Evaluating and Mitigating Software Supply Chain Security Risks

May 2010 • Technical Note

Robert J. Ellison, John B. Goodenough, Charles B. Weinstock, Carol Woody

In this 2010 report, the authors identify software supply chain security risks and specify evidence to gather to determine if these risks have been mitigated.

Publisher:

Software Engineering Institute

CMU/SEI Report Number

CMU/SEI-2010-TN-016

DOI (Digital Object Identifier):

10.1184/R1/6573497.v1

Subjects

Software AssuranceSoftware Assurance

Abstract

The Department of Defense (DoD) is concerned that security vulnerabilities could be inserted into software that has been developed outside of the DoD’s supervision or control. This report presents an initial analysis of how to evaluate and mitigate the risk that such unauthorized insertions have been made. The analysis is structured in terms of actions that should be taken in each phase of the DoD acquisition life cycle.

Download PDF

Part of a Collection

Cybersecurity Engineering Research: Supply Chain and Commercial-Off-the-Shelf (COTS) Assurance Collection

Cite This Report

SEI

Ellison, Robert; Goodenough, John; Weinstock, Charles; & Woody, Carol. Evaluating and Mitigating Software Supply Chain Security Risks. CMU/SEI-2010-TN-016. Software Engineering Institute, Carnegie Mellon University. 2010. http://resources.sei.cmu.edu/library/asset-view.cfm?AssetID=9337

IEEE

Ellison. Robert, Goodenough. John, Weinstock. Charles, and Woody. Carol, "Evaluating and Mitigating Software Supply Chain Security Risks," Software Engineering Institute, Carnegie Mellon University, Pittsburgh, Pennsylvania, Technical Note CMU/SEI-2010-TN-016, 2010. http://resources.sei.cmu.edu/library/asset-view.cfm?AssetID=9337

APA

Ellison, Robert., Goodenough, John., Weinstock, Charles., & Woody, Carol. (2010). Evaluating and Mitigating Software Supply Chain Security Risks (CMU/SEI-2010-TN-016). Retrieved March 25, 2023, from the Software Engineering Institute, Carnegie Mellon University website: http://resources.sei.cmu.edu/library/asset-view.cfm?AssetID=9337

CHI

Robert Ellison, John Goodenough, Charles Weinstock, & Carol Woody. Evaluating and Mitigating Software Supply Chain Security Risks (CMU/SEI-2010-TN-016). Pittsburgh, PA: Software Engineering Institute, Carnegie Mellon University, 2010. http://resources.sei.cmu.edu/library/asset-view.cfm?AssetID=9337

MLA

Ellison, Robert., Goodenough, John., Weinstock, Charles., & Woody, Carol. 2010. Evaluating and Mitigating Software Supply Chain Security Risks (Technical Report CMU/SEI-2010-TN-016). Pittsburgh: Software Engineering Institute, Carnegie Mellon University. http://resources.sei.cmu.edu/library/asset-view.cfm?AssetID=9337

BibTex

@techreport{EllisonEvaluatingand2010,
title={Evaluating and Mitigating Software Supply Chain Security Risks},
author={Robert Ellison and John Goodenough and Charles Weinstock and Carol Woody},
year={2010},
number={CMU/SEI-2010-TN-016},
institution={Software Engineering Institute, Carnegie Mellon University},
address={Pittsburgh, PA},
url={http://resources.sei.cmu.edu/library/asset-view.cfm?AssetID=9337} }

Ask a question about this Technical Note

Software Engineering Institute