TalkSecure

Automating Supply Chain Integrity

Interview with Bob Martin, principal engineer over Software Supply Chain Assurance for the Cyber Solutions Innovation Center at MITRE Labs, and Chair of the Industry IoT Consortium Steering Committee

Recently, the IETF announced its Supply Chain Integrity Transparency and Trust (SCITT) initiative and emerging frameworks to come out of the initiative. One of those frameworks, MITRE’s supply chain “System of Trust,” is already available to help identify and score risk, while providing a common taxonomy for software, hardware and service providers.

“The work in SCITT with the IETF is to enable evidence about risks. People make claims, and you have evidence about those claims, and can make that evidence available to customers on demand. So, in essence, System of Trust is all the things you should ask about, while SCITT is going to enable many people to have answers when they get asked about those things.”

Of the fourteen top-level practices recommended in MITRE’s System of Trust, seven apply to the developers of commercial software and embedded products. For those developers, he says that no matter what industry you’re developing for, it comes down to three aspects of risk: malicious taint, good hygiene, and counterfeits.

“Do they have legitimate licensed modules or is someone getting it from a wrong repository or gray market? Those would be in the counterfeit area. Maliciously tainted would mean, how do I know if someone hasn’t trojanized a library, module, or maintenance update? The bulk of the issues, however, are in the good hygiene area.”
