
RL Blog


What’s hot at RSAC 2024: 8 SSCS talks you don’t want to miss

Software supply chain security (SSCS) remains one of the most popular talk tracks at RSA Conference. Here are the sessions that look most interesting. 

Carolynn van Arsdale, Writer, ReversingLabs.

In the span of just a few years, software supply chain security has evolved from being a niche security topic to a top priority for development organizations, security practitioners and CISOs alike. That shift is evident when you take a peek at the schedule for this year’s RSA Conference in San Francisco, where talks related to software supply chain cyber risk abound.

In an effort to help you plan your schedule for the conference, the RL Blog team gathered a list of the eight software supply chain security sessions that shouldn’t be missed at RSA Conference 2024. 

[ See also: What’s hot at RSAC 2024: 7 must-see talks for security operations teams | Join RL @ RSAC 2024: Schedule a meeting with the team to learn more ]

Cybersecurity’s Next Legal and Policy Frontier: Software Liability

Monday, May 6, 2024, 8:30-9:20am

In the past three years, the White House has issued a string of Executive Orders to shore up the cybersecurity of software used by federal agencies. Less clear is what software vendors should do to meet the new federal guidelines. In this panel discussion, moderator James Dempsey, Senior Policy Advisor for Stanford’s Geopolitics, Technology, and Governance Program, will speak with Nick Leiserson, Asst. National Cyber Director at the White House, Bruce Schneier, Security Technologist at the Harvard Kennedy School, and Chinmayi Sharma, Associate Professor at Fordham Law School, about how the federal government can best establish standards for secure software development.

AI, the Software Supply Chain, and Other (Not So) Puzzling Pieces

Monday, May 6, 2024, 2:20-3:10pm

Not only have software supply chain attacks been increasing, they’ve also been evolving, with cybercriminals using new strategies in the wild each year. In order for developers and security teams to best meet this challenge, Jacob DePriest, VP and Deputy Chief Security Officer at GitHub, believes we must evolve too. In this talk, DePriest will make the argument that coding assistants and other artificial intelligence (AI) technology, such as ChatGPT or Copilot, have the potential to better secure organizations from worsening software supply chain threats.

Teaching Software Engineers to Threat Model: We Did It, and So Can You

Tuesday, May 7, 2024, 8:30-9:20am

Threat modeling can be a powerful tool, and has traditionally been used by Security Operations (SecOps) teams to better understand the threats posed by malware. But threat modeling can be applied in other security scenarios too, such as software development. Jamie Dicken, Director of Security Assurance at New Relic, shares a case study in this RSAC talk in which dozens of software engineering teams learned how to threat model, allowing them to take greater ownership of their products’ security. Those who attend this session will get a look at the framework used in the case study, in addition to guidance on how to make threat modeling a reality for software development.

The Cost of Innovation: Complexities of Software Regulation

Tuesday, May 7, 2024, 8:30-9:20am

In this panel session, moderated by Ari Schwartz, Managing Director for Cybersecurity Services at Venable, a collection of cybersecurity leaders from the public and private sectors will discuss the evolving government policies and regulations on software supply chain security in the U.S., Europe, and the rest of the world. Mickey Bresman, CEO of Semperis, Sam Curry, CISO of Zscaler, and Nick Leiserson will discuss how new policy items – such as mandated SBOM generation and material disclosure – are affecting both the public and private sectors in the short and long term.

Hackers vs. Devs - Attacking Dev Tools and Infrastructure

Tuesday, May 7, 2024, 1:15-2:05pm

Over the past few years, ReversingLabs’ Threat Research team has been hard at work discovering incidents in which cybercriminals exploit common developer tools, such as open source repositories, tools in GitHub, and more. Threats to these platforms have increased by almost 1300% in the past three years, and attackers have become more skilled and stealthy in how they carry out attacks. In this session, Mitiga Chief Technology Officer Ofer Maor gives insight into how these attacks have been happening, as well as how development and AppSec teams can become more resilient to them.

Reducing Toil in Your AppSec Program

Tuesday, May 7, 2024, 2:25-3:15pm

Merriam-Webster defines “toil” as “long strenuous fatiguing labor,” and it’s safe to say that many AppSec teams see themselves as “toiling” to secure porous software applications. Considering the growing number of threats to software supply chains, AppSec teams have a lot to balance – and cannot afford to spend their labor inefficiently. Join this talk, presented by Akira Brand, Application Security Engineer at Akira Brand Consulting, and Jennifer Czaplewski, Senior Director of Cybersecurity at Target, to learn strategies for how AppSec teams can reduce this toil, based on real-world scenarios.

SBOMs for Evil: From Software Supply Chain Documentation to an Attack Path

Wednesday, May 8, 2024, 8:30-9:20am

In this talk, Larry Pesce, Product Security Researcher and Analysis Director at Finite State, explains why organizations of all kinds that are wary of cybercriminals and nation-state adversaries should add software bills of materials (SBOMs) to their testing toolbox. An SBOM serves as an ingredients list for all kinds of components residing within a software application, in addition to verifications like digital signatures. SBOMs are an essential first step in supporting software supply chain security, but it’s also imperative that organizations that use them ensure that their SBOM data is protected. Attendees of this session will learn how SBOMs can benefit security teams, as well as the challenges they bring (like SBOMs winding up in the wrong hands).

Secure and Privacy by Design Converge with Threat Modeling

Wednesday, May 8, 2024, 2:25-3:15pm

In the age of software supply chain attacks, the goal of making software resilient against threats has never been clearer. In addition to this concern for making modern software products secure, organizations are also rightfully concerned about their personal information and privacy. This session by Chris Romeo, CEO of Devici and AppSec expert, addresses how these two priorities can both be supported when using threat modeling at a practical scale. In this talk, attendees will learn how to build a successful threat modeling program for their AppSec teams that will also keep their organization’s privacy safe.

Join ReversingLabs on the expo floor at Booth #4528, where the team will be ready to chat — and answer any questions you might have. Here are the team's presentations happening live at RL's booth:

Monday, May 6

  • 6:00 pm: RL Spectra Overview

Tuesday, May 7

  • 10:45 am: XZ & Log4j: The SBOM Won’t Save You
  • 2:00 pm: RL Book Club - Software Supply Chain Security by Cassie Crossley
  • 3:45 pm: Breaking the Black Box of Commercial Software

Wednesday, May 8

  • 12:45 pm: Somebody Cooked Here: Tampering in Commercial Software
  • 4:00 pm: Trust Secured: Conquer Software-Based Threats in the CI/CD Pipeline

Thursday, May 9

  • 10:45 am: Make Software, Not Malware: A Guide for Software Producers

Keep learning

Explore RL's Spectra suite: Spectra Assure for software supply chain security, Spectra Detect for scalable file analysis, Spectra Analyze for malware analysis and threat hunting, and Spectra Intelligence for reputation data and intelligence.
