Secure Sourcing of COTS Software
October 11, 2023 @ 5:30 pm - 7:30 pm HST
Systems are built by integrating components upward from the lowest level of the supply chain to the finished, often highly complex, product. That upward integration process is a potential security weakness: without direct scrutiny or control by the OEM, malicious code or counterfeit parts can be surreptitiously inserted at the bottom of a multilevel or offshored build. Any malicious object inserted lower on the integration ladder will inevitably be carried into the end product. The SolarWinds compromise disclosed in December 2020, in which tampered code in the vendor's own build process was shipped to customers as a legitimate, signed product update, is the most recent prominent example.
The possibility of such a thing occurring is so obvious that you would expect practical efforts to address it. Yet, although a great deal of time and effort has gone into ensuring robust, efficient and defect-free code production, very little has been done to guard against compromises introduced during the integration process. The aim of this talk, then, is to outline the challenge of supply chain risk and to present a couple of potential solutions drawn from the automobile industry.
This is a hybrid event. The speaker will present remotely and hold a live Q&A session. Please register to help us manage the headcount and food.
Dr. Dan Shoemaker received a doctorate from the University of Michigan in 1978. He taught at Michigan State University and then moved to the Directorship of the information systems function for the Medical schools at MSU.
He held a joint teaching and department chair position at Mercy College of Detroit. When Mercy was consolidated with the University of Detroit in 1990, he moved to the Business School to chair its Department of Computer Information Systems (CIS). He attended the organizational roll-out of the discipline of software engineering at the Carnegie Mellon University Software Engineering Institute in the fall of 1987, and he was already teaching an SEI-based software engineering curriculum, which he established as a degree program separate from the MBA within the UDM College of Business Administration.
Dr. Shoemaker's specific areas of scholarship, publication and teaching were the process-based stages of the waterfall: specification, SQA and acceptance/sustainment. He was also a primary consultant in the Detroit area on the CMM/CMMI.
Dr. Shoemaker's transition into cybersecurity came as a result of the audit and compliance elements of that body of knowledge, as well as the long-established SQA/SCM elements of the UDM curriculum. UDM was designated the 39th Center of Academic Excellence by the NSA/DHS at West Point in 2004, and it has tried to stay on the leading edge of the architectural aspects of cybersecurity system design and implementation, as well as software assurance.
As a result of Dr. Shoemaker's associations with NSA/DHS and his interest in software assurance, he participated in the earliest meetings of the software assurance initiative. He was one of the three authors of the Common Body of Knowledge to Produce, Acquire and Sustain Software (2006), and he chaired the Workforce Education and Training committee from 2007 to 2010. He was Chair of Workforce Training and Education for the Software Assurance Initiative at DHS (2007-2012), and he was a subject matter expert for NICE (2009) and NICE II (2010-11) in the Securely Provision area. Dr. Shoemaker was also an SME for the CSEC2017 Human Security knowledge area.
He also published frequently on the DHS Build Security In website.
This exposure led to a grant to develop curricula for software assurance and to the founding of the Center for Cybersecurity, where he currently resides. The Center is a free-standing academic unit in the College of Liberal Arts, which is the administrative locus for research centers within UDM. Dr. Shoemaker's final significant grant was from the DoD to develop a curriculum, teaching materials and course material for Secure Acquisition (in conjunction with the Institute for Defense Analyses and the National Defense University). A book was subsequently published by CRC Press.