The supply chains for developing software have become more complex than ever before, with an increasing number of stakeholders — as well as the number of components in today’s software products. Alongside this increase in supply chain complexity, there has been a dramatic uptick in attacks on these supply chains. News headlines frequently tout new software supply chain attacks, making end users and stakeholders concerned with the security and integrity of the software products they depend on.
For stakeholders to build greater trust with the products they are using, software development organizations need to communicate what risks their software products pose to end users. But many obstacles stand in the way. Chief among them: The lack of a common language to discuss software supply chain risk, which prohibits stakeholders from becoming more trustworthy of the software they rely on, said Cassie Crossley, Vice President of Supply Chain Security at Schneider Electric.
“We do not have a common language when speaking about risk and it's not only cyber risk. We are facing so much business risk with resilience and, how does everything affect it?”
—Cassie Crossley
MITRE’s System of Trust (SoT), released in 2020, aims to solve that “lack of trust” problem. SoT is a framework for supply chain security risk assessment that organizations of all kinds can use to assess their products, and communicate with stakeholders on their security posture. SoT establishes a consistent language and review processes that upholds standardization across the industry.
[ Learn more: MITRE’s System of Trust: A proposed standard for software supply chain security ]
How does the System of Trust work? How does it integrate with existing cybersecurity frameworks? At this year’s RSA Conference in San Francisco, ConversingLabs host Paul Roberts sat down Crossley, and Senior Software and Supply Chain Assurance Principal Engineer at MITRE, Robert Martin, to get answers to those questions.
Martin and Crossley presented the most up-to-date version of SoT at RSA. In this conversation, Martin addresses some of the specifics of how SoT works, while Crossley discusses how MITRE’s SoT has proven to be highly beneficial for Schneider Electric.
Here is their full conversation on ConversingLabs:
![](https://play.vidyard.com/2YLBEnELGBbtpZUMuqTXdQ.jpg)
The ConversingLabs episode is available to watch on-demand here — or listen to wherever you get your podcasts.
Keep learning
- Gartner is redefining software supply chain security, and calling on enterprises to make some big changes. Get the new Gartner Leader's Guide — and learn more in our Special Report.
- Learn about complex binary analysis and why it is critical to software supply chain security in our Special Report. Plus: Take a deep dive with RL's white paper.
- Commercial software risk is under-addressed. Get key insights with our Special Report, download the related white paper — and see our related Webinar for more insights.
- Understand key trends and get expert insights with our special report package: The State of Supply Chain Security (SSCS) 2024. Plus: Download the full State of SSCS report.
- Read about why you need to upgrade your AppSec tools for the SSCS era. Plus: Download and share our Definitive Guide to SSCS.
Explore RL's Spectra suite: Spectra Assure for software supply chain security, Spectra Detect for scalable file analysis, Spectra Analyze for malware analysis and threat hunting, and Spectra Intelligence for reputation data and intelligence.