Posts Tagged ‘supply chain assurance’

EMC Product Security Sessions at the RSA Conference

Eric Baize

Eric Baize is Senior Director of the Product Security Office at EMC Corporation. He leads the Product Security Office with company-wide responsibility for product security and supply chain assurance, covering vulnerability response handling, security development lifecycle implementation, supply chain risk management, coordination of security certifications and integration of RSA technology in EMC products and solutions.

This week in San Francisco, tens of thousands of security professionals are gathering for the RSA Conference. For the seventh year in a row, representatives from EMC’s Product Security Office have been selected by the conference program committee to speak in a session. If you are at the conference, come and meet one of us: (more…)

Open Trusted Technology Provider Accreditation Program

Dan Reddy

With 17+ years at EMC, Dan Reddy leads supply chain assurance in EMC’s Product Security Office, where he has been addressing product integrity since 2007. Dan also spent 15 years at New England Electric, an electric utility with nationally critical infrastructure.

How does one measure the best product-related practices that may be in place in the world of Commercial Off-the-Shelf Technology (COTS)? Often a specific version of an Information and Communication Technology (ICT) product is certified by a third-party “Lab” that examines the state of that version against the security requirements for the identified scope. Some process aspects of a product evaluation also come into play, such as the vendor’s approach to handling a vulnerability found in a version of the software. The advantage of the product-version approach is that if one is acquiring a specific version, one knows that this exact version has been reviewed and evaluated. However, product evaluations have process gaps: these days they focus less on secure engineering practices, and not yet at all on supply chain security. (more…)

Open Group’s New Open Trusted Technology Provider Standard: How Trustworthy are Your Products?

Eric Baize

The English saying “You are what you eat”, like many other pieces of culinary history, has its origin in France, more precisely in Jean Anthelme Brillat-Savarin’s “The Physiology of Taste: Or Meditations on Transcendental Gastronomy”, where he first wrote

“Tell me what you eat, and I shall tell you what you are.”

In French: “Dis-moi ce que tu manges, je te dirai ce que tu es.”

This week’s release by the Open Group of the Open Trusted Technology Provider Standard (O-TTPS) subtitled “Mitigating Maliciously Tainted and Counterfeit Products” (more…)

The BSIMM Nouveau Has Arrived

Eric Baize

Gary McGraw’s team at Cigital has just released version 4 of the BSIMM, the Building Security In Maturity Model. BSIMM is a survey of how software development organizations across many industries approach software security. It provides a good picture of the arsenal of techniques available to software security practitioners. EMC has been associated with BSIMM since its first release; we were one of the nine firms surveyed when the model was first built. We are delighted to see that the survey has grown to 50+ firms without major changes to the model. It tells me that we are certainly focusing on the right activities.

My preferred addition to the BSIMM4 model (more…)

The Case for Supply Chain Integrity

Eric Baize

A couple of recent incidents are shedding some light on the complexity of ensuring software code integrity throughout the supply chain.

In the first incident, nothing more than a USB battery charger connected to a USB port can turn your PC into a zombie under the control of attackers (see US-CERT’s note: Energizer DUO USB battery charger software allows unauthorized remote system access). While there is nothing new in this type of attack, recent headlines showing how attackers can mount complex schemes by compounding well-known attack vectors demonstrate that trustworthy software is an essential part of the solution.

So, how do we get there? Clearly, signing software is not sufficient: the USB battery charger program was digitally signed. Signing software guarantees that the software comes from a trusted vendor; it does not tell you whether the software itself is trustworthy. Only strong software assurance programs can increase the trust we put in the software we buy or download.

In its recent report, SAFECode defines software assurance as “confidence that software, hardware and services are free from intentional and unintentional vulnerabilities and that the software functions as intended.” This can only be achieved by ingraining software security practices in the development process, which has two dimensions:

  1. Reducing the occurrence of unintentional vulnerabilities by training developers and by performing threat modeling, source code scanning and security testing during the software development lifecycle.
  2. Controlling code integrity throughout the lifecycle to prevent (a) the addition of malware to the software binary by an infected computer involved in the software development lifecycle and (b) the insertion of malicious software directly in the source code by an attacker.
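The second dimension, controlling code integrity between lifecycle stages, can be made concrete with a small manifest check. The following Python script is an added example and is not code from the original post, from EMC or from SAFECode. It baselines a source tree with SHA-256 digests at checkout, re-hashes it before the build and reports what was added, removed or modified. It also shows the signing point made above: an HMAC (a constructed stand-in for a vendor code-signing key, used only to keep the example self-contained) still verifies when produced after the tampering, because a signature proves origin, not trustworthiness. The file names, contents and key are all constructed.

```python
# Added example (not from the original post): a code-integrity manifest check
# of the kind a vendor can run between stages of its development lifecycle.
import hashlib
import hmac
import json
import tempfile
from pathlib import Path


def hash_tree(root: Path) -> dict:
    """Map every file under root (relative POSIX path) to its SHA-256 digest."""
    manifest = {}
    for path in sorted(p for p in root.rglob("*") if p.is_file()):
        rel = path.relative_to(root).as_posix()
        manifest[rel] = hashlib.sha256(path.read_bytes()).hexdigest()
    return manifest


def sign_manifest(manifest: dict, key: bytes) -> str:
    """Stand-in for a vendor signature: HMAC-SHA256 over canonical JSON.
    A real pipeline would use an asymmetric code-signing key; HMAC is used
    here only so the example runs with the standard library."""
    canonical = json.dumps(manifest, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(key, canonical, hashlib.sha256).hexdigest()


def verify_manifest(manifest: dict, signature: str, key: bytes) -> bool:
    """Constant-time comparison of a recomputed signature with the stored one."""
    return hmac.compare_digest(sign_manifest(manifest, key), signature)


def diff_manifests(baseline: dict, current: dict) -> dict:
    """Report files added, removed or modified relative to the baseline."""
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "modified": sorted(
            p for p in baseline.keys() & current.keys() if baseline[p] != current[p]
        ),
    }


def run_scenario() -> dict:
    """Constructed scenario: a tree is baselined at checkout; before the build
    one source file is altered (the 'insertion into source code' case) and a
    new binary appears (the 'infected build host' case). The manifest diff
    catches both, while a signature made after the change still verifies."""
    key = b"constructed-vendor-key"  # constructed placeholder, not a real key
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "src").mkdir()
        (root / "src" / "main.c").write_text("int main(void) { return 0; }\n")
        (root / "src" / "util.c").write_text("int helper(int x) { return x + 1; }\n")

        baseline = hash_tree(root)
        baseline_sig = sign_manifest(baseline, key)

        # Tampering between checkout and build (constructed, not a real incident).
        (root / "src" / "util.c").write_text("int helper(int x) { return x + 2; }\n")
        (root / "src" / "dropped.bin").write_bytes(b"\x00\x01")

        current = hash_tree(root)
        # Signed with the legitimate key after tampering: origin is proven,
        # trustworthiness is not.
        tampered_sig = sign_manifest(current, key)

        return {
            "baseline_sig_ok": verify_manifest(baseline, baseline_sig, key),
            "tampered_sig_ok": verify_manifest(current, tampered_sig, key),
            "baseline_sig_matches_current": verify_manifest(current, baseline_sig, key),
            "diff": diff_manifests(baseline, current),
        }


if __name__ == "__main__":
    print(json.dumps(run_scenario(), indent=2))
```

The design point is that the baseline manifest is captured and signed at the earliest stage, and every later stage is compared against it rather than merely re-signed; a signature taken at the end of the pipeline would have blessed the tampered tree.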

The second incident shows that the security of the final system does not depend solely on the trustworthiness of the software it is made of. Recently, Vodafone smartphones running Google’s Android software were found to be infected by the Mariposa botnet (see Malware found on HTC Android phone from Vodafone). In this case the malware does not appear to come from the Android software itself, but rather to have been inserted later in the assembly process, when the components were integrated by the phone manufacturer.

This is a great illustration of how all actors involved in the software supply chain play a role in delivering trustworthy solutions or systems to end customers. Software vendors need to apply controls in their software development process for the software they develop and for the software they integrate in their own products. System integrators need to do the same when they assemble the final solution for their customers.

Recent work by SAFECode (Software Supply Chain Integrity Framework) and by the University of Maryland in collaboration with SAIC (A Cyber Supply Chain Assurance Reference Model) has started defining how software assurance spans across the software supply chain. These are the first steps towards a better understanding of a very complex problem that can only be solved through close collaboration between the actors involved in the software supply chain.