In this episode of ReversingGlass, Matt explains how trust is foundational to software security. Software producers and consumers alike need to continually question whether or not the software they are making or buying is trustworthy.
Keep learning
- Blog: Do you trust your software? Why verification matters
- Report: The State of Supply Chain Security
- Report: Why Traditional App Sec Testing Fails on Supply Chain Security
Episode Transcript
MATT ROSE: Hi everyone, welcome back to another episode of ReversingGlass. I'm Matt Rose, Field CISO at ReversingLabs. Today's episode is Trust and Software Supply Chain Security. The foundational aspect of software supply chain security, in my opinion, is trust. How do you trust all aspects of software supply chain security?
But before we dig into some details, I always like to give an analogy, and maybe a movie quote or two, you know how I work. The reference today is the 2006 film The Departed, a great gangster film loosely based on Whitey Bulger, if you're a Boston guy or you know the story. Great movie. But if I see this movie poster, I have to hear the song, because the song is everything.
Well, that's enough of that. If you don't know the song, it's the one associated with the movie: Dropkick Murphys, "Shipping Up to Boston." I'm a Boston guy, so we had to put that in there. But where am I going with this trust? There, Frank Costello was the main mobster character, and his quote in this movie was, "You just can't trust a guy who acts like he's got nothing to lose." Sound familiar? We're in cybersecurity. What do we have to lose? Well, it's the hackers that have nothing to lose. They are constantly trying to leverage your applications, your software, and how do you trust them if there's that constant onslaught of manipulation, of social engineering, and so on and so forth?
So, in order for you to trust your applications, your software, you need to have trust in a few different things, and how do you get that? You need to be able to trust your software. That's the first step. You need to actually trust your software release. You need to trust your files, your email, and your downloads.
These are the things you need to trust. This is just the beginning stage of software supply chain security, but you need to trust these things to ensure that you have a secure software supply chain program. The software itself, whether you're developing it yourself or it's a third party, and your new release of your software: is it still trustworthy?
Field CISO at ReversingLabs. Matt Rose has an extensive background in application security, object-oriented programming, multi-tier architecture design and implementation, and internet/intranet development. His areas of expertise include Application Security, SAST, DAST, IAST, SCA, DevSecOps, and Threat Modeling. Matt is an accomplished public speaker and has been quoted in 50+ AST industry media publications.
