Authors: Vinod Anandan, Meha Bhargava, Niklas Jan Duster
2023-02-15

With the need to deliver software to clients faster, it is typical not to "reinvent the wheel" and instead rely on open source and third-party components. As adoption of open source and third-party components increases, the complexity and inherited risk of the software supply chain is rising. It is crucial to have a complete and accurate inventory of open source and third-party component usage and the risk associated with it. "Our software supply chain security is our responsibility." To achieve a complete inventory, a Bill of Materials (BOM) is a fundamental building block. OWASP Dependency-Track consumes BOMs and helps to continuously monitor the risk associated with these components. In this talk, we will explain and demonstrate OWASP Dependency-Track and how it can be a foundational platform to add to your arsenal of tools to improve software supply chain security.
Authors: Tsvi Korren
2022-11-18

From medications to aircraft, car parts to computer parts -- humans have figured out how to secure the process of sourcing and building some of our most complicated products. With software supply chain security only now getting started, what can we learn from parallel industries that can give us a leg up on securing the supply chains of our digital world?

If most of us can agree that industry involves taking in materials and processing them to make something new, why is there still this view of software developers as artisans who write everything from scratch? The fact is that most organizations today write only a small part of their software. Most software is sourced, either as finished products or as components for internal software development. This is especially true for Cloud Native applications, which are based on open source components, running in open source or Cloud-provided orchestration, and are spread across multiple types of workloads. The result is that organizations end up assuming security responsibility for an application where much of the code was written elsewhere and assembled in a build pipeline with varying degrees of governance and oversight.

Over the years, manufacturing has developed a set of tools and processes to ensure quality and security in the supply chain and assembly lines. Similarly, Application Security needs to account for how software is sourced and used in the modern application pipeline. This presentation will show the similarities between manufacturing supply chains and the software supply chain. We will use the pharmaceutical industry as a model to outline the required controls, where to place them, and how to use the gathered information to make better decisions and produce more secure software.
Authors: Don Vosburg, Aaron Conklin
2022-06-22

tldr - powered by Generative AI

The presentation discusses the importance of software security in organizations and how to maintain it while reducing the attack surface. It emphasizes the need for partnering with companies that specialize in security to handle the burden. The presentation also covers key concepts of security such as confidentiality, integrity, availability, authenticity, non-repudiation, accountability, and anonymity. The speaker highlights the ebb and flow between the openness and closedness needed for a functional environment and for security. The presentation also discusses security certifications and standards such as Common Criteria, NIAP, DISA's Security Technical Implementation Guides (STIGs), the FIPS 140-3 standard, and CIS Benchmarks.
  • Partnering with companies that specialize in security can help reduce the burden of maintaining software security while still ensuring overall security
  • Key concepts of security include confidentiality, integrity, availability, authenticity, non-repudiation, accountability, and anonymity
  • There is an ebb and flow between the openness and closedness needed for a functional environment and for security
  • Security certifications and standards such as Common Criteria, NIAP, DISA's Security Technical Implementation Guides (STIGs), the FIPS 140-3 standard, and CIS Benchmarks are important for maintaining software security
Authors: Josh Bressers
2022-06-21

tldr - powered by Generative AI

The presentation discusses the importance of understanding the order of steps in supply chain management and the need to prioritize solutions based on the problem at hand.
  • Understanding the order of steps in supply chain management is crucial to effectively addressing problems
  • Prioritizing solutions based on the problem at hand is more effective than blindly implementing solutions
  • The speaker shares an anecdote about the challenges of vulnerability scanning and the importance of building a vulnerability management system
  • The speaker emphasizes the importance of having an SBOM (Software Bill of Materials) as the foundation of supply chain management