MITRE, the non-profit corporation, has been instrumental in developing systems to help with issues related to software assurance. That includes the development of CVEs (Common Vulnerabilities and Exposures) and CWEs (Common Weakness Enumeration) not to mention the ATT&CK taxonomy of adversarial methods.
Now MITRE is taking things further and “stepping up into the organization” to focus on supply chain risk, according to Robert Martin, a Senior Principal Engineer at MITRE. COVID has highlighted supply chain risks - whether it's availability, counterfeit products or - of course - cyber risk, he said. But solving supply chain problems is not simply a job for the IT group; it is something that needs to be driven from the very top echelons of an organization.
His organization published a framework in early 2021 called the System of Trust (sot.mitre.org), which supports supply chain security risk assessments that are customizable, evidence-based, scalable and repeatable. Once implemented, the SoT will give organizations within the supply chain confidence in each other, as well as in the service offerings and supplies they exchange.
Martin sat down with ConversingLabs host Paul Roberts on the sidelines of the RSA Conference in early June.
In this conversation, he talks about how the software supply chain is highly complicated, due to an increasing number of things in society becoming cyber-enabled.
Martin explained how software is not written neatly end to end, but rather is built with drivers, dependencies, and frameworks that give the supply chain depth and magnitude. If software practitioners are not given visibility into this complicated picture, they will miss the software supply chain risks that pose a threat to their organizations. The SoT’s goal is to promote transparency, allowing developers to see all of the players in the supply chain.
Check out the full conversation with Martin below!