S2E2: Cole Kennedy - Software Supply Chain Security, SBOM and Open Source

I was reading the CISA document "Defending Against Software Supply Chain" and was curious if the guidance within was helpful or informative for anyone who wants to start a S-SCRM program? 

What role do you feel compliance frameworks play in SCRM? We are seeing sources such as NIST 800-53 include SCRM specific controls now. Will it help?

What would you say is the most resilient component an individual could add to their own organization to recover quickly in the event of a software supply chain attack?

From the perspective of Cloud, do you feel cloud adoption can help, or hinder when it comes to driving down risk associated with the supply chain?

What are the biggest concerns / risks when it comes to building a secure software supply chain program

I know you've been involved with projects such as TUF and in-toto. Can you help folks understand what those are and why they are valuable?

What does the term "Cyber Resilient" mean to you?

Find out more from Cole at Testify Sec - https://www.testifysec.com/