Data security depends on a secure software-development supply chain


As 2020 finally came to an end and 2021 began, The New York Times reported that Russia used SolarWinds’ hacked program to infiltrate at least 18,000 government and private networks. As a result, it is presumed that the data within these networks (user IDs, passwords, financial records, source code) is in the hands of Russian intelligence agents. While the media has written numerous stories about the effects of the breach, there has been a noticeable lack of discussion about the type of attack that was perpetrated, that is, a supply-chain hack. This article describes in more detail the nature of this type of attack, along with some proposed best practices for supply-chain security to thwart nefarious incidents in the future. Finally, we’ll explore whether the open source community (which is designed to be transparent and collaborative) can provide some guidance on better security approaches to developing software with a security-first mindset.

What is a supply-chain hack? As an analogy, consider the Chicago Tylenol Murders that took place in the 1980s. It started when somebody broke into a pharmacy in Chicago, opened the Tylenol bottles, laced pills with cyanide and returned the bottles to the shelves. As a result, people who consumed these laced Tylenol pills got very sick, resulting in multiple fatalities. This is analogous to a supply-chain attack (on software or infrastructure) in that a hacker breaks in through a small backdoor at the point where the software is consumed, or sneaks in malicious code that will take over the computer or otherwise damage the eventual consumer of the software. In the case of the SolarWinds hack, the attacker compromised a particular vendor field server used mostly by military and government contractors.

The consequence of a small, stealthy attack on the infrastructure used to deliver software (or on the software itself) can be enormous. It is stealthy because it is very hard to trace exactly what went wrong all the way back to the left end of the supply chain. In a similar manner, those responsible for lacing the Tylenol back in the eighties were never caught. Here’s the thing — supply-chain attacks are not new; we’ve…
