Cybersecurity Engineering Research: Supply Chain and Commercial-Off-the-Shelf (COTS) Assurance Collection
• Collection
Publisher
Software Engineering Institute
Abstract
Organizations are increasingly acquiring commercial-off-the-shelf and open source software products or outsourcing development. Current approaches to acquisition do not account for the risk management issues of complex software supply chains. On-time delivery and costs often get attention, but some of the most serious risks are related to system assurance, the confidence that the system behaves as expected. Software defects, such as design and implementation errors, can lead to unexpected behaviors, system failure, or vulnerabilities that can lead to attacks.
Our approach to assure the security of supply chains can help acquirers in several ways:
- Assist with applying existing techniques to reduce software supply chain risk.
- Provide guidance on managing supply chain risks.
- Help acquirers most effectively use their resources in considering supply chain risks.
See the following publications to learn more about CERT research related to supply chain and COTS assurance:
Collection Items
Software Assurance
• Book Chapter
By Nancy R. Mead, Dan Shoemaker (University of Detroit Mercy), Carol Woody
In this book chapter, the authors discuss modern principles of software assurance and identify a number of relevant process models, frameworks, and best practices.
Read
Supply Chain and Commercial-off-the-Shelf (COTS) Assurance
• White Paper
By Software Engineering Institute
The Software Engineering Institute can help your organization apply techniques to reduce software supply chain risk.
Read
Improving Software Assurance
• White Paper
By Carol Woody, Robert J. Ellison
In this paper, the authors discuss what practitioners should know about software assurance, where to look, what to look for, and how to demonstrate improvement.
Read
A Systemic Approach for Assessing Software Supply-Chain Risk
• White Paper
By Audrey J. Dorofee, Carol Woody, Christopher J. Alberts, Rita C. Creel, Robert J. Ellison
In this paper, the authors highlight the approach being implemented by SEI researchers for assessing and managing software supply-chain risks and provides a summary of the status of this work.
Read
Building Assured Systems Framework (BASF) Overview
• CERT Research Report
By Software Engineering Institute
In this section of the research report, the authors explain the benefits of investing in building assured systems.
Read
Software Supply Chain Risk Management: From Products to Systems of Systems
• Technical Note
By Robert J. Ellison, Christopher J. Alberts, Rita C. Creel, Audrey J. Dorofee, Carol Woody
In this report, the authors consider current practices in software supply chain analysis and suggest some foundational practices.
Read
Building Assured Systems Framework
• Technical Report
By Nancy R. Mead, Julia H. Allen
This report presents the Building Assured Systems Framework (BASF) that addresses the customer and researcher challenges of selecting security methods and research approaches for building assured systems.
Read
Evaluating and Mitigating Software Supply Chain Security Risks
• Technical Note
By Robert J. Ellison, John B. Goodenough, Charles Weinstock, Carol Woody
In this 2010 report, the authors identify software supply chain security risks and specify evidence to gather to determine if these risks have been mitigated.
ReadPart of a Collection
Cybersecurity Engineering Research Collection