White House Scraps 'Burdensome' Software Security Rules (securityweek.com)
An anonymous reader quotes a report from SecurityWeek: The White House has announced that software security guidance issued during the Biden administration has been rescinded due to "unproven and burdensome" requirements that prioritized administrative compliance over meaningful security investments. The US Office of Management and Budget (OMB) has issued Memorandum M-26-05 (PDF), officially revoking the previous administration's 2022 policy, 'Enhancing the Security of the Software Supply Chain through Secure Software Development Practices' (M-22-18), as well as the follow-up enhancements announced in 2023 (M-23-16).
The new guidance shifts responsibility to individual agency heads to develop tailored security policies for both software and hardware based on their specific mission needs and risk assessments. "Each agency head is ultimately responsible for assuring the security of software and hardware that is permitted to operate on the agency's network," reads the memo sent by the OMB to departments and agencies. "There is no universal, one-size-fits-all method of achieving that result. Each agency should validate provider security utilizing secure development principles and based on a comprehensive risk assessment," the OMB added.
While agencies are no longer strictly required to do so, they may continue to use secure software development attestation forms, Software Bills of Materials (SBOMs), and other resources described in M-22-18.
Major Meltdown Or Epic Explosion (Score:5, Interesting)
After reading about the latest hot AI agent platform, and its complete lack of guardrails or security, I see this as a step into a massive disaster.
I guess I'm getting old. I'm deeply disturbed by our immediate tech future.
Re:Major Meltdown Or Epic Explosion (Score:4, Informative)
I see this as step into a massive disaster.
Yeah, let's hope that never happens. Oh, wait. [wikipedia.org]
Re:Major Meltdown Or Epic Explosion (Score:5, Interesting)
Well, XKCD dependency (https://www.explainxkcd.com/wiki/index.php/2347:_Dependency) came out 5+ years ago and was already true for 10 years before that in all SaaS. And even in home rolled systems of banks, fintech and other mainstream and "sober" services, though idk about defense specifically.
And some aspects of things have gotten better, but there's still no way, afaik, for anyone to REALLY certify something like even a Linux distribution except in the sense of 'yeah we'll try to fix it when the CVEs inevitably get filed'. In practice what the original legislation required is not currently feasible, though various parts of the ecosystem have been moving in that direction slowly over the decades in some ways (signed debs and rpms, for example) but in the other direction in other ways: CI/CD, weekly (or daily) releases of libraries, a move away from semantic versioning and into linear sequential versioning...
yeah the ecosystem has proved pretty resilient overall in practice all things considered... but if you really think about how the sausage is made... idk how anyone sleeps at night.
It's definitely not coming from security ppl. (Score:5, Interesting)
The thing with security is that it's hard, and it's annoying, and it grates on bosses who want to "move fast and break things".
Proper institutional IT security is less about keeping on top of the latest way to manipulate a malloc() to generate a buffer overflow, although that's ALSO important, and more about the procedures and practices in an organization. You got virus checkers and software solutions to handle the technical stuff; the hard part is to convince the damn receptionist to stop buying from spam mails, because THAT'S where most of the damage comes from.
And in an organization with thousands of people, that's going to mean procedures, procedures and more procedures. You need regular audits to quantify what the risks are, what the vulnerabilities are, and what is to be done to patch up those holes. You need training to teach people not to open unverified attachments. You need up to date inventories on computers as well as a regulated and planned approach to keeping up to date with software patches, and making sure all of your software is licensed (the whole thing falls apart when Ted from marketing is using a pirated version of Photoshop). All of this is a lot of work, and it's all essential if you don't want the Chinese running rampage through your network.
But so many bosses I've had have hated this stuff. It's not how they operated when the company was 5 guys in an industrial unit. Well, Mo' Money, Mo' Problems: what works for 5 guys will not work for 500 guys because everything's exponentially more complex now, and so are the stakes. And here's the thing, when you got a government stuffed with startup-guy posers who think they know how to run a business, they'll start thinking government departments with 20,000 employees should be run like a 5 guy start-up where the weekly payroll is paid off the boss's credit card.
You saw the height of this hubris with DOGE when they actually thought they could get 6-7 guys working for a couple of months to replace giant mainframe systems that had literal decades' worth of code cruft. Yeah no, big-boy world doesn't work like that.
And you can't do security by just keeping Norton up to date, not when China is literally hiring hundreds of top tier hackers to break in and steal anything not nailed down.
Re: (Score:3)
I was hired in part to write my employer's IT security policies and standards, and to guide the various IT groups in building their procedure documentation. Most of it has gone reasonably well since I started mostly with established methods and tightening things here and there. There have been some areas of contention, but the things that have received the most pushback are around development. For example, the idea that developers for enterprise systems with deployment tiers (dev, test, UAT, prod) should no
Re: It's definitely not coming from security ppl. (Score:1)
Yeah, that line about the receptionist was pretty off. The receptionist has no access roles that would allow them to do damage. Nor do they have authority that could be leveraged by a multi-stage intrusion using their email address.
Middle management is the perfect target for hackers because they're not as security conscious as development and operations, and they have greater access and authority. They're also more likely to send requests by email.
Re: (Score:2)
That's what happens when you're doing it right. But so many places just have everyone sitting on a giant shared OneDrive with no concept of actually using the AD roles to control access to shit, meaning that Jane the receptionist, who spends half her time secretly scrolling Facebook, has access to the company's top secret merger plans, even if she doesn't know it.
Re: It's definitely not coming from security ppl. (Score:1)
> the idea that developers for enterprise systems with deployment tiers (dev, test, UAT, prod) should not have direct, full-time access to prod sparked heated debate.
I do not want direct Prod access. That's too much liability for my tastes. I'm a developer. I'd much rather go through the once or twice a year hassle of working through someone with access, rather than let the Prod databases be compromised because I had an off day and fell victim to some 0-day or social engineerin
Re: (Score:2)
That's what we explained. We'll give them access where necessary. Their response was a constant series of what-ifs.
"But what if I need to fix something?" That's what test and UAT are for.
"But what if it worked in UAT but not in prod?" Then figure out what makes prod different from UAT (they're supposed to be identical), apply it to UAT, break UAT, fix UAT, deploy to prod.
"But what if it's an emergency?" We can make an exception at the time.
"But what if you're not fast enough?" We can get it done in half an
Re: (Score:2)
Indeed. Also add that AI "coding" basically only helps attackers, and we have the makings of a nice disaster. Only that it will be a tiny bit larger than any other disaster the human race has ever experienced.
Re: (Score:2)
Things will get interesting for sure. And not because we could not secure the tech, but because greed and stupidity are the new "smart".
Watch out for those buttery males! (Score:4, Interesting)
Meanwhile Donald Trump continues to be the best investment Russia ever made. Did you hear we are funding insurgents in Canada? That is a real sentence that I wrote that has real meaning and isn't just a shitpost.
And those dumb right wingers are stupid because (Score:1, Informative)
Of their identity markers. It's an identity marker. In right wing circles growing bananas became an identity marker to indicate that you were a good little MAGA. You see this a lot in religious circles. It's also why homophobia is so common: it becomes an identity marker you can use to determine who is and who isn't in their in-group.
If you can't see that then you are so far gone I don't even know where to begin. This is an identity marker for you it has nothing to do with reality. Some
Re:And those dumb right wingers are stupid because (Score:4, Interesting)
>Trans people are less than 1/10 that. This means that it's easy to go your entire life without ever knowing one.
Treatments are getting a lot better, so the odds that you know one are a bit higher than you might think. But knowing that you know one is harder because the treatments are better and because they're unwilling to bring it up. When gay marriage was legalized in the US, a lot of people only realized that they had gay friends and family because wedding announcements started coming. It caused a lot of people -- some of whom had been actual leaders of movements against gay marriage -- to rethink things.
Re: (Score:2)
Did you hear we are funding insurgents in Canada? That is a real sentence that I wrote that has real meaning and isn't just a shitpost.
Someone must have told him Alberta has half as much oil as Venezuela, and it’s a whole lot closer.
Re: (Score:1)
"Meanwhile Donald Trump continues to be the best investment Russia ever made." There ought to be a corollary to Godwin's Law that when you repeat a provenly false story about Trump, anything else you say is discounted as nonsense.
Re: (Score:2)
> when you repeat a provenly false story about Trump that anything else you say is discounted as nonsense.
Unsurprising that you don't understand why Godwin's is a useful meme and your partisan "corollary" never will be.
It was too hard for Putin to read Trump's email. (Score:5, Insightful)
So they had to remove the firewall and complex passwords. Haha
Re: (Score:2, Insightful)
I'm sure Trump sends email in bulk to Putin along with the Ukraine intel
Re: (Score:2)
Trump doesn't use email, and he never has.
And as of last summer, NIST recommends against complex passwords and expiration [nist.gov] while calling for a 15-character minimum. Forced password changes should happen only when they're suspected to have been compromised.
Ho hum... (Score:4, Interesting)
This abdication of effort and responsibility isn't special. Throw it on the pile with the rest. Cyber security can compost alongside health care, environmental protection, consumer protection, financial watchdogging... the list is already so well populated that this one doesn't matter much in the grander scheme.
Re: (Score:2)
Well, throwing out IT security is on another level. Like stopping the monitoring of dangerous infectious diseases. Oh, wait. They have stopped doing that too.
Tortured logic. (Score:5, Interesting)
Aside from the...curious...idea that knowing what your attack surface looks like is a diversion from developing assurance requirements; the claim that the old policy about SBOMs is being revoked for not focusing on insecure hardware is odd both on the obvious point that basically anything with a sensible scope only focuses on certain issues and leaves other issues to be handled by other things and the only slightly less obvious issue that most 'insecure hardware', unless you've qualified for a really classy covert implant or have high sensitivity TEMPEST issues or something, is not actually hardware problems; but firmware problems; which are just software problems that aren't as visible; exactly the sort of thing that SBOMs help you keep an eye on.
Not like anyone expected better; but this is exceptionally poor work.
Re: (Score:3)
The reasoning is honestly just baffling. Apparently the old requirements "diverted agencies from developing tailored assurance requirements for software and neglected to account for threats posed by insecure hardware." by requiring that people keep track of what software they were actually using.
It's definitely "organizational speak", but afaict the SBOM thing, and the attestations about the whole dependency tree, is virtually impossible for the large majority of COTS systems, especially SaaS ones. Like actually doing what the old policy seems to claim that it wants would increase costs ten fold or 100 fold. So I think the thing getting repealed was not realistic and IS just a paper exercise of people exchanging lies, as well meaning as it was...
So i think it's maybe worthwhile to actually f
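The two posts above argue over what an SBOM actually buys you: the "insecure hardware" the memo cites is mostly firmware (which an SBOM can list as a component), and the M-22-18 attestation covered the whole dependency tree. This added example (not from the page or any of the posters) walks a small constructed CycloneDX-style SBOM, collects the transitive tree under a root, and reports firmware components and components that carry no version or hash and so cannot be pinned to any attestation. The SBOM content, names and versions are made up.

```python
import json

# Constructed CycloneDX-style SBOM for illustration; none of these names or
# versions refer to real products. "firmware" and "device" are valid
# CycloneDX component types.
SAMPLE_SBOM = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.5",
    "components": [
        {"type": "application", "bom-ref": "app", "name": "gateway-ui",
         "version": "2.4.0",
         "hashes": [{"alg": "SHA-256", "content": "aa" * 32}]},
        {"type": "library", "bom-ref": "lib-compress", "name": "example-compress",
         "version": "1.2.3",
         "hashes": [{"alg": "SHA-256", "content": "bb" * 32}]},
        # Firmware listed with a version but no hash: nothing to verify against.
        {"type": "firmware", "bom-ref": "fw-nic", "name": "nic-firmware",
         "version": "1.0.3"},
        # Hardware entry with neither version nor hash.
        {"type": "device", "bom-ref": "dev-nic", "name": "nic-card"},
    ],
    "dependencies": [
        {"ref": "app", "dependsOn": ["lib-compress", "dev-nic"]},
        {"ref": "dev-nic", "dependsOn": ["fw-nic"]},
    ],
})


def load_components(sbom_json):
    """Index components by bom-ref."""
    bom = json.loads(sbom_json)
    return {c["bom-ref"]: c for c in bom.get("components", [])}


def transitive_deps(sbom_json, root):
    """All bom-refs reachable from root: the tree an attestation has to cover."""
    bom = json.loads(sbom_json)
    edges = {d["ref"]: d.get("dependsOn", []) for d in bom.get("dependencies", [])}
    seen, stack = set(), [root]
    while stack:
        for dep in edges.get(stack.pop(), []):
            if dep not in seen:
                seen.add(dep)
                stack.append(dep)
    return seen


def firmware_in_tree(sbom_json, root):
    """Names of firmware components hiding under 'hardware' dependencies."""
    comps = load_components(sbom_json)
    refs = transitive_deps(sbom_json, root)
    return sorted(comps[r]["name"] for r in refs
                  if r in comps and comps[r]["type"] == "firmware")


def unverifiable(sbom_json, root):
    """Refs in the tree with no version or no hash (or no component entry at all)."""
    comps = load_components(sbom_json)
    return sorted(r for r in transitive_deps(sbom_json, root)
                  if r not in comps or not comps[r].get("version")
                  or not comps[r].get("hashes"))
```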
Re: (Score:2)
Commercial software and both commercial and institutional IT operations are much more an example of the fact that you can absolutely run on dangerous and
Re:Tortured logic. (Score:4, Insightful)
It’s very simple. This was something Biden implemented. Therefore it must be undone.
Re: (Score:2)
They'll implement basically the same thing and claim it their own.
Re: (Score:2)
Yep, this one makes no sense. All I can see is that this is possibly done to cut out some vendors from the market.
Re: (Score:2)
In with another.
I was in a DevOps position at my previous employer. We were running around like maniacs getting ready to comply with the old rules.
It's been a few years. I wonder if they ever got it squared away...
Responsible for their own security? (Score:2)
"Each agency head is ultimately responsible for assuring the security of software and hardware that is permitted to operate on the agency's network,"
If it's not on your network [politico.com], there is no security issue.
Re: (Score:2)
No, you're right -- it's TOTALLY a "valid" point that vendors shouldn't have had to attest to the security of a "major version change." Afterall, major version changes are known for minor changes in the platform's design.
And it's TOTALLY a "valid" point that Officers of companies signing the attestation shouldn't have to face criminal liability for willfully providing false or misleading i
Previous policies (Score:2)
so that readers could see that they weren't "universal, one-size-fits-all method of achieving [the security goal]", and that it was as usual a lie, one that will surely weaken our security posture to disastrous consequences.
just imagine if (Score:1, Informative)
This was actually my job at a previous employer and I actually know something about this, and I didn't form an opinion based on a cursory review of some links, like apparently you just did.
Yes, software security is a real problem these days. The xz debacle showed everyone where the real risks are. There are so many ways now to get backdoors injected into major open source projects by finding the tiniest vulnerability and social engineering the hell out of it -- in the case of xz they found a stable, basical
Giving all our secrets to Russia (Score:3, Insightful)
Trump decided that we no longer need security in government software because it impedes Vladimir Putin's attempts to know everything about everybody.
Fucking traitors.
Translation: (Score:1)
...each of Don's sub-clowns wants their own circus.
Addendum (Score:1)
Imagine a Beowulf cluster-fuck of clowns.
You don't have to, they arrived.
Seatbelts no longer required! (Score:2)
Project 2025 (Score:3, Informative)
https://www.project2025.observ... [www.project2025.observer]
My best guess is this will help achieve the objections with "Remove Cybercom from the oversight of the National Security Agency" followed by "End Cybercom's participation in federal efforts to "fortify" U.S. elections."
And no, I'm not a conspiracy theorist nut. It's all about timing for when to execute the actions. With the risk of the midterm losses coming up, now is the right time to execute this action. It will allow more claims of election fraud, this time with less oversight to prove them wrong.
Thank you Donald (Score:2)
As the citizen of a nation that has been threatened with American annexation, I can only rejoice in this relaxing of US government security. Along with our country's membership in Five Eyes and our recent position as close allies, it will undoubtedly help CSIS to gather the intelligence we need to defend ourselves.
They'll never upgrade anything (Score:2)