Industry group releases software integrity framework
The Software Assurance Forum for Excellence in Code (SAFECode) on Tuesday released "The Supply Chain Integrity Framework," a 14-page document that defines software integrity, chronicles its challenges and provides a comprehensive list of principles that should be applied to the commercial software supply-chain process.
The framework, which can be freely downloaded, will address the sourcing (acceptance of code), in-house development and ultimate delivery of the software, said Paul Kurtz, the organization's executive director.
Most of the existing software security focus rests on eliminating vulnerabilities -- and not enough on preventing the subversion of software, he said. For example, someone with access to the software could install malware on a widely deployed product.
"What this is really about is an adversary targeting a specific system and undermining it from beginning all the way to continuum," Kurtz told SCMagazineUS.com last week.
The framework, developed by SafeCODE members such as EMC, Juniper, Microsoft, Nokia and Symantec, was created in response to concerns from government agencies and large businesses, Kurtz said.
He said the threat of sabotage is not much of a problem today. But with increasing worries over foreign cyber adversaries, more attention must be paid to software integrity, especially considering the amount of subcontractors who may have their hand in the supply process.
"This is not a significant avenue of attack," he said. "But in the absence of thinking about it today, it will become a much larger issue tomorrow. Bottom line is we can't have a situation where we're not anticipating where this happens."
Mano Paul, international software assurance adviser for (ISC)2, said he thinks the standards will come in most handy when dealing with outsourced code development.
"Globalization undoubtedly warrants the need for a robust, effective and implementable software assurance framework as it pertains to managing software risk throughout the supply chain," Paul told SCMagazineUS.com on Tuesday in an email. "SAFECode's attempt to develop a framework to manage software risks as it is sourced until it is delivered is a commendable first step of achieving software assurance maturity."
But he cautioned that for the framework to be successful, members of the supply chain must follow processes and their conformance be measured.
"Failing to do so will give room for open interpretation and subsequently substandard or ineffective implementation," Paul said.
The framework addresses chain of custody, least privilege access, separation of duties, tamper resistance, compliance management and code testing and verification, among other controls, according to SAFECode. The organization plans to later this year publish findings on how its member companies are using the controls to achieve software integrity.