Why the DoD Is Rewriting the Rules on Software Trust

If your software or hardware is used by the DoD, your organization will need to identify and remove any foreign influence sooner rather than later.

Written by:

Hayden Smith

Co-Founder


Last Friday, July 18th, Secretary of Defense Pete Hegseth issued a memo that sends a strong message to any vendor selling software to the federal government: “The DoD will not procure any hardware or software susceptible to adversarial foreign influence that presents risk to mission accomplishment and must prevent such adversaries from introducing malicious capabilities into the products and services that are utilized by the Department.”

Put simply: if elements of your software are owned, controlled, or influenced by foreign adversarial nations, that software has no place in the US defense apparatus.


What’s the Risk?

Offshore open source maintainers, particularly those in adversarial nations, pose a significant supply chain risk because of their ability to introduce backdoors or malicious code into widely used open source software. Nothing stops a well-regarded maintainer from quietly introducing a backdoor, embedding malware, or manipulating downstream systems from within the project they control.

Just last week, a China-based maintainer introduced malware into an npm package with millions of weekly downloads. Hunted Labs recently exposed easyjson, a Russian-controlled serialization package buried deep in critical infrastructure tools such as Kubernetes, Argo CD, and Istio.

Packages like these directly undermine the DoD’s ability to ensure the integrity and trustworthiness of the software powering its critical systems. Warfighters depend on zero-fail systems that must guarantee the confidentiality, integrity, and availability of everything they run. Relying on software updates from Beijing and Moscow immediately jeopardizes DoD readiness.

The good news is that the DoD plans to tackle this head on. 


Software Provenance Now Includes Humans 

The industry has maintained for many years that cryptographically signing software, commits, builds, and releases is best practice. Signing, however, leaves out one of the most critical pieces of software supply chain risk management: the human element. A valid signature proves that an artifact was produced by a given key; it says nothing about who holds that key or whom they answer to.

Now the DoD is taking the stance that it will not only check and continuously monitor vulnerability and exploit activity in software, but also continuously evaluate where that software comes from and who is behind the keyboard.

This problem has existed for far too long. Our threat intelligence platform indicates that even the most popular open source projects under the CNCF and the Linux Foundation have heavy adversarial foreign influence from both China and Russia. In some cases a project is owned by a sole maintainer who works for a sanctioned organization or has ties to foreign intelligence, yet vendors still rely on that piece of open source for their applications to run. easyjson is just one of countless examples of a dangerous package being leveraged by numerous major software vendors supporting the DoD today.

It’s time we change this status quo.


Entercept™: The Easy Button for Intercepting Foreign Influence 

Hunted Labs built Entercept to help organizations identify, monitor, and eliminate adversarial influence in their software supply chains. Entercept integrates directly into your software workflows, allowing you to:

  • Identify and mitigate risks from foreign adversarial influence to comply with the DoD’s new software trust standards
  • Generate, store, and secure SBOMs using exploitation scoring against all components
  • Continuously monitor your software pipelines for foreign influence, vulnerabilities, and exploits
  • Achieve peace of mind knowing your software is protected from adversarial actors


By enriching your software workflows with threat intelligence on the humans behind the code, Entercept delivers a new layer of visibility and protection that traditional scanners can’t.


Can you meet the new standard for software trust? 

The DoD has drawn the line: trusting code without knowing who built it is no longer enough.

At Hunted Labs, we’re setting the new standard for software security across your code base, giving users the visibility and control to meet and exceed the new bar laid out in the DoD’s latest directive. 

Stay ahead of evolving federal requirements. Book a meeting with the Hunted team here.
