CiNPA - Security SIG

Meeting Topic: Snips and Snails and Puppy Dog Tails: Your Software Supply Chain

Speaker: Bill Sempf
Twitter: https://twitter.com/sempf

Abstract:

We are standing on the shoulders of giants. Building beautiful things out of beautiful things is at the heart of software composition today. But what happens when things aren't so beautiful? What if that dependency of a dependency of a dependency has a Bitcoin miner written into it? Is your code review catching that? It doesn't matter if you type npm-install or Install-Package or php composer.phar install or mvn install or cpan or pip install. Probably not. Let's look at the realities of your supply chain, how it is getting corrupted, and what we can do about it. You'll see how to avoid becoming a victim of the next left-pad.

Bio:

Bill Sempf is an application security architect. His breadth of experience includes business and technical analysis, software design, development, testing, server management and maintenance, and security. In his 20 years of professional experience he has participated in the creation of well over 200 applications for large and small companies, managed the software infrastructure of two Internet service providers, coded complex software happily in every environment imaginable, tested the security of all natures of applications and APIs, and made mainframes talk to cell phones. He is the author of C# 5 All in One for Dummies and Windows 8 Programming with HTML5 For Dummies; a coauthor of Effective Visual Studio.NET and many other books, a frequent contributor to industry magazines; and has recently been an invited speaker for the ACM and IEEE, BlackHat, CodeMash, DerbyCon, BSides, DevEssentials, the International XML Web Services Expo and the Association of Information Technology Professionals. Bill also serves on the board of the Columbus branch of the Open Web Application Security Project, is a Microsoft MVP, and is the Administrative Director of Locksport International.

About Us:

The CiNPA Security SIG is the Cincinnati Networking Professionals Association Security Special Interest Group. We meet monthly on the third Thursday of each month starting at 6:30 p.m.

The CiNPA Security SIG's monthly meeting format typically consists of one or two main monthly meeting topics featuring live presentations or demonstrations promoting open and interactive group discussions. Our focus is primarily on the defensive side of information security, but we delve into all other areas of cyber-security as well. Information security news, announcements, and round-table discussions follow our main meeting topics.

Attendee Benefits:

• Attendance qualifies for 2 hours of CPE or CEU credit towards certification renewals

• Maintaining awareness of new vulnerabilities and exploits

• Learning about the latest security tools, utilities, products, services, solutions, strategies, techniques, frameworks, and best practices

• Sharing of information regarding trends concerning enterprise systems and technology

• Hearing announcements of upcoming area security conferences and events

• Networking with peers in the local Information Security (InfoSec) community