SECURE SOURCING OF COMMERCIAL OFF-THE-SHELF (COTS) PRODUCTS
Dr. Dan Shoemaker of University of Detroit Mercy Topic: Secure Sourcing of COTS ProductsSECURE SOURCING OF COMMERCIAL OFF-THE-SHELF (COTS) PRODUCTS Systems are built out of components that are integrated from the lowest level of a supply chain up to a finished product. This creates a serious weakness in that malicious code, or counterfeit parts can be inserted at the bottom of the process without scrutiny and then integrated up into the end-product, as was demonstrated by the recent SolarWinds hack. The possibility of such a thing occurring is so obvious that you would think that there have been practical efforts to address it. However, even though we’ve expended much time and effort to ensure robust, efficient and defect free code, we have done very little to ensure against compromises that could occur during the integration process. Thus, the aim of this talk will be to outline the challenge of supply chain risk, as well as present a couple of potential solutions. Biography: Dr. Dan Shoemaker received a doctorate from the University of Michigan in 1978. He taught at Michigan State University and then moved to the Directorship of the information systems function for the Medical schools at MSU. He held a joint teaching and Department Chair position at Mercy College of Detroit. When Mercy was consolidated with the University of Detroit in 1990 he moved to the Business School to Chair their Department of Computer Information Systems (CIS). He attended the organizational roll-out of the discipline of software engineering at the Carnegie-Mellon University Software Engineering Institute in the fall of 1987, and he was already teaching a SEI based software engineering curriculum, which he established as a separate degree program to the MBA within the UDM College of Business Administration. Dr. Shoemaker’s specific areas of scholarship, publication and teaching were the process based stages of the waterfall; specification, SQA and acceptance/sustainment. He was also a primary consultant in the Detroit area on the CMM/CMMI. Dr. Shoemaker’s transition into cybersecurity came as a result of the audit and compliance elements of that body of knowledge, as well as the long established SQA/SCM elements of their curriculum. They were designated the 39th Center of Academic Excellence by the NSA/DHS at West Point in 2004, and they have tried to stay on the leading edge in the architectural aspects of cybersecurity system design and implementation as well as software assurance. As a result of Dr. Shoemaker’s associations with NSA/DHS and his interest in software assurance, he participated in the earliest meetings of the software assurance initiative. He was one of the three authors of the Common Body of Knowledge to Produce, Acquire and Sustain Software (2006), and he Chaired the Workforce Education and Training committee from 2007-2010. He was Chair of Workforce Training and Education for the Software Assurance Initiative at DHS (2007-2012), and he was a subject matter expert for NICE (2009 and NICE II – 2010-11), Securely Provision. Dr. Shoemaker was also an SME for the CSEC2017 (Human Security). He also published frequently in the Build-Security-In website. This exposure led to a grant to develop curricula for software assurance and the founding of the Center for Cybersecurity where he currently resides. The Center is a free-standing academic unit in the College of Liberal Arts, which is the administrative locus for Research Centers within UDM. Dr. Shoemaker’s final significant grant was from the DoD to develop a curriculum and teaching and course material for Secure Acquisition (in conjunction with the Institute for Defense Analysis and the National Defense University). A book was subsequently published by CRC press. Email: [email protected] Agenda 6:00 - 6:05 PM Introduction - Dr. Alvin Chin, Chair of IEEE Computer Society Chicago and Dr. Ping-Tsai Chung, Chair of IEEE Computer Society New York 6:05 - 6:45 PM Presentation - Dan Shoemaker, University of Detroit Mercy 6:45 - 6:55 PM Q&A 6:55 - 7:00 PM Conclusions and Adjournment