icon-carat-right menu search cmu-wordmark
Carnegie Mellon University

Evaluating and Mitigating Software Supply Chain Security Risks

Technical Note
By
In this 2010 report, the authors identify software supply chain security risks and specify evidence to gather to determine if these risks have been mitigated.
Publisher

Software Engineering Institute

CMU/SEI Report Number
CMU/SEI-2010-TN-016
DOI (Digital Object Identifier)
10.1184/R1/6573497.v1
Topic or Tag

Abstract

The Department of Defense (DoD) is concerned that security vulnerabilities could be inserted into software that has been developed outside of the DoD’s supervision or control. This report presents an initial analysis of how to evaluate and mitigate the risk that such unauthorized insertions have been made. The analysis is structured in terms of actions that should be taken in each phase of the DoD acquisition life cycle.

SHARE
Download PDF
Part of a Collection

Cybersecurity Engineering Research: Supply Chain and Commercial-Off-the-Shelf (COTS) Assurance Collection
Cite This Technical Note

Ellison, R., Goodenough, J., Weinstock, C., & Woody, C. (2010, May 1). Evaluating and Mitigating Software Supply Chain Security Risks. (Technical Note CMU/SEI-2010-TN-016). Retrieved November 22, 2024, from https://doi.org/10.1184/R1/6573497.v1.

@techreport{ellison_2010,
author={Ellison, Robert and Goodenough, John and Weinstock, Charles and Woody, Carol},
title={Evaluating and Mitigating Software Supply Chain Security Risks},
month={{May},
year={{2010},
number={{CMU/SEI-2010-TN-016},
howpublished={Carnegie Mellon University, Software Engineering Institute's Digital Library},
url={https://doi.org/10.1184/R1/6573497.v1},
note={Accessed: 2024-Nov-22}
}

Ellison, Robert, John Goodenough, Charles Weinstock, and Carol Woody. "Evaluating and Mitigating Software Supply Chain Security Risks." (CMU/SEI-2010-TN-016). Carnegie Mellon University, Software Engineering Institute's Digital Library. Software Engineering Institute, May 1, 2010. https://doi.org/10.1184/R1/6573497.v1.

R. Ellison, J. Goodenough, C. Weinstock, and C. Woody, "Evaluating and Mitigating Software Supply Chain Security Risks," Carnegie Mellon University, Software Engineering Institute's Digital Library. Software Engineering Institute, Technical Note CMU/SEI-2010-TN-016, 1-May-2010 [Online]. Available: https://doi.org/10.1184/R1/6573497.v1. [Accessed: 22-Nov-2024].

Ellison, Robert, John Goodenough, Charles Weinstock, and Carol Woody. "Evaluating and Mitigating Software Supply Chain Security Risks." (Technical Note CMU/SEI-2010-TN-016). Carnegie Mellon University, Software Engineering Institute's Digital Library, Software Engineering Institute, 1 May. 2010. https://doi.org/10.1184/R1/6573497.v1. Accessed 22 Nov. 2024.

Ellison, Robert; Goodenough, John; Weinstock, Charles; & Woody, Carol. Evaluating and Mitigating Software Supply Chain Security Risks. CMU/SEI-2010-TN-016. Software Engineering Institute. 2010. https://doi.org/10.1184/R1/6573497.v1

Ask a question about this Technical Note