Software supply chain security is not a game. Or is it?
Jasmine Noel from ReversingLabs changed things up a bit at the RSA Conference with her "Software supply chain security is not a game. Or is it?" presentation, making it an interactive experience for attendees. Her game-show format made it fun, but it also covered key insights into the state of software supply chain security drawn from ReversingLabs' recent survey of 300 global IT and security professionals.
Here are some of the questions posed to the audience, drawn from that survey.
Question 1: What is the software supply chain risk that software vendors are most concerned about today?
The answer: software vulnerabilities. Noel pointed out that this result makes sense given the impact of Log4j, which made the industry more aware of the risks associated with software vulnerabilities. Moving on, she asked participants what percentage of organizations can actually detect software tampering, another major supply chain risk.
One audience member guessed correctly: only 37% of software vendors can actually detect tampering. Pressing further on tampering, Noel asked a follow-up: of the organizations that do check for tampering, how many check after the build process is finished? Participants, unable to answer correctly, were surprised to learn that about half of these organizations do not check after the build.
Question 2: What are the main reasons organizations use SBOMs?
Moving on from direct supply chain risks, Noel discussed the importance of software bills of materials (SBOMs) in the fight to secure software. She again drew on our survey findings to test participants' knowledge of the state of SBOMs. First, she asked the audience for the top reasons organizations use SBOMs.
Participants guessed correctly: wanting to find out whether risks are present in a software product, and wanting to follow best practices.
Question 3: Why are many organizations still not generating and reviewing SBOMs?
Next, Noel asked participants why many organizations still do not generate and review SBOMs, despite all the attention given to them by the federal government and beyond.
The answer: a general lack of internal expertise and personnel to do the job properly.
Question 4: Which SBOM components are the most reviewed?
To finish, Noel tested the participants on the most reviewed components of an SBOM. A number of audience members answered correctly: in-house developed components and open source components are the ones most organizations focus on when reviewing an SBOM.
The Real Price: Understanding the Risk of Software Supply Chain Attacks
People who answered Noel's questions were rewarded with prizes, providing a true game-show experience. But is there really any doubt about whether software supply chain security is a game?
Based on the results of these polls, it is definitely not. It is clear that the industry as a whole lacks the ability to secure software and needs modern solutions to address this ever-growing problem. To learn more about the state of software security, check out ReversingLabs' new report on the recent survey.
ReversingLabs offers innovative solutions that meet the needs of the software industry. If you want to learn more about how we help organizations with their software assurance strategies, check out secure.software, our modern solution for addressing software supply chain risk. We are now offering early access ahead of the full launch of this solution, so be sure to talk to us to learn about the benefits it could bring to your organization.
*** This is a Security Bloggers Network syndicated blog from the ReversingLabs blog written by Carolynn van Arsdale. Read the original post at: https://blog.reversinglabs.com/blog/software-supply-chain-security-is-no-game.-or-is-it