Security Bsides Las Vegas 2024

Demystifying SBOMs: Strengthening cybersecurity defenses
2024-08-06, Firenze

In today’s rapidly changing digital landscape, the need to strengthen cybersecurity defenses has never been more critical. Recent years have seen major software supply chain incidents such as the Log4j (Log4Shell) vulnerability and the SolarWinds compromise, which have pushed governments and industries to rethink their defenses and adopt stronger security measures. One strategy that has gained significant attention is the SBOM, or “Software Bill of Materials”. The Cybersecurity & Infrastructure Security Agency (CISA) defines an SBOM as a “nested inventory, a list of ingredients that make up software components” and calls it “a key building block in software security and software supply chain risk management”. An SBOM lists the components and dependencies an application is built from, from development through delivery, and serves as the record an organization uses to track its third-party component usage. Some may recognise this as the software analogue of the traditional bill of materials (BOM) used in manufacturing and supply chain management. This presentation will cover:
- the growing relevance of SBOMs in the cybersecurity industry
- how SBOMs empower an organization to measure its cybersecurity risk
- using SBOMs to identify and remediate vulnerabilities in the organization’s applications
- guidance for organizations to use SBOMs and uplevel their defense strategy.


This presentation is aimed at professionals across verticals such as software engineering, security and product management, since SBOMs have become an essential topic for anyone who contributes to the development or distribution of software today.

  1. Introduction:
    - Opening remarks on cybersecurity trends in the industry today, and specific focus on the software supply chain
    - Examples of recent supply chain attacks

An application often involves multiple components, dependencies and third party packages for its development and delivery, forming a software supply chain. Software supply chain attacks involve compromising the development or distribution process of legitimate software. Attackers inject malicious code or vulnerabilities, leading to data breaches, system disruptions, and financial losses. High-profile incidents, such as the SolarWinds attack, demonstrate their widespread impact, posing a significant threat to organizations, governments, and individuals.

  2. SBOMs
    a. Define SBOMs and explain what they mean
    b. Historical context of SBOMs
    c. How SBOMs have become increasingly essential in cybersecurity
    d. Who are SBOMs for?

  3. SBOMs’ role in vulnerability management and the software supply chain

For sections 2 and 3:
An SBOM is an essential tool for software supply chain security (SSCS), vulnerability remediation, and license compliance. When a risk in an open-source component is disclosed, an SBOM lets a security team pinpoint which applications and builds include the affected component and version, so remediation can start immediately rather than after a manual inventory. That speed matters most for vulnerabilities like the one in Apache Log4j (Log4Shell), where the affected library was often buried several levels deep in an application’s transitive dependencies. According to Gartner, by 2025, 60% of organizations building or procuring critical infrastructure software will mandate and standardize SBOMs in their software engineering practice, so familiarity with SBOMs is becoming a core skill for practitioners.
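To make the “pinpoint where the vulnerable component is used” step concrete, here is an added example (written for this page, not code from the talk or from any SBOM tool). It reads a constructed CycloneDX 1.5 SBOM, matches each component’s package URL against a constructed advisory entry modelled on the Log4Shell advisory (CVE-2021-44228, simplified to a single “fixed in 2.15.0” bound), and walks the SBOM’s dependency graph to report the path from the application down to the vulnerable library, which is what tells an engineer which direct dependency actually has to be bumped. The SBOM contents, the advisory feed, and the helper names `parse_purl`, `version_key`, `matches`, `find_vulnerable`, `dependency_paths` and `triage` are all assumptions of this example; it also assumes purls are used as bom-refs and that versions are plain dotted numbers.

```python
"""Locate a vulnerable component in a CycloneDX SBOM and trace the dependency
paths that pull it into the application. Added example with constructed data."""
import json

# Constructed CycloneDX 1.5 SBOM (sample data, not a real product's SBOM). Package
# URLs (purls) double as bom-refs, a common convention for generated SBOMs.
SBOM_JSON = """
{
  "bomFormat": "CycloneDX", "specVersion": "1.5",
  "metadata": {"component": {"type": "application", "name": "payments-service", "version": "1.0.0",
    "bom-ref": "pkg:maven/com.example/payments-service@1.0.0",
    "purl": "pkg:maven/com.example/payments-service@1.0.0"}},
  "components": [
    {"type": "library", "name": "reporting-lib", "version": "3.2.0",
     "bom-ref": "pkg:maven/org.example/reporting-lib@3.2.0", "purl": "pkg:maven/org.example/reporting-lib@3.2.0"},
    {"type": "library", "name": "log4j-core", "version": "2.14.1",
     "bom-ref": "pkg:maven/org.apache.logging.log4j/log4j-core@2.14.1",
     "purl": "pkg:maven/org.apache.logging.log4j/log4j-core@2.14.1"},
    {"type": "library", "name": "log4j-api", "version": "2.14.1",
     "bom-ref": "pkg:maven/org.apache.logging.log4j/log4j-api@2.14.1",
     "purl": "pkg:maven/org.apache.logging.log4j/log4j-api@2.14.1"},
    {"type": "library", "name": "jackson-databind", "version": "2.13.0",
     "bom-ref": "pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.13.0",
     "purl": "pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.13.0"}
  ],
  "dependencies": [
    {"ref": "pkg:maven/com.example/payments-service@1.0.0",
     "dependsOn": ["pkg:maven/org.example/reporting-lib@3.2.0",
                   "pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.13.0"]},
    {"ref": "pkg:maven/org.example/reporting-lib@3.2.0",
     "dependsOn": ["pkg:maven/org.apache.logging.log4j/log4j-core@2.14.1"]},
    {"ref": "pkg:maven/org.apache.logging.log4j/log4j-core@2.14.1",
     "dependsOn": ["pkg:maven/org.apache.logging.log4j/log4j-api@2.14.1"]}
  ]
}
"""

# Constructed advisory feed, modelled on the Log4Shell advisory but simplified to one
# "fixed in" bound (a real feed carries full affected ranges and backported fix branches).
ADVISORIES = [
    {"id": "CVE-2021-44228", "purl_type": "maven",
     "namespace": "org.apache.logging.log4j", "name": "log4j-core", "fixed_in": "2.15.0"},
]


def parse_purl(purl):
    """Minimal purl parser: pkg:type/namespace/name@version[?qualifiers][#subpath].
    Enough for the maven/npm purls used here; not a full spec implementation."""
    if not purl.startswith("pkg:"):
        raise ValueError("not a purl: " + purl)
    body = purl[4:].split("#", 1)[0].split("?", 1)[0]   # drop subpath, then qualifiers
    ptype, _, rest = body.partition("/")
    name_part, version = rest.rsplit("@", 1) if "@" in rest else (rest, "")
    parts = name_part.split("/")
    return ptype, "/".join(parts[:-1]), parts[-1], version


def version_key(version):
    """Ordering key for plain dotted versions (assumption: x.y.z, non-numeric parts count as 0)."""
    return tuple(int(p) if p.isdigit() else 0 for p in version.split("."))


def matches(purl, advisories):
    """Advisory ids applying to one purl: same ecosystem, namespace and name, version below fixed_in."""
    ptype, namespace, name, version = parse_purl(purl)
    return [adv["id"] for adv in advisories
            if (ptype, namespace, name) == (adv["purl_type"], adv["namespace"], adv["name"])
            and version_key(version) < version_key(adv["fixed_in"])]


def find_vulnerable(sbom, advisories):
    """[(bom-ref, advisory id)] for every listed component that matches an advisory."""
    hits = []
    for comp in sbom.get("components", []):
        purl = comp.get("purl")
        if not purl:
            continue  # no ecosystem coordinates, cannot be matched this way
        hits.extend((comp["bom-ref"], adv_id) for adv_id in matches(purl, advisories))
    return hits


def dependency_paths(sbom, target_ref):
    """All paths from the SBOM's root component to target_ref through the dependency graph.
    Paths are root-first, so path[1] is the direct dependency that brings the target in."""
    graph = {d["ref"]: d.get("dependsOn", []) for d in sbom.get("dependencies", [])}
    root = sbom["metadata"]["component"]["bom-ref"]
    paths = []

    def walk(node, path):
        if node == target_ref:
            paths.append(path)
            return
        for child in graph.get(node, []):
            if child not in path:          # guard against cyclic dependency entries
                walk(child, path + [child])

    walk(root, [root])
    return paths


def triage(sbom_json, advisories):
    """advisory id -> [{"component": bom-ref, "paths": [[root, ..., component], ...]}]"""
    sbom = json.loads(sbom_json)
    result = {}
    for ref, adv_id in find_vulnerable(sbom, advisories):
        result.setdefault(adv_id, []).append({"component": ref, "paths": dependency_paths(sbom, ref)})
    return result


if __name__ == "__main__":
    for adv_id, findings in triage(SBOM_JSON, ADVISORIES).items():
        for finding in findings:
            print(adv_id, "->", finding["component"])
            for path in finding["paths"]:
                print("   via", " -> ".join(path))
```

Run as-is, the script reports that CVE-2021-44228 applies to log4j-core 2.14.1 and that it enters payments-service through reporting-lib, not through any direct dependency, so the fix is to upgrade or replace reporting-lib (or pin log4j-core at the application level), while log4j-api at the same version and the patched log4j-core releases are correctly left alone. Against a real SBOM you would replace the embedded JSON with the output of your generator and the advisory list with a feed keyed by purl coordinates.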

  4. Government advisories and standards on SBOMs today:
    a. The US government has released advisories on SBOMs as a ‘must-have’.
    b. SBOM best practices released by NIST
    The Biden administration has been pushing organizations to adopt SBOMs (Executive Order 14028 of May 2021 made them part of the federal software supply chain security requirements), because the government wants transparency into software components. The same inventory lets organizations manage software licenses, understand their legal obligations, demonstrate compliance with licensing requirements, and mitigate cybersecurity risks.

  5. Tools which organizations can use to leverage SBOMs (+ short demo if time)
    a. Various tools such as Trivy, Anchore’s Syft, the CycloneDX tooling, etc. that can generate an SBOM.

Knowing how to generate an SBOM at the different stages of the build lifecycle is valuable, because each stage gives a different view of the dependencies: an SBOM produced from source lists what the manifests declare, while one produced from the built container image lists what actually shipped, including OS packages. The right tool depends on the audience, the purpose, and the kind of data that needs to be captured.

  6. Challenges in software supply chain security
  7. Q&A and concluding remarks; pointing attendees to further learning resources on the topic.

I'm a Product Security Engineer at Salesforce, where I have led several security reviews for new products and features in Tableau. Aside from acting as a security liaison during incidents, I have also been working on Generative AI security, as well as using GenAI to build security tooling :) Lately, I have been leading a project in the supply chain security space to identify vulnerabilities in third party packages and remediate them efficiently.
I completed my Master's in Electrical and Computer Engineering at Carnegie Mellon University, and have completed coursework in the areas of network security, reverse engineering, and security analysis of software systems. Being part of various organizations, I have experience in carrying out research and development of security products and features for users. I also worked with the National University of Singapore on an acoustic side-channel attack and co-authored papers at international conferences. Aside from professional activities, I have largely been associated with international cybersecurity communities for women in voluntary positions. I'm currently on the Advisory Board of a non-profit, Breaking Barriers for Women in Cybersecurity, to lead initiatives in the academic and research space for women.

I am working as an Application Security Engineer after graduating with a Master of Science in Information Science, and have a diverse skill set and experience in data management, qualitative and quantitative analysis of data, troubleshooting, posture management, security scanning, cloud security, and container security in a cross-functional, collaborative work environment.

I appreciate new perspectives, love talking to people, and am on the lookout to learn and grow more.