The MITRE System of Trust: A Proposed Standard for Software Supply Chain Security

MITRE’s System of Trust framework aims to standardize how software supply chain security is assessed, explains Robert Martin of MITRE.

Software supply chain security is one of the biggest topics at this week’s RSA conference in San Francisco, where dozens of presentations and panels will examine all aspects of software supply chain risk, attack and defense.

But what constitutes software supply chain security? And how does one company’s (or vendor’s) security compare to another? In the absence of an agreed definition of supply chain security, supply chain security assessments are often narrowly focused and tailored.

What is needed is something closer to a framework for measuring supply chain risk. At the RSA conference on Tuesday, Robert Martin, a senior executive at MITRE Labs Cyber Solutions Innovation Center, presents an idea for achieving something close to this: a “System of Trust” framework that, MITRE says, will provide a means of assessing the relative risks associated with the software supply chain of organizations across the economy.

The SoT, which has been described by MITRE in a series of articles (PDF), is designed as a sort of “GAAP” (Generally Accepted Accounting Principles) for software supply chain security. Just as GAAP standardizes financial accounting practices and measures (at least among North American companies), MITRE’s SoT seeks to do the same for supply chain security. To draw attention to its work on supply chain security, MITRE has launched a new website, sot.mitre.org.

In a conversation for our ConversingLabs podcast recorded at RSA, Martin said the System of Trust builds on decades of work MITRE has done — dating back to the Cold War — on behalf of federal government agencies and contractors: helping them identify quality suppliers as well as avenues of threat and attack, such as industrial espionage.

The Creation of the MITRE System of Trust

“It’s the ‘next step’ for things that have been going on for a number of years,” Martin told me during an interview at the RSA conference in San Francisco. “This movement in the supply chain is really ramping up in the organization. These issues are not for technologists. This is a business issue that needs corporate attention,” he said.

Although questions about supply chain security date back decades, the increasing reliance on information and communications technology (ICT) in recent years has complicated an already difficult task, Martin notes in the 2021 report:

“The computerization of everything has given rise to pervasive cyber threats, including those stemming from inherent vulnerabilities in reused software of often dubious origin. Our adversaries seek to inject themselves into every conceivable stage of technological development, for both disruptive and intelligence purposes.”

The COVID pandemic has also highlighted supply chain risk by contributing to supply chain disruptions. But many organizations currently lack a holistic way to assess supply chain security and integrity. “Either they build their own little lists of these issues, or they borrow something from another project that they thought was good,” Martin said. “Both aren’t really going to give you the holistic context you need to get started.”

The System of Trust provides a framework on which to begin to answer some of the questions about supply chain risk, not only within government, but also in the private sector. The SoT provides a “consistent and repeatable methodology” for evaluating vendors, supplies and service providers, says MITRE.

MITRE System of Trust: Key Categories

The System of Trust is organized into key categories of supply chain participants, including suppliers, supplies, and services. For each, the SoT focuses on a small number of risk areas that government agencies and companies are asked to assess during the acquisition process and then “make decisions on” whether that assessment has identified a risk of cancelation.

For example, when evaluating supplies or components used in a product or service, organizations using the System of Trust framework are asked to look for issues related to possible counterfeit products, assess the “hygiene of supplies” and search for evidence of “malicious flavor” by evaluating the source of the software, how it was produced (composition of the software) and any updates.

Organizations assessing supplier security are asked to consider 5 risk categories comprising 26 risk factors. They include “organizational security” (both IT security and data security) as well as “maliciousness” – for example, being named on a sanctions list or being investigated for fraud and corruption. The financial health and ownership of a vendor are part of the assessment, as are its internal cybersecurity practices and how it achieves software and hardware assurance.

Trust what the software or service is

The goal is to enable an acquirer of software or services to make “a clear, well-informed decision on whether to purchase from a particular entity, and whether to purchase a specific item/part number from this entity,” MITRE said.

Assessments begin with general “framing” questions for the potential supply chain partner, with the aim of directing the System of Trust framework to the product, service or supplier in question. From there, topic-specific questions are asked about the presence (or absence) of “aspects of concern”. These questions may reflect government and industry best practices.

Identified risks are scored using what MITRE describes as a “set of contextual, customizable, weighted metrics that are used as inputs into a scoring algorithm.”

MITRE said it used the SoT to assess a set of 11 publicly traded companies with promising results. The risk scores obtained ranged from 15 to 58 out of 70, with lower scores indicating lower risk. For the company that scored “58”, IT security and its financial stability raised red flags in the SoT assessment.

Putting the System of Trust into action

Martin said the System of Trust is a “starting point” for organizations to address supply chain security. Even if individual organizations may not feel the need to implement the entire System of Trust internally, simply engaging in the process can give them a quick read on whether they face any supply chain risks that deserve their attention.

Martin takes the example of “counterfeits”, which is one of the risk areas for supplies. The methodology for detecting counterfeit components in your supply chain varies greatly depending on whether you manufacture microelectronics or, for example, handbags. However, just being aware that the counterfeit issue is one your organization needs to know about and address is an important first step, Martin said.

*** This is a syndicated Security Bloggers Network blog from the ReversingLabs blog written by Paul Roberts. Read the original post at: https://blog.reversinglabs.com/blog/software-supply-chain-security-mitre-system-of-trust
