Below the Surface (Audio) - The Supply Chain Security Podcast

Eclypsium
May 31, 2023 • 58min

SCRM and Supply Chain Security Up and Down the Stack - Steve Orrin - BTS #11

Supply Chain threats and industry / government initiatives like EO 14028 are driving a deeper understanding and a set of requirements for applying supply chain risk management (SCRM) and increased transparency (ex. SBOM) across the software ecosystem up and down the stack. Platform and system firmware present unique challenges for supply chain assurance from the depths of the stack.

Segment Resources:
ESF: Securing the Software Supply Chain for Customers
https://media.defense.gov/2022/Nov/17/2003116444/-1/-1/0/ESF_SECURING_THE_SOFTWARE_SUPPLY_CHAIN_CUSTOMER_SLICKSHEET.PDF
https://media.defense.gov/2022/Nov/17/2003116445/-1/-1/0/ESF_SECURING_THE_SOFTWARE_SUPPLY_CHAIN_CUSTOMER.PDF
ESF: Securing the Software Supply Chain for Suppliers
https://media.defense.gov/2022/Oct/31/2003105572/-1/-1/0/ESF_SECURING_THE_SOFTWARE_SUPPLY_CHAIN_SUPPLIERS_SLICKSHEET.PDF
https://media.defense.gov/2022/Oct/31/2003105368/-1/-1/0/SECURING_THE_SOFTWARE_SUPPLY_CHAIN_SUPPLIERS.PDF
ESF: Securing the Software Supply Chain for Developers
https://media.defense.gov/2022/Sep/01/2003068942/-1/-1/0/ESF_ SECURING_THE_SOFTWARE_SUPPLY_CHAIN_DEVELOPERS.PDF
CISA SBOM Site
https://www.cisa.gov/sbom

Show Notes: https://securityweekly.com/bts-11
May 17, 2023 • 60min

Learning About Firmware Security - Xeno Kovah - BTS #10

Firmware security is a deeply technical topic that's hard to get started in. In this talk, Xeno will discuss some past work in firmware security, and how he has organized resources such as a low level timeline (with over 300 talks), and free MOOC classes, to help teach people about firmware security. Segment Resources: https://ost2.fyi https://darkmentor.com/timeline.html Show Notes: https://securityweekly.com/bts10
May 3, 2023 • 1h

Accidentally Learning about Security: From Firmware to the Cloud, Brian Richardson - BTS #9

Brian Richardson didn't start out wanting to do marketing or computer security... but after starting his career as a BIOS programmer, he tripped and fell into technical marketing (aka "Binary to English translator"). Brian's here to talk about the importance of hardware & firmware security in a SaaS world.

Segment Resources:
https://www.youtube.com/watch?v=I2FwiEH6dg4
https://www.youtube.com/watch?v=i9PrWw4ljeg
https://medium.com/intel-tech/security-built-on-a-foundation-of-trust-1fa1dbb74cbc
https://archive.fosdem.org/2020/schedule/event/firmware_culisfu/

Show Notes: https://securityweekly.com/bts9
Apr 19, 2023 • 57min

BTS #8 - Richard Hughes

The LVFS is a project used by over 130 different vendors, from all positions of the supply chain. It decompresses, decompiles, then analyses firmware looking for issues, and then automatically builds an SBoM for each download. Segment Resources: https://fwupd.org/ https://github.com/fwupd Show Notes: https://securityweekly.com/bts8
Apr 5, 2023 • 48min

Nicholas Starke - BTS #7

Discuss current events in firmware security, such as the techniques utilized in BlackLotus. We will compare Baton Drop with Grub2 capabilities. Segment Resources: https://starkeblog.com/ Show Notes: https://securityweekly.com/bts7
Mar 22, 2023 • 55min

BTS #6 - Vincent Zimmer

This session will provide an overview of the history of host firmware, or BIOS, focusing on the arc of the Unified Extensible Firmware Interface. It will include the development of defenses like UEFI Secure Boot and the challenges in scaling assurance across a broad ecosystem. It will close on works-in-progress and opportunities to build upon the school-of-hard-knocks learnings in this space. Show Notes: https://securityweekly.com/bts6
Mar 8, 2023 • 44min

BTS #5 - Community Insights: Supply Chain Threats, Critical Firmware Attacks, and more!

In this edition of Below The Surface, we discuss insights Scott collected from various members of our community. Topics include supply chain threats, critical firmware attacks, and more! We also welcome special guest Tyler Robinson! View the full report here: https://eclypsium.com/2022/12/13/december-firmware-threat-report/ This segment is sponsored by Eclypsium. Visit https://securityweekly.com/eclypsium to learn more about them! Show Notes: https://securityweekly.com/bts5
Feb 22, 2023 • 48min

BTS #4 - Supply Chain Threats, Vulnerable Drivers, OpenSSL Vulnerabilities, and more!

Paul and Scott talk about supply chain threats, vulnerable drivers, leaked source code and keys, and cover what we know about the OpenSSL 3.x vulnerability. This segment is sponsored by Eclypsium. Visit https://securityweekly.com/eclypsium to learn more about them! Show Notes: https://securityweekly.com/bts4
Feb 8, 2023 • 34min

BTS #3 - Inevitable Attacks, UEFI Vulnerabilities, and more!

This month Scott and Paul discuss the inevitability of attacks against certain sectors, UEFI vulnerabilities galore and so much more! Get the full report here: https://eclypsium.com/2022/10/03/september-firmware-threat-report/ This segment is sponsored by Eclypsium. Visit https://securityweekly.com/eclypsium to learn more about them! Show Notes: https://securityweekly.com/bts3
Jan 26, 2023 • 53min

BTS #2 - Root of Trust (RoT)

Paul and Scott break down the Root of Trust (RoT) and other highlights from the August 2022 Below The Surface Threat Report: https://eclypsium.com/2022/08/31/august-firmware-threat-report/ This segment is sponsored by Eclypsium. Visit https://securityweekly.com/eclypsium to learn more about them! Show Notes: https://securityweekly.com/bts2
