
Cybersecurity Engineering Research: Supply Chain and Commercial-Off-the-Shelf (COTS) Assurance Collection

This research focuses on methods for analyzing security-related design weaknesses that cannot be corrected easily during operations.

Software Engineering Institute


Organizations are increasingly acquiring commercial-off-the-shelf and open source software products or outsourcing development. Current approaches to acquisition do not account for the risk management issues of complex software supply chains. On-time delivery and costs often get attention, but some of the most serious risks are related to system assurance, the confidence that the system behaves as expected. Software defects, such as design and implementation errors, can lead to unexpected behaviors, system failure, or vulnerabilities that can lead to attacks.

Our approach to assuring the security of software supply chains can help acquirers in several ways:

  1. Assist with applying existing techniques to reduce software supply chain risk.
  2. Provide guidance on managing supply chain risks.
  3. Help acquirers most effectively use their resources in considering supply chain risks.

See the following publications to learn more about CERT research related to supply chain and COTS assurance:

Collection Items