search menu icon-carat-right cmu-wordmark

Supply-Chain Risk Management: Incorporating Security into Software Development

White Paper
In this paper, the authors describe practices that address defects and mechanisms for introducing these practices into the acquisition lifecycle.

Software Engineering Institute


As outsourcing and expanded use of commercial off-the-shelf (COTS) products increase, supply-chain risk becomes a growing concern for software acquisitions. Supply-chain risks for hardware procurement include manufacturing and delivery disruptions,“Supply-Chain Risk Management (SCRM) is a discipline of Risk Management which attempts to identify potential disruptions to continued manufacturing production and thereby commercial financial exposure.” [Wikipedia 2010] and the substitution of counterfeit or sub-standard components. Software supply-chain risks include third-party tampering with a product during development or delivery and, more likely, a compromise of the software assurance through the introduction of software defects. This pa-per describes practices that address such defects and mechanisms for introducing these practices into the acquisition life cycle. The practices improve the likelihood of predictable behavior by systematically analyzing data flows to identify assumptions and using knowledge of attack patterns and vulnerabilities to analyze behavior under conditions that an attacker might create.

This article was presented as a paper at the Hawaii International Conference on Systems Sciences (HICSS-43).