MITRE’s System of Trust: A Proposed Standard for Software Supply Chain Security

MITRE’s System of Trust framework aims to standardize the assessment of software supply chain security. MITRE’s Robert Martin explains.

Software supply chain security is one of the hottest topics at this week’s RSA conference in San Francisco, where dozens of presentations and panels will dissect all aspects of supply chain risk, attack and mitigation.

But what constitutes the security of the software supply chain? And how do we compare the security of one company (or supplier) to another? As there is no agreed definition of supply chain security, its assessments are often narrowly focused and tailored.

What is needed is something closer to a supply chain risk measurement framework. In a session at Tuesday’s RSA conference, Robert Martin, an executive at the MITRE Labs Cyber Solutions Innovation Center, is pitching an idea to make something like that happen: a “System of Trust” (SoT) framework, which MITRE says will give organizations across the economy a common way to assess software supply chain risk.

The SoT, described by MITRE in a series of papers (PDF), is intended as a kind of “GAAP” (Generally Accepted Accounting Principles) for software supply chain security. Just as GAAP (at least among North American companies) standardizes financial accounting practices and measures, the MITRE SoT seeks to do the same for supply chain security. To raise awareness of its supply chain security work, MITRE has launched a new website, sot.mitre.org.

Speaking on our ConversingLabs podcast, recorded at RSA, Martin said the System of Trust builds on decades of work MITRE has done on behalf of federal agencies and contractors since the Cold War: helping them identify quality suppliers and also spot avenues for threats and attacks such as industrial espionage.

The emergence of the MITRE System of Trust

“This is the ‘next step’ for things that have been going on for a number of years,” Martin told me in an interview from the RSA conference in San Francisco. “This movement into the supply chain is really amplifying in the organization. These problems are not for the technologists. This is a business issue that requires business attention,” he said.

Although supply chain security issues date back decades, the growing reliance on information and communications technology (ICT) in recent years has complicated an already difficult task, Martin notes in the 2021 report:

“The computerization of everything has led to ubiquitous cyber threats – including those stemming from vulnerabilities embedded in repurposed software, often of dubious origin. Our adversaries seek to interfere in every conceivable phase of technology development, both for disruptive and intelligence purposes.”

The COVID pandemic has also highlighted supply chain risk by contributing to supply chain disruptions. But many organizations currently do not have a holistic way to assess supply chain security and integrity. “They either make their own little lists of these problems or borrow something from another project that they think is good,” Martin said. “Both of them don’t really give you the holistic context to start with.”

The System of Trust provides a framework to start answering some of the questions about supply chain risk, not only in government but also in the private sector. The SoT provides a “consistent and repeatable methodology” for evaluating vendors, supplies and service providers, MITER says.

MITRE System of Trust: Key Categories

The System of Trust is organized into key categories of supply chain participants: suppliers, supplies and services. For each, the SoT focuses on a small number of risk areas that government agencies and companies must assess during the adoption process, and then “make decisions” on whether that assessment has identified undue risk.

For example, when evaluating supplies (the components used in a product or service), organizations using the System of Trust framework are asked to look for issues related to possible counterfeit products and the “hygiene” of the supplies, and to look for evidence of “malicious contamination” by assessing the origin of the software, its manufacture (software composition) and any updates.

Organizations evaluating supplier security are asked to consider 5 risk categories comprising 26 risk factors. These include “organizational security” (both IT and data security) and “maliciousness”, such as inclusion on a sanctions list or investigations into fraud and corruption. A supplier’s financial health and ownership are part of the assessment, as are its internal cybersecurity practices and how it achieves software and hardware assurance.

Trusting what the software or service is

The goal is to enable an acquirer of software or services to “make a clear, well-informed decision about whether to buy from a particular company and whether to purchase a specific item/part number from that company,” MITRE said.

The assessments begin with general “scoping” questions for the potential supply chain partner, with the aim of aligning the System of Trust framework with the product, service or supplier in question. From there, subject-specific questions are asked about the presence (or absence) of “Aspects of Concern”. These questions may reflect government and industry best practices.

Identified risks are scored using what MITRE describes as a “set of context-driven, customizable, weighted measures used as inputs to a scoring algorithm.”

MITRE said it used the SoT to rank a set of 11 public companies, with promising results. The resulting risk scores ranged from 15 to 58 out of 70, with lower scores denoting lower risk. For the company with a score of 58, both IT security and financial stability raised red flags under the SoT scoring.
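To make the idea of “context-driven, customizable, weighted measures” feeding a score out of 70 concrete, here is an added illustrative scorer (not MITRE’s algorithm, and not code from the article). The five category names follow the article; the factor lists, the weights, the 0–1 risk levels, the red-flag threshold and the rule that missing evidence counts as maximum risk are all assumptions made for this example.

```python
# Illustrative weighted risk scorer in the spirit of SoT (constructed example,
# not the published SoT algorithm). Categories follow the article; the factors
# under each are assumed, as the article lists only some of the 26.
CATEGORIES = {
    "organizational_security": ["it_security", "data_security"],
    "maliciousness": ["sanctions_listing", "fraud_or_corruption_probe"],
    "financial_health": ["financial_stability"],
    "ownership": ["ownership_and_control"],
    "assurance_practices": ["internal_cyber_practices", "sw_hw_assurance"],
}
MAX_SCORE = 70  # the article reports scores out of 70; lower means lower risk


def score_supplier(findings, weights, flag_threshold=0.75):
    """Score one supplier.

    findings: factor -> assessed risk level in [0.0, 1.0] (0 = no concern).
    weights:  category -> relative weight chosen by the acquirer (the
              'context-driven' part: a defense buyer weights categories
              differently from a retailer).
    Returns (total score out of MAX_SCORE, points per category, red flags).
    Assumption: a factor with no evidence is scored at maximum risk, so an
    unanswered question can never lower the score.
    """
    total_weight = sum(weights[cat] for cat in CATEGORIES)
    raw, flags = {}, []
    for cat, factors in CATEGORIES.items():
        levels = [findings.get(factor, 1.0) for factor in factors]
        ratio = sum(levels) / len(levels)          # category risk in [0, 1]
        raw[cat] = ratio * weights[cat] / total_weight * MAX_SCORE
        if ratio >= flag_threshold:                # a "red flag" category
            flags.append(cat)
    total = round(sum(raw.values()))
    return total, {cat: round(pts, 1) for cat, pts in raw.items()}, flags


# Constructed weights for an acquirer that cares most about security and
# maliciousness (weights sum to 7, so each weight unit is worth 10 points).
WEIGHTS = {"organizational_security": 2, "maliciousness": 2,
           "financial_health": 1, "ownership": 1, "assurance_practices": 1}

# Constructed findings for a supplier whose IT security and financial
# stability are weak, mirroring the article's highest-scoring company.
RISKY_SUPPLIER = {"it_security": 0.9, "data_security": 0.7,
                  "sanctions_listing": 0.0, "fraud_or_corruption_probe": 0.2,
                  "financial_stability": 0.9, "ownership_and_control": 0.3,
                  "internal_cyber_practices": 0.5, "sw_hw_assurance": 0.5}

if __name__ == "__main__":
    print(score_supplier(RISKY_SUPPLIER, WEIGHTS))
```

Raising a category’s weight moves more of the 70 points onto it without changing which factors are red-flagged, which is why the weights and the flag threshold are kept separate.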

Putting the System of Trust into action

Martin said the System of Trust is a “starting point” for organizations to address the issue of supply chain security. Even if individual organizations don’t feel the need to implement the entire System of Trust in-house, simply engaging with the process lets them quickly identify whether they face supply chain risks that require attention.

Martin gives the example of “counterfeiting”, which is one of the risk areas for supplies. The method of detecting counterfeit components in your supply chain varies greatly depending on whether you manufacture microelectronics or, say, handbags. However, an important first step is to recognize that counterfeiting is a problem your company needs to be aware of and address, Martin said.

This is a Security Bloggers Network syndicated blog from the ReversingLabs Blog written by Paul Roberts. Read the original post at: https://blog.reversinglabs.com/blog/software-supply-chain-security-mitre-system-of-trust
