Tuesday, October 10, 2023
When risk becomes reality: Overcoming a third-party security crisis

We spend a lot of time talking about how organizations can shore up their vendor security assessments and enforce cyber policies with business partners in order to minimize their exposure to third-party risk. But despite our best efforts, attacks WILL happen, so what do you do when a close partner of yours experiences a full-scale cyber emergency?

This session will address the tough questions, like what kind of timely intelligence you should expect to receive from the affected partner, what recourse you have to mitigate your own risk and when it's time to end a third-party relationship or pursue legal action due to blatant cyber negligence.

Elizabeth Bemah Amankwah
Seeking safer shortcuts for devs: Snyk’s 2023 state of open source security report

Open source code provides developers with the shortcuts they need to innovate and iterate faster. But due to a host of open source vulnerabilities, some shortcuts are safer than others. Metaphorically speaking, are your organization’s developers taking a well-lit, mapped-out shortcut, or straying down a mysterious, risky, and foreboding path?
Snyk's "2023 State of Open Source Security Report" explores the adoption of
security tools, practices, and technologies, as well as the impact of automation and
AI in software development. Leveraging findings from both a survey of security practitioners from organizations across the United States and anonymized Snyk product usage data, the report reveals that the software supply chain is lagging in terms of the adoption of fundamental security measures and tools, such as software composition analysis and static application security testing.
Join this webcast to learn more about the report's key takeaways, including:
• Why supply chain and open source security tools can’t keep up with the pace of development, and why organizations are failing to fully shift left
• How organizations are responding to recent attacks by ramping up their code scanning and SBOM efforts, while adopting more formal software supply chain security programs
• The mixed impact of AI, and how usage can reduce the burden on security-minded developers, but also potentially introduce additional vulnerabilities or create false alerts

Jamie Smith
Factoring supply-chain risk into cyber insurance coverage

This informative session will examine how cyber insurance firms are factoring third-party and supply-chain risks into their coverage and payouts. To qualify for coverage, it may no longer be enough to show that you have reached or exceeded compliance with insurance industry standards. You may have to show that the partners you work with aren't drastically altering your risk profile.

Joseph Brunsman
The intersection of CMMC compliance & third-party risk

As of 2025, all defense contractors who are members of the defense industrial base will be expected to follow the Department of Defense's Cybersecurity Maturity Model Certification (CMMC) as a means of assessing their compliance with current governmental security requirements. And there's no question that third-party risk must be factored into this critical assessment. This session will look at the intersection between CMMC compliance and third-party/supply-chain security practices, and how even organizations outside the DIB can learn and improve their supply chain security practices from this Herculean effort.

Christina Bray
Wednesday, October 11, 2023
Best supply chain security practices for CI/CD pipelines

In August 2023, NIST published an initial draft of a document that recommends actionable measures for integrating the fundamentals of software supply chain security assurance into CI/CD pipelines to prepare organizations that plan to deploy cloud-native applications. This session will feature one of this paper’s key authors, NIST’s Ramaswamy Chandramouli, who will detail these recommendations and explain how they can help organizations better comply with the tenets of Executive Order 14028 and NIST’s Secure Software Development Framework (SSDF).

Enforcing least privilege

Join Delinea’s Chief Security Scientist and Ethical Hacker Joseph Carson as he explains how a ransomware attack progresses from initial credential compromise to escalated privileges, exfiltrated data, and ultimately the ransomware deployment and ransom demand.

Joseph Carson
What's the prognosis? An examination of Health3PT's supply-chain security efforts

Health3PT, aka the Health 3rd Party Trust Initiative, has brought together thought leaders from across the healthcare industry to tackle the ever-prevalent problem of third-party information security risk. This session will look at how this initiative is progressing in its mission to encourage best practices that will lead to -- in the words of the organization's website -- "more reliable assurances, consistent information security program reporting, and better visibility into downstream relationships with third parties and beyond."

Glen Braden, John Houston, Matthew Webb
How managed services make 3rd-party risk assessments repeatable and scalable

It sounds ironic, maybe even a little paradoxical, but it might just take hiring a third party to help an organization assess and mitigate the risk posed by their other third-party partners. For organizations that cannot or prefer not to spearhead this task internally, MSSPs can provide a scalable and consistent third-party risk assessment program that yields insightful, enforceable and actionable recommendations. This session will examine the benefits of having MSSPs evaluate third-party partnerships that exist outside of their clients’ organizational boundaries, plus best practices when conducting outsourced risk assessments.

Craig Searle