SAFECode framework addresses software supply chain integrity
Software assurance forum publishes framework for supply chain integrity in software development
An industry group focused on the quality and reliability assurance of commercial software has published a framework for addressing supply chain integrity.
Major developers already use best practices to ensure the quality and security of code produced in-house. But as commercial software has become more complex and its development more distributed in a global economy, controls have become more difficult, said Paul Kurtz, executive director of the Software Assurance Forum for Excellence in Code (SAFECode).
Trust but verify: Security risks abound in the IT supply chain
“How do you assure that practices and controls you have put in place have not been subverted?” Kurtz asked. “One of the things we wanted to grapple with was the issue of supply chain integrity, [but] we rapidly found that we didn’t have a common understanding of what was meant by supply chain integrity.”
A paper SAFECode published today, titled "The Software Supply Chain Integrity Framework," is the first attempt to define the controls required. It was produced by developers from SAFECode member companies EMC, Juniper Networks, Microsoft Corp., Nokia, SAP and Symantec.
“This is our departure point for a common approach,” Kurtz said. “What we have published is a framework for how to think of software integrity. We are going to come back later this year with more extensive documentation on the controls.”
Integrity is one of the three elements of software assurance SAFECode identified, along with security and authenticity. The paper states that integrity means that “the processes for sourcing, creating and delivering software contain controls to enhance confidence that the software functions as the supplier intended.”
Integrity assurance is a difficult task as software development becomes more decentralized and in-house controls cannot be directly applied.
“The increased distribution of development activities globally does raise questions about what additional product security and commercial brand risks are introduced, how these risks should be assessed, and what proactive measures can minimize their occurrence,” the paper states.
The document is an effort to address the issue of software supply chain integrity from a software engineering perspective. It shares members’ current practices for mitigating risks, with an eye toward developing process guidelines that other software companies can consider adopting to protect the integrity of the software they produce through the global supply chain.
To be effective in current complex global supply chains, software integrity processes and controls must be designed to be independent of geography, accommodate diverse sources of software components, and extend from a vendor’s suppliers to its customers.
“Software supply chain integrity controls derive from established security and integrity principles,” the paper concludes. They include:
- Chain of custody: The confidence that each change and hand-off made during the source code’s lifetime is authorized, transparent and verifiable.
- Least privilege access: Users can access critical data with only the privileges necessary to do their jobs.
- Separation of duties: Users cannot unilaterally change data or control the development process.
- Tamper resistance and evidence: Attempts to tamper are obstructed, and when they occur, they are evident and reversible.
- Persistent protection: Critical data is protected in ways that remain effective even if the data is removed from the development location.
- Compliance management: The success of the protections can be continually and independently confirmed.
- Code testing and verification: Methods for code inspection are applied, and suspicious code is detected.