The Case for Supply Chain Integrity

Two recent incidents shed some light on how hard it is to ensure the integrity of software code throughout the supply chain.

In the first incident, the software bundled with a USB battery charger, installed when the charger was plugged into a PC, opened a backdoor that gave attackers remote access to the machine (see US CERT’s note: Energizer DUO USB battery charger software allows unauthorized remote system access). There is nothing new in this type of attack, but recent headlines showing how attackers mount complex schemes by compounding well-known attack vectors demonstrate that trustworthy software is an essential part of the solution.

So, how do we get there? Clearly, signing software is not sufficient: the USB battery charger program was digitally signed. A valid signature tells you that the binary was produced by the holder of the vendor’s signing key and has not been altered since it was signed. It tells you nothing about whether the code the vendor built is trustworthy, or whether the build that produced the binary was itself compromised. Only strong software assurance programs can increase the trust we put in the software we buy or download.

In its recent report, SAFECode defines software assurance as “confidence that software, hardware and services are free from intentional and unintentional vulnerabilities and that the software functions as intended.” This can only be achieved by ingraining software security practices in the development process, which has two dimensions:

  1. Reducing the occurrence of unintentional vulnerabilities by training developers and by performing threat modeling, source code scanning and security testing during the software development lifecycle.
  2. Controlling code integrity throughout the lifecycle to prevent (a) the addition of malware to the software binary by an infected computer involved in the software development lifecycle and (b) the insertion of malicious software directly in the source code by an attacker.
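The difference between the two dimensions, and between provenance and integrity, is easier to see on a toy source tree. The following is an added example, not code from the original post or from SAFECode, and it models three controls: a manifest of source-file digests pinned at review time (catches source modified after review, point 2(b)), a bit-for-bit comparison of two independent deterministic builds (catches a compromised build host that alters the binary, point 2(a)), and a vendor authenticator over the released artifact. HMAC-SHA256 stands in for the digital signature so the example runs on the standard library alone; the property it shows is the same one the text makes about signed binaries: the check tells you who released the artifact and that it has not changed since, not whether the artifact is benign. The source tree, the vendor key and the `BACKDOOR-PAYLOAD` marker are all constructed for the example.

```python
"""Code-integrity controls on a toy source tree (added example, not the
original post's or SAFECode's code). HMAC stands in for a vendor signature."""
import hashlib
import hmac
import json
from typing import Dict

# Constructed sample source tree (path -> contents); not a real product.
SOURCE_TREE: Dict[str, bytes] = {
    "src/main.c": b"int main(void) { return 0; }\n",
    "src/util.c": b"int add(int a, int b) { return a + b; }\n",
    "Makefile": b"all: main util\n",
}

# Hypothetical vendor release key; in practice this lives in an HSM.
VENDOR_KEY = b"vendor-release-key-example"


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def source_manifest(tree: Dict[str, bytes]) -> Dict[str, str]:
    """Per-file digests, recorded at code-review time and stored out of band."""
    return {path: sha256_hex(data) for path, data in sorted(tree.items())}


def manifest_digest(manifest: Dict[str, str]) -> str:
    """One digest over the canonicalised manifest, so it can be pinned or signed."""
    canon = json.dumps(manifest, sort_keys=True, separators=(",", ":"))
    return sha256_hex(canon.encode())


def verify_source(tree: Dict[str, bytes], pinned: Dict[str, str]) -> bool:
    """Source still matches the reviewed state: same files, same contents."""
    return source_manifest(tree) == pinned


def build(tree: Dict[str, bytes], infected: bool = False) -> bytes:
    """Deterministic toy build: sorted, length-prefixed concatenation of files.
    A compromised build host (infected=True) appends bytes the developers never
    wrote; the source tree itself is untouched, so a source manifest cannot see it."""
    artifact = b""
    for path, data in sorted(tree.items()):
        artifact += len(path).to_bytes(2, "big") + path.encode()
        artifact += len(data).to_bytes(4, "big") + data
    if infected:
        artifact += b"\x00BACKDOOR-PAYLOAD"  # constructed marker, not real malware
    return artifact


def reproducible_builds_agree(tree: Dict[str, bytes], *, builder_b_infected: bool) -> bool:
    """Build on two independent hosts and compare the outputs bit-for-bit."""
    digest_a = sha256_hex(build(tree))
    digest_b = sha256_hex(build(tree, infected=builder_b_infected))
    return hmac.compare_digest(digest_a, digest_b)


def sign(artifact: bytes, key: bytes = VENDOR_KEY) -> str:
    """Vendor authenticator over the final artifact (HMAC stands in for a signature)."""
    return hmac.new(key, artifact, hashlib.sha256).hexdigest()


def verify_signature(artifact: bytes, tag: str, key: bytes = VENDOR_KEY) -> bool:
    return hmac.compare_digest(sign(artifact, key), tag)


def run_checks() -> Dict[str, bool]:
    """Exercise each control against a clean case and the failure it is meant to catch."""
    pinned = source_manifest(SOURCE_TREE)

    # 2(b): an attacker edits source after it was reviewed and pinned.
    tampered_tree = dict(SOURCE_TREE)
    tampered_tree["src/util.c"] += b"void phone_home(void) {}\n"

    # 2(a): clean source, but the release build host is infected.
    clean_bin = build(SOURCE_TREE)
    infected_bin = build(SOURCE_TREE, infected=True)

    return {
        "reviewed_source_verifies": verify_source(SOURCE_TREE, pinned),
        "tampered_source_detected": not verify_source(tampered_tree, pinned),
        "clean_builds_agree": reproducible_builds_agree(SOURCE_TREE, builder_b_infected=False),
        "infected_builder_detected": not reproducible_builds_agree(SOURCE_TREE, builder_b_infected=True),
        # The release key signs whatever the build host hands it: both verify.
        "clean_binary_signature_valid": verify_signature(clean_bin, sign(clean_bin)),
        "infected_binary_signature_valid": verify_signature(infected_bin, sign(infected_bin)),
    }


if __name__ == "__main__":
    for name, ok in run_checks().items():
        print(f"{name}: {ok}")
```

Every entry returned by `run_checks()` is true, including `infected_binary_signature_valid`: the binary produced by the infected build host carries a perfectly valid vendor authenticator, which is exactly why signing alone proves origin and not trustworthiness. The same digest comparison applies one step downstream, when an integrator receives components from a vendor and checks them against the digests the vendor published.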

The second incident shows that the security of the final system does not depend solely on the trustworthiness of the software it is made of. Recently, Vodafone smartphones powered by Google’s Android software were found to carry the Mariposa botnet client (see Malware found on HTC Android phone from Vodafone). In this case the malware was found on the memory card shipped with the phone rather than in the Android software itself, and it appears to have been introduced later, when the components were integrated and the device was assembled for shipment.

This is a great illustration of how every actor in the software supply chain plays a role in delivering trustworthy solutions and systems to end customers. Software vendors need to apply controls in their development process both to the software they write and to the software they integrate into their own products. System integrators need to do the same when they assemble the final solution for their customers.

Recent work by SAFECode (Software Supply Chain Integrity Framework) and by the University of Maryland in collaboration with SAIC (A Cyber Supply Chain Assurance Reference Model) has started to define how software assurance spans the software supply chain. These are the first steps towards a better understanding of a very complex problem that can only be solved through close collaboration between the actors involved in the software supply chain.

About the Author: Eric Baize

Throughout his career, Eric Baize has been passionate about building security and privacy into systems and technology from design to deployment. He currently leads Dell EMC’s Product Security Office and serves as Chairman of SAFECode, an industry-led non-profit organization dedicated to advancing software and supply chain security best practices. At Dell EMC, Eric leads the team that sets the standards and practices for all aspects of product security for the product portfolio: vulnerability response, secure development, consistent security architecture, and code integrity. Eric joined Dell through its combination with EMC, where he built EMC’s highly successful product security program from the ground up and was a founding member of the leadership team that drove EMC’s acquisition of RSA Security in 2006. He later led RSA’s strategy for cloud and virtualization. Prior to joining EMC in 2002, Eric held various positions with Groupe Bull in Europe and in the US. Eric has been a member of the SAFECode Board of Directors since the organization was founded in 2007 and also serves on the BSIMM Board of Advisors. He holds multiple U.S. patents, has authored international security standards, is a regular speaker at industry conferences and has been quoted in leading print and online news media. Eric holds a Master of Engineering degree in Computer Science from Ecole Nationale Supérieure des Télécommunications de Bretagne, France, and is a Certified Information Security Manager. Follow Eric Baize on Twitter: @ericbaize