Interview with Bob Martin, principal engineer over Software Supply Chain Assurance for the Cyber Solutions Innovation Center at MITRE Labs, and Chair of the Industry IoT Consortium Steering Committee
Recently, the IETF announced its Supply Chain Integrity Transparency and Trust (SCITT) initiative and emerging frameworks to come out of the initiative. One of those frameworks, MITRE’s supply chain “System of Trust,” is already available to help identify and score risk, while providing a common taxonomy for software, hardware and service providers.
“The work in SCITT with the IETF is to enable evidence about risks. People make claims, and you have evidence about those claims, and can make that evidence available to customers on demand. So, in essence, System of Trust is all the things you should ask about, while SCITT is going to enable many people to have answers when they get asked about those things.”
Of the fourteen top-level practices recommended in MITRE’s System of Trust, seven apply to the developers of commercial software and embedded products. To developers of commercial and embedded software products, he says that no matter what industry you’re developing to, it comes down to three aspects of risk: malicious taint, good hygiene, and counterfeits.
“Do they have legitimate licensed modules or is someone getting it from a wrong repository or gray market? Those would be in the counterfeit area. Maliciously tainted would mean, how do I know if someone hasn’t trojanized a library, module, or maintenance update? The bulk of the issues, however, are in the good hygiene area.”
Helpful Resources: