Course Description
Businesses and government operations live and die by their software. Regardless of the size of your organization, lethal IT supply chain risks can come at you from all directions and can severely impact your business continuity, get you in court, and possibly even put you out of business. The compromise of SolarWinds software reported in late 2020 and of Colonial Pipeline computing in 2021 has put IT and software supply chain security in the spotlight. The US Federal Government has been directed by President Biden's Executive Order 14028 to step up the nation's CyberSecurity, including supply chain security. Auditors must be prepared to assist management in aggressively identifying and reducing serious IT and software supply chain risks. In this timely and practical seminar, we will explore the administrative and technical CyberSecurity targets in the IT supply chain and will cover best practices for securing and auditing an organization's software supply chain.
Learning Objectives
- Identify IT and software supply chain control points/attack surfaces and attack methods
- Gain familiarity with industry best practices for IT and software supply chain security and secure software design and testing
- Evaluate different methods of CyberSecurity testing of software throughout different types of software development lifecycles (SDLCs)
- Develop comprehensive plans to perform end-to-end audits of IT and software supply chains
Course Outline
Surveying the IT Supply Chain Landscape
- Supply chain definitions
- Cyber supply chains (build vs. buy) and their risks
- Notable software supply chain attacks
- Planning audits of software supply chains
Programming Concepts and Software Management
- Computer programming and software sourcing concepts
- Software testing and security assurance
- Software configuration management (SCM) and version control systems (VCS)
- Software bill of materials (SBOM)
Auditing BUILD Software Supply Chains
- Software development lifecycles (SDLCs)
- Application Programming Interfaces (APIs) integration
- Open-Source Software (OSS) integration
- Content management systems (CMS) – WordPress and beyond
- Low-code/no-code platforms
- End-user computing and shadow IT
Auditing BUY Software Supply Chains
- Commercial off-the-shelf software (COTS)
- Software as a service (SaaS)
Wrap-up
- End-to-end cyber supply chain security and audit checklist
- Sources of information, checklists, and tools
Additional Information
Who Should Attend
- IT Auditors
- Information Security Managers, Analysts, and Architects
- IT Management, IT Architects
- Web Site Administrators, System Administrators
- Application Architects, Developers and Analysts
- Consultants
Learning Level
Intermediate
Delivery
Group-Live
Field
Auditing
Recommended Prerequisites
Auditing IT Application Systems or equivalent training. A basic understanding of IT audit controls and terminology is assumed.
Session Duration
On Site: 1 day
CPE Credits: 8