The 2023 National Cybersecurity Strategy, which the White House released last week, should serve as a wake-up call to all organizations that develop software, whether for internal or external use. The policy puts the liability for poor security on software makers and requires a strengthening of security at every step of the software development lifecycle.
The policy shines a spotlight on the importance of collaboration, digital transformation, automation, and transparency. The White House is seeking to advance security-first posturing, eliminate the top cybersecurity threats, rebalance software security responsibility and data stewardship, defend against malicious actors, and forge international partnerships.
“Companies that make software must have the freedom to innovate, but they must also be held liable when they fail to live up to the duty of care they owe consumers, businesses, or critical infrastructure providers. Responsibility must be placed on the stakeholders most capable of taking action to prevent bad outcomes, not on the end-users that often bear the consequences of insecure software nor on the open-source developer of a component that is integrated into a commercial product,” the White House strategy states.
A replacement of the 2018 National Cyber Strategy, the 2023 policy focuses on five key pillars designed to improve national and global cybersecurity for the public and private sectors.
The five pillars of the 2023 National Cybersecurity Strategy are:
- Defend Critical Infrastructure
- Disrupt and Dismantle Threat Actors
- Shape Market Forces to Drive Security and Resilience
- Invest in a Resilient Future
- Forge International Partnerships to Pursue Shared Goals
What the strategy means for software makers
The White House’s strategy puts the onus for developing, deploying, and maintaining secure software on software makers. It states that too many vendors “ignore best practices for secure development, ship products with insecure default configurations or known vulnerabilities, and integrate third-party software of unvetted or unknown provenance.”
In addition, the strategy notes that software makers “are able to leverage their market position to fully disclaim liability by contract, further reducing their incentive to follow secure-by-design principles or perform pre-release testing.”
Developers who fail to take reasonable precautions to secure their software will be held liable, according to the strategy, with the ultimate goal of encouraging the development of safer and more secure products and services. The White House plans to work with Congress to create legislation that establishes liability for software products and services.
DevSecOps and National Cybersecurity Strategy
One scalable and dependable way to align with the National Cybersecurity Strategy is with a comprehensive DevSecOps approach, which integrates security and compliance into the developer experience.
GitLab’s DevSecOps Platform helps software makers:
- Secure their end-to-end software supply chain, including source, build, dependencies, and release artifacts
- Create an inventory of software used with a software bill of materials (SBOM)
- Demonstrate their software is trustworthy via SLSA (Supply-chain Levels for Software Artifacts)
GitLab automatically scans for vulnerabilities in source code, containers, dependencies, and running applications. By centralizing end-to-end collaboration, GitLab ensures the "secure-by-design" principle recommended by the National Cybersecurity Strategy is applied in every phase of software development.
GitLab also helps companies track changes, implement the controls needed to protect what goes into production, and ensure adherence to license compliance and regulatory frameworks.
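As an added illustration (not code from the original post or from GitLab's own documentation), here is a `.gitlab-ci.yml` that turns on the bundled scanners for the four areas named above and publishes the SBOM that Dependency Scanning produces. The registry image name and DAST target URL are placeholders; the template paths are GitLab's published ones at the time of writing.

```yaml
# Added example: wire GitLab's bundled scanners into one pipeline so that
# source code, dependencies, the built container, and the running
# application are all checked before release. Placeholders are marked.
stages:
  - build
  - test
  - dast

include:
  - template: Security/SAST.gitlab-ci.yml                 # static analysis of source
  - template: Security/Secret-Detection.gitlab-ci.yml     # credentials committed to the repo
  - template: Security/Dependency-Scanning.gitlab-ci.yml  # third-party components; also emits
                                                          # a CycloneDX SBOM (gl-sbom-*.cdx.json)
  - template: Security/Container-Scanning.gitlab-ci.yml   # OS packages in the built image
  - template: Security/DAST.gitlab-ci.yml                 # probes the deployed application

variables:
  # Image produced by the build stage; Container Scanning reads CS_IMAGE.
  CS_IMAGE: "$CI_REGISTRY_IMAGE:$CI_COMMIT_SHA"
  # Review/staging deployment for DAST to test (placeholder URL, assumption).
  DAST_WEBSITE: "https://staging.example.invalid"

build-image:
  stage: build
  image: docker:24
  services:
    - docker:24-dind
  script:
    # Read the password from stdin rather than passing it as an argument.
    - echo "$CI_REGISTRY_PASSWORD" | docker login -u "$CI_REGISTRY_USER" --password-stdin "$CI_REGISTRY"
    - docker build -t "$CS_IMAGE" .
    - docker push "$CS_IMAGE"
```

Each scanner uploads its findings as a security report artifact, so merge request approval rules can block a change that introduces new findings before it reaches production.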
The White House’s strategy also proposes future legislation that will include safe harbor from liability for those that follow best practices like NIST’s Secure Software Development Framework (SSDF). GitLab has the built-in automation to support much of the NIST SSDF with little to no configuration required. Issue-based workflows, source code management, automated builds, broad-capability security scanning, code reviews, approvals, and environment visibility are all part of GitLab Ultimate.
The National Cybersecurity Strategy acknowledges that balancing short-term imperatives with the vision for trust and safety in software will be a challenge for most organizations. Given the interdependencies and complexities of software development, organizations should assess the current state of their SDLC and quickly identify what design, architectural, and operational changes they have to make to align with the White House’s proposed mandates.