Spectra Assure Free Trial
Get your 14-day free trial of Spectra Assure for Software Supply Chain Security
Get Free TrialMore about Spectra Assure Free TrialWhy the Time Is Now for SSCS
In this episode, Matt explains why organizations need to strengthen their software supply chain security efforts immediately, given the increase in both the speed and complexity of development environments.
Learn More
- See post: 6 reasons app sec teams should shift gears and go beyond vulnerabilities
- ReversingGlass: The DNA of Software Supply Chain Security
- Report: The Software Supply Chain Risk Report
Episode Transcript
MATT ROSE: Hi everyone. Welcome back to another episode of ReversingGlass. I'm Matt Rose, Field CISO at ReversingLabs. Today's episode is Why The Time Is NOW. What does that mean? Why the time is now for software supply chain security programs to up their game. And I just wanted to have a conversation about this.
This is more opinion based on a little bit of fact. But let's start with a little bit of data. 87%, which is a pretty big number, know that software tampering, when I say know, I'm talking about companies, know software tampering can compromise their applications. And 37%, which is a big difference, can actually detect software tampering.
These are statistics coming off of a dimensional data survey that ReversingLabs sponsored with over 300 participants, but just look at that opportunity: 87% of acknowledging "yes, there is an issue," 37% are like "hey, we got the issue covered." That's a gap of roughly, not exactly, 50%. So, why is this a problem?
Why is the time for software security programs or software supply chain security programs to be upping their game? The first thing is, we're a victim of our own success. Software development, application development, the speed has increased dramatically with DevOps programs.
You're potentially releasing software 100, 200, whatever the number is times a day, that's opportunity for many different things happening, making sure you checked all the boxes, did all the right things. The second piece is complexity. We have a lot of different things happening when we develop software and applications and large groups of people are doing this probably in silos.
If you're talking cloud native development where everybody is focused on their little piece of the puzzle, assuming everybody else is doing the same thing or doing the correct things. So there's opportunity with software supply chain attacks because of speed and complexity. Talking about these numbers too, this, if I'm a, you know, nefarious dude, as I like to say, I'm going to look at this data and say, "Hey, a lot of people know this is a problem, but hey, that, the train has not left the station yet. We still have opportunity." And instead of going down the process of hacking or trying to get information from a ton of different people. You're basically putting together: This is the social security number D.O.B, address, all this type of stuff to create a let's just say full profile of this person, PII data. Well, instead this opportunity for the software itself that all these people are using whether it's you know, a company using it to monitor their networks or transfer data or an individual looking to purchase something online or online banking, an insurance app, a mobile app, the process in the kind of attack surface is still evolving here.
Field CISO at ReversingLabs. Matt Rose has an extensive background in application security, object-oriented programming, multi-tier architecture design and implementation, and internet/intranet development. His areas of expertise include Application Security, SAST, DAST, IAST, SCA, DevSecOps, and Threat Modeling. Matt is an accomplished public speaker and has been quoted in 50+ AST industry media publications.
