General Info

The recent surge in high-profile software supply chain attacks has exposed a soft underbelly of modern computing and prompted a major global response to address security defects and third-party risk management.

Join us as SecurityWeek’s editorial team moderates an in-depth exploration of critical software and vendor supply chain security issues, with a focus on understanding how attacks against identity infrastructure produce major cascading effects.

Agenda

March 20, 2024 11:00

Verify Trust in Commercial Software

As organizations increase their reliance on third parties, CISOs become responsible for securing an exponentially expanding digital footprint. As this web of interconnectivity and outsourced services grows, new attack vectors are introduced. That is particularly true for software vendors who rely on third-party and open-source components, which are increasingly exploited by malicious actors. During this session, we will outline key actions that enterprises can take to gain visibility and control over commercial software and the supply chains they rely on to operate their business.

Charlie Jones
ReversingLabs, Director, Product Management

March 20, 2024 11:30

NIST CSF 2.0 - A Playbook for Supply Chain Security

Many organizations look to NIST for direction when setting their cybersecurity strategy. The new version of the Cybersecurity Framework (CSF 2.0), released in February 2024, provides best practices to help navigate the evolving threat landscape. This session will discuss the new Govern function added to the framework and the prominent role that supply chain risk management plays within it. Key topics:

>> Timeline of US Government activity, including NIST SP 800-161 (supply chain risk management practices) and SP 800-53 (security and privacy controls)

>> US Government guidance on baseboard management controllers (BMCs) and UEFI firmware

>> How the CSF 2.0 updates can be used to communicate the importance of reducing supply chain security risk

Paul Asadoorian
Eclypsium, Principal Security Evangelist

March 20, 2024 12:00

Decoding the Puzzle: Navigating Through Modern Software's Supply Chain Complexity

Given the rapid increase in software complexity and the rising number of vulnerabilities, current security tools are struggling to keep up with the magnitude of the problem. Worse, the dramatic surge in adoption of AI coding assistants and co-pilots will create a new generation of developers writing code faster than ever before, even though they may not fully understand the inner workings of the technologies they use. As developers become less technical than previous generations, we are sure to see AI-assisted development processes producing more security problems, not fewer. This calls for a radical shift-left approach, with deeper code analysis and contextualization of results, to keep pace with the scale of the software supply chain security problem. Security teams are overwhelmed by alerts from static analysis tools whose findings are roughly 80% false positives: they flag non-exploitable issues and drain time and money on hunting ghosts. As an industry, we need to rethink how to deal with the current scale of the problem. In this talk, Binarly chief executive officer Alex Matrosov will shed light on multiple incidents the company has worked on, including problems in Intel, AMD and Qualcomm reference code, baseboard management controllers (BMCs), and vulnerabilities in third-party components such as the LogoFAIL image-parser flaws in UEFI firmware.

Alex Matrosov
Binarly, CEO & Founder

March 20, 2024 12:30

BREAK

Please visit our sponsors in the Exhibit Hall. They're standing by to engage with you now and answer any questions you may have.

March 20, 2024 12:45

Fireside Chat: Abhishek Arya, Head of Google's Open Source Security Team

In this exclusive fireside chat, SecurityWeek editor-at-large Ryan Naraine interviews Abhishek Arya, Director of Engineering on Google’s open source and supply chain security teams. Expect a frank discussion of the value of fuzzing in security and the development of OSS-Fuzz, the Google-initiated service that continuously fuzzes open source projects to find bugs through automated testing.

The conversation will explore the scenarios where fuzzing is most effective, its current limitations, and future research directions in the field. It will also cover the evolving software supply chain security landscape, highlighting key advances, challenges and research priorities; the industry's potential overemphasis on certain areas and the commercial opportunities in the sector; the role of global government regulation and the shifting landscape of software liability; and strategies organizations can use to measure the effectiveness of their software supply chain security efforts.

Abhishek Arya
Google Open Source and Supply Chain Security Team, Director of Engineering

March 20, 2024 13:15

OSS Supply Chain: Challenges & How the Open Source Community Can Help

In this presentation, David A. Wheeler, Director of Open Source Supply Chain Security at The Linux Foundation, will explore various types of supply chain attacks on open source software and present some countermeasures. The discussion will include an overview of the Open Source Security Foundation (OpenSSF) and how developers and security engineers are working together to secure open source software for the greater public good. Attendees will also learn about key projects and working groups under OpenSSF that are tackling these security challenges.

Dr. David A. Wheeler
The Linux Foundation, Director of Open Source Supply Chain Security

March 20, 2024 13:45

BREAK

Please visit our sponsors in the Exhibit Hall. They're standing by to engage with you now and answer any questions you may have.

March 20, 2024 14:00

Binarly Demo: The Binarly Transparency Platform for Software Supply Chain Security

Source code analysis tools lack context, which leads to massive numbers of false positives. The resulting alert fatigue contributes to vulnerability blind spots and makes these tools impossible to rely on at scale. Binarly creates transparency across the software supply chain by examining the binary itself, not the source code, at each step of the build and deploy lifecycle. Firmware developers gain visibility into the actual binary and can validate exactly what is being shipped to customers, while product security teams can detect known and, more importantly, unknown vulnerabilities hiding in the firmware modules, cryptographic material, and statically linked dependencies within the packages they receive. In addition to near-zero false positives, remediation teams are aided by AI-assisted playbooks for quick vulnerability resolution.

March 20, 2024 14:05

ReversingLabs Demo: Spectra Assure for Software Supply Chain Security

Software represents the largest under-addressed attack surface in the world, and classic AppSec tools cannot address the full scope of threats impacting the software supply chain. ReversingLabs Spectra Assure rapidly deconstructs large, complex software packages and detects the threats and exposures that lead to sophisticated, widespread, and costly attacks. It gives software producers and buyers more trust in software before it is released, acquired, deployed, or updated by helping them eliminate coverage gaps, prioritize alerts, enforce custom policies, streamline remediation, and validate build integrity.

March 20, 2024 14:25

Eclypsium Demo: Protecting Beyond the OS – The Hardware and Firmware Integrity Journey

Hardware and firmware integrity is often the most neglected component of Zero Trust and a trusted supply chain. This session looks at why attackers are targeting areas outside the OS, how to ensure your IT hardware harbors no hidden threats, and how you can integrate these checks into your existing controls.

March 20, 2024 15:00

Networking & Virtual Expo

Please visit our sponsors in the Exhibit Hall. View resources and chat with their experts. They're standing by to answer your questions!

[ON-DEMAND] ReversingLabs Demo: Spectra Assure for Software Supply Chain Security

[ON-DEMAND] Eclypsium Demo: Protecting Beyond the OS – The Hardware and Firmware Integrity Journey

[ON-DEMAND] Binarly Demo: The Binarly Transparency Platform for Software Supply Chain Security

Sponsors