Tuesday, June 15, 2021

Reminder: Webinar on “Cyber Security Perspectives on the Executive Order”

The Executive Order on “Improving our Nation’s Cybersecurity” seemed very important to me when it was issued on May 12. And now that I’ve had a month to discuss it with others, it seems…more important than ever. As luck (and a timely suggestion) would have it, I’ll be participating in a webinar on the EO next Tuesday. The speakers form a great not-the-usual-talking-heads group, all of whom will have very interesting perspectives on the issue of software supply chain cybersecurity - which IMHO is the number one source of supply chain cybersecurity threats nowadays, and perhaps the number two cybersecurity threat worldwide, after ransomware.

I can almost guarantee you’ve never heard from any of the panelists before (other than me, of course; I can’t help that), and that you probably haven’t even heard of some of the things they’re going to talk about. But that’s good – I can also almost guarantee that before last December, you had never even considered the idea that the SolarWinds software development process could be the locus of the most consequential cyberattack on the US in many years, if not ever. I certainly hadn’t, but here we are…

The speakers and their topics are:

· Cole Kennedy, Director of Defense Initiatives, BoxBoat – on why software bills of materials are needed.

· Jon Meadows, Managing Director, Citi – on verifying software. Jon’s title doesn’t tell you much about him, but from having talked with him, I can guarantee that he has a great understanding of supply chain security – especially the software supply chain – and how the different parts all fit together. He’s not to be missed.

· Rob Slaughter, CEO, Defense Unicorns – on DoD’s Platform One Customer DevSecOps platform.

· Andres Vega, VMware – he’s in charge of product security for VMware’s Tanzu platform and will discuss how VMware is addressing the EO.

· Me – on “critical software”, perhaps the most important term in the EO. This is quite controversial, and many different groups are weighing in on how this should be interpreted (the EO asks NIST to define it). Of course, they're doing this because of the big consequences of the decision on what will and won't fall within that definition. However, I’m happy to report that all parties agree on one thing: The EO’s own suggestion for how “critical software” should be defined misses the point. But they all have a different idea of what "the point" should be.

Signup is here. I hope to see you next Tuesday!


Any opinions expressed in this blog post are strictly mine and are not necessarily shared by any of the clients of Tom Alrich LLC. Nor are they shared by the National Telecommunications and Information Administration’s Software Component Transparency Initiative, for which I volunteer. If you would like to comment on what you have read here, I would love to hear from you. Please email me at tom@tomalrich.com.
