WIBU-SYSTEMS

Perfection in Protection, Licensing, and Security

Self-Attestation – What does it mean for ISVs?

Marketing, WIBU-SYSTEMS AG, on July 31, 2023 at 2:59 PM

“Advancing progress toward a technology environment where all software products are safe and secure by design is a top priority for the U.S. Cybersecurity & Infrastructure Security Agency (CISA), the broader U.S. government, and the global cybersecurity community.”

This was the statement put forth by the CISA supporting an executive order for Enhancing the Security of the Software Supply Chain through Secure Software Development Practices. The bottom line for software developers serving the U.S. Federal Government is that they will need to self-attest that the critical software they produce was developed in conformity with specified secure software development practices.

Before we look further into some of the self-attestation requirements, let’s look at some of CISA’s cybersecurity concerns. According to the CISA, the common methods of compromise used against software supply chains include exploitation of software design flaws, incorporation of vulnerable third-party components into a software product, infiltration of the supplier’s network with malicious code prior to the final software product being delivered, and injection of malicious software that is then deployed by the customer. They are also concerned with other vulnerabilities and the potential for compromise:

  • Undocumented features or risky functionality
  • Unknown changes or revisions to contractual, functional, or security assumptions between evaluation and deployment
  • Supplier's change of ownership and/or geographic location
  • Poor supplier enterprise or development hygiene

The government is most concerned with the security and integrity of critical software, which it defines as software that performs functions critical to trust (such as affording or requiring elevated system privileges or direct access to networking and computing resources). More specifically, critical software is defined as software that:

  • Is designed to run with elevated privilege or managed privileges
  • Has direct or privileged access to networking or computing resources
  • Is designed to control access to data or operational technology
  • Performs a function critical to trust
  • Operates outside of normal trust boundaries with privileged access

To help mitigate these risks, the CISA has developed a self-attestation form whose requirements software developers serving the US Government must meet.

This self-attestation form identifies the minimum secure software development requirements a software producer must meet, attesting that the software it produces was developed in conformity with specified secure software development practices.

Minimum requirements:

  1. The software was developed and built in secure environments.
  2. The software producer has made a good-faith effort to maintain trusted source code supply chains.
  3. The software producer maintains provenance data for internal and third-party code incorporated into the software.
  4. The software producer employed automated tools or comparable processes that check for security vulnerabilities.

The software self-attestation initiative is expected to go into effect later in 2023.

If you are an ISV and this forthcoming government initiative applies to you, I recommend that you speak with the software security experts at Wibu-Systems. While our CodeMeter software licensing and protection technology does not address all of the security requirements listed, our Wibu Academy can help identify areas where our secure software development practices can help in tandem with your own security measures.

You can also browse through our software security resource center and learn more about our CodeMeter solutions with white papers, case studies, tutorials, use cases, and more.
