Candy Alexander Details the CISO's Guide to the Software Supply Chain

The many facets of the software supply chain can be challenging to juggle, considering the need to secure components, activities, and practices involved. However, it doesn’t take much to upset a harmonious supply chain and create expensive chores for business executives. Catastrophe could be as simple as one software update, misconfiguration, or vulnerability in an open-source component, which creates major disruptions to your business.

In this archived keynote session, Candy Alexander, CISO and cyber practice lead at NeuEon, explains how to get a better handle on all the code you’re running so you can support developers, manage risks, and respond to change smoothly and safely. This segment was part of our live webinar titled, “The CISO's Guide to the Software Supply Chain.” The event was presented by InformationWeek on March 21, 2024.

View the entire “CISO's Guide to the Software Supply Chain” live webinar on-demand here.

A transcript of the video follows below. Minor edits have been made for clarity.

Candy Alexander: When we talk about the software supply chain, and what it is, I'd like to suggest that this has been a concept that's been around since the beginning of engineering. However, the term software supply chain became widely used. Many people paid attention to it because of the events that we experienced as of late, starting in 2020 with the SolarWinds supply chain attack, followed immediately by the Log4J shell vulnerability in 2021.

Related:[Free Virtual Event] Cyber Resilience in 2024: Availability is Your Best Ability

It is with those occurrences that we now refer to that whole perspective of what's involved in your product or software development. So again, for unknown or unacknowledged reasons, the concept of software engineering has gotten lost over the years due to the focus on timelines and delivery. We've lost sight of the value of having a full process for looking at what is involved in your software development lifecycle or the supply chain.

I remember having a conversation with a friend and colleague, who is the CISO for Oracle, Mary Ann Davidson. So, Mary Ann and I were attending an event, and they were talking about SBOMs [pronounced “s-bomb,” for software bills of materials]. Somebody brought up that four-letter word that Mary Ann was adamantly against. I really stopped and pondered, why is that? You're going to hear me talk a lot about SBOMs or software bill of materials. I'd like to suggest that the software supply chain is not an SBOM, and an SBOM is not a bad thing.

Most importantly, at this point in my conversation with you, I'd like you to think about the fact that an SBOM is a component of the software supply chain. If we can set the pace and the ground for this conversation around those concepts, I think we'll be doing well. Now that we understand what the software supply chain is, let's move to the next conversation. Why is it so important to use or have a software supply chain? Well, there is a lot here for me to unpack.

Related:Improving Supply Chain Security, Resiliency

Watch the archived “CISO's Guide to the Software Supply Chain” live webinar on-demand today.