Today, SAFECode publicly announced its efforts to address software supply chain integrity with the release of a new paper, “The Software Supply Chain Integrity Framework: Defining Risks and Responsibilities for Securing Software in the Global Supply Chain.” The paper outlines the first industry-driven framework for analyzing and describing the efforts of software suppliers to mitigate the potential that an IT solution could be compromised by the intentional insertion of malicious code into the solution’s software during its sourcing, development or distribution.

As the software industry has become increasingly globalized, questions have been raised about what additional product security and brand risks are introduced by the increased distribution of software development activities, how these risks should be assessed, and what proactive measures can minimize their occurrence. These questions are of interest to both customers and suppliers and have been aggregated under the label “software supply chain integrity.”

The challenge we faced when we started this project was that the concept of “software supply chain integrity” and its key components of “software supply chain” and “software integrity” were not commonly understood. As such, we felt that there was great value in developing a framework and common taxonomy that would serve as the foundation for our subsequent work aimed at identifying and analyzing software integrity best practices. Releasing the framework publicly provides us with an opportunity to solicit feedback on our approach, helping to ensure that our future papers are as useful and relevant as possible.

However, the development of this framework is just the first step in our effort to address software supply chain integrity. Our members are working together to identify the threats, assess the risks, share current practices for mitigating those risks, and develop process guidelines that other software companies should consider adopting to protect the integrity of the software they produce through the global supply chain. SAFECode will be publishing our findings later this year to extend these practices across the industry and provide customers with additional insight into how to view and evaluate the processes by which software integrity is achieved.

Though experts have concluded that the software supply chain is not the most likely attack vector, the fact that a risk does exist requires preventative action. Further, the interdependencies of the IT ecosystem require software suppliers not only to demonstrate the security of the products they produce, but also to evaluate the integrity of the products they acquire and use. For these reasons, we believe that every software supplier has a significant stake in the identification, communication and evaluation of best practices for ensuring software integrity.

I will be highlighting key elements of our framework in a series of blog entries. Next up: what is software integrity, and how does it relate to software assurance?