SigstoreCon Supply Chain Day 2024

The US Cybersecurity and Infrastructure Security Agency (CISA) leads the national effort to understand, manage, and reduce risk to critical cyber infrastructure. This requires vulnerability management processes based on well illuminated data. But gaps are visible at the intersection of software identification and supply chain management tools and automation. Software identifiers may be invisible or too opaque to be sufficiently effective for vulnerability management at scale or at later points along a supply chain. This lightning talk will describe a funding initiative recently announced by CISA and the US Department of Homeland Security’s Science and Technology Directorate to improve usability and scalable implementations of intrinsic identifiers, artifact dependency graph (ADG) generation, and distribution of ADG’s along with typical supply chain artifacts. The Silicon Valley Innovation Program (SVIP) Other Transaction Solicitation (OTS) Topic Call 70RSAT24R00000042 aims to invest in startups advancing the state of the art in ways which likely benefit CISA’s vulnerability management work. AND do so with foundational technologies implemented as open source!