Software supply chain security: look at these four aspects of good practice

2023-06-29 17:33 Prism Colorful 7cai

Enterprise software projects increasingly rely on third-party and open-source components created and maintained by individuals who are not employed by the organization that develops the critical software and who therefore do not necessarily follow the same security policies. This creates a security risk: the gap between the security practices of an individual maintainer and those of the organization can leave weak spots that are easily overlooked and that attackers may take advantage of.

NIST launched its Cyber Supply Chain Risk Management (C-SCRM) program as early as 2008, observed the supply chains of companies in different industries, and summarized its findings in an industry observation report on key practices of supply chain risk management. Drawing on NIST SP 800-161, the NIST "Cybersecurity Supply Chain Risk Management Practices: Industry Observations" report, the "Information Security Technology: Software Supply Chain Security Requirements" standard (draft for review), and other documents, this article summarizes some good practices for software supply chain security.

How to ensure the security of the software supply chain

Establish a software supply chain security management organization

A software supply chain security management organization should be established, including functions such as information technology, cybersecurity, legal, and enterprise risk management, to identify, respond to, and prevent risks across the software supply chain. It can also form an informal leadership network that promotes trust among the departments of a software development organization across complex supply chain relationships, strengthens the accountability mechanism, and helps the organization establish a rapid response mechanism for supply chain security management. Embedding software supply chain security into the enterprise culture as a whole also supports continuous improvement.

Develop software supply chain security management requirements

Establish software supply chain security management systems and requirements so that the organization responds to software supply chain risks consistently and effectively. Mature organizations have formal plans, policies, procedures, processes and tools.

  • Establish the overall policy, security system and strategy for enterprise software supply chain security.
  • Formulate security management systems and requirements for supply activities such as software procurement, acquisition, operation and maintenance, and decommissioning.
  • Define the continuous monitoring, risk management and incident response systems for software supply chain security risks.
  • Formulate an enterprise personnel management system and a supplier management system.

Establish a software supply chain security map

Establish a software supply chain security map that includes software product information, software bill of materials (SBOM) information, and security information. Maps can be constructed or generated by acquirers, suppliers, or third-party organizations. A map helps the organization understand the components used in its software portfolio and the relationships between components, systems and source code, and it serves as the basis for a supply chain security information collection and tracking mechanism for both organizational management and supply activity management.

Establish a list of third-party components, libraries, and tools within the enterprise

Software development organizations should establish their own internal list of third-party components, libraries, and tools for use by development, testing, and operation and maintenance personnel. This prevents developers and testers from pulling components from outside without approval and reduces the security risk caused by weak security awareness among personnel. It also makes it easier for the organization to manage third-party components, libraries, tools, and bug fixes in a unified way.
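The two practices above (a supply chain map built from SBOM data, and an internal list of approved components) can be checked mechanically. The following script is an added example, not code from the article: it parses a small CycloneDX-style SBOM constructed inline, builds a component map with forward and reverse dependency edges, compares each component against a constructed internal allowlist, and reports unapproved components together with the direct dependency that introduced them. The SBOM contents, the `APPROVED` list, and all function names are assumptions for illustration.

```python
import json
from collections import defaultdict

# Constructed CycloneDX-style SBOM (not from the article): the product
# "billing-service" with a few components and their dependency graph.
SAMPLE_SBOM = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.4",
    "metadata": {"component": {"name": "billing-service", "version": "2.3.0",
                               "purl": "pkg:generic/billing-service@2.3.0"}},
    "components": [
        {"name": "requests", "version": "2.31.0", "purl": "pkg:pypi/requests@2.31.0"},
        {"name": "urllib3", "version": "1.26.5", "purl": "pkg:pypi/urllib3@1.26.5"},
        {"name": "leftpad-clone", "version": "0.0.1", "purl": "pkg:pypi/leftpad-clone@0.0.1"},
    ],
    "dependencies": [
        {"ref": "pkg:generic/billing-service@2.3.0",
         "dependsOn": ["pkg:pypi/requests@2.31.0", "pkg:pypi/leftpad-clone@0.0.1"]},
        {"ref": "pkg:pypi/requests@2.31.0", "dependsOn": ["pkg:pypi/urllib3@1.26.5"]},
    ],
})

# Constructed internal allowlist (hypothetical): package purl without
# version -> set of versions the organization has approved for internal use.
APPROVED = {
    "pkg:pypi/requests": {"2.31.0"},
    "pkg:pypi/urllib3": {"1.26.18", "2.0.7"},
}


def split_purl(purl):
    """Split a package URL into (name without version, version).
    Qualifiers ("?...") and subpaths ("#...") are dropped for matching."""
    base = purl.split("?", 1)[0].split("#", 1)[0]
    if "@" in base:
        name, version = base.rsplit("@", 1)
    else:
        name, version = base, ""
    return name, version


def build_map(sbom):
    """Build the supply chain map: components keyed by purl, forward edges
    (ref -> dependsOn) and reverse edges (dependency -> its dependents)."""
    components = {c["purl"]: c for c in sbom.get("components", [])}
    root = sbom["metadata"]["component"]["purl"]
    forward, reverse = {}, defaultdict(list)
    for entry in sbom.get("dependencies", []):
        deps = list(entry.get("dependsOn", []))
        forward[entry["ref"]] = deps
        for dep in deps:
            reverse[dep].append(entry["ref"])
    return {"root": root, "components": components,
            "forward": forward, "reverse": dict(reverse)}


def dependents_chain(smap, purl):
    """Walk reverse edges from a component toward the product root and
    return the intermediate packages; an empty list means a direct dependency."""
    chain, seen, current = [], set(), purl
    while True:
        parents = smap["reverse"].get(current)
        if not parents:
            break
        current = parents[0]  # first recorded dependent is enough for a report
        if current == smap["root"] or current in seen:
            break
        seen.add(current)
        chain.append(current)
    return chain


def check_components(smap, approved):
    """Compare every SBOM component with the internal approved list."""
    findings = []
    for purl in smap["components"]:
        name, version = split_purl(purl)
        if name not in approved:
            status = "not-in-internal-list"
        elif version not in approved[name]:
            status = "version-not-approved"
        else:
            status = "approved"
        findings.append({
            "purl": purl,
            "status": status,
            "direct": purl in smap["forward"].get(smap["root"], []),
            "introduced_via": dependents_chain(smap, purl),
        })
    return findings


def review(sbom_text, approved=APPROVED):
    """Return only the components that need human review."""
    smap = build_map(json.loads(sbom_text))
    return [f for f in check_components(smap, approved) if f["status"] != "approved"]


if __name__ == "__main__":
    for f in review(SAMPLE_SBOM):
        origin = "direct" if f["direct"] else "via " + " <- ".join(f["introduced_via"])
        print(f"{f['status']:24} {f['purl']}  ({origin})")
```

In this constructed input the report flags `urllib3` because the version pulled in transitively by `requests` is not on the approved list, and `leftpad-clone` because it is not in the internal list at all; both are exactly the cases the internal list is meant to catch before code reaches production.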

Origin: blog.csdn.net/LJQClqjc/article/details/131461438