AppSec USA 2016

As the cyber threat landscape evolves and as software dependencies grow more complex, understanding and managing risk in the software supply chain is more critical than ever, and it must focus on the entire lifecycle that includes development, acquisition, and DevOps.  The Internet of Things (IoT) is contributing to a massive proliferation of a variety of types of software-reliant, connected devices.  With IoT increasingly dependent upon third-party software of unknown provenance and pedigree, software composition analysis and other forms of testing are needed to determine 'fitness for use' and trustworthiness in terms of quality, security, safety, and licensing.  Application vulnerability correlation and management should leverage automated means for detecting threat indicators, weaknesses, vulnerabilities, and exploits.  Using standards-based automation also enables the exchange of information internally and externally with vendors in the global supply chain for IoT/ICT products.  Addressing supply chain dependencies throughout the lifecycle enables enterprises to harden their attack surface by:  comprehensively identifying exploit targets; understanding how assets are attacked, and providing more responsive course of action mitigations.