The fast-evolving story of the compromise of voice over IP (VoIP) provider 3CX has refocused attention on the threat posed by software supply chain compromises. 3CX’s desktop client were tampered with by state-sponsored hackers. The company’s Windows and macOS build environments were compromised, and a backdoor added to the desktop client’s code. The update was then signed and pushed to customers.
That — and more recent revelations that 3CX itself was compromised by a signed, but compromised application made by the firm Trading Technologies — is all the proof software development teams need that their development and distribution pipeline are in the crosshairs.
Despite that, however, few software organizations are gearing up to address this growing risk. Instead, the focus of security investments and activity remains where it has been for much of the last two decades: On hardening network perimeters and endpoints, as well as finding and patching exploitable software vulnerabilities.
[ See the ConversingLab interview with Charlie Jones: The Rise of Malware Within the Software Supply Chain | Plus: See ReversingLabs @ RSAC for sessions etc ]
It's time to think beyond vulnerabilities
What’s needed? A full reset, says Charlie Jones, a Director of Product Management at ReversingLabs. Jones is speaking this week at The RSA Conference in San Francisco. His talk, The Rise of Malware within the Software Supply Chain, looks at the growing gap between threats and detection at many organizations involved in software development, as well as by the downstream customers who consume that software.
I had the opportunity to sit down with Jones ahead of his presentation. We discussed how organizations are caught off guard the fast-moving landscape of threats and attacks, and how priorities must change.
“There's a disconnect between this hyperfocus … on the detection, the response, the mitigation of vulnerabilities in software [and] the actual threats that we see being taken advantage of and specifically targeted in the threat landscape."
—Charlie Jones
The solution, Jones says, is for organizations to begin to reallocate their human, technical and other resources to focus on risks to development and DevOps environments.
“Focusing on vulnerabilities simply isn't enough — and it actually tends to not be that effective."
—Charlie Jones
Pointing to recent supply chain compromises, Jones notes that software packages that are known to be malicious are a much bigger risk — and a better indicator that your environment has been compromised — than a high priority vulnerability in software that may, or may not, be exploitable in your environment.
Watch the full conversation with Charlie Jones
In our full ConversingLabs conversation, Jones talks about some of the steps that development and DevOps teams can take to reduce their exposure to supply chain threats. He also focuses on the predicament of downstream consumers of software, and what options they have to spot malicious software updates that may be coming from otherwise trusted suppliers.
[ See the ConversingLab interview with Charlie Jones: The Rise of Malware Within the Software Supply Chain | Plus: See ReversingLabs @ RSAC for sessions etc ]
Charlie Jones @ RSAC 2023
Don't miss Jones’s talk at this year’s RSA Conference in San Francisco. He will be speaking on Thursday morning, April 27th at 8:30 AM in Moscone West Room 3002.
Article Link: The rise of malware in the software supply chain – and what to do about it