Software supply chain security is target of industry group best practices

Guidelines may address security worries

The Software Assurance Forum for Excellence in Code has released a set of best practices for assuring the security of the software supply chain. The sort of security vulnerabilities that plague federal information technology managers are usually introduced as software goes from design to shipment, and the new guidelines could reduce the risks.

The report, “An Overview of Software Integrity Controls,” is a consensus from seven major software vendors for minimizing the risk of vulnerabilities making their way into software during its sourcing, development and distribution. The report is available online. It builds on earlier SAFECode efforts to identify secure software development practices and to define a taxonomy for supply chain security.

No matter how secure the development process is, “if you can’t do the supply chain security well you are going to have problems, whether from malicious actors or from inadvertent weaknesses,” said SAFECode Executive Director Paul Kurtz. “All of the pieces fit together.”

Contributors to the paper include Adobe Systems Inc., EMC Corp., Juniper Networks Inc., Microsoft Corp., Nokia, SAP AG, and Symantec Corp.

Assuring the security of the supply chain has emerged as a significant concern in IT security, both for hardware products and components such as finished computers and chips and for software. The Homeland Security Department's National Cyber Security Division has established a Software Assurance Program in response to the National Strategy to Secure Cyberspace, and supply chain risk management is the first element of the software assurance model.

Just as automobiles are built from components supplied by a number of suppliers, software rarely is the product of a single in-house process. Although a software vendor can have secure in-house development processes, the finished application often is the product of a series of companies and engineers developing individual elements that eventually are compiled by the vendor.

The integrity controls identified in the paper already are used by major software vendors to address the risks in the global supply chain that insecure processes or a malicious attacker could undermine the security of a product. The controls aim to secure the processes used to source, develop, deliver and sustain software. They cover issues ranging from contractual relationships with suppliers though securing source code repositories to helping customers confirm that software is not counterfeit.

Although the goals are not controversial and the practices already are in use, it took about nine months of sometimes spirited discussion to reach the consensus, Kurtz said. “The biggest surprise was the lack of clarity on the meaning of certain terms,” he said.

Although there was a large degree of agreement on practices, contributors had to come to agreement on common terms to describe controls and their goals. Basic phrases such as “supply chain security” had to be defined and differentiated from similar terms such as “supply chain assurance” and “integrity,” each of which had different meanings for different companies, said Stacy Simpson, editor of the paper.

The controls cover three broad areas:

  • Sourcing, including vendor contractual integrity controls and technical integrity controls for suppliers.
  • Development and testing, including technical controls and security testing controls.
  • Delivery and sustainment, including publishing and dissemination controls, authenticity controls and product deployment and sustainment controls.

“Producing secure software is an evolving science,” Kurtz said. Mistakes will inevitably be made, but, “we have to have a common set of best practices to work from” to make improvements in the long term. “I think this is a good starting point.”

Future SAFECode efforts will examine:

  • Supplier management and communication along the supply chain;
  • Research on software testing;
  • Ease of use for authentication schemes;
  • Authenticating software at runtime;
  • Software integrity and cloud computing;
  • Improving collaboration in supply chain management;
  • Software assurance metrics; and
  • Gathering more comprehensive data on best practices.

About the Author

William Jackson is a Maryland-based freelance writer.


  • Records management: Look beyond the NARA mandates

    Pandemic tests electronic records management

    Between the rush enable more virtual collaboration, stalled digitization of archived records and managing records that reside in datasets, records management executives are sorting through new challenges.

  • boy learning at home (Travelpixs/

    Tucson’s community wireless bridges the digital divide

    The city built cell sites at government-owned facilities such as fire departments and libraries that were already connected to Tucson’s existing fiber backbone.

Stay Connected