C4DT Conference on Software Supply Chain Security

March 30th, 2023, Swiss Tech Convention Center, EPFL
The past two years saw a new class of vulnerability make headlines: the software supply chain. Events such as the SolarWinds and Kaseya cyberattacks or the discovery of the Log4j vulnerability forced organizations to reevaluate their cyber risk exposure.
This one-day conference provides a platform for academia, government, business, NGOs and standard-setting bodies to shed light on software supply chain risks, to outline persisting challenges, and to discuss mitigation tactics, solutions, and best practices as well as emerging frameworks and standardization initiatives.
This event is organized by the Center for Digital Trust (C4DT).
Registration
The on-site event is limited to approx. 80 attendees and preference will be given to the C4DT community. Nevertheless, you may apply for a spot via the “request onsite participation” button. You will receive an email to confirm your participation. On-site participation will allow you to interact with the speakers and network with peers. A standing lunch and coffee will be provided for all on-site participants.
The conference will be streamed live via Zoom. To register and obtain your link for the webinar please click on the “Zoom Link” button. Registration is free but mandatory.
Schedule
08h45
Welcome Coffee
09h15
Welcoming Words
Part 1: Understanding the risks landscape
We face a complex web of interdependence for both hardware and software. A supply chain of software code is behind any application or service delivered. And that software supply chain is only as strong as its weakest link – with attackers taking advantage of any weaknesses. Where do the key software supply chain vulnerabilities lie? How might we understand the threat actors’ mindset?
09h20
Introductory talk: Setting the scene on software supply chain risks
by Prof. Mathias Payer, Head of the HexHive Lab, EPFL
09h35
Talk: Inside the hacker’s mind – How do criminals operate? 2010 versus 2023
by Ege Balci, Threat Intelligence Team Lead, Prodaft
10h05
Talk: Inside the hacker’s mind – Learning from the case study on the TA551 group
by Berk Albayrak, Threat Intelligence Analyst, Prodaft
10h30
Networking coffee
Part 2: Exploring the challenges
What are the main barriers to mitigating software supply chain vulnerabilities? From software developers across suppliers to customers: What are the key challenges they are facing and how are they addressing them? A focus on open source software security will provide additional insights and help to explore different perspectives.
11h00
Panel: Insights from three stakeholder groups – software developers, suppliers and customers
What are the key challenges different stakeholders are facing in advancing software supply chain security and how are they addressing them?
Moderated by Daniel Saraga, Founder, Saraga Communications
Panelists
Alban Hessler, Senior Manager Advisory and Professional Services, ELCA Security
Siddhartha Rao, Vice President, Product Security, SAP
Mauro Vignati, Adviser Digital Technologies of Warfare, International Committee of the Red Cross (ICRC)
11h50
Talk: Open Source Software Supply Chain Security
by David A. Wheeler, Director of Open Source Supply Chain Security, Linux Foundation
On average 80%-90% of the components of today’s software are open source software (OSS). This presentation will discuss OSS supply chain security, including the most common attacks and the countermeasures against them. It will especially focus on the work being done by the Linux Foundation Open Source Security Foundation (OpenSSF) to improve OSS supply chain security, including Supply-chain Levels for Software Artifacts (SLSA), concise guides, education, Scorecards, the Best Practices Badge, Sigstore (for digital signing and verification), and giving multi-factor authentication (MFA) tokens to some widely-used OSS projects.
12h15
Talk: Open source software security and threat detection – an entry point for assault or remedy?
by Alexandre Dulaunoy, Core Team Member, MISP, and Security Researcher, Computer Incident Response Center Luxembourg (CIRCL)
12h40
Networking lunch
Part 3: Implementing solutions and best practices
13h50
Talk: Building better foundations for secure software systems
by Prof. Shweta Shinde, Head of the Secure & Trustworthy Systems Group, ETH Zürich
14h15
Panel: Advancing the practical implementation of SBOMs and international standards
Moderated by Prof. Mathias Payer, Head of the HexHive Lab, EPFL
Panelists
Hakim Mkinsi, Technical Programme Manager, ISO
Christoph Plutte, Master Security Specialist, Ericsson Product Security Incident Response Team, Ericsson
Vladimir Radunovic, Director, E-diplomacy and Cybersecurity Programmes, DiploFoundation
15h05
Networking coffee
Part 4: The Future of software supply chain security
15h30
Keynote: [Title to be confirmed]
by Florian Schütz, Federal Cyber Security Delegate, Swiss Federal Administration
16h05
Panel: Exploring the future of software supply chain security
From public-private collaboration across geopolitics to new approaches to data and information supply chain security or an evolving view of open source libraries as critical infrastructure, what factors will impact the future of software supply chain security?
Moderated by Daniel Saraga, Founder, Saraga Communications
Panelists
Tony De Bos, VP of Global Advisory, Kudelski Security
Stéphane Duguin, Chief Executive Officer, CyberPeace Institute
Prof. Mathias Payer, Head of the HexHive Lab, EPFL
Florian Schütz, Federal Cyber Security Delegate, Swiss Federal Administration