Supply Chain Assurance
Organizations are increasingly acquiring commercial-off-the-shelf and open source software products or outsourcing development instead of developing their own software. Current approaches to acquisition don’t account for the risk management issues of complex software supply chains. On-time delivery and costs often get the most attention when organizations acquire software developed through a supply chain, but some of the most serious risks are associated with system assurance, the confidence that the system behaves as expected. Software defects, such as design and implementation errors, can lead to unexpected behaviors, system failure, or vulnerabilities that can lead to attacks.
Our approach to assuring the security of supply chains can help acquirers in several ways.
1. Apply existing techniques to reduce software supply chain risk. The immediate problem isn’t the need for new techniques but the application of known effective methods. For example, countermeasures for SQL injections are well established, yet SQL injections still rank second on the MITRE/SANS list of the top 25 most dangerous software errors. We can help organizations apply the appropriate techniques in these acquisition scenarios:
- commercial products: assess a specific product as well as supplier capabilities to develop secure software
- custom-developed software: as part of selecting a supplier, assess the supplier’s ability to evaluate and mitigate supply chain risks associated with product selection and integration and with subcontractor supplier software; also monitor supply chain risks during development
- supply chain integrity: protect components during development and in transit among participants in a supply chain
2. Manage supply chain risks after deployment. The most significant supply chain risks can occur after deployment. Risk assessments done with the initial acquisition are invalidated over time by new threats and attack patterns, product upgrades or replacements, and changes in consequences with expanded usage. Frequently there is a change in contractors from development to sustainment with a potential change in supplier capabilities.
3. Help acquirers most effectively use their resources in considering supply chain risks. We can provide a framework that helps acquirers understand the supply chain factors that arise from tradeoffs among business risks, sources of those risks (suppliers, features, and usage), and possible risk mitigations (supplier selection, feature usage, integration, and risk acceptance). For example, retailers, manufacturers, and suppliers that participate in a distributed inventory system can be at risk when one of the other participating systems is compromised.
For more information, contact us at info [@] sei.cmu.edu.