Supply Chain Security Summit

As organizations increase their reliance on third parties, CISOs become responsible for securing an exponentially expanding digital footprint. As this web of interconnectivity and outsourced services grows, new attack vectors are introduced. That is particularly true for software vendors who rely on third party and open source components which are increasingly exploited by malicious actors. During this session, we will outline key actions that enterprises can take to gain visibility and control over commercial software and the supply chains they rely on to operate their business.

Many organizations look to NIST for direction when setting their cybersecurity strategy. The new version of the Cybersecurity Framework (CSF 2.0) has recently been released and will provide best practices to help navigate the evolving threat landscape. This session will discuss the new Governance category added to the framework and the prominent role that supply chain security will play. Key Topics:

>> Timeline of Activity from the US Government NIST SP 800-161 and SP 800-53

>> US Government guidance on BMCs and UEFI

>> Learn about the CSF updates and how they can be used to communicate the importance of reducing risk in supply chain security.

Given the rapid increase in software complexity and the rising number of vulnerabilities, current security tools are struggling to keep up with the magnitude of the problem. Even worse, the dramatic surge in adoption of AI and co-pilots will create a new generation of software developers writing code faster than ever before, even though they may not fully understand the inner workings of the technologies. As developers become less technical than previous generations, we are sure to see AI-generated software development processes with increased numbers of security problems. This means we must take a radical shift-left approach with deeper code analysis and contextualization of the results to keep pace with the scale of the software supply chain security problems. Security teams deal with overwhelming numbers of alerts from static analysis tools that produce 80% of false positives by detecting non-exploitable issues and draining time and money by hunting ghosts. As an industry, we need to rethink how to deal with the current scale of the software supply chain problem. In this talk, Binarly chief executive officer Alex Matrosov will shed light on multiple incidents the company has worked on, including problems in Intel/AMD/Qualcomm reference code, Base Management Controllers (BMC), and vulnerabilities related to third-party components (think LogoFAIL).

Please visit our sponsors in the Exhibit Hall. They're standing by to engage with you now and answer any questions you may have.

In this exclusive fireside chat, SecurityWeek editor-at-large Ryan Naraine interviews Abhishek Arya, Director of Engineering on Google’s open source and supply chain security teams. Expect a frank discussion of the value of fuzzing in security and the development of OSS-Fuzz, a project initiated at Google to enhance software security through automated testing.

The conversation is expected to explore scenarios where fuzzing is most effective, its current limitations, and future research directions in the field. We cover the evolving landscape of Software Supply Chain security, highlighting key advancements, challenges, and research priorities. The conversation touches on the industry's potential overemphasis in certain areas and the commercial opportunities within the sector. The role of global government regulations and the shifting landscape of software liability are also discussed, along with strategies for organizations to measure the effectiveness of their Software Supply Chain security efforts.

In this presentation, David A. Wheeler, Director of Open Source Supply Chain Security at The Linux Foundation, will explore various types of supply chain attacks on open source software and present some countermeasures. The discussion will include an overview of the Open Source Security Foundation (OpenSSF) and how developers and security engineers are working together to secure open source software for the greater public good. Attendees will also learn about key projects and working groups under OpenSSF that are tackling these security challenges.

Please visit our sponsors in the Exhibit Hall. They're standing by to engage with you now and answer any questions you may have.

Source code analysis tools lack context leading to massive amounts of false positives. This creates alert fatigue, contributing to vulnerability blindspots and makes these tools impossible to rely on effectively at scale. With Binarly, transparency is created across the software supply chain by examining the binary file – not source code – at each step of the build and deploy lifecycle. Firmware developers gain visibility into the actual binary file, validating exactly what is being shipped to customers while product security teams can detect the presence of known and more importantly, unknown vulnerabilities hiding in the firmware modules, cryptographic materials, and statically linked dependencies within the packages they are receiving. In addition to near zero false positives, remediation teams are also aided with AI-assisted playbooks for quick vulnerability resolution.

Software represents the largest under-addressed attack surface in the world, and classic AppSec tools cannot address the full scope of threats impacting the software supply chain. ReversingLabs Spectra Assure rapidly deconstructs large, complex software packages and detects threats and exposures that lead to sophisticated, widespread, and costly attacks. Have more trust in software before it is released, acquired, deployed, or updated by empowering software producers and buyers to eliminate coverage gaps, prioritize alerts, enforce custom policies, streamline remediation, and validate build integrity.

Often the most ignored component of Zero Trust and Trusted Supply Chain – Hardware and Firmware Integrity. Let’s understand why attackers are targeting areas outside the OS, how to ensure your IT hardware doesn’t have any hidden threats, and how you can integrate this into your existing controls.

Please visit our sponsors in the Exhibit Hall. View resources and chat with their experts. They're standing by to answer your questions!

Software represents the largest under-addressed attack surface in the world, and classic AppSec tools cannot address the full scope of threats impacting the software supply chain. ReversingLabs Spectra Assure rapidly deconstructs large, complex software packages and detects threats and exposures that lead to sophisticated, widespread, and costly attacks. Have more trust in software before it is released, acquired, deployed, or updated by empowering software producers and buyers to eliminate coverage gaps, prioritize alerts, enforce custom policies, streamline remediation, and validate build integrity.

Often the most ignored component of Zero Trust and Trusted Supply Chain – Hardware and Firmware Integrity. Let’s understand why attackers are targeting areas outside the OS, how to ensure your IT hardware doesn’t have any hidden threats, and how you can integrate this into your existing controls.

Source code analysis tools lack context leading to massive amounts of false positives. This creates alert fatigue, contributing to vulnerability blindspots and makes these tools impossible to rely on effectively at scale. With Binarly, transparency is created across the software supply chain by examining the binary file – not source code – at each step of the build and deploy lifecycle. Firmware developers gain visibility into the actual binary file, validating exactly what is being shipped to customers while product security teams can detect the presence of known and more importantly, unknown vulnerabilities hiding in the firmware modules, cryptographic materials, and statically linked dependencies within the packages they are receiving. In addition to near zero false positives, remediation teams are also aided with AI-assisted playbooks for quick vulnerability resolution.