The supply chains for developing software have become more complex than ever before, with an increasing number of stakeholders — as well as the number of components in today’s software products. Alongside this increase in supply chain complexity, there has been a dramatic uptick in attacks on these supply chains. News headlines frequently tout new software supply chain attacks, making end users and stakeholders concerned with the security and integrity of the software products they depend on.
For stakeholders to build greater trust with the products they are using, software development organizations need to communicate what risks their software products pose to end users. But many obstacles stand in the way. Chief among them: The lack of a common language to discuss software supply chain risk, which prohibits stakeholders from becoming more trustworthy of the software they rely on, said Cassie Crossley, Vice President of Supply Chain Security at Schneider Electric.
“We do not have a common language when speaking about risk and it's not only cyber risk. We are facing so much business risk with resilience and, how does everything affect it?”
—Cassie Crossley
MITRE’s System of Trust (SoT), released in 2020, aims to solve that “lack of trust” problem. SoT is a framework for supply chain security risk assessment that organizations of all kinds can use to assess their products, and communicate with stakeholders on their security posture. SoT establishes a consistent language and review processes that upholds standardization across the industry.
[ Learn more: MITRE’s System of Trust: A proposed standard for software supply chain security ]
How does the System of Trust work? How does it integrate with existing cybersecurity frameworks? At this year’s RSA Conference in San Francisco, ConversingLabs host Paul Roberts sat down Crossley, and Senior Software and Supply Chain Assurance Principal Engineer at MITRE, Robert Martin, to get answers to those questions.
Martin and Crossley presented the most up-to-date version of SoT at RSA. In this conversation, Martin addresses some of the specifics of how SoT works, while Crossley discusses how MITRE’s SoT has proven to be highly beneficial for Schneider Electric.
Here is their full conversation on ConversingLabs:
The ConversingLabs episode is available to watch on-demand here — or listen to wherever you get your podcasts.
Keep learning
- Get up to speed on securing AI/ML systems and software with our Special Report. Plus: See the Webinar: The MLephant in the Room.
- Learn how you can go beyond the SBOM with deep visibility and new controls for the software you build or buy. Learn more in our Special Report — and take a deep dive with our white paper.
- Upgrade your software security posture with RL's new guide, Software Supply Chain Security for Dummies.
- Commercial software risk is under-addressed. Get key insights with our Special Report, download the related white paper — and see our related Webinar for more insights.
Explore RL's Spectra suite: Spectra Assure for software supply chain security, Spectra Detect for scalable file analysis, Spectra Analyze for malware analysis and threat hunting, and Spectra Intelligence for reputation data and intelligence.