C4DT Conference on Software Supply Chain Security

March 30th, 2023, Swiss Tech Convention Center, EPFL

The past two years saw a new vulnerability make headlines: software supply chains. Events such as the  SolarWinds and Kaseya cyberattacks or the discovery of the Log4j vulnerability forced organizations to reevaluate their cyber risk exposure.

This one-day conference provides a platform for academia, government, business, NGOs and standard-setting bodies to shed light on software supply chain risks, to outline persisting challenges, and to discuss mitigation tactics, solutions, and best practices as well as emerging frameworks and standardization initiatives.

This event is organized by the Center for Digital Trust (C4DT).



Welcome Coffee


Welcoming Words

Part 1: Understanding the risks landscape

We face a complex web of interdependence for both hardware and software. A supply chain of software code is behind any application or service delivered. And that software supply chain is only as strong as its weakest link – with attackers taking advantage of any weaknesses. Where do the key software supply chain vulnerabilities lie? How might we understand the threat actors’ mindset?


Introductory talk: Setting the scene on software supply chain risks

by Prof. Mathias Payer, Head of the HexHive Lab, EPFL


Talk: Inside the hacker’s mind – How do criminals operate? 2010 versus 2023

by Ege Balci, Threat Intelligence Team Lead, Prodaft

This presentation will explore the evolution of cybercrime business models, including the emergence of Malware-as-a-service (MaaS) and Ransomware-as-a-service (RaaS) platforms, as well as credential markets and the latest trends in tailored corporate access and credential stuffing attacks.

It will also cover cutting-edge developments in the cybercrime space, such as the use of anonymity browsers and 2FA bypass methods. These techniques enable cybercriminals to evade detection and bypass two-factor authentication measures, which have traditionally been a strong defense against cyberattacks. Another key trend in the cybercrime space is the increasing targeting of corporations, with cybercriminals selling tailored access to corporate networks and launching credential-stuffing attacks. These attacks are highly effective, as they rely on the use of stolen login credentials, which are often weak or reused across multiple accounts.

Overall, the presentation will provide valuable insights into the evolving business models of cybercriminals and the latest techniques being used to launch cyberattacks. Attendees will gain a deeper understanding of the cybercrime landscape and the steps they can take to protect themselves and their organizations against cyber threats.


Talk: Inside the hacker’s mind – Learning from the case study on the TA551 group

by Berk Albayrak, Threat Intelligence Analyst, Prodaft

The year 2023 is predicted to be the most profitable year for cybercriminals through large-scale attacks. Especially a growing number of supply chain attacks became appealing for threat actors in this field, as they realised the scope of the attacks done through supply chain attacks and small points of access. 

Some cases, such as Kaseya, SolarWinds, and Colonial Pipeline, and vulnerabilities (e.g. Log4j) also attracted the attention of threat actors – by showing them the ways to succeed in this type of attack chain. Threat actors saw those attacks as an opportunity to further use them in 2023. For example, one of the threat groups that discovered this window of opportunity was TA551 and their collaborators. 

During this talk, the attendees can expect the following questions to be answered: How do the TA551 and their partners operate supply chain attacks? Which tools, techniques, and procedures do they use? Which countries and what type of institutions are being targeted?


Networking coffee

Part 2: Exploring the challenges

What are the main barriers to mitigating software supply chain vulnerabilities? From software developers across suppliers to customers: What are the key challenges they are facing and how are they addressing them? A focus on open source software security will provide additional insights and help to explore different perspectives.


Panel: Insights from three stakeholder groups – software developers, suppliers and customers

What are the key challenges different stakeholders are facing in advancing software supply chain security and how are they addressing them?

Moderated by Daniel Saraga, Founder, Saraga Communications


Alban Hessler, Senior Manager Advisory and Professional Services, ELCA Security

Siddhartha Rao, Vice President, Product Security, SAP

Mauro Vignati, Adviser Digital Technologies of Warfare, International Committee of the Red Cross (ICRC)


Talk: Open Source Software Supply Chain Security

by David A. Wheeler, Director of Open Source Supply Chain Security, Linux Foundation

On average 80%-90% of the components of today’s software are open source software (OSS). This presentation will discuss OSS supply chain security, including the most common attacks and countermeasures against them. It will especially focus on the work being done by the Linux Foundation Open Source Security Foundation (OpenSSF) to improve OSS supply chain security, including Supply chain Levels for Software Artifacts (SLSA), concise guides, education, scorecards, best practices badge, sigstore (for digital signing and verification), and giving multi-factor authentication (MFA) tokens to some widely-used OSS projects.


Talk: Open source software security and threat detection – an entry point for assault or remedy?

by Alexandre Dulaunoy, Core Team Member, MISP, and Security Researcher, Computer Incident Response Center Luxembourg (CIRCL)


Networking lunch

Part 3: Implementing solutions and best practices


Talk: Building better foundations for secure software systems

by Prof. Shweta Shinde, Head of the Secure & Trustworthy Systems Group, ETH Zürich

Software systems are ever-growing in size and complexity while being rife with vulnerabilities. Patches and defenses are continuously deployed, but the software attack surface is extremely large and attackers invariably find ways to gain a persistent foothold. An effective way to end the arms race between vulnerabilities and defense tools is by isolating the software using trusted hardware. With such isolation, what is the least amount of code that needs to be bug-free to securely run user applications? At the moment, even after using trusted hardware, this number can be upwards of a few million lines of code. Can we do any better?

In this talk, I will present a foundational approach to safeguard applications against large and potentially buggy software using trusted hardware.


Panel: Advancing the practical implementation of SBOMs and international standards

Moderated by Prof. Mathias Payer, Head of the HexHive Lab, EPFL


Hakim Mkinsi, Technical Programme Manager, ISO

Christoph Plutte, Master Security Specialist, Ericsson Product Security Incident Response Team, Ericsson

Vladimir Radunovic, Director, E-diplomacy and Cybersecurity Programmes, DiploFoundation


Networking coffee

Part 4: The Future of software supply chain security


Keynote: Cybersecurity – a Swiss perspective

by Florian Schütz, Federal Cyber Security Delegate, Swiss Federal Administration


Panel: Exploring the future of software supply chain security

From public-private collaboration across geopolitics to new approaches to data and information supply chain security or an evolving view of open source libraries as critical infrastructure, what factors will impact the future of software supply chain security?

Moderated by Daniel Saraga, Founder, Saraga Communications


Tony De Bos, VP of Global Advisory, Kudelski Security

Francesca Bosco, Senior Advisor, CyberPeace Institute

Prof. Mathias Payer, Head of the HexHive Lab, EPFL

Florian Schütz, Federal Cyber Security Delegate, Swiss Federal Administration


Wrap up and thank you


Conference end