Paul Fisher delves into the multifaceted approach required to foster trustworthiness within complex software supply chains. This discussion begins by delineating the critical components of software supply chains and the potential risks associated with each link—from development and deployment to maintenance and decommissioning.
Key to establishing a chain of confidence is the adoption of transparent processes and tools that provide verifiable evidence of security at each step. The audience will be introduced to Software Bill of Materials (SBOM), cryptographic signing, and continuous integration/continuous deployment (CI/CD) pipelines fortified with automated security checks.
The talk will also consider the human aspect, emphasizing the need for cultivating a culture of security awareness and collaboration among stakeholders. This includes not only developers and security professionals but also suppliers, distributors, and end-users.
Finally, the talk will provide actionable insights and strategies for organizations to audit, monitor, and continuously improve their software supply chains.