About the series
Please join NSF on December 8, 2023, from 1:00 - 2:00 p.m. ET for the Pathways to Enable Open-Source Ecosystems (POSE) Distinguished Lecture by Dr. Laurie Williams, titled "How are We Doing with Adopting Tasks to Reduce Software Supply Chain Security Risk?" NSF is delighted to host Dr. Williams for a second time to present on this important topic.
The lecture is hosted by NSF's Directorates for Technology, Innovation and Partnerships (TIP) and Computer and Information Science and Engineering (CISE).
Register in advance for this webinar:
https://nsf.zoomgov.com/webinar/register/WN_gfUhFjF8TFurb6eLpEehtQ
Abstract: Software organizations largely did not anticipate how the software supply chain would become a deliberate attack vector. The software industry has moved from passive adversaries finding and exploiting vulnerabilities contributed by well-intentioned developers, such as log4j, to a new generation of software supply chain attacks, where attackers also aggressively implant vulnerabilities directly into dependencies (e.g., the protestware of node-ipc). Adversaries also find their way into builds and deployments, such as occurred with SolarWinds, to deploy rogue software. Once implanted, these vulnerabilities become an efficient attack vector for adversaries to gain leverage at scale by exploiting the software supply chain.
Software supply chain attacks have grown over 700% per year over the last three years. Section 4 of Executive Order 14028, Improving the Nation's Cybersecurity (May 2021), addresses software supply chain security. Other countries and the European Union are working in a similar direction. Organizations have published influential documents prescribing tasks that organizations should adopt to reduce software supply chain risk, including NIST Secure Software Development Framework (SSDF) Version 1.1 (800-218), NIST Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations (800-161r1), Supply-chain Levels for Software Artifacts (SLSA) v1.0, OpenSSF Secure Supply Chain Consumption Framework (S2C2F), Cloud Native Computing Foundation Software Supply Chain Best Practices, and OWASP Software Component Verification Standard (SCVS) Version 1.0. This talk will present the Proactive-Secure Software Supply Chain Risk Management (P-SSCRM) model, comprising the union of the 72 tasks in the aforementioned documents, organized into the categories of Governance, Product, Environment, and Deployment. This talk will also present empirical results on the adoption of these tasks by industrial organizations, based on interviews with practitioners in seven software development organizations.
Bio: Laurie Williams is a Distinguished University Professor in the Computer Science Department of the College of Engineering at North Carolina State University (NCSU). Laurie is the director of the National Science Foundation-sponsored Secure Software Supply Chain Center (S3C2), and co-director of the National Security Agency (NSA)-sponsored Science of Security Lablet at NCSU, the NSA-sponsored North Carolina Partnership for Cybersecurity Excellence (NC-PaCE), and the NCSU Secure Computing Institute. Laurie is an IEEE Fellow and an ACM Fellow. Laurie's research focuses on software security, software process, and empirical software engineering.
Pathways to Enable Open-Source Ecosystems (POSE) is a U.S. National Science Foundation program that harnesses the power of distributed open-source development to address challenges of national, societal and economic importance. The POSE program aims to further the development of open-source products or infrastructure and foster expansion of the community of open-source users and developers to engender long-term project sustainability. It supports the establishment of managing organizations that will create opportunities and provide capabilities for their open-source ecosystems. Visit the POSE webpage for more information: https://new.nsf.gov/funding/initiatives/pathways-enable-open-source-ecosystems
Real-time captions will be displayed. Submit accessibility accommodation requests at least 10 days in advance to ccurran@nsf.gov. For help, contact NSF staff at the IT Service Desk at 703-292-4357 or ITServiceDesk@nsf.gov. All other participants should contact Zoom support at +1-833-966-6468 or support@zoom.us.