CanSecWest 2022

Supply chain attacks have been on the rise in the past two years and are proving to be common and reliable attack vectors that affect all consumers of software. Securing an organization from third party software attacks is quite complicated, with numerous threats along the software lifecycle from Selection? Choice of Third Party Software, Deployment, Updates and finally Retirement. While point-in-time assessments help in uncovering risk before the software is selected, its practically impossible to review all solutions beforehand and these point in time assessments cannot withstand the continuous feature enhancements or updates a software may go through in its lifetime. There is no comprehensive end-to-end framework that defines both how to mitigate threats across the software supply chain and provides reasonable security guarantees. There is an urgent need for a solution in the face of the eye-opening, multi-billion-dollar attacks in recent times.

In this talk we are going to present our proposed solution - Securing the 3rd Party Software Life Cycle, an end-to-end framework for ensuring the security of third-party software throughout its lifecycle.