Joe Jarzombek is Global Manager for Software Supply Chain Solutions in the Software Integrity Group at Synopsys. He leads efforts to mitigate software supply chain risks through testing technologies and services that integrate with acquisition and development processes, enabling the detection, reporting, and remediation of defects and security vulnerabilities so that organizations gain assurance and visibility into their software supply chain. Focused on software security and quality, he collaborates with industry consortia, standards bodies, and government agencies on evolving processes and technologies for software assurance, supply chain risk management, and security automation.
Prior to joining Synopsys, he served as the Director for Software & Supply Chain Assurance in the US Department of Homeland Security Office of Cybersecurity and Communications. In that role, he led public-private collaboration efforts for US government interagency teams with industry, academia, and standards organizations focused on the assurance of information and communications technology (ICT).
As the cyber threat landscape evolves and external dependencies grow more complex, managing risk in the software supply chain must address the entire lifecycle. This is particularly significant for network-connectable devices. The Internet of Things (IoT) is driving a massive proliferation of software-reliant, connected devices of many types across critical infrastructure sectors. With IoT increasingly dependent on third-party software of unknown provenance and pedigree, software composition analysis and other forms of testing are needed to determine "fitness for use" and trustworthiness. Application vulnerability management should use automated means of detecting weaknesses, vulnerabilities, and exploits. Addressing supply chain dependencies lets enterprises harden their attack surface by comprehensively identifying exploit targets, understanding how assets are attacked, and providing more responsive mitigations. Security automation tools and services, and testing and certification programs now provide.
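The abstract names software composition analysis as the way to establish whether third-party components are fit for use. The following is an added illustration of the core of such a check, not code from the talk or from any Synopsys product: it parses a CycloneDX-style SBOM, matches each component against a list of advisories with introduced/fixed version ranges, and separately flags components that carry no package URL (purl), i.e. no machine-readable provenance. Both the SBOM and the advisory list are constructed sample data, and the advisory identifiers (ADV-000x) are placeholders rather than real CVEs. The dotted-numeric version comparison is a simplification adopted here; real package ecosystems need their own comparators.

```python
"""Minimal software composition analysis (SCA) pass over a CycloneDX-style SBOM.

Added example, not part of the original text. All data below is constructed.
"""
import json
import re

# Constructed SBOM in CycloneDX JSON shape. The "mystery" component
# deliberately lacks a purl, standing in for a dependency of unknown provenance.
SBOM_JSON = """{
  "bomFormat": "CycloneDX",
  "specVersion": "1.4",
  "components": [
    {"type": "library", "name": "libfoo",   "version": "1.2.3",
     "purl": "pkg:generic/libfoo@1.2.3"},
    {"type": "library", "name": "netparse", "version": "0.9.0",
     "purl": "pkg:generic/netparse@0.9.0"},
    {"type": "library", "name": "tlswrap",  "version": "2.1.0",
     "purl": "pkg:generic/tlswrap@2.1.0"},
    {"type": "library", "name": "mystery",  "version": "1.0"}
  ]
}"""

# Constructed advisories. Identifiers are placeholders, not real CVEs.
# A component is affected when introduced <= version < fixed.
ADVISORIES = [
    {"id": "ADV-0001", "name": "libfoo",   "introduced": "1.0.0", "fixed": "1.2.4", "severity": "high"},
    {"id": "ADV-0002", "name": "netparse", "introduced": "0.0.0", "fixed": "1.0.0", "severity": "critical"},
    {"id": "ADV-0003", "name": "tlswrap",  "introduced": "1.0.0", "fixed": "2.0.0", "severity": "medium"},
]

_VERSION_RE = re.compile(r"^(\d+)(?:\.(\d+))?(?:\.(\d+))?")


def parse_version(text):
    """Reduce a dotted-numeric version to a (major, minor, patch) tuple.

    Missing parts are padded with 0 ("1.0" -> (1, 0, 0)); any trailing
    pre-release or build suffix is ignored. Raises ValueError on junk so a
    malformed SBOM entry is reported rather than silently skipped.
    """
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError("unparseable version: %r" % text)
    return tuple(int(p or 0) for p in m.groups())


def is_affected(version, introduced, fixed):
    """True when introduced <= version < fixed (half-open range, as fixed is safe)."""
    v = parse_version(version)
    return parse_version(introduced) <= v < parse_version(fixed)


def load_components(sbom_json):
    """Return the components list from a CycloneDX JSON document."""
    doc = json.loads(sbom_json)
    if doc.get("bomFormat") != "CycloneDX":
        raise ValueError("not a CycloneDX document")
    return doc.get("components", [])


def scan(sbom_json, advisories):
    """Match every SBOM component against the advisory list.

    Returns {"findings": [...], "unknown_provenance": [...]} where each
    finding names the component, its version, the advisory id and severity,
    and unknown_provenance lists components that have no purl.
    """
    by_name = {}
    for adv in advisories:
        by_name.setdefault(adv["name"], []).append(adv)

    findings = []
    unknown_provenance = []
    for comp in load_components(sbom_json):
        name, version = comp["name"], comp["version"]
        if not comp.get("purl"):
            unknown_provenance.append(name)
        for adv in by_name.get(name, []):
            if is_affected(version, adv["introduced"], adv["fixed"]):
                findings.append({
                    "component": name,
                    "version": version,
                    "advisory": adv["id"],
                    "severity": adv["severity"],
                })
    return {"findings": findings, "unknown_provenance": unknown_provenance}


if __name__ == "__main__":
    report = scan(SBOM_JSON, ADVISORIES)
    for f in report["findings"]:
        print("%-8s %s %s (%s)" % (f["severity"].upper(), f["component"], f["version"], f["advisory"]))
    for name in report["unknown_provenance"]:
        print("UNKNOWN-PROVENANCE %s (no purl)" % name)
```

In this run libfoo 1.2.3 and netparse 0.9.0 fall inside their advisories' ranges, tlswrap 2.1.0 is already past its fix, and mystery produces no advisory match but is flagged because nothing in the SBOM says where it came from. That last case is the one the abstract is pointing at: a clean vulnerability match on a component of unknown provenance is not the same as evidence of trustworthiness.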