Carolynn Van Arsdale

The U.S. Federal Government has been hard at work releasing a plethora of guidelines — and mandates — concerning software supply chain security. The initiatives have been aimed at government institutions, their contractors, and those responsible for critical infrastructure. Now, securing the health care system’s software supply chain is front and center.

All kinds of organizations, whether they sell software or only purchase it, can benefit from knowing what their software contains. The number of software supply chain attacks in recent years and the multitude of attack methods cybercriminals are now using to carry them out should be reason enough to make transparency a top priority for securing these supply chains.

RSA Conference 2024 is almost here. If you’re among the thousands of security leaders heading to San Francisco this May, you'll want to manage your schedule — and filter out the noise from the hundreds of vendors and the thousands of security industry reps who will flood the Moscone Center.

In the span of just a few years, software supply chain security has evolved from being a niche security topic to a top priority for development organizations, security practitioners and CISOs alike. That shift is evident when you take a peek at the schedule for this year’s RSA Conference in San Francisco, where talks related to software supply chain cyber risk abound.

The 32nd annual RSA Conference (RSAC) – one of the biggest cybersecurity shows in North America — was held in San Francisco last week at the Moscone Center. The who's who-event was jam-packed with hundreds of vendors, speaking sessions, and all kinds of goodies.

The concept of software supply chain security (SSCS) has taken center stage over the past few years in the wake of new federal policies, increases in the threats to open-source platforms, and the continuing struggles to patch critical vulnerabilities. However, one of the most under-addressed areas of SSCS is commercial software security.

Software bills of materials (SBOMs) are having their day — they're even government-mandated at times. In September 2023, the U.S. Food and Drug Administration issued its final version of “ Cybersecurity in Medical Devices: Quality System Considerations and Content of Premarket Submissions .” The guidance corresponds to the 2023 Consolidated Appropriations Act, H.R. 2617 PDF ), which calls on the FDA to acquire attestations, including an SBOM, from medical device manufacturers regarding their products' cybersecurity.

proponent of software bills of materials (SBOMs) as a tool that can help secure the software supply chain. The policy grew out of the White House's 2021 Executive Order 14028 and was developed further with the National Telecommunications and Information Administration's release of “The Minimum Elements for a Software Bill of Materials (SBOM)” [ PDF ]

Application security wouldn't be what it is today without “shift left,” the concept that security practices should be handled much earlier in the software development lifecycle (SDLC). Shift left brought about new era strategies such as DevSecOps that made security a priority for developers as well as AppSec teams, pushing some security responsibility to software engineers.

, a Europol-led coalition of law enforcement agencies from 10 countries, announced in February that it had disrupted LockBit — one of the most prolific ransomware gangs in the world — at “every level” of its operations. Being responsible for 25% to 33% of all ransomware attacks in 2023, LockBit had become target No. 1. However, just a week after Operation Cronos' takedown, the gang was relaunched — and continued to target organizations.