Supply chain attacks will get worse: Microsoft Security Response Center boss

Major supply-chain attacks of recent years – we're talking about SolarWinds, Kaseya and Log4j to name a few – are "just the tip of the iceberg at this point," according to Aanchal Gupta, who leads Microsoft's Security Response Center. "All of those have been big," she said, in an interview with The Register at RSA Conference …

  1. ecofeco

    I never get tired of saying it

    So how's that cloud thing working for ya?

  2. Alpharious

    >"The reason we will have a continuation of these supply chain attacks is our reliance on third party software and open source software is only growing," she said. "It's not going to come down anytime soon."

    And there is the sales pitch: "Live in the Microsoft shop or else."

    1. Sgt_Oddball

      Indeed...

      Because in no way has Microsoft software itself been vulnerable to its own dirty laundry list of bugs, faults and vulnerabilities....

      At the end of the day, no software is an island these days, and when it's large or pervasive enough it becomes worth taking the time to find an exploit. Having robust update policies, actively looking for unusual behaviour, as well as reducing attack surface areas, apply to anything on the Internet, be it MS, penguin-flavoured or even more obscure.

  3. DS999

    Releasing a complete "ingredients list"

    Would be difficult - if you include some library that includes another library in it, do you have to list that too, or rely on the person reading the list to track down that library's ingredients list?

    Likely some companies would be gun-shy about doing so, as they might not be in full compliance with licences, especially with GPL software.

    Then there's the inevitable worry that the ingredients list would be used as a roadmap to help with exploits. Yes, that's security through obscurity in some sense, but if a new exploit comes out against library X and someone has built a nice centralised repository of all reported ingredients lists with a nice search interface, it would take a bad guy seconds to learn what includes library X and is therefore vulnerable, and they can then choose the most valuable targets for attack.

    1. druck

      Re: Releasing a complete "ingredients list"

      Publicly searchable BoMs would undoubtedly identify targets faster than scanning systems for known exploits. However, I think the advantage of customers knowing earlier that they have a vulnerable system would outweigh that risk.

  4. Pascal Monett

    "companies should know the sources of the ingredients"

    I have to say that I completely agree with that idea.

    She should add, though, that companies should not download libraries directly to the production server.

    Test servers have a use: it's to protect production servers.

    1. Neil Barnes

      Re: "companies should know the sources of the ingredients"

      No reason why a company should not be able to generate a software BOM all the way through the chain (though that's a lot easier if you're designing a stand-alone widget as opposed to a major desktop application). But easy or not, surely you need to know what secret sauce you're including in your project, and that surely extends to the libraries linked to that secret sauce, all the way down. How else would you know?

      Is there a specialist position to manage such a task, or is it one of those 'ah, Joe'll look into it when he has a minute?' things? I feel it could become a full time task... software auditor?

      p.s. don't do as a colleague once did in an airport check-in queue: reply to a phone call and state that you can't get to the BOM right now as it's in your luggage...
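Editor's worked example (added here; not code from the article, from Microsoft, or from any commenter): the "all the way down" BOM Neil Barnes asks for, generated transitively from a lock file, plus the two things the DS999/druck exchange argues about, namely searching a pile of SBOMs for "who ships library X?" and checking that what was actually downloaded matches the pinned digests before it is promoted from a test box to production. The lock file, package names, versions and artifact bytes are all constructed for the example; the output follows the components/dependencies shape CycloneDX uses but is not a complete CycloneDX document.

```python
import hashlib
from collections import deque

# Constructed lock file: every pinned package with the direct dependencies it
# declares.  Names and versions are invented for this example.
LOCKFILE = {
    "webapp":     {"version": "3.1.0", "requires": ["httpclient", "logkit"]},
    "batchjob":   {"version": "1.2.0", "requires": ["fmtlib"]},
    "httpclient": {"version": "2.4.1", "requires": ["tlsutil"]},
    "logkit":     {"version": "1.9.2", "requires": ["tlsutil", "fmtlib"]},
    "tlsutil":    {"version": "0.8.0", "requires": []},
    "fmtlib":     {"version": "5.2.0", "requires": []},
}

# Constructed bytes standing in for the release tarballs, and the SHA-256
# digests recorded when those tarballs were first reviewed and pinned.
ARTIFACTS = {n: f"{n}-{m['version']} release".encode() for n, m in LOCKFILE.items()}
PINNED_SHA256 = {n: hashlib.sha256(b).hexdigest() for n, b in ARTIFACTS.items()}


def bom_ref(name, lockfile):
    """Stable identifier for a component (purl 'generic' type, chosen here)."""
    return f"pkg:generic/{name}@{lockfile[name]['version']}"


def build_sbom(root, lockfile, digests):
    """Walk the dependency graph from `root` and list every component it pulls
    in at any depth, plus the edges between them.  The visited set keeps a
    cyclic graph from looping forever."""
    components, dependencies = [], []
    seen, queue = set(), deque([root])
    while queue:
        name = queue.popleft()
        if name in seen:
            continue
        seen.add(name)
        meta = lockfile[name]
        components.append({
            "bom-ref": bom_ref(name, lockfile),
            "name": name,
            "version": meta["version"],
            "hashes": [{"alg": "SHA-256", "content": digests[name]}],
        })
        dependencies.append({
            "ref": bom_ref(name, lockfile),
            "dependsOn": [bom_ref(d, lockfile) for d in meta["requires"]],
        })
        queue.extend(meta["requires"])
    return {
        "bomFormat": "CycloneDX",
        "specVersion": "1.4",
        "metadata": {"component": {"bom-ref": bom_ref(root, lockfile)}},
        "components": components,
        "dependencies": dependencies,
    }


def contains(sbom, library):
    """True if the SBOM lists `library` at any depth, not just as a direct dep."""
    return any(c["name"] == library for c in sbom["components"])


def products_shipping(sboms, library):
    """The search the thread worries about: given a repository of SBOMs keyed
    by product, which products are exposed when `library` gets a new CVE."""
    return sorted(p for p, s in sboms.items() if contains(s, library))


def verify_downloads(sbom, downloaded):
    """Compare what the build machine fetched against the digests the SBOM
    pins.  Returns the names that are missing or do not match; an empty list
    is the condition for promoting the bundle from test to production."""
    bad = []
    for c in sbom["components"]:
        want = c["hashes"][0]["content"]
        blob = downloaded.get(c["name"])
        if blob is None or hashlib.sha256(blob).hexdigest() != want:
            bad.append(c["name"])
    return bad


if __name__ == "__main__":
    sboms = {p: build_sbom(p, LOCKFILE, PINNED_SHA256) for p in ("webapp", "batchjob")}
    print("ships tlsutil:", products_shipping(sboms, "tlsutil"))
    tampered = dict(ARTIFACTS, tlsutil=b"tlsutil-0.8.0 release with extra bytes")
    print("digest mismatches:", verify_downloads(sboms["webapp"], tampered))
```

Two things the thread's concern does not capture: the same lookup that lets an attacker pick targets is what lets a defender answer "are we exposed?" in seconds instead of days, and it only works if the SBOM is regenerated from the lock file on every build rather than hand-maintained. The digest check is the practical form of "trust but verify" in the article: a mirror or CDN that hands you a different tarball than the one reviewed shows up as a mismatch before anything is installed.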

  5. Anonymous Coward

    Microsoft and Posturing....why am I not surprised?

    Quote (Aanchal Gupta): ".... trust but verify...."

    No mention at all here about ALMOST UNDETECTABLE tampering... thanks to Ken Thompson in 1984.

    See here for a discussion: https://www.schneier.com/blog/archives/2006/01/countering_trus.html

    What is interesting is just how hard this attack might be to detect... also interesting is to wonder just how many organisations will mobilise the significant resources required EVEN TO TRY!!

    So... somewhere ten deep in the supply chain, some small but valuable supplier has a corrupt compiler...

    Don't you just love Microsoft, front and centre, posturing about something... when their own supply chain is likely twenty deep!!!

    1. Anonymous Coward

      Re: Microsoft and Posturing....why am I not surprised?

      A reminder:

      https://www.cs.cmu.edu/~rdriley/487/papers/Thompson_1984_ReflectionsonTrustingTrust.pdf

      Still relevant
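Editor's worked example (added here; not code from the article, from the two linked papers, or from any commenter): a toy model of the Thompson attack the comment above refers to, and of the "diverse double-compiling" check discussed at the Schneier link, which is the one practical way to detect it. Everything is constructed: the "language" is Python itself, a "binary" is just the text a compiler emits, and exec() stands in for the CPU. The backdoor password, the marker strings and the compiler sources are invented for the example and are not taken from any real toolchain.

```python
# Source of the honest compiler.  It translates nothing: the "binary" is the
# source text unchanged, which is all the model needs.
CLEAN_COMPILER_SRC = "def compile(src):\n    return src\n"

# A second, independently written honest compiler, i.e. one never built with
# the suspect toolchain.  Its text differs from the first on purpose.
TRUSTED_COMPILER_BIN = (
    "# written independently of the suspect toolchain\n"
    "def compile(src):\n"
    "    return str(src)\n"
)

# The program the trojan targets.  Its source is perfectly clean.
LOGIN_SRC = "def login(password, stored):\n    return password == stored\n"

# Thompson's two tricks in one self-replicating payload (a quine via %r):
# when the trojaned compiler compiles the login program it inserts a
# backdoor; when it compiles the compiler's own clean source it appends
# itself, so the trojan survives a rebuild from pristine source.
TROJAN_TEMPLATE = '''
_clean_compile = compile
TEMPLATE = %r
TROJAN = TEMPLATE %% (TEMPLATE,)
def compile(src):
    if "def login(" in src:
        src = src.replace("return password == stored",
                          "return password == stored or password == 'opensesame'")
    if "def compile(" in src and "_clean_compile" not in src:
        src = src + TROJAN
    return _clean_compile(src)
'''
TROJAN = TROJAN_TEMPLATE % (TROJAN_TEMPLATE,)

# The binary the supplier ships.  Note that its *source*, CLEAN_COMPILER_SRC,
# contains nothing suspicious; only the binary does.
TROJANED_COMPILER_BIN = CLEAN_COMPILER_SRC + TROJAN


def run_binary(binary_text, symbol):
    """'Execute' a binary: exec its text and hand back the named function."""
    ns = {}
    exec(binary_text, ns)
    return ns[symbol]


def demo_attack():
    """Returns (backdoor works, backdoor survives rebuild from clean source)."""
    trojaned = run_binary(TROJANED_COMPILER_BIN, "compile")
    login = run_binary(trojaned(LOGIN_SRC), "login")
    rebuilt = run_binary(trojaned(CLEAN_COMPILER_SRC), "compile")
    login_after_rebuild = run_binary(rebuilt(LOGIN_SRC), "login")
    return (login("opensesame", "hunter2"),
            login_after_rebuild("opensesame", "hunter2"))


def diverse_double_compile(suspect_bin, trusted_bin, compiler_src):
    """Wheeler's DDC: rebuild compiler_src with an independent trusted compiler,
    use that result to rebuild it once more, and compare with what the suspect
    binary produces from the same source.  A faithful compiler gives identical
    output; a self-propagating trojan cannot, because it must add itself."""
    stage1 = run_binary(trusted_bin, "compile")(compiler_src)
    stage2 = run_binary(stage1, "compile")(compiler_src)
    self_build = run_binary(suspect_bin, "compile")(compiler_src)
    return stage2 == self_build


if __name__ == "__main__":
    print("backdoor active, survives rebuild:", demo_attack())
    print("DDC passes for trojaned binary:",
          diverse_double_compile(TROJANED_COMPILER_BIN, TRUSTED_COMPILER_BIN, CLEAN_COMPILER_SRC))
    print("DDC passes for honest binary:",
          diverse_double_compile(CLEAN_COMPILER_SRC, TRUSTED_COMPILER_BIN, CLEAN_COMPILER_SRC))
```

The point the commenter makes about cost is visible in the last function: the check is cheap to run but needs a second compiler you trust more than the first, a reproducible build, and the willingness to do it for every toolchain in the chain, which is where most organisations stop.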

  6. Anonymous Coward

    Log4j wasn't a supply chain attack, it was a critical vulnerability.

Biting the hand that feeds IT © 1998–2022