How to build security into your software supply chain
March 22, 2018
By Joe Jarzombek, Director for Government, Aerospace & Defense Programs at Synopsys
The supply chain, that is, the sequence of processes involved in producing and distributing a commodity, is a source of risk for businesses of every kind, because mismanaging it has financial consequences. For software companies, however, the supply chain is a series of places between the conception of a product and its delivery to the end user where the integrity of the software can be compromised, and the impact can go far beyond the financial.
Many enterprises have become more effective at protecting their cyber perimeters, yet they remain exposed to attack through their supply chains. Enterprises depend increasingly on third-party suppliers for software, hardware with firmware, and cyber-related services, and that dependence raises the risk of receiving products with ‘tainted’ components: components containing known vulnerabilities, exploitable weaknesses, and/or malware.
These threats usually manifest when the product is in use, not while it is in transit through the supply chain, so most of the risk and liability falls on the enterprises using the products, not on the suppliers.
What measures can firms take to protect themselves and their supply chain from threats?
Answering this question requires some background in three areas: what standards are available for supply chain risk management (SCRM)? What resources exist for specifying SCRM in contracts or requirements? And ultimately, on what independent testing and certification programs can enterprises rely?
As a starting point for supply chain risk management (SCRM), the US National Institute of Standards and Technology (NIST) Special Publication 800-161, “Supply Chain Risk Management Practices for Federal Information Systems and Organizations”, provides guidance to federal agencies and other enterprises on identifying, assessing, and mitigating information and communications technology (ICT) supply chain risks at all levels of an organization. The publication integrates ICT SCRM into existing risk management activities through a multi-tiered, SCRM-specific approach, including guidance on supply chain risk assessment and mitigation.
Another resource is The Open Group Trusted Technology Forum, which provides open standards and accreditation programs for product integrity and supply chain security focused on mitigating the risk of tainted and counterfeit parts. The Consortium for IT Software Quality (CISQ) offers Automated Quality Characteristic Measures to measure and manage the structural quality of IT application software.
The automated measures for Security, Reliability, Performance Efficiency, and Maintainability are approved standards of the Object Management Group (OMG®), which makes them global standards available to any IT organization. The measures were built from coding rules that capture some of the most serious violations of good architectural and coding practice, violations that should be avoided and that can be detected through static code analysis.
Governments and enterprises that use global standards in their technology strategy and purchasing decisions can rely on a more comprehensive approach to risk management and product assurance when selecting third-party technology products. Vendors and suppliers that adhere to these practices will be able to better protect the integrity of their products and services as they move through the global supply chain.
Independent testing and certification programs relevant to SCRM are also available to enterprises. Many enterprises already have acceptance-test requirements that third-party products must satisfy before operational deployment. As an extension of their SCRM programs, enterprises can require that ICT/IoT products and software be independently tested and certified under the Underwriters Laboratories (UL) Cybersecurity Assurance Program or a similar scheme.
For many companies, the security standards of their partners are of crucial importance. Many enterprises have due-diligence processes intended to build trust with suppliers and their products; in essence, they use preferred-supplier lists along with lists of assessed and cleared products.
Such practices need to include due diligence that assesses each supplier's security processes and its means of mitigating known vulnerabilities, exploitable weaknesses, and malware in the supply chain. This reflects the growing awareness among enterprises that their security is tightly linked to their dependence on third-party components.
Legally speaking, contract law provides recourse for ‘non-conforming’ products, and this can be used to mitigate the risk of products with ‘tainted’ components, meaning software or firmware components with known vulnerabilities, exploitable weaknesses, and/or malware. The challenge is that most enterprises and customers do not specify in their contracts what taint is unacceptable, and they have neither acceptance testing nor independent certification requirements in place for third-party components. Sample procurement language is freely available to those who want to address security in contracts with third-party suppliers.
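As an illustration of the acceptance test the paragraph above says most enterprises lack, here is an added example (not from the article or from Synopsys) of a minimal gate that rejects a build whose third-party components are ‘tainted’ in the article's sense of carrying a known vulnerability. The component manifest, the vulnerability records, and the advisory identifiers (`ADV-0001` and so on) are constructed sample data, and the function names are hypothetical; in practice the vulnerability records would come from a vulnerability database and the manifest from a software bill of materials.

```python
"""Acceptance gate for third-party components (added example, not the article's code).

A component is treated as 'tainted' when its version falls inside a known
vulnerable range, which is the definition of taint the article uses.
All data below is constructed for illustration.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


def parse_version(v: str) -> Tuple[int, ...]:
    """Turn '1.2.10' into (1, 2, 10) so versions compare numerically.

    Comparing version strings lexically would rank '1.9.0' above '1.10.0';
    tuple comparison gets this right. Only dotted numeric versions are handled.
    """
    return tuple(int(part) for part in v.split("."))


@dataclass(frozen=True)
class KnownVuln:
    component: str
    introduced: str          # first affected version (inclusive)
    fixed: Optional[str]     # first fixed version (exclusive); None if no fix exists
    ref: str                 # advisory identifier (constructed, hypothetical)


def is_affected(version: str, vuln: KnownVuln) -> bool:
    """True when `version` lies in [introduced, fixed); unfixed ranges are open-ended."""
    v = parse_version(version)
    if v < parse_version(vuln.introduced):
        return False
    if vuln.fixed is None:
        return True
    return v < parse_version(vuln.fixed)


def find_taint(manifest: Dict[str, str], vulns: List[KnownVuln]) -> List[Tuple[str, str, str]]:
    """Return (component, version, advisory) for every tainted component in the manifest."""
    findings = []
    for component, version in manifest.items():
        for vuln in vulns:
            if vuln.component == component and is_affected(version, vuln):
                findings.append((component, version, vuln.ref))
    return findings


def accept(manifest: Dict[str, str], vulns: List[KnownVuln]) -> bool:
    """The contractual rule made executable: no known-vulnerable component is acceptable."""
    return not find_taint(manifest, vulns)


# Constructed sample manifest: component name -> version shipped with the product.
MANIFEST = {"libfoo": "1.2.3", "libbar": "2.0.1", "libbaz": "0.9.0"}

# Constructed sample vulnerability records (advisory identifiers are hypothetical).
KNOWN_VULNS = [
    KnownVuln("libfoo", "1.0.0", "1.2.4", "ADV-0001"),  # 1.2.3 is affected
    KnownVuln("libbar", "2.0.0", "2.0.1", "ADV-0002"),  # 2.0.1 is the fixed version
    KnownVuln("libbaz", "0.5.0", None, "ADV-0003"),     # no fix published
]

if __name__ == "__main__":
    for component, version, ref in find_taint(MANIFEST, KNOWN_VULNS):
        print(f"REJECT {component} {version}: {ref}")
    print("accepted" if accept(MANIFEST, KNOWN_VULNS) else "rejected")
```

Note the boundary handling: libbar at 2.0.1 passes because 2.0.1 is the first fixed version, while libbaz is rejected outright because no fix exists. Whether an unfixed vulnerability is ‘unacceptable taint’ is precisely the kind of rule the procurement language should state explicitly.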
There is no shortage of resources for companies concerned about the security of their supply chain. The hard part is convincing organizations that security matters at every step. Procurement and testing are the key parts of SCRM for ensuring the integrity of software products.