The keynote presentation discusses the challenges of defending against supply chain compromises in the cybersecurity industry, particularly in the context of the COVID-19 pandemic. The speaker highlights the increasing complexity of software supply chains, the growing number of intrusions and zero-day vulnerabilities, and the need for a more secure software delivery system.
- The COVID-19 pandemic has made it harder to manage the integrity of the software supply chain, with more people working remotely and corporate environments opening up to new opportunities for intrusion.
- Supply chain risks are increasingly seen as national security risks, as evidenced by recent incidents such as SolarWinds, CodeCov, and the Kaseya ransomware attack.
- The traditional model of attackers gaining access to secret data involves target selection, finding suitable attack surfaces, using mechanisms to gain initial footholds, and using privilege escalation and lateral movement mechanisms to get to the data they want.
- Offense seems to be taking the gloves off, with more intrusions and zero-day vulnerabilities being detected and exploited in the wild.
- A more secure software delivery system is needed to mitigate supply chain risks and ensure that software doesn't come bundled with unpleasant surprises.
The speaker highlights the SolarWinds, CodeCov, and Kaseya incidents as stark reminders of what happens when the supply chain goes rogue. A world where software delivery systems aren’t secure is a world where nothing is.
Defending against supply chain compromises in the Before Times was tough enough. But last year was … special, and safely managing the integrity of the software supply chain has become harder than ever.

Some of these problems are not new and have been growing in complexity year by year: the explosion of third-party dependencies; the sheer scale and depth of the modern software stack; and the vicious cycle of needing ever more diverse sets of privileged programs to manage infrastructure, which in turn introduce new entry points into networks.

2020 added rocket fuel to that fire. Overnight, virtually everyone in office environments, including everyone in software development, suddenly became a remote worker. Keeping personal and corporate devices separate—a hard enough problem under normal circumstances—is, at least for now, essentially a lost cause for most businesses. And corporate environments designed for little (if any) remote access had to open up, bringing new ways of working but also new opportunities for intrusion.

In case we needed a reminder of what happens when supply chains go bad, 2020 did not disappoint. SolarWinds, CodeCov, and even more recently, the Kaseya ransomware incident, all act as stark reminders of what happens when the supply chain goes rogue. And a world where software delivery systems aren’t secure is a world where nothing is.

Governments are also now starting to take notice. With concerns ranging from the national origin of consumer applications to the 2021 Executive Order on Improving the Nation’s Cybersecurity, it’s obvious that supply chain risks are increasingly seen as national security risks, and with good reason.

In this talk, we’ll look at the current state of supply chain risks, what happens when they go wrong, and what steps we, as an industry, can take to mitigate some of them. With his experience inside government, in the cybersecurity industry, and in and around platform security, Matt will take us on a whirlwind tour of where we are on supply chain integrity. What are the key risks, and what are the core dilemmas underpinning why they aren’t fixed yet? Which issues are we not paying enough attention to? And what does the future hold? Can we get to a place where we can have confidence our software doesn’t come bundled with any unpleasant surprises?