Work item: X.2105 (ex X.st-ssc)

Subject/title: Security threats of software supply chain

Status: Determined on 2025-12-11 [Issued from previous study period]

Approval process: TAP

Type of work item: Recommendation

Version: New

Equivalent number: -

Timing: 2025-12 (Medium priority)

Liaison: ISO/IEC JTC 1/SC 27, ETSI

Supporting members: Korea (Republic of), Malaysia, Ghana, Luxembourg, ETRI, KISA, Soonchunhyang University

Summary:
In recent years there has been a significant increase in cyberattacks that exploit weaknesses in the software supply chain. Such attacks can have devastating, costly and long-lasting consequences for the affected organizations, their supply chains and their customers. Addressing them requires identifying the security threats at each stage of the software supply chain life cycle, together with all of the stakeholders involved; the identified threats then serve as the basis for developing controls across that life cycle.
This draft Recommendation describes high-level security threats and controls for software supply chain security, and low-level security threats to the software supply chain covering both open-source software (OSS) and closed-source software. It also sets out fundamental principles and examples of supply chain attacks, identifies the stakeholders involved in the development, build and distribution of software, and specifies a taxonomy of security threats across the software life-cycle processes.
Each security threat is assigned an index according to its category, so that it can be referenced from other parts of this Recommendation and from other Recommendations.

Comment: -

Reference(s):

Historic references:

Contact(s):

ITU-T A.5 justification(s):

First registration in the WP: 2023-03-06 11:34:51

Last update: 2025-12-15 16:06:05