Software SCRM during Delivery (Handover)

Question 1

Chain of Custody controlling

Answer 1

It means that each change to the software and handoff is authorized, transparent and verifiable.

Question 2

Chain of Custody - Authorized

Answer 2

The modification to the software is requested and permission to change the software is given in writing.

Question 3

Chain of Custody - Transparent

Answer 3

The requestor of the change and the entity that is making the change knows about the change being made. In other words, no hidden or unknown changes are being made to the software.

Question 4

Chain of Custody - Verifiable

Answer 4

The change that is made to the software can be attested against the request for the change and that no unauthorized or unrequested changes are made.

Question 5

How Secure Transfer can be achieved?

Answer 5

Protection in transit can be achieved using session encryption and end-to-end authentication. Not only
should the software code be protected but the contents being transmitted should be as well.

Question 6

Which encrypty technology can be used to protect during transmission of data?

Answer 6

In the transport layer (e.g., TLS, SSL) or network layer (e.g., IPSec) is advised.

Question 7

What is code escrow?

Answer 7

The activity of having a copy of the source code of the implemented software in the custody of a mutually agreed upon neutral third party known as the escrow agency or party.

Question 8

There are three parties involved in an escrow relationship:

Answer 8

The acquirer (licensee or purchaser), the publisher
(licensor or seller or supplier), and the escrow agency,

Question 9

ORR

Answer 9

Operational Readiness Reviews (ORR) include configuring the software to be operational ready and resilient to hacker threats, establishing applicable perimeter defense controls and ensuring the security of the software during integration of systems including the validation of reused code components, interfaces and interdependencies.

Question 10

What Secure Configuration means?

Answer 10

Software must be configured to be secure by default and secure in deployment.

Question 11

When the software is secure by default, it means that:

Answer 11

The installation of the software can be performed without any additional configuration changes needed to secure the software.

Question 12

SCAP

Answer 12

Security Content Automation Protocol.

Question 13

Perimeter (Network) Security Controls - Perimeter defense controls continue to be necessary in a software supply chain. Which security controls should be in place.

Answer 13

Unauthorized individuals are cannot tap into a supplier’s network and tamper the software. So, firewalls, secure communications protocols, and
session management come in handy.

Question 14

System-of-Systems (SoS) Security - risk of a security breach to all SoS participants. Which are the security concerns?

Answer 14

Weaknesses in code and lack of security controls and secure configurations in any of the software products and services.

Question 15

Operations and maintenance (sustainment) supply chain risk management includes.

Answer 15

Assuring reliable functioning (integrity) of the software when it is operational. It also includes patching and upgrades, termination access controls, custom code extension checks, continuous monitoring and incident management.

Question 16

How to ensure Runtime Integrity Assurance

Answer 16

Code signing (integrity) provides runtime permissions to the code at runtime; Trusted Platform Module (TPM) augments runtime integrity by assuring the authenticity of both hardware and software components.

Question 17

What is a weakness in the TPM?

Answer 17

If the code is not signed, the TPM checks for authenticity may not be effective as expected.

Question 18

How to ensure that the software can continue to function reliably with acceptable resilience and recoverability?

Answer 18

Discovered vulnerabilities must be tracked, managed

and resolved as quickly as possible.

Question 19

One of the most overlooked security issues in the supply chain is the correct implementation of.

Answer 19

Termination access controls.

Question 20

Lack of termination access control protection can be avoid through.

Answer 20

A appropriate termination access control protection such as development staff should be revoked of any access to the software if they are terminated or if they change roles that do not require them to have continued access.

Question 21

The primary objective of continuous monitoring activities is.

Answer 21

Periodic testing and evaluation of the software supply chain’s products, processes, and people involved, is necessary to provide insight into the effectiveness of security controls that are planned, designed, implemented, deployed or inherited.

Question 22

Useful activities to monitor the software and operational environment in a supply chain.

Answer 22

Scanning (vulnerability, network, operating systems),

penetration testing, and intrusion detection systems.