Security Software Supply Chain: Is What You See What You Get?
2-Hour live event Tuesday, March 22, 2016
Start Time: 9:00 a.m. US-Pacific/ 12:00 p.m. US-Eastern/ 5:00 p.m. London
Click here to Register!
Overview:
Software is the foundation of our computer eco-system and, just like in the real world, it doesn’t take a lot to upset them. In the non-cyber world, it has been often said ‘We are what we eat’. In the Cyber world this is still true–especially when we consider an organizations inclusion (or consumption) of software. When we buy products and include them in our infrastructure, we perform acceptance testing, in order to make sure they work and have no known vulnerabilities. Unfortunately we don’t know what components are in the products. We also don’t know if the product was built entirely by the software provider or did they use components from somewhere else.
This session will cover issues with software supply chain and development operations. It will cover the basics, including the current state of software supply chain analysis, and attempt to provide pointers on how to figure out what is in a supply chain and what the information can be used for.
Moderator
Mark Kadrich
Chief Information Security & Privacy Officer, San Diego Health Connect
For the past 25 years, Mark Kadrich has worked in the security community, building knowledge, and contributing solutions. Most recently, Mr. Kadrich has been working with his colleagues at Emagined Security filling positions as a CISO and a PCI compliance architect. He is responsible for crafting new policy and procedures regarding installation, use, testing, and compliance for both a health information exchange and a large and diverse retail service enterprise. Recently, Mark architected large crypto services environments and secure network environments. He holds degrees in Management Information Systems, Computer Engineering and Electrical Engineering.
Speakers
Michael F. Angelo
CRISC, CISSP
Michael is well known in the security community with his work designing, developing, implementing and deploying security products and architectures for multi-national corporate environments. His work includes participating, driving, and creating security standards, working on corporate policies, national and international legislation, multi-national regulatory issues, and participation in numerous international and national advisory councils. He has been a featured speaker at numerous national and international security conferences including RSA, ISSA, and InfoSec. He has also participated on the RSA national program committee. Currently, he chairs the ISSA International Webinar Committee and is a technology contributor to the U.S. Department of Commerce Information Systems Technical Advisory Council. Michael currently holds 53 U.S. patents, is a former Sigma-Xi distinguished lecturer and is the recipient of the Trusted Computing Platform Alliance (TCPA) lifetime achievement award. In 2011 he was recognized by ISSA as the Security Professional of the Year and in 2013 he was named to the ISSA Hall of Fame.
Jonathan Knudsen
Cybersecurity Engineer, Synopsys
At Synopsys, Jonathan enjoys breaking software and teaching how to make software better. Jonathan is the author of books about 2D graphics, cryptography, mobile application development, Lego robots, and pregnancy. He lives in Raleigh, North Carolina.
Derek E. Weeks
VP and Rugged DevOps Advocate, Sonatype
In 2015, Derek led the largest and most comprehensive analysis of software supply chain practices to date across 106,000 development organizations. His research detailed the consumption of billions of open source and third-party software components while also shedding new light on the scale of known vulnerable software being ingested by development organizations worldwide. Derek is a huge advocate of applying proven supply chain management principles into development and application security practices to improve efficiencies, reduce security risks, and sustain long-lasting competitive advantages. He currently serves as vice president and Rugged DevOps advocate at Sonatype. Derek is a distinguished international speaker, having delivered his research at AppSec USA, InfoSec Europe, LASCON, HP Protect, Air Force Cyber Security Forum, and numerous OWASP meet-ups.
Henrik Plate
Senior Security Researcher, SAP SE
Henrik Plate works as a Senior Researcher in the Product Security Research group within SAP since 2007. During this time, he was coordinator and scientific lead of the European FP7 research project PoSecCo, built up an SAP-wide security training for application developers and performed security assessments of SAP applications. Currently, he researches new approaches and tooling for ensuring a secure consumption of third party components in the software supply chain. Before joining the SAP research group, Plate held different positions as a software engineer, and studied computer science and business administration at the University of Mannheim. He holds a diploma from the University of Mannheim and is a CISSP.
