In this episode of ReversingGlass, Matt makes the essential point that trust in your software supply chain is all or nothing. He explains that trusting anything less than 100% of the components in your software package will set your organization up for major risk. This is why trust in software supply chains needs to be complete, so that the risk of a software supply chain attack to your organization can be minimized.
Learn More
-ReversingGlass: Trust and Software Supply Chain Security
-Blog: Do you trust your software? Why verification matters
-Report: Tools gap leaves orgs exposed to supply chain attacks
Episode Transcript
MATT ROSE: Hi, everyone. Welcome back to another episode of ReversingGlass. I'm Matt Rose, Field CISO at ReversingLabs. Today's episode is Trust Must Be Complete. Previous episode was talking about trust and do you trust your software supply chain, do you trust your applications. But in order to trust something, it has to be complete.
It has to encompass everything. As an example let's do a little silly example here about trust. This is my house. Not my house, but representation of my house here. So if I want to trust that my house is secure, my possessions, let's say you have fancy paintings or art or exotic animals or baseball cards or whatever, you want to trust that it is secure. And you trust that the security on your front door is effective.
You trust that this window has all sorts of sensors and lasers, sharks with lasers, if you will. All the upper windows are trust. But hey, you don't really know about this window. This window, I don't really trust that one. It's been buggy. It doesn't really work. So can you say you trust the security system on your house if you only trust the door and the windows over this side, but this window, you're not really trusting it?
Think about that as you go down the path of trusting your software supply chain, trusting the security of your applications or your software or your emails or the files that you do business with. To expand on that thought, let's create my happy birthday present here, the package, the piece of software, and as it's all separated out, we have different components of this package.
We have the open source, we have the first party code, we have dependencies, and then binary repositories. All these things are combined together during your CI/CD process. A lot of times people talk about software supply chain security in the terms of just the open source and it's a big deal.
Field CISO at ReversingLabs. Matt Rose has an extensive background in application security, object-oriented programming, multi-tier architecture design and implementation, and internet/intranet development. His areas of expertise include Application Security, SAST, DAST, IAST, SCA, DevSecOps, and Threat Modeling. Matt is an accomplished public speaker and has been quoted in 50+ AST industry media publications.



