Non-Malicious Taint: Bad Hygiene Is as Dangerous to the Mission as Malicious IntentFebruary 2014
Topics: Cybersecurity, Aquisition Management, Computer Security, Information Security Risk Management, Software (General)
Success of the mission should be the focus of software and supply chain assurance activities, regardless of what activity produces the risk. It does not matter if a malicious saboteur is the cause. It does not matter if it is malicious logic inserted at the factory or inserted through an update after fielding. It does not matter if it comes from an error in judgment or from a failure to understand how an attacker could exploit a software feature. Issues from bad software hygiene, like inadvertent coding flaws or weak architectural constructs are as dangerous to the mission as malicious acts. Enormous energies are put into hygiene and quality in the medical and food industries to address any source of taint. Similar energies need to be applied to software and hardware. Until both malicious and non-malicious aspects of taint can be dealt with in ways that are visible and verifiable there will be a continued lack of confidence and assurance in the delivered capabilities throughout their life-cycle.