CERIAS Weekly Security Seminar – Purdue University
Randall Brooks, Adding a Software Assurance Dimension to Supply Chain Practices
There is a long history of supply chain management, from which many related policies, practices, processes, and enabling artifacts have been developed and employed by those business enterprises that acquire hardware and software components from a third party. Traditionally, Supply Chain Risk Management (SCRM) has been the focal point of supply chain practices and has focused on business and contractual issues, although recent efforts have increasingly included engineering expertise for product quality evaluations.This presentation advocates the introduction of a security assurance dimension to the SCRM process. It does not, however, propose the addition of an independent, parallel track of SCRM process for security assurance evaluation, but rather practical steps for augmenting those SCRM processes that already exist.Just as is the case in legacy SCRM, the cyber dimension of SCRM is based on assessing and balancing risk vs. cost. The goal is to minimize the added costs associated with improved information assurance by efficiently incorporating relevant practices industry, government, and academia to provide a security assurance dimension into the supply chain process.SCRM-relevant industry and government practices will be presented in this paper in such a way that supply chain staff can easily make use of them, even without a background in information security. Also, it will be clearly noted when subcontract management, information assurance engineering, or other business or technical expertise may be needed to complement traditional supply chain activities in the pursuit of cyber-based SCRM.Points of discussion common to both hardware and to software component acquisition will include:1. Acquirer business risk2. End customer mission criticality and mission assurance3. Subcontract management4. Supplier secure development assessment5. Supplier management practices for their suppliers6. Supplier business assessment7. Product assessmentPoints of discussion peculiar to hardware component acquisition will include:1. Quality vs. counterfeiting vs. malicious alteration2. ASICS, FPGAs, and microprocessors3. Information storage in volatile memory4. Information storage in non-volatile memory and permanent disk storagePoints of discussion peculiar to software component acquisition will include:1. COTS, contracted software, open source, and freeware2. Software pedigree and provenance3. License management of open source About the speaker: Mr. Brooks, a twelve year Raytheon employee, is an Engineering Fellow in the Cyber Defense Solutions business area in Largo, FL. He is a recipient of the Raytheon Excellence in Technology Meritorious and Distinguished Awards. He has developed and submitted 4 patents on Intrusion Detection and Prevention design and implementation with 3 Patents awarded. He is also a Certified Secure Software Lifecycle Professional (CSSLP), Certified Information Systems Security Professional (CISSP), Information Systems Security Engineering Professional (ISSEP), Information Systems Security Architecture Professional (ISSAP), and an Information Systems Security Management Professional (ISSMP). He is a graduate of Purdue University with a Bachelors of Science from the School of Computer Science.
Senaste avsnitt
En liten tjänst av I'm With Friends. Finns även på engelska.