One of the toughest problems in software development is ensuring that the product being developed is built securely from the beginning. To do that, development teams have to follow established security practices, use tools that meet security requirements, and incorporate secure features. If it sounds complex, that’s because it is.
But it’s so important that the White House released Executive Order 14028 in 2021, and charged a number of federal agencies, including NIST, with implementing it.
As is the case with all Executive Orders, the rules apply directly to federal agencies, but in practice they reach farther than that. Contractors to the federal government, and companies that develop products including software for the federal government, are also required to follow the requirements in the EO. NIST, in turn, published its own series of best practices for developing compliant software as part of securing the software supply chain.
Many companies also follow the lead of the federal government on security even if they’re not contractors. If nothing else, it saves them the trouble of developing their own requirements, and it makes it easier to find compliant products. By following the federal regulations, companies can also usually meet the security requirements of their own industry, so even if the regulations are overkill, they’re easily justified.
The problem, however, is finding a way to comply with the requirements during the development process. This is where companies such as Cycode come in. Cycode has developed a software development platform that provides support for meeting those requirements as well as for linking your development environment to the tools necessary to ensure compliance.
“The product is a platform that connects with the existing tools that are used as part of software development. So basically, we connect to the places where you manage the code,” said Lior Levy, CEO and co-founder of Cycode. He said that their software examines the code and all of its dependencies to make sure that the entire process is secure.
Levy said that customers use the platform both to develop secure code and to use the development tools properly: “they use our platform to make sure that organic security issues are addressed, and also that the entire management of the tools and processes is done in the correct way.”
Levy said that users also make sure that their code repositories are properly secured and that access to them is properly controlled. “So, one concern that organizations have around their code repositories is that access to the repository is secure, so that only the developers that need access have it. Do the developers use two-factor authentication to access the platform? What is the activity at the repository? Is the code reviewed by at least two people before it is merged to production code?”
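The repository controls Levy lists (two-factor authentication, least-privilege access, at least two reviewers before a merge) can be expressed as a policy check over a snapshot of repository settings. The following is an added example, not Cycode's code or output; the `RepoSnapshot` layout is a constructed assumption loosely modelled on the branch-protection and collaborator data a hosting platform exposes, not a real API response.

```python
"""Audit constructed repository snapshots against the access-control and
review policies described above. Added example; snapshot fields are assumed."""
from dataclasses import dataclass
from typing import Dict, List


@dataclass
class RepoSnapshot:
    name: str
    mfa_enforced: bool               # org-wide two-factor requirement
    collaborators: Dict[str, str]    # login -> permission (read/write/admin)
    default_branch_protected: bool   # is there any protection rule at all?
    required_approvals: int          # approving reviews needed before merge


MIN_APPROVALS = 2   # "reviewed by at least two people before it is merged"
MAX_ADMINS = 2      # keep privileged access to a small, justified set


def audit_repo(snap: RepoSnapshot) -> List[str]:
    """Return one finding per violated policy; an empty list means compliant."""
    findings = []
    if not snap.mfa_enforced:
        findings.append(f"{snap.name}: two-factor authentication not enforced")
    admins = [u for u, p in snap.collaborators.items() if p == "admin"]
    if len(admins) > MAX_ADMINS:
        findings.append(f"{snap.name}: {len(admins)} admins ({', '.join(admins)}) "
                        f"exceeds limit of {MAX_ADMINS}")
    if not snap.default_branch_protected:
        findings.append(f"{snap.name}: default branch has no protection rule")
    elif snap.required_approvals < MIN_APPROVALS:
        findings.append(f"{snap.name}: only {snap.required_approvals} approving "
                        f"review(s) required, policy needs {MIN_APPROVALS}")
    return findings


# Constructed sample data: one compliant repository, one with several gaps.
GOOD = RepoSnapshot("payments-api", True, {"alice": "admin", "bob": "write"}, True, 2)
BAD = RepoSnapshot("legacy-tools", False,
                   {"alice": "admin", "bob": "admin", "carol": "admin", "dave": "write"},
                   True, 1)

if __name__ == "__main__":
    for snap in (GOOD, BAD):
        for line in audit_repo(snap) or [f"{snap.name}: compliant"]:
            print(line)
```

Running the block prints no findings for `payments-api` and three for `legacy-tools` (no MFA, too many admins, only one required review).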
Levy said that the Cycode platform can analyze the development code in real time, or developers can send finished code to the platform and have it analyzed. Either way, it will return results and recommendations for any changes to meet security requirements.
The goal is to help companies avoid breaches such as the SolarWinds attack in December 2020. That breach infected software used by thousands of companies to manage their IT resources, and subsequently impacted those companies. By using Cycode, companies can detect an infection such as that attack and prevent it from spreading. Cycode was actually started about six months prior to the SolarWinds breach, but the resulting demand provided fertile ground for its growth.
“Software supply chain security is one of the hottest spaces in cybersecurity right now,” Levy said.