Software Engineering Institute | Carnegie Mellon University
Software Engineering Institute | Carnegie Mellon University

Digital Library

Collection - Related Assets

Cybersecurity Engineering Research: Supply Chain and Commercial-Off-the-Shelf (COTS) Assurance Collection

  • Organizations are increasingly acquiring commercial-off-the-shelf and open source software products or outsourcing development. Current approaches to acquisition do not account for the risk management issues of complex software supply chains. On-time delivery and costs often get attention, but some of the most serious risks are related to system assurance, the confidence that the system behaves as expected. Software defects, such as design and implementation errors, can lead to unexpected behaviors, system failure, or vulnerabilities that can lead to attacks.

    Our approach to assure the security of supply chains can help acquirers in several ways:

    1. Assist with applying existing techniques to reduce software supply chain risk.
    2. Provide guidance on managing supply chain risks.
    3. Help acquirers most effectively use their resources in considering supply chain risks.

    See the following publications to learn more about CERT research related to supply chain and COTS assurance:

  • Software Assurance May 2014 Author(s): Nancy R. Mead, Dan Shoemaker (University of Detroit Mercy), Carol Woody In this book chapter, the authors discuss modern principles of software assurance and identify a number of relevant process models, frameworks, and best practices.
  • Supply Chain and Commercial-off-the-Shelf (COTS) Assurance January 2017 Author(s): The Software Engineering Institute can help your organization apply techniques to reduce software supply chain risk.
  • Improving Software Assurance July 2013 Author(s): Carol Woody, Robert J. Ellison In this paper, the authors discuss what practitioners should know about software assurance, where to look, what to look for, and how to demonstrate improvement.
  • A Systemic Approach for Assessing Software Supply-Chain Risk May 2013 Author(s): Audrey J. Dorofee, Carol Woody, Christopher J. Alberts, Rita C. Creel, Robert J. Ellison In this paper, the authors highlight the approach being implemented by SEI researchers for assessing and managing software supply-chain risks and provides a summary of the status of this work.
  • Building Assured Systems Framework (BASF) Overview September 2011 Author(s): In this section of the research report, the authors explain the benefits of investing in building assured systems.
  • Software Supply Chain Risk Management: From Products to Systems of Systems December 2010 Author(s): Robert J. Ellison, Christopher J. Alberts, Rita C. Creel, Audrey J. Dorofee, Carol Woody In this report, the authors consider current practices in software supply chain analysis and suggest some foundational practices.
  • Building Assured Systems Framework September 2010 Author(s): Nancy R. Mead, Julia H. Allen This report presents the Building Assured Systems Framework (BASF) that addresses the customer and researcher challenges of selecting security methods and research approaches for building assured systems.
  • Securing Global Software Supply Chains June 2010 Author(s): Robert J. Ellison In this 2010 webinar, Bob Ellison examines the software side pf supply chain and provides examples to help acquirers manage supply chains.
  • Evaluating and Mitigating Software Supply Chain Security Risks May 2010 Author(s): Robert J. Ellison, John B. Goodenough, Charles B. Weinstock, Carol Woody In this 2010 report, the authors identify software supply chain security risks and specify evidence to gather to determine if these risks have been mitigated.