Name: Why CISA Secure by Design is Just a Starting Point
Start: 2023-04-27T17:11:00Z
End: 2023-04-27T17:11:05.000Z
Location: BrightTALK

ReversingLabs empowers modern software development & SOC teams to protect their software releases & organizations from sophisticated threats. 

Secure by Design is the biggest single thrust in the federal government's efforts to change the game on software risk, with the clear goal of shifting liability to software producers for supply chain security. 

But there's a big problem: Even if best practices are used, the application security tools gap, as noted in the ReversingLabs Software Supply Chain Risk Report, is leaving organizations exposed to supply chain attacks. And cybercriminals and nation state groups, which are embracing supply chain attacks as a preferred means, are evolving their methods to exploit these gaps.

What is needed for development organizations to make Secure by Design a reality? How can you trust your releases are secure? First, software producers must be able to verify the integrity of their releases. That requires modern tools that go beyond legacy application security testing (AST) and software composition analysis (SCA).

In this webinar, you will learn:

✓ About the benefits of Secure by Design — and the broader shift to making software producers liable for the security of their software.
 
✓ The real-world problem of realizing Secure by Design. The app sec tools gap is real, and companies know it’s leaving them exposed.
 
✓ What you need to be able to verify the integrity of your software releases — and to deliver the trust that Secure by Design demands.

Secure by Design: Why Trust Matters for Software Risk Management

In this episode, ReversingLabs Field CISO Matt Rose explains why it's key for teams to understand the process by which supply chain attacks happen — and the results of those attacks.

Software Supply Chain Attacks: How vs. What

Traditional software analysis tools exclusively detect vulnerabilities, leaving users unaware of active, severe threats hidden in their third-party, open source and proprietary components. The first step in reducing the risks of releasing or deploying untrustworthy code is finding and fixing those threats before software is released, acquired or deployed.

ReversingLabs Software Supply Chain Security solution leverages the world’s largest threat repository of malware to locate urgent issues that legacy tools miss.  

Join us for a quick, 20-minute demo to see how we are solving the complex risks that supply chain attacks are bringing to our enterprise customers today.

In this demo, we will demonstrate the benefits of having:

✓ A final exam for software releases and updates - capable of scanning complex, multi-GB binaries in minutes

✓ Identification of multiple types of threats and exposures (malware, tampering, vulnerabilities, mitigations, and secrets) from one platform

✓ A detailed inventory of open source, third-party and proprietary software components and the threats and exposures hidden in each component

✓ Security posture analysis to know your software’s security level and how to improve it

Know When Your Software Is Malware | Software Supply Chain Security DEMO

In the modern enterprise, the tools used to evaluate complex software packages, identifying risks and threats, are more critical than ever. 

In this webinar, we will discuss the evolution of static analysis to binary analysis, highlighting this technology’s significance in threat analysis of complex software packages. 

This webinar aims to provide an understanding of the difference in the analysis technology, illustrating how static binary analysis is leveraged to bolster a software security posture and understand the security risks prior to deployment into organizations.

Key Learnings: 
✓ Introduction to software analysis techniques and their role in the software development lifecycle.
✓ The benefits of early software risk and threat detection, reduced remediation costs, and improved compliance.
✓ How legacy tools like SAST and SCA leave gaps in the software security posturing that require this level of analysis
✓ How ReversingLabs applies the technique to gain unparalleled visibility into complex software packages

Static vs Static Binary Analysis: The Future of Complex Code Deconstruction

In this episode, Matt gives an overview of the National Institute for Standards and Technology (NIST)’s newest version of their Cybersecurity Framework (CSF). He points out what’s new in CSF 2.0, such as the addition of governance as a discipline, plus a greater focus on software supply chain security.

NIST CSF 2.0 is near: A lot has changed in 5 years

In this episode, Matt explains what the newest version of the Exploit Prediction Scoring System (EPSS) is, and how it compares to the Common Vulnerability Scoring System (CVSS) when it comes to minimizing alert fatigue — and prioritizing the highest-risk vulnerabilities.

EPSS 3.0 + CVSS: Why Prioritizing Software Risk is Key

See ReversingLabs’ latest features and get a sneak peek of what's coming next for customers.

Watch our host and Sr Dir., Product Marketing, Richard Melick, and VP of Product, Eirk Thoen, as they showcase our latest releases, take you through our platform improvements and new features, and highlight recent advancements to ReversingLabs complete product lineup.

In this quarterly webinar, you will learn:

✓  Exciting updates to our software supply chain security and malware analysis offerings

✓  Use cases on the best ways to use these features

✓  A sneak peak at some coming updates

Malware Analysis,Threat Hunting & Software Supply Chain Security Product Updates

Security teams struggle with alert fatigue caused by a variety of factors, which impacts the overall security posture of an enterprise. Too much time is wasted chasing false positives and investigating anomalies that turn out to be normal application behaviors. 

