When Security Best Practices Meet Your Supply Chain presented at SupplyChainCybersecuritySummit 2019

by Curt Dukes

Summary: IT is developed globally. Chip design and fabrication are done in China, Japan, Korea, UAE, and the US. IT R&D is done in China, the EU, IS, Japan, Korea, and the US. Software development is done, well, just about everywhere. Supply Chain Risk Management is increasingly a concern, as we have seen examples where nation-states seek to implant or weaken IT products. This talk highlights the life cycle issues organizations face, such as whether a product adheres to a specification in a standard, has been tampered with, has been developed robustly, is authentic, and is being supported correctly. It addresses the dependencies an organization has on best practices adopted by the developer to: source components responsibly, follow robust development practices, track versions and prevent malicious alterations, sign software to ensure no tampering during distribution, and provide timely updates. Norms for life cycle management are in and of themselves a standards effort. We’ll discuss how these norms have the greatest effect if the steward for their instigation is independent of government and has no financial interest in the choices.