- Start Time: 10:10 AM
- End Time: 11:00 AM
- Day: Day 2
- Risk Explorer for Software Supply Chain (Piergiorgio Ladisa from SAP France)
Open-Source Software (OSS) has become pervasive in contemporary applications, often comprising over 90% of the code in commercial software. Its widespread adoption spans the entire technology stack and the various stages of development and operations. Given the intricate nature of the modern software supply chain, malicious actors find numerous entry points to introduce harmful code into open-source components, thereby compromising downstream users.
During this presentation, we introduce the Risk Explorer for Software Supply Chains, a tool enabling interactive exploration of a comprehensive and technology-agnostic taxonomy outlining methods through which attackers introduce malicious code in the software supply chain. We further showcase its practical applications in industrial contexts.
- Security bill of materials and continuous threat analysis (Riccardo Scandariato from TUHH)
Architectural threat and risk analysis is one of the pillars of software security. However, integrating this practice into continuous software development remains a challenge. In this panel contribution, we will discuss how automated techniques can be leveraged to seamlessly extract a so-called security bill of materials and to continuously link architectural security properties (as well as issues) to the code base.
- Mandatory updates and EU Regulation (Prof. Fabio Massacci from VU Amsterdam)
The EU is implementing new regulations that require mandatory software updates. These regulations pose a challenge for software companies that need to keep up with the fast-paced development and use of multi-party open software and services. The AssureMOSS project is developing automated techniques to help companies comply with the new regulations and create more secure software.