

A Momentous Day for Consumer Visibility into Software Trust and SBOM Adoption

Co-Founder and Lead Software Engineer, Reliable Energy Analytics LLC

Dick Brooks is the inventor of patent 11,374,961: METHODS FOR VERIFICATION OF SOFTWARE OBJECT AUTHENTICITY AND INTEGRITY and the Software Assurance Guardian™ (SAG ™) Point Man™ (SAG-PM™) software...

  • Jul 30, 2022

[UPDATE 10/31/2022] The SCITT Use Cases have been officially published in preparation for the IETF meeting in London.

On July 28, 2022, the Internet Engineering Task Force (IETF) took the first step in committing to create standards that will give consumers visibility into software trustworthiness. The new initiative is called Supply Chain Integrity, Transparency and Trust (SCITT) and its work begins on August 1, 2022. The problem statement that the initiative is being set up to address reads as follows:

Software is an inherent part of everyday digitally-enabled life, from smartphones to IoT to datacenters. Widely discussed attacks on the software supply chain have helped raise awareness of the risks.

Many other vulnerabilities highlight the need for greater visibility into supply chain integrity, transparency, and trust to make an informed decision.

Use Case:

Software Supply Chain focusing on SBOM as evidence to a claim

The proposed charter that will define the scope of work for this IETF initiative is still undergoing some minor changes, but this should be completed shortly. The meeting scheduled for 8/1/2022 should give the group an opportunity to reach a consensus on the SCITT Charter.

There are several reasons why this IETF SCITT initiative is an imperative now, but perhaps the most compelling driver was provided by the May 12, 2021 Cybersecurity Executive Order 14028, which states:

the Secretary of Commerce acting through the Director of NIST, in coordination with the Chair of the FTC and representatives from other agencies as the Director of NIST deems appropriate, shall identify secure software development practices or criteria for a consumer software labeling program, and shall consider whether such a consumer software labeling program may be operated in conjunction with or modeled after any similar existing government programs, consistent with applicable law. The criteria shall reflect a baseline level of secure practices, and if practicable, shall reflect increasingly comprehensive levels of testing and assessment that a product may have undergone. The Director of NIST shall examine all relevant information, labeling, and incentive programs, employ best practices, and identify, modify, or develop a recommended label or, if practicable, a tiered software security rating system. This review shall focus on ease of use for consumers and a determination of what measures can be taken to maximize participation

On February 4, 2022, NIST published guidance and recommendations to implement a labeling program for consumer software in order to meet the Executive Order requirements for consumer software labeling. At the time of this writing, I am not aware of any government initiatives to foster the development of a consumer labeling program for commercial or open-source software products. Recently, meetings have been hosted at the White House to discuss the need for greater visibility into open-source software, but I’m not aware of any government initiatives to address the need for greater visibility into the trustworthiness of commercial consumer software products. The opportunity exists now to create a “trust” labeling program for consumers to provide visibility into the trustworthiness of applications sold and installed from the many app stores in operation today from companies such as Apple, Google, Microsoft, Amazon and others. Collectively, these app stores represent the largest software distribution channel on the planet for consumer software used on smart devices, i.e., smartphones, tablets, game consoles and other devices that are able to download and install software from an Internet location. There is no doubt that consumers want visibility into a software application’s trustworthiness before buying and installing an app, but there is a big problem today: there is no widely adopted standard method to communicate the trustworthiness of apps across all app stores that a consumer could use to compare the trustworthiness of an app before installing it on a device.

The IETF SCITT initiative could, potentially, provide the forum to reach broad adoption of technical standards that will provide software consumers the visibility they need to determine the trustworthiness of commercial and open-source software before buying and installing an application, in alignment with NIST recommendations, guidelines and criteria for software trustworthiness and consumer software labeling.

I encourage parties interested in this very important work to engage in the IETF SCITT initiative by signing up to receive SCITT communications on this site:

I’m looking forward to seeing your contributions on the IETF SCITT mailing list and in working collaboratively on a solution for consumer visibility into software trust.

Never trust software, always verify and report!™

Matt Chester on Aug 1, 2022

Appreciate you always keeping our community up to date on this, Dick. Seems like a major breakthrough that's long been fought for!

Richard Brooks on Aug 1, 2022

Thanks, Matt. This is indeed a step forward toward achieving NIST's Cybersecurity vision for consumer software labeling to provide visibility into the trustworthiness of software. Honestly, I was a bit surprised that the existing entities that provide "trust declarations", like FICO for credit scoring and credit rating agencies weren't at the table. This could be a whole new opportunity for them to provide "trust scores" for software, following NIST recommendations and the Federal Government requirements for consumer software cybersecurity labeling.
