As a follow-up to the release of SAFECode’s paper, “The Software Supply Chain Integrity Framework: Defining Risks and Responsibilities for Securing Software in the Global Supply Chain,” I thought I would elaborate on a core concept of the report: the definition of software integrity and how it relates to software assurance.

Software assurance is most frequently discussed in the context of ensuring that code itself is more secure through the repeatable application of secure software development practices.  These practices, however, only represent one aspect of software assurance.

SAFECode defines software assurance as “confidence that software, hardware and services are free from intentional and unintentional vulnerabilities and that the software functions as intended.”  To achieve software assurance, suppliers take action in three key areas:

•    Security: Security threats are anticipated and addressed in the software’s design, development and testing.
•    Authenticity: The software is not counterfeit and customers are able to confirm that they have the real thing.
•    Integrity: The processes for sourcing, creating and delivering software contain controls to enhance confidence that the software functions as the supplier intended.

SAFECode’s recent paper on software supply chain integrity provides a framework for analyzing and describing the efforts of vendors to ensure software integrity. I think of the difference between secure development practices and software integrity practices this way: Secure development practices address the security characteristics of the code itself, while software integrity practices address the security of the process used to source, build, test and deliver the code.

Software integrity practices complement secure development practices by minimizing the risk of malicious code being intentionally inserted in the global software supply chain.  They represent one leg of the software assurance tripod.  Software integrity, authenticity and security together form a sound basis for confidence that software is free from intentional and unintentional vulnerabilities and that the software functions as intended.

Next time: We’ll take a closer look at how software integrity practices relate to the global software supply chain.