SlideShare une entreprise Scribd logo

Risks in the Software Supply Chain

Sonatype
Sonatype

This presentation highlights the use and role of open source and 3rd party components in a software supply chain.

Technologie
1  sur  25
Télécharger pour lire hors ligne
© 2015 Carnegie Mellon University Risks in the Software Supply Chain Software Engineering Institute Carnegie Mellon University Pittsburgh, PA 15213 Mark Sherman, Ph.D. Technical Director, CERT Jan 15, 2015
2 Risks in the Software Supply Chain Mark Sherman, 15-Jan-2015 © 2015 Carnegie Mellon University Copyright 2015 Carnegie Mellon University This material is based upon work funded and supported by the Department of Defense under Contract No. FA8721-05-C-0003 with Carnegie Mellon University for the operation of the Software Engineering Institute, a federally funded research and development center. Any opinions, findings and conclusions or recommendations expressed in this material are those of the author(s) and do not necessarily reflect the views of the United States Department of Defense. References herein to any specific commercial product, process, or service by trade name, trade mark, manufacturer, or otherwise, does not necessarily constitute or imply its endorsement, recommendation, or favoring by Carnegie Mellon University or its Software Engineering Institute. NO WARRANTY. THIS CARNEGIE MELLON UNIVERSITY AND SOFTWARE ENGINEERING INSTITUTE MATERIAL IS FURNISHED ON AN “AS-IS” BASIS. CARNEGIE MELLON UNIVERSITY MAKES NO WARRANTIES OF ANY KIND, EITHER EXPRESSED OR IMPLIED, AS TO ANY MATTER INCLUDING, BUT NOT LIMITED TO, WARRANTY OF FITNESS FOR PURPOSE OR MERCHANTABILITY, EXCLUSIVITY, OR RESULTS OBTAINED FROM USE OF THE MATERIAL. CARNEGIE MELLON UNIVERSITY DOES NOT MAKE ANY WARRANTY OF ANY KIND WITH RESPECT TO FREEDOM FROM PATENT, TRADEMARK, OR COPYRIGHT INFRINGEMENT. This material has been approved for public release and unlimited distribution. This material may be reproduced in its entirety, without modification, and freely distributed in written or electronic form without requesting formal permission. Permission is required for any other use. Requests for permission should be directed to the Software Engineering Institute at permission@sei.cmu.edu. Carnegie Mellon®, CERT® and CMMI® are registered marks of Carnegie Mellon University. DM-0002130
3 Risks in the Software Supply Chain Mark Sherman, 15-Jan-2015 © 2015 Carnegie Mellon University Conventional view of supply chain risk Sources: http://www.nytix.com/NewYorkCity/articles/handbags.html; http://www.laserwisetech.co.nz/secret.php; http://www.muscatdaily.com/Archive/Oman/Fake-car-parts-contribute-to-rise-in-road-accidents-Experts; http://www.andovercg.com/services/cisco-counterfeit-wic-1dsu-t1.shtml; http://unites-systems.com/l.php?id=191
4 Risks in the Software Supply Chain Mark Sherman, 15-Jan-2015 © 2015 Carnegie Mellon University Software is the new hardware – IT IT moving from specialized hardware to software, virtualized as • Servers: virtual CPUs • Storage: SANs • Switches: Soft switches • Networks: Software defined networks
5 Risks in the Software Supply Chain Mark Sherman, 15-Jan-2015 © 2015 Carnegie Mellon University • Cellular • Main processor • Base band processor • Secure element (SIM) • Automotive • Up to 100 networked CPUs in luxury cars • Vehicle to infrastructure (V2I) • Vehicle to vehicle (V2V) • Industrial and home automation • 3D printing (additive manufacturing) • Autonomous robots • Interconnected SCADA • Aviation • 80% of airplane function in software • Next Gen air traffic control • Smart grid • Smart electric meters • Smart metering infrastructure • Embedded medical devices Software is the new hardware – cyber physical
6 Risks in the Software Supply Chain Mark Sherman, 15-Jan-2015 © 2015 Carnegie Mellon University Software is the new hardware – everything 90 percent of [Samsung’s] products -- which includes everything from smartphones to refrigerator-- would be able to connect to the Web by 2017. In five years, every product in the company's entire catalog would be Internet connected. B.K. Yoon, Samsung co-CEO CNET Jan 5, 2015 Source: http://www.cnet.com/news/samsung-co-ceo-in-5-years-all-our-products-will-be-internet-connected/ http://www.wsj.com/articles/SB10001424053111903480904576512250915629460 Software is eating the world. Marc Andreessen, WSJ, Aug 20,2011
7 Risks in the Software Supply Chain Mark Sherman, 15-Jan-2015 © 2015 Carnegie Mellon University Evolution of software development Custom development – context: • Software was limited  Size  Function  Audience • Each organization employed developers • Each organization created their own software Shared development – ISVs (COTS) – context: • Function largely understood  Automating existing processes • Grown beyond ability for using organization to development economically • Outside of core competitiveness by acquirers Supply chain: practically none Supply chain: software supplier
8 Risks in the Software Supply Chain Mark Sherman, 15-Jan-2015 © 2015 Carnegie Mellon University Development is now assembly General Ledger SQL Server WebSphere HTTP server XML Parser Oracle DB SIP servlet container GIF library Note: hypothetical application composition Collective development – context: • Too large for single organization • Too much specialization • Too little value in individual components Supply chain: long
9 Risks in the Software Supply Chain Mark Sherman, 15-Jan-2015 © 2015 Carnegie Mellon University Software supply chain for assembled software Expanding the scope and complexity of acquisition and deployment Visibility and direct program office controls are limited (only in shaded area) Source: “Scope of Supplier Expansion and Foreign Involvement” graphic in DACS www.softwaretechnews.com Secure Software Engineering, July 2005 article “Software Development Security: A Risk Management Perspective” synopsis of May 2004 GAO-04- 678 report “Defense Acquisition: Knowledge of Software Suppliers Needed to Manage Risks”
10 Risks in the Software Supply Chain Mark Sherman, 15-Jan-2015 © 2015 Carnegie Mellon University Corruption along the supply chain is easy Knowledgeable analysts can convert packaged binary into malware in minutes Sources: Pedro Candel, Deloitte CyberSOC Academy , Deloitte http://www.8enise.webcastlive.es/webcast.htm?video=08; http://www.microsoft.com/Products/Games/FSInsider/freeflight/PublishingImages/scene.jpg; https://www.withfriendship.com/user/mithunss/easter-eggs-in-microsoft-products.php Unexpected or unintended behaviors in components
11 Risks in the Software Supply Chain Mark Sherman, 15-Jan-2015 © 2015 Carnegie Mellon University Substantial open source contained in supply chain • At least 75% of organizations rely on open source as the foundation of their applications • Most applications are now assembled from hundreds of open source components, often reflecting as much as 90% of an application. Distributed development – context: • Amortize expense • Outsource non-differential features • Lower acquisition (CapEx) expense Source: Sonatype, 2014 Sonatype Open Source Development and Application Security Survey Supply chain: opaque
12 Risks in the Software Supply Chain Mark Sherman, 15-Jan-2015 © 2015 Carnegie Mellon University Open source supply chain has a long path App server HTTP server XML Parser C Libraries C compiler Generated Parser Parser Generator 2nd Compiler
13 Risks in the Software Supply Chain Mark Sherman, 15-Jan-2015 © 2015 Carnegie Mellon University Versions of Android illustrate open source fragmentation Source: http://opensignal.com/reports/fragmentation.php .
14 Risks in the Software Supply Chain Mark Sherman, 15-Jan-2015 © 2015 Carnegie Mellon University Open source is not secure Heartbleed and Shellshock were found by exploitation Other open source software illustrates vulnerabilities from cursory inspection Sources: Steve Christey (MITRE) & Brian Martin (OSF), Buying Into the Bias: Why Vulnerability Statistics Suck, https://media.blackhat.com/us-13/US-13-Martin-Buying-Into-The-Bias-Why-Vulnerability-Statistics- Suck-Slides.pdf; Sonatype, Sonatype Open Source Development and Application Security Survey 46 million vulnerable open source components downloaded annually
15 Risks in the Software Supply Chain Mark Sherman, 15-Jan-2015 © 2015 Carnegie Mellon University Reducing software supply chain risk factors Software supply chain risk for a product needs to be reduced to acceptable level Supplier follows practices that reduce supply chain risks Delivered or updated product is acceptably secure Product Distribution Operational Product Control Product is used in a secure manner Methods of transmitting the product to the purchaser guard again tampering Product Security Supplier Capability
16 Risks in the Software Supply Chain Mark Sherman, 15-Jan-2015 © 2015 Carnegie Mellon University Supplier security commitment evidence Supplier employees are educated as to security engineering practices • Documentation for each engineer of training and when trained/retrained • Revision dates for training materials • Lists of acceptable credentials for instructors • Names of instructors and their credentials Supplier follows suitable security design practices • Documented design guidelines • Provides evidence that design and coding weaknesses that affect security have been addressed (Common Weakness Enumeration (CWE)) • Has analyzed attack patterns appropriate to the design such as those that are included in Common Attack Pattern Enumeration and Classification (CAPEC)
17 Risks in the Software Supply Chain Mark Sherman, 15-Jan-2015 © 2015 Carnegie Mellon University Evaluate a product’s threat resistance What product characteristics minimize opportunities to enter and change the product’s security characteristics? • Attack surface evaluation: Exploitable features have been identified and eliminated where possible – Access controls – Input/output channels – Attack enabling applications – email, Web – Targets • Design and coding weaknesses associated with exploitable features have been identified and mitigated (CWE) • Independent validation and verification of threat resistance
18 Risks in the Software Supply Chain Mark Sherman, 15-Jan-2015 © 2015 Carnegie Mellon University Establishing good product distribution practices Recognize that supply chain risks are accumulated • Subcontractor/COTS-product supply chain risk is inherited by those that use that software, tool, system, etc. Apply to the acquiring organizations and their suppliers • Require good security practices by their suppliers • Assess the security of delivered products • Address the additional risks associated with using the product in their context
19 Risks in the Software Supply Chain Mark Sherman, 15-Jan-2015 © 2015 Carnegie Mellon University Maintain attack resistance Who assumes responsibility for preserving product attack resistance with product deployment? • Patching and version upgrades • Expanded distribution of usage • Expanded integration Usage changes the attack surface and potential attacks for the product • Change in feature usage or risks • Are supplier risk mitigations adequate for desired usage? • Effects of vendor upgrades/patches and local configuration changes • Effects of integration into operations (system of systems)
20 Risks in the Software Supply Chain Mark Sherman, 15-Jan-2015 © 2015 Carnegie Mellon University What about open source? Establish a supplier for open source • Self • 3rd party focusing on open source Subject to same evaluation • Supplier capability • Product security • Product distribution • Operational product control Source: http://opensource.org/
21 Risks in the Software Supply Chain Mark Sherman, 15-Jan-2015 © 2015 Carnegie Mellon University Business decisions are about risk There are many risks to a business process or mission thread • Within a system • Collection of systems Supply chain is one of many risk components Evaluate software supply chain risk in the larger context of • Supply chain risk • System risk • System of systems risk
22 Risks in the Software Supply Chain Mark Sherman, 15-Jan-2015 © 2015 Carnegie Mellon University Security Engineering Risk Analysis (SERA ) 1. Establish operational context. 2. Identify risk. 3. Analyze risk. 4. Develop control plan. Mission Thread / Business Process Worksheet Risk Identification Worksheet Risk Evaluation Criteria Risk Analysis Worksheet Control Approach Worksheet Control Plan Worksheet
23 Risks in the Software Supply Chain Mark Sherman, 15-Jan-2015 © 2015 Carnegie Mellon University Where to start Anywhere • 76% do not have meaningful controls over what components are in their applications • 81% do not coordinate their security practices in various stages of the development life cycle • 47% do not perform acceptance tests for third-party code Plenty of models to choose from BSIMM: Building Security in Maturity Model CMMI: Capability Maturity Model Integration for Acquisitions PRM: SwA Forum Processes and Practices Group Process Reference Model RMM: CERT Resilience Management Model SAMM: OWASP Open Software Assurance Maturity Model Sources: Sonatype, 2014 Sonatype Open Source Development and Application Security Survey; Forrester Consulting, “State of Application Security,” January 2011
24 Risks in the Software Supply Chain Mark Sherman, 15-Jan-2015 © 2015 Carnegie Mellon University Further reading Alberts, Christopher, et al., “Introduction to the Security Engineering Risk Analysis (SERA) Fraemwork,” Software Engineering Institute, Nov 2014, http://resources.sei.cmu.edu/asset_files/TechnicalNote/2014_004_001_427329.pdf Axelrod, C. Warren, “Mitigating Software Supply Chain Risk,” ISCA Journal Online, Vol 4., 2013, http://www.isaca.org/Journal/Past- Issues/2013/Volume-4/Pages/JOnline-Mitigating-Software-Supply-Chain-Risk.aspx Axelrod, C. Warren, “Malware, Weakware and the Security of Software Supply Chains,” Cross-Talk, March/April 2014, p. 20, http://www.crosstalkonline.org/storage/issue-archives/2014/201403/201403-Axelrod.pdf Ellison, Robert, et al, “Software Supply Chain Risk Management: From Products to Systems of Systems,” Software Engineering Institute, Dec 2010, https://resources.sei.cmu.edu/asset_files/technicalnote/2010_004_001_15194.pdf Ellison, Robert, et al. “Evaluating and Mitigating Software Supply Chain Security Risks,” Software Engineering Institute, May 2010, http://resources.sei.cmu.edu/asset_files/technicalnote/2010_004_001_15176.pdf Ellison, Robert and Woody, Carol, “Supply-Chain Risk Management: Incorporating Security into Software Development,” Proceedings of the 43rd Hawaii International Conference on System Sciences, 2010, http://resources.sei.cmu.edu/asset_files/WhitePaper/2013_019_001_297341.pdf Jarzombek, Joe, “Collaboratively Advancing Strategies to Mitigate Software Supply Chain Risks,” July 30, 2009, http://csrc.nist.gov/groups/SMA/ispab/documents/minutes/2009-07/ispab_july09-jarzombek_swa-supply-chain.pdf Software Assurance Forum, Processes and Practices Working Group, “Software Assurance Checklist for Software Supply Chain Risk Management,” https://buildsecurityin.us-cert.gov/sites/default/files/20101208-SwAChecklist.pdf “Software Supply Chain Risk Management & Due-Diligence,” Software Assurance Pocket Guide Series: Acquisition & Outsourcing, Vol II, Version 1.2, June 16, 2009, https://buildsecurityin.us-cert.gov/sites/default/files/DueDiligenceMWV12_01AM090909.pdf
25 Risks in the Software Supply Chain Mark Sherman, 15-Jan-2015 © 2015 Carnegie Mellon University Contact Information Slide Format Mark Sherman Technical Director Cyber Security Foundations Telephone: +1 412-268-9223 Email: mssherman@sei.cmu.edu U.S. Mail Software Engineering Institute Customer Relations 4500 Fifth Avenue Pittsburgh, PA 15213-2612 USA Web www.sei.cmu.edu www.sei.cmu.edu/contact.cfm Customer Relations Email: info@sei.cmu.edu Telephone: +1 412-268-5800 SEI Phone: +1 412-268-5800 SEI Fax: +1 412-268-6257

