The SolarWinds Sunburst attack shocked the world and has heightened awareness of software supply chain and third-party risks. These types of attacks can exploit a wide range of technologies, from software infrastructure, code-signing certificates, and commercial software and managed services to hardware and IoT devices. When it comes to attacks on software, COTS software isn't the only target of supply chain attacks. Attacks targeting open-source software projects are a major issue for organizations, with 90% of all applications containing open-source code and 11% of those having known vulnerabilities.
On April 6th, Micro Focus Chief Strategist Rob Aragao will host a fireside chat-style webinar titled “Securing The Software Supply Chain,” with Steve Lipner, John Pescatore, and me to discuss software supply chain risks and how to address them. Steve is currently the Executive Director of SAFECode and John is the Director of Emerging Technologies at the SANS Institute. We all worked together at Trusted Information Systems (TIS) back in the mid-’90s, where Steve led the Gauntlet Firewall business unit (one of the first firewalls) and John led the commercial consulting practice. I was a consultant at the time who worked for John. Subsequently, we’ve all been involved with software supply chain risk mitigation efforts in some way.
Steve Lipner is a pioneer in cybersecurity with over 40 years’ experience as a general manager, engineering manager, and researcher. During his eleven years at Digital Equipment Corporation, Lipner led and made technical contributions to the development of numerous security products and to the operational security of Digital’s networks. At Microsoft, he was the creator and long-time leader of their Security Development Lifecycle (SDL) team. While at Microsoft, Lipner also created initiatives to encourage industry adoption of secure development practices and the SDL, and served as a member and chair of the SAFECode board. In October, prior to the revelations of the Sunburst attack, Lipner wrote A Brief Overview of Software Security Resources Supporting the Supply Chain Security Discussion. In the article, Lipner provides pointers to guidance from SAFECode, NIST, FS-ISAC, and the Linux Foundation that are intended to help developers achieve supply chain security, and to help customers gain confidence in the security of their supply chains.
John has over 35 years of experience in computer, network and information security. He was Gartner’s Lead Security Analyst for 13 years, working with global 5000 corporations and major technology and service providers. Prior to joining Gartner Inc. in 1999, Pescatore was Senior Consultant for Entrust Technologies and TIS. Pescatore also spent 11 years with GTE developing secure computing systems. Pescatore began his career at the National Security Agency, where he designed secure voice systems, and at the United States Secret Service, where he developed secure communications and surveillance systems. In 2019, John wrote a SANS white paper, Success Patterns for Supply Chain Security, and is a proponent of additional testing of software to mitigate supply chain risks.
From 2005 to 2007, I co-chaired a DHS working group on software acquisition and supply chain risks. In Software Assurance: Five Essential Considerations for Acquisition Officials, my co-chair and I shared:
“…acquisition officials must become educated consumers in the purchase of secure software, and each phase of the acquisition process must be leveraged to build security in to ensure the delivery of reliable software that functions as promised and software free from security vulnerabilities and malicious code.”
The outcome of our working group (Guideline, Pocket Guide) relied on arming software buyers and evaluators with questions and contract language to hopefully enable greater security-risk insight into acquired or open source software. Honestly, I don’t think this approach would have disrupted the SolarWinds Sunburst attack given that the malware was injected during the build process. But I do think use of the questions and contract language can hold software suppliers more accountable for producing more secure software.
All of our perspectives will be brought together on April 6th during the Securing The Software Supply Chain Fireside chat. Join us by registering here!