President Biden’s May 2021 “Executive Order on Improving the Nation’s Cybersecurity” put a major focus on securing the software supply chain. It also yielded a major document a year later from the National Institute of Standards and Technology—326 pages of guidance on software supply chain risk management.
In this second of two episodes of AppSec Decoded, recorded live at RSA 2022 in San Francisco, Tim Mackey, principal security strategist within the Synopsys Cybersecurity Research Center, and Taylor Armerding, security advocate at Synopsys, continue their conversation on how the guidance can help any organization.
For example, risk management means knowing the risk profile of an organization. A vulnerability in a software product may be labeled medium severity in a generic, context-free sense by the National Vulnerability Database. But the same vulnerability could pose a critical risk for one organization and a low risk for another that has other mitigations in place.
How do you know what you should prioritize? Even for a catastrophic vulnerability like Log4Shell, which everybody needs to fix, one fix doesn’t fit all.
The conversation explores questions such as, Is a fix a patch? Is a fix a mitigation? Is a fix a set of mitigations? Does it include monitoring? “Now we’re starting to talk in risk-based terms,” Mackey said. “And that’s going to help people figure out where to start.”