The sharing of cybersecurity information is one of the most effective defensive measures software consumers can take to thwart hacker attacks. This past week REA has been working to open up the Software Assurance Guardian Community Trust Registry ™, SAG-CTR ™ for public access. We are happy to announce a successful deployment that will improve software consumer transparency into the trustworthiness of software apps in app stores and other software products available on the Internet. REA is pleased to provide this free public service to help software consumers identify the trustworthiness of software before any attempt to install in a device.
This means that anyone can check the Trust Score (SAGScore™) for software apps in app stores, commercial products and open-source software products before installing or procuring a software product. Within SAG-CTR™, Trust Scores can also exist for APIs used on the Internet. The database of “Trusted Software” products registered in SAG-CTR™ is quite sparse at the moment, but this will improve over time as more people submit “Trust Declarations” for inclusion in the SAG-CTR™ database. The SAG-CTR™ concept described in this article implements the NIST consumer software labeling recommendations. SAG-CTR already supports other cybersecurity label types, such as the EU CE mark and the U.S. Cyber Trust Mark; however, both of these “Label Types” will need a more explicit definition before a consumer lookup for them is implemented in SAG-CTR.
The term “Declaration” is defined as follows: “a formal or explicit statement or announcement.”
A “Trust Declaration”, as used in the SAG-CTR™ context, is defined as “a formal statement expressing some degree of trust in a software object or artifact”. The degree of trust in a “Trust Declaration” is expressed using a trust score from 0 to 100, called a SAGScore™. A SAGScore™ of 0 means there is no trust in a software product, and a SAGScore™ of 100 means complete trust. Most software products have a SAGScore™ above 0 and below 100. A SAGScore™ is conceptually similar to a FICO Score, with criteria and methods specific to measuring software supply chain risks to determine trustworthiness. The higher the SAGScore™, the higher the degree of trust in a software product.
The two most common “Trust Declaration Types” listed in the SAG-CTR™ are “SAG-PM Trusted Software”, the strongest type of trust declaration a party can make, and “SAGScore”, a trust declaration that is simply a registration listing the SAGScore™ for a software product. At this time, only “Trusted Software” trust declarations are being accepted into SAG-CTR™. SAGScore™ trust declarations will be supported in the near future.
Parties that wish to supply “Trust Declarations” for insertion into SAG-CTR™ must first perform a software risk assessment using the SAG-PM™ application on a software app or product. This will produce a SAGScore™ along with evidence data generated by the risk assessment that is used to calculate the SAGScore™. A party indicates the type of trust declaration they wish to make (“Trusted Software” or “SAGScore”) within the comments section of the “Final Grade” section of the evidence data before they submit their trust declaration request and evidence data to REA for inclusion in the SAG-CTR™. At this time, only “Trusted Software” trust declarations are being accepted into SAG-CTR™.
The SAG-CTR™ Gatekeeper, REA, processes each submitted trust declaration request to determine if the evidence data submitted with the trust declaration request supports the type of trust declaration that a party is requesting to be inserted into SAG-CTR™. Presently only “Trusted Software”, the strongest form of trust declaration, is being accepted into the SAG-CTR™ database. SAGScore trust declarations will be supported in the near future. More details describing SAG-CTR operations can be found in this NIST filing on consumer software labeling.
So, when a member of the public wants to know “Is this software app trustworthy before installing in a device?”, they can check the SAG-CTR™ for “Trusted Software” declarations using a free three-line PowerShell script and receive a trust score, SAGScore™, for the software in question. At present the SAG-CTR™ database is sparsely populated, so many products will report a SAGScore™ of 0. This will improve over time as more parties register their trust declarations for software products. The submission of a “Trust Declaration” is one of the many ways the cybersecurity community can share important information with the public about the trustworthiness of software available on the Internet and in app stores.
Small and medium businesses (SMBs) that lack cybersecurity staff with the skills to conduct a comprehensive software supply chain risk assessment can benefit from those parties that have this expertise and are willing to share their calculated Trust Score results in SAG-CTR. This helps the entire community take cost-effective steps to prevent harmful software from being installed, by leveraging the good work of experts working on software risk assessments. A simple query to SAG-CTR can inform an SMB enterprise of software risk without costly investments in the staff and tools needed to perform its own risk assessment.
Here is a copy of the PowerShell script I used to check the SAGScore on the latest JRE, after downloading the latest Windows 10 64-bit JRE into my Downloads folder:
# Hash the downloaded installer (Get-FileHash uses SHA256 by default); path is relative to the current directory
$hash = Get-FileHash Downloads\jre-8u351-windows-x64.exe
# SAG-CTR is queried by file hash, so append the hex digest to the inquiry URL
$url = "https://softwareassuranceguardian.com/SAGCTR_inquiry/getSAGScore?FileHash=" + $hash.Hash
# Open the inquiry URL in the default browser to display the SAGScore
Start-Process -FilePath $url
NOTE: Some people have asked why the JRE SAGScore is so low. This score is calculated based on the NIST SP 800-161 Supply Chain Risk Management Standard. The following issues caused the low SAGScore:
- Digital Signature does not match Supplier Name listed in the software package
- No SBOM is available
- No NIST Vulnerability Disclosure Report (VDR) is available
- No SSDF attestation is available
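As an added example (not REA's script), the following PowerShell extends the three-line lookup above with a local check for the first issue in the list: it hashes the package, builds the SAG-CTR inquiry URL from the page, compares the Authenticode signer with the supplier name the package itself claims, and then fetches the SAG-CTR response. The page does not document the response format, so the body is shown raw rather than parsed; all variable names are this example's own.

```powershell
# Added example: hardened SAG-CTR lookup plus a local signer-vs-supplier check (not REA's code).
param([Parameter(Mandatory = $true)][string]$Path)

if (-not (Test-Path -LiteralPath $Path -PathType Leaf)) { throw "File not found: $Path" }

# 1. Hash the package; SAG-CTR is keyed on the SHA-256 of the file (stated explicitly here).
$hash = (Get-FileHash -LiteralPath $Path -Algorithm SHA256).Hash
$url  = "https://softwareassuranceguardian.com/SAGCTR_inquiry/getSAGScore?FileHash=$hash"
Write-Host "SHA256 : $hash"
Write-Host "Lookup : $url"

# 2. Authenticode signature: overall status and the certificate that signed the file.
$sig = Get-AuthenticodeSignature -LiteralPath $Path
Write-Host "Signature status : $($sig.Status)"
if ($sig.Status -ne 'Valid') {
    Write-Warning "Signature is not valid ($($sig.Status)); the supplier name inside the package cannot be relied on."
}

# 3. Compare the signer's CN with the CompanyName the package claims in its version resource.
$claimed  = (Get-Item -LiteralPath $Path).VersionInfo.CompanyName
$signer   = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
$signerCN = if ($signer -match 'CN=([^,]+)') { $Matches[1].Trim('"') } else { '' }
Write-Host "Claimed supplier : $claimed"
Write-Host "Signing subject  : $signerCN"

# Loose match: the signer CN should contain the claimed company name, or vice versa.
$match = $claimed -and $signerCN -and
         ($signerCN -like "*$claimed*" -or $claimed -like "*$signerCN*")
if (-not $match) {
    Write-Warning "Signer does not match the supplier name listed in the package (one of the issues that lowers a SAGScore)."
}

# 4. Fetch the SAGScore. The response format is not documented on the page (assumption), so the
#    raw body is printed and the install decision is left to the reviewer. A 0 can simply mean
#    that no trust declaration has been registered yet for this hash.
try {
    $body = (Invoke-WebRequest -Uri $url -UseBasicParsing -TimeoutSec 30).Content
    Write-Host "SAG-CTR response : $body"
} catch {
    Write-Warning "SAG-CTR lookup failed: $($_.Exception.Message)"
}
```

Run it as `.\Check-SagScore.ps1 -Path .\Downloads\jre-8u351-windows-x64.exe` (script name is this example's choice); the signer comparison is a heuristic, so a warning is a prompt to look closer, not a verdict.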
Happy New Year.