System OEMs are increasingly adopting the motto “Trust but verify” when it comes to their supply chains. After several public incidents in which trusted vendors unknowingly provided vulnerable components, OEMs are requesting evidence of security assurance before integrating components into their products. It can be problematic for semiconductor vendors to provide such evidence since their products often contain 3rd party components that are typically treated as black boxes. Moreover, asking 3rd party vendors to provide such evidence for their components is equally problematic due to the many integration unknowns and a lack of applicable literature on security assurance for standalone technologies. We address these issues by defining a security process and relationship between semiconductor vendors and trusted 3rd party component providers and a practical methodology to produce standardized quality security assurance evidence. We provide example applications of the methodology using several open source components.
CITATION STYLE
Sherman, B., Borza, M., Rosenberg, B., & Qi, C. (2017). Security Assurance Guidance for Third-Party IP. Journal of Hardware and Systems Security, 1(1), 38–55. https://doi.org/10.1007/s41635-017-0002-5