ConversingLabs PODCAST

Season 1, EP 6

Robert Martin of MITRE on Supply Chain System of Trust

ConversingLabs Podcast, June 23, 2022

MITRE, the non-profit corporation, has been instrumental in developing systems that help with software assurance, including CVE (Common Vulnerabilities and Exposures), CWE (Common Weakness Enumeration) and the ATT&CK taxonomy of adversarial methods.

Now MITRE is taking things further and "stepping up into the organization" to focus on supply chain risk, according to Robert Martin, a Senior Principal Engineer at MITRE. COVID has highlighted supply chain risks, whether it's availability, counterfeit products or, of course, cyber risk, he said. Solving supply chain problems is not simply a job for the IT group; it needs to be driven from the very top echelons of an organization.

His organization published a framework in early 2021 called the System of Trust (sot.mitre.org), which supports supply chain security risk assessments that are customizable, evidence-based, scalable and repeatable. Once implemented, the SoT gives organizations within a supply chain confidence in each other, as well as in the service offerings and supplies they exchange.

Martin sat down with ConversingLabs host Paul Roberts on the sidelines of the RSA Conference in early June.

In this conversation, he talks about how the software supply chain is highly complicated, due to an increasing number of things in society becoming cyber-enabled.

Martin explained how software is not written neatly end to end, but rather is built with drivers, dependencies, and frameworks that give the supply chain depth and magnitude. If software practitioners are not given visibility into this complicated picture, they will miss the software supply chain risks that pose a threat to their organizations. The SoT's goal is to promote transparency, allowing developers to see all of the players in the supply chain.

EPISODE TRANSCRIPT

PAUL ROBERTS
Okay, so we're here with a special kind of RSA edition Cafe edition of our Conversing Labs podcast. And with us we have Robert Martin from MITRE. Robert, welcome.
 
ROBERT MARTIN
Thank you.
 
PAUL ROBERTS
Great to see you. And how are you enjoying RSA conference after a couple year hiatus?
 
ROBERT MARTIN
Yeah, 27 months, I guess, since we were here. That's a common refrain from many of the people I'm reconnecting with, but it's really good. A lot of people here, a lot of good discussions and good interactions going on.
 
PAUL ROBERTS
I'm glad. So, Robert, for listeners who aren't familiar with you or your work at MITRE, just introduce yourself and tell the audience a little bit about what you do at MITRE.

ROBERT MARTIN
Okay, well, I am a senior principal software and supply chain assurance engineer. I am in what's called MITRE Labs. MITRE, for those of you that don't know, is a not-for-profit that runs federally funded research and development centers for many parts of the US Government. And my role has been in the area of assurance. How do you convey it, how do you capture it? And that really ends up with a lot of engagement with external groups, industry consortiums, and across the government as well.

PAUL ROBERTS
So we're talking to you because you're a speaker at RSA this year, and you gave a presentation based on a paper that MITRE put out that you authored back in early 2021 on what you're calling a sort of System of Trust for supply chain, not just software supply chain, but it includes software, obviously. Talk about that paper and kind of what is behind it, because obviously there's a lot of work and, from MITRE's standpoint, years of work on this, behind this idea of a System of Trust.

ROBERT MARTIN
Right, and so there's actually been four papers, and now there's a public website, actually, so there's a lot of background information for people: sot.mitre.org. But basically this work is, in retrospect, the next step on a lot of efforts that have been going on for many years. So if you think about supply chain, there's many elements. There's logistics, there's acquisition, there's organizational risk management. And for more and more of our things coming through the supply chains, it's about the cyber element of those things, whether it's your traditional IT, your mobile devices, or now everything in your building systems, your car. A lot of things now are cyber-enabled. And so that's a new aspect.

But our work here, we at MITRE have done a lot of engagements in software assurance, in the CVE program for vulnerabilities that are publicly known, CWE, which is the weaknesses that cause those vulnerabilities. So a lot of this is about...

PAUL ROBERTS
Attack taxonomy as well.

ROBERT MARTIN
Yes, all of these are about the conversation between those who create products and those who are using them, about what was done, what is an issue or not. And so this movement into supply chain is really just stepping up into the organization, because these issues are not for the technologists; this is a business issue and it needs business attention. And unfortunately the COVID pandemic has highlighted that supply chains, whether it's the resilience of them or your susceptibility to poor quality or counterfeits, just all these different aspects, or even an organization going out of business. So all of these are part of what System of Trust is trying to put as a basic: what is it you should consider when you think about supply chain risks? And a lot of people are either building their own little list of these issues or they're borrowing something from some other project they thought was good. And both are not really going to give you the holistic context you need to start with. Now, I'm not saying everybody needs to look at all these kinds of risks, but you need to look at that overall set to figure out which subset is appropriate for the decision you're trying to make.

PAUL ROBERTS
Got it.

ROBERT MARTIN
And so that's what System of Trust is about.

PAUL ROBERTS
And you mentioned MITRE has been working with organizations including government and intelligence sector, defense contractors, industry around this for decades, really going back to the Cold War. Back then it was more about just making sure your suppliers are trustworthy, that they hadn't been infiltrated, potentially...

ROBERT MARTIN
And the products weren't tampered with.

PAUL ROBERTS
Right. What most of us probably think of as supply chain security. Now we hear a lot about software supply chain. How does software change things? How does it fit into that paradigm? And is it amenable to the same types of controls?

ROBERT MARTIN
Well, I think so. You know, one big part of a lot of supply chain is the transparency. You need to understand who are the players in your supply chain. So you think about any complex microelectronics device. It's got resistors and PCB boards and connectors, and it's got a parts explosion that's huge. Well, that's really what we have in software these days. We don't sit down and write software from end to end. We bring in drivers, we bring in libraries, we bring in frameworks, we bring in whole functional parts of it, and we invoke services. So these are just the sub-assemblies of your software. And what we don't have is the visibility. When you get something from Ikea, you have here's what's in the box, and check that you have all of it before you start your assembly. But...

PAUL ROBERTS
Plus an Allen wrench. You get an Allen wrench too?

ROBERT MARTIN
Right, that's true. You need some assembly mechanism, right? Sometimes you get a screwdriver.

PAUL ROBERTS
Sometimes.

ROBERT MARTIN
But in the software world we have never really had that kind of transparency. That's what NTIA and now CISA at DHS are leading the charge on: software bills of materials. But that's just one element of how you would want to secure a supply chain. So the second part of my talk here at RSA, where the first was about the System of Trust, this holistic way of managing, actually focused on software supply chain, back to the SolarWinds issues, how SBOMs can bring one element, kind of foundational, but then you need to tie those SBOMs to the activities that produce them, the actual vetting or testing or other types of claims that you're going to make about that, and then chain them together so that you know who did it, what did it? What version of the build tool, how was it configured? Where memory safe operations and boats and so on. And these are things that you may be able to figure out after the fact, but they're much easier, much more straightforward if during the process they are captured and conveyed. And so the other thing I talked about was an IETF and Linux Foundation effort called Supply Chain Integrity, Transparency and Trust (SCITT), which is about distributed confidential ledgers for capturing these different kinds of claims in a permissioned way so that you can pull them out when you need to show them to your customer or show them to auditors, or just kind of unravel a problem that happened and you need to go trace the sources. That's another aspect of all this. And that's one of the things in the Executive Order 14028 that came out last year: it offered that we needed SBOMs if you're going to sell to the government, but it also wanted you to make claims about what you did in building that software. So industry is already on that issue because they need that kind of information of their own suppliers. Because most people are not at the end of a supply chain. They're in the middle. They're both a producer and a consumer.

PAUL ROBERTS
Right.

ROBERT MARTIN
There's a lot of business motivation, and that's really a key of what MITRE tries to look at in doing these kinds of standardizations, is where is the motivation? It can't be only the hammer, right? There needs to be a carrot. There needs to be an internal motivation. This simplifies something, this restructures a problem into a more tractable way. I think getting the System of Trust topics, it's really about due diligence. What is the expected way organizations, boards, officers address supply chain and have their organization implement the appropriate risk management and processes?

PAUL ROBERTS
Yeah, I mean, you liken it to GAAP (Generally Accepted Accounting Principles), which is a kind of standard measure of the financial practices of companies. And you liken it to that. Is that...

ROBERT MARTIN
Yeah, basically GAAP is a whole set of things that you can apply, and anyone who sets up a finance approach for a project or a company will use that as their starting point, but then tailor it down to what makes sense for that kind of business, those kinds of transactions. In the same way, System of Trust is going to be this broad set of all the different kinds of risks that you may need to address in supply chain, in your services' offerings, in your suppliers, in your supplies. But then you need to go in and identify a subset. We call it a profile. So the things that make sense for your business environment, for your kind of product, your kind of acquisition decision. And then also you can tailor; we have a weighting, scoring kind of approach in here, so you can go in and tailor the weights. But different people have different risk aversion, risk tolerance, and so different issues are more important or less important. And then the last part of this is you take that profile and step into assessment. And here we're also trying to drive a data-driven basis for assessment. So there's a place in System of Trust to record on what basis did you decide that this is the evaluation of this particular risk, and then start summing them up. That's really the last thing I wanted to offer up: that when you get a lot of different elements being brought together to make a risk assessment, you're at the peril of a really bad thing getting washed away by lots and lots of okay or good things. Think about a security clearance. If you answer one of the dozens and dozens of pages of questions, "Yes, I am a convicted felon," that's a showstopper. Well, many organizations have those kinds of risks. If this one gets triggered, then I want to know it. So we have this mechanism for letting those float up and not get washed away by...

PAUL ROBERTS
Kind of weighting. And is the algorithm part of what MITRE has developed? Right. So it's a weighting mechanism?

ROBERT MARTIN
So right now we haven't shared that. We're trying to finish documenting it, making sure it's as robust as we can make it. And then we'll be putting it out on our website for people to look over. And that's another big part of this, is we want feedback. We want organizations to say, well, what about this? Or you forgot about that, or there's a typo on page five, whatever the feedback is. So that's another part of what we're doing out here is engaging companies that have supply chains to make sure this makes sense to them, doing the same with our sponsors. But also there's a lot of people who are offering insights for sources of information about your supply chain. And we want to make sure those people can bring their inputs into someone using System of Trust. So I want to map the Exigers, Thomson Reuters, the others: what elements in the System of Trust can they actually bring evidence to, so that you can see how you can compose these different offerings to help you answer the questions you care about.

PAUL ROBERTS
It's interesting because you've actually modeled this on a number of actual companies. You don't name them, but you sort of show their scores, and it's really interesting to look at what comes out of it. I noted that in the paper you released back in 2021, there was one company that had a much higher kind of risk score than the others. And when you kind of delve into it, what impacted that was two things. One were higher scores, more findings in the sort of IT security, data security access, and then also some stuff on the financial side in terms of the profitability or debt-to-equity ratio or whatever. And it was interesting that those two things kind of combined in creating this higher score. Talk about kind of what you've seen come out of when you've run this on sample companies, like what things come out of it and what you noticed?

ROBERT MARTIN
Well, the big thing about those early pilots that were in the paper was those were all publicly traded companies. So there's a wealth of information from SEC filings and all, right, that you can leverage there. Right. And a lot of the things we showed in that paper were common practice in the financial industry, investments and people; this is how they look at these companies and whether they're going to invest in them. So we're just reusing some of that type of information. But if you're actually dealing with small companies that aren't publicly traded, but you have a contractual relationship or you're building one, you can ask for that same data so that you can monitor them with the same measures and the same risk assessments. And so that was one of the things: only part of the picture can be seen in publicly available data. Now, things about sanctions and debarments and lawsuits...

PAUL ROBERTS
Right, right.

ROBERT MARTIN
They don't care whether you're publicly traded or private, right. They record all of that. But also System of Trust has things looking at corporate networks. Now if you're trading with somebody, you can ask them a lot of fine-grained details. There's also people who will actually look at companies from the outside and see if they can find vulnerable hosts or malware beaconing out of there. So there are a lot of things you can start to understand about somebody's security.

PAUL ROBERTS
Right, and part of this also is, we should mention, software composition analysis and actually looking at, if you're using embedded software within your company or relying on it, or if you're, I guess, producing software, there's that piece of it as well that can be part of these overall assessments.

ROBERT MARTIN
Right, and that's a big thing is that when you think about supply chain, especially in the software supply chain, you can have pretty deep visibility, and you can also now start asking for SBOMs and ask for some provenance data, pedigree data. You may want to ask for claims about what they did in their development activity. All of these we're trying to account for in System of Trust. Now, some other organizations may not want to go into those details, but it is an area of risk that you could assess. And that's the whole idea of System of Trust: to give that starting point so that we have a more holistic, more common way of stepping into the question about supply chain and get that vocabulary, that set of concepts. And that's where we think this is going to be very applicable across the board. Not the whole set of System of Trust, but maybe like the top five or six areas. Basically they're independent of what kind of domain you're in, what kind of product and service. So yes, counterfeits: if you're looking at counterfeit microelectronics or counterfeit software, counterfeit sushi or counterfeit handbags, there are different techniques for determining if they are or not. But a couple of steps higher, the whole idea of having an evaluation and assessment of counterfeits and making sure that it's part of your decision process, that's independent of what kind of counterfeits you're worried about. And so we think that the top levels, maybe five, maybe six levels down, is something that every board, every officer, every acquisition official, every loading dock manager down to the engineers should be aware of and have as a part of their situational awareness.

PAUL ROBERTS
Okay, final question, which is always: we talk a lot about sort of the security poverty line in information security, which is, yeah, sure, the JPMorgan Chase or the Boeing and Lockheed will do this, they'll invest in this. But what about the millions or hundreds of thousands of just enterprises out there where this type of thing, as you're saying, is clearly needed now, but might seem like a really big stretch for them in terms of internal talent and skills to be able to do it, bandwidth and resources. So how do we... GAAP is used by everybody; you almost have to use it if you're a company doing business with other companies. How do we get System of Trust to have that same "got to do it" quality?

ROBERT MARTIN
Well, so one thing we've done is we've tried to embed in the way we ask the questions about the risks the knowledge about how to take the raw data and figure out if it is high risk, moderate risk, or low risk. So think about, and this is a poor analogy, but it's one we kind of end up using: your doctor knows how to take a couple of measurements and interpret them. Well, that rubric of how they evaluate that can actually be shared, and you see it in articles about your blood pressure should be in this level and your weight at this level. And if these things are too high, then you also talk to your doctor. So there's a way of everyone being able to get some measure, not the precise details that a practitioner would, but a general feel of are you in a low risk, moderate risk, or a high risk? That's where we think most people need to be. If supply chain is a huge possible impact to you, then you need to get some experts involved.

PAUL ROBERTS
Right.

ROBERT MARTIN
But there's a lot of people that just need some general, I guess, supply chain hygiene practices. And that's where we're aiming at.

PAUL ROBERTS
And you said as we started talking, the aim here, the target audience here really is the board, is the management of the company. Not necessarily... This isn't an IT problem. This is a corporate management problem.

ROBERT MARTIN
Right. And the other part of System of Trust, another way of thinking about it is this tree. And there are ornaments you can hang on there. There's things you're already doing that do answer some of these risk questions. So we're not trying to reinvent what's been done. We want to map those things. So there's certifications and accreditations and different assessments that organizations undergo. We want to be able to place these into the context of the System of Trust so the risk those things illuminate can be brought in and not passed over again.

PAUL ROBERTS
Robert, is there anything I didn't ask you that I should have or anything you wanted to say?

ROBERT MARTIN
No. Wish we'd been able to do this in person.

PAUL ROBERTS
Yeah, me too. COVID had other plans...

ROBERT MARTIN
Next year.

PAUL ROBERTS
Hey Robert, thank you so much for coming on and speaking to us on ConversingLabs. It's been a pleasure, and thanks for all the work you're doing.
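Martin's point about aggregation, that a single triggered showstopper risk can get washed away by lots of acceptable findings when everything is summed into one weighted score, can be shown in a few lines of code. The Python below is an added illustration written for this page; it is not MITRE's System of Trust scoring algorithm (which Martin says had not been published at the time of the interview). The risk identifiers, the 0.0 to 1.0 score scale, the weights, the band thresholds and the sample supplier are all constructed for the example.

```python
from dataclasses import dataclass

# Added illustration for this page; not MITRE's System of Trust scoring.
# Identifiers, scales, thresholds and the sample supplier below are constructed.


@dataclass(frozen=True)
class RiskFinding:
    risk_id: str        # hypothetical identifier, e.g. "legal.sanctions"
    area: str           # top-level risk area used for profile tailoring
    score: float        # 0.0 = no concern .. 1.0 = worst case (assumed scale)
    weight: float       # profile weight, tailored to the assessor's risk tolerance
    showstopper: bool = False   # a trigger that must surface regardless of the average
    basis: str = ""     # evidence recorded for the score (the "data-driven basis")


def select_profile(findings, areas):
    """Tailor the full risk set down to the areas relevant to this decision."""
    return [f for f in findings if f.area in areas]


def weighted_average(findings):
    """Plain weighted mean: the aggregation that lets one bad item get washed out."""
    total = sum(f.weight for f in findings)
    return 0.0 if total == 0 else sum(f.score * f.weight for f in findings) / total


def band_from_average(avg):
    """Map an aggregate score to low / moderate / high (thresholds assumed)."""
    if avg >= 0.5:
        return "high"
    if avg >= 0.25:
        return "moderate"
    return "low"


def triggered_showstoppers(findings, threshold=0.7):
    """Showstopper findings whose score crosses the trigger threshold."""
    return [f for f in findings if f.showstopper and f.score >= threshold]


def assess(findings, threshold=0.7):
    """Gated assessment: a triggered showstopper forces 'high' whatever the average.

    Returns (band, weighted average rounded to 3 places, [triggered risk ids]).
    """
    avg = weighted_average(findings)
    triggered = triggered_showstoppers(findings, threshold)
    band = "high" if triggered else band_from_average(avg)
    return band, round(avg, 3), [f.risk_id for f in triggered]


# Constructed supplier: nine unremarkable findings plus one sanctions hit.
SAMPLE_SUPPLIER = [
    RiskFinding("fin.profitability", "financial", 0.10, 1.0, basis="3 years positive net income (constructed)"),
    RiskFinding("fin.debt_to_equity", "financial", 0.20, 1.0, basis="D/E ratio 0.8 (constructed)"),
    RiskFinding("fin.going_concern", "financial", 0.10, 1.0, basis="no going-concern note in filings (constructed)"),
    RiskFinding("sec.exposed_hosts", "security", 0.15, 1.0, basis="1 of 40 external hosts with outdated TLS (constructed)"),
    RiskFinding("sec.malware_beaconing", "security", 0.05, 1.0, basis="no beaconing seen in 30 days (constructed)"),
    RiskFinding("sec.access_control", "security", 0.20, 1.0, basis="MFA enforced; one shared admin account (constructed)"),
    RiskFinding("sw.sbom_available", "software", 0.10, 1.0, basis="SBOM delivered with each release (constructed)"),
    RiskFinding("sw.build_provenance", "software", 0.20, 1.0, basis="build attestations only for main product (constructed)"),
    RiskFinding("ops.single_source", "operational", 0.10, 1.0, basis="critical parts are second-sourced (constructed)"),
    RiskFinding("legal.sanctions", "legal", 1.00, 1.0, showstopper=True, basis="entity listed on a sanctions list (constructed)"),
]


if __name__ == "__main__":
    avg = weighted_average(SAMPLE_SUPPLIER)
    print("plain weighted average:", round(avg, 3), "->", band_from_average(avg))
    print("gated assessment:", assess(SAMPLE_SUPPLIER))
    print("financial+security profile only:",
          assess(select_profile(SAMPLE_SUPPLIER, {"financial", "security"})))
```

Run as a script, the plain weighted average of the sample supplier comes out at 0.22 and lands in the "low" band, which is exactly the washout Martin warns about: nine benign findings hide the sanctions listing. The gated `assess` function reports "high" and names the triggered risk, and the `basis` field on each finding is where the evidence behind a score would be kept so the result can be explained to an auditor. Tailoring the profile to the financial and security areas only, as an organization with a narrower decision might, drops the sanctions item and the assessment stays "low", which is a reminder that profile tailoring decides what can ever surface.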
