The US Government has wanted to purchase secure software for years, but recently something changed. Now they want proof that the software is secure.

Building on the May 12, 2021 executive order from President Joe Biden, the Office of Management and Budget (OMB) published memorandum M-22-18 last year, requiring federal agencies to obtain guarantees from software vendors that their software is secure. The guidance is titled “Enhancing the Security of the Software Supply Chain through Secure Software Development Practices”.

What could constitute such guarantees? “At a minimum level, such guarantees should be provided as a self-attestation form, but agencies may also require a software bill of materials (SBOM) and other artifacts, or may require the vendor to run a vulnerability disclosure program.”

A Vulnerability Disclosure Program

What is a vulnerability disclosure program (VDP)? A VDP is a centralized process for anyone to report security flaws in an organization’s internet-facing applications. VDPs need to include a trusted methodology for organizations to receive and triage these reports.

The key phrase here is “a trusted methodology for organizations to receive and triage these reports.” In other words, the organizations providing secure software not only must have a way to understand the potential vulnerabilities of their software, but they must also have a reliable way of dealing with those vulnerabilities.

What are some options for reliably dealing with uncovered software vulnerabilities?

Dealing With Software Vulnerabilities

Whatever option you choose for dealing with vulnerabilities in your software, it should produce a report or artifact that can serve as proof that you have addressed them. Given this requirement, there are a few options.

Some tools that help address software vulnerabilities and produce an artifact as proof include the following:

  • Static application security testing (SAST): to spot known problematic coding practices in source code
  • Software composition analysis (SCA): to identify known vulnerabilities in the third-party components your code depends on
  • Dynamic application security testing (DAST): to probe running application endpoints and find live vulnerabilities
  • Threat modeling: to identify system-wide threats and define compensating controls

All these tools produce an artifact as “proof” of secure software, but only one can tie into a vulnerability disclosure program. Only one can have a library of threats and vulnerabilities updated in near-real-time from sources like the Common Vulnerabilities and Exposures (CVE) database. The CVE program, which provides a reference method for publicly known information-security vulnerabilities and exposures, is exactly the kind of vulnerability disclosure program the US Government is looking for to ensure secure software.

So, while each of these tools does provide an additional way of securing software, only one meets the implied requirement of accommodating vulnerability disclosure: threat modeling.

The practice of threat modeling used to be limited to security experts drawing data flow diagrams in Visio. Those days are gone. Today, automated threat modeling tools do most of the work for you. More importantly, their threat libraries are updated dynamically to reflect the ever-changing nature of the threat landscape. And of course, the best threat modeling tools produce reports showing that you not only identified vulnerabilities in your software but also addressed them.
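To make the "identified and addressed" artifact concrete, here is an added example (not ThreatModeler's code or output format) of a minimal threat register with a check that every recorded threat carries a documented treatment before the model is reported as addressed. The component names, threat descriptions, identifiers and statuses are constructed placeholders; the only real reference used is the CWE category id in one entry.

```python
"""Toy threat register and proof-of-remediation report.

Added illustration, not ThreatModeler code: a minimal structure for the kind of
artifact the text describes, where each identified threat must carry a documented
treatment (an applied mitigation or a risk-acceptance rationale) before the model
counts as addressed. All ids, components and findings below are constructed.
"""
import json
from dataclasses import dataclass, field, asdict
from typing import List, Optional


@dataclass
class Threat:
    threat_id: str
    component: str
    description: str
    severity: str                  # "low" | "medium" | "high" | "critical"
    treatment: Optional[str] = None  # mitigation applied, or acceptance rationale
    status: str = "open"           # "open" | "mitigated" | "accepted"
    references: List[str] = field(default_factory=list)  # e.g. CWE/CVE ids from a feed


# Constructed sample register (placeholder ids, not real findings).
SAMPLE_REGISTER = [
    Threat("T-001", "api-gateway", "Missing rate limiting on login endpoint",
           "medium", treatment="Token-bucket limiter, 10 req/min per client",
           status="mitigated"),
    Threat("T-002", "auth-service", "JWT accepted with alg=none", "critical",
           treatment="Verifier pinned to RS256; other algorithms rejected",
           status="mitigated", references=["CWE-347"]),
    Threat("T-003", "report-worker", "Outdated image-parsing library",
           "high", references=["CVE-0000-00000 (placeholder)"]),
]


def unresolved(register):
    """Return threats that are still open, or closed without a documented treatment."""
    return [t for t in register
            if t.status == "open"
            or (t.status in ("mitigated", "accepted") and not t.treatment)]


def build_report(register, product, version):
    """Build a JSON-serialisable artifact summarising identification and remediation."""
    open_items = unresolved(register)
    by_severity = {}
    for t in register:
        by_severity[t.severity] = by_severity.get(t.severity, 0) + 1
    return {
        "product": product,
        "version": version,
        "threats_identified": len(register),
        "threats_by_severity": by_severity,
        "unresolved": [t.threat_id for t in open_items],
        "all_addressed": not open_items,
        "threats": [asdict(t) for t in register],
    }


if __name__ == "__main__":
    # With T-003 still open, the artifact reports all_addressed = False.
    print(json.dumps(build_report(SAMPLE_REGISTER, "example-app", "1.4.2"), indent=2))
```

The point of the `unresolved` check is that a status flag alone is not evidence: an entry marked "mitigated" with no recorded treatment is still reported as unresolved, so the generated artifact cannot claim more than the register documents.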

Who makes such a threat modeling tool? Well, ThreatModeler. ThreatModeler is as close to one-click threat modeling as there is. It requires little to no security expertise and was designed specifically to accommodate SaaS products. It’s ideal for helping you sell your software to the US Government. To learn more about ThreatModeler, contact us here.