Zero-trust strategies involve more than just verifying user identities and controlling access. Successful zero trust also means securing applications across the agency.
“The intent of zero trust is [that] you have two things that are each trusted, communicating over an untrusted channel,” explained Josh Bressers, Vice President of Security at Anchore, whose software composition analysis platform helps secure public-sector applications and automate compliance with government security standards. “But if you have an untrusted channel, one trusted device and one untrusted device, there’s no trust.”
Enter the SBOM
After some dramatic supply-chain breaches in which hackers exploited vulnerabilities in commonly used software to attack all users of those applications, the government has emphasized the SBOM — software bill of materials.
The intent of the SBOM is to uncover all the pieces of software used in the modern DevSecOps environment, Bressers said. “There are cases where [the vendor] may not even know what’s in their application.” Without this insight, there is no trust.
The software in our environments is dynamic. “As soon as you start running it, your people [start] making changes to it. Has the software changed itself? There’s software that downloads data off the internet and starts running it,” he cautioned. Keeping track of what’s actually running on your system “is surprisingly more difficult than we wish it were,” Bressers said.
Anchore also works with federal software factories including DoD’s Platform One and the Navy’s Black Pearl to verify an application’s compliance with regulations and standards.
These software factories represent foundations for modern DevSecOps. Focusing on SBOMs, vulnerability detection and policy enforcement means the developer can remediate findings before the Authority to Operate stage, speeding up the process.
Speeding Up Reaction Time
“Another piece of the security puzzle is that there’s an enormous amount of information [about vulnerabilities] that we’re subjected to constantly. It can be hard to figure out which of these things actually matter,” said Bressers.
For example, the Cybersecurity & Infrastructure Security Agency (CISA) maintains a Known Exploited Vulnerabilities Catalog — KEV.
“Vulnerabilities on the KEV list should be treated as the most serious vulnerabilities in your infrastructure.” Without automation, there’s no way we can understand what software is in use, and what vulnerabilities affect it. “The first step, the only step and the thing we haven’t done yet is understanding what we have,” Bressers said. “Having the ability to create an SBOM for our environments is the foundation of a modern DevSecOps program.”
A platform such as Anchore Enterprise helps by generating an SBOM of an agency’s whole system that’s searchable and scannable, Bressers said. The Log4j exploit, discovered in 2021, compromised countless public- and private-sector systems. Defending against the attack required knowing where the Log4j utility was used. According to Bressers, an Anchore customer was able to identify all its uses of that code in about six minutes. “A lot of other organizations were spending months just figuring out where it was,” he said.
This article appeared in our guide, “How to Build a Cyber-Savvy Workforce.” To read more about how agencies are raising their cyber game, download it here:
