Secure Software Development and a Zero Trust Supply Chain | Episode #97

How does secure software development work for industrial products (SDLC) and what is a zero-trust supply chain? Gonda Lamberink of Fortress Information Security leads us on a deep dive of what’s new in secure software development, and especially how supply chain security is impacting that lifecycle.

Listen now or Download for later

THE INDUSTRIAL SECURITY PODCAST HOSTED BY ANDREW GINTER AND NATE NELSON AVAILABLE EVERYWHERE YOU LISTEN TO PODCASTS

Gonda’s background is a little unusual for this show. Unlike the deep technical background we see for a lot of our guests, Gonda started her career as a lawyer and an economist with the United Nations, working on human rights and trade policy. Today, she sits between technical and business and executive teams and helps them connect the dots on supply chain risks in industrial security hardware and especially software products. Which only goes to show that the industrial security space is both broad and deep – we need lots of different kinds of people with lots of different kinds of perspectives to make industrial security work.

Secure Software Development Lifecycle (SDLC)

Gonda starts with a discussion of the secure software development lifecycle for industrial security products. She points out that the lifecycle is on-going – it is not something confined to the “development” phase of a product, where we figure out security requirements and implement them along with other product requirements. In particular – managing product security against a changing threat environment happens over the life of the product. From the mundane – security updates when security researchers, or worse cyber attackers, find vulnerabilities, to the arcane, where entirely new kinds of attacks are invented by our enemies and we have to evaluate our existing product against those threats, and possibly evolve the product in real time to address them. And certainly communicate with our customers throughout as these “situations” develop.

Zero Trust in The Supply Chain

Gonda then leads us into the concept of zero trust. Now – zero trust is a buzz word that started out with a specific meaning, but today is used to mean lots of different things. In this interview, Gonda looks at whether and why and how much we should trust our software suppliers, and in turn, how much our customers should trust us. Software Bill of Materials (SBOMs) are a big part of how vendors understand how vulnerable is the software they are buying and embedding into products, and an increasingly big part of how industrial product vendors’ customers look at those vendors products and try to understand how secure they are, and how committed the vendors are to security.

SBOMs, however, used to be seen by most industrial vendors as a trade secret – part of their proprietary intellectual property. Increasingly this is no longer the case, as governments and other customers large and small are demanding visibility into vulnerabilities that might be propagating through the software supply chain. Gonda gives an interesting analogy – she points out that food and beverage vendors are required by law in most jurisdictions to provide consumers with a list of ingredients in all products sold. This is analogous to the SBOM – it is far from a recipe as to how to build the industrial product, it is only a list of ingredients.

Looking Forward with Secure Software Development

After much more discussion, Gonda wraps up by pointing out that increasingly customers are becoming much less blindly trusting of suppliers, and are insisting on SBOMS and other kinds of visibility into their supply chain, and especially the open source parts of that supply chain. And she reminds us that this is one of many scopes of practice for Fortress Information Security, and that they stand ready to help if vendors or owner/operators want to dig into the problem in much greater depth.