The increasingly global nature of software development has raised concerns that global supply chains could be compromised, allowing malicious code to be inserted into a delivered software product during development, or enabling a compromised product to be substituted during delivery or installation. However, the intentional exploitation of software vulnerabilities inadvertently introduced during development continues to be the most attractive means of attack. Each step in a supply chain can be a source of such vulnerabilities, and increased assurance for the final product requires the consistent application, throughout the supply chain, of development techniques demonstrated to reduce the likelihood of vulnerabilities.
Commercial firms and state and federal government agencies that acquire software have shifted responsibility for software assurance to the software contractors, integration contractors, and software product vendors that participate in the corresponding supply chain. In these instances, software assurance cannot be improved until effective techniques for reducing vulnerabilities are incorporated into the software supply chain.
This webinar will discuss an ongoing SEI effort to develop an approach for assessing software supply chains and identifying the associated software assurance risks.
About the Speakers
Bob Ellison is a senior member of the technical staff of the CERT program at the SEI. He is currently the technical leader of a project funded by the Department of Homeland Security (DHS) on supply-chain risks. He participated in the design and development of the DHS Build-Security-In website and continues to contribute articles to it. His recent work includes the development of the Survivability Analysis Framework, which considers the effects of security threats on complex operational business processes. He coauthored the book Software Security Engineering: A Guide for Project Managers, which was published by Addison-Wesley in 2008.