
EP 53 — ReversingLabs’s Dave Ferguson on Securing Your Software Supply Chains


In this episode of the Future of Application Security, Harshil speaks with Dave Ferguson, Director of Technical Product Management, Software Supply Chain Security at ReversingLabs, which offers a software supply chain security analysis platform. They discuss the rising need for software supply chain security as a result of the complexity of how software is built today. They also talk about ways to identify novel attacks by analyzing software behavior, how efforts like SBOMs and registries help increase transparency, and why software supply chain security needs to evolve beyond just looking for vulnerabilities.

Topics discussed:

  • How Dave’s diverse background in security, and the interest the SolarWinds and 3CX attacks piqued in him, led to his focus on software supply chain security today.
  • How a product manager leads by working with development teams, meeting with customers, incorporating new features and integrations, and helping bring new solutions to market.
  • How the complexity of building software today — open source, automation, rapid release cycles — has increased the opportunities for adversaries to slip in unnoticed.
  • Why analyzing software behavior across previous builds and seeing what’s changed can help flag novel attacks.
  • Today’s trends that are increasing transparency in software creation, including the rising demand for SBOMs and the possibility of trust registries for commercial software.
  • Why software supply chain security approaches need to move beyond just looking at vulnerabilities to find ways to root out all malicious activity.
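The fourth point above, comparing a new build's behavior against the previous one and flagging what changed, can be sketched in code. The following is an added example for this page, not code from the episode or from ReversingLabs's product: it stands in a coarse string-based extractor for a real behavioral analyzer (which would parse import tables, sections and embedded resources), uses an assumed, illustrative list of API names mapped to capabilities, and runs over two constructed byte strings that simulate consecutive builds of the same product. The point it shows is that the build-to-build diff, not a signature, is what raises the alarm when a release suddenly gains network and process-injection capability plus a new host.

```python
"""Build-to-build behavioral diff (illustrative, added example).

Extracts a coarse behavioral profile (API names, contacted hosts) from a
build artifact and diffs it against the previous build, so that newly
acquired capabilities stand out even when no signature exists for them.
"""
import re
from dataclasses import dataclass

# Assumed, illustrative indicator lists: API name -> capability it implies.
CAPABILITY_INDICATORS = {
    "network": {"WinHttpSendRequest", "InternetOpenUrlA", "WSAConnect", "getaddrinfo"},
    "process_injection": {"VirtualAllocEx", "WriteProcessMemory", "CreateRemoteThread"},
    "persistence": {"RegSetValueExA", "CreateServiceA"},
    "anti_analysis": {"IsDebuggerPresent", "CheckRemoteDebuggerPresent"},
}
API_TO_CAPABILITY = {api: cap for cap, apis in CAPABILITY_INDICATORS.items() for api in apis}

PRINTABLE_RE = re.compile(rb"[\x20-\x7e]{5,}")          # runs of printable ASCII
HOST_RE = re.compile(r"https?://([\w.\-]+)")             # host part of embedded URLs


@dataclass(frozen=True)
class BehaviorProfile:
    apis: frozenset
    capabilities: frozenset
    hosts: frozenset


def extract_strings(artifact: bytes) -> list:
    """Return printable ASCII strings of length >= 5, as a cheap stand-in for
    walking the real import table and resources."""
    return [m.group().decode("ascii") for m in PRINTABLE_RE.finditer(artifact)]


def extract_profile(artifact: bytes) -> BehaviorProfile:
    apis, hosts = set(), set()
    for s in extract_strings(artifact):
        # Split on non-identifier characters so names inside longer strings still match.
        for token in re.split(r"[^A-Za-z0-9_]+", s):
            if token in API_TO_CAPABILITY:
                apis.add(token)
        for m in HOST_RE.finditer(s):
            hosts.add(m.group(1).lower())
    caps = {API_TO_CAPABILITY[a] for a in apis}
    return BehaviorProfile(frozenset(apis), frozenset(caps), frozenset(hosts))


def diff_profiles(baseline: BehaviorProfile, candidate: BehaviorProfile) -> dict:
    """What the candidate build does that the baseline build did not (and vice versa)."""
    return {
        "new_apis": sorted(candidate.apis - baseline.apis),
        "removed_apis": sorted(baseline.apis - candidate.apis),
        "new_capabilities": sorted(candidate.capabilities - baseline.capabilities),
        "new_hosts": sorted(candidate.hosts - baseline.hosts),
    }


def assess(diff: dict, trusted_hosts: set) -> list:
    """Turn a diff into (severity, message) findings. A build that gains a new
    capability AND a new untrusted host at the same time is the shape of a
    tampered release and should block promotion pending review."""
    findings = []
    untrusted = [h for h in diff["new_hosts"] if h not in trusted_hosts]
    for cap in diff["new_capabilities"]:
        findings.append(("medium", f"build gained capability: {cap}"))
    for host in untrusted:
        findings.append(("medium", f"build contacts new untrusted host: {host}"))
    if diff["new_capabilities"] and untrusted:
        findings.append(("high", "new capability combined with new untrusted host; block release"))
    return findings


# Constructed stand-ins for two consecutive builds of one product (not real binaries).
BUILD_PREV = (
    b"MZ\x90\x00" + b"\x00" * 16
    + b"KERNEL32.dll\x00CreateFileW\x00ReadFile\x00WriteFile\x00"
    + b"https://updates.example.com/v1/manifest\x00"
    + b"Release 7.3.1\x00"
)
BUILD_NEXT = (
    BUILD_PREV
    + b"WINHTTP.dll\x00WinHttpSendRequest\x00"
    + b"VirtualAllocEx\x00WriteProcessMemory\x00CreateRemoteThread\x00"
    + b"https://cdn-telemetry.example.net/stats\x00"
)
TRUSTED_HOSTS = {"updates.example.com"}  # assumed allow-list for this product


def review_build(previous: bytes, current: bytes) -> list:
    diff = diff_profiles(extract_profile(previous), extract_profile(current))
    return assess(diff, TRUSTED_HOSTS)


if __name__ == "__main__":
    for severity, message in review_build(BUILD_PREV, BUILD_NEXT):
        print(f"[{severity}] {message}")
```

Running it against the two constructed builds reports the newly gained `network` and `process_injection` capabilities, the new host `cdn-telemetry.example.net`, and a high-severity finding because the two appeared together; running it with the same build on both sides reports nothing. In a pipeline the baseline profile would be stored alongside the previous release so every candidate build is diffed before it is signed.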

Guest Quotes: 

“So the complexity of the development process has allowed the adversaries to find a way to get in without being noticed. And so that’s exactly what happened at SolarWinds and 3CX, as well as other places. The complexity of how modern software is built today, now, it’s much better than it used to be. It’s a lot more automation. It happens at a very rapid pace, so you can get things out the door quickly, but at the same time, it’s allowed for some of these supply chain attacks to happen.”

“SolarWinds, 3CX … there weren’t any signatures for those attacks. They were very novel. However, if you looked at the behaviors of the software, you would have noticed some red flags.”

“There’s a movement happening for having radical transparency in software. And it’s a growing theme that you’re going to be seeing.”

“You have AI coming. The adversaries are leveraging AI. The defenders are going to have to as well. It’s an interesting time and place right now in software security.”

“Looking for vulnerabilities just isn’t enough anymore. … We still have to be concerned about them, of course, but it’s just not enough anymore. There’s going to be some recognition of that.”
