U.S. flag

An official website of the United States government

Official websites use .gov
A .gov website belongs to an official government organization in the United States.

Secure .gov websites use HTTPS
A lock ( ) or https:// means you’ve safely connected to the .gov website. Share sensitive information only on official, secure websites.

Cybersecurity Insights

a NIST blog

Cybersecurity Awareness Month 2023 Blog Series | Updating Software

By: Michael Ogata and Paul Watrobski

Share

Banner with a cityscape and pictures of cybersecurity-related imagery
Credit: NIST

It’s week three in our Cybersecurity Awareness Month blog series! This week, we interviewed NIST’s Michael Ogata (Computer Scientist) and Paul Watrobski (IT Security Specialist) about the importance of updating software.

  1. This week’s Cybersecurity Awareness Month theme is ‘updating software.’ How does your work/specialty area at NIST tie into this behavior?

NIST’s Applied Cybersecurity Division’s core mission is to explore, measure, and evaluate both the cybersecurity guidance NIST provides as well as industry best practices. One of our current projects involves putting the practices described in NIST 800-218 Secure Software Development Framework (SSDF) into action. Many people think of updating software in the context of “that thing that happens randomly after I purchase a piece of software”…but today’s continuous integration and continuous delivery (CI/CD) environments—and the rapid pace of software evolution—tightly couple software updates into the daily functionality of many systems. Because these modalities deliver both new features and important security updates to customers, it is vital that the entire development process and supply chain be secure.

Our work at the National Cybersecurity Center of Excellence (NCCoE) will build a reference implementation of multiple secure software development pipelines. The primary output of pipelines like these will be more secure software. The resources that come out of this NCCoE project will provide individuals and teams of developers with the tools and guidance they need to produce and maintain more secure software. This will enable them to release software more rapidly and effectively for their users to update, better protecting themselves and their organizations.

The Profile of the IoT Core Baseline for Consumer IoT Products is a guidance from NIST’s Internet of Things (IoT) Working Group that identifies cybersecurity measures commonly needed for consumer IoT products, of which “software update” is a core capability. This is important information for both customers and manufacturers to be aware of at purchase and during development.

  1. How does updating software help people and/or businesses when it comes to cybersecurity? Why is it so important?

Over the past 40 years, software as a product has transformed from static and discrete to fluid and nebulous. People's relationship with software used be closer akin to the other physical tools in our lives. You bought them, brought them home, and used them. Now, with the ubiquity of the internet, software can change on a near constant basis. It's like if you opened your toolbox only to find your trusty screwdriver had subtly (or completely) changed. Whether it is the apps the average smartphone user has in their pocket or the microservices that power a corporation’s internal infrastructure, software changes and updates more quickly than ever. Today’s world of move-fast-and-break-things coupled with the need for ever faster time to market necessitates the constant delivery of software updates for feature updates, bug fixes, and security patches.

Security in the modern software supply chain landscape has likewise become increasingly complex. With development teams distributed in and around traditional corporate network boundaries and the increased reliance on code that originates from outside the organization (i.e., open source, 3rd party libraries, and software as a service), there is more need than ever for the codification and attestation of secure development practices. It is only through these actions can people and businesses timely and effectively apply updates to their software systems.

As users may be conducting more work on personal devices through bring-your-own-device (BYOD) programs, and working through less secure networks (e.g., working from home, a coffee shop, or a hotel on vacation), it becomes even more important to maintain up-to-date software. The attack surface has increased, and there are more avenues for attackers to get in. Now, more than ever, attackers are taking advantage of recently discovered vulnerabilities to break into devices and systems. As such, one of the simplest actions you can take to improve the protection of your finances, data, safety, etc. is to install software updates as soon as they are available. If you don’t, you’re putting yourself and your company at greater risk.

  1. What is NIST currently doing in this area (or planning for the future)?   

Michael and Paul:

The Software Supply Chain and DevOps Security Practices project at the NCCoE will bring together experts in the software development field to build reference implementations of secure software development pipelines. The landscape of software development is incredibly diverse; while no single implementation can hope to be the authoritative definition of cybersecurity for all organizations, we aim to build multiple highly relevant pipelines that model real world environments. To this end, the project will focus on two use cases for software development: 1) Free and open-source software (FOSS) development and 2) closed source software development. As with most NCCoE projects, the output of this project will be a reference guide that will not only detail how we built each of our environments, but also describe how the design choices we made achieve the outcomes described in the Secure Software Development Framework (SSDF).

We are still in the process of establishing collaborators. Stay tuned to the NCCoE website for updates!

