Supply Chain Security Summit

Supply Chain Security and Third-Party Risk Conference

March 20, 2024


The recent surge in high-profile software supply chain attacks has exposed a soft underbelly of modern computing and prompted a major global response to address security defects and third-party risk management.

Join us as we explore the critical nature of software and vendor supply chain security issues with a focus on understanding how attacks against identity infrastructure come with major cascading effects.

Gold Sponsors

eclypsium

ReversingLabs

Binarly


March 20, 2024 11:00

Verify Trust in Commercial Software

As organizations increase their reliance on third parties, CISOs become responsible for securing an exponentially expanding digital footprint. As this web of interconnectivity and outsourced services grows, new attack vectors are introduced. That is particularly true for software vendors who rely on third-party and open-source components, which are increasingly exploited by malicious actors. During this session, we will outline key actions that enterprises can take to gain visibility and control over commercial software and the supply chains they rely on to operate their business.


Charlie Jones
ReversingLabs, Director, Product Management

March 20, 2024 11:30

NIST CSF 2.0 - A Playbook for Supply Chain Security

Many organizations look to NIST for direction when setting their cybersecurity strategy. The new version of the Cybersecurity Framework (CSF 2.0) has recently been released and provides best practices to help navigate the evolving threat landscape. This session will discuss the new Govern function added to the framework and the prominent role that supply chain security will play. Key Topics:

>> Timeline of US government activity: NIST SP 800-161 and SP 800-53

>> US government guidance on BMCs and UEFI

>> Learn about the CSF updates and how they can be used to communicate the importance of reducing risk in supply chain security.


Paul Asadoorian
Eclypsium, Principal Security Evangelist

March 20, 2024 12:00

Decoding the Puzzle: Navigating Through Modern Software's Supply Chain Complexity

Given the rapid increase in software complexity and the rising number of vulnerabilities, current security tools are struggling to keep up with the magnitude of the problem. Even worse, the dramatic surge in adoption of AI and co-pilots will create a new generation of software developers writing code faster than ever before, even though they may not fully understand the inner workings of the technologies. As developers become less technical than previous generations, we are sure to see AI-generated software development processes with increased numbers of security problems. This means we must take a radical shift-left approach, with deeper code analysis and contextualization of the results, to keep pace with the scale of the software supply chain security problem. Security teams deal with overwhelming numbers of alerts from static analysis tools that produce 80% false positives by detecting non-exploitable issues, draining time and money by hunting ghosts. As an industry, we need to rethink how to deal with the current scale of the software supply chain problem. In this talk, Binarly chief executive officer Alex Matrosov will shed light on multiple incidents the company has worked on, including problems in Intel/AMD/Qualcomm reference code, Baseboard Management Controllers (BMCs), and vulnerabilities related to third-party components (think LogoFAIL).


Alex Matrosov
Binarly, CEO & Founder

March 20, 2024 12:30

BREAK

Please visit our sponsors in the Exhibit Hall. They're standing by to engage with you now and answer any questions you may have.

March 20, 2024 12:45

Fireside Chat: Abhishek Arya, Head of Google's Open Source Security Team

In this exclusive fireside chat, SecurityWeek editor-at-large Ryan Naraine interviews Abhishek Arya, Director of Engineering on Google’s open source and supply chain security teams. Expect a frank discussion of the value of fuzzing in security and the development of OSS-Fuzz, a project initiated at Google to enhance software security through automated testing.

The conversation is expected to explore scenarios where fuzzing is most effective, its current limitations, and future research directions in the field. It will also cover the evolving landscape of software supply chain security, highlighting key advancements, challenges, and research priorities, and touch on the industry's potential overemphasis in certain areas and the commercial opportunities within the sector. The role of global government regulations and the shifting landscape of software liability will also be discussed, along with strategies for organizations to measure the effectiveness of their software supply chain security efforts.


