I never get tired of saying it
So how's that cloud thing working for ya?
Major supply-chain attacks of recent years – we're talking about SolarWinds, Kaseya and Log4j to name a few – are "just the tip of the iceberg at this point," according to Aanchal Gupta, who leads Microsoft's Security Response Center. "All of those have been big," she said, in an interview with The Register at RSA Conference …
Because in no way has Microsoft software itself been vulnerable to its own dirty laundry list of bugs, faults and vulnerabilities....
At the end of the day, no software is an island these days and when it's large or pervasive enough it becomes worth taking the time in finding an exploit. Having robust update policies, actively looking for unusual behaviour as well as reducing attack surface areas apply to anything on the Internet be it MS, penguin flavoured or even more obscure.
Would be difficult - if you include some library that includes another library in it, do you have to list that too or rely on the person reading the list to track down that library's ingredients list?
Likely some companies would be gunshy about doing so as they might not be in full compliance with licenses, especially with GPL software.
Then there's the inevitable worry that the ingredients list would be used as a roadmap to help with exploits. Yes, that's security through obscurity in some sense, but if a new exploit comes out against library X and someone has built a nice centralized repository of all reported ingredients lists with a nice search interface, it would take a bad guy seconds to learn what all includes library X and is therefore vulnerable, so they can choose the most valuable targets for attack.
No reason why a company should not be able to generate a software BOM all the way through the chain (though that's a lot easier if you're designing a stand-alone widget as opposed to a major desktop application). But easy or not, surely you need to know what secret sauce you're including in your project, and that surely extends to the libraries linked to that secret sauce, all the way down. How else would you know?
Is there a specialist position to manage such a task, or is it one of those 'ah, Joe'll look into it when he has a minute?' things? I feel it could become a full time task... software auditor?
p.s. don't do as a colleague once did in an airport check-in queue: reply to a phone call and state that you can't get to the BOM right now as it's in your luggage...
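The two comments above ask whether a software BOM has to walk the whole chain (library inside library inside library) and how you would ever know what you are shipping. The script below is an added example, not part of any comment or of the article, showing the defender's side of exactly that: it walks a constructed dependency inventory transitively (cycles and shared libraries included), emits a simplified CycloneDX-style SBOM, and answers the question that matters the day library X gets a CVE: which of our products bundle it? The component names and versions are invented; the JSON layout is a trimmed approximation of CycloneDX fields, not a schema-validated document.

```python
"""Walk a transitive dependency inventory into an SBOM-style component list
and use it to find which products ship a given library.

All data here is constructed for illustration; no real project is described.
"""
import json
from collections import deque

# Constructed inventory: each component lists the components it bundles.
# The ui-kit <-> render-core cycle is deliberate: real dependency graphs have them,
# and a naive recursive walk would never terminate on it.
INVENTORY = {
    "widget-app@2.1": ["http-client@1.4", "log-lib@2.14"],
    "desktop-suite@9.0": ["ui-kit@3.2", "http-client@1.4"],
    "http-client@1.4": ["tls-lib@0.9", "log-lib@2.14"],
    "ui-kit@3.2": ["render-core@5.0"],
    "render-core@5.0": ["ui-kit@3.2"],
    "tls-lib@0.9": [],
    "log-lib@2.14": [],
}

PRODUCTS = ["widget-app@2.1", "desktop-suite@9.0"]


def transitive_deps(root, inventory):
    """Every component reachable from root (root itself excluded), breadth-first.
    A visited set makes cycles and diamond-shaped shares appear exactly once."""
    seen, order, queue = {root}, [], deque([root])
    while queue:
        cur = queue.popleft()
        for dep in inventory.get(cur, []):
            if dep not in seen:
                seen.add(dep)
                order.append(dep)
                queue.append(dep)
    return order


def _split(ref):
    name, version = ref.split("@", 1)
    return name, version


def build_sbom(product, inventory):
    """Simplified CycloneDX-like document: flattened component list plus the
    dependency edges, so a reader can trace *why* a library is present."""
    refs = [product] + transitive_deps(product, inventory)
    components = []
    for ref in refs:
        name, version = _split(ref)
        components.append({
            "bom-ref": ref,
            "type": "application" if ref == product else "library",
            "name": name,
            "version": version,
        })
    return {
        "bomFormat": "CycloneDX",
        "specVersion": "1.4",
        "metadata": {"component": {"name": _split(product)[0], "version": _split(product)[1]}},
        "components": components,
        "dependencies": [{"ref": r, "dependsOn": inventory.get(r, [])} for r in refs],
    }


def products_including(library, products, inventory):
    """The defender's query when library X gets a CVE: which shipped products
    contain it anywhere in their chain, directly or ten levels down?"""
    return sorted(p for p in products if library in transitive_deps(p, inventory))


if __name__ == "__main__":
    print(json.dumps(build_sbom("widget-app@2.1", INVENTORY), indent=2))
    print("ships log-lib@2.14:", products_including("log-lib@2.14", PRODUCTS, INVENTORY))
```

The same flattened list that a commenter worries could be searched by an attacker is what lets the vendor answer a customer's "are we affected?" in seconds instead of days; the attacker already has the binaries to inspect, the vendor without an SBOM has nothing but guesswork.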
Quote (Aanchal Gupta): ".... trust but verify...."
No mention at all here about ALMOST UN-DETECTABLE tampering........thanks to Ken Thompson in 1984.
See here for a discussion: https://www.schneier.com/blog/archives/2006/01/countering_trus.html
What is interesting is just how hard this attack might be to detect.....also interesting is to wonder just how many organisations will mobilise the significant resources required EVEN TO TRY!!
So.......somewhere ten deep in the supply chain, some small but valuable supplier has a corrupt compiler.........
Don't you just love Microsoft, front and centre, posturing about something.......when their own supply chain is likely twenty deep!!!
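The comment above points at Ken Thompson's self-propagating compiler trick and at the linked Schneier discussion, which concerns diverse double-compiling (DDC), the check that can detect it. The model below is an added example, not part of any comment or of the linked post: it reduces "compiling" to copying text, lets a backdoored compiler binary re-insert its payload whenever it builds a compiler from clean source, and then runs the DDC comparison with a second, independently produced compiler. The `Binary` class, the source strings and the `backdoored` flag are all constructed for the model; a real DDC run compares actual compiler binaries bit for bit.

```python
"""Toy model of the trusting-trust compiler backdoor and of the diverse
double-compiling (DDC) check against it. Constructed model: a 'binary' is a
record of the code it emits plus whether it carries the hidden payload.
"""
from dataclasses import dataclass

# Clean, auditable source of the suspect compiler A. Nothing in it mentions a payload.
COMPILER_SOURCE = "compiler: read source, emit code"


@dataclass(frozen=True)
class Binary:
    code: str
    backdoored: bool = False  # model flag: does this binary carry the hidden payload?

    def compile(self, source: str) -> "Binary":
        """A clean binary emits exactly what the source says.
        A backdoored binary emits the same code, but when it recognises that it is
        building a compiler it passes the payload on, which is why auditing
        COMPILER_SOURCE never reveals anything."""
        if self.backdoored and source.startswith("compiler:"):
            return Binary(code=source, backdoored=True)
        return Binary(code=source, backdoored=False)


def payload_survives_rebuild(compiler: Binary, source: str, generations: int = 3) -> bool:
    """Thompson's point: rebuilding the compiler from clean source with the
    compromised binary, however many times, keeps the payload alive."""
    cur = compiler
    for _ in range(generations):
        cur = cur.compile(source)
    return cur.backdoored


def ddc_check(suspect: Binary, suspect_source: str, trusted: Binary) -> bool:
    """Diverse double-compiling (Wheeler): build the suspect's source with an
    independent trusted compiler, rebuild it once more with that result, and
    compare against what the suspect produces from its own source. A compiler
    faithful to its source must regenerate itself identically.
    Returns True when no discrepancy is found."""
    stage1 = trusted.compile(suspect_source)  # A's source, built by the trusted compiler
    stage2 = stage1.compile(suspect_source)   # rebuilt with stage1: what A ought to be
    self_built = suspect.compile(suspect_source)
    return stage2 == self_built


if __name__ == "__main__":
    honest = Binary(code=COMPILER_SOURCE)
    corrupted = Binary(code=COMPILER_SOURCE, backdoored=True)
    # An independently written and built compiler; its own code is irrelevant to the check.
    trusted = Binary(code="other-compiler: independent implementation")
    print("payload survives rebuilds:", payload_survives_rebuild(corrupted, COMPILER_SOURCE))
    print("DDC passes for honest compiler:", ddc_check(honest, COMPILER_SOURCE, trusted))
    print("DDC passes for corrupted compiler:", ddc_check(corrupted, COMPILER_SOURCE, trusted))
```

Two caveats the model makes visible: the check is only as good as the independence of the second compiler (a "trusted" compiler built by the suspect one inherits the payload and the comparison passes), and it needs reproducible builds, since any nondeterminism in the real output turns every comparison into a false alarm. Both are part of why the comment's "significant resources" remark is fair.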
Biting the hand that feeds IT © 1998–2022