White House cybersecurity plan collides with SecOps reality
The White House Cybersecurity Strategy sets lofty goals. But recent market research suggests a significant number of enterprises don't follow existing SecOps best practices.
Market research suggests many IT organizations still struggle with basic SecOps best practices, dimming the prospects for the Biden Administration's call for sweeping improvements to the nation's cybersecurity posture.
The White House Cybersecurity Strategy document, published March 2, addressed a wide range of issues, from the need to protect critical infrastructure to fighting ransomware gangs. It also proposed "fundamental shifts in how the United States allocates roles, responsibilities, and resources in cyberspace," most notably holding software vendors liable if they "fail to take reasonable precautions to secure their software."
However, recent reports on the state of security operations (SecOps) in general, and open source security in particular, reflect an industry already struggling to achieve less ambitious security improvements.
For example, more than five years after a failure to patch systems resulted in a high-profile breach at credit bureau Equifax, the 2023 Open Source Security and Risk Analysis (OSSRA) report by software composition analysis vendor Synopsys found "troublingly high numbers of known vulnerabilities that organizations had failed to patch" in the open source codebases that comprise most enterprise software.
Two years after the Log4Shell vulnerability was discovered in a widely used Java library, 5% of all codebases scanned by Synopsys still contained the vulnerability, including 11% of Java codebases, according to the OSSRA report.
"Despite the media attention it received, and the numerous avenues organizations can take to confirm its presence in their codebases and remediate it, we still identified it in our audits this year," the report stated.
Assessing the health of open source software (OSS) projects, not just the security of their codebases, also remains a frequently overlooked SecOps challenge, one industry analyst said.
"There are no established standards for building and maintaining OSS despite the litany of OSS projects," said IDC analyst Katie Norton. "Unfortunately because many OSS projects are underfunded or rely solely on volunteer contributors, there is a lot of variation in how the projects are maintained. There are also fewer software supply chain [security products] in the market that offer [project health assessment] capabilities."
Cloud migration, organizational divides hinder SecOps
Cloud-native technologies such as containers and Kubernetes only muddy the waters further for enterprises. Security was cited as the top challenge by respondents who use containers for a majority of their applications in the Cloud Native Computing Foundation (CNCF) 2022 member survey. Initial government guidance on software bills of materials (SBOM) specifically excluded cloud-native systems. Efforts to help SBOM catch up, such as the GUAC project, remain nascent. Even high-level guidance on what constitutes good software supply chain security policy remains an open issue within CNCF.
SecOps shortfalls also worsened as the workloads hosted on public cloud platforms increased by 8% in 2022, according to a report published by security vendor Palo Alto Networks this week. Ninety percent of 2,500 respondents to the Palo Alto State of Cloud-Native Security survey said that their organization cannot detect, contain and resolve threats within an hour. DevSecOps efforts that hold developers accountable for insecure code are under way for more than 75% of respondents. But 47% said that a majority of their overall workforce does not understand their security responsibilities.
Amid increased attention to open source and cloud-native security, there remains a disconnect between the compliance and supply chain risk management tools used by businesses and those adopted by IT teams, said David Strauss, co-founder and CTO at WebOps vendor Pantheon in San Francisco.
"The business side has long been tracking the licenses and the provenance of software that's been used in open source to ensure that the actual assembled products are defensible from an intellectual property perspective," Strauss said. "On the other side, engineers and technical authors have things like build tools, dependency management tools and package managers. … I don't know that the industry has a well-conceived view of how all these things come together yet."
Biden plan "lip service" without specifics, funding
Against this backdrop, the White House Cybersecurity Strategy comes up short on specifics in many areas, IT experts said. These include details on how organizations can make progress toward its stated goals, the federal legislation the White House plans to propose to Congress and the level of funding the federal government is prepared to put behind these initiatives.
"A lot of it is lip service. Although the good news about lip service is that it can create emphasis and shift priorities," said Chris Riley, senior manager of developer relations at marketing tech firm HubSpot in Cambridge, Mass.
Still, for some government agencies, shifting tech priorities will be a difficult fight, he said.
"The government needs to have a full, sweeping IT and technology perspective shift," Riley said. "You have pockets of places in the government that are doing amazing things. And then you have organizations like the [General Services Administration] that are extremely behind in technology, and it's absurd."
Funding, particularly for open source security initiatives, is also imperative for the new cybersecurity strategy to be viable, IT pros said. The Open Source Security Foundation (OpenSSF) remains at work on a previous cybersecurity strategy document issued with input from the White House last year, its $150 million Open Source Software Security Mobilization Plan. Some initiatives within that plan have begun to gain momentum, but OpenSSF leaders said they have yet to raise anything near that initial funding goal.
"Policy means nothing without a way to enforce it or funding to support it," said Robert Slaughter, CEO at IT defense contractor Defense Unicorns in Colorado Springs, Colo. "One percent of the defense budget should go toward securing our software supply chain, specifically the open-source projects not only our defense systems, but the entire world leverages."
Long-term rays of hope
In the long run, despite the many hurdles to an improved national cybersecurity posture, some industry experts said they believe that progress is not just possible but imminent. One engineer cited the example of past initiatives in other industries, such as food safety regulations and auto manufacturing quality standards.
"There are social constructs that need to change, but I believe they can," said Jacques Chester, senior staff software developer at Shopify, who noted that he was speaking as an individual, not a company representative. "The history of quality improvement in other industries shows that you can take what seems to be impossible and make it the ordinary, given some time and determination."
Cloud-native tech and more sophisticated IT automation come with an initial SecOps learning curve. But they may be the way out of longstanding failures to adhere to best practices such as patch management, according to Norton.
"What is going to have to happen is more automated remediation," she said. "We will see more and more of this technology and capabilities emerging in the next year or so."
Beth Pariseau, senior news writer at TechTarget, is an award-winning veteran of IT journalism. She can be reached at [email protected] or on Twitter @PariseauTT.