sw 1 do you have the right
TRANSCRIPT
-
8/12/2019 SW 1 Do You Have the Right
1/21
Michele Moss
Lead Associate
Booz | Allen | Hamilton
Do You Have The RightPractices In Your Cyber SupplyChain Tool Box?
-
8/12/2019 SW 1 Do You Have the Right
2/21
Todays Reality Is Deep & ComplexGlobal ICT Supply Chains
IT and Communications
products are assembled,
built, and transported by
multiple vendors aroundthe world.
Software contributions
include reusable
libraries, custom code,
commercial products,open source
-
8/12/2019 SW 1 Do You Have the Right
3/21
Simplistic Representation ofComponent List for a Dell Laptop
From The World Is Flat by Thomas Friedman
Dell Inspiron 600m Notebook: Key Components and Suppliers
-
8/12/2019 SW 1 Do You Have the Right
4/21
Supply Chain: PERSPECTIVES
Supply Chain SECURITY
Nodes of storage & throughput
Lines of transport (& communication)
DubaiJeddah
Tacoma
Colombo
Salalah
Oakland
San Juan
Melbourne
Long Beach Charleston
NhavaSheva
LosAngeles Hampton RoadsNewYork/NewJersey
Kobe
Osaka
Tokyo
Busan
Nagoya
Dalian
Ningbo
Manila
Xiamen
Tianjin
Keelung
Quingdao
ShanghaiShenzhen
Kaohsiung
Hong Kong
Guangzhou
Singapore
Port Kalang
LaemChabang
Tanjung Perak
Tanjung Priok
Tanjung Pelepas
Less than 2 million TEU
2 to 4 million TEU
4 to 7 million TEU
7 to 10 million TEU
More than 10 million TEU
Genoa
PiraeusValencia
Barcelona
AlgecirasGioia Tauro
LeHavre
FelixstoweAntwerp
Bremen/Bremerhafen
Hamburg
Rotterdam
Pacific Asia Europe
Supply Chain RESILIENCEMulti-sources
Multi-nodes
Multi-routes
Courtesy of Don Davidson, DOD
-
8/12/2019 SW 1 Do You Have the Right
5/21
Supply Chain: PERSPECTIVES
Product INTEGRITY
How do we improve our trust & confidence
in HW, SW & Services we source from aglobal supply chain?
Courtesy of Don Davidson, DOD
-
8/12/2019 SW 1 Do You Have the Right
6/21
What is the problem? Information and Communication Technology (ICT) products are
assembled, built, and transported by multiple vendors around theworld before they are acquired without the knowledge of theacquirer
Challenges range from poor acquirer practices to lack of
transparency into the supply chain Substantial number of organizations or people can touch
an ICT product without being identified
No standardized methodology or lexicon exists for managing ICTsupply chain risks
Poor ICT products and services acquisition practices contributeto acquirers lack of understanding what is in their supply chain
Counterfeit hardware and software proliferate
Acquirers do not have a framework to help enforce security andassurance compliance for vendors
-
8/12/2019 SW 1 Do You Have the Right
7/21
Why Standards?
Standards are a common language used to communicateexpected levels of performance for products and services
Countries use international standards compliance as a trade barrierand differentiator for their companies
Standards are Essential to Global Economy
Ensuring interoperability among trade partners
Facilitating increased efficiencies in the global economy
Making the development, manufacturing, and supply of products andservices more efficient, safer and cleaner
Providing governments with a technical base for health, safety andenvironmental legislation
Safeguarding consumers, and users in general, of products andservices - as well as to make their lives simpler
-
8/12/2019 SW 1 Do You Have the Right
8/21
Essential Security and Foundational Practices
Management Systems: ISO 9001 - Quality, ISO 27001Information Security, ISO 20000IT Service Management, ISO28000Supply Chain Resiliency
Security Controls: ISO/IEC 27002, NIST 800-53
Lifecycle Processes: ISO/IEEE 15288 - Systems, ISO/IEEE
12207Software
Risk Management: ISO 31000 - overall, ISO/IEC 27005 -security, and ISO/IEC 16085 - systems
Industry Best Practices: CMMI, Assurance Process ReferenceModel, Resiliency Management Model (RMM), COBIT, ITIL,
PMBOK
-
8/12/2019 SW 1 Do You Have the Right
9/21
Where Are New Standards BeingDeveloped?
Courtesy of Department of Defense
-
8/12/2019 SW 1 Do You Have the Right
10/21
The ISO/IEC/IEEE Life CycleProcess Framework Standards
Adapted from Paul Croll
Currently under revision,
15288 (CD) and 12207
(WD) comments and
contributions strengthen
the relationship to SC27
standards on IT Security
Adding references to
ISO/IEC 27036, ISO/
IEC 27034, and
ISO/IEC 27002
Adding language toincrease awareness of
operational threats and
ICT Supply Chain
considerations
-
8/12/2019 SW 1 Do You Have the Right
11/21
System and Software Engineering Relationship of Key Life CycleProcess Standards
Source: J. Moore, SC7
Liaison Report, IEEE
Software and Systems
Engineering Standards
Committee, Executive
Committee Winter
Plenary Meeting,
February 2007.
