Cassie Crossley on Cybersecurity Challenges in Modern Supply Chains
Supply Chain Security: A Complex Web of Risks and Responsibilities
The supply chain for a single device involves thousands, potentially millions of people over time. It's far too large a topic to fully grasp everything. I talk daily with folks about hardware specifics, human rights management, materials, chemical makeups and more. It's much more than just the bits and bytes we normally see.
For those producing or purchasing products, it's critical to understand what you're getting into. CISOs and CIOs don't always realize the implications when buying a printer, phone, or IoT devices for their companies - not just software.
The difference between IoT and OT (operational technology) products is key. OT runs our critical infrastructure, factories, utilities, and building management systems. You don't want auto-updates on these due to safety concerns. Most shouldn't be directly internet-connected.
When designing products 15-20 years ago, cybersecurity wasn't top of mind. Now we have standards like the OWASP Top 10 and MITRE's Attack Surface to guide secure design. Following industrial control standards like ISA/IEC 62443 is crucial.
Developers need to realize the impact of their work. They're now like doctors with a scalpel, but often lack that level of training. We have a responsibility and due care that we as developers and engineers now need to follow.
Understanding the threat model, doing simulations and pen tests, and simply walking through scenarios is essential. Asset inventories are critical - if you don't know what you have, you don't know your exposure.
Chapters:
00:00 Navigating Supply Chain Complexity: Focusing on Key Interests
03:39 Complexity of Supply Chains: Many People Involved
08:48 Advancing Secure Design with Industrial Standards
12:14 Vulnerabilities in Software Distribution Methods
14:48 Supply Chain Risks: Espionage and Insider Threats
17:47 Ensuring Effective Separation in Build Management
23:17 Unvetted Code: The Hidden Security Risk for Developers
25:32 Ensuring AI Security: Importance of Developer Training
30:14 AI Startups Enhancing Developer Efficiency with Vulnerability Fixes
31:36 Finding Joy in Your Career Focus
34:38 Growing Without Leaving: Advancing Within Your Company