Security Risk And The Software Supply Chain presented at OWASP Appsec 2010

by Karen Mercedes Goertzel (Booz Allen Hamilton's Security Research Service)

Tags: Security Others Risk


Summary : A critical aspect of the U.S. government’s effectiveness is the dependability, trustworthiness, and survivability of the ICT on which its ability to perform its functions, activities, services, and missions relies. But as our adversaries find their efforts to compromise government information systems and networks increasingly confounded by the expanded reach and effectiveness of information assurance and cyber security controls and countermeasures, they seek new targets and avenues of attack. Among these: the supply chain for software products that are the “building blocks” of those systems and networks. Supply chain attacks attempt to either proactively compromise those building blocks before they can be deployed in systems or networks, or to delay or prevent their delivery when and where they are needed. The focus of this presentation is on security risks in the supply chain for off-the-shelf software products, including commercial-off-the-shelf (COTS) and government-off-the-shelf (GOTS), open source, shareware, and free software. These include supply chain risks that involve intentional acts that compromise the integrity, trustworthiness, or availability of flows, products, or data in the off-the-shelf software supply chain, regardless of the motivation for those acts.

Karen Mercedes Goertzel: Karen Mercedes Goertzel, CISSP, leads Booz Allen Hamilton's Security Research Service. As a subject matter expert in software safety and security assurance, information technology supply chain security risk management, cyber security, and information assurance (IA), she has supported the Defense Technical Information Center (DTIC) Information Assurance Technology Analysis Center (IATAC), the Office of the Director of Defense Research and Engineering (DDR&E) Cyber Security and Systems Engineering divisions, the Department of Homeland Security (DHS) Software Assurance Program, Naval Sea Systems Command (NAVSEA) Naval Ordnance Safety and Security Activity (NOSSA), National Aeronautics & Space Administration (NASA) Goddard Space Flight Center, the National Security Agency (NSA) Center for Assured Software, the National Institute of Standards and Technology (NIST) Computer Security Resource Center (CSRC), and the Defense Information Systems Agency (DISA) IA Executive, Global Information Grid Enterprise Services Engineering Directorate, and Application Security Program, among other defense and civilian organizations. Ms. Goertzel has published, presented, and taught widely on software safety and security, the insider threat to information systems, malicious code, cross-domain information sharing, and security of Social Media, Web 1.0/Web 2.0/Web services and Cloud Computing applications, as well as on "emerging" technologies such as computer immunology and autonomic computing. She was a lead author and editor of several IATAC state-of-the-art reports (SOARs) and IA Tools Reports, including Security Risk Management for the Off-the-Shelf Information and Communications Technology Supply Chain, The Insider Threat to Information Systems, Software Security Assurance, and Malware, and a contributing author to the IATAC SOAR Cyber Security and Information Assurance Measurement and Metrics.
She was also a contributing author to several NIST Special Publications (SPs), and has written extensive software assurance and application security guidance for DHS, NASA, DISA, NSA, the Dept. of State, and other departments and agencies. Her articles have appeared in CrossTalk: The Journal of Defense Software Engineering, The Journal of System Safety, the International Council on Systems Engineering's (INCOSE) Insight, ExecutiveBrief, the IATAC's IAnewsletter, and other publications. Before joining Booz Allen (as an employee of what is now BAE Systems), Ms. Goertzel was a pre-sales technical consultant specializing in high-assurance systems and cross-domain solutions, in which capacity she performed requirements analyses and architectural designs for defense and civilian government organizations in the U.S., the North Atlantic Treaty Organization (NATO), Canada, and Australia.