Securing the 3rd Party Software Life Cycle

Presented at CanSecWest 2022, May 20, 2022, 9 a.m. (60 minutes).

Supply chain attacks have been on the rise in the past two years and are proving to be common and reliable attack vectors that affect all consumers of software. Securing an organization from third-party software attacks is complicated, with numerous threats along the software lifecycle: from selection of third-party software, through deployment and updates, to retirement. While point-in-time assessments help uncover risk before a product is selected, it is practically impossible to review every solution beforehand, and a point-in-time assessment cannot keep pace with the continuous feature enhancements and updates a piece of software goes through over its lifetime. There is no comprehensive end-to-end framework that both defines how to mitigate threats across the software supply chain and provides reasonable security guarantees. In the face of the eye-opening, multi-billion-dollar attacks of recent times, a solution is urgently needed. In this talk we present our proposed solution, Securing the 3rd Party Software Life Cycle: an end-to-end framework for ensuring the security of third-party software throughout its lifecycle.

Presenters:

  • Kesav Nimmagadda - Microsoft
    Kesav leads operations and strategy for the Software Supply Chain Security Assurance program and works with various engineering teams at Microsoft to ensure they are aligned with Microsoft's security strategy. Kesav is passionate about solving the software supply chain security problem for Microsoft and sharing that experience with the industry. He has over 10 years of experience in application security, audit compliance and penetration testing. Prior to Microsoft, he worked with Accenture, Cigniti Technologies and ZenQ. Kesav is passionate about problem solving, keeping up to date with the latest in technology, and program management. He holds multiple security certifications, including CISSP, CCSP, CompTIA Security+ and CEH. He was an active white-hat researcher who identified and reported multiple security vulnerabilities in major applications such as those of (ISC)2, Indeed and Fitbit.
  • Neha Shukla - Microsoft
    Neha leads the Software Supply Chain Security Assurance program and works with various engineering teams at Microsoft to ensure they are aligned with Microsoft's security strategy. Neha is passionate about solving the software supply chain security problem for Microsoft and sharing that experience with the industry. She has over 16 years of experience in engineering and development and has led key programs. Prior to Microsoft, she worked with United Health Group, Hewlett Packard and TCS. As both a technology company and a cloud provider, Microsoft is among the leading enterprises working out how to secure critical infrastructure against supply chain attacks, and her team has deep knowledge and insight into designing for secure use of third-party and open source software. Neha is passionate about both engineering and program management. She is a PMP and a Certified Function Point Specialist, and has delivered several sessions on data architecture and function point analysis as well as classroom training for the CFPS.