Recommandé

Cybersecurity Awareness Session by Adam
Cybersecurity Awareness Session by AdamCybersecurity Awareness Session by Adam
Cybersecurity Awareness Session by AdamMohammed Adam
 
Cyber Security 101: Training, awareness, strategies for small to medium sized...
Cyber Security 101: Training, awareness, strategies for small to medium sized...Cyber Security 101: Training, awareness, strategies for small to medium sized...
Cyber Security 101: Training, awareness, strategies for small to medium sized...Stephen Cobb
 
Security testing
Security testingSecurity testing
Security testingRihab Chebbah
 
DevSecOps: Taking a DevOps Approach to Security
DevSecOps: Taking a DevOps Approach to SecurityDevSecOps: Taking a DevOps Approach to Security
DevSecOps: Taking a DevOps Approach to SecurityAlert Logic
 
Cloud Security Demystified
Cloud Security DemystifiedCloud Security Demystified
Cloud Security DemystifiedMichael Torres
 
Introduction to DevSecOps
Introduction to DevSecOpsIntroduction to DevSecOps
Introduction to DevSecOpsAmazon Web Services
 
Software Composition Analysis Deep Dive
Software Composition Analysis Deep DiveSoftware Composition Analysis Deep Dive
Software Composition Analysis Deep DiveUlisses Albuquerque
 
Snyk Intro - Developer Security Essentials 2022
Snyk Intro - Developer Security Essentials 2022Snyk Intro - Developer Security Essentials 2022
Snyk Intro - Developer Security Essentials 2022Liran Tal
 

Recommandé

Cybersecurity Awareness Session by Adam
Cybersecurity Awareness Session by AdamCybersecurity Awareness Session by Adam
Cybersecurity Awareness Session by AdamMohammed Adam
 
Cyber Security 101: Training, awareness, strategies for small to medium sized...
Cyber Security 101: Training, awareness, strategies for small to medium sized...Cyber Security 101: Training, awareness, strategies for small to medium sized...
Cyber Security 101: Training, awareness, strategies for small to medium sized...Stephen Cobb
 
Security testing
Security testingSecurity testing
Security testingRihab Chebbah
 
DevSecOps: Taking a DevOps Approach to Security
DevSecOps: Taking a DevOps Approach to SecurityDevSecOps: Taking a DevOps Approach to Security
DevSecOps: Taking a DevOps Approach to SecurityAlert Logic
 
Cloud Security Demystified
Cloud Security DemystifiedCloud Security Demystified
Cloud Security DemystifiedMichael Torres
 
Introduction to DevSecOps
Introduction to DevSecOpsIntroduction to DevSecOps
Introduction to DevSecOpsAmazon Web Services
 
Software Composition Analysis Deep Dive
Software Composition Analysis Deep DiveSoftware Composition Analysis Deep Dive
Software Composition Analysis Deep DiveUlisses Albuquerque
 
Snyk Intro - Developer Security Essentials 2022
Snyk Intro - Developer Security Essentials 2022Snyk Intro - Developer Security Essentials 2022
Snyk Intro - Developer Security Essentials 2022Liran Tal
 
Penetration testing reporting and methodology
Penetration testing reporting and methodologyPenetration testing reporting and methodology
Penetration testing reporting and methodologyRashad Aliyev
 
DevSecOps: Key Controls to Modern Security Success
DevSecOps: Key Controls to Modern Security SuccessDevSecOps: Key Controls to Modern Security Success
DevSecOps: Key Controls to Modern Security SuccessPuma Security, LLC
 
Endpoint Protection
Endpoint ProtectionEndpoint Protection
Endpoint ProtectionSophos
 
Patch and Vulnerability Management
Patch and Vulnerability ManagementPatch and Vulnerability Management
Patch and Vulnerability ManagementMarcelo Martins
 
Information Security Awareness Training
Information Security Awareness TrainingInformation Security Awareness Training
Information Security Awareness TrainingRandy Bowman
 
