Disaster Recovery

As another supply-chain attack hit, vendors should expect tougher questions

Some questions to ask your supplier.

Dny59/Getty Images


Top insights for IT pros

From cybersecurity and big data to cloud computing, IT Brew covers the latest trends shaping business tech in our 4x weekly newsletter, virtual events with industry experts, and digital guides.

For IT pros, a zero-day often means zero sleep, clarity, relief, and time not on Reddit.

Large-scale attacks on widely used tools, such as Log4j, SolarWinds, and more recently the VoIP communications app 3CX, have given tech staff plenty of practice in scrambling: finding all the instances of a vulnerability and remediating it quickly.

As software-supply-chain attacks rise, there is growing momentum for vendors to take a more active role in securing their own designs, and for customers to confirm that suppliers follow secure software development practices, such as source-code checks and software bills of materials (SBOMs).

“From a consumer perspective, what you want to be doing is looking to the vendors that you’re dealing with, and having them provide attestations that they are taking these precautions, that they do have these kinds of controls in place,” said Dale Gardner, senior director at the market-intelligence firm Gartner.

Supply. DEMANDS.

In a software-supply-chain attack, malicious code is injected into an application, infecting all of the app’s users.

A malicious library, for example, recently compromised the Electron-based versions of the 3CX desktop app on macOS and Windows. (3CX has since updated the Electron app, with help from Mandiant.)

New US Office of Management and Budget rules, established in September 2022, require software developers to confirm that their development practices adhere to guidance such as the National Institute of Standards and Technology’s Secure Software Development Framework and Software Supply Chain Security Guidance.

Customers can push their suppliers to make sure they follow the framework, too, Gardner said.

“By doing that, organizations can make better basically risk management decisions about the code that they're using in the environment,” Gardner told IT Brew.

Embedding security into the product itself will be a greater focus, Michael Sikorski, CTO & VP of engineering at Unit 42, Palo Alto Networks’ threat-intelligence team, told IT Brew, and customers need to get answers from their software suppliers: Do they perform checks on source code before deploying, for example?

Gardner recommends similar questions: Does a project have many maintainers, or open-source code providers? Where do those come from? What's a vendor’s track record in vulnerability response?

“I think a lot of these companies that are developing software are going to have to put in a lot more due diligence into showing their customers that they're taking security seriously, and that they're looking for these types of attacks being embedded in their software,” Sikorski said.

So IT pros can get some sleep.
