Discovering Disruptions in Tech - with Doron Peri of Scribe Security at Blackhat
Introduction
In a recent enlightening conversation at the Blackhat conference, Howard Holton, host of "Discovering Disruptions in Tech," spoke with Doron Peri, the VP of Product for Scribe Security. The focus was on an increasingly critical subject in the cybersecurity realm: the software supply chain.
Understanding the Software Supply Chain
Doron emphasized that no organization can afford to ignore software supply chain concerns. Major incidents like Log4j, SolarWinds, and malicious SSH infections show the pervasive risks every organization faces. These risks stem not only from software produced within an organization but also from open-source components and third-party tools, so organizations inherit exposure they often do not fully understand.
The software supply chain encompasses several layers, including:
- Open source software,
- Commercial off-the-shelf software,
- Internal software developed by the organization itself.
Each element introduces its own vulnerabilities, necessitating a thorough understanding of the entire lifecycle of software, from creation to deployment.
The Importance of Transparency
One key aspect highlighted by Doron is transparency throughout the software supply chain. With limited visibility into the various components and their interactions, organizations struggle to identify and mitigate risks. Generating Software Bills of Materials (SBOMs) can significantly enhance this transparency, providing a detailed inventory of software components and their dependencies.
Implementing SBOMs aids in the patching process by ensuring that organizations can easily track any vulnerabilities associated with their software. Doron pointed out that effective patching strategies go hand-in-hand with proper SBOM management, creating a clearer picture of risks and dependencies.
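The point above about SBOMs making vulnerabilities easier to track is worth seeing in working code. The example below is added here and is not code from the talk or from Scribe Security: it loads a minimal, constructed SBOM in the CycloneDX JSON shape (real field names `bomFormat`, `components`, `purl`), matches each component's package URL against a constructed advisory feed with placeholder ids (not real CVEs), and reports which installed versions fall inside an affected range together with the version that fixes them. The package names, versions and advisory ids are all made up for the example.

```python
"""Match a CycloneDX-style SBOM against an advisory feed (added example).

The SBOM and the advisory list are constructed test data; the advisory ids
are placeholders, not real vulnerability identifiers.
"""
import json
from typing import Dict, List, Tuple

# Constructed SBOM in CycloneDX JSON form.  One purl carries a qualifier
# ("?arch=...") to show that it must be stripped before matching.
SBOM_JSON = """
{
  "bomFormat": "CycloneDX",
  "specVersion": "1.5",
  "components": [
    {"type": "library", "name": "example-lib", "version": "1.2.0",
     "purl": "pkg:npm/example-lib@1.2.0"},
    {"type": "library", "name": "demo-http", "version": "2.0.0",
     "purl": "pkg:pypi/demo-http@2.0.0?arch=x86_64"},
    {"type": "library", "name": "old-parser", "version": "3.0.1",
     "purl": "pkg:maven/org.example/old-parser@3.0.1"},
    {"type": "library", "name": "demo-json", "version": "1.0.0",
     "purl": "pkg:pypi/demo-json@1.0.0"}
  ]
}
"""

# Constructed advisory feed: affected range is [introduced, fixed).
ADVISORIES: List[Dict[str, str]] = [
    {"id": "ADV-EXAMPLE-0001", "package": "pkg:npm/example-lib",
     "introduced": "1.0.0", "fixed": "1.3.0"},
    {"id": "ADV-EXAMPLE-0002", "package": "pkg:pypi/demo-http",
     "introduced": "0.9.0", "fixed": "2.0.0"},
    {"id": "ADV-EXAMPLE-0003", "package": "pkg:maven/org.example/old-parser",
     "introduced": "3.0.0", "fixed": "3.0.2"},
]


def parse_version(version: str) -> Tuple[int, ...]:
    """Turn a dotted numeric version into a comparable tuple."""
    return tuple(int(part) for part in version.split("."))


def split_purl(purl: str) -> Tuple[str, str]:
    """Split 'pkg:type/ns/name@version?qualifiers#subpath' into (package, version)."""
    base, _, rest = purl.partition("@")
    version = rest.split("?", 1)[0].split("#", 1)[0]
    return base, version


def load_components(sbom_text: str) -> List[Tuple[str, str]]:
    """Return (package, version) pairs for every component with a purl."""
    bom = json.loads(sbom_text)
    if bom.get("bomFormat") != "CycloneDX":
        raise ValueError("unsupported SBOM format")
    components = []
    for comp in bom.get("components", []):
        if "purl" not in comp:
            continue  # without a purl the component cannot be matched precisely
        base, version = split_purl(comp["purl"])
        components.append((base, version or comp.get("version", "")))
    return components


def is_affected(version: str, advisory: Dict[str, str]) -> bool:
    """True when version lies in [introduced, fixed) of the advisory."""
    v = parse_version(version)
    return parse_version(advisory["introduced"]) <= v < parse_version(advisory["fixed"])


def find_affected(sbom_text: str, advisories: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """Cross the SBOM inventory with the advisory feed; one finding per match."""
    by_package: Dict[str, List[Dict[str, str]]] = {}
    for adv in advisories:
        by_package.setdefault(adv["package"], []).append(adv)
    findings = []
    for base, version in load_components(sbom_text):
        for adv in by_package.get(base, []):
            if is_affected(version, adv):
                findings.append({"package": base, "installed": version,
                                 "advisory": adv["id"], "fixed_in": adv["fixed"]})
    return findings


if __name__ == "__main__":
    for finding in find_affected(SBOM_JSON, ADVISORIES):
        print(f"{finding['package']}@{finding['installed']}: "
              f"{finding['advisory']} (upgrade to {finding['fixed_in']})")
```

The component already at its advisory's `fixed` version produces no finding, which is the check that makes the inventory useful for patch tracking: once the SBOM is regenerated after an upgrade, the finding disappears without anyone editing a spreadsheet.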
Streamlining Processes to Enhance Security
Another critical observation was the tension between speed in development and the need for security. Developers often prioritize rapid deployment, which can lead to shortcuts in security measures and code reviews. To address this dilemma, organizations need to strike a balance through automation and robust processes.
Doron suggested that organizations begin their journey toward better supply chain security by:
- Performing Discovery: Understanding existing workflows and mapping out relationships between components will help organizations identify risks.
- Prioritizing Critical Assets: Focus on identifying and securing the most business-critical applications.
- Implementing Controls: Integrate automated tools, such as SBOM generators, into development pipelines to ensure accountability and gather valuable metrics.
Transparency and control extend beyond just software artifacts; they should also encompass the human aspects of development, including access control and identity verification.
The Future of SBOM and Attestation
The conversation also touched upon the emerging concepts of software provenance and attestation, requiring more than just an SBOM. Standards like SLSA (Supply Chain Levels for Software Artifacts) and in-toto are paving the way for organizations to better understand the integrity of their software supply chain, focusing not only on components but also on the processes that produce them.
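To make the difference between an SBOM and provenance concrete, the added example below (not code from the talk, from Scribe Security, or from the SLSA or in-toto projects) builds a constructed in-toto v1 Statement carrying a SLSA provenance v1 predicate and then applies the policy checks a consumer would run on it: the artifact's SHA-256 digest must appear as an attested subject, the builder id must be on an allow-list, and the recorded source URI must match the expected repository. The builder id, build type and source URI are placeholders; verification of the DSSE envelope signature that wraps a real attestation is left out, and these checks are what follows once that signature has been verified.

```python
"""Policy checks on a SLSA v1 provenance statement (added example).

The artifact bytes, builder id, build type and source URI are constructed
placeholders.  Signature verification of the surrounding DSSE envelope is
assumed to have already happened before this code runs.
"""
import hashlib
from typing import Any, Dict, List, Set

STATEMENT_TYPE = "https://in-toto.io/Statement/v1"
PROVENANCE_TYPE = "https://slsa.dev/provenance/v1"

# Constructed inputs to the policy.
ARTIFACT = b"constructed build output bytes"
ARTIFACT_NAME = "app.tar.gz"
TRUSTED_BUILDERS: Set[str] = {"https://builder.example.invalid/ci/v1"}  # placeholder
EXPECTED_SOURCE = "git+https://git.example.invalid/org/app"             # placeholder


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def make_statement(artifact_name: str, artifact: bytes,
                   builder_id: str, source_uri: str) -> Dict[str, Any]:
    """Build a SLSA provenance v1 statement for one artifact (test fixture)."""
    return {
        "_type": STATEMENT_TYPE,
        "subject": [{"name": artifact_name,
                     "digest": {"sha256": sha256_hex(artifact)}}],
        "predicateType": PROVENANCE_TYPE,
        "predicate": {
            "buildDefinition": {
                "buildType": "https://example.invalid/buildtypes/container/v1",
                "externalParameters": {"source": {"uri": source_uri}},
            },
            "runDetails": {"builder": {"id": builder_id}},
        },
    }


def verify_provenance(statement: Dict[str, Any], artifact_name: str, artifact: bytes,
                      trusted_builders: Set[str], expected_source: str) -> List[str]:
    """Return the list of policy failures; an empty list means the artifact passes."""
    failures: List[str] = []
    if statement.get("_type") != STATEMENT_TYPE:
        failures.append("not an in-toto v1 statement")
    if statement.get("predicateType") != PROVENANCE_TYPE:
        failures.append("predicate is not SLSA provenance v1")

    # The artifact we hold must be one of the attested subjects, by digest.
    digest = sha256_hex(artifact)
    subjects = statement.get("subject", [])
    if not any(s.get("name") == artifact_name and
               s.get("digest", {}).get("sha256") == digest for s in subjects):
        failures.append("artifact digest is not an attested subject")

    predicate = statement.get("predicate", {})
    builder_id = predicate.get("runDetails", {}).get("builder", {}).get("id")
    if builder_id not in trusted_builders:
        failures.append(f"untrusted builder: {builder_id!r}")

    source = (predicate.get("buildDefinition", {})
              .get("externalParameters", {}).get("source", {}).get("uri"))
    if source != expected_source:
        failures.append(f"unexpected source: {source!r}")
    return failures


def check(artifact: bytes, builder_id: str, source_uri: str) -> List[str]:
    """Convenience wrapper: attest the artifact, then run the policy on it."""
    statement = make_statement(ARTIFACT_NAME, ARTIFACT, builder_id, source_uri)
    return verify_provenance(statement, ARTIFACT_NAME, artifact,
                             TRUSTED_BUILDERS, EXPECTED_SOURCE)


if __name__ == "__main__":
    print("clean build:", check(ARTIFACT, next(iter(TRUSTED_BUILDERS)), EXPECTED_SOURCE))
    print("tampered artifact:", check(ARTIFACT + b"x", next(iter(TRUSTED_BUILDERS)), EXPECTED_SOURCE))
    print("unknown builder:", check(ARTIFACT, "https://laptop.example.invalid", EXPECTED_SOURCE))
```

An SBOM answers "what is in this artifact"; the statement above answers "who built it, from what, and is it the bytes I am holding". A swapped artifact fails on the digest check even if its contents list is identical, which is exactly the gap the conversation says provenance and attestation close.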
Conclusion
The dialogue concluded with a reflection on the importance of continuous improvement in software supply chain security. Companies must embrace transparency, leverage automation, and create an environment where security is integrated into the development lifecycle. As software practices evolve, so must the strategies to secure them.
Keywords
Software supply chain, cybersecurity, SBOM, transparency, software vulnerabilities, automation, risk management, provenance, attestation, SLSA.
FAQ
Q1: What is the software supply chain?
The software supply chain refers to the entire lifecycle of software—from development to deployment—encompassing open-source components, commercial software, and internally produced code.
Q2: Why is transparency in the software supply chain important?
Transparency allows organizations to identify and mitigate risks associated with their software components, thereby enhancing overall security and vulnerability management.
Q3: How can organizations improve their software supply chain security?
Organizations can improve security by performing discovery to understand workflows, prioritizing critical assets, and implementing automated tools like SBOM generators for accountability.
Q4: What are SBOMs, and why are they useful?
Software Bills of Materials (SBOMs) provide a detailed inventory of software components and their dependencies, making it easier to track vulnerabilities and manage security.
Q5: What standards can help ensure software integrity?
Standards like SLSA and in-toto focus on both software provenance and the processes involved in creating software, ensuring better security and trust in software products.