SAST vs. DAST: What’s the Best Method For Application Security Testing?
SAST vs. DAST: What’s the Best Method For Application Security Testing?SAST vs. DAST: What’s the Best Method For Application Security Testing?
SAST vs. DAST: What’s the Best Method For Application Security Testing?Cigital
 
Application Security Guide for Beginners
Application Security Guide for Beginners Application Security Guide for Beginners
Application Security Guide for Beginners Checkmarx
 
CISSP 8 Domains.pdf
CISSP 8 Domains.pdfCISSP 8 Domains.pdf
CISSP 8 Domains.pdfdotco
 
VAPT - Vulnerability Assessment & Penetration Testing
VAPT - Vulnerability Assessment & Penetration Testing VAPT - Vulnerability Assessment & Penetration Testing
VAPT - Vulnerability Assessment & Penetration Testing Netpluz Asia Pte Ltd
 
7 cyber security questions for boards
7 cyber security questions for boards7 cyber security questions for boards
7 cyber security questions for boardsPaul McGillicuddy
 
Vulnerability Management: What You Need to Know to Prioritize Risk
Vulnerability Management: What You Need to Know to Prioritize RiskVulnerability Management: What You Need to Know to Prioritize Risk
Vulnerability Management: What You Need to Know to Prioritize RiskAlienVault
 
Secure coding practices
Secure coding practicesSecure coding practices
Secure coding practicesScott Hurrey
 
Security Awareness Training
Security Awareness TrainingSecurity Awareness Training
Security Awareness TrainingDaniel P Wallace
 
INCIDENT RESPONSE NIST IMPLEMENTATION
INCIDENT RESPONSE NIST IMPLEMENTATIONINCIDENT RESPONSE NIST IMPLEMENTATION
INCIDENT RESPONSE NIST IMPLEMENTATIONSylvain Martinez
 
Cyber security awareness training by cyber security infotech(csi)
Cyber security awareness training by cyber security infotech(csi)Cyber security awareness training by cyber security infotech(csi)
Cyber security awareness training by cyber security infotech(csi)Cyber Security Infotech
 
Application Threat Modeling
Application Threat ModelingApplication Threat Modeling
Application Threat ModelingPriyanka Aash
 
Building an AppSec Pipeline: Keeping your program, and your life, sane
Building an AppSec Pipeline: Keeping your program, and your life, saneBuilding an AppSec Pipeline: Keeping your program, and your life, sane
Building an AppSec Pipeline: Keeping your program, and your life, saneweaveraaaron
 
NIST - Cybersecurity Framework mindmap
NIST - Cybersecurity Framework mindmapNIST - Cybersecurity Framework mindmap
NIST - Cybersecurity Framework mindmapWAJAHAT IQBAL
 
Security Information and Event Management (SIEM)
Security Information and Event Management (SIEM)Security Information and Event Management (SIEM)
Security Information and Event Management (SIEM)hardik soni
 
Rise of software supply chain attack
Rise of software supply chain attackRise of software supply chain attack
Rise of software supply chain attackYadnyawalkya Tale
 
Cybersecurity Best Practices for 3rd Party Supply Chain
Cybersecurity Best Practices for 3rd Party Supply ChainCybersecurity Best Practices for 3rd Party Supply Chain
Cybersecurity Best Practices for 3rd Party Supply ChainAnthony Braddy
 
Balancing speed & agility with security & governance (July 2016)
Balancing speed & agility with security & governance (July 2016)Balancing speed & agility with security & governance (July 2016)
Balancing speed & agility with security & governance (July 2016)Rajiv Renganathan
 

Contenu connexe

Tendances

Penetration testing reporting and methodology
Penetration testing reporting and methodologyPenetration testing reporting and methodology
Penetration testing reporting and methodologyRashad Aliyev
 
DevSecOps: Key Controls to Modern Security Success
DevSecOps: Key Controls to Modern Security SuccessDevSecOps: Key Controls to Modern Security Success
DevSecOps: Key Controls to Modern Security SuccessPuma Security, LLC
 
Endpoint Protection
Endpoint ProtectionEndpoint Protection
Endpoint ProtectionSophos
 
Patch and Vulnerability Management
Patch and Vulnerability ManagementPatch and Vulnerability Management
Patch and Vulnerability ManagementMarcelo Martins
 
Information Security Awareness Training
Information Security Awareness TrainingInformation Security Awareness Training
Information Security Awareness TrainingRandy Bowman
 
SAST vs. DAST: What’s the Best Method For Application Security Testing?
SAST vs. DAST: What’s the Best Method For Application Security Testing?SAST vs. DAST: What’s the Best Method For Application Security Testing?
SAST vs. DAST: What’s the Best Method For Application Security Testing?Cigital
 
Application Security Guide for Beginners
Application Security Guide for Beginners Application Security Guide for Beginners
Application Security Guide for Beginners Checkmarx
 
CISSP 8 Domains.pdf
CISSP 8 Domains.pdfCISSP 8 Domains.pdf
CISSP 8 Domains.pdfdotco
 
VAPT - Vulnerability Assessment & Penetration Testing
VAPT - Vulnerability Assessment & Penetration Testing VAPT - Vulnerability Assessment & Penetration Testing
VAPT - Vulnerability Assessment & Penetration Testing Netpluz Asia Pte Ltd
 
7 cyber security questions for boards
7 cyber security questions for boards7 cyber security questions for boards
7 cyber security questions for boardsPaul McGillicuddy
 
Vulnerability Management: What You Need to Know to Prioritize Risk
Vulnerability Management: What You Need to Know to Prioritize RiskVulnerability Management: What You Need to Know to Prioritize Risk
Vulnerability Management: What You Need to Know to Prioritize RiskAlienVault
 
Secure coding practices
Secure coding practicesSecure coding practices
Secure coding practicesScott Hurrey
 
Security Awareness Training
Security Awareness TrainingSecurity Awareness Training
Security Awareness TrainingDaniel P Wallace
 
INCIDENT RESPONSE NIST IMPLEMENTATION
INCIDENT RESPONSE NIST IMPLEMENTATIONINCIDENT RESPONSE NIST IMPLEMENTATION
INCIDENT RESPONSE NIST IMPLEMENTATIONSylvain Martinez
 
Cyber security awareness training by cyber security infotech(csi)
Cyber security awareness training by cyber security infotech(csi)Cyber security awareness training by cyber security infotech(csi)
Cyber security awareness training by cyber security infotech(csi)Cyber Security Infotech
 
Application Threat Modeling
Application Threat ModelingApplication Threat Modeling
Application Threat ModelingPriyanka Aash
 
Building an AppSec Pipeline: Keeping your program, and your life, sane
Building an AppSec Pipeline: Keeping your program, and your life, saneBuilding an AppSec Pipeline: Keeping your program, and your life, sane
Building an AppSec Pipeline: Keeping your program, and your life, saneweaveraaaron
 
NIST - Cybersecurity Framework mindmap
NIST - Cybersecurity Framework mindmapNIST - Cybersecurity Framework mindmap
NIST - Cybersecurity Framework mindmapWAJAHAT IQBAL
 
Security Information and Event Management (SIEM)
Security Information and Event Management (SIEM)Security Information and Event Management (SIEM)
Security Information and Event Management (SIEM)hardik soni
 
Rise of software supply chain attack
Rise of software supply chain attackRise of software supply chain attack
Rise of software supply chain attackYadnyawalkya Tale
 

Tendances (20)

Penetration testing reporting and methodology
Penetration testing reporting and methodologyPenetration testing reporting and methodology
Penetration testing reporting and methodology
 
DevSecOps: Key Controls to Modern Security Success
DevSecOps: Key Controls to Modern Security SuccessDevSecOps: Key Controls to Modern Security Success
DevSecOps: Key Controls to Modern Security Success
 
Endpoint Protection
Endpoint ProtectionEndpoint Protection
Endpoint Protection
 
Patch and Vulnerability Management
Patch and Vulnerability ManagementPatch and Vulnerability Management
Patch and Vulnerability Management
 
Information Security Awareness Training
Information Security Awareness TrainingInformation Security Awareness Training
Information Security Awareness Training
 
SAST vs. DAST: What’s the Best Method For Application Security Testing?
SAST vs. DAST: What’s the Best Method For Application Security Testing?SAST vs. DAST: What’s the Best Method For Application Security Testing?
SAST vs. DAST: What’s the Best Method For Application Security Testing?
 
