For years, experts have been telling the government to take stock of the software supply chain by generating software bills of materials and defining standards and policies for use.
But it took a few big “oh !@#$%” moments like the SolarWinds and Colonial Pipeline breaches to get the wheels of government really turning around improving software supply chain security.
In May, 2021, the U.S. government issued a White House executive order on cybersecurity to use its purchasing power to create positive changes to the way cybersecurity is addressed around the world.
In this Upstream chat, Tracy Bannon from MITRE joined us to discuss why it took so long, what is happening now that will help organizations positively impact their own security preparedness, and how we can bring forward good ideas and warnings in the future.
She discussed how to talk about risk profile and ways organizations can force-rank priorities. She also discussed why it’s important to reduce cognitive load on the development teams and why it’s important to offload some tasks onto trusted vendors.
Tidelift CEO and co-founder Donald Fischer then joined the discussion and explained how all this applies to open source software specifically. Donald and Tracy discussed the recently disclosed security vulnerability in the Apache log4j project, which has been dubbed “Log4Shell”, why it’s important to address quickly, how to address it, and how to better prepare for future vulnerabilities. You won't want to miss this.