Today has been an exciting day for SAFECode. We are very pleased to release our latest report: “Software Integrity Controls: An Assurance-Based Approach to Minimizing Risks in the Software Supply Chain.”
For the past year, we’ve been bringing together subject matter experts from all of our member companies to identify and analyze the controls they use to minimize the risk that insecure processes, or a motivated attacker, could undermine the security of a software product as it moves through the links in the global supply chain. This paper represents the best of those discussions. Using the real-world experiences of SAFECode members, we were able to develop a set of actionable recommendations for others in the industry looking to reduce the risk of vulnerabilities being inserted into a software product during its sourcing, development and distribution, which we refer to as “software integrity controls.”
It is worth noting that the paper builds upon our previously released “Software Supply Chain Integrity Framework,” which defines a taxonomy for describing supply chain security in the context of software assurance. We had never planned to develop the framework paper, hoping instead to jump into discussions of controls and practices (SAFECode members are a technical bunch, after all). However, as soon as we embarked on the project, it became immediately clear that we needed a common language to discuss software integrity issues, and more broadly, software supply chain security. So I recommend that you take a look at look at that paper as well, since it adds useful context to this discussion.
SAFECode believes that broad industry adoption of software integrity practices can greatly improve customer confidence in IT systems. And, while we are proud of the fact that this report represents the first industry-led effort on software integrity, we also recognize that this in an emerging area. As such, we encourage public comment on this paper and ideas for future software integrity projects. We look forward to continuing the conversation!
PS- You can now find us on Facebook and Twitter!