Below the Surface (Audio) - The Supply Chain Security Podcast
Eclypsium
A lively discussion of the threats affecting supply chain, specifically focused on firmware and low-level code that is a blind spot for many organizations. This podcast will feature guests from the cybersecurity industry discussing the problems surrounding supply chain-related issues and potential solutions.
Get the Supply Chain Security Toolkit from Eclypsium here: https://eclypsium.com/go
Get the Supply Chain Security Toolkit from Eclypsium here: https://eclypsium.com/go
Episodes
Mentioned books
Oct 18, 2023 • 55min
Reverse Engineering BMCs and Other Firmware - Vladyslav Babkin - BTS #15
Vlad is part of the Eclypsium research team and has discovered several flaws in BMC ecosystems. He comes on the show to talk about his journey and cover the details behind BMC vulnerabilities and attacks. Segment Resources: https://forum.defcon.org/node/245714 https://eclypsium.com/research/bmcc-lights-out-forever/ https://eclypsium.com/blog/supply-chain-vulnerabilities-put-server-ecosystem-at-risk/ Show Notes: https://securityweekly.com/bts-15
Oct 4, 2023 • 54min
Protecting The Federal Supply Chain - John Loucaides - BTS #14
John Loucaides, SVP Strategy at Eclypsium, joins us on the show to discuss protecting the federal supply chain! This segment is sponsored by Eclypsium. Visit https://securityweekly.com/eclypsium to learn more about them! Show Notes: https://securityweekly.com/bts-14
Sep 20, 2023 • 55min
Network Device Supply Chain Security - Nate Warfield - BTS #13
We dig into network devices/appliances, why they are still around, who is attacking them, and how. Just why are attackers using network devices in ransomware campaigns and how do we stop them? Tune-in to find out as Nate Warfield, Director of Threat Research and Intelligence at Eclypsium joins us for this episode! This segment is sponsored by Eclypsium. Visit https://securityweekly.com/eclypsium to learn more about them! Show Notes: https://securityweekly.com/bts-13
Jun 14, 2023 • 55min
Dealing with The Digital Supply Chain - Ramy Houssaini - BTS #12
Ramy Houssaini joins us to discuss the challenges enterprises face when dealing with supply chain threats, risks and vulnerabilities. We'll explore how to identify cybersecurity gaps in your various supply chains, discuss real-world examples such as Log4j and more! Show Notes: https://securityweekly.com/bts-12
May 31, 2023 • 58min
SCRM and Supply Chain Security Up and Down the Stack - Steve Orrin - BTS #11
Supply Chain threats and industry / government initiatives like EO 14028 are driving a deeper understanding and a set of requirements for applying supply chain risk management (SCRM) and increased transparency (ex. SBOM) across the software ecosystem up and down the stack. Platform and system firmware present unique challenges for supply chain assurance from the depths of the stack. Segment Resources: ESF: Securing the Software Supply Chain for Customers https://media.defense.gov/2022/Nov/17/2003116444/-1/-1/0/ESF_SECURING_THE_SOFTWARE_SUPPLY_CHAIN_CUSTOMER_SLICKSHEET.PDF https://media.defense.gov/2022/Nov/17/2003116445/-1/-1/0/ESF_SECURING_THE_SOFTWARE_SUPPLY_CHAIN_CUSTOMER.PDF ESF: Securing the Software Supply Chain for Suppliers https://media.defense.gov/2022/Oct/31/2003105572/-1/-1/0/ESF_SECURING_THE_SOFTWARE_SUPPLY_CHAIN_SUPPLIERS_SLICKSHEET.PDF https://media.defense.gov/2022/Oct/31/2003105368/-1/-1/0/SECURING_THE_SOFTWARE_SUPPLY_CHAIN_SUPPLIERS.PDF ESF: Securing the Software Supply Chain for Developers https://media.defense.gov/2022/Sep/01/2003068942/-1/-1/0/ESF_ SECURING_THE_SOFTWARE_SUPPLY_CHAIN_DEVELOPERS.PDF CISA SBOM Site https://www.cisa.gov/sbom Show Notes: https://securityweekly.com/bts-11
May 17, 2023 • 60min
Learning About Firmware Security - Xeno Kovah - BTS #10
Firmware security is a deeply technical topic, that's hard to get started in. In this talk, Xeno will discuss some past work in firmware security, and how he has organized resources such as a low level timeline (with over 300 talks), and free MOOC classes, to help teach people about firmware security. Segment Resources: https://ost2.fyi https://darkmentor.com/timeline.html Show Notes: https://securityweekly.com/bts10
May 3, 2023 • 1h
Accidentally Learning about Security: From Firmware to the Cloud, Brian Richardson - BTS #9
Brian Richardson didn't start out wanting to do marketing or computer security... but after starting his career as a BIOS programmer, he tripped and fell into technical marketing (aka "Binary to English translator"). Brian's here to talk about the importance of hardware & firmware security in a SaaS world. Segment Resources: https://www.youtube.com/watch?v=I2FwiEH6dg4 https://www.youtube.com/watch?v=i9PrWw4ljeg https://medium.com/intel-tech/security-built-on-a-foundation-of-trust-1fa1dbb74cbc https://archive.fosdem.org/2020/schedule/event/firmware_culisfu/ Show Notes: https://securityweekly.com/bts9
Apr 19, 2023 • 57min
BTS #8 - Richard Hughes
The LVFS is a project used by over 130 different vendors, from all positions of the supply chain. It decompresses, decompiles, then analyses firmware looking for issues, and then automatically builds a SBoM for each download. Segment Resources: https://fwupd.org/ https://github.com/fwupd Show Notes: https://securityweekly.com/bts8
Apr 5, 2023 • 48min
Nicholas Starke - BTS #7
Discuss current events in firmware security, such as the techniques utilized in BlackLotus. We will compare Baton Drop with Grub2 capabilities. Segment Resources: https://starkeblog.com/ Show Notes: https://securityweekly.com/bts7
Mar 22, 2023 • 55min
BTS #6 - Vincent Zimmer
This session will provide an overview of the history of host firmware, or BIOS, focusing on the arc of the Unified Extensible Firmware Interface. It will include the development of defenses like UEFI Secure Boot and the challenges in scaling assurance across a broad ecosystem. It will close on works-in-progress and opportunities to build upon the school-of-hard-knocks learnings in this space. Show Notes: https://securityweekly.com/bts6
