January 6, 2022 Tweet
If 2021 taught us anything, it is that software is the new ground zero in attacker methodologies, and that developer systems are their targets for infiltrating software supply chains to amplify their attacks. They’re doing so through direct attacks on a software provider (such as in the SolarWinds case), or by infiltrating commonly-used code components in libraries to launch zero-day exploits (such as with Log4J vulnerabilities).
In this twenty-minute segment, we check in with three top experts who share their advice for navigating coming changes in 2022. To pique your interest, here’s a short quote from each of our panelists:
“Security of open-source software, more broadly software supply chain, is a critical topic heading into 2022,” Chris Hughes, co-founder of Aquia Security and cloud security leader.
“DevOps is a philosophy that has to start with the vision for the software and the architecture and engineering,” Tracy Bannon, Senior Principal with MITRE and Early-Days Software Architect.
“DevOps needs to understand that there is a bigger game, which is the application security game, and DevOps is part of that,” Mario Andrés Alvarez Iregi, Global Practice Lead of Secure Development at NCC group.
Resources discussed in this show:
- OpenSSF (Open-Source Security Foundation): https://openssf.org
- NIST Vulnerability Exploitability Exchange: https://www.ntia.gov/files/ntia/publications/vex_one-page_summary.pdf
- SBOM (Software Bill of Materials): https://shiftleft.grammatech.com/from-dbom-to-sbom
