In this episode, Matt explains why organizations need to strengthen their software supply chain security efforts immediately, given the increase in both the speed and complexity of development environments. 

Learn More

- See post: 6 reasons app sec teams should shift gears and go beyond vulnerabilities
- ReversingGlass: The DNA of Software Supply Chain Security
- Report: The Software Supply Chain Risk Report

Episode Transcript

MATT ROSE: Hi everyone. Welcome back to another episode of ReversingGlass. I'm Matt Rose, Field CISO at ReversingLabs. Today's episode is Why The Time Is NOW. What does that mean? Why the time is now for software supply chain security programs to up their game. And I just wanted to have a conversation about this.

This is more opinion based on a little bit of fact. But let's start with a little bit of data. 87%, which is a pretty big number, know that software tampering, when I say know, I'm talking about companies, know software tampering can compromise their applications. And 37%, which is a big difference, can actually detect software tampering.

These are statistics coming off of a dimensional data survey that ReversingLabs sponsored with over 300 participants, but just look at that opportunity: 87% of acknowledging "yes, there is an issue," 37% are like "hey, we got the issue covered." That's a gap of roughly, not exactly, 50%. So, why is this a problem?

Why is the time for software security programs or software supply chain security programs to be upping their game? The first thing is, we're a victim of our own success. Software development, application development, the speed has increased dramatically with DevOps programs.

You're potentially releasing software 100, 200, whatever the number is times a day, that's opportunity for many different things happening, making sure you checked all the boxes, did all the right things. The second piece is complexity. We have a lot of different things happening when we develop software and applications and large groups of people are doing this probably in silos.

If you're talking cloud native development where everybody is focused on their little piece of the puzzle, assuming everybody else is doing the same thing or doing the correct things. So there's opportunity with software supply chain attacks because of speed and complexity. Talking about these numbers too, this, if I'm a, you know, nefarious dude, as I like to say, I'm going to look at this data and say, "Hey, a lot of people know this is a problem, but hey, that, the train has not left the station yet. We still have opportunity." And instead of going down the process of hacking or trying to get information from a ton of different people. You're basically putting together: This is the social security number D.O.B, address, all this type of stuff to create a let's just say full profile of this person, PII data. Well, instead this opportunity for the software itself that all these people are using whether it's you know, a company using it to monitor their networks or transfer data or an individual looking to purchase something online or online banking, an insurance app, a mobile app, the process in the kind of attack surface is still evolving here.

There's still opportunity, so instead of going through each of these individuals, I only did three, maybe there's 300, 3000 to get something that is beneficial. By attacking the software itself, that's distributed to all these users, and I think, as people have seen, SolarWinds, for example, was delivered to, the update of that compromised piece of software was delivered to 18,000 people.

The process to develop and create software and applications is complicated. We're doing it faster than ever. We're doing it in more complex ways. Applications and software evolve over time. And one of the misnomers in the industry is, Hey, it's a new piece of software that started from scratch. It started from zero.

Always start in the beginning. Always start in the left. Software evolves. It exists and it gets updated, changed, new features, new components, new technologies added at speed and scale, which is very complicated to totally understand to keep people happy. When I say people, your customers, product management, your executives.

So why the time is now? Software is more complex. Things are happening and there is an opening, a gap. The door, as we like to say, is open for software supply chain risk. Hope you enjoyed the episode. Have a great day. Appreciate you taking the time to watch this video. Take care, everyone.