While travelling by train from Boston to NYC, I read two very thought-provoking papers on cybersecurity. Both are about a concept known as the cybersecurity supply chain. At a fundamental level, this thesis states that security is only as good as the whole supply chain process. Therefore, large organization must check the security of their suppliers, the integrity of their products, and the end-to-end systems created by the amalgamation of the piece parts.

I’ve long preached a similar concept called business process security but the cybersecurity supply chain extends a bit further than my model.

The first paper titled, “Software Supply Chain Integrity Framework,” can be downloaded from the SAFECode site, an organization dedicated to software assurance composed of Adobe (ADBE), EMC (EMC), Juniper Networks (JNPR), Microsoft (MSFT), Nokia (NOK), SAP (SAP), and Symantec (SYMC).

The second paper titled, “Building a Cyber Supply Chain Assurance Reference Model,” can be downloaded from this link (http://www.saic.com/cyber-supply-chain/?intcmp=hs_cybersupplychain) on the SAIC (SAI) site.

Very interesting reading for CISOs or technology vendors working with large organizations of government agencies.

Related posts:

1. Security Development Lifecycle (SDL) for Agile Development
2. Lieberman Cybersecurity Bill: Fatal Flaws and What the IT Industry Must Do
3. Are Critical Infrastructure Organizations Unaware of Security Incidents?
4. Note to Washington: You Own the Information Security Communications Gap
5. Microsoft SDL Progresses and Demonstrates Software Assurance Leadership

Tags: Cybersecurity, SAFECode