EPISODE · Aug 20, 2024 · 37 MIN
Building Resilient Software: Secure by Design, Transparency, and Governance Remain Key Elements | A Conversation with Chris Hughes | Redefining CyberSecurity with Sean Martin
from The ITSPmagazine Podcast · host Sean Martin, ITSPmagazine Redefining Security, Chris Hughes
Guest: Chris Hughes, President / Co-Founder, AquiaOn LinkedIn | https://www.linkedin.com/in/resilientcyber/____________________________Host: Sean Martin, Co-Founder at ITSPmagazine [@ITSPmagazine] and Host of Redefining CyberSecurity Podcast [@RedefiningCyber]On ITSPmagazine | https://www.itspmagazine.com/sean-martinView This Show's Sponsors___________________________Episode NotesIn this episode of The Redefining CyberSecurity Podcast, host Sean Martin connects with Chris Hughes, a seasoned author and consultant in cybersecurity. The primary focus is on the intricacies of vulnerability management and software supply chain security, particularly in an era where software pervades every aspect of modern life.Chris Hughes emphasizes the paramount importance of understanding what is in the software we consume. Software Bill of Materials (SBOM) has emerged as a focal point, akin to ingredient lists in the food industry, highlighting the need for transparency. Hughes argues that transparency is not just about knowing the components; it extends to understanding the risks associated with those components. He illustrates his point by referencing infamous incidents like the Log4j vulnerability, which unveiled the critical gaps in our knowledge of software components.The conversation also shifts towards the broader challenges in software supply chain security. Hughes discusses the government's push for self-attestation and the role of third-party validators in ensuring software security. While acknowledging the complexities and potential bottlenecks, he underscores the necessity for a balanced approach that combines self-attestation with external validation to foster a secure software ecosystem.Additionally, Hughes addresses the concept of Secure by Design, advocating for practices that embed security into the software development lifecycle right from the outset. He notes the historical context of this concept, which dates back to the Ware Report, and argues for its relevance even today. Secure by Design entails building security measures inherently into products, thereby reducing the need for perpetual patching and vulnerability management.Internal risk management within organizations also gets spotlighted. Hughes insists that organizations should maintain an inventory of the software and components they use internally, evaluate their risks, and contribute to the open-source communities they rely on. This comprehensive approach not only helps in mitigating risks but also fosters a resilient and sustainable software ecosystem.On the topic of platform engineering, Hughes shares his insights on its potential to streamline software development processes and enhance security through standardization and governance. However, he is candid about the challenges, particularly the need to balance standardization with the diverse preferences of development teams.As the discussion wraps up, Hughes and Martin underline the importance of focusing on contextual risk assessment in vulnerability management, rather than merely responding to static severity scores. Hughes' advocacy for a more nuanced approach to security, balancing immediate risk mitigation with longer-term strategic planning, offers listeners a thoughtful perspective on managing cybersecurity challenges.Top Questions AddressedHow can organizations ensure transparency and security in their software supply chains?What strategies can be implemented to address the challenges of vulnerability management?How can platform engineering and internal governance improve software security within organizations?___________________________SponsorsImperva: https://itspm.ag/imperva277117988LevelBlue: https://itspm.ag/attcybersecurity-3jdk3___________________________Watch this and other videos on ITSPmagazine's YouTube ChannelRedefining CyberSecurity Podcast with Sean Martin, CISSP playlist:📺 https://www.youtube.com/playlist?list=PLnYu0psdcllS9aVGdiakVss9u7xgYDKYqITSPmagazine YouTube Channel:📺 https://www.youtube.com/@itspmagazineBe sure to share and subscribe!___________________________ResourcesNCF Whitepaper: https://tag-app-delivery.cncf.io/whitepapers/platforms/CNCF Platform Maturity Model: https://tag-app-delivery.cncf.io/whitepapers/platform-eng-maturity-model/Secure-by-Design at Google: What is the website URL for Secure-by-Design at Google?https://research.google/pubs/secure-by-design-at-google/Software Transparency: Supply Chain Security in an Era of a Software-Driven Society (Book): https://a.co/d/0bNaPmFEffective Vulnerability Management: Managing Risk in the Vulnerable Digital Ecosystem: https://a.co/d/6xs5saH___________________________To see and hear more Redefining CyberSecurity content on ITSPmagazine, visit: https://www.itspmagazine.com/redefining-cybersecurity-podcastAre you interested in sponsoring this show with an ad placement in the podcast?Learn More 👉 https://itspm.ag/podadplc Hosted by Simplecast, an AdsWizz company. See pcm.adswizz.com for information about our collection and use of personal data for advertising.
What this episode covers
In this episode of The Redefining CyberSecurity Podcast, Sean Martin engages with cybersecurity consultant and author Chris Hughes to explore the complexities of software supply chain security and vulnerability management. Together, they discuss practical strategies for achieving transparency in software components and the importance of adopting Secure by Design principles to build a more resilient digital ecosystem.
NOW PLAYING
Building Resilient Software: Secure by Design, Transparency, and Governance Remain Key Elements | A Conversation with Chris Hughes | Redefining CyberSecurity with Sean Martin
No transcript for this episode yet
Similar Episodes
Mar 26, 2026 ·1m
Mar 19, 2026 ·34m
Feb 18, 2026 ·11m
Feb 11, 2026 ·45m