Some of the software you use may be getting a security upgrade - thanks to the US Department of Defense (DoD).
The National Defense Authorization Act for Fiscal Year 2023 requires that the DoD only pay for software free from "all known vulnerabilities or defects affecting the security of the end product or service."
If you use Microsoft Windows, Microsoft Office, Red Hat Linux, Adobe Creative Cloud or Salesforce, you're buying from a firm that wants to keep selling to the DoD.
Patches created to help keep the DoD happy won't just protect the DoD, but your organisation too.
As a small purchaser ordering from a giant software firm, your organisation may only be entitled to 'best efforts, with no guarantees' when it comes to patching, but the DoD spends enough that it can demand more on your behalf - pressuring suppliers to focus more on security, even if that means slowing down work on new features.
Microsoft has already decided to take that route, delaying the next version of Exchange Server from 2021 to 2025, so developers have more time to improve security.
Large, complicated software almost always has serious security bugs. It's just that most bugs haven't been discovered yet. When a few are found and disclosed to the software vendor, the race is on to create patches. Patching can take weeks, especially if a bug is long-standing, because the patch then has to be tested against numerous versions of the software.
That would create a major headache for the DoD - with random freezes in procurement whenever a new unpatched bug is revealed. So there's a loophole: the DoD can buy software with known security bugs provided the seller supplies a mitigation plan for all known vulnerabilities.
One popular mitigation will no doubt be to promise to patch such bugs within a reasonable timeframe, with the DoD relying on Zero Trust Access - and other measures - to cut the practical risk posed by such bugs in the interim.
Back in 2021, President Biden signed an executive order on "Improving the Nation's Cybersecurity." This required the Federal Government to "advance toward Zero Trust Architecture." Federal agency heads had to create a ZTA implementation plan within 60 days and report back on their progress in implementing such plans.
Zero Trust architecture is an approach whereby users, devices and networks tend not to be trusted by default. They have to earn trust instead, for example by proving their identity. Once identity is established, users, devices and networks should only have enough permissions to do their job. In practice, this often means granular permissions tied to membership of narrowly defined groups of users or devices.
Zero Trust can help reduce the impact of unpatched software vulnerabilities in two ways. Firstly, it reduces the number of devices and users that can see or interact with the insecure system. Secondly, it reduces what each system can see and do, making it harder for a compromised system to damage neighbouring systems.
Multi-Factor Authentication requires users to prove they have two or more factors out of 'something you know' (such as a password), 'something you have' (such as a mobile phone with a one-time passcode generator app installed) and 'something you are' (such as a fingerprint matching the fingerprints stored locally on a trusted mobile device). MFA makes it harder for attackers to access vulnerable systems, as they only have part of what they need.
MFA isn't foolproof. For example, end-users can be tricked into entering their username, password and one-time passcode into a fake login page run by an Adversary-in-the-Middle. Zero Trust Access can help defeat many such attacks, for example by disallowing access from unrecognised devices or from unexpected countries.
Multi-factor authentication and Zero Trust architecture are often used together, with the MFA enabling strong user authentication and Zero Trust determining what authenticated users can do.
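As an added illustration (not code from the original post or from the service it advertises), the following Python sketch of a Zero Trust policy decision point shows how the controls described above combine: it denies by default, requires MFA, rejects unrecognised devices and unexpected countries, and scopes permissions to membership of narrowly defined groups. The device identifiers, country codes, group names and permission names are constructed sample values.

```python
from dataclasses import dataclass

# Constructed sample policy data (not from the original post).
TRUSTED_DEVICES = {"laptop-0042", "laptop-0117"}   # devices the organisation has enrolled
EXPECTED_COUNTRIES = {"GB"}                        # where this workforce normally signs in
GROUP_PERMISSIONS = {                              # narrow groups -> least-privilege scopes
    "finance-ap": {"erp:read", "erp:submit-invoice"},
    "erp-admins": {"erp:read", "erp:admin"},
}


@dataclass
class AccessRequest:
    user: str
    groups: tuple          # group memberships asserted by the identity provider
    mfa_verified: bool     # password plus a second factor succeeded
    device_id: str         # identity of the device making the request
    country: str           # country the request originates from
    permission: str        # the action being requested, e.g. "erp:admin"


@dataclass
class Decision:
    allowed: bool
    reason: str


def evaluate(req: AccessRequest) -> Decision:
    """Deny by default: every request must pass every check, whatever network it comes from."""
    if not req.mfa_verified:
        return Decision(False, "mfa-required")
    # A valid username, password and one-time passcode phished through an
    # AitM page still fails here when replayed from a device that is not enrolled.
    if req.device_id not in TRUSTED_DEVICES:
        return Decision(False, "unrecognised-device")
    if req.country not in EXPECTED_COUNTRIES:
        return Decision(False, "unexpected-country")
    # Permissions come only from group membership, so an authenticated user
    # gets no more than the narrow scope of the groups they belong to.
    granted = set().union(*(GROUP_PERMISSIONS.get(g, set()) for g in req.groups))
    if req.permission not in granted:
        return Decision(False, "permission-not-in-group-scope")
    return Decision(True, "allow")


if __name__ == "__main__":
    print(evaluate(AccessRequest("alice", ("finance-ap",), True, "laptop-0042", "GB", "erp:submit-invoice")))
    print(evaluate(AccessRequest("alice", ("finance-ap",), True, "unknown-device", "GB", "erp:submit-invoice")))
```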
If you'd like to learn more about applying Zero Trust Architecture to your network, check out our Zero Trust Network Access service.
It can work with numerous popular MFA systems, including Azure AD, so access to your network is tied to an MFA-compatible identity-and-access-management system.