{"id":5819,"date":"2023-11-10T17:40:50","date_gmt":"2023-11-10T22:40:50","guid":{"rendered":"https:\/\/solutionsreview.com\/network-monitoring\/?p=5819"},"modified":"2023-11-10T17:46:20","modified_gmt":"2023-11-10T22:46:20","slug":"preparing-for-the-impact-of-eo-14028-on-software-security","status":"publish","type":"post","link":"https:\/\/solutionsreview.com\/network-monitoring\/preparing-for-the-impact-of-eo-14028-on-software-security\/","title":{"rendered":"Preparing for the Impact of EO 14028 on Software Security"},"content":{"rendered":"<p><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-5820\" src=\"https:\/\/solutionsreview.com\/network-monitoring\/files\/2023\/11\/2-2.jpg\" alt=\"EO 14028\" width=\"800\" height=\"400\" srcset=\"https:\/\/solutionsreview.com\/network-monitoring\/files\/2023\/11\/2-2.jpg 800w, https:\/\/solutionsreview.com\/network-monitoring\/files\/2023\/11\/2-2-300x150.jpg 300w, https:\/\/solutionsreview.com\/network-monitoring\/files\/2023\/11\/2-2-768x384.jpg 768w\" sizes=\"(max-width: 800px) 100vw, 800px\" \/><\/p>\n<p><em><strong>Solutions Review\u2019s\u00a0<a class=\"fui-Link ___1idfs5o f3rmtva f1ewtqcl fyind8e f1k6fduh f1w7gpdv fk6fouc fjoy568 figsok6 f1hu3pq6 f11qmguv f19f4twv f1tyq0we f1g0x7ka fhxju0i f1qch9an f1cnd47f fqv5qza f1vmzxwi f1o700av f13mvf36 f1cmlufx f9n3di6 f1ids18y f1tx3yz7 f1deo86v f1eh06m1 f1iescvh ftqa4ok f2hkw1w fhgqx19 f1olyrje f1p93eir f1h8hb77 f1x7u7e9 f10aw75t fsle3fq f17ae5zn\" title=\"https:\/\/solutionsreview.com\/solutions-review-contributor-guidelines\/\" href=\"https:\/\/solutionsreview.com\/solutions-review-contributor-guidelines\/\" target=\"_blank\" rel=\"noreferrer noopener\" aria-label=\"Link Contributed Content Series\"><u>Contributed Content Series<\/u><\/a> is a collection of contributed articles written by thought leaders in enterprise software categories. Curtis Yanko of <a href=\"https:\/\/codesecure.com\/\" target=\"_blank\" rel=\"noopener\">CodeSecure<\/a> examines the dark side of executing Executive Order 14028 and how it will impact private-sector software security.<\/strong><\/em><\/p>\n<p>Despite the fact that the Cybersecurity Executive Order, known as EO 14028, governs software designed for use by government agencies, these guidelines will eventually extend to and reshape private sector software security practices&#8211; especially for hardware used in critical infrastructure and safety-critical industries, including automotive, aerospace, IoT, medical devices, and more.<\/p>\n<p>We can expect EO 14028, which requires software supplies to adopt NIST SSDF, a set of guidelines and best practices for secure software development, to force profound changes in private sector software security requirements. Specifically, it calls for a proactive shift to integrating security considerations across the software development lifecycle, from design and coding to testing and deployment. While this transition will necessitate a shift in mindset and resource allocation, it is a critical step toward minimizing software supply chain vulnerabilities and hardening digital assets.<\/p>\n<p>Here are five ways EO 14028 and SSDF are likely to impact private-sector software security:<\/p>\n<ol>\n<li><strong>Influence on industry standards<\/strong>: Private sector organizations, including those developing safety-critical products and software used in critical infrastructure, may need to adopt SSDF standards and guidelines voluntarily to align with recognized best practices.<\/li>\n<li><strong>Market expectations<\/strong>: With increasing customer expectations regarding the security and integrity of software products, especially for critical infrastructure, product selection may favor suppliers that demonstrate adherence to recognized cybersecurity practices, specifically those influenced by NIST, CISA, and EO 14028.<\/li>\n<li><strong>Enforcement of supply chain security practices<\/strong>: Suppliers developing safety-critical software will likely be required to implement supply chain security practices, such as conducting thorough vendor assessments, ensuring software integrity throughout the supply chain, and implementing secure development practices.