S2E2: Cole Kennedy - Software Supply Chain Security, SBOM and Open Source
In this episode of the Resilient Cyber podcast, hosts Chris Hughes and Dr. Nikki Robinson are joined by Cole Kennedy, co-founder of TestifySec. Cole shares insights on his transition from a military background to cybersecurity and discusses the challenges and solutions surrounding software supply chain security, DevSecOps, and automated governance. The episode also covers the importance of securing CI/CD pipelines, the role of compliance frameworks, and the future of supply chain security.
Highlights:
Introduction to Cole Kennedy:
Cole shares his non-traditional journey from the military to cybersecurity and his mission to secure national systems.
He discusses the founding of TestifySec and its focus on supply chain security and zero trust architecture.
Software Supply Chain Security:
Cole emphasizes the need to secure the entire CI/CD pipeline, not just the final artifact, and the importance of developing new frameworks for software development lifecycle security.
He shares his thoughts on the CISA guidance and its role in starting a Software Supply Chain Risk Management (SCRM) program.
Compliance Frameworks:
The discussion touches on the value and limitations of traditional compliance frameworks, particularly in the context of modern technologies like DevSecOps and cloud.
Cole shares his perspective on how compliance can be both a help and a hindrance, depending on its implementation.
The Role of Metadata and Testifiable Artifacts:
Cole highlights the importance of metadata in verifying software supply chains and ensuring compliance.
He explains how TestifySec works to provide cryptographic guarantees on software builds, enhancing trust between software producers and consumers.
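The producer-to-consumer guarantee described above rests on a signed attestation: build metadata bound to the artifact's content digest and signed by the producer, so the consumer can check who made the claim and about which exact bytes. The Go program below is an added illustration of that pattern, not TestifySec's or Witness's code; the statement layout loosely follows the in-toto Statement shape, the predicate type URL and the sample artifact bytes are constructed for the example, and the key pair is generated in-process rather than coming from a real signing identity.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"encoding/json"
	"errors"
	"fmt"
)

// Statement loosely follows the in-toto Statement shape: a predicate (what the
// producer claims about the build) bound to subjects identified by content
// digest. Simplified for this example; not the exact schema any tool emits.
type Statement struct {
	Type          string            `json:"_type"`
	PredicateType string            `json:"predicateType"`
	Subject       []Subject         `json:"subject"`
	Predicate     map[string]string `json:"predicate"`
}

// Subject names an artifact by digest, never by a mutable path or tag.
type Subject struct {
	Name   string            `json:"name"`
	Digest map[string]string `json:"digest"`
}

// Envelope carries the serialized statement plus the producer's signature over it.
type Envelope struct {
	Payload   []byte
	Signature []byte
}

const (
	statementType  = "https://in-toto.io/Statement/v1"
	buildPredicate = "https://example.com/build/v1" // hypothetical predicate type
)

func sha256Hex(b []byte) string {
	sum := sha256.Sum256(b)
	return hex.EncodeToString(sum[:])
}

// Attest is the producer side: hash the built artifact, bind the build
// metadata to that digest in a statement, and sign the whole statement.
func Attest(priv ed25519.PrivateKey, name string, artifact []byte, predicate map[string]string) (Envelope, error) {
	st := Statement{
		Type:          statementType,
		PredicateType: buildPredicate,
		Subject:       []Subject{{Name: name, Digest: map[string]string{"sha256": sha256Hex(artifact)}}},
		Predicate:     predicate,
	}
	payload, err := json.Marshal(st)
	if err != nil {
		return Envelope{}, err
	}
	return Envelope{Payload: payload, Signature: ed25519.Sign(priv, payload)}, nil
}

// Verify is the consumer side. Order matters: check the signature against the
// trusted producer key first, then the statement type, then that the artifact
// in hand has a digest listed among the subjects. Only then is the predicate
// metadata trusted for any policy decision.
func Verify(pub ed25519.PublicKey, env Envelope, artifact []byte) (Statement, error) {
	if !ed25519.Verify(pub, env.Payload, env.Signature) {
		return Statement{}, errors.New("signature invalid or not from the trusted producer key")
	}
	var st Statement
	if err := json.Unmarshal(env.Payload, &st); err != nil {
		return Statement{}, err
	}
	if st.Type != statementType || st.PredicateType != buildPredicate {
		return Statement{}, fmt.Errorf("unexpected statement/predicate type %q/%q", st.Type, st.PredicateType)
	}
	want := sha256Hex(artifact)
	for _, s := range st.Subject {
		if s.Digest["sha256"] == want {
			return st, nil
		}
	}
	return Statement{}, errors.New("artifact digest does not match any attested subject")
}

func main() {
	pub, priv, err := ed25519.GenerateKey(rand.Reader) // stand-in for the producer's real key
	if err != nil {
		panic(err)
	}
	artifact := []byte("constructed sample build output") // stands in for a real binary
	env, err := Attest(priv, "app.tar.gz", artifact, map[string]string{"builder": "ci-runner-7", "commit": "abc123"})
	if err != nil {
		panic(err)
	}
	if _, err := Verify(pub, env, artifact); err != nil {
		panic(err)
	}
	fmt.Println("genuine artifact: verified")
	_, err = Verify(pub, env, []byte("tampered build output"))
	fmt.Println("tampered artifact:", err)
	forged := env
	forged.Payload = []byte(`{"_type":"x"}`) // metadata rewritten without the producer's key
	_, err = Verify(pub, forged, artifact)
	fmt.Println("forged statement:", err)
}
```

The consumer never trusts the metadata on its own: a swapped artifact fails the digest check even though the signature is valid, and a rewritten statement fails the signature check even though the artifact is genuine. In a real deployment the trusted public key would come from a key registry or transparency log rather than being generated alongside the attestation.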
Open Source Risk Management:
The episode introduces the concept of an open source risk management program, which Cole believes is crucial for organizations using open source software.
He discusses the need for transparency and the potential risks and benefits of incorporating open source tools.
Cyber Resilience:
Cole defines cyber resilience as focusing on people, culture, and values within an organization. He stresses that building a resilient organization starts with trust, integrity, and honor among the workforce.
Final Thoughts:
The episode wraps up with a discussion on the future of software supply chain security and the role of transparency and open source in driving innovation and security.