
Supply chain concerns. #11

Open
sei-vsarvepalli opened this issue Jul 14, 2023 · 2 comments
Labels
enhancement New feature or request

Comments

@sei-vsarvepalli

sei-vsarvepalli commented Jul 14, 2023

Is your feature request related to a problem? Please describe.
No

Describe the solution you'd like
We should highlight some of the supply-chain CVD processes and concerned areas.

Describe alternatives you've considered
There may just be a potential link to Supply-Chain Disclosure, if there is such a generic thing. In this context, Disclosure could refer not just to a Vulnerability but to any other incident that supply-chain stakeholders should communicate to each other for reliable usage of products/services.

Additional context
Recent cybersecurity incidents and US National Cybersecurity Strategy have highlighted supply-chain concerns. We need to consider and perhaps expand more of the Vertical and Horizontal supply-chain concerns. The current supply chain concerns are mentioned in

We could add a bit more information on how the CVD process should inherently observe and adopt the supply chain for OEMs and their relationships to OCMs (Original Component Manufacturers) and multi-level OCM providers. Concerns such as the OCM being an open source project: how does supply-chain CVD work, and how does disclosure ripple from OEM to OCM or the other way around?

@sei-vsarvepalli sei-vsarvepalli added the enhancement New feature or request label Jul 14, 2023
@ahouseholder
Collaborator

What would you add to https://certcc.github.io/CERT-Guide-to-CVD/howto/coordination/mpcvd/#complicated-supply-chains to make it better?

(If it gets big enough we can split it into a separate page, I just don't know what we'd want to add/change based on what we already have.)

@sei-vsarvepalli
Author

I would really like to enumerate some of these practical multiparty concerns in a little more detail if possible. Perhaps with input from Coordinators?

  1. Embargo date (related publication/release) management in MPCVD
  2. Variance (not statistical but plain English) of impact
  3. Variance of fixes and their deployments
  4. The need for an alliance/agreement among the Vendors where one may not have existed (e.g., opensource and commercial or commercial to commercial)
  5. Potential inter-vendor conversations not known to other Vendors and the Coordinator himself.
  6. Expectation mismatch between the Finder and multiple Vendors

Some of these may not have any solutions, but they will help the Coordinator set expectations and adhere to some communication and outreach techniques that reduce the risk of MPCVD going awry.

I think as software grows the reuse of software is also likely to grow. The MPCVD is an unavoidable "wicked problem" indeed with parties that are loosely connected and benevolence is the only card to play.
