By Byron V. Acohido
One of the nascent security disciplines already getting a lot of buzz as RSA Conference 2023 gets ready to open next week at San Francisco’s Moscone Center is “software supply chain security,” or SSCS.
Related: How SBOMs instill accountability
Interestingly, you could make the argument that SSCS runs counter-intuitive to the much-discussed “shift left” movement. I think it’s fair to say, at the very least, SSCS extends shift left a bit more to the right.
Shift left advocates driving code testing and application performance evaluations as early as possible in the software development process.
By contrast, SSCS vendors are innovating ways to direct automated inspections much later in DevOps, as late as possible before the new software application is deployed in live service.
Guest expert: Matt Rose, Field CISO, ReversingLabs
I had the chance to visit with Matt Rose, Field CISO at ReversingLabs, which is in the thick of the SSCS movement. We discussed why reducing exposures and vulnerabilities during early in the coding process is no longer enough.
“True software supply chain security is about looking at the application in a holistic way just prior to deployment,” Rose observes. “Most software supply chain issues are novel, so looking for problems too early, before the code is compiled, won’t tell you much.”
Like everyone else, SSCS solution vendors are leveraging machine learning and automation – to focus quality checks and timely remediation in very specific lanes: on open-source components, microservices containers and compiled code, for instance. For a drilll down please give a listen to the accompanying podcast.
I’m looking forward to attending RSAC in person, after a couple of years of remote participation. No doubt there’ll be some thoughtful discussion about how best to protecting software in our software defined world.
I’ll keep watch and keep reporting.
Acohido
Pulitzer Prize-winning business journalist Byron V. Acohido is dedicated to fostering public awareness about how to make the Internet as private and secure as it ought to be.
(LW provides consulting services to the vendors we cover.)
April 18th, 2023 | For technologists | Podcasts | RSA Podcasts | Steps forward | Top Stories
