    ConversingLabs Podcast

    ConversingLabs Podcast brings you conversations with the best and brightest minds in malware analysis, threat hunting, incident response and software assurance. Hosted by Paul Roberts, Cyber Content Lead at ReversingLabs, ConversingLabs digs into the cutting-edge topics that are most pressing in the world of cybersecurity.

    Episodes (35)

    The State of Software Supply Chain Security 2024

    In this episode, host Paul Roberts chats with Karlo Zanki, a Reverse Engineer at ReversingLabs, about the state of software supply chain security in 2024. The two will review key findings on the software supply chain threat landscape in 2023, as well as what security and development teams can expect from malicious actors in 2024. Zanki will also highlight several of the major software supply chain security incidents discovered by RL threat researchers in the past year.

    The State of Open Source Software Security

    In this episode, host Paul Roberts chats with Mikaël Barbero, Head of Security at the Eclipse Foundation, about the state of open source software security. Eclipse has been around for more than two decades and has long prioritized mitigating threats to open source projects. In their conversation, Mikaël chats with Paul about where Eclipse stands today, the threats currently facing open source repositories, and how nation-states and international organizations are working to combat them.

    Apple Devices as a Growing Attack Vector

    In this episode, host Paul Roberts chats with Devin Byrd, Director of Threat Intelligence at Kandji, on the sidelines of the 2023 Black Hat USA conference. In their conversation, Byrd discusses how Kandji has grown into a major security provider for macOS users, and how attacks on macOS and iOS users have increased in recent years. He explains that the days when these devices only had to contend with adware and junkware are over: macOS devices are now being targeted with malicious backdoors and even software supply chain attacks.

    The Art of Security Chaos Engineering

    In this episode, host Paul Roberts chats with Kelly Shortridge, a Senior Principal at Fastly, on the sidelines of the 2023 Black Hat USA Conference. In their conversation, they discuss her new book, Security Chaos Engineering: Sustaining Resilience in Software and Systems, as well as her Black Hat talk, “Fast, Ever-Evolving Defenders: The Resilience Revolution.”  

    Modern Risks to the Internet of Things and Software Supply Chains

    In this episode of ConversingLabs, host Paul Roberts chats with Thomas Pace, the CEO & co-founder of the firmware security firm NetRise. Thomas and Paul talk about the shifting ground of threats and attacks as the Internet of Things grows and works its way into homes, businesses and industries - including critical infrastructure. They also talk about the growing specter of software supply chain threats and attacks. 

    Creating the Standard for Supply Chain Risk

    In this episode, host Paul Roberts chats with Robert Martin of MITRE and Cassie Crossley of Schneider Electric about their session at this year’s RSA Conference. They explain how MITRE’s System of Trust can serve as a standard for software supply chain risk. The two also chat with Paul about the broader issues facing software supply chains today, such as standardization and transparency.

    SBOM skeptics and talks about the importance of software supply chain transparency

    In this special Café edition of ConversingLabs, host Paul Roberts interviews Joshua Corman, Vice President of Cyber Safety Strategy at Claroty and Founder of I Am The Cavalry, on the sidelines of the RSA Conference 2023 in San Francisco. Josh speaks with Paul about his RSAC track session, The Opposite of Transparency, which takes on skepticism of software bills of materials (SBOMs) and makes an argument for greater transparency around software supply chain risk.

    Contextualizing the National Cybersecurity Strategy

    In this episode, host Paul Roberts chats with Devin Lynch, Director of Supply Chain and Technology Security for the Office of the National Cyber Director, about the National Cybersecurity Strategy released by the White House last month. They discuss the motivations behind this policy move, what its impact will be in the short and long term, as well as what else the federal government plans to prioritize in this area. Lynch also details upcoming plans the federal government has to better secure open source software as a part of the greater effort to secure software supply chains.  

    The Future of Bug Bounties

    In this episode, host Paul Roberts chats with Katie Moussouris, CEO and Founder of Luta Security. Moussouris has a robust background in creating and running bug bounty programs as well as in professional hacking. In their conversation, she discusses the evolution of professional hacking and how important bug bounty programs have become to the cybersecurity field. She also highlights the problems these programs have faced, as well as how they can help identify risks in other spaces such as software supply chains. Finally, Moussouris paints a picture of what the future holds for bug bounties and the role of professional hackers.

