EP 41 — SAP’s Helen Oakley on Protecting Human Well-Being by Securing Software Supply Chains
In this episode of the Future of Application Security, Harshil speaks with Helen Oakley, Lead Architect for Software Supply Chain Security at SAP, which develops enterprise software for business operations. They discuss why software supply chain security is needed, especially given how much software today is built from open source, and the current state of adoption across industries. They also discuss how to get more value out of SBOMs and the misconceptions around them, where organizations can start implementing software supply chain security, and why it is needed to protect both infrastructure and human life.
- What software supply chain security is, and the different considerations — like open source components — that make it a priority for organizations today.
- The current state of adoption for software supply chain security, the challenges to adoption, and which industries are at the forefront while others lag behind.
- How software supply chain security and SBOMs will evolve, especially considering the need for safety around digitally-connected devices that can impact human well-being.
- Some of the misconceptions around what SBOMs offer, and what more has to be done in addition to SBOM implementation to make supply chains more secure.
- Advice for organizations looking to get started on or ramp up their software supply chain security approach, which includes improving SBOM quality and automation.
- How to be prepared to receive and consume SBOMs from vendors, and what tools to use to analyze that data.
- What types of benefits and risks AI will pose for software supply chain security in the future, especially around transparency.
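The two SBOM points above, improving SBOM quality and being ready to consume SBOMs from vendors, come down to an intake check: before an SBOM is trusted for vulnerability matching, verify that it actually carries the data fields the NTIA minimum elements call for (supplier, component name, version, a unique identifier, dependency relationships, author and timestamp). The following is an added example, not code from the episode, from SAP or from Tromzo: a small Python checker over a CycloneDX 1.5 JSON document. The SBOM content, component names and versions are constructed for illustration.

```python
"""SBOM intake check: parse a CycloneDX JSON SBOM and report which components
lack the NTIA minimum-element data fields, plus which components are missing
from the dependency graph. Added example; the SBOM below is constructed."""
import json

# Constructed CycloneDX 1.5 document. Component names/versions are made up.
SAMPLE_SBOM = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.5",
    "metadata": {
        "timestamp": "2024-01-15T10:00:00Z",
        "authors": [{"name": "example-build-pipeline"}],   # author of SBOM data
        "component": {"type": "application", "name": "example-app",
                      "version": "2.3.0", "bom-ref": "pkg:generic/example-app@2.3.0"},
    },
    "components": [
        {"type": "library", "name": "libfoo", "version": "1.4.2",
         "purl": "pkg:generic/libfoo@1.4.2", "bom-ref": "pkg:generic/libfoo@1.4.2",
         "supplier": {"name": "Foo Project"}},            # complete entry
        {"type": "library", "name": "libbar", "version": "0.9.0",
         "bom-ref": "pkg:generic/libbar@0.9.0"},           # no purl/cpe, no supplier
        {"type": "library", "name": "libbaz",
         "bom-ref": "libbaz"},                             # no version, not in graph
    ],
    "dependencies": [
        {"ref": "pkg:generic/example-app@2.3.0",
         "dependsOn": ["pkg:generic/libfoo@1.4.2", "pkg:generic/libbar@0.9.0"]},
    ],
})


def component_gaps(comp):
    """Return the NTIA minimum-element fields this component is missing."""
    gaps = []
    if not comp.get("supplier", {}).get("name"):
        gaps.append("supplier")
    if not comp.get("name"):
        gaps.append("name")
    if not comp.get("version"):
        gaps.append("version")
    # Any of purl, cpe or swid counts as a unique identifier in CycloneDX.
    if not (comp.get("purl") or comp.get("cpe") or comp.get("swid")):
        gaps.append("identifier")
    return gaps


def document_gaps(bom):
    """Document-level fields: who produced the SBOM and when."""
    meta = bom.get("metadata", {})
    gaps = []
    if not meta.get("timestamp"):
        gaps.append("timestamp")
    if not (meta.get("authors") or meta.get("tools")):
        gaps.append("author")
    return gaps


def check_sbom(raw_json):
    """Parse the SBOM and summarise quality gaps a consumer should reject or
    push back to the vendor on."""
    bom = json.loads(raw_json)
    if bom.get("bomFormat") != "CycloneDX":
        raise ValueError("not a CycloneDX document")
    components = bom.get("components", [])
    per_component = {}
    for comp in components:
        gaps = component_gaps(comp)
        if gaps:
            per_component[comp.get("bom-ref") or comp.get("name")] = gaps
    # Dependency relationship: every component should appear in the graph,
    # either as a "ref" or inside some "dependsOn" list.
    refs_in_graph = set()
    for dep in bom.get("dependencies", []):
        refs_in_graph.add(dep.get("ref"))
        refs_in_graph.update(dep.get("dependsOn", []))
    unlinked = [c.get("bom-ref") for c in components
                if c.get("bom-ref") not in refs_in_graph]
    return {
        "document": document_gaps(bom),
        "components": per_component,
        "unlinked": unlinked,
        "total_components": len(components),
    }


if __name__ == "__main__":
    report = check_sbom(SAMPLE_SBOM)
    print(f"{report['total_components']} components, "
          f"{len(report['components'])} with missing fields, "
          f"{len(report['unlinked'])} outside the dependency graph")
    for ref, gaps in report["components"].items():
        print(f"  {ref}: missing {', '.join(gaps)}")
```

A component without a purl or CPE cannot be matched against vulnerability databases at all, so "identifier" gaps are the ones to push back to the vendor first; components that never appear in the dependency graph are the next sign that the SBOM was hand-assembled rather than generated from the build.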
“Securing the software supply chain means we need to understand what we have, what components we use in our software. There are statistics, reports by Synopsys just recently that they identified about 97% of all our software contains open source. That means that we need to pay more attention and really understand what we have.” (3:20)
“The challenge, of course, is the exchange of things like SBOM and what do we do with SBOM? How do we manage, how do we operationalize SBOMs? That’s part of the discussion of the CISO forums to enable industries to do that and provide help and guidance for them.” (9:30)
“The risks are so high with software supply chain that can even involve risk to human well-being, to human life. Because if you’re talking about IoT/OT, that’s where we can see direct interaction with humans, but also critical infrastructure and so on.” (12:29)
“Start acting on implementing safeguards around infrastructure and CI/CD pipelines. Do the threat modeling assessment. What are the risks in your infrastructure and CI/CD pipelines and processes? And prioritize that and start implementing that rather soon.” (21:29)
“A lot of businesses are now being powered by AI and machine learning, and we need to have the transparency of, what are the training models and what data is being used? … What risks are we taking by using this solution that has this AI capability?” (27:46)