AppSec And The Ghost In The Supply Chain

Tomorrow afternoon, Security Ledger, with help from our sponsor Veracode, will record its first video conversation. The show’s name: Talking Code (#talkingcode). The topic: application security, and – in particular – securing the supply chain. Joining me for the discussion will be Chris Wysopal, the co-founder and CTO of Veracode, and Joshua Corman, the Director of Security Intelligence at Akamai Inc.

Two things: you can send us questions or comments on Twitter. Our discussion will be filmed in studio, not live, but we’ll be tweeting comments live and engaging in realtime via Twitter. Just use the hashtag #talkingcode to pose questions.

Say the term “supply chain,” and people immediately think of automobile and electronics manufacturers, who must assemble products from components makers scattered around the globe.

These days, however, it’s not just manufacturers who have to worry about supply chains. Almost every company has a “supply chain” in one form or another. Very often, that chain at least in part supplies software products that help a company run (i.e. that are consumed internally), or that are rolled into the company’s own products (hardware and software) and services and resold.

The issue has become more prominent as discussion of nation-state-based attacks and cyber espionage has moved to the top of the agenda in Washington D.C. Congressional hearings on the danger posed by products from Chinese equipment makers ZTE and Huawei last September made good political theater, but did little to answer questions about whether Chinese-made products and (more important) components pose a real security risk to American companies.

But the issues surrounding supply chain security are even thornier than the Huawei hearing would suggest. That hearing was about whether Chinese telecom equipment has secret back doors that might be used by the People’s Liberation Army to penetrate US firms and the US government. The bigger question is about the security implications of all the third-party and open source software that’s being recycled and repurposed into enterprise and consumer applications.

As this recent post at GovInfoSecurity.com notes, consumer-focused products and services like DropBox.com are becoming a kind of “shadow” supply chain at many companies – exempted from the kinds of scrutiny that traditional software suppliers get (at least in theory) but that are adopted – often ad-hoc – within countless private- and public sector organizations.

Chris, Josh and I will tackle some of these vexing issues and try to sort it all out. Among the questions we’ll be asking:

  • What threat does insecure software from third-party suppliers pose to ordinary businesses?
  • How can companies monitor the security of their supply chain?
  • How will insecurity in the software supply chain affect the growth and advancement of the “Internet of Things” – in which everything from automobiles to toothbrushes is powered by software and connected to the global Internet?

Join us tomorrow on Twitter. And keep a watch out for video of the whole conversation in the days ahead.

–Paul.
