Adding a Software Assurance Dimension to Supply Chain Practices
Randall Brooks - Raytheon
Mar 21, 2012Size: 535.2MB
Download: MP4 Video
Watch in your Browser Watch on YouTube
AbstractThere is a long history of supply chain management, from which many related policies, practices, processes, and enabling artifacts have been developed and employed by those business enterprises that acquire hardware and software components from a third party. Traditionally, Supply Chain Risk Management (SCRM) has been the focal point of supply chain practices and has focused on business and contractual issues, although recent efforts have increasingly included engineering expertise for product quality evaluations.
This presentation advocates the introduction of a security assurance dimension to the SCRM process. It does not, however, propose the addition of an independent, parallel track of SCRM process for security assurance evaluation, but rather practical steps for augmenting those SCRM processes that already exist.
Just as is the case in legacy SCRM, the cyber dimension of SCRM is based on assessing and balancing risk vs. cost. The goal is to minimize the added costs associated with improved information assurance by efficiently incorporating relevant practices industry, government, and academia to provide a security assurance dimension into the supply chain process.
SCRM-relevant industry and government practices will be presented in this paper in such a way that supply chain staff can easily make use of them, even without a background in information security. Also, it will be clearly noted when subcontract management, information assurance engineering, or other business or technical expertise may be needed to complement traditional supply chain activities in the pursuit of cyber-based SCRM.
Points of discussion common to both hardware and to software component acquisition will include:
1. Acquirer business risk
2. End customer mission criticality and mission assurance
3. Subcontract management
4. Supplier secure development assessment
5. Supplier management practices for their suppliers
6. Supplier business assessment
7. Product assessment
Points of discussion peculiar to hardware component acquisition will include:
1. Quality vs. counterfeiting vs. malicious alteration
2. ASICS, FPGAs, and microprocessors
3. Information storage in volatile memory
4. Information storage in non-volatile memory and permanent disk storage
Points of discussion peculiar to software component acquisition will include:
1. COTS, contracted software, open source, and freeware
2. Software pedigree and provenance
3. License management of open source
About the SpeakerMr. Brooks, a twelve year Raytheon employee, is an Engineering Fellow in the Cyber Defense Solutions business area in Largo, FL. He is a recipient of the Raytheon Excellence in Technology Meritorious and Distinguished Awards. He has developed and submitted 4 patents on Intrusion Detection and Prevention design and implementation with 3 Patents awarded. He is also a Certified Secure Software Lifecycle Professional (CSSLP), Certified Information Systems Security Professional (CISSP), Information Systems Security Engineering Professional (ISSEP), Information Systems Security Architecture Professional (ISSAP), and an Information Systems Security Management Professional (ISSMP). He is a graduate of Purdue University with a Bachelors of Science from the School of Computer Science.
The views, opinions and assumptions expressed in these videos are those of the presenter and do not necessarily reflect the official policy or position of CERIAS or Purdue University. All content included in these videos, are the property of Purdue University, the presenter and/or the presenter’s organization, and protected by U.S. and international copyright laws. The collection, arrangement and assembly of all content in these videos and on the hosting website exclusive property of Purdue University. You may not copy, reproduce, distribute, publish, display, perform, modify, create derivative works, transmit, or in any other way exploit any part of copyrighted material without permission from CERIAS, Purdue University.