Keynote: Supply Chain Infections and the Future of Contactless Deliveries

Presented at Black Hat USA 2021, Aug. 4, 2021, 9 a.m. (60 minutes)

Defending against supply chain compromises in the Before Times was tough enough. But last year was … special, and safely managing the integrity of the software supply chain has become harder than ever.

Some of these problems are not new and have been growing in complexity year by year: from the explosion of third-party dependencies; to the sheer scale and depth of the modern software stack; to the vicious cycle of needing ever more diverse sets of privileged programs to manage infrastructure that, in turn, introduce new entry points into networks.

2020 added rocket fuel to that fire. Overnight, virtually everyone in office environments, including everyone in software development, suddenly became a remote worker. Keeping personal and corporate devices separate—a hard enough problem under normal circumstances—is, at least for now, essentially a lost cause for most businesses. And corporate environments designed for little (if any) remote access had to open up, bringing new ways of working but also new opportunities for intrusion.

In case we needed a reminder of what happens when supply chains go bad, 2020 did not disappoint. SolarWinds, Codecov, and even more recently the Kaseya ransomware incident all act as stark reminders of what happens when the supply chain goes rogue. And a world where software delivery systems aren't secure is a world where nothing is.

Governments are also now starting to take notice. With concerns ranging from the national origin of consumer applications to the 2021 Executive Order on Improving the Nation's Cybersecurity, it's obvious that supply chain risks are increasingly seen as national security risks, and with good reason.

In this talk, we'll look at the current state of supply chain risks, what happens when they go wrong, and what steps we, as an industry, can take to mitigate some of them.

With his experience inside government, in the cybersecurity industry, and in and around platform security, Matt will take us on a whirlwind tour of where we are on supply chain integrity. What are the key risks, and what are the core dilemmas underpinning why they aren't fixed yet? Which issues are we not paying enough attention to? And what does the future hold? Can we get to a place where we can have confidence that our software doesn't come bundled with any unpleasant surprises?

Presenters:

  • Matt Tait - Chief Operating Officer, Corellium
    Matt Tait is the Chief Operating Officer of Corellium and is currently responsible for overseeing Corellium's engineering division, which develops virtualized mobile devices used in application- and operating-system-level security testing, malware analysis, and threat intelligence.

    Matt's work in information security spans well over a decade, primarily focusing on security research, platform mitigations, and modern platform security. His career in cybersecurity began at GCHQ, and he subsequently entered the private sector as a principal consultant at iSEC Partners focusing on platform security at Microsoft, before joining Google Project Zero as a security researcher. Matt also taught cybersecurity to law and public policy students as a professor and Senior Fellow at the Robert Strauss Center for International Security and Law at the University of Texas at Austin, before joining mobile and IoT-focused security research and training firm Azeria Labs as a Partner.

    Matt has previously presented talks at multiple information security conferences, including keynoting the Microsoft BlueHat, Infiltrate, and Kaspersky SAS security conferences, and has consulted to both the White House and Congress, both publicly and privately, on numerous occasions on issues ranging from cybersecurity through to foreign election interference.
