Trust and Software Supply Chain Security

July 20, 2023

In this episode of ReversingGlass, Matt explains how trust is foundational to software supply chain security. Software producers and consumers alike need to continually question whether or not the software they are making or buying is trustworthy. 

Keep learning

- Blog: Do you trust your software? Why verification matters
- Report: The State of Supply Chain Security
- Report: Why Traditional App Sec Testing Fails on Supply Chain Security

Episode Transcript

MATT ROSE: Hi everyone, welcome back to another episode of ReversingGlass. I'm Matt Rose, Field CISO at ReversingLabs. Today's episode is Trust and Software Supply Chain Security. The foundational aspect of software supply chain security, in my opinion, is trust. How do you trust all aspects of software supply chain security?

But before we dig into some details, I always like to give the analogy, and maybe a movie quote or two, you know how I work. The reference today is the 2006 film, The Departed, great gangster film, loosely based on Whitey Bulger, if you're a Boston guy or you know the story, great movie. But if I see this movie poster, I have to hear the song because the song is everything.

Well, that's enough of that. If you don't know the song, it's associated with the movie: Dropkick Murphys, "Shipping Up to Boston." I'm a Boston guy, so we had to put that in there. But where am I going with this trust? There, Frank Costello was the main mobster character, and his quote in this movie was, "You just can't trust a guy who acts like he's got nothing to lose." Sound familiar? We're in cybersecurity. What do we have to lose? Well, it's the hackers that have nothing to lose. They are constantly trying to leverage your applications, your software, and how do you trust them if there's that constant onslaught of manipulation, of social engineering, and so on and so forth?

So, in order for you to trust your applications, your software, you need to have trust of a few different things, and how do you get that? You need to be able to trust your software. That's the first step. You need to actually trust your software release. You need to trust your files, your email, and your downloads.

These are the things you need to trust. This is just the beginning stage of software supply chain security, but you need to trust these things to ensure that you have a secure software supply chain program. The software itself, whether you're developing that yourself or it's a third party, and your new release of your software: is it still trustworthy?

Has something changed? Because if you've got nothing to lose, just throw it out there. But a lot of people have a reputation and financial obligation to ensure that you are trusting your software release. The files that you use on a day-to-day basis: is there a compromise of the files themselves? Emails: are the emails in question carrying ransomware-type issues? Or even the downloads of an open source package, or the download of a piece of software that you're going to use?

So, in order to trust your different areas, these things, you need to basically focus on doing the correct things and having a capability to analyze these specific areas. And there's a bunch more, but a great starting point is to ask yourself: do I trust my software? Do I trust my software application releases? Do I trust the files I use to operate my business? Do I trust the email that I use to communicate? Are there attachments of ransomware? Do I trust downloads? So, without trust, you don't have secure software development or a secure software supply chain. I'm Matt Rose. Hope you enjoyed the episode. Stay safe out there, everybody.

About Author: Matt Rose

Field CISO at ReversingLabs. Matt Rose has an extensive background in application security, object-oriented programming, multi-tier architecture design and implementation, and internet/intranet development. His areas of expertise include Application Security, SAST, DAST, IAST, SCA, DevSecOps, and Threat Modeling. Matt is an accomplished public speaker and has been quoted in 50+ AST industry media publications.
