The National Security Agency, the Office of the Director of National Intelligence and the Cybersecurity and Infrastructure Security Agency have issued guidance outlining best practices that developers can adopt to secure the software supply chain.
The guidance document, titled Securing the Software Supply Chain for Developers, describes how developers can develop secure code, harden the build environment, verify third-party components and deliver the code, NSA said Thursday.
For secure code development, the document recommends several measures to mitigate the risk of malicious code being introduced into a project, whether intentionally or unintentionally.
Recommended practices include implementing a well-balanced, authenticated source code check-in process, performing nightly builds with security and regression tests, and mapping features to requirements.
The Enduring Security Framework, a public-private working group led by CISA and NSA, developed the document and intends to introduce versions of the guidance for supplier and customer software.