How Software Composition Analysis (SCA) Addresses President Biden's Executive Order (EO) 14028

Running SCA (Software Composition Analysis) on your software is an essential step in preparing the documentation you'll need for your software to meet the requirements of the USA's "Executive Order on Improving the Nation’s Cybersecurity" (EO 14028).

What is Executive Order 14028?

In 2020, Solar Winds revealed that it had been the victim of a hack that added malware to official updates to its Orion network monitoring software, distributing that malware to tens of thousands of systems. Victims included the Departments of Homeland Security, State, Commerce, and the Treasury. In response to this and other hacks targeting the federal government, the Biden White House issued an Executive Order outlining steps to improve cybersecurity. One significant element addressed in this is software supply chain security.

What is software supply chain security?

Modern software development uses a variety of third-party packages, libraries, and frameworks which are known as "dependencies." Much like parts sourced from third parties in manufacturing, they constitute the "supply chain" in respect to the software that includes them. Due to a variety of factors, ranging from innocuous to malicious, those dependencies may introduce vulnerabilities into the software that uses them.

A prime example of this is vulnerabilities discovered in the Log4J component used in many Java programs for monitoring and logging. Companies may not have even known if Log4J was included in Java-based software they had purchased, and if the company they purchased it from was out of business, there was no way to get updated versions with a repaired Log4J component or without Log4J altogether. Even a year after it was named a critical threat, it remained a threat in large part because many companies either didn't know they were vulnerable or had a heavy lift to replace the software that used it.

Knowing what's in the supply chain of software you use is crucial to being able to respond if/when a related vulnerability is discovered. As a software developer, you not only need insight into your supply chain security, but your customers are learning they need it too.

How does software composition analysis help me meet 14028's requirements?

It won't help you meet all the requirements, but it does help with some specific elements, notably in section 4, related to software supply chain security. While you should confer with your own counsel for legal advice, we'd like to point out paragraphs 4.e.iv, vi, and vii:

(iv) employing automated tools, or comparable processes, that check for known and potential vulnerabilities and remediate them, which shall operate regularly, or at a minimum prior to product, version, or update release;

(vi) maintaining accurate and up-to-date data, provenance (i.e., origin) of software code or components, and controls on internal and third-party software components, tools, and services present in software development processes, and performing audits and enforcement of these controls on a recurring basis;

(vii) providing a purchaser a Software Bill of Materials (SBOM) for each product directly or by publishing it on a public website;

Let's look at each:

(iv): SCA is an automated tool that checks for known vulnerabilities in your open source dependencies, helping satisfy 4.e.iv. Static and/or dynamic application security testing (SAST & DAST) tools might also be considered part of this, but they would be run in conjunction with SCA, not instead of it.
(vi): The reports provided by SCA enable maintaining a large part of this data and periodic runs of SCA contribute to these audits. You may also need SBOM's from your vendors or cloud service providers.
(vii): SCA is a requisite step for creating an SBOM. In fact, our GitGuardian SCA tool can generate an SBOM for you, compliant with a well-known open source standard.

Most of these rules apply to federal agencies and those who sell software to or create software for them, but similar requirements are being adopted in the private sector. Disclosure rules implemented in late 2023 by the US Securities and Exchange Commission (SEC) require publicly traded companies to add a section to their annual report on their cybersecurity risk management. Using SCA on their internally developed software and getting SBOMs from their vendors helps them demonstrate compliance with best practices.

In an ever-evolving threat landscape, SCA helps you verify and prove that your supply chain is safe to the best of current knowledge and helps you and your customers respond quickly to new vulnerabilities as they are disclosed.