OWASP 2022 Global AppSec San Francisco has ended
Global AppSec San Francisco returns November 14-18.

Designed for private and public sector infosec professionals, the two-day OWASP conferences equip developers, defenders, and advocates to build a more secure web. We are offering educational 1-day, 2-day, and 3-day training courses on November 14-16.

Join us for leading application security technologies, speakers, prospects, and the community, in a unique event that will build on everything you already know to expect from an OWASP Global Conference.
Friday, November 18 • 3:30pm - 4:30pm
Software supply chain safety: lessons from the industrial revolution

From medications to aircraft, car parts to computer parts -- humans have figured out how to secure the process of sourcing and building some of our most complicated products. With software supply chain security only now getting started, what can we learn from parallel industries that can give us a leg up on securing the supply chains of our digital world? If most of us can agree that industry involves taking in materials and processing them to make something new, why is there still this view of software developers as artisans who write everything from scratch? The fact is that most organizations today write only a small part of their software. Most software is sourced, either as finished products or as components for internal software development. This is especially true for Cloud Native applications, which are based on open source components, running in open source or Cloud-provided orchestration, and are spread across multiple types of workloads. The result is that organizations end up assuming security responsibility for an application, where much of the code was written elsewhere, and assembled in a build pipeline with varying degrees of governance and oversight.

Over the years, manufacturing has developed a set of tools and processes to ensure quality and security in the supply chain and assembly lines. Similarly, Application Security needs to account for how software is sourced and used in the modern application pipeline.

This presentation will show the similarities between manufacturing supply chains and software supply chains. We will use the pharmaceutical industry as a model to outline the required controls, where to place them, and how to use gathered information to make better decisions and produce more secure software.

Speakers
Tsvi Korren

CTO, Aqua Security
Tsvi Korren is Field CTO at Aqua Security, where he engages with leading industries to bring solutions that modernize security for Cloud Native applications. Previously, Tsvi held various technical and customer facing roles at CA Technologies (now Broadcom), supporting a diverse portfolio...


Friday November 18, 2022 3:30pm - 4:30pm PST
Bayview A