Bio: Laurie Williams is a Distinguished University Professor in the Computer Science Department of the College of Engineering at North Carolina State University (NCSU). Laurie is the director of the National Science Foundation-sponsored Secure Software Supply Chain Center (S3C2), and co-director of the National Security Agency (NSA)-sponsored Science of Security Lablet at NCSU, the NSA-sponsored North Carolina Partnership for Cybersecurity Excellence (NC-PaCE), and the NCSU Secure Computing Institute. Laurie is an IEEE Fellow and an ACM Fellow. Laurie’s research focuses on software security, software processes, and empirical software engineering.
Abstract: Software organizations largely did not anticipate how the software supply chain would become a deliberate attack vector. The software industry has moved from passive adversaries finding and exploiting vulnerabilities contributed by well-intentioned developers, such as log4j, to a new generation of software supply chain attacks, where attackers also aggressively implant vulnerabilities directly into dependencies (e.g., the protestware of node-ipc). Adversaries also find their way into builds and deployments, such as occurred with SolarWinds, to deploy rogue software. Once implanted, these vulnerabilities become an efficient attack vector for adversaries to gain leverage at scale by exploiting the software supply chain.
Software supply chain attacks have grown over 700% per year over the last three years. Section 4 of the May 2021 US Executive Order on Cybersecurity 14028 is on software supply chain security. Other countries and the European Union are working in a similar direction. Several bodies have published influential documents prescribing tasks that software organizations should adopt to reduce software supply chain risk, including NIST Secure Software Development Framework (SSDF) Version 1.1 (800-218), NIST Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations (800-161r1), Supply-chain Levels for Software Artifacts (SLSA) v1.0, OpenSSF Secure Supply Chain Consumption Framework (S2C2F), Cloud Native Computing Foundation – Software Supply Chain Best Practices, and OWASP Software Component Verification Standard (SCVS) Version 1.0. This talk will present the Proactive-Secure Software Supply Chain Risk Management (P-SSCRM) model, comprising the union of the 72 tasks in the aforementioned documents, organized into the categories of Governance, Product, Environment, and Deployment. This talk will also present empirical results on the adoption of these tasks by industrial organizations, based on interviews with practitioners in software development organizations.