In the span of just a few years, software supply chain security has evolved from being a niche security topic to a top priority for development organizations, security practitioners and CISOs alike. That shift is evident when you take a peek at the schedule for this year’s RSA Conference in San Francisco, where talks related to software supply chain cyber risk abound.
In an effort to help you plan your schedule for the conference, the RL Blog team gathered a list of the eight software supply chain security sessions that shouldn’t be missed at RSA Conference 2024.
[ See also: What’s hot at RSAC 2024: 7 must-see talks for security operations teams | Join RL @ RSAC 2024: Schedule a meeting with the team to learn more ]
Cybersecurity’s Next Legal and Policy Frontier: Software Liability
Monday, May 6, 2024, 8:30-9:20am
In the past three years, the White House has issued a string of Executive Orders to shore up the cybersecurity of software used by federal agencies. Less clear is what software vendors should do to meet the new federal guidelines. In this panel discussion, moderator James Dempsey, Senior Policy Advisor for Stanford’s Geopolitics, Technology, and Governance Program will speak with Nick Leiserson, Asst. National Cyber Director at the White House, Bruce Schneier, Security Technologist at the Harvard Kennedy School, and Chinmayi Sharma, Associate Professor at Fordham Law School, about how the federal government can best establish standards for secure software development.
AI, the Software Supply Chain, and Other (Not So) Puzzling Pieces
Monday, May 6, 2024, 2:20-3:10pm
Not only have software supply chain attacks been increasing, they’ve also been evolving. Cybercriminals are using new strategies in-the-wild each year. In order for developers and security teams to best meet this challenge, Jacob DePriest, VP and Deputy Chief Security Officer at GitHub, believes we must evolve too. In this talk, DePriest will make the argument that coding assistants and other artificial intelligence (AI) technology, such as ChatGPT or Copilot, have the potential to better secure organizations from worsening software supply chain threats.
Teaching Software Engineers to Threat Model: We Did It, and So Can You
Tuesday, May 7, 2024, 8:30-9:20am
Threat modeling can be a powerful tool, and has been traditionally used by Security Operations (SecOps) teams to better understand the threats posed by malware. But threat modeling can be applied in other security scenarios too, such as software development. Jamie Dicken, Director of Security Assurance at New Relic, shares a case study in this RSAC talk where dozens of software engineering teams learned how to threat model, allowing them to take greater ownership of their product’s security. Those who attend this session will get a look at the framework used in the case study, in addition to guidance on how to make threat modeling a reality for software development.
The Cost of Innovation: Complexities of Software Regulation
Tuesday, May 7, 2024, 8:30-9:20am
In this panel session, moderated by Ari Schwartz, Managing Director for Cybersecurity Services at Venable, a collection of cybersecurity leaders from the public and private sectors will discuss the evolving changes in government policies and regulation happening in the U.S., Europe, and around the rest of the world in regards to software supply chain security. Mickey Bresman, CEO of Semperis, Sam Curry, CISO of Zscaler, and Nick Leiserson will discuss how new policy items – such as mandated SBOM generation and material disclosure – are impacting both the public and private sectors in the short and long term.
Hackers vs. Devs - Attacking Dev Tools and Infrastructure
Tuesday, May 7, 2024, 1:15-2:05pm
Over the past few years, ReversingLabs’ Threat Research team has been hard at work discovering incidents in which cybercriminals exploit common developer tools, such as open source repositories, tools in GitHub, and more. Threats to these platforms have increased by almost 1300% in the past three years, in addition to attackers becoming more skilled and stealthy in how they carry out attacks. In this session, Mitiga Chief Technology Officer Ofer Maor gives insight into how these attacks have been happening, as well as how development and AppSec teams can become more resilient to them.
Reducing Toil in Your AppSec Program
Tuesday, May 7, 2024, 2:25-3:15pm
“Toil” can be defined by Merriam-Webster as “long strenuous fatiguing labor,” and it’s safe to say that many AppSec teams see themselves as “toiling” to secure porous software applications. Considering the growing number of threats to software supply chains, AppSec teams have a lot to balance – and cannot afford to spend their labor inefficiently. Join this talk, presented by Akira Brand, Application Security Engineer at Akira Brand Consulting, and Jennifer Czaplewski, Senior Director of Cybersecurity at Target to learn strategies for how AppSec teams can reduce this toil based on real-world scenarios.
SBOMs for Evil: From Software Supply Chain Documentation to an Attack Path
Wednesday, May 8, 2024, 8:30-9:20am
In this talk, Larry Pesce, Product Security Researcher and Analysis Director at Finite State explains why all kinds of organizations that are weary of cybercriminals and nation-state adversaries should incorporate software bills of materials (SBOMs) to their testing toolbox. An SBOM serves as an ingredients list for all kinds of components residing within a software application, in addition to verifications like digital signatures. SBOMs are an essential first step in supporting software supply chain security, but it’s also imperative that organizations that use them ensure that their data is protected. Attendees of this session will learn how SBOMs can provide benefits to security teams, as well as challenges (like SBOMs winding up in the wrong hands).
Secure and Privacy by Design Converge with Threat Modeling
Wednesday, May 8, 2024, 2:25-3:15pm
In the age of software supply chain attacks, the goal to make software resilient against threats has never been clearer. And in addition to this concern for making modern software products secure, organizations are also rightfully concerned for their personal information and privacy. This session by Chris Romeo, CEO of Devici and AppSec expert, addresses how these two priorities can both be supported when using threat modeling at a practical scale. In this talk, attendees will learn how to make a successful threat modeling program for their AppSec teams that will also keep their organization’s privacy safe.
Join ReversingLabs on the expo floor at Booth #4528, where the team will be ready to chat — and answer any questions you might have. Here are the team's presentations happening live at RL's booth:
Monday, May 6
- 6:00 pm: RL Spectra Overview
Tuesday, May 7
- 10:45 am: XZ & Log4j: The SBOM Won’t Save You
- 2:00 pm: RL Book Club - Software Supply Chain Security by Cassie Crossley
- 3:45 pm: Breaking the Black Box of Commercial Software
Wednesday, May 8
- 12:45 pm: Somebody Cooked Here: Tampering in Commercial Software
- 4:00 pm: Trust Secured: Conquer Software-Based Threats in the CI/CD Pipeline
Thursday, May 9
- 10:45 am: Make Software, Not Malware: A Guide for Software Producers
