Can the Rising Tide of Software Supply Chain Attacks Raise All Software Engineering Boats?
Software organizations largely did not anticipate how the software supply chain would become a deliberate attack vector. The software industry has moved from passive adversaries finding and exploiting vulnerabilities contributed by well-intentioned developers, such as log4j, to a new generation of software supply chain attacks, where attackers also aggressively implant vulnerabilities directly into dependencies available in open source. Adversaries also find their way into builds and deployments, as occurred with SolarWinds, to deploy rogue software. Once implanted, these vulnerabilities become an efficient attack vector for adversaries to gain leverage at scale by exploiting the software supply chain. Software supply chain attacks have increased exponentially since 2020.
These attacks have heightened awareness among governments and software organizations throughout the world of the need for software development teams to adopt good software security practices, and, in the process, also good software engineering practices. This awareness has led to two US Executive Orders, the EU Cyber Resilience Act, and other actions worldwide. For example, the CEOs of software organizations who sell to the US government now need to sign a document attesting that good software security/engineering practices were used. This talk will share an overview of these actions, empirical observations on the state of the practice in software security practice adoption, automated software practice measurement, and how these efforts can move into general software engineering.
Bio: Laurie Williams is the Goodnight Distinguished University Professor of Security Sciences in the Computer Science Department of the College of Engineering at North Carolina State University (NCSU). Laurie is the director of the National Science Foundation-sponsored Secure Software Supply Chain Center (S3C2), and co-director of the NSA-sponsored North Carolina Partnership for Cybersecurity Excellence (NC-PaCE) and the NCSU Secure Computing Institute. She was the co-director of the National Security Agency (NSA)-sponsored Science of Security Lablet at NCSU from 2011 to 2023. Laurie is an IEEE Fellow and an ACM Fellow. Laurie’s research focuses on software security, software processes, and empirical software engineering.
Tue 24 Jun (displayed time zone: Amsterdam, Berlin, Bern, Rome, Stockholm, Vienna)
09:00 - 10:00, Keynote (60m): Can the Rising Tide of Software Supply Chain Attacks Raise All Software Engineering Boats? (Plenary Events)
This is the main event hall of Clarion Hotel, which will be used to host keynote talks and other plenary sessions. The FSE and ISSTA banquets will also happen in this room.
The room is just in front of the registration desk, on the other side of the main conference area. The large doors with numbers “1” and “2” provide access to the Cosmos Hall.