Articles

Software supply chain security fixes gain prominence at RSA

Attendees are urged to improve asset management, use SBOMs, and collaborate with government cybersecurity agencies to better ensure software integrity.

Given the significant cybersecurity problems that the SolarWinds, Log4j and other software supply chain compromises created over the past two years, it’s no surprise that software security emerged as a hot topic at this year’s RSA conference. Ahead of the event, ReversingLabs released a survey it commissioned of over 300 senior software employees on the struggles their firms face in detecting supply chain attacks.

Despite the recent spate of high-profile software supply chain security incidents, the ReversingLabs study found that fewer than four in ten companies say they can detect tampering with developed code. In addition, less than 10% of companies are reviewing software at each product lifecycle stage for evidence of tampering or compromises.

SBOM usage is sparse but expected to grow rapidly

When it comes to one crucial emerging tool that can better ensure software security, a software bill of materials (SBOM), the ReversingLabs survey found that only 27% of the IT professionals surveyed said their employer generates and reviews SBOMs before releasing software. Of those respondents who do not develop SBOMs, 44% cited a lack of expertise and staffing needed to do so, while 32% cited a lack of budget for implementing SBOMs. Only 7% of respondents at companies that don’t produce SBOMs said the reason was that an SBOM wasn’t needed.
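The two survey findings above, detecting tampering with developed code and generating and reviewing an SBOM before release, are the same control seen from two sides. The following is an added example, not code from the articles, ReversingLabs or CSO Online: it builds a simplified CycloneDX-style SBOM for a constructed release (the component names, suppliers and artifact bytes are invented for illustration), checks that it carries the data fields NTIA published as the SBOM minimum elements (supplier, component name, version, a unique identifier, dependency relationships, SBOM author and timestamp), and then verifies a set of shipped artifacts against the SBOM's hashes so that a component altered after the SBOM was cut shows up as modified.

```python
"""Added example: cut an SBOM at release time, then use it to detect tampering."""
import hashlib
import json
from datetime import datetime, timezone

# Constructed sample release: component name -> (supplier, version, artifact bytes).
# Names and bytes are hypothetical stand-ins for real build outputs.
RELEASE = {
    "net-monitor-core": ("Example Vendor Inc.", "2020.2.1", b"core module v2020.2.1\n"),
    "log-helper": ("Example OSS Project", "1.4.2", b"logging helper v1.4.2\n"),
}
# Constructed dependency relationships: dependent -> list of dependencies.
DEPENDS_ON = {"net-monitor-core": ["log-helper"], "log-helper": []}

# Per-component fields required by the NTIA minimum elements (purl = unique identifier).
NTIA_MINIMUM_FIELDS = ("supplier", "name", "version", "purl")


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def build_sbom(release, depends_on, author="release-pipeline", timestamp=None):
    """Build a simplified CycloneDX-style SBOM: supplier, name, version, purl and a
    SHA-256 hash per component, dependency relationships, SBOM author and timestamp."""
    ts = timestamp or datetime.now(timezone.utc).isoformat()
    components = []
    for name, (supplier, version, data) in release.items():
        components.append({
            "type": "library",
            "supplier": {"name": supplier},
            "name": name,
            "version": version,
            "purl": f"pkg:generic/{name}@{version}",
            "hashes": [{"alg": "SHA-256", "content": sha256_hex(data)}],
        })
    dependencies = [
        {"ref": f"pkg:generic/{n}@{release[n][1]}",
         "dependsOn": [f"pkg:generic/{d}@{release[d][1]}" for d in deps]}
        for n, deps in depends_on.items()
    ]
    return {
        "bomFormat": "CycloneDX",
        "specVersion": "1.4",
        "metadata": {"timestamp": ts, "authors": [{"name": author}]},
        "components": components,
        "dependencies": dependencies,
    }


def missing_minimum_elements(sbom):
    """Return a list of gaps relative to the NTIA minimum elements (empty = complete)."""
    gaps = []
    meta = sbom.get("metadata", {})
    if not meta.get("timestamp"):
        gaps.append("metadata.timestamp")
    if not meta.get("authors"):
        gaps.append("metadata.authors")
    if "dependencies" not in sbom:
        gaps.append("dependencies")
    for comp in sbom.get("components", []):
        label = comp.get("name", "<unnamed>")
        for field in NTIA_MINIMUM_FIELDS:
            value = comp.get(field)
            if field == "supplier":
                value = (value or {}).get("name")
            if not value:
                gaps.append(f"{label}.{field}")
    return gaps


def verify_artifacts(sbom, artifacts):
    """Compare shipped artifacts (name -> bytes) with the SBOM's SHA-256 hashes.
    Returns modified, missing (in SBOM, not shipped) and unexpected (shipped, not in
    SBOM) component names; any non-empty list is a tamper or drift signal."""
    expected = {}
    for comp in sbom["components"]:
        sha = next((h["content"] for h in comp.get("hashes", [])
                    if h.get("alg") == "SHA-256"), None)
        expected[comp["name"]] = sha
    modified = sorted(n for n, sha in expected.items()
                      if n in artifacts and sha256_hex(artifacts[n]) != sha)
    missing = sorted(n for n in expected if n not in artifacts)
    unexpected = sorted(n for n in artifacts if n not in expected)
    return {"modified": modified, "missing": missing, "unexpected": unexpected}


if __name__ == "__main__":
    sbom = build_sbom(RELEASE, DEPENDS_ON)
    print(json.dumps(sbom, indent=2))
    print("minimum-element gaps:", missing_minimum_elements(sbom))
    clean = {n: data for n, (_, _, data) in RELEASE.items()}
    print("clean release:", verify_artifacts(sbom, clean))
    # Simulated supply chain tampering: one artifact altered after the SBOM was cut.
    tampered = dict(clean, **{"net-monitor-core": clean["net-monitor-core"] + b"backdoor\n"})
    print("tampered release:", verify_artifacts(sbom, tampered))
```

The point of the check is that the SBOM is only useful for integrity if it is produced by the build that created the artifacts and consumed by whoever deploys them; a hash mismatch or an unexpected component at deploy time is exactly the lifecycle-stage review the survey says few companies perform.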

The sparse usage of SBOMs is quickly becoming a thing of the past for two primary reasons, Allan Friedman, senior advisor and strategist at the U.S. Cybersecurity and Infrastructure Security Agency (CISA), told RSA attendees. First, because of events like SolarWinds, organizations are starting to demand SBOMs for the software they use as a security measure to identify problematic code.

This article appeared in CSO Online. To read the rest of the article please visit here.


Articles

Government-mandated SBOMs to throw light on software supply chain…

The US government will soon require vendors to provide a software bill of materials to help ensure integrity of an application’s components.

President Biden’s executive order (EO) on cybersecurity, released on May 12, is a sprawling and comprehensive document that aims to redress weaknesses in the digital security ecosystem. It is peppered with nearly 50 actions that the federal government must take within extraordinarily tight timeframes, signaling the urgency of the cybersecurity crisis the country faces.

Several parts of the EO seek to shore up software security. This long-overlooked and arcane topic has taken on new urgency following the SolarWinds and Microsoft Exchange software supply chain hacks.

The first software security deadline in the EO, assigned primarily to the Commerce Department’s National Institute of Standards and Technology (NIST), is to publish a definition of what constitutes “critical software,” which in turn will trigger actions by other government agencies. NIST’s deadline for producing this definition is June 26, which is why the agency held a quickly organized workshop on June 2 and 3 attended by around a thousand interested parties.

Fifteen days after the release of NIST’s definition of critical software, another arm of the Commerce Department, the National Telecommunications and Information Administration (NTIA), will publish “minimum elements” of something that has been evolving over the past several years in the cybersecurity realm, a software bill of materials, or SBOM.

This article appeared in CSO Online. To read the rest of the article please visit here.


Advanced Persistent Threat

How to prepare for the next SolarWinds-like threat

It is possible to minimize the risk from nation-state attacks like SolarWinds. This is the best advice based on what experts have learned so far.

The insertion of malware into SolarWinds’ popular Orion network management software sent the federal government and major parts of corporate America scrambling this week to investigate and mitigate what could be the most damaging breach in US history. The malware, which cybersecurity company FireEye (itself the first public victim of the supply chain interference) named SUNBURST, is a backdoor that can transfer and execute files, profile systems, reboot machines and disable system services.

Reuters broke the story that a foreign hacker had used SUNBURST to monitor email at the Treasury and Commerce Departments. Other sources later described the foreign hacker as APT29, or the Cozy Bear hacking group run by Russia’s SVR intelligence agency. Subsequent press reports indicated that the malware infection’s reach throughout the federal government could be vast and includes—only preliminarily—the State Department, the National Institutes of Health, the Department of Homeland Security (DHS), and likely parts of the Pentagon.

Former director of DHS’s Cybersecurity and Infrastructure Security Agency (CISA) Chris Krebs said in a tweet after news broke of the intrusion, “this thing is still early,” meaning that it will likely be months—possibly years—before the true scope of the damage is known. SolarWinds said that up to 18,000 of its 300,000 customers downloaded the tainted update, although that doesn’t mean that the adversary exploited all infected organizations.

CISA issued a rare emergency directive calling on all federal agencies to “review their networks for indicators of compromise and disconnect or power down SolarWinds Orion products immediately.” The FBI, CISA and the Office of the Director of National Intelligence (ODNI) issued a joint statement acknowledging they established a Cyber Unified Coordination Group (UCG) to mount a whole-of-government response under the direction of the FBI.

This article appeared in CSO Online. To read the rest of the article please visit here.

Photo by NASA – NASA, Public Domain, https://commons.wikimedia.org/w/index.php?curid=6422993