Cybersecurity incidents are among the greatest threats facing organizations today. Now, in the wake of high-profile software supply chain attacks, the U.S. Federal government is taking bold action to strengthen the country’s cyber resilience. On May 12, President Biden issued a widely anticipated Executive Order on Improving the Nation’s Cybersecurity calling for stringent new security guidelines for software sold to the federal government, with wide-ranging implications that will ripple across the entire software market.
The new policies come as sophisticated cyberattacks are rising in frequency and severity, most recently illustrated by the ransomware attack on the largest fuel supply source in the U.S., Colonial Pipeline. Yet, despite the troubling upswing of malicious campaigns, most organizations still have only a partial view of the make-up of their software applications, leaving them exposed to unknown software component vulnerabilities and hampering response efforts.
How Anaconda supports a secure software supply chain
At Anaconda, we support the administration’s plans to establish an industry-standard format to enable complete visibility and accurate identification of software components. By requiring government contractors to provide purchasing agencies with a standardized Software Bill of Materials (SBOM) for each product, the administration is leveraging the unrivaled purchasing power of U.S. Federal procurement to set a new standard for cybersecurity and governance practices.
Anaconda is committed to providing value for the open-source community and a secure software supply chain to our more than 25 million open-source users. Our private, secure build systems include malware scanning, signing, and improved Common Vulnerabilities and Exposures (CVE) matching and remediation information, enabling organizations to build a secure supply chain tailored to their unique needs and policies.
We are working diligently to adhere to a standard SBOM, which will allow rapid generation of data in a readily understandable format. Anaconda is updating our toolset to provide the CycloneDX SBOM format for our package metadata, including license details, dependencies, and curated CVE scores. CycloneDX facilitates actionable SBOM sharing between systems, customers, partners, and regulators.
Providing security and trust in open source
Developers and data scientists require security and governance capabilities that address the layers of complexity and interdependencies embedded into modern software packages. The Anaconda repository, where open-source and proprietary packages are stored, retrieved, or shared, is evolving to meet these needs.
Anaconda also takes steps to promote strong cybersecurity practices among developers and users. For example, regularly consulting CVE databases and scores to guard against the risk of using vulnerable packages and binaries in applications is a foundational cybersecurity practice. Anaconda automates this process by allowing administrators to filter access to packages and files against our curated database of known vulnerabilities, allowing teams to focus on building models. Anaconda also offers content trust features like conda signature verification. This tool assures that packages and metadata are unchanged from when they were produced on our secure build network, providing transparency into possible compromises while reducing the impact of man-in-the-middle attacks, compromised mirrors, and more.
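As an added illustration of the two capabilities described above (CycloneDX SBOM export of package metadata with licenses, dependencies and curated CVE scores, and filtering packages against a vulnerability database), the following example builds a CycloneDX 1.4 document from a constructed `conda list --json`-style inventory and applies a simple score-threshold policy to it. This is example code written for this page, not Anaconda's own tooling; the package inventory, license map, dependency map and CVE feed are all constructed sample data, and the CVE identifier is a placeholder.

```python
import json
from typing import Dict, List

# Constructed sample resembling `conda list --json` output (not real Anaconda data).
CONDA_LIST = [
    {"name": "python", "version": "3.9.5", "build_string": "h12debd9_3",
     "channel": "defaults", "platform": "linux-64"},
    {"name": "numpy", "version": "1.20.2", "build_string": "py39hdbf815f_0",
     "channel": "defaults", "platform": "linux-64"},
    {"name": "pandas", "version": "1.2.4", "build_string": "py39hde0f152_0",
     "channel": "defaults", "platform": "linux-64"},
]
# Constructed license and dependency metadata; in a real repository this would be
# read from each package's info/index.json and info/about.json.
LICENSES = {"python": "Python-2.0", "numpy": "BSD-3-Clause", "pandas": "BSD-3-Clause"}
DEPENDS = {"python": [], "numpy": ["python"], "pandas": ["python", "numpy"]}
# Constructed curated CVE feed: name -> [(placeholder CVE id, affected versions, CVSS score)]
CVE_FEED = {"numpy": [("CVE-YYYY-NNNNN", {"1.20.2"}, 7.5)]}

def conda_purl(pkg: Dict) -> str:
    """Package URL of type 'conda', used here as the CycloneDX bom-ref and purl."""
    return (f"pkg:conda/{pkg['name']}@{pkg['version']}?build={pkg['build_string']}"
            f"&channel={pkg['channel']}&subdir={pkg['platform']}&type=tar.bz2")

def build_sbom(packages: List[Dict]) -> Dict:
    """Emit a CycloneDX 1.4 JSON document: components with SPDX license ids,
    a dependency graph over bom-refs, and vulnerabilities taken from the feed."""
    by_name = {p["name"]: conda_purl(p) for p in packages}
    components, dependencies, vulns = [], [], []
    for pkg in packages:
        ref = by_name[pkg["name"]]
        components.append({"type": "library", "bom-ref": ref, "name": pkg["name"],
                           "version": pkg["version"], "purl": ref,
                           "licenses": [{"license": {"id": LICENSES[pkg["name"]]}}]})
        # Only dependencies that are actually installed can be referenced.
        dependencies.append({"ref": ref, "dependsOn": [by_name[d] for d in DEPENDS[pkg["name"]]
                                                       if d in by_name]})
        for cve_id, versions, score in CVE_FEED.get(pkg["name"], []):
            if pkg["version"] in versions:
                vulns.append({"id": cve_id, "source": {"name": "constructed-feed"},
                              "ratings": [{"score": score, "method": "CVSSv3"}],
                              "affects": [{"ref": ref}]})
    return {"bomFormat": "CycloneDX", "specVersion": "1.4", "version": 1,
            "components": components, "dependencies": dependencies, "vulnerabilities": vulns}

def blocked_packages(sbom: Dict, max_score: float) -> List[str]:
    """Repository-style policy check: names of components carrying a rating above max_score."""
    ref_to_name = {c["bom-ref"]: c["name"] for c in sbom["components"]}
    return sorted({ref_to_name[a["ref"]] for v in sbom["vulnerabilities"]
                   for r in v["ratings"] if r["score"] > max_score for a in v["affects"]})

if __name__ == "__main__":
    bom = build_sbom(CONDA_LIST)
    print(json.dumps(bom, indent=2))
    print("blocked above CVSS 7.0:", blocked_packages(bom, 7.0))
```

The `vulnerabilities` array is what lets a consumer of the SBOM see the curated scores alongside the inventory, and `blocked_packages` shows how an access filter can be driven from the same document.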
Collaborating to confront risks head-on
This Executive Order is an essential step toward reversing the tide of malicious cyber campaigns that imperil information and operational technology across the country. At Anaconda, we are committed to doing our part by continuing to innovate tools that support our customers’ ability to harness open-source software while maintaining the highest enterprise security standards. While vulnerabilities are inevitable, if we work together in the spirit of transparency and collaboration, breaches and hacks don’t have to be.