Christopher J. Alberts

A Systemic Approach for Assessing Software Supply-Chain Risk

In todays business environment, multiple organizations must routinely work together in software supply chains when acquiring, developing, operating, and maintaining software products. The programmatic and product complexity inherent in software supply chains increases the risk that defects, vulnerabilities, and malicious code will be inserted into a delivered software product. As a result, effective risk management is essential for establishing and maintaining software supply-chain assurance over time. The Software Engineering Institute (SEI) is developing a systemic approach for assessing and managing software supply-chain risks. This paper highlights the basic approach being implemented by SEI researchers and provides a summary of the status of this work.

The Landscape of Software Assurance—Participating Organizations and Technologies

The goal of our software assurance (SwA) landscape project is to create a usable framework that describes assurance participants, assurance technologies, and their contributions to accelerate the formation and adoption of solutions to the SwA challenges within the DoD and other government organizations. The SwA landscape is constantly changing as a growing group of organizations attempt to address its challenges as well as the technologies available to address it. To aid in identifying avenues for addressing assurance and to accelerate the adoption of solutions, the Carnegie Mellon ® Software Engineering Institute (SEI) is developing a way to characterize the current portfolio of assurance participants, available solutions, and their interrelationships along with the contributions each makes to assurance. We expect this to be an on-going effort as new technologies are made available and our knowledge about participants and current technology expands. Accordingly, we are developing a structure that can be refreshed periodically as the SwA landscape changes. For this paper we describe our approach for developing the current version of the framework, the elements of the characterization structure, and the reasoning behind the structure choices.