Events , Next-Generation Technologies & Secure Development , RSA Conference

Software Supply Chain Do's and Don'ts

Phylum's Pete Morgan on How to Best Secure Software Supply Chains
Pete Morgan, co-founder and CSO, Phylum

An uptick in supply chain attacks has made organizations mindful of securing their software supply chains. But there's still a long way to go. Organizations have long been using software from open-source ecosystems without fully realizing how much software they actually pull from these libraries, but the potential downstream effects of security flaws could have a major impact, said Pete Morgan, co-founder and CSO at Phylum.

See Also: Using DPM and MITRE ATT&CK to Improve SOC Effectiveness

Organizations need to rethink their approach and consider whether the software they are using is appropriate for their security model, Morgan advised. Organizations should also consider the risks associated with using untrusted code on the internet, which is a significant factor in the open-source supply chain.

"When you start peeling back the onion of how the supply chain works, if developers want to use one package, it might have 10 dependencies, which might each have 10 dependencies in the graph of software that comes with it," Morgan said. "What ends up happening is developers hope that there's nothing wrong with it, and this creates a huge amount of technical debt because now you've taken all of that supply chain in and you require it for your software to work. Now you have to manage the security posture of that in the long term. This is where we've seen an explosion in vulnerabilities."

In this video interview with Information Security Media Group at RSA Conference 2023, Morgan also discusses:

  • How software supply chain risk has evolved in recent years;
  • How adversaries now commonly target software developers;
  • The mechanisms that current attacks are using that make them effective against other security tools.

Morgan is a security researcher with a long history in research and consulting organizations. He has over a decade of experience helping to build teams composed of software developers and vulnerability researchers.


About the Author

Varun Haran

Varun Haran

Managing Director, Asia & Middle East, ISMG

Haran has been a technology journalist in the Indian market for over six years, covering the enterprise technology segment and specializing in information security. He has driven multiple industry events such as the India Computer Security Conferences (ICSC) and the first edition of the Ground Zero Summit 2013 during his stint at UBM. Prior to joining ISMG, Haran was first a reporter with TechTarget writing for SearchSecurity and SearchCIO; and later, correspondent with InformationWeek, where he covered enterprise technology-related topics for the CIO and IT practitioner.




Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing careersinfosecurity.com, you agree to our use of cookies.