The information provided by software supply chain security during the normal application review process can aid security teams long term by helping tune alerts before software is deployed, or address specific concerns or risks with extra layers of detections as needed. 

This addition to the application review process can lead to significant resource savings, and increased network security.

Key episode takeaways: 

✓ Enterprise security team pain points related to detections and false positives

✓ Identifying behaviors likely to trigger host based security alerts

✓ Reviewing network traffic elements for inclusion in relevant allow lists across security applications and appliances

Reducing False Positives in the SOC with Software Anlaysis

Watch as ReversingLabs Software Threat Researcher Lucija Valentić digs into the recent string of software supply chain attacks targeting developers on PyPI and npm. 

Valentić will unpack the details of Brainleeches, VMConnect and Luna Grabber campaigns including the methods and malicious deliverables used by both sophisticated and unsophisticated actors to compromise development organizations. 

You won't want to miss these insights.

Threats Uncovered: Unpack the Latest PyPI and npm Supply Chain Attacks

Enterprise applications performing similar functions can vary greatly from one vendor to another. Understanding those differences can help when choosing one to purchase or support, and enable an informed risk assessment. 

In this episode we will look at a few popular cloud storage applications, including OneDrive and Dropbox to see how they behave, how much bloat and risk they bring with them, and some interesting easter eggs hidden within the packages.

Key episode takeaway: 

✓ How to perform rapid repeatable comparison and risk assessment using the ReversingLabs Software Supply Chain Security platform

Deconstructing OneDrive & Dropbox: A Cloud Storage App Throwdown

In this episode, Matt explains why CISA's Secure by Design, Secure by Default policy is great in concept, but is actually difficult to execute in the real-world. This is because the policy can really only be applied to new software that hasn't been released yet to the market.

CISA Secure by Design/Secure by Default is HARD

From Black Hat to BSides to DEF CON, ReversingLabs gathered 3 top notch experts who were there and ready to share their perspectives. 

Watch this special post-Black Hat event for a post-mortem on the highs and lows of one of the biggest weeks in cybersecurity. Presenters will talk about takeaways from sessions attended, input on key trends at the shows and predictions for what’s next in cybersecurity. 

✓ Key findings at Black Hat about what’s next for our industry
✓ Insight into the biggest security revelations from the talks
✓ How enterprises can apply these lessons to stay safe
 
About the presenters: 

Derek Fisher is the author of Application Security Program Handbook: A guide for software engineers and team leaders and Head of Security at Envestnet. He is also an External Advisor on the Cyber DIA Advisory Board and Adjunct Professor Secure Software Development Temple University.

Freakyclown is the author How I Rob Banks: And Other Such Places and Co-Founder and Co-CEO of Cygenta. Additionally he is a well-known ethical hacker and social engineer. He has been working in the infosec field for over 20 years and excels at circumventing access controls.

Chris Hughes is the author of Software Transparency: Supply Chain Security in an Era of a Software-Driven Society and Co-Founder and CISO at Aquia. He has spent his career building a reputation as a proven Cloud/Cybersecurity leader with nearly 20 years of experience in Federal and commercial industries.

Black Hat...Now What? Tips & Takeaways From the Biggest Week In Cybersecurity.

In this episode of ReversingGlass, Matt makes the essential point that trust in your software supply chain is all or nothing. He explains that trusting anything less than 100% of the components in your software package will set your organization up for major risk. This is why trust in software supply chains needs to be complete, so that the risk of a software supply chain attack to your organization can be minimized.

Trust in Your Software Must be Complete

87% of companies have detected software issues in their software supply chain in the last 12 months, according to a recent survey.  A majority of respondents also said their organization’s software supply chain security was not as mature as it should be.[1] 

CI/CD environments are appealing targets for malicious actors intent on using your software delivery processes as their attack pipeline.  

Join Daniel Gallo, Solution Engineer, JetBrains -TeamCity and Igor Lasic, SVP Engineering, ReversingLabs, as they discuss approaches to overcome the challenges that DevSecOps teams face in defending their CI/CD environments against multiple attack vectors and threats.

Learn tips & tricks for delivering trustworthy software, including:

✓ Securing CI/CD infrastructure
✓ Creating secure software
✓ Validating security levels before shipping

TIPS FOR OVERCOMING THE TOP CHALLENGES IN DELIVERING TRUSTWORTHY SOFTWARE

In this episode, Matt explains why organizations need to strengthen their software supply chain security efforts immediately, given the increase in both the speed and complexity of development environments.