    The Road to Software Supply Chain Security Compliance

    In this episode, host Paul Roberts chats with Steve Lasker, a former Azure Program Manager with over 20 years of experience at Microsoft. Lasker draws on his industry experience to explain how the effort to secure software has evolved into what it is today. He then explains how government standards for software supply chain security around the world will benefit the industry and cause a major shift in the market. He argues that the software providers who achieve the highest level of compliance in this area will succeed, given the concern companies now have about software supply chain attacks, and about being held liable for them.

    A Closer Look at the Enduring Security Framework’s Guidance

    The U.S. Federal Government's Enduring Security Framework (ESF) Working Panel released guidance on "Securing The Software Supply Chain" in September 2022. The ESF is made up of both government officials and industry practitioners, and the guidance was written with the intention of being a "practical guide" for software developers.

    In this episode, host Paul Roberts chats with ReversingLabs Field CISO Matt Rose about the ESF's guidance: what it entails, whether it is actually helpful to software developers, and who should be paying attention to it.

    ZetaNile - Open Source Software Trojans

    In September 2022, Microsoft released a report on a group it tracks as ZINC (also known as Lazarus), a state-sponsored group out of North Korea. The report details how ZINC has been using a set of trojanized, open source software implants dubbed ZetaNile (also known as BLINDINGCAN) to attack a number of organizations since June 2022.

    The ReversingLabs Research Team decided to investigate ZINC’s use of ZetaNile, and the investigation produced several useful findings. In this conversation, host Paul Roberts chats with Joseph Edwards, a ReversingLabs Malware Researcher, about what the investigation found. They discuss how the malicious actors pulled off these attacks, where the malicious code resides in the open source software, and how these implants serve the criminals’ goals.

    The Silent Epidemic of Business Email Compromise (BEC) Attacks

    Online fraud is among the most pernicious and devastating forms of cybercrime, measured by the financial and psychological toll it takes on victims. Phony tech support, online romance and business email compromise scams drain billions from our economy annually and take a huge toll on families, businesses and communities. And yet, it is often overlooked by cybersecurity experts and the larger information security industry. Scams, which frequently hinge on human frailty rather than the manipulation of software, are deemed unworthy of the attention of cybersecurity experts. Victim blaming is rife. But that dismissive attitude misses the point of these attacks and their impact.

    In this episode of ConversingLabs, we’re going to go deep on scams with Ronnie Tokazowski. Ronnie is a Principal Threat Advisor at the firm Cofense and is widely recognized as “That BEC guy,” an expert in Business Email Compromise scams. Ronnie also hosts a YouTube channel, RonnieRants, where he explores issues related to cybercrime, online scams and more.

    Don’t Sleep on SBOMs

    Software Bills of Materials (SBOMs) are a helpful first step for an organization looking to secure its software supply chain. An SBOM serves as an ingredients list, pointing out all of the components that make up a software product, such as open source software packages, third-party software and more. Federal guidance in the U.S. now strongly recommends the use of an SBOM by both software publishers and consumers.

    In this episode, host Paul Roberts chats with ReversingLabs Software Assurance Evangelist Charlie Jones on all things SBOM: what they are, how they are beneficial, who needs one, and more.

    Firmware Supply Chain Risks

    Supply chain attacks are not limited to SaaS (software-as-a-service) applications. Specific kinds of software, such as firmware, are also at risk of supply chain attacks. Firmware is typically used to control hardware devices and sits at a lower level, connecting the hardware to the operating system and the higher-level software that runs on it.

    It is important for the cybersecurity and application security industries to pay attention to this area of potential risk and to come up with mitigation strategies. That is why, in this episode, Alex Matrosov, founder and CEO of Binarly.io, joined us to explain the risks to firmware and how we can better secure it against supply chain attacks.

    © 2024 Podcastworld. All rights reserved
