In October 2018, the topic of technology supply chain attacks landed on the front page of every newspaper in the world when Bloomberg Businessweek broke the “Supermicro” story. While that pertained to an alleged attack on a hardware supply chain (and questions still remain about its accuracy), the scary truth was, and still is, that it’s much easier for bad actors to infiltrate and hack “software” supply chains. With “hardware,” you need to physically access something in order to conduct a hack. With software, attacks can be carried out from anywhere.
Today, software development teams are consuming billions of open source components and containerized applications to improve productivity at a massive scale by leveraging open source software supply chains. The good news: they are accelerating time to market. The bad news: many of the components and containers they are using are fraught with defects, including critical security vulnerabilities. While most commercial enterprises and various government agencies are aware of software supply chain threats, cross-industry and governmental knowledge has not been fully coordinated, and proactive measures have been limited. There is little consensus on roles, responsibilities, authorities, and accountability for software supply chain security.
This session will explore recent high-profile software supply chain attacks (e.g., Equifax, India's AADHAAR, CoPay Bitcoin Wallets), including the ease and scale at which they were executed. Derek will also discuss the improvements required for software supply chain security and what combination of actions is being implemented or considered to protect, fortify, and defend critical operations, consumers, missions, and core infrastructure. He will also share insights on current efforts spanning legislation and regulation, policy, acquisition, and technology aimed at improving software supply chain security.
See the slides.