Cybersecurity Engineering Research: Supply Chain and Commercial-Off-the-Shelf (COTS) Assurance Collection
This research focuses on methods for analyzing security-related design weaknesses that cannot be corrected easily during operations.
Publisher:
Software Engineering Institute
Abstract
Organizations are increasingly acquiring commercial-off-the-shelf and open source software products or outsourcing development. Current approaches to acquisition do not account for the risk management issues of complex software supply chains. On-time delivery and costs often get attention, but some of the most serious risks are related to system assurance, the confidence that the system behaves as expected. Software defects, such as design and implementation errors, can lead to unexpected behaviors, system failure, or vulnerabilities that can lead to attacks.
Our approach to assure the security of supply chains can help acquirers in several ways:
- Assist with applying existing techniques to reduce software supply chain risk.
- Provide guidance on managing supply chain risks.
- Help acquirers most effectively use their resources in considering supply chain risks.
See the following publications to learn more about CERT research related to supply chain and COTS assurance:
Collection Contents
-
Software Assurance
May 7, 2014 • Book Chapter
By Nancy R. Mead, Dan Shoemaker (University of Detroit Mercy), Carol Woody
In this book chapter, the authors discuss modern principles of software assurance and identify a number of relevant process models, frameworks, and best practices.
read -
Supply Chain and Commercial-off-the-Shelf (COTS) Assurance
January 24, 2017 • White Paper
The Software Engineering Institute can help your organization apply techniques to reduce software supply chain risk.
read -
Improving Software Assurance
July 5, 2013 • White Paper
By Carol Woody, Robert J. Ellison
In this paper, the authors discuss what practitioners should know about software assurance, where to look, what to look for, and how to demonstrate improvement.
read -
A Systemic Approach for Assessing Software Supply-Chain Risk
May 14, 2013 • White Paper
By Audrey J. Dorofee, Carol Woody, Christopher J. Alberts, Rita C. Creel, Robert J. Ellison
In this paper, the authors highlight the approach being implemented by SEI researchers for assessing and managing software supply-chain risks and provides a summary of the status of this work.
read -
Building Assured Systems Framework (BASF) Overview
September 1, 2011 • CERT Research Report
In this section of the research report, the authors explain the benefits of investing in building assured systems.
read -
Software Supply Chain Risk Management: From Products to Systems of Systems
December 1, 2010 • Technical Note
By Robert J. Ellison, Christopher J. Alberts, Rita C. Creel, Audrey J. Dorofee, Carol Woody
In this report, the authors consider current practices in software supply chain analysis and suggest some foundational practices.
read -
Building Assured Systems Framework
September 1, 2010 • Technical Report
By Nancy R. Mead, Julia H. Allen
This report presents the Building Assured Systems Framework (BASF) that addresses the customer and researcher challenges of selecting security methods and research approaches for building assured systems.
read -
Securing Global Software Supply Chains
June 9, 2010 • Webinar
By Robert J. Ellison
In this 2010 webinar, Bob Ellison examines the software side pf supply chain and provides examples to help acquirers manage supply chains.
watch -
Evaluating and Mitigating Software Supply Chain Security Risks
May 1, 2010 • Technical Note
By Robert J. Ellison, John B. Goodenough, Charles B. Weinstock, Carol Woody
In this 2010 report, the authors identify software supply chain security risks and specify evidence to gather to determine if these risks have been mitigated.
read