Application Security Guide for Beginners
Application Security Guide for Beginners Application Security Guide for Beginners
Application Security Guide for Beginners
 
CISSP 8 Domains.pdf
CISSP 8 Domains.pdfCISSP 8 Domains.pdf
CISSP 8 Domains.pdf
 
VAPT - Vulnerability Assessment & Penetration Testing
VAPT - Vulnerability Assessment & Penetration Testing VAPT - Vulnerability Assessment & Penetration Testing
VAPT - Vulnerability Assessment & Penetration Testing
 
7 cyber security questions for boards
7 cyber security questions for boards7 cyber security questions for boards
7 cyber security questions for boards
 
Vulnerability Management: What You Need to Know to Prioritize Risk
Vulnerability Management: What You Need to Know to Prioritize RiskVulnerability Management: What You Need to Know to Prioritize Risk
Vulnerability Management: What You Need to Know to Prioritize Risk
 
Secure coding practices
Secure coding practicesSecure coding practices
Secure coding practices
 
Security Awareness Training
Security Awareness TrainingSecurity Awareness Training
Security Awareness Training
 
INCIDENT RESPONSE NIST IMPLEMENTATION
INCIDENT RESPONSE NIST IMPLEMENTATIONINCIDENT RESPONSE NIST IMPLEMENTATION
INCIDENT RESPONSE NIST IMPLEMENTATION
 
Cyber security awareness training by cyber security infotech(csi)
Cyber security awareness training by cyber security infotech(csi)Cyber security awareness training by cyber security infotech(csi)
Cyber security awareness training by cyber security infotech(csi)
 
Application Threat Modeling
Application Threat ModelingApplication Threat Modeling
Application Threat Modeling
 
Building an AppSec Pipeline: Keeping your program, and your life, sane
Building an AppSec Pipeline: Keeping your program, and your life, saneBuilding an AppSec Pipeline: Keeping your program, and your life, sane
Building an AppSec Pipeline: Keeping your program, and your life, sane
 
NIST - Cybersecurity Framework mindmap
NIST - Cybersecurity Framework mindmapNIST - Cybersecurity Framework mindmap
NIST - Cybersecurity Framework mindmap
 
Security Information and Event Management (SIEM)
Security Information and Event Management (SIEM)Security Information and Event Management (SIEM)
Security Information and Event Management (SIEM)
 
Rise of software supply chain attack
Rise of software supply chain attackRise of software supply chain attack
Rise of software supply chain attack
 

En vedette

Cybersecurity Best Practices for 3rd Party Supply Chain
Cybersecurity Best Practices for 3rd Party Supply ChainCybersecurity Best Practices for 3rd Party Supply Chain
Cybersecurity Best Practices for 3rd Party Supply ChainAnthony Braddy
 
Balancing speed & agility with security & governance (July 2016)
Balancing speed & agility with security & governance (July 2016)Balancing speed & agility with security & governance (July 2016)
Balancing speed & agility with security & governance (July 2016)Rajiv Renganathan
 
Diagnosing Problems in Production - Cassandra
Diagnosing Problems in Production - CassandraDiagnosing Problems in Production - Cassandra
Diagnosing Problems in Production - CassandraJon Haddad
 
La blockchain et son impact sur le secteur public
La blockchain et son impact sur le secteur publicLa blockchain et son impact sur le secteur public
La blockchain et son impact sur le secteur publicGenève Lab
 
Mapping Experiences - O'Reilly Design Conference 2017
Mapping Experiences - O'Reilly Design Conference 2017Mapping Experiences - O'Reilly Design Conference 2017
Mapping Experiences - O'Reilly Design Conference 2017Jim Kalbach
 
Michael Collins - TBEX International 2017 - How to sell your blog to sponsors...
Michael Collins - TBEX International 2017 - How to sell your blog to sponsors...Michael Collins - TBEX International 2017 - How to sell your blog to sponsors...
Michael Collins - TBEX International 2017 - How to sell your blog to sponsors...TravelMedia.ie
 

En vedette (8)

Cybersecurity Best Practices for 3rd Party Supply Chain
Cybersecurity Best Practices for 3rd Party Supply ChainCybersecurity Best Practices for 3rd Party Supply Chain
Cybersecurity Best Practices for 3rd Party Supply Chain
 
Balancing speed & agility with security & governance (July 2016)
Balancing speed & agility with security & governance (July 2016)Balancing speed & agility with security & governance (July 2016)
Balancing speed & agility with security & governance (July 2016)
 
Diagnosing Problems in Production - Cassandra
Diagnosing Problems in Production - CassandraDiagnosing Problems in Production - Cassandra
Diagnosing Problems in Production - Cassandra
 
World Copper Production
World Copper ProductionWorld Copper Production
World Copper Production
 
La blockchain et son impact sur le secteur public
La blockchain et son impact sur le secteur publicLa blockchain et son impact sur le secteur public
La blockchain et son impact sur le secteur public
 
Easy Virtual Reality
Easy Virtual RealityEasy Virtual Reality
Easy Virtual Reality
 
Mapping Experiences - O'Reilly Design Conference 2017
Mapping Experiences - O'Reilly Design Conference 2017Mapping Experiences - O'Reilly Design Conference 2017
Mapping Experiences - O'Reilly Design Conference 2017
 
Michael Collins - TBEX International 2017 - How to sell your blog to sponsors...
Michael Collins - TBEX International 2017 - How to sell your blog to sponsors...Michael Collins - TBEX International 2017 - How to sell your blog to sponsors...
Michael Collins - TBEX International 2017 - How to sell your blog to sponsors...
 

Similaire à Risks in the Software Supply Chain

Applying Software Quality Models to Software Security
Applying Software Quality Models to Software SecurityApplying Software Quality Models to Software Security
Applying Software Quality Models to Software SecurityCAST
 
Emphasizing Value of Prioritizing AppSec Meetup 11052023.pptx
Emphasizing Value of Prioritizing AppSec Meetup 11052023.pptxEmphasizing Value of Prioritizing AppSec Meetup 11052023.pptx
Emphasizing Value of Prioritizing AppSec Meetup 11052023.pptxlior mazor
 
"CERT Secure Coding Standards" by Dr. Mark Sherman
"CERT Secure Coding Standards" by Dr. Mark Sherman"CERT Secure Coding Standards" by Dr. Mark Sherman
"CERT Secure Coding Standards" by Dr. Mark ShermanRinaldi Rampen
 
Tech Talk: Isn’t One Authentication Mechanism z Systems Enough?
Tech Talk: Isn’t One Authentication Mechanism z Systems Enough?Tech Talk: Isn’t One Authentication Mechanism z Systems Enough?
Tech Talk: Isn’t One Authentication Mechanism z Systems Enough?CA Technologies
 
Case Closed with IBM Application Security on Cloud infographic
Case Closed with IBM Application Security on Cloud infographicCase Closed with IBM Application Security on Cloud infographic
Case Closed with IBM Application Security on Cloud infographicIBM Security
 
What the New OWASP Top 10 2013 and Latest X-Force Report Mean for App Sec
What the New OWASP Top 10 2013 and Latest X-Force Report Mean for App SecWhat the New OWASP Top 10 2013 and Latest X-Force Report Mean for App Sec
What the New OWASP Top 10 2013 and Latest X-Force Report Mean for App SecIBM Security
 
Top 6 Web Application Security Best Practices.pdf
Top 6 Web Application Security Best Practices.pdfTop 6 Web Application Security Best Practices.pdf
Top 6 Web Application Security Best Practices.pdfSolviosTechnology
 
New threats to cyber-security
New threats to cyber-securityNew threats to cyber-security
New threats to cyber-securityMark Sherman
 
Fortify-Application_Security_Foundation_Training.pptx
Fortify-Application_Security_Foundation_Training.pptxFortify-Application_Security_Foundation_Training.pptx
Fortify-Application_Security_Foundation_Training.pptxYoisRoberthTapiadeLa
 
Fortify-Application_Security_Foundation_Training.pptx
Fortify-Application_Security_Foundation_Training.pptxFortify-Application_Security_Foundation_Training.pptx
Fortify-Application_Security_Foundation_Training.pptxVictoriaChavesta
 
Research Article On Web Application Security
Research Article On Web Application SecurityResearch Article On Web Application Security
Research Article On Web Application SecuritySaadSaif6
 
Intelligence on the Intractable Problem of Software Security
Intelligence on the Intractable Problem of Software SecurityIntelligence on the Intractable Problem of Software Security
Intelligence on the Intractable Problem of Software SecurityTyler Shields
 
Unified application security analyser
Unified application security analyserUnified application security analyser
Unified application security analyserTim Youm
 
White Paper: 7 Security Gaps in the Neglected 90% of your Applications
White Paper: 7 Security Gaps in the Neglected 90% of your ApplicationsWhite Paper: 7 Security Gaps in the Neglected 90% of your Applications
White Paper: 7 Security Gaps in the Neglected 90% of your ApplicationsSonatype
 
Insider's Guide to the AppExchange Security Review (Dreamforce 2015)
Insider's Guide to the AppExchange Security Review (Dreamforce 2015)Insider's Guide to the AppExchange Security Review (Dreamforce 2015)
Insider's Guide to the AppExchange Security Review (Dreamforce 2015)Salesforce Partners
 
IBM Rational AppScan Product Overview
IBM Rational AppScan Product OverviewIBM Rational AppScan Product Overview
IBM Rational AppScan Product OverviewAshish Patel
 
Veracode Corporate Overview - Print
Veracode Corporate Overview - PrintVeracode Corporate Overview - Print
Veracode Corporate Overview - PrintAndrew Kanikuru
 

Similaire à Risks in the Software Supply Chain (20)

Applying Software Quality Models to Software Security
Applying Software Quality Models to Software SecurityApplying Software Quality Models to Software Security
Applying Software Quality Models to Software Security
 
Emphasizing Value of Prioritizing AppSec Meetup 11052023.pptx
Emphasizing Value of Prioritizing AppSec Meetup 11052023.pptxEmphasizing Value of Prioritizing AppSec Meetup 11052023.pptx
Emphasizing Value of Prioritizing AppSec Meetup 11052023.pptx
 
"CERT Secure Coding Standards" by Dr. Mark Sherman
"CERT Secure Coding Standards" by Dr. Mark Sherman"CERT Secure Coding Standards" by Dr. Mark Sherman
"CERT Secure Coding Standards" by Dr. Mark Sherman
 
Tech Talk: Isn’t One Authentication Mechanism z Systems Enough?
Tech Talk: Isn’t One Authentication Mechanism z Systems Enough?Tech Talk: Isn’t One Authentication Mechanism z Systems Enough?
Tech Talk: Isn’t One Authentication Mechanism z Systems Enough?
 
