Abstract Details


9/26/2017  |   1:05 PM - 1:50 PM   |  Track 2 - Systems Engineering

Software Supply Chain Management: Reducing Attack Vectors and Enabling Cybersecurity Assurance

As the cyber threat landscape evolves and software dependencies grow more complex, understanding and managing risk in the software supply chain is more critical than ever, and that management must cover the entire lifecycle, including development, acquisition, and DevOps. This is particularly significant for network-connectable devices. The Internet of Things (IoT) is contributing to a massive proliferation of software-reliant, connected devices of many types throughout critical infrastructure sectors. With IoT increasingly dependent upon third-party software of unknown provenance and pedigree, software composition analysis and other forms of testing are needed to determine 'fitness for use' and trustworthiness in terms of quality, security, safety, and licensing. Application weakness and vulnerability correlation and management should leverage automated means of detecting threat indicators, weaknesses, vulnerabilities, and exploits. Using standards-based automation also enables the exchange of that information internally and externally with vendors in the global supply chain for IoT/ICT products. Addressing supply chain dependencies throughout the lifecycle enables enterprises to harden their systems against attack by comprehensively identifying exploit targets, understanding how assets are attacked, and providing more responsive course-of-action mitigations. Independent testing and certification will also be discussed as a means by which organizations can rely upon others to reduce risk exposures attributable to exploitable software. One such effort is available through the Underwriters Labs Cybersecurity Assurance Program.


Joe Jarzombek (Primary Presenter), Synopsys’ Software Integrity Group, joe.jarzombek@synopsys.com;
Joe leads efforts to enhance capabilities to mitigate software supply chain risks through automated analysis and testing that are integrated within the acquisition and development processes. He collaborates with industry consortia, standards bodies, and government agencies in multiple sectors on evolving the processes and technologies that address software assurance, supply chain risk management, and security automation. Prior to joining Synopsys, Joe served as Director for Software & Supply Chain Assurance in the Office of Cybersecurity and Communications, US Department of Homeland Security. In that role, he led public-private collaboration efforts for US government inter-agency teams, together with industry, academia, and standards organizations, focusing on the assurance of Information and Communications Technology (ICT) products and services. Joe served in the Office of the Secretary of Defense, both in AT&L as Director for Software Intensive Systems and in the Office of the CIO as the Deputy Director for Information Assurance responsible for leading the DoD Software Assurance initiative. Having served as a program manager for several software-intensive systems, he is a retired Lt Colonel in the US Air Force. Joe is a Certified Secure Software Lifecycle Professional (CSSLP).

2017 Sponsors: IEEE and IEEE Computer Society