Keynote - Software Supply Chain Lifecycle Management: Reducing Attack Vectors and Enabling Rugged DevOps

Presented at AppSec USA 2016, Oct. 13, 2016, 8 a.m. (60 minutes)

As the cyber threat landscape evolves and as software dependencies grow more complex, understanding and managing risk in the software supply chain is more critical than ever, and it must focus on the entire lifecycle that includes development, acquisition, and DevOps.  The Internet of Things (IoT) is contributing to a massive proliferation of a variety of types of software-reliant, connected devices.  With IoT increasingly dependent upon third-party software of unknown provenance and pedigree, software composition analysis and other forms of testing are needed to determine 'fitness for use' and trustworthiness in terms of quality, security, safety, and licensing.  Application vulnerability correlation and management should leverage automated means for detecting threat indicators, weaknesses, vulnerabilities, and exploits.  Using standards-based automation also enables the exchange of information internally and externally with vendors in the global supply chain for IoT/ICT products.  Addressing supply chain dependencies throughout the lifecycle enables enterprises to harden their attack surface by:  comprehensively identifying exploit targets; understanding how assets are attacked, and providing more responsive course of action mitigations.

Presenters:

• Joe Jarzombek
  Joe Jarzombek is the former Director for Software Assurance in the National Cyber Security Division of the U.S. Department of Homeland Security (DHS). He led government inter-agency efforts with industry, academia, and standards organizations to shift the security paradigm away from patch management by addressing security needs in work force education and training, more comprehensive diagnostic capabilities, and security-enhanced development and acquisition practices.After retiring from the U.S. Air Force as a Lt. Col. in program management, Joe Jarzombek worked in the cyber security industry as vice president for product and process engineering. He served in two software-related positions within the Office of the Secretary of Defense prior to accepting his current DHS position. Throughout his career he has actively lead process improvement initiatives, including serving on the CMMI Product Development Team and later on the CMMI Steering Group. He has continued to co-lead efforts to integrate safety and security into integrated Capability Maturity Models (CMMs).

Links:

• https://appsecusa2016.sched.com/event/7tC1/keynote-software-supply-chain-lifecycle-management-reducing-attack-vectors-and-enabling-rugged-devops
• https://www.youtube.com/watch?v=pzv3XP7R_5g

Similar Presentations:

• BSidesLV 2019 / Supply Chain Security
• AppSec USA 2016 / Making Invisible Things Visible: Revealing Secrets from 25,000 Applications
• AppSec USA 2015 / Threat Modeling the IoT Supply Chain