President Biden’s May 2021 “Executive Order on Improving the Nation’s Cybersecurity” was, at 34 pages, unusually long for a presidential executive order. That’s in large part because it addressed a lot of topics.
But just one of those topics—securing the software supply chain—produced guidance on cybersecurity supply chain risk management from the National Institute of Standards and Technology that was nearly 10 times as long, at 326 pages.
The guidance goes into exhaustive depth and detail, but Tim Mackey, principal security strategist within the Synopsys Cybersecurity Research Center, read the whole thing and even annotated it.
In this first of two episodes of AppSec Decoded, recorded live at RSA 2022 in San Francisco, Mackey and Taylor Armerding, security advocate at Synopsys, discuss the overall focus of that guidance: How to build processes and programs around risk-based principles. That means setting priorities to fix what are the greatest risks to an organization and understanding that a software risk is a business risk.