Anthony Harrison, APH10
The second day of the Nordic Software Security Summit didn’t disappoint with more great presentations and stimulating discussions. It was great to see the community sharing knowledge in areas such as improving testing and the use of digital signatures as well as developing solutions to make the capturing and managing Software Bill of Materials (SBOMs) and associated artefacts as efficient as possible.
There were two tracks today which meant I had to miss some interesting presentations but hopefully the slides will be available in the next few days which will allow me to catch up on the sessions I missed.
Some key takeaways from the presentations that I attended include:
🎯 Testing is hard and it is difficult to ensure that the coverage of the tests is sufficient. Automating test generation from an abstract model of a software application or its specification will significantly help and with the right tools the resilience of software can be improved.
🎯 Using digital signatures on their own will not make software more secure. But by using signatures for code with appropriate controls will certainly help improve the trustworthiness of software artefacts.
🎯 Appropriate legislations based on analysis of existing behaviour can bring benefits if delivered competently.
🎯 The software supply chain is over complex and the opportunities for inconsistencies in SBOMs and associated items will be amplified unless a comprehensive toolchain is implemented across all of the development teams.
🎯 One SBOM is not enough. Choosing the right type of SBOM is essential for effective risk management.
🎯 There are a lots of valuable lessons to be learnt from the Log4Shell vulnerability in 2021. Controlling feature bloat, improved testing and updated release processes will significantly help address future vulnerability remediation activities.
It was good to see that innovation in cybersecurity in Sweden is being actively encouraged (and funded!) particularly in the growth of knowledge, skills, cyber risk management and the capacity to meet the needs to support the legislations such as NIS2, DORA and CRA.
Finally it was great to see that SBOM EUROPE has now been launched and I look forward to seeing a growing community to help organisations meet the challenges in improving the security and resilience of software to meet the growing needs of legislation.
Thanks to Olle E Johansson for putting together a great conference and I look forward to seeing further progress at next year’s Nordic Software Security Summit.
This summary was first published on LinkedIn.