Case Closed with IBM Application Security on Cloud infographic
Case Closed with IBM Application Security on Cloud infographicCase Closed with IBM Application Security on Cloud infographic
Case Closed with IBM Application Security on Cloud infographic
 
What the New OWASP Top 10 2013 and Latest X-Force Report Mean for App Sec
What the New OWASP Top 10 2013 and Latest X-Force Report Mean for App SecWhat the New OWASP Top 10 2013 and Latest X-Force Report Mean for App Sec
What the New OWASP Top 10 2013 and Latest X-Force Report Mean for App Sec
 
Top 6 Web Application Security Best Practices.pdf
Top 6 Web Application Security Best Practices.pdfTop 6 Web Application Security Best Practices.pdf
Top 6 Web Application Security Best Practices.pdf
 
New threats to cyber-security
New threats to cyber-securityNew threats to cyber-security
New threats to cyber-security
 
Automotive Cybersecurity: The Gap Still Exists
Automotive Cybersecurity: The Gap Still ExistsAutomotive Cybersecurity: The Gap Still Exists
Automotive Cybersecurity: The Gap Still Exists
 
Fortify-Application_Security_Foundation_Training.pptx
Fortify-Application_Security_Foundation_Training.pptxFortify-Application_Security_Foundation_Training.pptx
Fortify-Application_Security_Foundation_Training.pptx
 
Fortify-Application_Security_Foundation_Training.pptx
Fortify-Application_Security_Foundation_Training.pptxFortify-Application_Security_Foundation_Training.pptx
Fortify-Application_Security_Foundation_Training.pptx
 
Research Article On Web Application Security
Research Article On Web Application SecurityResearch Article On Web Application Security
Research Article On Web Application Security
 
Intelligence on the Intractable Problem of Software Security
Intelligence on the Intractable Problem of Software SecurityIntelligence on the Intractable Problem of Software Security
Intelligence on the Intractable Problem of Software Security
 
Unified application security analyser
Unified application security analyserUnified application security analyser
Unified application security analyser
 
White Paper: 7 Security Gaps in the Neglected 90% of your Applications
White Paper: 7 Security Gaps in the Neglected 90% of your ApplicationsWhite Paper: 7 Security Gaps in the Neglected 90% of your Applications
White Paper: 7 Security Gaps in the Neglected 90% of your Applications
 
Revolution in Mobility
Revolution in MobilityRevolution in Mobility
Revolution in Mobility
 
Research Paper
Research PaperResearch Paper
Research Paper
 
Insider's Guide to the AppExchange Security Review (Dreamforce 2015)
Insider's Guide to the AppExchange Security Review (Dreamforce 2015)Insider's Guide to the AppExchange Security Review (Dreamforce 2015)
Insider's Guide to the AppExchange Security Review (Dreamforce 2015)
 
IBM Rational AppScan Product Overview
IBM Rational AppScan Product OverviewIBM Rational AppScan Product Overview
IBM Rational AppScan Product Overview
 
Veracode Corporate Overview - Print
Veracode Corporate Overview - PrintVeracode Corporate Overview - Print
Veracode Corporate Overview - Print
 

Plus de Sonatype

DevOps Days Columbus - Derek Weeks - 2019
DevOps Days Columbus - Derek Weeks - 2019DevOps Days Columbus - Derek Weeks - 2019
DevOps Days Columbus - Derek Weeks - 2019Sonatype
 
2019 DevSecOps Reference Architectures
2019 DevSecOps Reference Architectures2019 DevSecOps Reference Architectures
2019 DevSecOps Reference ArchitecturesSonatype
 
RSAC DevSecOpsDays 2018 - We are all Equifax
RSAC DevSecOpsDays 2018 - We are all EquifaxRSAC DevSecOpsDays 2018 - We are all Equifax
RSAC DevSecOpsDays 2018 - We are all EquifaxSonatype
 
DevSecOps reference architectures 2018
DevSecOps reference architectures 2018DevSecOps reference architectures 2018
DevSecOps reference architectures 2018Sonatype
 
30+ Nexus Integrations to Accelerate DevOps
30+ Nexus Integrations to Accelerate DevOps30+ Nexus Integrations to Accelerate DevOps
30+ Nexus Integrations to Accelerate DevOpsSonatype
 
2017 DevSecOps Survey
2017 DevSecOps Survey2017 DevSecOps Survey
2017 DevSecOps SurveySonatype
 
Starting and Scaling DevOps In the Enterprise
Starting and Scaling DevOps In the EnterpriseStarting and Scaling DevOps In the Enterprise
Starting and Scaling DevOps In the EnterpriseSonatype
 
DevOps Friendly Doc Publishing for APIs & Microservices
DevOps Friendly Doc Publishing for APIs & MicroservicesDevOps Friendly Doc Publishing for APIs & Microservices
DevOps Friendly Doc Publishing for APIs & MicroservicesSonatype
 
The Unrealized Role of Monitoring & Alerting w/ Jason Hand
The Unrealized Role of Monitoring & Alerting w/ Jason HandThe Unrealized Role of Monitoring & Alerting w/ Jason Hand
The Unrealized Role of Monitoring & Alerting w/ Jason HandSonatype
 
DevOps and All the Continuouses w/ Helen Beal
DevOps and All the Continuouses w/ Helen BealDevOps and All the Continuouses w/ Helen Beal
DevOps and All the Continuouses w/ Helen BealSonatype
 
Serverless and the Way Forward
Serverless and the Way ForwardServerless and the Way Forward
Serverless and the Way ForwardSonatype
 
A Small Association's Journey to DevOps w/ Edward Ruiz
A Small Association's Journey to DevOps w/ Edward RuizA Small Association's Journey to DevOps w/ Edward Ruiz
A Small Association's Journey to DevOps w/ Edward RuizSonatype
 
What's My Security Policy Doing to My Help Desk w/ Chris Swan
What's My Security Policy Doing to My Help Desk w/ Chris SwanWhat's My Security Policy Doing to My Help Desk w/ Chris Swan
What's My Security Policy Doing to My Help Desk w/ Chris SwanSonatype
 
Characterizing and Contrasting Kuhn-tey-ner Awr-kuh-streyt-ors
Characterizing and Contrasting Kuhn-tey-ner Awr-kuh-streyt-orsCharacterizing and Contrasting Kuhn-tey-ner Awr-kuh-streyt-ors
Characterizing and Contrasting Kuhn-tey-ner Awr-kuh-streyt-orsSonatype
 
Static Analysis For Security and DevOps Happiness w/ Justin Collins
Static Analysis For Security and DevOps Happiness w/ Justin CollinsStatic Analysis For Security and DevOps Happiness w/ Justin Collins
Static Analysis For Security and DevOps Happiness w/ Justin CollinsSonatype
 
Automated Infrastructure Security: Monitoring using FOSS
Automated Infrastructure Security: Monitoring using FOSSAutomated Infrastructure Security: Monitoring using FOSS
Automated Infrastructure Security: Monitoring using FOSSSonatype
 
System Hardening Using Ansible
System Hardening Using AnsibleSystem Hardening Using Ansible
System Hardening Using AnsibleSonatype
 
There is No Server: Immutable Infrastructure and Serverless Architecture
There is No Server: Immutable Infrastructure and Serverless ArchitectureThere is No Server: Immutable Infrastructure and Serverless Architecture
There is No Server: Immutable Infrastructure and Serverless ArchitectureSonatype
 
Getting out of the Job Jungle with Jenkins
Getting out of the Job Jungle with JenkinsGetting out of the Job Jungle with Jenkins
Getting out of the Job Jungle with JenkinsSonatype
 
Modern Infrastructure Automation
Modern Infrastructure AutomationModern Infrastructure Automation
Modern Infrastructure AutomationSonatype
 

Plus de Sonatype (20)

DevOps Days Columbus - Derek Weeks - 2019
DevOps Days Columbus - Derek Weeks - 2019DevOps Days Columbus - Derek Weeks - 2019
DevOps Days Columbus - Derek Weeks - 2019
 
2019 DevSecOps Reference Architectures
2019 DevSecOps Reference Architectures2019 DevSecOps Reference Architectures
2019 DevSecOps Reference Architectures
 
RSAC DevSecOpsDays 2018 - We are all Equifax
RSAC DevSecOpsDays 2018 - We are all EquifaxRSAC DevSecOpsDays 2018 - We are all Equifax
RSAC DevSecOpsDays 2018 - We are all Equifax
 
DevSecOps reference architectures 2018
DevSecOps reference architectures 2018DevSecOps reference architectures 2018
DevSecOps reference architectures 2018
 
30+ Nexus Integrations to Accelerate DevOps
30+ Nexus Integrations to Accelerate DevOps30+ Nexus Integrations to Accelerate DevOps
30+ Nexus Integrations to Accelerate DevOps
 
2017 DevSecOps Survey
2017 DevSecOps Survey2017 DevSecOps Survey
2017 DevSecOps Survey
 
Starting and Scaling DevOps In the Enterprise
Starting and Scaling DevOps In the EnterpriseStarting and Scaling DevOps In the Enterprise
Starting and Scaling DevOps In the Enterprise
 
DevOps Friendly Doc Publishing for APIs & Microservices
DevOps Friendly Doc Publishing for APIs & MicroservicesDevOps Friendly Doc Publishing for APIs & Microservices
DevOps Friendly Doc Publishing for APIs & Microservices
 
The Unrealized Role of Monitoring & Alerting w/ Jason Hand
The Unrealized Role of Monitoring & Alerting w/ Jason HandThe Unrealized Role of Monitoring & Alerting w/ Jason Hand
The Unrealized Role of Monitoring & Alerting w/ Jason Hand
 
DevOps and All the Continuouses w/ Helen Beal
DevOps and All the Continuouses w/ Helen BealDevOps and All the Continuouses w/ Helen Beal
DevOps and All the Continuouses w/ Helen Beal
 
Serverless and the Way Forward
Serverless and the Way ForwardServerless and the Way Forward
Serverless and the Way Forward
 
