Establishing Trustworthy Software Supply Chains

ABSTRACT

This session will discuss the capabilities emerging across industry and government to assess and address the challenges to providing trustworthy supplies, suppliers, and services – the building blocks of our supply chains. Trust and trustworthiness of supply chains is at the center of many of the global security challenges confronting communities around the world, including U.S. government agencies and the thousands of commercial enterprises that support them or provide our critical infrastructure. The pandemic, utility ransomware attacks, the attack on SolarWinds, and the Ever Given brought supply chain security, resilience, and trustworthiness into sharpened focus to a broader audience, and highlighted the many inadequacies in today’s supply chains regarding timely access to reliable suppliers, software, and stocks of fuel, personal protective equipment, micro-electronics, medical devices, and food supplies, to name a few. At the same time, the computerization of everything has given rise to pervasive cyber threats for more and more of the capabilities and infrastructure we and our organizations rely upon to function – including those stemming from vulnerabilities inherent in repurposed software of often dubious provenance. Further complicating this landscape is the increasingly globalized nature of the technology in these systems and lack of provenance and pedigree transparency. Adversaries seek to inject themselves into every conceivable stage of technology development, supply, and support, for both disruptive and intelligence objectives.    

BIO

Robert A. Martin is a Senior Principal Software and Supply Chain Assurance Engineer at the MITRE Corporation has dedicated his career to solving some of the world’s most difficult problems in systems and software engineering. His work focuses on the interplay of risk management, cyber security, and quality assessment and assurance. For 22 years, Robert has applied his expertise to international cybersecurity initiatives such as CVE, CAPEC, and CWE, which host large active vendor and research communities, and has been recently focused on standardizing the Software Bill of Materials (SBOM) and how organizations think about supply chain security risks. Robert is frequently invited to speak on security, supply chain security, and quality issues pertaining to software-based technology systems and has published numerous articles and presentation. He also contributed to or authored over 42 standards within ITU-T, ETSI, OMG, The Open Group, UL, The Linux Foundation, and ISO, including the new ISO/IEC 5055 software standard for trustworthiness. Robert hosts quarterly meetings on software and supply chain assurance with over 300 participants from international, commercial, academic, and government communities. Prior to joining MITRE, Robert designed and installed manufacturing control systems in Area 2 of Kodak Park and performed software integration and porting projects for both RPI and General Electric. Robert holds degrees in electrical engineering from RPI and an MBA from Babson.