Sometimes security vulnerabilities are introduced when software makers exchange code -- or when it is sent out to customers, according to "An Overview of Software Integrity Controls: An Assurance-Based Approach to Minimizing Risks in the Software Supply Chain" (PDF), a white paper issued today by the Software Assurance Forum for Excellence in Code (SAFECode).
"Most of the studies on software development so far have really looked only at the security issue," says Paul Kurtz, executive director of SAFECode, a nonprofit organization backed by major software vendors. "What we're saying here is that software integrity and authenticity need to be part of the discussion."
The paper outlines software integrity controls used by major software vendors to address the risk that insecure processes, or a motivated attacker, could undermine the security of a software product as it moves through the links in the global supply chain.
The controls cover issues ranging from contractual relationships with suppliers, to securing source code repositories, to helping customers confirm the software they receive is not counterfeit. The work builds on SAFECode's previously released "Software Supply Chain Integrity Framework," which defines a taxonomy for describing supply-chain security in the context of software assurance.
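One of the controls named above, letting a customer confirm that delivered software is genuine, is shown here as an added end-to-end example. It is not code from the SAFECode paper or from any vendor, and the scheme it assumes (a vendor-signed SHA-256 manifest, Ed25519 signatures, the `Manifest`, `VerifyDelivery` and `Demo` names) is hypothetical; the release contents are constructed sample bytes.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"sort"
	"strings"
)

// Manifest maps each artifact's file name to the hex SHA-256 of its contents.
type Manifest map[string]string

// BuildManifest hashes every artifact in a release (vendor side).
func BuildManifest(artifacts map[string][]byte) Manifest {
	m := Manifest{}
	for name, data := range artifacts {
		sum := sha256.Sum256(data)
		m[name] = hex.EncodeToString(sum[:])
	}
	return m
}

// Encode renders the manifest in a canonical sorted "hash  name" form so
// that signer and verifier operate on identical bytes.
func (m Manifest) Encode() []byte {
	names := make([]string, 0, len(m))
	for n := range m {
		names = append(names, n)
	}
	sort.Strings(names)
	var b strings.Builder
	for _, n := range names {
		fmt.Fprintf(&b, "%s  %s\n", m[n], n)
	}
	return []byte(b.String())
}

// ParseManifest is the inverse of Encode and rejects malformed lines.
func ParseManifest(raw []byte) (Manifest, error) {
	m := Manifest{}
	for _, line := range strings.Split(string(raw), "\n") {
		if line == "" {
			continue
		}
		parts := strings.SplitN(line, "  ", 2)
		if len(parts) != 2 || len(parts[0]) != sha256.Size*2 {
			return nil, fmt.Errorf("malformed manifest line %q", line)
		}
		m[parts[1]] = parts[0]
	}
	return m, nil
}

// VerifyDelivery is the customer-side check. The signature is checked first,
// since an unsigned or forged manifest proves nothing about the artifacts;
// only then is each delivered file hashed and compared to the manifest.
func VerifyDelivery(vendorPub ed25519.PublicKey, manifestBytes, sig []byte, delivered map[string][]byte) error {
	if !ed25519.Verify(vendorPub, manifestBytes, sig) {
		return fmt.Errorf("manifest signature does not verify under the vendor key")
	}
	m, err := ParseManifest(manifestBytes)
	if err != nil {
		return err
	}
	for name, want := range m {
		data, ok := delivered[name]
		if !ok {
			return fmt.Errorf("artifact %q listed in manifest is missing", name)
		}
		sum := sha256.Sum256(data)
		if got := hex.EncodeToString(sum[:]); got != want {
			return fmt.Errorf("artifact %q does not match its manifest hash", name)
		}
	}
	return nil
}

// DemoResult records whether each constructed delivery passed verification.
type DemoResult struct {
	Genuine, TamperedArtifact, ForgedManifest bool
}

// Demo runs vendor and customer sides end to end on constructed sample
// artifacts (hypothetical release contents, not real software).
func Demo() (DemoResult, error) {
	vendorPub, vendorPriv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return DemoResult{}, err
	}
	release := map[string][]byte{
		"installer.bin": []byte("constructed binary payload v1.2.3"),
		"README.txt":    []byte("constructed release notes"),
	}
	manifest := BuildManifest(release).Encode()
	sig := ed25519.Sign(vendorPriv, manifest)

	// Attacker swaps the installer but leaves the signed manifest alone.
	tampered := map[string][]byte{
		"installer.bin": []byte("constructed backdoored payload"),
		"README.txt":    release["README.txt"],
	}
	// Attacker rebuilds a matching manifest and signs it with their own key.
	_, attackerPriv, _ := ed25519.GenerateKey(rand.Reader)
	forgedManifest := BuildManifest(tampered).Encode()
	forgedSig := ed25519.Sign(attackerPriv, forgedManifest)

	return DemoResult{
		Genuine:          VerifyDelivery(vendorPub, manifest, sig, release) == nil,
		TamperedArtifact: VerifyDelivery(vendorPub, manifest, sig, tampered) == nil,
		ForgedManifest:   VerifyDelivery(vendorPub, forgedManifest, forgedSig, tampered) == nil,
	}, nil
}

func main() {
	r, err := Demo()
	if err != nil {
		panic(err)
	}
	fmt.Printf("genuine=%v tampered=%v forged=%v\n", r.Genuine, r.TamperedArtifact, r.ForgedManifest)
}
```

The ordering matters: hashing the artifacts alone only proves they match some manifest, and an attacker who replaces the installer can just as easily ship a manifest that matches it. Authenticity comes from the vendor's signature over the canonical manifest bytes, which is why the customer must obtain the vendor public key out of band rather than from the same download.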
The paper also identifies areas that SAFECode believes deserve future industry-led collaboration and study. SAFECode encourages public comment on the paper and will consider feedback collected for future projects.