At last year’s RSA Conference, software supply chain security was a common theme, whether in track sessions or on the exhibition floor. This year, the conference’s focus on the threat to the software supply chain has ratcheted up.
This isn’t surprising. Last year set a record for these kinds of attacks, and many experts expect supply chain attacks to become more common and more damaging in 2023. The recent VS Code hack, which targeted developers’ use of the VS Code Extensions Marketplace, as well as the 3CX voice over IP attack, serve as key examples.
The conversation surrounding software supply chain attacks is a major theme at RSA Conference 2023. Here are the must-see sessions that your security teams will benefit from in understanding software supply chain security to the fullest.
Scaling Software Supply Chain Source Security in Large Enterprises
For bigger organizations that have complex infrastructures, depend on third parties to operate, and serve a great number of customers, software supply chain risk is ever-present. Not only do these organizations need to pay attention to what their own software products are composed of, such as open source components and internally developed software, but they also need to review the inventories of any other software product they integrate with. To address this perspective, JP Morgan Chase’s Product Security Director, Rao Lakkakula, will present on why it is essential for larger enterprises to use tools such as comprehensive software bills of materials (SBOMs) to track their dependencies and products in a responsible and efficient manner.
When: Monday, April 24, 2023 9:40-10:30 AM Pacific
Running in the Shadow: Perspectives on Securing the Software Supply Chain
It will take a collection of perspectives to determine how best to secure software supply chains, considering the variety of stakeholders who contribute to a supply chain’s downfall or success. In this RSAC track session, Jessica Hardcastle, Cybersecurity Editor for The Register, will moderate a panel discussion between three experts who represent the different perspectives of software supply chains’ key stakeholders: CISO, developer, and policymaker. James Higgins, Google’s CISO, Dan Lorenc, CEO and Co-Founder of Chainguard, and Camille Stewart Gloster, Deputy National Cyber Director for Technology and Ecosystem Security, will take to the RSAC stage to discuss and debate how best to secure today’s software supply chains.
When: Monday, April 24, 2023 1:10-2 PM Pacific
The World on SBOMs
SBOMs have become recognized as a key tool for better securing software supply chains, since a high-quality one provides transparency into a software artifact, making the organizations that rely on it more aware of its dependencies. In this track session, experts Chris Blask, Chief Evangelist at Cybeats, and Kate Stewart, VP of Dependable Embedded Systems at the Linux Foundation, will outline how a high-quality SBOM that represents the various parts of the software lifecycle can improve risk management for organizations looking to lower operational costs, improve IP control and strengthen business relationships.
When: Tuesday, April 25, 2023 9:40-10:30 AM Pacific
How Do You Trust Open Source Software?
As a result of accelerating DevOps processes and the increased use of shared cloud-based platforms, the use of software components from open source repositories is a must for developers today. However, attackers have caught on to how widely developers use open source repositories, and have made these platforms a breeding ground for software supply chain security risk. This is why projects like the OpenSSF Scorecard, which assesses these components for software supply chain security, will become essential to the DevOps process. To explain the benefits of this tool, Google Product Manager Brian Russell and OpenSSF Scorecard Maintainer Naveen Srinivasan will demonstrate the tool’s effectiveness in minimizing software supply chain risk.
When: Tuesday, April 25, 2023 2:25-3:15 PM Pacific
The Opposite of Transparency
The benefits of SBOM use are a popular topic for several of this year’s RSAC track sessions, but one session in particular plans to highlight the current opposition to SBOM adoption, and why this skepticism is fueled by mis- and disinformation as well as self-serving motives. Claroty’s VP for Cyber Safety Strategy, Joshua Corman, who also has experience tackling supply chain security in the public sector, will use this track session to point out the flaws in SBOM opponents' arguments. In doing so, he will make the case for why the use of SBOMs is essential to provide transparency into the supply chains we rely on.
When: Wednesday, April 26, 2023 8:30-9:20 AM Pacific
Creating the Standard for Supply Chain Risk: MITRE's System of Trust
Robert Martin, Sr. Software and Supply Chain Assurance Principal Engineer at MITRE, is returning to RSAC with Cassie Crossley, VP of Supply Chain Security at Schneider Electric, to revisit how MITRE’s System of Trust (SoT), originally released in 2021, has evolved to consider the risks that stand in the way of software supply chain security. At last year’s RSAC, Martin presented on this same topic and spoke with ConversingLabs host Paul Roberts about his presentation. This year, Martin and Crossley will present on the current state of SoT, and how software publishers and consumers are benefiting from it.
When: Wednesday, April 26, 2023 9:40-10:30 AM Pacific
The Rise of Malware Within the Software Supply Chain
When discussing software supply chain risk, many will point to software vulnerabilities as the major threat to securing these chains. In reality, vulnerabilities are just one of several risks posed to supply chains. One risk that’s often overlooked is the insertion of malware into development pipelines, open source platforms and third-party software components. To illustrate why organizations need to start paying attention to this risk, ReversingLabs Director of Product Management Charlie Jones will present the likely scenarios in which an organization can be hit with a malware-delivering software supply chain attack.
When: Thursday, April 27, 2023 8:30-9:20 AM Pacific
DevSecOps Worst Practices
DevOps has transformed in recent years to incorporate security into its processes in an effort to minimize software supply chain risk. But as DevSecOps has evolved, so have the standards for what is considered a best practice in this space. In an effort to summarize what good-quality DevSecOps entails, Tanya Janca of We Hack Purple will use her track session to point out the DevSecOps practices that have failed, and why the industry should continue to avoid these counterproductive practices.
When: Thursday, April 27, 2023 9:40-10:30 AM Pacific
ReversingLabs @ RSAC
ReversingLabs looks forward to seeing you at RSAC 2023, at Booth N-5428. You can follow all of our news from the event here.