
Sharing Software Trust Declarations via the SAG Community Trust Registry

Image credit: US DOD
Richard Brooks, Co-Founder and Lead Software Engineer, Reliable Energy Analytics LLC

Dick Brooks is the inventor of patent 11,374,961: METHODS FOR VERIFICATION OF SOFTWARE OBJECT AUTHENTICITY AND INTEGRITY and the Software Assurance Guardian™ (SAG ™) Point Man™ (SAG-PM™) software...

Jan 1, 2023

The sharing of cybersecurity information is one of the most effective defensive measures software consumers can take to thwart hacker attacks. This past week REA has been working to open up the Software Assurance Guardian Community Trust Registry™ (SAG-CTR™) for public access. We are happy to announce a successful deployment that will improve software consumers' transparency into the trustworthiness of software apps in app stores and other software products available on the Internet. REA is pleased to provide this free public service to help software consumers assess the trustworthiness of software before any attempt to install it on a device.

This means that anyone can check the Trust Score (SAGScore™) for software apps in app stores, commercial products and open-source software products before installing or procuring a software product. The database of “Trusted Software” products registered in SAG-CTR™ is quite sparse at the moment, but this will improve over time as more people submit “Trust Declarations” for inclusion in the SAG-CTR™ database. The SAG-CTR concept described in this article implements the NIST consumer software labeling recommendations.

The term “Declaration” is defined as follows: “a formal or explicit statement or announcement.”

A “Trust Declaration”, as used in the SAG-CTR™ context, is defined as “a formal statement expressing some degree of trust in a software product or artifact”. The degree of trust in a “Trust Declaration” is expressed using a score from 0 to 100, called a SAGScore. A SAGScore of 0 means there is no trust in a software product, while a SAGScore of 100 means complete trust. Most software products have a SAGScore above 0 and below 100. A SAGScore is conceptually similar to a FICO Score, with criteria and methods specific to measuring software supply chain risks. The higher the SAGScore, the higher the degree of trust in a software product.

The two most common “Trust Declaration Types” listed in the SAG-CTR™ are “Trusted Software”, the “strongest” type of trust declaration a party can make, and “SAGScore”, a trust declaration that is simply a registration listing the SAGScore for a software product. At this time, only “Trusted Software” trust declarations are being accepted into SAG-CTR™. SAGScore™ trust declarations will be supported in the near future.

Parties that wish to supply “Trust Declarations” for insertion into SAG-CTR™ must first perform a software risk assessment on the software app or product using the SAG-PM™ application. This produces a SAGScore™ along with the evidence data generated by the risk assessment, which is what the SAGScore™ is calculated from. A party indicates the type of trust declaration they wish to make (“Trusted Software” or “SAGScore”) in the comments section of the “Final Grade” section of the evidence data before submitting their trust declaration request and evidence data to REA for inclusion in the SAG-CTR™. At this time, only “Trusted Software” trust declarations are being accepted into SAG-CTR™.

The SAG-CTR™ Gatekeeper, REA, processes each submitted trust declaration request to determine whether the evidence data submitted with the request supports the type of trust declaration the party is requesting to have inserted into SAG-CTR™. Presently only “Trusted Software”, the strongest form of trust declaration, is being accepted into the SAG-CTR™ database. SAGScore trust declarations will be supported in the near future. More details describing SAG-CTR operations can be found in this NIST filing on consumer software labeling.

So, when a member of the public wants to know “Is this software app trustworthy before installing it on a device?”, they can check the SAG-CTR™ for “Trusted Software” declarations using a free-to-use three-line PowerShell script, and receive a trust score, SAGScore™, for the software in question. At present the SAG-CTR™ database is sparsely populated, so many products will report a SAGScore™ of 0. This will improve over time as more parties register their trust declarations for software products. The submission of a “Trust Declaration” is one of the many ways the cybersecurity community can share important information with the public about the trustworthiness of software available on the Internet and in app stores.

Small and medium businesses (SMBs) that lack cybersecurity staff with the skills to conduct a comprehensive software supply chain risk assessment can benefit from parties that have this expertise and are willing to share their calculated Trust Score results in SAG-CTR. This helps the entire community take cost-effective steps to prevent harmful software from being installed, by leveraging the good work of experts working on software risk assessments. A simple query to SAG-CTR can inform an SMB enterprise of software risk without costly investments in the staff and tools needed to perform its own risk assessment.

Here is a copy of the PowerShell script I used to check the SAGScore on the latest JRE, after downloading the latest Windows 10 64-bit JRE into my Downloads folder:

# Hash the downloaded installer (Get-FileHash defaults to SHA256)
$hash = Get-FileHash Downloads\jre-8u351-windows-x64.exe
# Build the SAG-CTR inquiry URL keyed on that hash
$url = "https://softwareassuranceguardian.com/SAGCTR_inquiry/getSAGScore?FileHash=" + $hash.Hash
# Open the inquiry in the default browser to display the SAGScore
Start-Process -FilePath $url

NOTE: Some people have asked why the JRE SAGScore is so low. The score is calculated based on the NIST SP 800-161 Supply Chain Risk Management Standard. The following issues caused the low SAGScore:

- Digital Signature does not match Supplier Name listed in the software package

- No SBOM is available

- No NIST Vulnerability Disclosure Report (VDR) is available

- No SSDF attestation is available
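As an added example (not code from the post or from REA), the following PowerShell builds on the three-line script above: it queries the SAG-CTR inquiry endpoint from within the script instead of opening a browser, and adds a local Authenticode check for the first issue in the list, whether the code-signing certificate actually names the supplier the package claims. The installer path, the expected supplier name and the treatment of the SAG-CTR response as opaque text are assumptions, since the response format is not documented in the post.

```powershell
# Added example, not part of the original post. Pre-install check in the spirit of the
# SAG-CTR lookup: hash the installer, query SAG-CTR for its SAGScore, and verify locally
# that the Authenticode signer matches the supplier you expect.
# Assumptions: $InstallerPath and $ExpectedSigner are supplied by you; the SAG-CTR response
# is printed as plain text because its format is not described in the post.
param(
    [string]$InstallerPath  = "$HOME\Downloads\jre-8u351-windows-x64.exe",
    [string]$ExpectedSigner = "CN=Expected Supplier Name"   # placeholder, not a real subject
)

# 1. Hash the file exactly as the three-line script does (SHA256 is the default).
$hash = Get-FileHash -Path $InstallerPath -Algorithm SHA256

# 2. Ask SAG-CTR for the SAGScore registered under that hash; a 0 means no declaration yet.
$url = "https://softwareassuranceguardian.com/SAGCTR_inquiry/getSAGScore?FileHash=" + $hash.Hash
try {
    $response = Invoke-WebRequest -Uri $url -UseBasicParsing
    Write-Host "SAG-CTR response for $($hash.Hash):"
    Write-Host $response.Content
} catch {
    Write-Warning "SAG-CTR lookup failed: $($_.Exception.Message)"
}

# 3. Local check for the first issue the post lists: does the signing certificate's
#    subject name the supplier whose software this claims to be?
$sig = Get-AuthenticodeSignature -FilePath $InstallerPath
if ($sig.Status -ne 'Valid') {
    Write-Warning "Authenticode status is '$($sig.Status)'; do not treat this file as trusted."
} elseif ($sig.SignerCertificate.Subject -notlike "*$ExpectedSigner*") {
    Write-Warning "Signer '$($sig.SignerCertificate.Subject)' does not match expected supplier '$ExpectedSigner'."
} else {
    Write-Host "Signature valid and signer matches: $($sig.SignerCertificate.Subject)"
}
```

Run it as a .ps1 with `-InstallerPath` and `-ExpectedSigner` set for the package you downloaded; a low or zero SAGScore together with a signer mismatch is the combination the post's JRE example illustrates.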

Happy New Year.
