With the June deadline for CISA's Secure Software Development Attestation Form looming, Lineaje conducted a survey at RSA Conference 2024 to see just how prepared companies were. In this episode, Nick Mistry, SVP and CISO at Lineaje, discusses the survey findings, the requirements for complying with the deadlines, and how Lineaje is helping companies secure their software supply chain. On the survey findings, he says, “We were surprised by the fact that about 80% of the respondents were not familiar with the recent Executive Order (EO).”
Findings from Lineaje’s survey and awareness of recent executive orders
- Mistry explains that they surveyed cybersecurity professionals at the RSA conference to gauge awareness of U.S. government and Cybersecurity and Infrastructure Security Agency (CISA) efforts to ensure software producers provide attestation letters and comply with software supply chain security requirements.
- Mistry was somewhat surprised to find that while companies acknowledged the need for security, many were still in the early stages of awareness and implementation of software bills of materials and supply chain security measures.
- Mistry noted they expected awareness of software supply chain security risks but were surprised that about 80% of respondents were unfamiliar with EO 14028 and CISA requirements.
- Mistry explains how the security industry can bridge the gap between government mandates and consumer awareness, emphasizing the importance of outreach and awareness.
Upcoming deadlines for software supply chain compliance
- Incidents like SolarWinds and Log4j stress the need for securing the supply chain. He feels that the industry should formalize software supply chain security as its own discipline to address these challenges more effectively.
- Mistry discusses the June 11 deadline, saying that while companies providing critical software to the government are likely to meet this initial deadline, many companies may not meet even the second deadline in September.
- The second deadline requires companies to attest, per EO 14028, that their build pipeline is secured, their software supply chain is validated, software provenance is maintained, and a timely vulnerability disclosure program is in place.
- It is crucial for companies to ensure compliance before signing the attestation letter due to liability concerns. He explains how Lineaje is helping clients automate compliance processes to confidently meet these requirements.
How Lineaje helps customers secure their software supply chain
- Lineaje helps companies understand their software’s components and verify the integrity of each component from development to deployment. Mistry explains how this ensures the software supply chain’s security.
- Mistry discusses the government’s influence on security standards, emphasizing Lineaje’s active role in government working groups to develop standards and improve industry security practices and compliance through feedback.
- Mistry emphasizes that viewing security as critical to business rather than just a compliance requirement is crucial. He highlights a cultural shift towards understanding security as a business enabler.
Importance of understanding supply chain security for AI applications
- Mistry talks about the post-executive-order evolution of Software Bills of Materials (SBOMs), highlighting ongoing efforts with CISA to enhance standards for accurate software documentation and effective risk management beyond the initial National Telecommunications and Information Administration (NTIA) minimum elements.
- Artificial intelligence (AI) and machine learning (ML) applications often consist of approximately 90% open-source components, making an understanding of supply chain security and its threats crucial.
- Mistry discusses how Lineaje uses AI to identify and remediate risks within software supply chains, including assessing compatibility, avoiding new risks, and addressing vulnerabilities without available patches.
- He emphasizes Lineaje’s ongoing efforts to use AI for swift fixes and contributions to open-source projects, demonstrating their commitment to managing open-source risks with AI-driven solutions.
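The two checks the episode keeps returning to, verifying the integrity of each component from development to deployment and keeping the SBOM an accurate record of what actually shipped, can be demonstrated in a few lines. The following Python is an added example written for this summary; it is not Lineaje's code or product logic. It constructs a minimal CycloneDX 1.5 JSON SBOM and a constructed set of fetched artifacts (all sample data, with the package URLs invented for illustration), then checks each listed component's recorded SHA-256 hash against the bytes the build actually pulled in, and also reports artifacts present in the build that the SBOM never mentions.

```python
import hashlib
import json

# Constructed artifacts standing in for the files a build actually fetched.
# Keys are package URLs (purl); values are the artifact bytes. All sample data.
FETCHED_ARTIFACTS = {
    "pkg:npm/leftpad@1.0.0": b"module.exports = function leftpad(s, n) { return s.padStart(n); }\n",
    "pkg:pypi/requests@2.31.0": b"# requests 2.31.0 sdist placeholder\n",
    "pkg:maven/org.example/util@3.2.1": b"PK\x03\x04 util-3.2.1.jar placeholder\n",
    # Fetched by the build but absent from the SBOM: a documentation gap.
    "pkg:npm/colors@1.4.0": b"module.exports = { red: (s) => s };\n",
}


def sha256_hex(data: bytes) -> str:
    """Hex SHA-256 digest, the algorithm CycloneDX records as 'SHA-256'."""
    return hashlib.sha256(data).hexdigest()


# Constructed CycloneDX 1.5 document. The first component's hash is correct,
# the second is deliberately wrong (a substituted artifact), and the third
# records no hash at all, so its integrity cannot be verified.
SBOM_JSON = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.5",
    "components": [
        {"type": "library", "name": "leftpad", "version": "1.0.0",
         "purl": "pkg:npm/leftpad@1.0.0",
         "hashes": [{"alg": "SHA-256",
                     "content": sha256_hex(FETCHED_ARTIFACTS["pkg:npm/leftpad@1.0.0"])}]},
        {"type": "library", "name": "requests", "version": "2.31.0",
         "purl": "pkg:pypi/requests@2.31.0",
         "hashes": [{"alg": "SHA-256", "content": "0" * 64}]},
        {"type": "library", "name": "util", "version": "3.2.1",
         "purl": "pkg:maven/org.example/util@3.2.1"},
    ],
})


def verify_sbom(sbom_json: str, artifacts: dict) -> dict:
    """Reconcile an SBOM with the artifacts a build actually fetched.

    Returns {purl: status} with status one of:
      'ok'               recorded SHA-256 matches the fetched bytes
      'hash_mismatch'    recorded SHA-256 differs from the fetched bytes
      'no_hash'          SBOM lists the component without any hash
      'unsupported_alg'  hashes present, but no SHA-256 to compare
      'missing_artifact' SBOM lists a component the build never fetched
      'not_in_sbom'      build fetched an artifact the SBOM omits
    """
    doc = json.loads(sbom_json)
    if doc.get("bomFormat") != "CycloneDX":
        raise ValueError("not a CycloneDX document")

    results = {}
    for comp in doc.get("components", []):
        purl = comp.get("purl") or f"{comp.get('name')}@{comp.get('version')}"
        recorded = {h["alg"]: h["content"].lower() for h in comp.get("hashes", [])}
        if purl not in artifacts:
            results[purl] = "missing_artifact"
        elif not recorded:
            results[purl] = "no_hash"
        elif "SHA-256" not in recorded:
            results[purl] = "unsupported_alg"
        elif recorded["SHA-256"] == sha256_hex(artifacts[purl]):
            results[purl] = "ok"
        else:
            results[purl] = "hash_mismatch"

    # Anything the build pulled in that the SBOM does not document.
    for purl in artifacts:
        if purl not in results:
            results[purl] = "not_in_sbom"
    return results


def blocking_findings(results: dict) -> list:
    """Components that should hold a release until resolved (everything not 'ok')."""
    return sorted(purl for purl, status in results.items() if status != "ok")


if __name__ == "__main__":
    res = verify_sbom(SBOM_JSON, FETCHED_ARTIFACTS)
    for purl, status in res.items():
        print(f"{status:17} {purl}")
    print("blocking:", blocking_findings(res))
```

Only the component whose recorded digest matches the fetched bytes passes; a wrong digest, a missing digest, and an undocumented artifact each surface as a separate finding, which is the distinction an attestation signer needs before claiming that provenance is maintained and the supply chain validated.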
Guest: Nick Mistry (LinkedIn)
Company: Lineaje (Twitter)
Show: Let’s Talk
This summary was written by Emily Nicholls.