<\/li>\n<li><strong>Collaboration with federal agencies<\/strong>: Private sector organizations may need to collaborate with federal government agencies on information sharing, participation in working groups, or joint initiatives to strengthen cybersecurity measures in the broader software ecosystem.<\/li>\n<li><strong>Potential future regulations<\/strong>: While EO 14028 is specific to federal agencies, subsequent cybersecurity regulations or industry-specific standards may be created for and require compliance by private sector hardware and software providers.<\/li>\n<\/ol>\n<p>Given these current trade winds, private-sector software suppliers should closely monitor any subsequent developments, guidelines, or standards that emerge as a result of EO 14028. Engaging with industry associations, staying informed about evolving cybersecurity practices, and consulting legal and cybersecurity experts can help organizations navigate potential impacts and adapt their practices accordingly.<\/p>\n<p>One of the ways to prepare for greater regulation within the software security supply chain is through the proactive adoption of NIST SSDF guidelines and best practices for secure software development. It emphasizes proactive identification and mitigation of security risks and promotes a continuous improvement mindset to enhance software security over time. NIST has also published <em>Guidelines on Minimum Standards for Developer Verification of Software (NISTIR 8397)<\/em>, which recommends techniques for meeting the guidance outlined in EO 14028.<\/p>\n<p>While safety-critical software already undergoes testing for security vulnerabilities, the integration of the NIST framework can further strengthen secure development processes in the following ways:<\/p>\n<ul>\n<li><strong>Stronger security<\/strong>: SSDF best practices, which can be applied during development, including threat modeling, secure coding practices, secure configuration management, secure authentication and access controls, secure communication protocols, and vulnerability assessments.<\/li>\n<li><strong>Security-by-Design Approach<\/strong>: Modern safety-critical systems should integrate security considerations from the early stages of the development process, not as an afterthought. Alongside safety risk assessment, developers should incorporate security requirements and risk assessments into the software development life cycle, conduct security-focused design reviews, and implement security controls at each development phase.<\/li>\n<li><strong>Collaboration<\/strong>: The SSDF encourages collaboration among developers, testers, security professionals, and management. This helps foster a security-focused culture and ensures that security considerations are effectively communicated and understood across the development team. Additionally, training and awareness programs on secure software development practices are essential for success.<\/li>\n<li><strong>Security tools<\/strong>: the use of secure development tools and automation can assist in identifying vulnerabilities, enforcing secure coding practices, and automating security testing. Integrating such tools into existing development processes and pipelines can augment security testing efforts and provide developers with real-time feedback on potential security issues.<\/li>\n<li><strong>Compliance<\/strong>: Verification and auditing are common practices for safety-critical software development, while compliance with security standards may soon be, or already is, a requirement in many industries. Following SSDF guidelines for regular security assessments, code reviews, and security testing can help demonstrate the effectiveness of security controls and identify areas for improvement during an audit.<\/li>\n<\/ul>\n<p>Private sector critical infrastructure and safety-critical software developers can expect some or all of Cybersecurity Executive Order 14028\u2019s requirements to apply to them at some point. With concerns over software supply chain security risks now front and center with customers, product security should be a focal point for embedded, IoT, and safety-critical suppliers. By integrating the NIST Secure Software Development Framework into their development processes, organizations can elevate the security, overall quality, and integrity of their products.