Why the time is NOW for Software Supply Chain Security

In this episode of ReversingGlass, Matt explains the key differences behind two major threats to software supply chains: vulnerabilities and malware. He demonstrates how vulnerabilities are unintentional risks, while malware is an intentionally nefarious action.

The Differences Between Vulnerabilities and Malware

In this episode, we will focus on code signing certificates, the role they play in software, and the many ways they can be abused. Understanding these elements will help us define and tune our baselines in that area.

Key episode takeaways: 

✓ The function of code signing certificates and how they work

✓ The risks of file tampering and how can it be detected

✓ Evaluating the risks of different certificate policies and adjusting the baseline to support specific needs or use cases.

Fine Tuning Your Risk Baseline With Code Signing Certificates

SolarWinds and the more recent 3CX attack put software supply chain security front and center for organizations. While they recognize risk is enterprise-wide, traditional app sec tools are not up to the job. Learn why modern tooling and a mature supply chain security program are now a requirement for managing software risk.

In ReversingLabs’ new Software Supply Chain Security Risk Report, Chris Wilder, Research Director at TAG Cyber and author of the report, will analyze the key findings from a Dimensional Research survey of more than 300 IT pros and Matt Rose, Field CISO at ReversingLabs, co-author of the report, will discuss the evolution of application security — and how a mature software supply chain security approach is now a requirement for managing risk. 

Key Webinar Learnings:

✓ The software supply chain pain points for modern development organizations
 
✓ How gaps in existing application security tooling leave development organizations and security teams exposed to supply chain attacks. 
 
✓ The limitations of narrowly scoped software supply chain initiatives and the need for comprehensive approaches to securing supply chains. 
 
✓ How organizations can operationalize software supply chain security and move beyond “checkbox” compliance, including using Software Bills of Materials (SBOMs) to provide a comprehensive overview of software risk and dependencies.

Why Modern Tooling is Now a Requirement for Full Software Supply Chain Security

In this episode of ReversingGlass, Matt explains how trust is foundational to software supply chain security. Software producers and consumers alike need to continually question whether or not the software they are making or buying is trustworthy.

Trust and Software Supply Chain Security

SBOMs (software bills of materials) have become an essential tool in securing software supply chains. But what’s the right way to use them? In this episode, Matt Rose explains how software publishers need to shift up their SBOMs, so that they showcase the entire threat landscape posed to software supply chains.

Shift Up Your SBOM

In this episode, Matt explains how development and security teams need to move away from strategies like shift left, which only focus on one part of the software development process. The alternative, Matt argues, is that teams should instead "shift up" to gain greater visibility of all software supply chain risks.

Software Supply Chain Security = Shift Up

In this episode, Matt explains how a modern Software Supply Chain Security platform prevents hacks that traditional app sec tools like SAST/DAST miss, such as malware insertion.

Application Hacks vs Software Supply Chain Hacks

In this episode, Matt Rose explains how software supply chain security is better with the wonder duo of behavior and differential analysis.

Behaviors and Diffs: Better Together for Software Supply Chain Security

In this episode, Matt answers a simple yet important question: Who is ReversingLabs? Matt does this by recalling the company’s history, dating back to 2009, which began with ReversingLabs hosting the world’s largest reputational database for malware. He then details ReversingLabs’ growth into a leading provider of software supply chain security.

Who is ReversingLabs?

In this episode, Matt touches on the newfound popularity of AI in relation to Software Supply Chain Security, pointing out the concerns he has for this technology being used by both good and bad actors.

AI and Software Supply Chain Security: Proceed with Caution!

In this episode, Matt uses the analogy of America’s beloved boxed mac n’ cheese to define what a software bill of materials (SBOM) is and should be. He then points out that when making SBOMs, organizations should look to approved and standardized SBOM formats for them to be as clear and transparent as possible.

What the heck is an SBOM

In this episode, Matt touches on real-life software supply chain security cases such as the recent 3CX hack, and how popular media from past and present both imitates and forewarns this kind of threat.

Supply Chain Risks in Art and Life...even the "Simpsons"

n this episode, Matt quantifies the various use cases surrounding software supply chain security (SSCS): Home-grown apps, third-party risk management (TPRM), mergers and acquisitions, and cybersecurity insurance.

Software Supply Chain Security Use Cases

In this episode, Matt lists and explains the various areas of the software supply chain that need to be covered with a modern security solution. He points out that just looking at the build system or open source software alone for threats will not provide full software supply chain security (SSCS) coverage.

Full-Coverage Software Supply Chain Security Explained

In this episode of ReversingGlass, Matt defines software supply chain security by pointing out the different links that the chain comprises. Each link covers different threats, but each is connected to the creation of a complete software artifact, making comprehensive coverage of the software supply chain a must.