Abhishek Arya
Google Open Source and Supply Chain Security Team, Director of Engineering

March 20, 2024 13:15

OSS Supply Chain: Challenges & How the Open Source Community Can Help

In this presentation, David A. Wheeler, Director of Open Source Supply Chain Security at The Linux Foundation, will explore various types of supply chain attacks on open source software and present some countermeasures. The discussion will include an overview of the Open Source Security Foundation (OpenSSF) and how developers and security engineers are working together to secure open source software for the greater public good. Attendees will also learn about key projects and working groups under OpenSSF that are tackling these security challenges.


Dr. David A. Wheeler
The Linux Foundation, Director of Open Source Supply Chain Security

March 20, 2024 13:45

BREAK

Please visit our sponsors in the Exhibit Hall. They're standing by to engage with you now and answer any questions you may have.

March 20, 2024 14:00

Binarly Demo: The Binarly Transparency Platform for Software Supply Chain Security

Source code analysis tools lack context, leading to massive numbers of false positives. This creates alert fatigue, contributes to vulnerability blind spots, and makes these tools impossible to rely on effectively at scale. With Binarly, transparency is created across the software supply chain by examining the binary file, not the source code, at each step of the build and deploy lifecycle. Firmware developers gain visibility into the actual binary file, validating exactly what is being shipped to customers, while product security teams can detect the presence of known and, more importantly, unknown vulnerabilities hiding in the firmware modules, cryptographic materials, and statically linked dependencies within the packages they are receiving. In addition to near-zero false positives, remediation teams are also aided with AI-assisted playbooks for quick vulnerability resolution.

March 20, 2024 14:05

ReversingLabs Demo: Spectra Assure for Software Supply Chain Security

Software represents the largest under-addressed attack surface in the world, and classic AppSec tools cannot address the full scope of threats impacting the software supply chain. ReversingLabs Spectra Assure rapidly deconstructs large, complex software packages and detects threats and exposures that lead to sophisticated, widespread, and costly attacks. Have more trust in software before it is released, acquired, deployed, or updated by empowering software producers and buyers to eliminate coverage gaps, prioritize alerts, enforce custom policies, streamline remediation, and validate build integrity.

March 20, 2024 14:25

Eclypsium Demo: Protecting Beyond the OS – The Hardware and Firmware Integrity Journey

Hardware and firmware integrity is often the most ignored component of Zero Trust and a trusted supply chain. This session looks at why attackers are targeting areas outside the OS, how to ensure your IT hardware doesn't harbor any hidden threats, and how you can integrate hardware and firmware integrity checks into your existing controls.

March 20, 2024 15:00

Networking & Virtual Expo

Please visit our sponsors in the Exhibit Hall. View resources and chat with their experts. They're standing by to answer your questions!

Solutions Theater (On-demand)

[ON-DEMAND] ReversingLabs Demo: Spectra Assure for Software Supply Chain Security

[ON-DEMAND] Eclypsium Demo: Protecting Beyond the OS – The Hardware and Firmware Integrity Journey

[ON-DEMAND] Binarly Demo: The Binarly Transparency Platform for Software Supply Chain Security

This virtual event will provide an overview of current trends and challenges in securing open-source software, the hard-to-mitigate risks associated with software dependencies, and how identities (people, services and devices) have become the new perimeter, demanding new defensive approaches.

Hear from CISOs and corporate defenders on assessing and managing third-party vendor risks, mitigating exposure from service providers, and best practices for due diligence and continuous monitoring.

Discussion topics will include:

  • Identity as the new security perimeter and the risk of cascading supply chain problems.
  • Best practices for evaluating third-party vendors, and tools and techniques for continuous monitoring.
  • Innovations in identity verification and authentication.
  • Compliance and legal considerations.
  • Case studies and real-world discussions of managing supply chain and third-party risks.
  • Crisis management and response during major incidents.
  • Future trends and predictions.

Event Details

  • Start Date: March 20, 2024 11:00 am EST
  • End Date: March 20, 2024 4:00 pm EST