<\/p>\n<p>&nbsp;<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Solutions Review\u2019s\u00a0Contributed Content Series is a collection of contributed articles written by thought leaders in enterprise software categories. Curtis Yanko of CodeSecure examines the dark side of executing Executive Order 14028 and how it will impact private-sector software security. Despite the fact that the Cybersecurity Executive Order, known as EO 14028, governs software designed for [&hellip;]<\/p>\n","protected":false},"author":747,"featured_media":5820,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"inline_featured_image":false,"footnotes":""},"categories":[1,21],"tags":[],"acf":[],"yoast_head":"<!-- This site is optimized with the Yoast SEO plugin v23.5 - https:\/\/yoast.com\/wordpress\/plugins\/seo\/ -->\n<title>Preparing for the Impact of EO 14028 on Software Security<\/title>\n<meta name=\"description\" content=\"Curtis Yanko of CodeSecure examines the dark side of executing Executive Order 14028 and how it will impact private-sector software security.\" \/>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/solutionsreview.com\/network-monitoring\/preparing-for-the-impact-of-eo-14028-on-software-security\/\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"Preparing for the Impact of EO 14028 on Software Security\" \/>\n<meta property=\"og:description\" content=\"Curtis Yanko of CodeSecure examines the dark side of executing Executive Order 14028 and how it will impact private-sector software security.\" \/>\n<meta property=\"og:url\" content=\"https:\/\/solutionsreview.com\/network-monitoring\/preparing-for-the-impact-of-eo-14028-on-software-security\/\" \/>\n<meta property=\"og:site_name\" content=\"Network Monitoring Tools &amp; Performance Software | Solutions Review\" \/>\n<meta property=\"article:published_time\" content=\"2023-11-10T22:40:50+00:00\" \/>\n<meta property=\"article:modified_time\" content=\"2023-11-10T22:46:20+00:00\" \/>\n<meta property=\"og:image\" content=\"https:\/\/solutionsreview.com\/network-monitoring\/files\/2023\/11\/2-2.jpg\" \/>\n\t<meta property=\"og:image:width\" content=\"800\" \/>\n\t<meta property=\"og:image:height\" content=\"400\" \/>\n\t<meta property=\"og:image:type\" content=\"image\/jpeg\" \/>\n<meta name=\"author\" content=\"Curtis Yanko\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"Curtis Yanko\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"4 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\/\/schema.org\",\"@graph\":[{\"@type\":\"WebPage\",\"@id\":\"https:\/\/solutionsreview.com\/network-monitoring\/preparing-for-the-impact-of-eo-14028-on-software-security\/\",\"url\":\"https:\/\/solutionsreview.com\/network-monitoring\/preparing-for-the-impact-of-eo-14028-on-software-security\/\",\"name\":\"Preparing for the Impact of EO 14028 on Software Security\",\"isPartOf\":{\"@id\":\"https:\/\/solutionsreview.com\/network-monitoring\/#website\"},\"primaryImageOfPage\":{\"@id\":\"https:\/\/solutionsreview.com\/network-monitoring\/preparing-for-the-impact-of-eo-14028-on-software-security\/#primaryimage\"},\"image\":{\"@id\":\"https:\/\/solutionsreview.com\/network-monitoring\/preparing-for-the-impact-of-eo-14028-on-software-security\/#primaryimage\"},\"thumbnailUrl\":\"https:\/\/solutionsreview.com\/network-monitoring\/files\/2023\/11\/2-2.jpg\",\"datePublished\":\"2023-11-10T22:40:50+00:00\",\"dateModified\":\"2023-11-10T22:46:20+00:00\",\"author\":{\"@id\":\"https:\/\/solutionsreview.com\/network-monitoring\/#\/schema\/person\/7c030657fbd363d2febe335169636343\"},\"description\":\"Curtis Yanko of CodeSecure examines the dark side of executing Executive Order 14028 and how it will impact private-sector software security.