A Small Association's Journey to DevOps w/ Edward Ruiz
A Small Association's Journey to DevOps w/ Edward RuizA Small Association's Journey to DevOps w/ Edward Ruiz
A Small Association's Journey to DevOps w/ Edward Ruiz
 
What's My Security Policy Doing to My Help Desk w/ Chris Swan
What's My Security Policy Doing to My Help Desk w/ Chris SwanWhat's My Security Policy Doing to My Help Desk w/ Chris Swan
What's My Security Policy Doing to My Help Desk w/ Chris Swan
 
Characterizing and Contrasting Kuhn-tey-ner Awr-kuh-streyt-ors
Characterizing and Contrasting Kuhn-tey-ner Awr-kuh-streyt-orsCharacterizing and Contrasting Kuhn-tey-ner Awr-kuh-streyt-ors
Characterizing and Contrasting Kuhn-tey-ner Awr-kuh-streyt-ors
 
Static Analysis For Security and DevOps Happiness w/ Justin Collins
Static Analysis For Security and DevOps Happiness w/ Justin CollinsStatic Analysis For Security and DevOps Happiness w/ Justin Collins
Static Analysis For Security and DevOps Happiness w/ Justin Collins
 
Automated Infrastructure Security: Monitoring using FOSS
Automated Infrastructure Security: Monitoring using FOSSAutomated Infrastructure Security: Monitoring using FOSS
Automated Infrastructure Security: Monitoring using FOSS
 
System Hardening Using Ansible
System Hardening Using AnsibleSystem Hardening Using Ansible
System Hardening Using Ansible
 
There is No Server: Immutable Infrastructure and Serverless Architecture
There is No Server: Immutable Infrastructure and Serverless ArchitectureThere is No Server: Immutable Infrastructure and Serverless Architecture
There is No Server: Immutable Infrastructure and Serverless Architecture
 
Getting out of the Job Jungle with Jenkins
Getting out of the Job Jungle with JenkinsGetting out of the Job Jungle with Jenkins
Getting out of the Job Jungle with Jenkins
 
Modern Infrastructure Automation
Modern Infrastructure AutomationModern Infrastructure Automation
Modern Infrastructure Automation
 

Dernier

IoT Analytics Company Presentation May 2024
IoT Analytics Company Presentation May 2024IoT Analytics Company Presentation May 2024
IoT Analytics Company Presentation May 2024IoTAnalytics
 
Linux Foundation Edge _ Overview of FDO Software Components _ Randy at Intel.pdf
Linux Foundation Edge _ Overview of FDO Software Components _ Randy at Intel.pdfLinux Foundation Edge _ Overview of FDO Software Components _ Randy at Intel.pdf
Linux Foundation Edge _ Overview of FDO Software Components _ Randy at Intel.pdfFIDO Alliance
 
Simplified FDO Manufacturing Flow with TPMs _ Liam at Infineon.pdf
Simplified FDO Manufacturing Flow with TPMs _ Liam at Infineon.pdfSimplified FDO Manufacturing Flow with TPMs _ Liam at Infineon.pdf
Simplified FDO Manufacturing Flow with TPMs _ Liam at Infineon.pdfFIDO Alliance
 
IESVE for Early Stage Design and Planning
IESVE for Early Stage Design and PlanningIESVE for Early Stage Design and Planning
IESVE for Early Stage Design and PlanningIES VE
 
Powerful Start- the Key to Project Success, Barbara Laskowska
Powerful Start- the Key to Project Success, Barbara LaskowskaPowerful Start- the Key to Project Success, Barbara Laskowska
Powerful Start- the Key to Project Success, Barbara LaskowskaCzechDreamin
 
ASRock Industrial FDO Solutions in Action for Industrial Edge AI _ Kenny at A...
ASRock Industrial FDO Solutions in Action for Industrial Edge AI _ Kenny at A...ASRock Industrial FDO Solutions in Action for Industrial Edge AI _ Kenny at A...
ASRock Industrial FDO Solutions in Action for Industrial Edge AI _ Kenny at A...FIDO Alliance
 
ECS 2024 Teams Premium - Pretty Secure
ECS 2024 Teams Premium - Pretty SecureECS 2024 Teams Premium - Pretty Secure
ECS 2024 Teams Premium - Pretty SecureFemke de Vroome
 
IOS-PENTESTING-BEGINNERS-PRACTICAL-GUIDE-.pptx
IOS-PENTESTING-BEGINNERS-PRACTICAL-GUIDE-.pptxIOS-PENTESTING-BEGINNERS-PRACTICAL-GUIDE-.pptx
IOS-PENTESTING-BEGINNERS-PRACTICAL-GUIDE-.pptxAbida Shariff
 
Behind the Scenes From the Manager's Chair: Decoding the Secrets of Successfu...
Behind the Scenes From the Manager's Chair: Decoding the Secrets of Successfu...Behind the Scenes From the Manager's Chair: Decoding the Secrets of Successfu...
Behind the Scenes From the Manager's Chair: Decoding the Secrets of Successfu...CzechDreamin
 
Salesforce Adoption – Metrics, Methods, and Motivation, Antone Kom
Salesforce Adoption – Metrics, Methods, and Motivation, Antone KomSalesforce Adoption – Metrics, Methods, and Motivation, Antone Kom
Salesforce Adoption – Metrics, Methods, and Motivation, Antone KomCzechDreamin
 
AI presentation and introduction - Retrieval Augmented Generation RAG 101
AI presentation and introduction - Retrieval Augmented Generation RAG 101AI presentation and introduction - Retrieval Augmented Generation RAG 101
AI presentation and introduction - Retrieval Augmented Generation RAG 101vincent683379
 
Designing for Hardware Accessibility at Comcast
Designing for Hardware Accessibility at ComcastDesigning for Hardware Accessibility at Comcast
Designing for Hardware Accessibility at ComcastUXDXConf
 
Intro in Product Management - Коротко про професію продакт менеджера
Intro in Product Management - Коротко про професію продакт менеджераIntro in Product Management - Коротко про професію продакт менеджера
Intro in Product Management - Коротко про професію продакт менеджераMark Opanasiuk
 
Free and Effective: Making Flows Publicly Accessible, Yumi Ibrahimzade
Free and Effective: Making Flows Publicly Accessible, Yumi IbrahimzadeFree and Effective: Making Flows Publicly Accessible, Yumi Ibrahimzade
Free and Effective: Making Flows Publicly Accessible, Yumi IbrahimzadeCzechDreamin
 
Extensible Python: Robustness through Addition - PyCon 2024
Extensible Python: Robustness through Addition - PyCon 2024Extensible Python: Robustness through Addition - PyCon 2024
Extensible Python: Robustness through Addition - PyCon 2024Patrick Viafore
 
AI revolution and Salesforce, Jiří Karpíšek
AI revolution and Salesforce, Jiří KarpíšekAI revolution and Salesforce, Jiří Karpíšek
AI revolution and Salesforce, Jiří KarpíšekCzechDreamin
 
Unpacking Value Delivery - Agile Oxford Meetup - May 2024.pptx
Unpacking Value Delivery - Agile Oxford Meetup - May 2024.pptxUnpacking Value Delivery - Agile Oxford Meetup - May 2024.pptx
Unpacking Value Delivery - Agile Oxford Meetup - May 2024.pptxDavid Michel
 
Speed Wins: From Kafka to APIs in Minutes
Speed Wins: From Kafka to APIs in MinutesSpeed Wins: From Kafka to APIs in Minutes
Speed Wins: From Kafka to APIs in Minutesconfluent
 
Agentic RAG What it is its types applications and implementation.pdf
Agentic RAG What it is its types applications and implementation.pdfAgentic RAG What it is its types applications and implementation.pdf
Agentic RAG What it is its types applications and implementation.pdfChristopherTHyatt
 
Introduction to Open Source RAG and RAG Evaluation
Introduction to Open Source RAG and RAG EvaluationIntroduction to Open Source RAG and RAG Evaluation
Introduction to Open Source RAG and RAG EvaluationZilliz
 

Dernier (20)

IoT Analytics Company Presentation May 2024
IoT Analytics Company Presentation May 2024IoT Analytics Company Presentation May 2024
IoT Analytics Company Presentation May 2024
 
Linux Foundation Edge _ Overview of FDO Software Components _ Randy at Intel.pdf
Linux Foundation Edge _ Overview of FDO Software Components _ Randy at Intel.pdfLinux Foundation Edge _ Overview of FDO Software Components _ Randy at Intel.pdf
Linux Foundation Edge _ Overview of FDO Software Components _ Randy at Intel.pdf
 
Simplified FDO Manufacturing Flow with TPMs _ Liam at Infineon.pdf
Simplified FDO Manufacturing Flow with TPMs _ Liam at Infineon.pdfSimplified FDO Manufacturing Flow with TPMs _ Liam at Infineon.pdf
Simplified FDO Manufacturing Flow with TPMs _ Liam at Infineon.pdf
 
IESVE for Early Stage Design and Planning
IESVE for Early Stage Design and PlanningIESVE for Early Stage Design and Planning
IESVE for Early Stage Design and Planning
 
Powerful Start- the Key to Project Success, Barbara Laskowska
Powerful Start- the Key to Project Success, Barbara LaskowskaPowerful Start- the Key to Project Success, Barbara Laskowska
Powerful Start- the Key to Project Success, Barbara Laskowska
 
ASRock Industrial FDO Solutions in Action for Industrial Edge AI _ Kenny at A...
ASRock Industrial FDO Solutions in Action for Industrial Edge AI _ Kenny at A...ASRock Industrial FDO Solutions in Action for Industrial Edge AI _ Kenny at A...
ASRock Industrial FDO Solutions in Action for Industrial Edge AI _ Kenny at A...
 