How to Define Software Supply Chain Security

In this episode, Matt specifies what “good” software supply chain security (SSCS) looks like. By pointing out all of the pieces to the complex puzzle that is SSCS, Matt showcases that you need an SSCS solution that is comprehensive enough to cover all of these parts, but is smart enough to best serve busy development and SOC teams.

Get Smart With Your Software Supply Chain Security

In this episode of ReversingGlass, Matt visually explains the components and processes of a software supply chain, from the development process all the way to the continuous delivery of a software package. He then points out the various opportunities attackers can take to compromise a supply chain.

The DNA of Software Supply Chain Security

In this ReversingGlass episode, Matt explores the history of application security — and why software supply chain security is where app sec is now, driven by the speed and complexity of modern software development.

A Brief History of App Sec: Why Software Supply Chain Security is Now

In this episode, Matt shares why CISA's new Cyber Supply Chain Risk Management (C-SCRM) office — which will help to operationalize both industry and government efforts on software supply chain security — is key to maturity.

C-SCRM: Much needed definition for software supply chain policy & processes

In this episode, AppSec expert Matt Rose refers to The Software Composition Analysis Landscape, Q1 2023 report from Forrester and makes the point that Software Composition Analysis does not equal Software Supply Chain Security.

ReversingGlass | SCA is good.  Software Supply Chain Security is better.

In this episode, Matt dives into typosquatting, an attack in which malicious actors will copy and slightly misspell the names of legitimate software packages. As a result of the speed of DevOps and human error, these typosquatted packages get downloaded, causing software supply chain attacks.

ReversingGlass | Typsosquatting

In this episode, ReversingLabs Field CISO, Matt Rose explains why it is essential to integrate automatic software supply chain security scanning into the traditional DevOps process.

ReversingGlass | What is Software Supply Chain Scanning?

In this episode, Matt breaks down the recent CircleCI hack by visualizing the integrated development environment (IDE) process. In doing so, he points out that not only does source code need to be secure, but also the development process itself in order to prevent incidents like the CircleCI secrets hack.

ReversingLabs | CircleCI Hack

In this episode, Matt breaks down the components of a typical software application, and points out that while traditional application security testing features are important, they miss key threats that arise in the software supply chain.

DNA OF AN APP: Why Traditional AppSec Testing Misses Modern Threats

A Software Bill of Materials (SBOM) is a great first step in an organization's software supply chain security journey. But, as Matt explains in this episode of ReversingGlass, organizations need to go beyond using just the SBOM to have a robust secure software program.

ReversingGlass | Beyond the SBOM: Because what you CAN'T see CAN hurt you

In this episode, Matt Rose gives an overview of the U.S. Executive Order 14028 and Memorandum M-22-18, which now mandate that any software provider in business with the Federal Government self-attest to having secure software. Matt explains that starting with a comprehensive Software Bill of Materials (SBOM) is the best way to do this.

ReversingGlass | Understanding Executive Order 14028

ReversingGlass Video Series

In this episode of ReversingGlass, Matt Rose explains what's included in the CISA's new initiative: Secure by Design, Secure by Default. He points out that while it's a good starting point for companies to refer to, it shouldn't serve as the end point for practicing software supply chain security.

Why CISA Secure by Design is Just a Starting Point

AppSec

AppDev

DevOps

DevSecOps

Cyber Security

CISO

Breach Detection

Breach Prevention

Are you an IT service management professional interested in developing your knowledge and improving your job performance? Join the IT service management community to access the latest updates from industry experts. Learn and share insights related to IT service management (ITSM) including topics such as the service desk, service catalog, problem and incident management, ITIL v4 and more. Engage with industry experts on current best practices and participate in active discussions that address the needs and challenges of the ITSM community.

IT Service Management

The IT security community on BrightTALK is composed of more than 200,000 IT security professionals trading relevant information on software assurance, network security and mobile security. Join the conversation by watching on-demand and live information security webinars and asking questions of experts and industry leaders.

IT Security

Increasing expectations for good governance, effective risk management and complex demands for corporate compliance are presenting a growing challenge for organizations of all sizes. Join industry thought leaders as they provide you with practical advice on how to implement successful risk and compliance management strategies across your organization. Browse risk management resources in the form of interactive webinars and videos and ask questions of expert GRC professionals.

IT Governance, Risk and Compliance

As an IT professional, many of the problems you face are multifaceted, complex and don’t lend themselves to simple solutions. The information technology community features useful and free information technology resources. Join to browse thousands of videos and webinars on ITIL best practices, IT security strategy and more presented by leading CTOs, CIOs and other technology experts.

Why CISA Secure by Design is Just a Starting Point

Presented by

About this talk

ReversingLabs