\",\"breadcrumb\":{\"@id\":\"https:\/\/solutionsreview.com\/network-monitoring\/preparing-for-the-impact-of-eo-14028-on-software-security\/#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\/\/solutionsreview.com\/network-monitoring\/preparing-for-the-impact-of-eo-14028-on-software-security\/\"]}]},{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/solutionsreview.com\/network-monitoring\/preparing-for-the-impact-of-eo-14028-on-software-security\/#primaryimage\",\"url\":\"https:\/\/solutionsreview.com\/network-monitoring\/files\/2023\/11\/2-2.jpg\",\"contentUrl\":\"https:\/\/solutionsreview.com\/network-monitoring\/files\/2023\/11\/2-2.jpg\",\"width\":800,\"height\":400,\"caption\":\"EO 14028\"},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\/\/solutionsreview.com\/network-monitoring\/preparing-for-the-impact-of-eo-14028-on-software-security\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\/\/solutionsreview.com\/network-monitoring\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"Preparing for the Impact of EO 14028 on Software Security\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\/\/solutionsreview.com\/network-monitoring\/#website\",\"url\":\"https:\/\/solutionsreview.com\/network-monitoring\/\",\"name\":\"Network Monitoring Tools &amp; Performance Software | Solutions Review\",\"description\":\"Evaluating Enterprise NPM Software, Network Observability &amp; Packet Analysis Tools.\",\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\/\/solutionsreview.com\/network-monitoring\/?s={search_term_string}\"},\"query-input\":{\"@type\":\"PropertyValueSpecification\",\"valueRequired\":true,\"valueName\":\"search_term_string\"}}],\"inLanguage\":\"en-US\"},{\"@type\":\"Person\",\"@id\":\"https:\/\/solutionsreview.com\/network-monitoring\/#\/schema\/person\/7c030657fbd363d2febe335169636343\",\"name\":\"Curtis Yanko\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/solutionsreview.com\/network-monitoring\/#\/schema\/person\/image\/\",\"url\":\"https:\/\/secure.gravatar.com\/avatar\/d0acb5c7b60b33febbfba5f5cd3e02c4?s=96&d=mm&r=g\",\"contentUrl\":\"https:\/\/secure.gravatar.com\/avatar\/d0acb5c7b60b33febbfba5f5cd3e02c4?s=96&d=mm&r=g\",\"caption\":\"Curtis Yanko\"},\"description\":\"Curtis Yanko is Principal Solutions Architect for CodeSecure, formerly the product division of GrammaTech. He has more than 30 years of experience in software security, and is a contributing member of the OWASP SBOM Forum.\",\"url\":\"https:\/\/solutionsreview.com\/network-monitoring\/author\/cyanko\/\"}]}<\/script>\n<!-- \/ Yoast SEO plugin. -->","yoast_head_json":{"title":"Preparing for the Impact of EO 14028 on Software Security","description":"Curtis Yanko of CodeSecure examines the dark side of executing Executive Order 14028 and how it will impact private-sector software security.","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/solutionsreview.com\/network-monitoring\/preparing-for-the-impact-of-eo-14028-on-software-security\/","og_locale":"en_US","og_type":"article","og_title":"Preparing for the Impact of EO 14028 on Software Security","og_description":"Curtis Yanko of CodeSecure examines the dark side of executing Executive Order 14028 and how it will impact private-sector software security.","og_url":"https:\/\/solutionsreview.com\/network-monitoring\/preparing-for-the-impact-of-eo-14028-on-software-security\/","og_site_name":"Network Monitoring Tools &amp; Performance Software | Solutions Review","article_published_time":"2023-11-10T22:40:50+00:00","article_modified_time":"2023-11-10T22:46:20+00:00","og_image":[{"url":"https:\/\/solutionsreview.com\/network-monitoring\/files\/2023\/11\/2-2.jpg","width":800,"height":400,"type":"image\/jpeg"}],"author":"Curtis Yanko","twitter_card":"summary_large_image","twitter_misc":{"Written by":"Curtis Yanko","Est. reading time":"4 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"WebPage","@id":"https:\/\/solutionsreview.com\/network-monitoring\/preparing-for-the-impact-of-eo-14028-on-software-security\/","url":"https:\/\/solutionsreview.com\/network-monitoring\/preparing-for-the-impact-of-eo-14028-on-software-security\/","name":"Preparing for the Impact of EO 14028 on Software