Charlie Jones and Priyanka Raghavan discuss third-party software risks, case studies, secure software development frameworks, laws and regulations, and advise on tackling enterprise risks. They cover definitions, importance of managing risks, supply chain attack case studies, NIST secure software development framework, Salsa framework for security, transitive dependencies, automation for risk management, accountability in mitigating risks, and tools for software supply chain risk testing.
Read more
AI Summary
Highlights
AI Chapters
Episode notes
auto_awesome
Podcast summary created with Snipd AI
Quick takeaways
Understanding and managing risks from external parties is crucial for businesses, involving assessment, compliance, and oversight in third party engagements.
The Secure Software Development Framework emphasizes vulnerability identification, but critics suggest focusing on known malicious components for better risk mitigation.
The Software Supply Chain Levels for Software Artifacts framework offers tiered security progression, addressing threats across the software supply chain with visual threat models.
Effective third party risk evaluation involves maintaining vendor relationships, consistent testing methodologies, and risk management strategies for robust security measures.
Binary analysis aids in independently validating software components, assessing risks, and ensuring security claims, with automation streamlining risk assessments.
Laws like the Cyber Resilience Act impose strict requirements on software publishers and consumers to mitigate supply chain risks, leading to financial penalties in case of violations.
Deep dives
Understanding Third Party Software Risks
Third party software risks are segmented into first, second, and third party components where third parties are external to the business. This includes commercial off-the-shelf (COTS) software readily available for purchase without major modifications. The reliance on third party software varies based on business strategies, with insights from reports indicating high usage of open source components. Ensuring software security is crucial due to potential data breaches and downstream impacts.
Importance of Third Party Risk Management
Effective third party risk management involves establishing policies, procedures, and controls governing third party applications throughout their lifecycle. Additionally, providing technology tools for security practitioners to validate compliance and managing identified risks within set risk thresholds. The risk management function plays a vital role in ensuring adherence to policies, testing software compliance, and managing risks according to the organization's appetites.
Overview of Third Party Risk Management (TPRM)
Third Party Risk Management (TPRM) encompasses understanding and managing risks posed by external parties crucial to the business operations. It involves assessing third party engagements, ensuring compliance with security policies, and evaluating security postures through vendor questionnaires and oversight. TPRM programs focus on different stakeholder groups, establishing controls, and monitoring the security measures of external parties.
Introducing the Secure Software Development Framework (SSDF)
The Secure Software Development Framework (SSDF) provides best practice controls for secure software development, validated by software suppliers providing services to US government agencies. While it emphasizes vulnerability identification and remediation, criticisms suggest a shift towards identifying known malicious components for more effective risk mitigation.
Understanding SLSA Framework for Software Supply Chain Levels
The Software Supply Chain Levels for Software Artifacts (SLSA) framework offers a tiered model for securing software supply chains, promoting security progression over time. It addresses threats across the software supply chain, covering risks from typosquatting to secret leakage. SLSA emphasizes visual threat models and security controls to enhance software security.
Key Steps in Third Party Risk Evaluation
Critical steps in evaluating third party risks involve understanding software suppliers, risk ranking based on business importance, and applying a consistent testing methodology throughout the software lifecycle. Maintaining vendor relationships, risk assessment, and risk management strategies are essential for effective third party risk evaluation.
Binary Analysis for Enhanced Software Verification
Binary analysis offers a powerful tool for independently validating vendor-provided documentation and evaluating software components and dependencies. By deconstructing binary packages and analyzing embedded objects, binary analysis aids in assessing software risks, validating security claims, and enhancing software assurance. Automation of binary analysis can streamline risk assessments and ensure robust security measures.
Compliance with Laws and Regulations in Software Supply Chains
Numerous laws and regulations, such as the Cyber Resilience Act and the Digital Operational Resilience Act, enforce stringent requirements for software publishers and consumers to mitigate supply chain risks. Violations of these laws can lead to severe financial penalties and reputational damage, as seen in high-profile breaches like SolarWinds and MOVEit.
Guarding Against Transitive Dependency Risks
Transitive dependencies pose indirect risks within software supply chains, necessitating detailed inventory management and risk assessment for all components and dependencies. Automation tools, like binary analysis, help uncover transitive dependency risks and enhance visibility into software packages, bolstering security measures.
Top Strategies for Defending Against Supply Chain Attacks
To safeguard against software supply chain attacks, companies should focus on understanding software suppliers' risks, risk ranking critical vendors, and implementing repeatable testing methodologies. Leveraging automation tools like binary analysis, establishing trust through rigorous testing, and aligning security practices with business needs are fundamental strategies for effective supply chain security.
Enhancing Visibility and Assurance for Software Supply Chains
Enhancing visibility into software supply chains requires comprehensive software inventory management, periodic risk reassessments, and robust testing methodologies. Tools like binary analysis can provide deep insights into software risks, dependencies, and security threats, empowering enterprises to make informed decisions and protect against supply chain vulnerabilities.
Charlie Jones, Director of Product Management at ReversingLabs and subject matter expert in supply chain security, joins host Priyanka Raghavan to discuss tackling third-party software risks. They begin by defining different types of third-party software risks and then take a deep dive into case studies where third-party components and software have had cascading effects on downstream systems. They consider some frameworks for secure software development that can be used to evaluate third-party software and components – both as a publisher or as a consumer – and end by discussing laws and regulations with final advise from Charlie on how enterprises can tackle third-party software risks. Brought to you by IEEE Computer Society and IEEE Software magazine. This episode is sponsored by WorkOS.
Get the Snipd podcast app
Unlock the knowledge in podcasts with the podcast player of the future.
AI-powered podcast player
Listen to all your favourite podcasts with AI-powered features
Discover highlights
Listen to the best highlights from the podcasts you love and dive into the full episode
Save any moment
Hear something you like? Tap your headphones to save it with AI-generated key takeaways
Share & Export
Send highlights to Twitter, WhatsApp or export them to Notion, Readwise & more
AI-powered podcast player
Listen to all your favourite podcasts with AI-powered features
Discover highlights
Listen to the best highlights from the podcasts you love and dive into the full episode
