The White House Executive Cybersecurity Order Prioritizes Testing and Validating Code
By: Team CodeHunter™
In the past seven years, the United States has battled hundreds of millions of malware attacks. In recent years, those attacks have grown in both intensity and malice. Recognizing the rising need to protect the Nation's industries and the infrastructure of modern society, the Federal Government issued an Executive Order that mandates enhanced, robust expectations for security in the cyber community. These new standards will set the pace for software development and operating system implementation as we move further along the path of digital progression.
On May 12, 2021, the White House issued an Executive Order (EO) charting a new course to improve the Nation's cybersecurity and protect Federal Government networks with help from the private sector. A series of high-visibility breaches and ransomware attacks perpetrated against both industry and government over the past year precipitated the EO. A direct quote from the EO explains:
The Federal Government must bring to bear the full scope of its authorities and resources to protect and secure its computer systems, whether they are cloud-based, on-premises, or hybrid. The scope of protection and security must include systems that process data (information technology (IT)) and those that run the vital machinery that ensures our safety (operational technology (OT))... All Federal Information Systems should meet or exceed the standards and requirements for cybersecurity set forth in and issued pursuant to this order.
The rise in malware attacks, and the increased sophistication of the attackers, poses an increasing risk to national security and overall operations. With this action, critical infrastructure operators, industries reliant on technology, and society at large must take proactive action. The time to focus on robust methods of securing technical infrastructure is now.
Large-Scale Cyber Attacks Encourage Action
Responding to the impact of the recent SolarWinds and other high-profile breaches was certainly a focus of the EO, to help ensure that, in the future, software supply chains do not remain primary cyber-attack vectors. Attackers first breached SolarWinds in October 2019, according to the company, suggesting that the hackers could dwell in its applications and deliver malware for over a year. The hackers used malware that appeared to be legitimate code, signed with valid certificates, to invade victims' operating systems. This breach exposed the vulnerabilities of open-source and application code bases. The massive attack is still under investigation, but as of April 2021 those affected numbered in the tens of thousands. NPR.org had this to say about the hackers' plan:
By design, the hack appeared to work only under very specific circumstances. Its victims had to download the tainted update and then actually deploy it. That was the first condition. The second was that their compromised networks needed to be connected to the Internet, so the hackers could communicate with their servers.
This deep knowledge that hackers gain of an organization's internal operating practices, and of the people who consume its software, is only one example of why cybersecurity should be at the forefront of digital progress.
In another recent example, a remote monitoring and management tool for networks and endpoints was compromised at a company called Kaseya. Kaseya experienced a zero-day file upload and malicious code injection exploited through the tool's update mechanism. The attack, which took advantage of IT software flaws, was a sophisticated ransomware attack potentially affecting 2,000 customers in 17 countries, with financial and operational repercussions.
“According to an annual report on global cyber security, there were a total of 304 million ransomware attacks worldwide in 2020. This was a 62 percent increase from a year prior, and the second highest figure since 2014 with the highest on record being 638 million attacks in 2016.” Hackers are tireless in their efforts as agents of chaos. Given that, it is safe to assume that any organization, industry, sector, or government could be the next target.
Incentivizing Software Security
While the EO covers many areas, from cyber hygiene to incident response, it highlights the need to mitigate software vulnerabilities in the supply chain. Specifically, the EO calls for the improvement of software security by establishing baseline security standards for any software sold to the government. This requires developers to maintain greater visibility into their software and to make their security data publicly available. It stands up a concurrent public-private process to develop new and innovative approaches to secure software development, and it uses the power of Federal procurement to incentivize the market.
The latter part of the statement, which calls for innovative approaches to secure development, is a key starting point for everyone operating on the new digital landscape, and especially for businesses that are most at risk from increasingly sophisticated hackers. Every application begins with software code, so standards are necessary to optimize that code and discover its vulnerabilities. Visibility scanning and penetration testing that include verification and validation of the source code can close gaps in security.
The Testing and Validation Process
The testing and validation process is all about finding issues before they get to production and contaminate networks and devices.
There are nuances in this process, especially at the pre-patch stages. New code, especially third-party software, needs clear identification, thorough testing, and trusted validation before being installed on the network. Third-party advisory websites such as US-CERT and BugTraq are important tools any cybersecurity team uses to monitor newly disclosed, known vulnerabilities. While new code is a threat, many applications and programs already operate on legacy systems that include flaws and access points that leave openings for malware attacks. Therefore, legacy code needs to be reviewed for patches along with any new code as part of vulnerability assessments. That task is often easier said than done, as many IT shops lack the bandwidth and expertise for comprehensive, rapid, cost-effective scanning to detect security risks.
In the past, validation testing was manual, typically conducted on paper. Fortunately, the rise of automated tools has replaced those antiquated, time-consuming processes. Highly accessible, frequently updated databases are another option used to track known threats. Data on previously known threats is concrete and actionable, but it is often overlooked. An enormous challenge for software testing, assessment, and validation is anticipating the unknown threats common in cybersecurity breaches. These unknowns may include hidden malware that goes undetected by sandboxes, signature-based tools, and other behavioral identification products.
Because of the EO, software vendors will be expected, as an industry standard, to prove the hygiene of their software supply chain through software composition analysis and integrated security monitoring.
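The two checks the preceding paragraphs describe, validating a third-party artifact before it is installed and comparing the components already in use against published advisories, can be expressed as a small pre-install gate. The following is an added example written for this article, not code from CodeHunter™, Affirm Logic, or any advisory service; the approved manifest, the advisory entries (placeholder identifiers, not real CVEs), and the artifact bytes are all constructed for illustration. It pins each approved component version to a SHA-256 digest, verifies a candidate artifact against that pin, and flags any component whose version falls inside an advisory's affected range.

```python
"""Pre-install gate: pinned-hash verification plus an advisory lookup.

Added example for this article. The manifest, advisory list and artifact bytes
below are constructed for illustration; the advisory IDs are placeholders.
"""
import hashlib
import hmac
import re
from dataclasses import dataclass

# Constructed approved manifest: the component versions the team has reviewed,
# keyed by (component, version) and mapped to the expected SHA-256 hex digest.
APPROVED_MANIFEST = {
    ("example-agent", "2.3.1"): hashlib.sha256(
        b"example-agent-2.3.1 release bytes"
    ).hexdigest(),
}

# Constructed advisory entries (placeholder IDs, not real CVEs):
# (advisory id, component, first affected version, first fixed version or None).
ADVISORIES = [
    ("ADV-EXAMPLE-0001", "example-agent", "2.0.0", "2.3.0"),
    ("ADV-EXAMPLE-0002", "legacy-monitor", "1.0.0", None),  # still unfixed
]


def parse_version(v: str) -> tuple:
    """Turn '2.10.0' into (2, 10, 0) so versions compare numerically.

    A plain string comparison would rank '2.9' above '2.10', which is exactly
    the kind of mistake that lets a vulnerable build slip past a range check.
    """
    if not re.fullmatch(r"\d+(\.\d+)*", v):
        raise ValueError(f"unparseable version: {v!r}")
    return tuple(int(part) for part in v.split("."))


def open_advisories(component: str, version: str) -> list:
    """Return advisory IDs whose range [first_affected, fixed) contains version."""
    ver = parse_version(version)
    hits = []
    for adv_id, comp, first_affected, fixed in ADVISORIES:
        if comp != component:
            continue
        if ver < parse_version(first_affected):
            continue
        if fixed is not None and ver >= parse_version(fixed):
            continue  # running a patched build
        hits.append(adv_id)
    return hits


@dataclass
class GateResult:
    allowed: bool
    reasons: list


def pre_install_gate(component: str, version: str, artifact: bytes) -> GateResult:
    """Decide whether an artifact may be installed; every failure is recorded."""
    reasons = []
    expected = APPROVED_MANIFEST.get((component, version))
    if expected is None:
        reasons.append("not in approved manifest")
    else:
        actual = hashlib.sha256(artifact).hexdigest()
        # Constant-time comparison, so the check does not leak digest prefixes.
        if not hmac.compare_digest(actual, expected):
            reasons.append("hash mismatch against pinned manifest")
    advs = open_advisories(component, version)
    if advs:
        reasons.append("open advisories: " + ", ".join(advs))
    return GateResult(allowed=not reasons, reasons=reasons)


if __name__ == "__main__":
    good = pre_install_gate("example-agent", "2.3.1", b"example-agent-2.3.1 release bytes")
    tampered = pre_install_gate("example-agent", "2.3.1", b"example-agent-2.3.1 release bytes!")
    print("approved build:", good)
    print("tampered build:", tampered)
    print("legacy-monitor 1.4.0 advisories:", open_advisories("legacy-monitor", "1.4.0"))
```

In practice the manifest would be produced by the review step and the advisory entries would come from a feed such as the ones named above; the gate itself stays the same, and the legacy review the article calls for is just `open_advisories` run over the inventory of components already deployed.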
A New, Frictionless Security Platform
Along with new requirements for enhanced security in the cyber community comes new software from the private sector to support developers and IT teams. As the industry moves closer to the future of cyber-technology through automated security offerings, many are exploring new methods of discovering vulnerabilities in code.
A new offering by Affirm Logic called CodeHunter™ addresses both known and unknown challenges by automating malware hunting and reverse engineering at the code level. It uses mathematical algorithms that analyze and identify malicious behavior within binary code. CodeHunter™ proactively discovers vulnerabilities in the supply chain, M&A, legacy applications, DevSecOps, and a plethora of other cases. The design of the code-hunting software focuses on scalability in public and private clouds. Ultimately, it can serve as a clearinghouse of specialized and unique tools for IT teams striving to meet the new security requirements, as well as for customized testing and validation needs.
The CodeHunter™ platform provides elements critical to businesses and their cyber teams in a budget-conscious environment, reducing human analysis time from weeks or months to minutes or hours. Besides providing greater detection capabilities, it significantly improves efficiency and reduces cost compared to other automated testing applications.
The Executive Order is an important step in the Nation’s efforts to enhance cybersecurity at the federal government level, including standardizing cybersecurity requirements and policies among agencies, and strengthening collaboration and cybersecurity information sharing with government contractors. While it presents a challenge for some industries working with legacy software and mainframe operating systems, it also provides the push for action in creating better defenses against vulnerabilities.
The good news is that the White House Executive Order is gaining acceptance as a plan of action for companies wary of being the next victim of a cyber-attack. This guidance stresses prevention and preparedness exemplified by platforms like CodeHunter™. That action starts with discovering the knowns and unknowns in developer code through a deep analysis of behavior and potential risk. Code functions as the backbone of the array of applications and operating networks that will determine our digital future. It is paramount that we take every precaution to keep it safe.
De Vynck, G., & Lerman, R. (2021, July 3). Widespread ransomware attack likely hit 'thousands' of companies on eve of long weekend. The Washington Post. https://www.washingtonpost.com/technology/2021/07/02/kaseya-ransomware-attack/
Johnson, J. (2021, April 13). Annual number of ransomware attacks worldwide from 2014 to 2020. Statista. https://www.statista.com/statistics/494947/ransomware-attacks-per-year-worldwide/
Temple-Raston, D. (2021, April 16). A 'Worst Nightmare' Cyberattack: The Untold Story Of The SolarWinds Hack. NPR. https://www.npr.org/2021/04/16/985439655/a-worst-nightmare-cyberattack-the-untold-story-of-the-solarwinds-hack
The White House. (2021, May 12). Executive Order on Improving the Nation's Cybersecurity. The White House Briefing Room. https://www.whitehouse.gov/briefing-room/presidential-actions/2021/05/12/executive-order-on-improving-the-nations-cybersecurity/