12.07.2015 Views

201305.pdf 43279KB May 08 2013 11:07:04 PM


supply chain
Linking design and resources

Software supply chain’s soft underbelly

With all the attention on counterfeit electronic components, it’s easy to overlook the vulnerabilities of other supply chains in the computing industry. A recent Gartner report (http://gtnr.it/14hObdi) calls attention to the importance of investigating the supply chains of software, services, and even data. The report warns that the “IT supply chain” has become alarmingly insecure.

One example the report cites is the admission in May 2012 by Chinese mobile-phone maker ZTE that one model of its Android phone had a backdoor installed in its software. The backdoor, which was found only in smartphones shipped to the United States, allowed installation of arbitrary applications and full access to any data stored on the phone. There could be other smartphones with similar vulnerabilities, says the report.

To protect against such hacks, corporations need to institute a formal IT supply-chain risk-management program, including investigation into the robustness of software-update mechanisms, says the report. For smartphones, in particular, it recommends asking all hardware and software suppliers for specifics on how they update firmware and software.

The Gartner report notes that just because this happened in a ZTE phone doesn’t necessarily mean that the company had a nefarious motive. Indeed, the backdoor could have been “developed and installed by a disgruntled or rogue employee, assuming he or she circumvented source-code control and deployment management systems.”

Or maybe it didn’t come from ZTE at all. The Economist reported recently that when an American telecommunications company investigated a Chinese company acquired by one of the American company’s vendors, it found the Chinese company to be clean. It turned out, however, that the Chinese company was outsourcing software development to a firm that was a front for Russian intelligence (http://econ.st/110Fmif).

That’s a perfect example of why today’s convoluted IT supply chain is increasingly insecure. The Gartner report says software supply chains can be easy targets because of increased use of outsourced software development. Even if a company uses its own developers, many use third-party libraries and frameworks that include open-source software, which can be vulnerable. In addition, with the use of increasingly active code at many layers, the use of software-based platforms atop operating systems provides new opportunities to insert backdoors and vulnerabilities. Finally, content itself can be used to attack. Exploits against hidden application-layer vulnerabilities can change an innocent piece of code into an attack vector.

Are you doing what you should to ensure the integrity of your software supply chain?
—by Tam Harbert

This story was originally posted by EBN: http://bit.ly/ZRkSFK.

GREEN UPDATE
The future of clean manufacturing in the United States

Improving supply-chain and manufacturing methods, and educating consumers to demand greener electronics as well as less packaging, is a good start for any supply chain wishing to contribute responsibly to a cleaner environment while doing its business. I was pleased to learn that the US Department of Energy (DOE) on March 26 launched the Clean Energy Manufacturing Initiative (CEMI) (http://1.usa.gov/12rC2ln). The initiative focuses on “growing American manufacturing of clean energy products and boosting US competitiveness across all sectors through major improvements in manufacturing energy productivity.”

So, what does the CEMI mean for the supply chain? According to the Solar Foundation, roughly 30,000 jobs in the solar sector in the United States are in manufacturing. In addition, the US wind supply chain has grown in recent years. Nearly 70% of the component parts of wind installations in the United States are being sourced domestically. All of this effort translates into a means of reducing local and global air pollution. It also contributes to a 7.9% reduction in computers and electronics in the supply chain.

According to the DOE, with the recent opening to manufacturers of a $35 million, state-of-the-art Carbon Fiber Technology Facility (CFTF) in Oak Ridge, TN, clean-energy companies and researchers are provided with a test bed for the development of less expensive, better-performing carbon-fiber materials and manufacturing processes. The CFTF will help manufacturers lower the cost of producing their products, which, in turn, will reduce end-consumer prices.

The new facility represents a great potential in positioning the United States in the growing international carbon-fiber manufacturing sector. Finally, what is good for the environment is good for us.
—by Susan Fourtané

This story was originally posted by EBN: http://bit.ly/110Cmm2.

56 EDN | MAY 2013 [www.edn.com]