Paul:

While not directly related to software updates, the Trusted IoT Device Network-Layer Onboarding and Lifecycle Management project aims to demonstrate mechanisms for manufacturers and service providers to initially connect IoT products and maintain their security throughout their lifecycle (i.e., through updates to individual devices and/or network systems).

Additionally, as mentioned above, NIST’s IoT Working Group developed guidance for manufacturers of consumer IoT devices. The outcomes of the 10 core capabilities described are vital for good cybersecurity, and “software update” is one of the these. We have been tasked with developing a profile of this previously published guidance with a focus on routers. “Software Update” will again be a core capability, but as the router is often the primary point of entry for a network, the software for these devices is even more important to keep up to date.

  1. Why is cybersecurity important to you personally?

Michael:

Cybersecurity is a subject that affects us at every level of our modern lives: from my own safety and personal property to the safety of the nation and our economy. Cybersecurity is important to me because I can see and get excited for the all the good that technology can bring, but I know that we must safeguard that potential to protect the greater good.

Paul:

Cybersecurity is an exciting and fast-paced field. It’s incredibly important (and not always easy to get right). With everything going digital, cybersecurity has become even more important. As financial accounts, identification documents, private information, and physical controls become more accessible online, the risks continue to increase. I recognize my responsibility to protect myself and those around me, and I encourage others to do the same. Being aware (and spreading that awareness) is the first step—but taking simple actions, like applying or enabling automatic updates, is the second. Software IoT is evolving rapidly, putting more data, sensors, and controls online. While it is exciting and can sometimes feel like magic, it is also cause for caution and increased action.

  1. What is your favorite thing (or best memory) about working at NIST?

   Michael:

My favorite thing about working for NIST is knowing that I stand in the privileged position of serving the American people for the greater good. At NIST we can approach the problems of cybersecurity from a neutral position and focus on the science of what is true, actionable, and measurable.

     Paul:

Since my first experience as a summer intern, I have enjoyed the collaborative nature of NIST. At both the main campus in Gaithersburg and the NCCoE, we are fortunate to have the opportunity to collaborate with other internal passionate engineers and scientists as well as industry leaders to continue learning about, developing, and demonstrating state-of-the-art cybersecurity solutions. It feels good to be working on fun and exciting technology that can also provide immense benefit for the common good.

For more information about updating software, visit our Cybersecurity Awareness Month Resources page. Please also help spread the word, and don't forget to engage with us NIST on Facebook and X/Twitter (@NIST and @NISTcyber). Join in on the social conversations using the #CybersecurityAwarenessMonth hashtag and remember to use the hashtag in your own social media outreach messages.

 

About the author

Michael Ogata

Michael Ogata

Michael Ogata is a computer scientist in the Applied Cybersecurity Division. Over his 18-year career at NIST he has worked on digital forensics, healthcare standards, mobile application security, cybersecurity for public safety, and cybersecurity for the smart grid. Michael loves science fiction and proudly calls himself a Star Wars fan AND a Trekkie.

Paul Watrobski

Paul Watrobski

Paul Watrobski is an IT Security Specialist in the Applied Cybersecurity Division (ACD) of the Information Technology Laboratory (ITL) at NIST. Paul is a member of the Cybersecurity of Internet of Things (IoT) program where he helped develop the Recommended Criteria for Cybersecurity Labeling for IoT Products as part of the Executive Order (EO) 14028 on Improving the Nation’s Cybersecurity.

Paul has also been involved with NIST’s National Cybersecurity Center of Excellence (NCCoE) on several projects. He is currently a principal investigator (PI) for the Trusted IoT Device Network-Layer Onboarding and Lifecycle Management project and the upcoming Software Supply Chain and DevOps Security Practices project. He previously participated in the Securing Small Business and Home IoT Devices project where he developed an open-source tool, MUD-PD, to assist in the generation of Manufacturer Usage Description (MUD) files integral to device-intent enforcement.

Outside of NIST, Paul is pursuing a PhD in reliability engineering focused on the cybersecurity of IoT at the University of Maryland (UMD) under the advice of Dr. Michel Cukier and Dr. John Baras. Paul previously earned a bachelor’s degree in computer engineering at Binghamton University (BU) and master’s degrees in electrical engineering at both BU and UMD.

Comments

Add new comment

CAPTCHA
Image CAPTCHA
Enter the characters shown in the image.
This question is for testing whether or not you are a human visitor and to prevent automated spam submissions.
Please be respectful when posting comments. We will post all comments without editing as long as they are appropriate for a public, family friendly website, are on topic and do not contain profanity, personal attacks, misleading or false information/accusations or promote specific commercial products, services or organizations. Comments that violate our comment policy or include links to non-government organizations/web pages will not be posted.