Security","isPartOf":{"@id":"https:\/\/solutionsreview.com\/network-monitoring\/#website"},"primaryImageOfPage":{"@id":"https:\/\/solutionsreview.com\/network-monitoring\/preparing-for-the-impact-of-eo-14028-on-software-security\/#primaryimage"},"image":{"@id":"https:\/\/solutionsreview.com\/network-monitoring\/preparing-for-the-impact-of-eo-14028-on-software-security\/#primaryimage"},"thumbnailUrl":"https:\/\/solutionsreview.com\/network-monitoring\/files\/2023\/11\/2-2.jpg","datePublished":"2023-11-10T22:40:50+00:00","dateModified":"2023-11-10T22:46:20+00:00","author":{"@id":"https:\/\/solutionsreview.com\/network-monitoring\/#\/schema\/person\/7c030657fbd363d2febe335169636343"},"description":"Curtis Yanko of CodeSecure examines the dark side of executing Executive Order 14028 and how it will impact private-sector software security.","breadcrumb":{"@id":"https:\/\/solutionsreview.com\/network-monitoring\/preparing-for-the-impact-of-eo-14028-on-software-security\/#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/solutionsreview.com\/network-monitoring\/preparing-for-the-impact-of-eo-14028-on-software-security\/"]}]},{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/solutionsreview.com\/network-monitoring\/preparing-for-the-impact-of-eo-14028-on-software-security\/#primaryimage","url":"https:\/\/solutionsreview.com\/network-monitoring\/files\/2023\/11\/2-2.jpg","contentUrl":"https:\/\/solutionsreview.com\/network-monitoring\/files\/2023\/11\/2-2.jpg","width":800,"height":400,"caption":"EO 14028"},{"@type":"BreadcrumbList","@id":"https:\/\/solutionsreview.com\/network-monitoring\/preparing-for-the-impact-of-eo-14028-on-software-security\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https:\/\/solutionsreview.com\/network-monitoring\/"},{"@type":"ListItem","position":2,"name":"Preparing for the Impact of EO 14028 on Software Security"}]},{"@type":"WebSite","@id":"https:\/\/solutionsreview.com\/network-monitoring\/#website","url":"https:\/\/solutionsreview.com\/network-monitoring\/","name":"Network Monitoring Tools &amp; Performance Software | Solutions Review","description":"Evaluating Enterprise NPM Software, Network Observability &amp; Packet Analysis Tools.","potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/solutionsreview.com\/network-monitoring\/?s={search_term_string}"},"query-input":{"@type":"PropertyValueSpecification","valueRequired":true,"valueName":"search_term_string"}}],"inLanguage":"en-US"},{"@type":"Person","@id":"https:\/\/solutionsreview.com\/network-monitoring\/#\/schema\/person\/7c030657fbd363d2febe335169636343","name":"Curtis Yanko","image":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/solutionsreview.com\/network-monitoring\/#\/schema\/person\/image\/","url":"https:\/\/secure.gravatar.com\/avatar\/d0acb5c7b60b33febbfba5f5cd3e02c4?s=96&d=mm&r=g","contentUrl":"https:\/\/secure.gravatar.com\/avatar\/d0acb5c7b60b33febbfba5f5cd3e02c4?s=96&d=mm&r=g","caption":"Curtis Yanko"},"description":"Curtis Yanko is Principal Solutions Architect for CodeSecure, formerly the product division of GrammaTech. He has more than 30 years of experience in software security, and is a contributing member of the OWASP SBOM Forum.","url":"https:\/\/solutionsreview.com\/network-monitoring\/author\/cyanko\/"}]}},"_links":{"self":[{"href":"https:\/\/solutionsreview.com\/network-monitoring\/wp-json\/wp\/v2\/posts\/5819"}],"collection":[{"href":"https:\/\/solutionsreview.com\/network-monitoring\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/solutionsreview.com\/network-monitoring\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/solutionsreview.com\/network-monitoring\/wp-json\/wp\/v2\/users\/747"}],"replies":[{"embeddable":true,"href":"https:\/\/solutionsreview.com\/network-monitoring\/wp-json\/wp\/v2\/comments?post=5819"}],"version-history":[{"count":0,"href":"https:\/\/solutionsreview.com\/network-monitoring\/wp-json\/wp\/v2\/posts\/5819\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/solutionsreview.com\/network-monitoring\/wp-json\/wp\/v2\/media\/5820"}],"wp:attachment":[{"href":"https:\/\/solutionsreview.com\/network-monitoring\/wp-json\/wp\/v2\/media?parent=5819"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/solutionsreview.com\/network-monitoring\/wp-json\/wp\/v2\/categories?post=5819"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/solutionsreview.com\/network-monitoring\/wp-json\/wp\/v2\/tags?post=5819"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}