-
8/12/2019 SW 1 Do You Have the Right
12/21
ISO/IEC 27034 - Application Security
Scope: specify an application security life cycle, incorporating thesecurity activities and controls for use as part of an application lifecycle, covering applications developed through internaldevelopment, external acquisition, outsourcing/offshoring, or ahybrid of these approaches
Published
Working
Drafts
PART 1Overview and concepts
PART 2Organization normative framework
PART 3Application security management process
PART 4Application security validation
PART 5Protocols and application security control data
structurePART 6Security guidance for specific applications
Part 7 - Application Security Control Predictability
Adapted from Jed Pickel, Microsoft
-
8/12/2019 SW 1 Do You Have the Right
13/21
ISO/IEC TR 24772:Programming Language Vulnerabilities
Targets building software that is inherently less vulnerable throughimproving the programming languages, or, at least, improve theusage of them in coding
A catalog of 60+ issues that arise in coding when using anylanguage and how those issues may lead to security and safety
vulnerabilities
Each discussion includes
Description of the mechanism of failure
Recommendations for programmers: How to avoid or mitigate theproblem.
Recommendations for standardizers: How to improve programminglanguage specifications.
http://standards.iso.org/ittf/PubliclyAvailableStandards/index.html
-
8/12/2019 SW 1 Do You Have the Right
14/21
O-TTPS: Mitigating MaliciouslyTainted and Counterfeit Products
The Open Trusted Technology Provider Standard (O-TTPS)released in April, 2013set of requirements for organizationalbest practices
Apply across product life cycle. Some highly correlated to threatsof maliciously tainted and counterfeit products - others more
foundational but considered essential.
SourcingDesign Sustainment Disposal
TechnologyDevelopment Supply Chain
DistributionFulfillmentBuild
Source: Sally Long, OTTF Forum Director, The Open Group
OTTF Presentation Software & Supply Chain Assurance Workshop
December 17, 2013
-
8/12/2019 SW 1 Do You Have the Right
15/21
SAE In ternat ional, formerly theSociety of Automotive Engineers SAE AS5553 Counterfeit Electronic Parts; Avoidance,
Detection, Mitigation, and Disposition
SAE AS6081 Counterfeit Electronic Parts AvoidanceDistributors
SAE AS6171 Test Methods Standard; Counterfeit Electronic Parts
SAE ARP6178 Counterfeit Electronic Parts; Tool for RiskAssessment of Distributors
SAE AS6462 AS5553 Verification Criteria
-
8/12/2019 SW 1 Do You Have the Right
16/21
27002:2013 New ControlsA Quick List
6.1.5- Information security in project management 14.2.1- Secure development policy
14.2.5- Secure system engineering principles
14.2.6- Secure development environment
14.2.8- System security testing 15.1.1- Information security policy for supplier relationships
15.1.2- Addressing security within supplier agreements
15.1.3- Information and communication technology supply chain
16.1.4- Assessment of and decision on information security events
16.1.5- Response to information security incidents
17.1.1- Planning information security continuity
17.1.2- Implementing information security continuity
17.2.1- Availability of information processing facilities
-
8/12/2019 SW 1 Do You Have the Right
17/21
ISO/IEC 27036SupplierRelationships
Part 1Overview and Concepts
Part 2Requirements
Part 3
Guidelines for
ICT Supply
Chain Security
Part 4
Guidelines
for Securityof Cloud
Services
General overview
Requirements for
information securityactivities for any supplier
relationship to acquire any
products and services
Part 2 requirements + Part
3 guidance to manage ICT
supply chain security risks
for ICT products and
services
Part 2 requirements +
Part 3 guidance + Part
4 guidelines tostructure cloud security
services risks
Courtesy of Nadya Bartol, UTC
-
8/12/2019 SW 1 Do You Have the Right
18/21
Draft NIST SP 800-161
Supply Chain Risk Management Practices for Federal InformationSystems and Organizations
Provides guidance to federal agencies on selecting and implementingmitigating processes and controls at all levels in their organizations tohelp manage risks to or through ICT supply chains for systems
categorized as HIGHaccording to Federal Information ProcessingStandard (FIPS) 199, Standards for Security 367 Categorization ofFederal Information and Information Systems
Applies the multi-tiered risk management approach of NIST SP 800-39,355 Managing Information Security Risk: Organization, Mission, andInformation System View
Refines and expands NIST SP 800-53 Rev4 controls, adds new controlsthat specifically address ICT SCRM, and offers SCRM-specificsupplemental guidance where appropriate
Extracted from http://csrc.nist.gov/publications/drafts/800-161/sp800_161_draft.pdf
-
8/12/2019 SW 1 Do You Have the Right
19/21
Success Involves Selecting MultipleStandards To Address Program Risks
NIST Cyber Framework
Promotes private sectordevelopment ofconformity assessments
SCRM is called out asan emerging disciplinecharacterized by diverseperspectives, disparatebodies of knowledge,and fragmented
standards and bestpractices
-
8/12/2019 SW 1 Do You Have the Right
20/21
Industry efforts continue tomature the SCRM Discipline
www.microsoft.com/sdl BuildSecurityIn.us-cert.gov
www.owasp.orghttp://bsimm.com/
www.safecode.org
http://www.cert.org/secure-coding/
-
8/12/2019 SW 1 Do You Have the Right
21/21
Questions?
21