Trust and Software Supply Chain Security

In this episode of ReversingGlass, Matt explains how trust is foundational to software supply chain security. Software producers and consumers alike need to continually question whether or not the software they are making or buying is trustworthy. 

Keep learning

-Blog: Do you trust your software? Why verification matters
-Report: The State of Supply Chain Security
-Report: Why Traditional App Sec Testing Fails on Supply Chain Security

Episode Transcript

MATT ROSE: Hi everyone, welcome back to another episode of ReversingGlass. I'm Matt Rose, Field CISO, at ReversingLabs. Today's episode is Trust and Software Supply Chain Security. The foundational aspect of software supply chain security, in my opinion, is trust. How do you trust all aspects of software supply chain security?

But before we dig into some details, I always like to give the analogy, and maybe a movie quote or two, you know how I work. The reference today is the 2006 film, The Departed, great gangster film, loosely based on Whitey Bulger, if you're a Boston guy or you know the story, great movie. But if I see this movie poster, I have to hear the song because the song is everything.

Well, that's enough of that. If you don't know the song, it's associated with the movie, Dropkick Murphys, "Shipping Up to Boston." I'm a Boston guy, so we had to put that in there. But where am I going with this trust? There, Frank Costello, was the main mobster character and his quote in this movie was, "you just can't trust a guy who acts like he's got nothing to lose." Sound familiar? We're in cybersecurity. What do we have to lose? Well, it's the hackers that have nothing to lose. They are constantly trying to leverage your applications, your software, and how do you trust them if there's that constant onslaught of manipulation, of social engineering, so on and so forth.

So, in order for you to trust your applications, your software, you need to have trust of a few different things, and how do you get that? You need to be able to trust your software. That's the first step. You need to actually trust your software release. You need to trust your files, your email, and your downloads.

These are the things you need to trust. This is just the beginning stage of software supply chain security, but you need to trust these things to ensure that you have a secure software supply chain program, the software itself, whether you're developing that yourself, or it's a third party, your new release of your software, is it still trustworthy?

Has something changed? Because if you got nothing to lose, just throw it out there. But a lot of people have a reputation and financial obligation to ensure that you are trusting your software release. The files that you use on a day to day basis, is there a compromise of the files themselves? Emails, are the emails of question with ransomware type of issues or even the downloads of an open source package or the download of a piece of software that you're going to use.

So, in order to trust your different areas, things, you need to basically focus on doing the correct things and having a capability to analyze these specific areas. And, there's a bunch more, but this is a great starting point is to ask yourself, do I trust my software? Do I trust my software application releases? Do I trust the files I used to operate my business? Do I trust the email that I use to communicate? Are there attachments of ransomware? Do I trust downloads? So, without trust, you don't have secure software development or a secure software supply chain. I'm Matt Rose. Hope you enjoyed the episode. Stay safe out there, everybody.