Software Supply Chain Security
The way how commercial software is developed and deployed has changed significantly over the past years. Today, software vendors, in particular those that offer cloud services, make use of a rich ecosystem of 3rd party and open source components as well as a complex build, deploy, and operations infrastructure, that allows them to focus on their core expertise and accelerate their release processes. However, this approach also introduces numerous and complex dependencies, leading to new attack vectors emerging: the attacker does not target the code you develop, but also the code you consume through the software supply chain. To structure and understand supply chain attack vectors as well as the respective mitigation strategies, we introduce the Risk Explorer, a tool that defines a taxonomy of attacks as well as countermeasures and supports the user in addressing the supply chain risk for their development projects. The tool is available as open source itself and is continuously updated following the highly dynamic developments in the field.
Volkmar Lotz is Head of SAP Security Research, a group of researchers aiming at future-proofing SAP’s security and privacy, in line with SAP’s business and technology strategy and global trends, covering topics ranging from applied cryptography over securing AI applications to software security analysis. He has 30+ years’ experience in industrial research on Security and Software Engineering. His own research interests include Security Certification, Software Security, and application security. He is located in Sophia Antipolis, France. He contributes to shaping the European approach for Cloud Cybersecurity Certification by serving as a member of ENISA’s ad-hoc working group designing a European Cloud Cybersecurity Certification Scheme (EUCS) and by representing SAP in the European Stakeholder Cybersecurity Certification Group (SCCG), consulting the European Commission on certification strategies. Volkmar holds a diploma in Computer Science from the University of Kaiserslautern.