ECS 2024 Teams Premium - Pretty Secure
ECS 2024 Teams Premium - Pretty SecureECS 2024 Teams Premium - Pretty Secure
ECS 2024 Teams Premium - Pretty Secure
 
IOS-PENTESTING-BEGINNERS-PRACTICAL-GUIDE-.pptx
IOS-PENTESTING-BEGINNERS-PRACTICAL-GUIDE-.pptxIOS-PENTESTING-BEGINNERS-PRACTICAL-GUIDE-.pptx
IOS-PENTESTING-BEGINNERS-PRACTICAL-GUIDE-.pptx
 
Behind the Scenes From the Manager's Chair: Decoding the Secrets of Successfu...
Behind the Scenes From the Manager's Chair: Decoding the Secrets of Successfu...Behind the Scenes From the Manager's Chair: Decoding the Secrets of Successfu...
Behind the Scenes From the Manager's Chair: Decoding the Secrets of Successfu...
 
Salesforce Adoption – Metrics, Methods, and Motivation, Antone Kom
Salesforce Adoption – Metrics, Methods, and Motivation, Antone KomSalesforce Adoption – Metrics, Methods, and Motivation, Antone Kom
Salesforce Adoption – Metrics, Methods, and Motivation, Antone Kom
 
AI presentation and introduction - Retrieval Augmented Generation RAG 101
AI presentation and introduction - Retrieval Augmented Generation RAG 101AI presentation and introduction - Retrieval Augmented Generation RAG 101
AI presentation and introduction - Retrieval Augmented Generation RAG 101
 
Designing for Hardware Accessibility at Comcast
Designing for Hardware Accessibility at ComcastDesigning for Hardware Accessibility at Comcast
Designing for Hardware Accessibility at Comcast
 
Intro in Product Management - Коротко про професію продакт менеджера
Intro in Product Management - Коротко про професію продакт менеджераIntro in Product Management - Коротко про професію продакт менеджера
Intro in Product Management - Коротко про професію продакт менеджера
 
Free and Effective: Making Flows Publicly Accessible, Yumi Ibrahimzade
Free and Effective: Making Flows Publicly Accessible, Yumi IbrahimzadeFree and Effective: Making Flows Publicly Accessible, Yumi Ibrahimzade
Free and Effective: Making Flows Publicly Accessible, Yumi Ibrahimzade
 
Extensible Python: Robustness through Addition - PyCon 2024
Extensible Python: Robustness through Addition - PyCon 2024Extensible Python: Robustness through Addition - PyCon 2024
Extensible Python: Robustness through Addition - PyCon 2024
 
AI revolution and Salesforce, Jiří Karpíšek
AI revolution and Salesforce, Jiří KarpíšekAI revolution and Salesforce, Jiří Karpíšek
AI revolution and Salesforce, Jiří Karpíšek
 
Unpacking Value Delivery - Agile Oxford Meetup - May 2024.pptx
Unpacking Value Delivery - Agile Oxford Meetup - May 2024.pptxUnpacking Value Delivery - Agile Oxford Meetup - May 2024.pptx
Unpacking Value Delivery - Agile Oxford Meetup - May 2024.pptx
 
Speed Wins: From Kafka to APIs in Minutes
Speed Wins: From Kafka to APIs in MinutesSpeed Wins: From Kafka to APIs in Minutes
Speed Wins: From Kafka to APIs in Minutes
 
Agentic RAG What it is its types applications and implementation.pdf
Agentic RAG What it is its types applications and implementation.pdfAgentic RAG What it is its types applications and implementation.pdf
Agentic RAG What it is its types applications and implementation.pdf
 
Introduction to Open Source RAG and RAG Evaluation
Introduction to Open Source RAG and RAG EvaluationIntroduction to Open Source RAG and RAG Evaluation
Introduction to Open Source RAG and RAG Evaluation
 

