CNSCon Keynote - Brandon.pdf

《CNSCon Keynote - Brandon.pdf》由会员分享，可在线阅读，更多相关《CNSCon Keynote - Brandon.pdf（20页珍藏版）》请在三个皮匠报告上搜索。

1、Brandon Lum(lumjjb)Software Engineer,GoogleThe Next Steps in Software Supply Chain SecuritylumjjbSUPPLY CHAIN ATTACKSSECURITYIncrease in Attacks lead to strong industry responselumjjbProducing Trusted Software&AttestationsScorecardsFRSCAlumjjbProducing Trusted Software&AttestationsScorecardsFRSCAlum

2、jjbProducing and ConsuminglumjjbProducing and Consuming?lumjjbVEXVEXVEXVEXlumjjbOutcome of ProducingA decentralized,flexibly anchored trust fabricAttestations and MetadataTrust FoundationSchemas and sources for rich security metadataVulnerability Exploitability eXchange(VEX)lumjjbAggregation and Syn

3、thesisPolicy and InsightIntelligent aggregation across artifacts and identitiesAutomation and compliance throughout the SDLCSoftware Supply Chain Integrity ConsumptionA decentralized,flexibly anchored trust fabricAttestations and MetadataTrust FoundationSchemas and sources for rich security metadata

4、Vulnerability Exploitability eXchange(VEX)ConsumelumjjbOSS Package Repository MetadataThreat intelligenceAggregation and SynthesisInternal Software/Build SystemsThird-party/Vendor SoftwarelumjjbOSS Package Repository MetadataThreat intelligenceAggregation and SynthesisInternal Software/Build Systems

5、Third-party/Vendor SoftwarelumjjbRepologydeps.devPublic Data Source AggregatorsPackage ManagersMulti-source generic aggregatorConsuming-Aggregation&SynthesislumjjbConsuming-PolicyMechanism to create and enforceHow to evaluate and enforce+Proprietary GRC/CMDB systemsWhat are checks for“Good”Supply Ch

6、ain Security”?TAG Security Issue#987lumjjbConsuming-PolicyMechanism to create and enforceHow to evaluate and enforce+Proprietary GRC/CMDB systemsWhat are checks for“Good”Supply Chain Security”?TAG Security Issue#987lumjjbConsuming-PolicyMechanism to create and