NIST SSDF and SP 800-204D: Securing the Software Supply Chain in the Digital Era
In the rapidly evolving insurance industry, continuous application improvement, reduced time to market, improved quality, and seamless collaboration are more crucial than ever. To remain competitive, insurers are replacing traditional operations and software development methods with cutting-edge technology and innovative approaches like DevOps to deliver high-quality services and products quickly. Consequently, cloud-native approaches and third-party components have grown significantly in software development, providing attackers with a wide range of angles to mount attacks. Recent data breaches exploiting software supply chain (SSC) vulnerabilities are a stark reminder of the risks posed by the SSC in the increasingly interconnected and digital landscape of the insurance industry.
Recognizing the growing importance of software supply chain (SSC) security, the National Institute of Standards and Technology (NIST) developed a Secure Software Development Framework (SSDF) and NIST SP 800-204D, providing invaluable guidance on secure software development and integrating SSC security into DevOps CI/CD pipelines. In this blog post, we will explore the impacts of DevOps in the insurance industry, the importance of SSC in DevOps pipelines, as well as NIST’s recommendations regarding SSC security, and how Emtech QMT aligns with these guidelines.
DevOps – A Cultural Shift in Software Development
DevOps combines practices, tools, and approaches that enable software vendors to reliably deliver applications and services faster than traditional software development processes. In the traditional software development process, business, development, and IT teams work in silos which results in inefficiencies and miscommunications during product development. DevOps aims to break down these silos, automate processes, and create a culture of continuous integration and delivery, enabling insurers to deliver high-quality software more frequently and reliably.
Continuous integration (CI), continuous delivery and deployment, and automation are three phases of a DevOps pipeline. The continuous integration process merges code from developers to the shared repository, initiating automated testing to confirm the stability of the application with each new integration into the main branch. After the code undergoes testing, continuous delivery takes over, packaging and staging the code for deployment. This does not mean the code or project is 100% complete, but the available feature sets in this stage of development are vetted, tested, and can be released to the pre-production environment. This stage allows the QA team to verify that the added features meet their expectations and provide feedback to the developers. Continuous deployment extends continuous delivery by seamlessly pushing code from development to production instead of manual deployments, which are error-prone and time-consuming. This is exactly what insurers need to deliver high-quality products faster without compromising the quality.
DevOps Transforms Insurance Software Development
DevOps enables insurers to bring business, development, and operations teams under the same umbrella, creating a culture of collaboration and shared responsibility. By automating build, test, and deployment processes with DevOps practices, insurers can reduce errors, improve customer satisfaction, speed up product delivery, and respond more swiftly to market changes.
Here is how DevOps has revolutionized the insurance industry:
- Enhanced Customer Experience. Insurers can update their products and improve their delivery and deployment processes more often through DevOps practices. This contributes to an improved customer experience, fostering loyalty and positive word-of-mouth.
- Faster Time-to-Market. DevOps embraces automation, and continuous integration/continuous delivery (CI/CD), allowing insurers to speed up their software development and deployment processes.
- Competitive Advantage. DevOps empowers insurers to respond to market demands more quickly and seize opportunities to gain a competitive advantage.
- Improved Quality and Reliability. Automated testing, continuous integration, and continuous deployment contribute to continuous monitoring and rapid feedback loops, reducing the possibility of software defects.
- Security Conformance. Security is integrated earlier into the development lifecycle of applications through DevSecOps, minimizing vulnerabilities more effectively and empowering insurers to launch robust business applications faster.
- Lower Production Costs. DevOps reduces production costs by combining QA, development, and maintenance costs under a single umbrella.
Need for Software Supply Chain Security in DevOps
While the DevOps CI/CD approach speeds up software development through the embedding of automated processes for integration, testing, and deployment, it also makes application security much more challenging. Today’s software development is not just done in-house; it involves integrating multiple components, libraries, and services from different sources. Each of those third-party components, while aiding in the rapid development of software, also represents a potential point of vulnerability. If one component is compromised, it could potentially affect the entire application before it is shipped to customers. Malicious actors often target CI/CD pipelines to manipulate code and gain access to sensitive data. In the event of a compromised pipeline, even the most secure code is susceptible to malicious code injection. When the infected software is passed to customers, attackers gain access to the victims’ networks and perform nefarious activities such as data and financial theft, network monitoring, demanding ransom, and disabling systems.
Impact of Supply Chain Attacks on Insurance Companies
The consequences of a compromised CI/CD pipeline during insurance product development can be far-reaching and severe for the insurance industry. A successful attack on the CI/CD pipeline can lead to a severe data breach that exposes policyholder information, resulting in serious ramifications for both the software vendors and the insurance carrier. This may include revenue losses, lawsuits, and regulatory fines that erode customer trust, as well as a long-lasting negative impact on a brand’s reputation. Additionally, there is an increased likelihood of widespread disruptions due to the industry’s deep connection to other financial institutions and health networks. The exploitation of the MOVEit file transfer platform by the CL0p Ransomware Gang is a prime example of the damaging consequences of supply chain attacks.
Ensuring the security of the software supply chain is only possible within the confines of DevOps pipelines. Software vendors must play a crucial role in maintaining a robust security posture across their infrastructure and implement adequate security measures to prevent cybercriminals from accessing the DevOps pipelines. It is impossible to secure the software supply chain from outside the DevOps pipelines.
NIST SSDF and SP 800-204D in a Nutshell
Securing the complex landscape of the software supply chain (SSC) in the DevOps era requires a deep understanding of the various risk factors and the strategies to counteract them. In this context, NIST published NIST SSDF and NIST SP 800-204D on August 30, 2023, entitled “Strategies for Integrating Software Supply Chain Security into DevSecOps CI/CD Pipelines”. While NIST SSDF describes high-level practices for securing the software development life cycle, NIST SP 800-204D describes ways to incorporate SSC security into CI/CD pipelines by identifying workflow tasks to meet the goals of SSDF’s high-level practices.
NIST SSDF promotes a ‘shift left’ approach in which security considerations are integrated into the software development lifecycle (SDLC) from the very beginning. It identifies various risk factors associated with the SDLC environment and recommends best practices to counter those risks. To secure CI/CD pipelines, NIST SP 800-204D recommends various security practices based on the activities associated with CI/CD pipeline workflows. The workflows in the CI pipelines consist of build operations, push/pull operations on repositories, software updates, and code commits. Continuous deployment is the place where the culmination of development efforts meets the real-world environment. To guarantee the integrity of this transition, NIST SP 800-204D recommends a series of activities such as performing security scans before merging any pull request to detect embedded secrets, such as keys, and reviewing dependencies for vulnerabilities. Furthermore, it emphasizes rigorous vulnerability management, automated tools for continuous security assessment, and strong governance across the entire supply chain to ensure compliance.
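The pre-merge secret scan mentioned above, as an added example (not code from NIST or Emtech): it inspects only the lines a pull request adds and reports each hit by file and new line number so a pipeline can block the merge. The rule set, the entropy threshold, and the sample diff are assumptions constructed for illustration.

```python
import math
import re

# Illustrative rules (assumptions for this example, not taken from SP 800-204D).
RULES = {
    "private-key-block": re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----"),
    "hardcoded-credential": re.compile(
        r"(?i)(?:password|passwd|secret|api[_-]?key|token)\w*\s*[:=]\s*['\"]([^'\"]{8,})['\"]"),
}

# Constructed sample: a unified diff as a pull request would present it.
SAMPLE_DIFF = """\
--- a/config/settings.py
+++ b/config/settings.py
@@ -10,3 +10,5 @@
 DEBUG = False
+DB_PASSWORD = "q7Lw9ZxT2mVb4KpR"
+API_KEY = "changeme"
 TIMEOUT = 30
-OLD = 1
+NEW = 1
"""

def shannon_entropy(s):
    """Bits per character; random keys score higher than placeholders."""
    return -sum(s.count(c) / len(s) * math.log2(s.count(c) / len(s)) for c in set(s))

def scan_diff(diff_text, min_entropy=3.0):
    """Return (file, new_line_number, rule) for each secret on an added line."""
    findings, path, line_no, prev = [], None, 0, ""
    for raw in diff_text.splitlines():
        if raw.startswith("+++ ") and prev.startswith("--- "):
            path = raw[4:].removeprefix("b/")          # file header
        elif m := re.match(r"@@ -\d+(?:,\d+)? \+(\d+)", raw):
            line_no = int(m.group(1)) - 1              # hunk start in new file
        elif raw.startswith("+"):
            line_no += 1
            for rule, rx in RULES.items():
                hit = rx.search(raw[1:])
                if not hit:
                    continue
                # Skip low-entropy placeholder values such as "changeme".
                if rx.groups and shannon_entropy(hit.group(1)) < min_entropy:
                    continue
                findings.append((path, line_no, rule))
        elif raw.startswith(" "):
            line_no += 1                               # unchanged context line
        prev = raw
    return findings
```

A CI job would feed this the diff between the pull request branch and its merge base and fail the check when the returned list is not empty.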
Benefits of Embracing SSC Security in SDLC
Incorporating the NIST SSDF and NIST SP 800-204D into the software development pipeline is a game-changer. With these guidelines, software vendors can develop secure software more frequently and reliably by combining the agility and efficiency of DevOps with the robustness of advanced security frameworks.
Here is a deep dive into the multifaceted advantages of this integration:
- Enhanced security posture. NIST SSDF enforces security practices at every stage of the software development process and NIST SP 800-204D particularly emphasizes integrating security into CI/CD pipelines. By incorporating this framework and guidelines into DevOps, software vendors can mitigate vulnerabilities early, reducing security breaches and ensuring software integrity.
- Streamlined compliance. Regulatory landscapes are constantly evolving, and non-compliance can result in hefty penalties. NIST SSDF and NIST SP 800-204D emphasize adherence to various security and industry standards and regulations. Incorporating NIST standards into the software development process helps software vendors comply with requirements and navigate security audits confidently.
- Increased Trust and Credibility. By incorporating NIST guidelines into software development, software vendors can boost their reputation, create trust with clients, and differentiate themselves from their competitors.
- Cost-efficiency. The inclusion of NIST standards in software development processes reduces the risk of financial and reputational loss associated with Day-2 issues.
- Improved ROI. One of the hallmarks of DevOps is rapid deployment. Incorporating NIST SP 800-204D into the DevOps pipeline enables faster software delivery without compromising on security.
Emtech QMT: Security Standpoint
QMT is a high-performance model-based quality engineering software developed by Emtech for validating the insurance value chain. QMT automatically generates test cases and test data along with test scenario execution. By testing the end-to-end process of life insurance systems, and the integrations between them, insurance carriers can drive quality into product launches and eliminate embarrassing errors experienced by distributors and customers post-launch. As well as ensuring that QMT is functionally enhanced, Emtech has continually striven to conform to NIST SSDF and NIST SP 800-204D guidelines while developing QMT.
Here are some measures that Emtech has followed during the development and deployment of QMT:
- Secure software development environment. To protect the QMT development environment from all kinds of unauthorized access and tampering, Emtech has followed these practices:
  - A zero-trust security model has been implemented in the development environment where every access request is fully authenticated, authorized, and encrypted before granting access to artifacts and repositories.
  - Least privilege access to the code repository has been implemented to protect all forms of code from unauthorized access and tampering.
  - The development team uses version control features and commit signing to track all changes made to the code with accountability to the individual developer.
  - Strict code review processes have been implemented where at least two developers review code changes to detect potential vulnerabilities or malicious injections. Those rules are enforced by automated DevOps tools provided by GitHub.
  - Regular auditing and monitoring have been enforced to prevent any signs of tampering or unauthorized access to the DevOps pipeline.
- Secure coding practices. Throughout the development process, the developers have adhered to secure coding practices to reduce the chances of vulnerabilities being introduced in the first place. Developers are advised to scan open-source components for vulnerabilities before using them in application development to avoid typosquatting attacks. Further, GitHub’s automated scanning tools are enabled for vulnerability scanning.
- Security testing. Emtech has conducted security testing in-house and by third parties following the development process. Static code analysis has been carried out during the development of QMT to help the developer identify vulnerabilities early by comparing the code to industry standards.
- Secure code signing process. Emtech uses digital signing certificates to sign the executable code and supporting documents to protect the software from malicious alterations and malware attacks. Code signing assures our customers that the software is authentic and has not been tampered with.
- Encryption. To ensure sensitive data is not accessible by unauthorized users, QMT has employed industry-accepted encryption techniques during data transmission and database encryption of sensitive information. Encryption is used to protect sensitive data at rest. In transit, customer data is encrypted by default, with the option to leave it unencrypted if desired. Emtech R&D will closely monitor the changing cryptographic landscape and update the software to address new cryptographic weaknesses as they emerge as well as implement best practices.
- Software patching. Cyber attackers are continuously investing their time and efforts to exploit the vulnerabilities of the systems. Emtech’s vulnerability management team is responsible for reviewing, analyzing, and testing the software’s code to identify and confirm the presence of previously undetected vulnerabilities. In addition, the team monitors national vulnerability databases and reviews software composition data to identify and confirm new vulnerabilities. Accordingly, QMT is patched regularly to keep it free from any vulnerabilities.
Final Thoughts
In today’s competitive market, insurers must enhance agility and flexibility in creating new products and regularly updating existing ones to meet customer expectations and stay ahead. DevOps plays a crucial role in these efforts. However, this rapid pace poses its own set of challenges, especially when it comes to security. If one component is compromised, it could impact the entire application. The life insurance industry is especially susceptible to cyberattacks through its supply chain because of the large amount of sensitive data it collects, manages, and stores to operate efficiently.
All parties in the value chain need to acknowledge their responsibilities to ensure the integrity of the interconnected digital ecosystem. As a member of the value chain, Emtech Group Inc. recognizes the importance of software supply chain security and is committed to ensuring the security of QMT and its applications. Emtech offers customers peace of mind by implementing secure software development practices recommended by NIST SSDF and NIST SP 800-204D. Emtech QMT is built with secure software development practices and integrated with adequate security measures that support SOC 2 attestation and HIPAA compliance.
About the Author
Ahasanun Nessa, Ph.D. specializes in cybersecurity regulation and compliance, threat detection and risk assessment, and enterprise security. Ahasanun led the analysis and integration of cybersecurity solutions into the Automotive Parts Manufacturers’ Association (APMA) Project Arrow vehicle. She is the first author of more than 20 peer-reviewed journals and conference proceedings.