Risks in the Software Supply Chain

  • 1. © 2015 Carnegie Mellon University Risks in the Software Supply Chain Software Engineering Institute Carnegie Mellon University Pittsburgh, PA 15213 Mark Sherman, Ph.D. Technical Director, CERT Jan 15, 2015
  • 2. 2 Risks in the Software Supply Chain Mark Sherman, 15-Jan-2015 © 2015 Carnegie Mellon University Copyright 2015 Carnegie Mellon University This material is based upon work funded and supported by the Department of Defense under Contract No. FA8721-05-C-0003 with Carnegie Mellon University for the operation of the Software Engineering Institute, a federally funded research and development center. Any opinions, findings and conclusions or recommendations expressed in this material are those of the author(s) and do not necessarily reflect the views of the United States Department of Defense. References herein to any specific commercial product, process, or service by trade name, trade mark, manufacturer, or otherwise, does not necessarily constitute or imply its endorsement, recommendation, or favoring by Carnegie Mellon University or its Software Engineering Institute. NO WARRANTY. THIS CARNEGIE MELLON UNIVERSITY AND SOFTWARE ENGINEERING INSTITUTE MATERIAL IS FURNISHED ON AN “AS-IS” BASIS. CARNEGIE MELLON UNIVERSITY MAKES NO WARRANTIES OF ANY KIND, EITHER EXPRESSED OR IMPLIED, AS TO ANY MATTER INCLUDING, BUT NOT LIMITED TO, WARRANTY OF FITNESS FOR PURPOSE OR MERCHANTABILITY, EXCLUSIVITY, OR RESULTS OBTAINED FROM USE OF THE MATERIAL. CARNEGIE MELLON UNIVERSITY DOES NOT MAKE ANY WARRANTY OF ANY KIND WITH RESPECT TO FREEDOM FROM PATENT, TRADEMARK, OR COPYRIGHT INFRINGEMENT. This material has been approved for public release and unlimited distribution. This material may be reproduced in its entirety, without modification, and freely distributed in written or electronic form without requesting formal permission. Permission is required for any other use. Requests for permission should be directed to the Software Engineering Institute at permission@sei.cmu.edu. Carnegie Mellon®, CERT® and CMMI® are registered marks of Carnegie Mellon University. DM-0002130
  • 3. 3 Risks in the Software Supply Chain Mark Sherman, 15-Jan-2015 © 2015 Carnegie Mellon University Conventional view of supply chain risk Sources: http://www.nytix.com/NewYorkCity/articles/handbags.html; http://www.laserwisetech.co.nz/secret.php; http://www.muscatdaily.com/Archive/Oman/Fake-car-parts-contribute-to-rise-in-road-accidents-Experts; http://www.andovercg.com/services/cisco-counterfeit-wic-1dsu-t1.shtml; http://unites-systems.com/l.php?id=191
  • 4. 4 Risks in the Software Supply Chain Mark Sherman, 15-Jan-2015 © 2015 Carnegie Mellon University Software is the new hardware – IT IT moving from specialized hardware to software, virtualized as • Servers: virtual CPUs • Storage: SANs • Switches: Soft switches • Networks: Software defined networks
  • 5. 5 Risks in the Software Supply Chain Mark Sherman, 15-Jan-2015 © 2015 Carnegie Mellon University • Cellular • Main processor • Base band processor • Secure element (SIM) • Automotive • Up to 100 networked CPUs in luxury cars • Vehicle to infrastructure (V2I) • Vehicle to vehicle (V2V) • Industrial and home automation • 3D printing (additive manufacturing) • Autonomous robots • Interconnected SCADA • Aviation • 80% of airplane function in software • Next Gen air traffic control • Smart grid • Smart electric meters • Smart metering infrastructure • Embedded medical devices Software is the new hardware – cyber physical
  • 6. 6 Risks in the Software Supply Chain Mark Sherman, 15-Jan-2015 © 2015 Carnegie Mellon University Software is the new hardware – everything 90 percent of [Samsung’s] products -- which includes everything from smartphones to refrigerator-- would be able to connect to the Web by 2017. In five years, every product in the company's entire catalog would be Internet connected. B.K. Yoon, Samsung co-CEO CNET Jan 5, 2015 Source: http://www.cnet.com/news/samsung-co-ceo-in-5-years-all-our-products-will-be-internet-connected/ http://www.wsj.com/articles/SB10001424053111903480904576512250915629460 Software is eating the world. Marc Andreessen, WSJ, Aug 20,2011
  • 7. 7 Risks in the Software Supply Chain Mark Sherman, 15-Jan-2015 © 2015 Carnegie Mellon University Evolution of software development Custom development – context: • Software was limited  Size  Function  Audience • Each organization employed developers • Each organization created their own software Shared development – ISVs (COTS) – context: • Function largely understood  Automating existing processes • Grown beyond ability for using organization to development economically • Outside of core competitiveness by acquirers Supply chain: practically none Supply chain: software supplier
  • 8. 8 Risks in the Software Supply Chain Mark Sherman, 15-Jan-2015 © 2015 Carnegie Mellon University Development is now assembly General Ledger SQL Server WebSphere HTTP server XML Parser Oracle DB SIP servlet container GIF library Note: hypothetical application composition Collective development – context: • Too large for single organization • Too much specialization • Too little value in individual components Supply chain: long
  • 9. 9 Risks in the Software Supply Chain Mark Sherman, 15-Jan-2015 © 2015 Carnegie Mellon University Software supply chain for assembled software Expanding the scope and complexity of acquisition and deployment Visibility and direct program office controls are limited (only in shaded area) Source: “Scope of Supplier Expansion and Foreign Involvement” graphic in DACS www.softwaretechnews.com Secure Software Engineering, July 2005 article “Software Development Security: A Risk Management Perspective” synopsis of May 2004 GAO-04- 678 report “Defense Acquisition: Knowledge of Software Suppliers Needed to Manage Risks”
  • 10. 10 Risks in the Software Supply Chain Mark Sherman, 15-Jan-2015 © 2015 Carnegie Mellon University Corruption along the supply chain is easy Knowledgeable analysts can convert packaged binary into malware in minutes Sources: Pedro Candel, Deloitte CyberSOC Academy , Deloitte http://www.8enise.webcastlive.es/webcast.htm?video=08; http://www.microsoft.com/Products/Games/FSInsider/freeflight/PublishingImages/scene.jpg; https://www.withfriendship.com/user/mithunss/easter-eggs-in-microsoft-products.php Unexpected or unintended behaviors in components
  • 11. 11 Risks in the Software Supply Chain Mark Sherman, 15-Jan-2015 © 2015 Carnegie Mellon University Substantial open source contained in supply chain • At least 75% of organizations rely on open source as the foundation of their applications • Most applications are now assembled from hundreds of open source components, often reflecting as much as 90% of an application. Distributed development – context: • Amortize expense • Outsource non-differential features • Lower acquisition (CapEx) expense Source: Sonatype, 2014 Sonatype Open Source Development and Application Security Survey Supply chain: opaque
  • 12. 12 Risks in the Software Supply Chain Mark Sherman, 15-Jan-2015 © 2015 Carnegie Mellon University Open source supply chain has a long path App server HTTP server XML Parser C Libraries C compiler Generated Parser Parser Generator 2nd Compiler
  • 13. 13 Risks in the Software Supply Chain Mark Sherman, 15-Jan-2015 © 2015 Carnegie Mellon University Versions of Android illustrate open source fragmentation Source: http://opensignal.com/reports/fragmentation.php .
  • 14. 14 Risks in the Software Supply Chain Mark Sherman, 15-Jan-2015 © 2015 Carnegie Mellon University Open source is not secure Heartbleed and Shellshock were found by exploitation Other open source software illustrates vulnerabilities from cursory inspection Sources: Steve Christey (MITRE) & Brian Martin (OSF), Buying Into the Bias: Why Vulnerability Statistics Suck, https://media.blackhat.com/us-13/US-13-Martin-Buying-Into-The-Bias-Why-Vulnerability-Statistics- Suck-Slides.pdf; Sonatype, Sonatype Open Source Development and Application Security Survey 46 million vulnerable open source components downloaded annually
  • 15. 15 Risks in the Software Supply Chain Mark Sherman, 15-Jan-2015 © 2015 Carnegie Mellon University Reducing software supply chain risk factors Software supply chain risk for a product needs to be reduced to acceptable level Supplier follows practices that reduce supply chain risks Delivered or updated product is acceptably secure Product Distribution Operational Product Control Product is used in a secure manner Methods of transmitting the product to the purchaser guard again tampering Product Security Supplier Capability
  • 16. 16 Risks in the Software Supply Chain Mark Sherman, 15-Jan-2015 © 2015 Carnegie Mellon University Supplier security commitment evidence Supplier employees are educated as to security engineering practices • Documentation for each engineer of training and when trained/retrained • Revision dates for training materials • Lists of acceptable credentials for instructors • Names of instructors and their credentials Supplier follows suitable security design practices • Documented design guidelines • Provides evidence that design and coding weaknesses that affect security have been addressed (Common Weakness Enumeration (CWE)) • Has analyzed attack patterns appropriate to the design such as those that are included in Common Attack Pattern Enumeration and Classification (CAPEC)
  • 17. 17 Risks in the Software Supply Chain Mark Sherman, 15-Jan-2015 © 2015 Carnegie Mellon University Evaluate a product’s threat resistance What product characteristics minimize opportunities to enter and change the product’s security characteristics? • Attack surface evaluation: Exploitable features have been identified and eliminated where possible – Access controls – Input/output channels – Attack enabling applications – email, Web – Targets • Design and coding weaknesses associated with exploitable features have been identified and mitigated (CWE) • Independent validation and verification of threat resistance
  • 18. 18 Risks in the Software Supply Chain Mark Sherman, 15-Jan-2015 © 2015 Carnegie Mellon University Establishing good product distribution practices Recognize that supply chain risks are accumulated • Subcontractor/COTS-product supply chain risk is inherited by those that use that software, tool, system, etc. Apply to the acquiring organizations and their suppliers • Require good security practices by their suppliers • Assess the security of delivered products • Address the additional risks associated with using the product in their context
  • 19. 19 Risks in the Software Supply Chain Mark Sherman, 15-Jan-2015 © 2015 Carnegie Mellon University Maintain attack resistance Who assumes responsibility for preserving product attack resistance with product deployment? • Patching and version upgrades • Expanded distribution of usage • Expanded integration Usage changes the attack surface and potential attacks for the product • Change in feature usage or risks • Are supplier risk mitigations adequate for desired usage? • Effects of vendor upgrades/patches and local configuration changes • Effects of integration into operations (system of systems)
  • 20. 20 Risks in the Software Supply Chain Mark Sherman, 15-Jan-2015 © 2015 Carnegie Mellon University What about open source? Establish a supplier for open source • Self • 3rd party focusing on open source Subject to same evaluation • Supplier capability • Product security • Product distribution • Operational product control Source: http://opensource.org/
  • 21. 21 Risks in the Software Supply Chain Mark Sherman, 15-Jan-2015 © 2015 Carnegie Mellon University Business decisions are about risk There are many risks to a business process or mission thread • Within a system • Collection of systems Supply chain is one of many risk components Evaluate software supply chain risk in the larger context of • Supply chain risk • System risk • System of systems risk
  • 22. 22 Risks in the Software Supply Chain Mark Sherman, 15-Jan-2015 © 2015 Carnegie Mellon University Security Engineering Risk Analysis (SERA ) 1. Establish operational context. 2. Identify risk. 3. Analyze risk. 4. Develop control plan. Mission Thread / Business Process Worksheet Risk Identification Worksheet Risk Evaluation Criteria Risk Analysis Worksheet Control Approach Worksheet Control Plan Worksheet
  • 23. 23 Risks in the Software Supply Chain Mark Sherman, 15-Jan-2015 © 2015 Carnegie Mellon University Where to start Anywhere • 76% do not have meaningful controls over what components are in their applications • 81% do not coordinate their security practices in various stages of the development life cycle • 47% do not perform acceptance tests for third-party code Plenty of models to choose from BSIMM: Building Security in Maturity Model CMMI: Capability Maturity Model Integration for Acquisitions PRM: SwA Forum Processes and Practices Group Process Reference Model RMM: CERT Resilience Management Model SAMM: OWASP Open Software Assurance Maturity Model Sources: Sonatype, 2014 Sonatype Open Source Development and Application Security Survey; Forrester Consulting, “State of Application Security,” January 2011
  • 24. 24 Risks in the Software Supply Chain Mark Sherman, 15-Jan-2015 © 2015 Carnegie Mellon University Further reading Alberts, Christopher, et al., “Introduction to the Security Engineering Risk Analysis (SERA) Fraemwork,” Software Engineering Institute, Nov 2014, http://resources.sei.cmu.edu/asset_files/TechnicalNote/2014_004_001_427329.pdf Axelrod, C. Warren, “Mitigating Software Supply Chain Risk,” ISCA Journal Online, Vol 4., 2013, http://www.isaca.org/Journal/Past- Issues/2013/Volume-4/Pages/JOnline-Mitigating-Software-Supply-Chain-Risk.aspx Axelrod, C. Warren, “Malware, Weakware and the Security of Software Supply Chains,” Cross-Talk, March/April 2014, p. 20, http://www.crosstalkonline.org/storage/issue-archives/2014/201403/201403-Axelrod.pdf Ellison, Robert, et al, “Software Supply Chain Risk Management: From Products to Systems of Systems,” Software Engineering Institute, Dec 2010, https://resources.sei.cmu.edu/asset_files/technicalnote/2010_004_001_15194.pdf Ellison, Robert, et al. “Evaluating and Mitigating Software Supply Chain Security Risks,” Software Engineering Institute, May 2010, http://resources.sei.cmu.edu/asset_files/technicalnote/2010_004_001_15176.pdf Ellison, Robert and Woody, Carol, “Supply-Chain Risk Management: Incorporating Security into Software Development,” Proceedings of the 43rd Hawaii International Conference on System Sciences, 2010, http://resources.sei.cmu.edu/asset_files/WhitePaper/2013_019_001_297341.pdf Jarzombek, Joe, “Collaboratively Advancing Strategies to Mitigate Software Supply Chain Risks,” July 30, 2009, http://csrc.nist.gov/groups/SMA/ispab/documents/minutes/2009-07/ispab_july09-jarzombek_swa-supply-chain.pdf Software Assurance Forum, Processes and Practices Working Group, “Software Assurance Checklist for Software Supply Chain Risk Management,” https://buildsecurityin.us-cert.gov/sites/default/files/20101208-SwAChecklist.pdf “Software Supply Chain Risk Management & Due-Diligence,” Software Assurance Pocket Guide Series: Acquisition & Outsourcing, Vol II, Version 1.2, June 16, 2009, https://buildsecurityin.us-cert.gov/sites/default/files/DueDiligenceMWV12_01AM090909.pdf
  • 25. 25 Risks in the Software Supply Chain Mark Sherman, 15-Jan-2015 © 2015 Carnegie Mellon University Contact Information Slide Format Mark Sherman Technical Director Cyber Security Foundations Telephone: +1 412-268-9223 Email: mssherman@sei.cmu.edu U.S. Mail Software Engineering Institute Customer Relations 4500 Fifth Avenue Pittsburgh, PA 15213-2612 USA Web www.sei.cmu.edu www.sei.cmu.edu/contact.cfm Customer Relations Email: info@sei.cmu.edu Telephone: +1 412-268-5800 SEI Phone: +1 412-268-5800 SEI Fax: +1 412-268-6257