Featured
Software Supply Chain Attacks: How vs. What
Matt Rose, Field CISO, ReversingLabs
In this episode, ReversingLabs Field CISO Matt Rose explains why it's key for teams to understand the process by which supply chain attacks happen — and the results of those attacks.
All episodes
-
ReversingGlass | Understanding Executive Order 14028
Matt Rose, Field CISO, ReversingLabs
In this episode, Matt Rose gives an overview of the U.S. Executive Order 14028 and Memorandum M-22-18, which now mandate that any software provider in business with the Federal Government self-attest to having secure software. Matt explains that starting with a comprehensive Software Bill of Materials (SBOM) is the best way to do this.
-
ReversingGlass | Beyond the SBOM: Because what you CAN'T see CAN hurt you
Matt Rose, Field CISO, ReversingLabs
A Software Bill of Materials (SBOM) is a great first step in an organization's software supply chain security journey. But, as Matt explains in this episode of ReversingGlass, organizations need to go beyond using just the SBOM to have a robust secure software program.
-
DNA OF AN APP: Why Traditional AppSec Testing Misses Modern Threats
Matt Rose, Field CISO, ReversingLabs
In this episode, Matt breaks down the components of a typical software application, and points out that while traditional application security testing features are important, they miss key threats that arise in the software supply chain.
-
ReversingLabs | CircleCI Hack
Matt Rose, Field CISO, ReversingLabs
In this episode, Matt breaks down the recent CircleCI hack by visualizing the integrated development environment (IDE) process. In doing so, he points out that not only does source code need to be secure, but also the development process itself in order to prevent incidents like the CircleCI secrets hack.
-
ReversingGlass | What is Software Supply Chain Scanning?
Matt Rose, Field CISO, ReversingLabs
In this episode, ReversingLabs Field CISO, Matt Rose explains why it is essential to integrate automatic software supply chain security scanning into the traditional DevOps process.
-
ReversingGlass | Typosquatting
Matt Rose, Field CISO, ReversingLabs
In this episode, Matt dives into typosquatting, an attack in which malicious actors will copy and slightly misspell the names of legitimate software packages. As a result of the speed of DevOps and human error, these typosquatted packages get downloaded, causing software supply chain attacks.
-
ReversingGlass | SCA is good. Software Supply Chain Security is better.
Matt Rose, Field CISO, ReversingLabs
In this episode, AppSec expert Matt Rose refers to The Software Composition Analysis Landscape, Q1 2023 report from Forrester and makes the point that Software Composition Analysis does not equal Software Supply Chain Security.
-
C-SCRM: Much needed definition for software supply chain policy & processes
Matt Rose, Field CISO, ReversingLabs
In this episode, Matt shares why CISA's new Cyber Supply Chain Risk Management (C-SCRM) office — which will help to operationalize both industry and government efforts on software supply chain security — is key to maturity.
-
A Brief History of App Sec: Why Software Supply Chain Security is Now
Matt Rose, Field CISO, ReversingLabs
In this ReversingGlass episode, Matt explores the history of application security — and why software supply chain security is where app sec is now, driven by the speed and complexity of modern software development.
-
The DNA of Software Supply Chain Security
Matt Rose, Field CISO, ReversingLabs
In this episode of ReversingGlass, Matt visually explains the components and processes of a software supply chain, from the development process all the way to the continuous delivery of a software package. He then points out the various opportunities attackers can take to compromise a supply chain.
-
Get Smart With Your Software Supply Chain Security
Matt Rose, Field CISO, ReversingLabs
In this episode, Matt specifies what “good” software supply chain security (SSCS) looks like. By pointing out all of the pieces to the complex puzzle that is SSCS, Matt showcases that you need an SSCS solution that is comprehensive enough to cover all of these parts, but is smart enough to best serve busy development and SOC teams.
-
How to Define Software Supply Chain Security
Matt Rose, Field CISO, ReversingLabs
In this episode of ReversingGlass, Matt defines software supply chain security by pointing out the different links that the chain comprises. Each link covers different threats, but each is connected to the creation of a complete software artifact, making comprehensive coverage of the software supply chain a must.
-
Full-Coverage Software Supply Chain Security Explained
Matt Rose, Field CISO, ReversingLabs
In this episode, Matt lists and explains the various areas of the software supply chain that need to be covered with a modern security solution. He points out that just looking at the build system or open source software alone for threats will not provide full software supply chain security (SSCS) coverage.
-
Software Supply Chain Security Use Cases
Matt Rose, Field CISO, ReversingLabs
In this episode, Matt quantifies the various use cases surrounding software supply chain security (SSCS): home-grown apps, third-party risk management (TPRM), mergers and acquisitions, and cybersecurity insurance.
