What software supply chain security really means

The definition breaks down

A mere three months later, a new type of attack materialized that didn't fit within the existing typology. A new attack type called "dependency confusion" was coined when security researcher Alex Birsan self-published a Medium article sub-titled "How I Hacked into Apple, Microsoft, and Dozens of Other Companies." What was clever about this new attack type is how it took advantage of the non-intuitive behavior of package managers, allowing an attacker to trick developers into downloading malicious code from an external package registry rather than, as intended, an internal package registry. While similar to typosquatting, which was already a minor category in our typology, this attack didn't actually involve a typo. Our original definition of software supply chain security had already been stretched. We added another minor category and moved on.
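To make the "non-intuitive behavior of package managers" concrete, here is an added toy model (example code written for this page, not Birsan's research and not the resolution algorithm of npm, pip or any real package manager). It assumes constructed internal and public registries and a list of names the organisation publishes only internally, and contrasts a resolver that merges both registries and takes the highest version with one that pins private names to the internal registry.

```python
"""Toy model of registry resolution behind dependency confusion.

Assumption: a simplified resolver, not any real package manager's logic.
Registries map package name -> list of available versions.
"""
from typing import Dict, List, Tuple

Version = Tuple[int, int, int]
Registry = Dict[str, List[Version]]

# Constructed sample registries (not real package data).
INTERNAL: Registry = {"acme-billing": [(1, 2, 0), (1, 3, 0)]}
PUBLIC: Registry = {
    "acme-billing": [(99, 0, 0)],   # same name, higher version, public registry
    "requests-like": [(2, 31, 0)],  # an ordinary public dependency
}

# Names the organisation publishes only internally (constructed policy list).
PRIVATE_NAMES = {"acme-billing"}


def resolve_naive(name: str) -> Tuple[str, Version]:
    """Merge both registries and take the highest version.

    This is the confusable behaviour: a public upload with a larger version
    number wins over the internal package of the same name.
    """
    candidates = [("internal", v) for v in INTERNAL.get(name, [])]
    candidates += [("public", v) for v in PUBLIC.get(name, [])]
    if not candidates:
        raise LookupError(name)
    return max(candidates, key=lambda c: c[1])


def resolve_pinned(name: str) -> Tuple[str, Version]:
    """Private names consult only the internal registry, all others only the public one.

    The public registry is never a fallback for a private name, so a same-name
    public upload cannot be selected regardless of its version.
    """
    if name in PRIVATE_NAMES:
        source, versions = "internal", INTERNAL.get(name, [])
    else:
        source, versions = "public", PUBLIC.get(name, [])
    if not versions:
        raise LookupError(name)
    return source, max(versions)
```

Run `resolve_naive("acme-billing")` and `resolve_pinned("acme-billing")` side by side to see the public 99.0.0 win in the first case and the internal 1.3.0 in the second.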

Then in December 2021, Log4shell happened and the "internet was on fire." Now our typology suffered a mortal wound. The earlier typology focused exclusively on the insertion of malicious code, but the Log4shell vulnerability didn't involve malicious code. Nonetheless, Log4shell clearly represented a widespread vulnerability in the software supply chain. It was an easily exploited and severe vulnerability, introduced by a flaw in a widely popular open source Java logging library. The episode revealed a critical flaw in our existing definition of software supply chain security: unintentional security flaws in widely used open source software had no place in it. That original typology, for the purposes of my career, was dead only 18 months after invention.

Accepting a broader definition

Upon reflection, the "supply chain" aspect of software supply chain security suggests the key ingredient of an improved definition. Software producers, like manufacturers, have a supply chain. And software producers, like manufacturers, require inputs and then perform a manufacturing process to build a finished product. In other words, a software producer uses components, developed by third parties and by themselves, and technologies to write, build, and distribute software. A vulnerability or compromise of this chain, whether achieved via malicious code or via the exploitation of an unintentional vulnerability, is what defines software supply chain security. I should mention that a similar, rival data set maintained by the Atlantic Council uses this broader definition. (Full disclosure: I'm now a non-resident fellow at the Atlantic Council. If you can't beat 'em, join 'em.)
