Conferences and supporting programme
X-Ray Your Software Supply Chain. Automate Your Security Gates
As seen with the IoT-based Mirai botnet, security vulnerabilities can have their root cause several layers down in the supply chain. This is particularly threatening for complex and deep supply chains such as those prevalent in domains like automotive and industrial control systems. In this talk, we present our results from security scanning over 120,000 embedded software packages across a wide range of application domains. We automatically decomposed each software package into its components and cross-matched each component with its known security vulnerabilities as recorded in the National Vulnerability Database (NVD). We explain the purpose of the NVD, how to use it and how to make sense of the recorded Common Vulnerabilities and Exposures (CVE) entries. We detail our findings by listing the components that are most commonly used, those that most commonly have a vulnerability, as well as their age and the likelihood that existing patches would remedy the situation. Moreover, we give an overview of the most critical vulnerabilities and the prevalence of “celebrity” bugs still active in embedded software. To remedy the situation, we explain what an automated, trustworthy supply chain process built on various scanning and security gates across embedded suppliers, integrators and vendors could look like. In particular, we take into account that many embedded vendors are not security experts. We explain how modern development and automated analysis solutions and methods such as static analysis, fuzz testing and composition analysis can assist market participants in delivering safer and more secure products faster. Finally, we highlight the role regulators are starting to play and demonstrate this with current activities in the supply chain certification space. We round off the talk by presenting lessons learnt and immediate suggestions the audience can explore in their own supply chain and software development lifecycle.
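The abstract describes a pipeline of decomposing packages into components, cross-matching them against NVD records, summarising which components are most used and most often vulnerable, checking whether a fix exists, and enforcing an automated security gate. The following Python script is an added illustration of that workflow, not code from the talk or its authors. The NVD-style feed, the CVE identifiers (placeholders of the form `CVE-EXAMPLE-nnnn`) and the three firmware packages are all constructed for the example; the version-range matching is a deliberately simple approximation of how real CPE range matching works.

```python
"""Toy software-composition check: decompose packages into components,
cross-match against an NVD-style feed, summarise, and apply a security gate.
All data below is constructed for illustration; the CVE ids are placeholders."""
import re
from collections import Counter

# Constructed NVD-style records (placeholder CVE ids, not real entries).
# "affected" is an inclusive version range; "fixed_in" is None when no patch exists.
NVD_FEED = [
    {"cve": "CVE-EXAMPLE-0001", "product": "openssl", "affected": ("1.0.1", "1.0.1f"), "fixed_in": "1.0.1g", "cvss": 7.5},
    {"cve": "CVE-EXAMPLE-0002", "product": "busybox", "affected": ("1.20.0", "1.27.2"), "fixed_in": "1.28.0", "cvss": 5.3},
    {"cve": "CVE-EXAMPLE-0003", "product": "zlib", "affected": ("1.2.0", "1.2.8"), "fixed_in": "1.2.11", "cvss": 6.5},
    {"cve": "CVE-EXAMPLE-0004", "product": "uclibc", "affected": ("0.9.0", "0.9.33"), "fixed_in": None, "cvss": 9.8},
]

# Constructed firmware packages already decomposed into (component, version).
PACKAGES = {
    "camera-fw-2.1": [("openssl", "1.0.1e"), ("busybox", "1.24.1"), ("zlib", "1.2.11")],
    "plc-runtime-5.0": [("openssl", "1.0.2k"), ("zlib", "1.2.8"), ("uclibc", "0.9.33")],
    "router-img-3.4": [("openssl", "1.0.1g"), ("busybox", "1.28.0"), ("zlib", "1.2.8")],
}


def parse_version(v):
    """Turn '1.0.2k' into ((1,''),(0,''),(2,'k')): each piece is (number, suffix),
    so tuples compare numerically first and by letter suffix second."""
    parts = []
    for piece in v.split("."):
        m = re.match(r"(\d*)(.*)", piece)
        parts.append((int(m.group(1) or 0), m.group(2)))
    return tuple(parts)


def is_affected(entry, version):
    """True if version lies inside the record's inclusive affected range."""
    lo, hi = (parse_version(x) for x in entry["affected"])
    return lo <= parse_version(version) <= hi


def scan(packages, feed):
    """Cross-match every component of every package against the feed."""
    findings = {}
    for name, components in packages.items():
        hits = []
        for product, version in components:
            for entry in feed:
                if entry["product"] == product and is_affected(entry, version):
                    hits.append({"component": product, "version": version,
                                 "cve": entry["cve"], "cvss": entry["cvss"],
                                 "fixed_in": entry["fixed_in"]})
        findings[name] = hits
    return findings


def summarize(packages, findings):
    """Most-used components, most-often-vulnerable components, and the share
    of findings for which an upstream fix already exists."""
    usage = Counter(c for comps in packages.values() for c, _ in comps)
    vulnerable = Counter(h["component"] for hits in findings.values() for h in hits)
    all_hits = [h for hits in findings.values() for h in hits]
    with_fix = sum(1 for h in all_hits if h["fixed_in"])
    return {
        "most_used": usage.most_common(),
        "most_vulnerable": vulnerable.most_common(),
        "patch_available_ratio": with_fix / len(all_hits) if all_hits else 1.0,
    }


def gate(hits, threshold=7.0):
    """Automated security gate: block the package if any finding scores at or
    above the CVSS threshold, and say which of those a version bump would fix."""
    blocking = [h for h in hits if h["cvss"] >= threshold]
    return {
        "passed": not blocking,
        "blocking": [h["cve"] for h in blocking],
        "fixable": [f'{h["component"]} -> {h["fixed_in"]}' for h in blocking if h["fixed_in"]],
        "unfixed": [h["cve"] for h in blocking if not h["fixed_in"]],
    }


if __name__ == "__main__":
    results = scan(PACKAGES, NVD_FEED)
    print(summarize(PACKAGES, results))
    for pkg, hits in results.items():
        print(pkg, gate(hits))
```

Running the script prints the usage and vulnerability counters, then a gate verdict per package; only `router-img-3.4` passes at the default threshold, `camera-fw-2.1` is blocked by a finding that a version bump would fix, and `plc-runtime-5.0` carries a finding with no fix available, the case where an integrator has to mitigate rather than patch.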
--- Date: 28.02.2018 Time: 4:30 PM - 5:00 PM Location: Conference Counter NCC Ost