Software Acquisition and the Supply Chain Flashcards

1
Q

Acquisition Lifecycle phases

A

Planning, contracting, development & testing, acceptance, delivery, deployment (installation), operations & monitoring (transitioning), and retirement.

2
Q

Secure transfer involves

A

The protection of the delivery channels and processes so that the software is not only free from tampering but also authentic in its origin when it is transitioned from one supplier to another or to the acquirer. It takes place in the delivery phase of the acquisition lifecycle.

3
Q

The software can be acquired in one or more of the following ways:

A

Direct purchase, Original Equipment Manufacturer (OEM) licensing, partnering (alliance) with the software vendor, outsourcing, and managed services.

4
Q

Software provenance is when

A

Software is handed over from one supplier to another; the responsibility for protecting the software shifts as well.

5
Q

What is the primary instrument by which managed services are procured, delivered and enforced?

A

Service Level Agreements (SLAs).

6
Q

Predictable execution ensures

A

The software demonstrates justifiable confidence that it functions reliably as expected.

7
Q

Each entity of the supply chain assures the primary goal of predictable execution and minimizes the risk of a security breach by meeting the

A

Goals of conformance, trustworthiness, and authenticity.

8
Q

Conformance ensures

A

The software is planned and undergoes a systematic set of activities to conform to the requirement specifications, standards and best practices.

9
Q

Trustworthiness ensures

A

The software does not have vulnerabilities that are maliciously or accidentally introduced into the code. In other words, the software functions reliably, assuring trust.

10
Q

Authenticity ensures

A

The materials used in the production of the software are not counterfeited, pirated or in violation of any intellectual property rights.

11
Q

How is the goal of predictable execution (integrity) achieved?

A

When software meets the goals of conformance, trustworthiness, and authenticity.

12
Q

The most potent and predominant threat in the software supply chain is

A

Tampering with software to introduce malicious software (malware) into the code, during or after the development of the software.

13
Q

In the software supply chain, which threats are possible against the product (software or service)?

A

Tampering with the code to circumvent existing security controls; unauthorized disclosure, alteration, corruption, and/or deletion/destruction of data; diversion and/or re-routing of data causing disruptions and delays; code sabotage by intentionally implanting vulnerabilities and malicious logic; counterfeiting by substitution of legitimate products and/or data with similar but bogus ones; piracy and theft of intellectual property rights by reverse engineering executable code.

14
Q

In the software supply chain, which threats are possible against the processes and flows?

A

Bypass of legitimate flows and surreptitious diversion of legitimate channels to pirated ones; insecure code transfer that does not maintain chain of custody; violation of export control requirements; improper configuration of software allowing undocumented modifications and operational misuse.

15
Q

In the software supply chain, which threats are possible against the people?

A

Undetected placement of a malicious threat agent (hacker, criminal, adversary) inside the company (e.g. an insider); social engineering of insiders to commit fraud or perjury (i.e., subornation); concerns related to Foreign Ownership, Control or Influence (FOCI). These concerns range from nation-state sponsored hackers to individuals who are willing to commit nefarious acts because of their affinity to hostile countries.

16
Q

SCRM

A

Software Supply Chain Risk Management.

17
Q

Managing risks in the software supply chain includes

A

The management of the risk arising from the supplier itself and their software development and delivery processes.

18
Q

Software supply chain risk management begins with rigorous processes performed initially to identify and analyze software assurance risks, followed by

A

Validation and verification of contractual and technical controls prior to acquisition. It is extended after acquisition by continuous assessment of software risks until the ultimate decommissioning of the software code and related components, and the disposal of associated data.

19
Q

Software supply chain controls must at the bare minimum demonstrate the following security principles

A

Least Privilege; Separation of Duties; Location Agnostic Protection (persistent protection); Code Inspection; Tamper Resistance and Evidence; Chain of Custody.

20
Q

Separation of Duties addresses the security concerns of

A

Tampering, unilateral control, collusion and fraud.

21
Q

What is the ‘subcontracting work-for-hire’ relationship?

A

The acquirer subcontracts the development of the software to other suppliers; the acquirer owns the software delivered.

22
Q

What is the ‘staff augmentation work-for-hire’ relationship?

A

Acquirers can work collaboratively with staff from other suppliers augmenting their own.

23
Q

What is the ‘arm’s length licensing’ relationship?

A

Acquirers can license software from another supplier or obtain the software from open source software (OSS) repositories.

24
Q

Supplier risk management begins with

A

The sourcing of suppliers, and takes into account the intellectual property ownership and responsibilities involved when acquiring software and services from a supplier.

25
Q

Several common SLA metrics categories

A

Performance; Disaster Recovery and Business Continuity; Issues Management; Incident Response; Vulnerability Management (Patch and Release Cycle).

26
Q

Collect input on vulnerabilities from varied sources such as

A

Vulnerability databases (e.g., OWASP Top 10, NVDB, OSVDB etc.), bug tracking lists, researchers and customers.

27
Q

A supplier’s organization shall be evaluated on the following aspects

A

Past Performance in Supporting Other Customers; Personnel Security Knowledge, Experience and Training; Security Development Lifecycle Processes; Security Track Record (Vulnerability/Patch Management Processes); Response Evaluation (RFP, RFI).

28
Q

What is a state of security of the system?

A

An installation of your software in a client system may require a certain configuration of the host operating system. Such configuration settings have been known to put the client system in a state of compromise.

29
Q

Disclaimers

A

They provide software companies with legal protection from liability claims or lawsuits that are unforeseen.

30
Q

WIPO

A

The World Intellectual Property Organization (WIPO) defines IP as the creations of the mind.

31
Q

Why do we need to protect IP?

A

Protection of the IP is necessary to ensure that the owner of the software does not lose their creative works and/or competitive advantage.

32
Q

How is software-related intellectual property organized?

A

Industrial Property (Innovative and Fair Competition) and Copyright (Literary & Artistic).

33
Q

Industrial property can be categorized into

A

Innovation, design and creation of technology (e.g., inventions and trade secrets); and fair competition, which protects consumers by giving them the ability to distinguish one product or service from another and make informed decisions (e.g., trademarks).

34
Q

Copyright is used to

A

Protect authors of literary and artistic works; software programs and services are classified under this category.

35
Q

Patents

A

Protect an invention by exclusively granting rights to the owner of a novel, useful, and non-obvious idea that offers a new way of doing something or solving a problem.

36
Q

Trade secret

A

It is inclusive of any confidential business information that provides a company with a competitive advantage, e.g. a design, formula, instrument, method, pattern or practice, etc.

37
Q

Trademarks

A

Distinctive signs that can be used to identify the manufacturer uniquely from others who produce a similar product. When this is for a service, it is referred to as a service mark.

38
Q

Copyright

A

It protects the expression of an idea. It gives rights to the creator of literary and artistic works. It includes the protection of technical drawings, such as software design and architecture specifications, that express the solution concept.

39
Q

Software license

A

A legal instrument that governs the use and/or redistribution of software.

40
Q

Byte patching attack

A

Changing the program's instructions at the byte level and repacking the software program can be used to invalidate and bypass license and expiration date checks easily.

41
Q

Software licenses can be primarily grouped into

A

Closed source (source code is not available) and open source.

42
Q

EULA

A

End user licensing agreement.