-
Why CISA Secure by Design is Just a Starting Point
Matt Rose, Field CISO, ReversingLabs
In this episode of ReversingGlass, Matt Rose explains what's included in the CISA's new initiative: Secure by Design, Secure by Default. He points out that while it's a good starting point for companies to refer to, it shouldn't serve as the end point for practicing software supply chain security.
-
Supply Chain Risks in Art and Life...even the "Simpsons"
Matt Rose, Field CISO, ReversingLabs
In this episode, Matt touches on real-life software supply chain security cases such as the recent 3CX hack, and how popular media from past and present both imitates and forewarns this kind of threat.
-
What the heck is an SBOM
Matt Rose, Field CISO, ReversingLabs
In this episode, Matt uses the analogy of America’s beloved boxed mac n’ cheese to define what a software bill of materials (SBOM) is and should be. He then points out that when making SBOMs, organizations should look to approved and standardized SBOM formats for them to be as clear and transparent as possible.
-
AI and Software Supply Chain Security: Proceed with Caution!
Matt Rose, Field CISO, ReversingLabs
In this episode, Matt touches on the newfound popularity of AI in relation to Software Supply Chain Security, pointing out the concerns he has for this technology being used by both good and bad actors.
-
Who is ReversingLabs?
Matt Rose, Field CISO, ReversingLabs
In this episode, Matt answers a simple yet important question: Who is ReversingLabs? Matt does this by recalling the company’s history, dating back to 2009, which began with ReversingLabs hosting the world’s largest reputational database for malware. He then details ReversingLabs’ growth into a leading provider of software supply chain security.
-
Behaviors and Diffs: Better Together for Software Supply Chain Security
Matt Rose, Field CISO, ReversingLabs
In this episode, Matt Rose explains how software supply chain security is better with the wonder duo of behavior and differential analysis.
-
Application Hacks vs Software Supply Chain Hacks
Matt Rose, Field CISO, ReversingLabs
In this episode, Matt explains how a modern Software Supply Chain Security platform prevents hacks that traditional app sec tools like SAST/DAST miss, such as malware insertion.
-
Software Supply Chain Security = Shift Up
Matt Rose, Field CISO, ReversingLabs
In this episode, Matt explains how development and security teams need to move away from strategies like shift left, which only focus on one part of the software development process. The alternative, Matt argues, is that teams should instead "shift up" to gain greater visibility of all software supply chain risks.
-
Shift Up Your SBOM
Matt Rose, Field CISO, ReversingLabs
SBOMs (software bills of materials) have become an essential tool in securing software supply chains. But what’s the right way to use them? In this episode, Matt Rose explains how software publishers need to shift up their SBOMs, so that they showcase the entire threat landscape posed to software supply chains.
-
Trust and Software Supply Chain Security
Matt Rose, Field CISO, ReversingLabs
In this episode of ReversingGlass, Matt explains how trust is foundational to software supply chain security. Software producers and consumers alike need to continually question whether or not the software they are making or buying is trustworthy.
-
The Differences Between Vulnerabilities and Malware
Matt Rose, Field CISO, ReversingLabs
In this episode of ReversingGlass, Matt explains the key differences behind two major threats to software supply chains: vulnerabilities and malware. He demonstrates how vulnerabilities are unintentional risks, while malware is an intentionally nefarious action.
-
Why the time is NOW for Software Supply Chain Security
Matt Rose, Field CISO, ReversingLabs
In this episode, Matt explains why organizations need to strengthen their software supply chain security efforts immediately, given the increase in both the speed and complexity of development environments.
-
Trust in Your Software Must be Complete
Matt Rose, Field CISO, ReversingLabs
In this episode of ReversingGlass, Matt makes the essential point that trust in your software supply chain is all or nothing. He explains that trusting anything less than 100% of the components in your software package will set your organization up for major risk. This is why trust in software supply chains needs to be complete, so that the risk of a software supply chain attack to your organization can be minimized.
-
CISA Secure by Design/Secure by Default is HARD
Matt Rose, Field CISO, ReversingLabs
In this episode, Matt explains why CISA's Secure by Design, Secure by Default policy is great in concept, but is actually difficult to execute in the real-world. This is because the policy can really only be applied to new software that hasn't been released yet to the market.
-
EPSS 3.0 + CVSS: Why Prioritizing Software Risk is Key
Matt Rose, Field CISO, ReversingLabs
In this episode, Matt explains what the newest version of the Exploit Prediction Scoring System (EPSS) is, and how it compares to the Common Vulnerability Scoring System (CVSS) when it comes to minimizing alert fatigue — and prioritizing the highest-risk vulnerabilities.
-
NIST CSF 2.0 is near: A lot has changed in 5 years
Matt Rose, Field CISO, ReversingLabs
In this episode, Matt gives an overview of the National Institute of Standards and Technology's (NIST's) newest version of its Cybersecurity Framework (CSF). He points out what's new in CSF 2.0, such as the addition of governance as a discipline, plus a greater focus on software supply chain security.