{"id":327,"date":"2009-11-12T10:00:32","date_gmt":"2009-11-12T15:00:32","guid":{"rendered":"http:\/\/www.webadminblog.com\/?p=327"},"modified":"2009-11-12T23:55:55","modified_gmt":"2009-11-13T04:55:55","slug":"keynote-collaboratively-advancing-strategies-to-mitigate-software-supply-chain-risks","status":"publish","type":"post","link":"https:\/\/www.webadminblog.com\/index.php\/2009\/11\/12\/keynote-collaboratively-advancing-strategies-to-mitigate-software-supply-chain-risks\/","title":{"rendered":"Keynote: Collaboratively Advancing Strategies to Mitigate Software Supply Chain Risks"},"content":{"rendered":"<p>It&#8217;s my second year at the OWASP AppSec Conference and this year it is in Washington, DC.\u00a0 The New York City Conference last year proved to be probably the best conference I&#8217;ve ever been to.\u00a0 Based on the agenda and the facilities, this year is looking very promising.\u00a0 Today&#8217;s keynote is by Joe Jarzombek, the Director for Software Assurance at the National Cyber Security Division for the Office of the Assistant Secretary of Cybersecurity and Communication.\u00a0 Man, is that a mouthful.\u00a0 My notes on the presentation are below:<\/p>\n<p>DHS NCSD Software Assurance Program<\/p>\n<ul>\n<li>A public\/private collaboration that promotes security and software resilience throughout the SDLC<\/li>\n<li>Reduce exploitable software weaknesses<\/li>\n<li>Address means to improve capabilities that routinely develop, acquire, and deploy resilient software products<\/li>\n<li>IT\/Software Security risk landscape is a convergence between &#8220;defense in depth&#8221; and &#8220;defense in breadth&#8221;<\/li>\n<li>Applications now cut through the security perimeter<\/li>\n<li>Rather than attempt to break or defeat network or system security, hackers opt to target application software to circumvent security controls\n<ul>\n<li>75% of hacks are at the application level<\/li>\n<li>Most exploitable software vulnerabilities are attributed to 
non-secure coding practices<\/li>\n<\/ul>\n<\/li>\n<li>Enable software supply chain transparency\n<ul>\n<li>Acquisition managers and users factored risks posed by software supply chain as part of the trade-space in risk mitigation efforts<\/li>\n<\/ul>\n<\/li>\n<li>DHS Software Assurance program scoped to address:\n<ul>\n<li>Trustworthiness<\/li>\n<li>Dependability<\/li>\n<li>Survivability<\/li>\n<li>Conformity<\/li>\n<\/ul>\n<\/li>\n<li>Standalone Common Body of Knowledge (CBK) drawing upon contributing companies\/industries<\/li>\n<\/ul>\n<p>Build Security In: https:\/\/buildsecurityin.us-cert.gov<\/p>\n<ul>\n<li>Focus on making software security a normal part of software engineering<\/li>\n<li>Process agnostic lifecycle<\/li>\n<li>There was an interesting slide on touchpoints and artifacts that I took a picture of with my phone and I will try to post here.<\/li>\n<\/ul>\n<p><span style=\"text-decoration: underline;\"><strong>Resources to Check Out<\/strong><\/span><\/p>\n<p>&#8220;Software Security Engineering: A Guide for Project Managers&#8221;<\/p>\n<p>&#8220;Enhancing the Development Lifecycle to Produce Secure Software&#8221;<\/p>\n<p>Fundamental Practices for Secure Software Development<\/p>\n<p><a href=\"http:\/\/www.safecode.org\/publications\/SAFECode_Dev_Practices1008.pdf\" target=\"_blank\" rel=\"noopener noreferrer nofollow\">Click to access SAFECode_Dev_Practices1008.pdf<\/a><\/p>\n<p>The Software Assurance Pocket Guide Series<\/p>\n<p>Software Assurance in Acquisition: Mitigating Risks to the Enterprise<\/p>\n<ul>\n<li>Check out Appendix D &#8211; Software Due Diligence Questionnaires<\/li>\n<\/ul>\n<p>&#8220;Making the Business Case for Software Assurance&#8221;<\/p>\n<p>&#8220;Measuring &#8230; Assurance&#8221;<\/p>\n<p><span style=\"text-decoration: underline;\"><strong>Common Weakness Enumeration (CWE)<\/strong><\/span><\/p>\n<ul>\n<li>If you have this weakness, then it&#8217;s not a matter of if, but when you&#8217;ll be 
breached.<\/li>\n<\/ul>\n","protected":false},"excerpt":{"rendered":"<p>It&#8217;s my second year at the OWASP AppSec Conference and this year it is in Washington, DC.\u00a0 The New York City Conference last year proved to be probably the best conference I&#8217;ve ever been to.\u00a0 Based on the agenda and the facilities, this year is looking very promising.\u00a0 Today&#8217;s keynote is by Joe Jarzombek, the [&hellip;]<\/p>\n","protected":false},"author":3,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"jetpack_post_was_ever_published":false,"_jetpack_newsletter_access":"","_jetpack_dont_email_post_to_subs":false,"_jetpack_newsletter_tier_id":0,"_jetpack_memberships_contains_paywalled_content":false,"_jetpack_memberships_contains_paid_content":false,"footnotes":"","jetpack_publicize_message":"","jetpack_publicize_feature_enabled":true,"jetpack_social_post_already_shared":false,"jetpack_social_options":{"image_generator_settings":{"template":"highway","default_image_id":0,"font":"","enabled":false},"version":2}},"categories":[307],"tags":[313,332,330,333,312,89,329,331],"class_list":["post-327","post","type-post","status-publish","format-standard","hentry","category-owasp-appsec-dc-2009","tag-assurance","tag-chain","tag-mitigate","tag-risks","tag-software","tag-strategies","tag-strategy","tag-supply"],"aioseo_notices":[],"jetpack_publicize_connections":[],"jetpack_featured_media_url":"","jetpack_shortlink":"https:\/\/wp.me\/pfI0c-5h","jetpack_sharing_enabled":true,"_links":{"self":[{"href":"https:\/\/www.webadminblog.com\/index.php\/wp-json\/wp\/v2\/posts\/327","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.webadminblog.com\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.webadminblog.com\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.webadminblog.com\/index.php\/wp-json\/wp\/v2\/users\/3"}],"repli
es":[{"embeddable":true,"href":"https:\/\/www.webadminblog.com\/index.php\/wp-json\/wp\/v2\/comments?post=327"}],"version-history":[{"count":2,"href":"https:\/\/www.webadminblog.com\/index.php\/wp-json\/wp\/v2\/posts\/327\/revisions"}],"predecessor-version":[{"id":329,"href":"https:\/\/www.webadminblog.com\/index.php\/wp-json\/wp\/v2\/posts\/327\/revisions\/329"}],"wp:attachment":[{"href":"https:\/\/www.webadminblog.com\/index.php\/wp-json\/wp\/v2\/media?parent=327"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.webadminblog.com\/index.php\/wp-json\/wp\/v2\/categories?post=327"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.webadminblog.com\/index.php\/wp-json\/wp\/v2\/tags?post=327"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}