of this project will be a reference guide that will not only detail how we built each of our environments, but also describe how the design choices we made achieve the outcomes described in the Secure Software Development Framework (SSDF).
We are still in the process of establishing collaborators. Stay tuned to the NCCoE website for updates!
Paul:
While not directly related to software updates, the Trusted IoT Device Network-Layer Onboarding and Lifecycle Management project aims to demonstrate mechanisms for manufacturers and service providers to initially connect IoT products and maintain their security throughout their lifecycle (i.e., through updates to individual devices and/or network systems).
Additionally, as mentioned above, NIST’s IoT Working Group developed guidance for manufacturers of consumer IoT devices. The outcomes of the 10 core capabilities described are vital for good cybersecurity, and “software update” is one of these. We have been tasked with developing a profile of this previously published guidance with a focus on routers. “Software Update” will again be a core capability, but as the router is often the primary point of entry for a network, the software for these devices is even more important to keep up to date.
Michael:
Cybersecurity is a subject that affects us at every level of our modern lives: from my own safety and personal property to the safety of the nation and our economy. Cybersecurity is important to me because I can see and get excited for all the good that technology can bring, but I know that we must safeguard that potential to protect the greater good.
Paul:
Cybersecurity is an exciting and fast-paced field. It’s incredibly important (and not always easy to get right). With everything going digital, cybersecurity has become even more important. As financial accounts, identification documents, private information, and physical controls become more accessible online, the risks continue to increase. I recognize my responsibility to protect myself and those around me, and I encourage others to do the same. Being aware (and spreading that awareness) is the first step—but taking simple actions, like applying or enabling automatic updates, is the second. Software IoT is evolving rapidly, putting more data, sensors, and controls online. While it is exciting and can sometimes feel like magic, it is also cause for caution and increased action.
Michael:
My favorite thing about working for NIST is knowing that I stand in the privileged position of serving the American people for the greater good. At NIST we can approach the problems of cybersecurity from a neutral position and focus on the science of what is true, actionable, and measurable.
Paul:
Since my first experience as a summer intern, I have enjoyed the collaborative nature of NIST. At both the main campus in Gaithersburg and the NCCoE, we are fortunate to have the opportunity to collaborate with other internal passionate engineers and scientists as well as industry leaders to continue learning about, developing, and demonstrating state-of-the-art cybersecurity solutions. It feels good to be working on fun and exciting technology that can also provide immense benefit for the common good.
For more information about updating software, visit our Cybersecurity Awareness Month Resources page. Please also help spread the word, and don't forget to engage with NIST on Facebook and X/Twitter (@NIST and @NISTcyber). Join in on the social conversations using the #CybersecurityAwarenessMonth hashtag and remember to use the hashtag in your own social media outreach messages.