

# SolarWinds breach software

A year ago today, the security firm FireEye made an announcement that was as surprising as it was alarming. Sophisticated hackers had silently slipped into the company's network, carefully tailoring their attack to evade the company's defenses. It was a thread that would unspool into what is now known as the SolarWinds hack, a Russian espionage campaign that resulted in the compromise of countless victims.

To say the SolarWinds attack was a wake-up call would be an understatement. It laid bare how extensive the fallout can be from so-called supply chain attacks, when attackers compromise widely used software at the source, in turn giving them the ability to infect anyone who uses it. In this case, it meant that Russian intelligence had potential access to as many as 18,000 SolarWinds customers. They ultimately broke into fewer than 100 choice networks, including those of Fortune 500 companies like Microsoft and the US Justice Department, State Department, and NASA.

But the magnitude of the SolarWinds crisis significantly raised awareness, sparking a year of frantic investment in security improvements across the tech industry and US government.

An executive order in mid-May was one tangible sign of progress. The Biden White House addressed numerous aspects of government cybersecurity, with a specific section dedicated to the supply chain. It outlined requirements for federal agencies to generate guidelines, conduct evaluations, and implement improvements. “The development of commercial software often lacks transparency, sufficient focus on the ability of the software to resist attack, and adequate controls to prevent tampering by malicious actors,” the order states. “There is a pressing need to implement more rigorous and predictable mechanisms for ensuring that products function securely, and as intended.”

The US government has a poor track record when it comes to actually following through on fixing its cybersecurity weak spots. But Dan Lorenc, a longtime software supply chain security researcher and CEO of the startup Chainguard, says he's been pleasantly surprised to see federal agencies actually adhering to the timelines set by the White House, perhaps an early indicator that the software supply chain security epiphany will have some staying power.

“I think the White House set some very aggressive time frames, which raised eyebrows both in the private sector and among government agencies,” says Allan Friedman, a senior advisor and strategist at the Department of Homeland Security's Cybersecurity and Infrastructure Security Agency. “But I think because it has been such a clear priority, agencies have been able to meet the deadlines thus far, and I think it's also helped the broader software community understand that the whole administration is serious about this.”

The federal software supply chain security initiative also has a major focus on public-private cooperation. At a White House cybersecurity meeting with major tech companies at the end of August, Google announced $10 billion in security investment over five years, listing software supply chain as a high priority focus. Brewer and his colleagues, for example, have spent several years working on a project called OpenSSF, a scorecard framework that allows developers to assess the potential risks of open source software. Other initiatives from companies like GitHub, which is owned by Microsoft, aim to automatically spot security vulnerabilities and other weaknesses in open source projects. A decentralized project known as Sigstore, launched in June, is working to make it simple for open source projects to implement “code signing,” an important integrity check used in proprietary software that open source projects often omit. CISA has been working to expand a 2018 project to develop and popularize “SBOMs,” or software bills of materials. The idea is to create a sort of “nutrition facts” reference for software that provides insight and inventory about what's in a finished product and what potential exposures it may have as a result. And researchers at Google also created a software supply chain integrity framework for developers known as SLSA (pronounced “salsa”).
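As an added example that is not part of the original article or of any project it names, the following Python script shows what the SBOM “nutrition facts” idea above looks like in practice: it reads a bill of materials and produces the two halves of the label, an inventory of what is inside the product and the exposures implied by matching that inventory against an advisory feed. It assumes a minimal CycloneDX-style JSON SBOM (the article names no format) and a hand-written advisory list; every package name, version, purl and advisory id is constructed for the example and is not a real package or CVE.

```python
"""Added example: turn an SBOM into an inventory plus an exposure list.
Assumes a CycloneDX-style JSON SBOM and a constructed advisory feed;
both are embedded below so the script runs offline."""
import json
from dataclasses import dataclass

# Constructed SBOM for a made-up product. Names, versions and purls are
# illustrative only. The last component deliberately lacks a version.
SBOM_JSON = """
{
  "bomFormat": "CycloneDX",
  "specVersion": "1.4",
  "metadata": {"component": {"name": "example-monitor", "version": "3.1.0"}},
  "components": [
    {"type": "library", "name": "widgetlib", "version": "1.2.0",
     "purl": "pkg:generic/widgetlib@1.2.0"},
    {"type": "library", "name": "netframe", "version": "2.1.4",
     "purl": "pkg:generic/netframe@2.1.4"},
    {"type": "library", "name": "parsekit", "version": "0.9.3",
     "purl": "pkg:generic/parsekit@0.9.3"},
    {"type": "library", "name": "legacy-agent"}
  ]
}
"""


@dataclass(frozen=True)
class Advisory:
    advisory_id: str   # placeholder id, not a real CVE
    package: str
    introduced: str    # first affected version (inclusive)
    fixed: str         # first fixed version (exclusive); "" if no fix yet
    severity: str


# Constructed advisory feed; ids and version ranges are made up.
ADVISORIES = [
    Advisory("ADV-EXAMPLE-0001", "netframe", "2.0.0", "2.3.5", "critical"),
    Advisory("ADV-EXAMPLE-0002", "parsekit", "0.9.0", "", "high"),
    Advisory("ADV-EXAMPLE-0003", "widgetlib", "1.0.0", "1.2.0", "medium"),
]


def parse_version(text):
    """'MAJOR.MINOR.PATCH' -> comparable 3-tuple of ints. A tag such as
    '1.2.0-rc1' is cut at the first non-digit; '2.1' is padded to (2, 1, 0)."""
    parts = []
    for piece in text.split(".")[:3]:
        digits = ""
        for ch in piece:
            if not ch.isdigit():
                break
            digits += ch
        parts.append(int(digits) if digits else 0)
    while len(parts) < 3:
        parts.append(0)
    return tuple(parts)


def is_affected(version, adv):
    """True if version is in [introduced, fixed), or >= introduced with no fix."""
    v = parse_version(version)
    if v < parse_version(adv.introduced):
        return False
    return not adv.fixed or v < parse_version(adv.fixed)


def components(sbom_text):
    return json.loads(sbom_text)["components"]


def inventory(sbom_text):
    """The 'what is in it' half: one purl per component, with a visible
    fallback when an SBOM entry carries no purl or version."""
    return [c.get("purl", f"{c['name']}@{c.get('version', '?')}")
            for c in components(sbom_text)]


def exposures(sbom_text, advisories=ADVISORIES):
    """The 'what could hurt you' half. A component without a version cannot
    be matched, so it is reported as 'unassessable' instead of silently clean."""
    findings = []
    for comp in components(sbom_text):
        version = comp.get("version")
        if not version:
            findings.append({"component": comp["name"], "status": "unassessable",
                             "advisory": None, "severity": None})
            continue
        for adv in advisories:
            if adv.package == comp["name"] and is_affected(version, adv):
                findings.append({"component": comp["name"], "version": version,
                                 "status": "affected", "advisory": adv.advisory_id,
                                 "severity": adv.severity})
    return findings


def report(sbom_text, advisories=ADVISORIES):
    """Render both halves as a short text label."""
    name = json.loads(sbom_text)["metadata"]["component"]["name"]
    lines = [f"Product: {name}", "Inventory:"]
    lines += [f"  - {purl}" for purl in inventory(sbom_text)]
    lines.append("Exposures:")
    for f in exposures(sbom_text, advisories):
        if f["status"] == "affected":
            lines.append(f"  - {f['component']} {f['version']}: {f['advisory']} ({f['severity']})")
        else:
            lines.append(f"  - {f['component']}: no version in SBOM, cannot be assessed")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(SBOM_JSON))
```

Running the script prints the label for the constructed product: four inventory lines, two affected components and one flagged as unassessable. That last case is the point worth keeping in a real tool: an SBOM entry with no version gives you inventory without exposure information, and reporting it explicitly is what stops a gap in the bill of materials from reading as a clean result.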
