SolarWinds: A Path to Excellence in Software Supply Chain Security

00:06:05
https://www.youtube.com/watch?v=6TQW4zH823w

Summary

TLDR: The video focuses on the challenge of securing the software supply chain, emphasizing the need to know which components go into software, how they are assembled, and how far they can be trusted. Tim Brown, CISO of SolarWinds, discusses the company's security practices, highlighting the roles of "Spectra Assure" and Reversing Labs. "Spectra Assure" is used to identify malware, suspicious behavior, and tampering in software. Reversing Labs serves as the final check on releases, comparing one build to the next at the executable level to confirm nothing unexpected was introduced, and supports product transparency. SolarWinds, an IT observability company with a security-first approach, combines static code analysis and other source inspection tools with Reversing Labs to ensure the integrity of its products. The video also covers generating a Software Bill of Materials (SBOM), driven by customer demand, particularly from federal and some commercial customers, which improves transparency and helps close deals. The industry is moving toward stronger third-party risk management, with vendors increasingly expected to provide transparency and detailed security assurances through SBOMs. The video stresses that threats to the software supply chain keep evolving, calling for continuous adaptation and the use of tools like Reversing Labs to maintain security and trust.
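The build-to-build comparison described above (checking a release at the artifact level rather than the source, and flagging anything that was not supposed to change) can be expressed as a simple release gate. The following is an added illustration, not code from the video, SolarWinds, or Reversing Labs; the build contents, file paths and expected-change list are constructed samples, and the inventory function is a minimal stand-in for a real SBOM component list.

```python
import hashlib
from dataclasses import dataclass, field

# Constructed sample builds (relative path -> file bytes). Not real product artifacts.
BUILD_PREV = {
    "bin/agent.exe": b"agent v1.0 code",
    "lib/net.dll": b"net helper v1",
    "lib/log.dll": b"logging v1",
}
BUILD_CURR = {
    "bin/agent.exe": b"agent v1.1 code",     # intentional change for this release
    "lib/net.dll": b"net helper v1",         # unchanged
    "lib/log.dll": b"logging v1",            # unchanged
    "lib/helper.dll": b"unexpected binary",  # nothing in the release plan explains this
}
# Paths the release engineers intend to change in this release (constructed).
EXPECTED_CHANGES = {"bin/agent.exe"}


def digest(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def component_inventory(build: dict) -> dict:
    """Minimal per-artifact inventory: path -> SHA-256 (stand-in for an SBOM component list)."""
    return {path: digest(data) for path, data in sorted(build.items())}


@dataclass
class BuildDiff:
    added: set = field(default_factory=set)
    removed: set = field(default_factory=set)
    changed: set = field(default_factory=set)

    def unexplained(self, expected: set) -> set:
        # Every artifact that was added, removed or modified without being planned
        return (self.added | self.removed | self.changed) - expected


def diff_builds(prev: dict, curr: dict) -> BuildDiff:
    """Compare two builds purely by artifact hashes, ignoring source code entirely."""
    a, b = component_inventory(prev), component_inventory(curr)
    return BuildDiff(
        added=set(b) - set(a),
        removed=set(a) - set(b),
        changed={p for p in set(a) & set(b) if a[p] != b[p]},
    )


def release_gate(prev: dict, curr: dict, expected: set) -> set:
    """Return the set of unexplained artifacts; an empty set means the release passes."""
    return diff_builds(prev, curr).unexplained(expected)


if __name__ == "__main__":
    flagged = release_gate(BUILD_PREV, BUILD_CURR, EXPECTED_CHANGES)
    print("release blocked, unexplained artifacts:" if flagged else "release ok", sorted(flagged))
```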

Takeaways

  • 🔒 Software supply chain security is vital.
  • 🛠️ Spectra Assure aids in malware detection.
  • 🔍 Reversing Labs provides final software checks.
  • 📜 Software Bill of Materials (SBOM) enhances transparency.
  • 🏢 SolarWinds focuses on IT observability and security.
  • 🤝 Customer demand drives SBOM importance.
  • ⚙️ Improved third-party risk management is needed.
  • 📈 Industry trends push for better transparency.
  • 🛡️ Continuous adaptation to evolving threats is crucial.
  • 👥 Reversing Labs supports both vendors and consumers.

Timeline

  • 00:00:00 - 00:06:05

    The software supply chain is one of the biggest challenges in the tech industry, requiring full visibility into software components and a clear basis for trusting them. Tim Brown, CISO at SolarWinds, reflects on his 30-year career in cybersecurity, including roles at Dell Software and CA Technologies. He describes his role at SolarWinds, an IT observability company, covering security operations, compliance, and the engineering-facing teams that shape how products are built, with the goal of exemplary security standards, particularly following an incident. He underscores the role of Reversing Labs as the final check on releases, ensuring nothing nefarious enters a build, and in generating SBOMs, which have become critical for customer assurance and regulatory compliance. Reversing Labs also supports third-party risk assessment, giving buyers insight into software builds before purchase so they can evaluate and manage risk more effectively.

Video Q&A

  • What is the primary focus of the video?

    The primary focus is on software supply chain security and the roles of "Spectra Assure" and Reversing Labs in ensuring software integrity.

  • Who is speaking in the video?

    Tim Brown, the CISO of SolarWinds, is the speaker.

  • How long has SolarWinds been around?

    SolarWinds has been around for 25 years.

  • What tools does SolarWinds use to ensure software security?

    SolarWinds uses static code analysis, other inspection tools, and Reversing Labs as the final check on software releases.

  • Why is the Software Bill of Materials (SBOM) important?

    The SBOM is important for transparency and security, giving customers details about the components in the software they buy.

  • What role does Reversing Labs play in SolarWinds' security processes?

    Reversing Labs performs the final check on software, identifying malware and tampering, comparing builds, and generating SBOMs.

  • What is "Spectra Assure"?

    Spectra Assure is focused on identifying malware, suspicious behavior, and tampering in software.

  • How does SolarWinds handle third-party risk management?

    SolarWinds uses Reversing Labs to strengthen third-party risk management by assessing software before purchasing it.

  • What role does transparency play in the video?

    Transparency is emphasized as crucial for the future of software security and vendor-consumer relationships.

  • What is the industry trend highlighted in the video?

    The trend is towards improved third-party risk management and transparency in software supply chains.

Subtitles
  • 00:00:03

    [Music]

  • 00:00:04

    Software supply chain is one of the biggest challenges that we face as an industry. Reason being is that we need to know what components go into our software, we need to know how those components are put together, we need to know what appropriate usage, we really need to be able to know how much we trust that piece of software, and that's where Spectra Assure comes in.

  • 00:00:28

    I'm Tim Brown, I'm the CISO for SolarWinds. I've been in cyber security for about 30 years. I built products, I ran engineering teams, I was CTO for a number of large organizations, for security units of places like Dell Software and CA Technologies, so always focused on security. I've either built it or I've run it or I've deployed it, and then joined SolarWinds about 8 years ago to be the CISO.

  • 00:00:56

    SolarWinds has been around for 25 years. We are an IT observability company. We provide product for IT people, for DevOps people, for help desk people. We are a software company, that's what we do.

  • 00:01:10

    At SolarWinds my mission is really to protect the company. When we look at that role, right, as the head of security, right, it has a lot of different components to it. So I've got a team that runs security operations, so all the monitoring that we do around the company, monitoring for everything that is running, whether it be cloud services or on-premise services. I have a compliance team that really manages our SOC 2s and our ISOs and compliance with all sorts of different regulations, and then I have indirect teams that help with the way that we build products, and those indirect teams are our product architects and our security architects within the solutions and within the engineering team at SolarWinds.

  • 00:01:58

    One of the things after our incident, we really wanted to be exemplary, so we've done things such as attested to the Secure Software Development Framework, we've attested to the Enduring Security Framework. Reversing Labs plays a very important role in that next generation process that we're looking to do now. We use static code analysis, we use other inspection tools that look at source code along the way, but as a final check Reversing Labs always plays that important final check to say, is anything else in here that is suspect?

  • 00:02:31

    We run Reversing Labs on our releases to be able to look at a couple of different things. First one is that the software was built as we expected it, that the software didn't have unexpected things go into the software, but we can use the comparison features of one build to the next build at the executable, so not looking at the source code but from the executable side. That allows us to make sure nothing nefarious got into a release.

  • 00:03:02

    Spectra Assure is focused on identifying malware, suspicious behavior and tampering. One of the other important areas that Reversing Labs helps us is generating the SBOM. The concept of a software bill of materials has been being pushed by CISA and its leadership for the last few years. We've just reached a critical milestone. That critical milestone is that, you know, customers have been starting to ask for SBOMs from vendors. In our case, federal customers and a few commercial customers have asked for SBOMs for our products before purchase. Reversing Labs is what we use to generate that SBOM. Our customers are requesting them, our customers need them. The ability to produce SBOMs helps us close our deals.

  • 00:03:49

    We, like the rest of the industry, are really looking to improve our third-party risk management software and our third-party risk management process. Reversing Labs plays an important role in that. So when we look at how we evaluate, do we have enough to evaluate? In industry today, very common practice for people to look for SOC 2, for people to look for ISOs, for people to look for filling out questionnaires or look for standard information gathering spreadsheets, and that's a lot of the way evaluation is done today. But that evaluation doesn't really give you enough to be able to truly assess the risk of the product that you're buying. So when we look at procurement of software, the ideal case is that you're running Reversing Labs on everything prior to purchase. I not only get the SBOM, I also get insights into malicious code or tampering.

  • 00:04:48

    Reversing Labs can really play a dual role. As a software provider I need to provide information, knowledge, SBOMs, all of those things to my consumers, and with that Reversing Labs can produce those things for me. It can give me checks, it can give me a great deal of information about my build process, it can look for malware. Now on the other side, as a consumer of software, I can run Reversing Labs on things that I buy and software that I buy, and I can get that same level of assurance that I'm providing as a vendor I can get as a consumer.

  • 00:05:24

    The threat landscape is always evolving. We face new threats every day. What we did 10 years ago simply isn't enough. One of those evolutions that we see is in software supply chain. When we look there we always look for new tools, we look for new things that can help us, we look to be as transparent as possible. We're entering a new realm where the expectation of vendors is transparency. Reversing Labs plays a very important role in that next generation process that we're looking to do.

  • 00:05:58

    [Music]
Tags
  • software supply chain
  • Spectra Assure
  • Reversing Labs
  • security
  • transparency
  • software integrity
  • SBOM
  • third-party risk
  • cybersecurity
  • Tim Brown