Software Supply Chain Security: “Would you like malware with that order?”
Date: August 17, 2022
Time: 1:00-2:00PM Central Time
Mark F. Tannian, Ph.D., CISSP, PMP
Mark is a member of the St. John's University faculty and a Professional Development Provider for RBCS.
Software is integrated into nearly all aspects of business and modern living. We are all consumers within a variety of software supply chains. Some of us are software products suppliers or related services providers. The software supply chain is an ecosystem based on trust. Our trust is given explicitly or implicitly. Trust in this case often involves the surrender of control and authority in order to benefit from enhanced capabilities, economies of scale, cost avoidance, improved time-to-market, transfer of risk, and many other positive motivations.
Adoption of open source software has carried the promise of visibility that lets us "know our code," the code on which we depend. Yet vulnerabilities such as Log4Shell and Heartbleed continue to be missed until after the affected software has become pervasive in our organizations. Not all compromises of software supply chain security are software design or programming errors, however. There are well-known campaigns that exploited consumer-supplier trust and resulted in direct damages and possible loss of life. NotPetya, delivered through a tainted update to the M.E.Doc accounting software, has been estimated to have cost at least $10 billion in worldwide damages. The SolarWinds breach potentially undermined the security of thousands of customers who downloaded a tainted version of the SolarWinds Orion software; because Orion is a network monitoring and management platform, those customers' network operations may have been exposed to the perpetrators. The threat actors in both of these software-supply-chain compromises were sophisticated, and neither vendor likely considered itself to be a participant in geopolitics.
Our risk analysis often assumes that our organization's own assets are the end goal of a threat actor. As we maintain our threat register, we rarely consider our suppliers as a threat source. In cyberspace, where physical distance is immaterial, our business model and/or customer base is itself valuable to an attacker. What was Target's HVAC service provider doing about IT security before December 2013? The integration of information technology with operational technology in our organizations is another attraction for those who seek to do harm. By exploiting consumer-supplier trust relationships, threat actors operate within authorized data flows, which enables sophisticated campaigns inside consumer environments. The cyber-related power outages of 2015 and 2016 in Ukraine are examples of what industrial control system (ICS) attackers are potentially able to do to the lives of civilians nearly everywhere.
Your software supply chain may be the means by which a threat actor gains access to business critical systems or life safety controls.
In this presentation we will explore documented software supply chain risks and guidance on how to manage this risk, both as a supplier and as a consumer.
Bio: Mark F. Tannian, Ph.D., CISSP, PMP is a member of the St. John's University faculty and a Professional Development Provider for RBCS. Dr. Tannian teaches in the areas of cyber security, digital forensics and computer science at St. John's University. As an instructor for RBCS, he teaches the iSQI Advanced Security Tester certification course. He has published in the areas of cloud security, security visualization, DNA-based authentication, design thinking and professional certifications. During his six years as Executive Director of Education for the (ISC)2 New York Metro Chapter, he presented on, and coordinated speakers to discuss, current challenges and recommendations in areas such as software supply chain security, the threat landscape, cyber insurance, and blockchain technologies.
There are no cancellations or registration transfers to another date within 30 days prior to the start of the webinar. You will be held responsible for 100% of the tuition if you cancel your registration within that time period. If the webinar is canceled by RBCS, you will receive a 100% refund or, upon your request, your tuition can be moved to another webinar.