Improving Software Transparency on the Path to Supply Chain Risk Management (C12b)
Customers and governments alike are becoming more rigorous in their scrutiny of vendors’ SDLC cybersecurity practices, frequently asking for data demonstrating that security controls have been met. Consumers want assurance that software producers have effectively managed cyber risks throughout their supply chain. Trustworthy producers want the operational cost of providing such assurances to fall while coverage across their supply chain grows. For these needs to be met, industry and government must shift from a human-driven, compliance-based certification approach to a machine-driven, conformance-based risk management approach. This will require that security assessors keenly understand how software is developed and the limitations that exist in using new machine-readable security assurance data such as SBOMs. It will require that software developers innovate to develop and implement new standards-based, interoperable data formats, tools, and processes in their SDLC that enable automated creation of security assurance datasets as a natural byproduct of developing, building, testing, and distributing software. In this presentation, Jeff Schutt—Cisco’s global Software Transparency Program leader and Chief Architect behind Cisco distributing SBOMs—will describe Cisco’s journey towards improving software transparency across its broad portfolio of products and services, including lessons learned and pragmatic steps software producers and consumers can take.