The Application Security Podcast

Matt Rose -- Software Supply Chain Security Means Many Different Things to Different People

Jun 11, 2024

Matt Rose takes listeners on a journey through the intricate world of software supply chain security. He highlights how perceptions vary across the industry and critiques the buzzword 'shift left.' The discussion dives into the roles of digital twins and AI, revealing their potential risks and benefits. Emphasizing threat modeling as a crucial early step, Matt argues for a comprehensive security approach. The conversation also touches on industry trends, the pitfalls of jargon, and the importance of navigating current and emerging security challenges.

46:14

AI Summary

AI Chapters

Episode notes

Podcast summary created with Snipd AI

Quick takeaways

Software supply chain security requires a comprehensive approach that goes beyond Software Composition Analysis to address various associated risks.

The integration of artificial intelligence in security processes offers potential benefits in managing alert fatigue but necessitates careful oversight to avoid new vulnerabilities.

Deep dives

Defining Software Supply Chain Security

Software supply chain security encompasses various perspectives depending on the individual's background, with some viewing it as a buzzword while others consider it a serious and critical issue. This concept includes elements such as malware, tooling, and firmware, indicating that it is not confined to just one aspect of software development. Many professionals erroneously equate Software Composition Analysis (SCA) as the foundation of supply chain security, which limits the broader understanding of potential risks. The need for a comprehensive view is crucial, especially given the complexities of application development where security should be addressed across the entire lifecycle rather than just at early stages.

Intro

4min

Navigating Knowledge and Definitions in Software Security

2min

Rethinking Software Security Practices

4min

Integrating Security: The Role of Threat Modeling

17min

Navigating Software Supply Chain Security

11min

Emerging Trends in LLM Security and Industry Buzzwords

2min

Agile Confusion and AI Illusions

3min

Adapting Learning in Tech Security

4min

Matt Rose, an experienced technical AppSec testing leader discusses his career journey and significant contributions in AppSec. The conversation delves into the nuances of software supply chain security and exploring how different perceptions affect its understanding. Matt provides insights into the XZ compromise, critiques the buzzword 'shift left,' and discusses the role of digital twins and AI in enhancing the supply chain security. He emphasizes the need for a comprehensive approach beyond SCA, the relevance of threat modeling, and the potential risks and benefits of AI in security.

Mentioned in the episode:

The Application Security Program Handbook by Derek Fisher
https://www.manning.com/books/application-security-program-handbook

Podcast Episode: Derek Fisher – The Application Security Program Handbook
https://youtu.be/DgmlHgNT-UM

Authors mentioned:
Steven E. Ambrose https://www.simonandschuster.com/authors/Stephen-E-Ambrose/1063454
Mark Frost https://en.wikipedia.org/wiki/Mark_Frost

FOLLOW OUR SOCIAL MEDIA:

➜Twitter: @AppSecPodcast
➜LinkedIn: The Application Security Podcast
➜YouTube: https://www.youtube.com/@ApplicationSecurityPodcast

Thanks for Listening!

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~