Just last Thursday, I submitted the final manuscript for my 20th book. It’s all about Supply Chain Attacks, with a heavy emphasis on both CrowdStrike and SolarWinds. Of course, there have been a lot of other Supply Chain Attacks in the last few years, and I covered them as well. One of the more notable was the Colonial Gas Pipeline breach, which impacted the flow of all gasoline byproducts on the East Coast, here in the United States. To alleviate the financial damage that it was causing, the CEO even paid a ransom, to the tune of about $4 million.
I also spent a lot of time reviewing how the other components of the US Critical Infrastructure are also at grave risk of becoming the victim of a Supply Chain Attack. But apart from this, there is another source from which this kind of Threat Vector can be launched: the use of Open Source Software.
For those out there who do not know what this is all about, Open Source Software can be thought of as software that is free to use and distribute. Because of this, there are none of the exorbitant licensing fees that you find with applications built on Closed Source Software.
With Closed Source, in other words, you do not know what kind of programming went on behind the scenes in building out these apps. Given the nature of Open Source, there is also the huge freedom to collaborate with others to optimize the programming (from here on referred to as “Source Code”) the way it should be, so that it can best meet the needs of the client.
Many Open-Source platforms can be downloaded quickly from libraries that are available on the Internet, one of the most popular being GitHub. Normally, software developers and their teams go on the blind assumption that the people who manage these libraries will keep these platforms updated and evaluate them on a regular basis so that they are as secure as possible.
But the truth of the matter is that they typically do not do this, and thus there are many “backdoors” left wide open for the Cyberattacker to quite easily penetrate. And it is from there that the next Supply Chain Attack could quite conceivably happen, with devastating consequences.
One of the key differentiators of Supply Chain Attacks from other Threat Variants is that just one point of entry is needed, through just one system in the IT/Network Infrastructure of the targeted business. From here, with all the interconnectivity that has built up over time, millions of people can be impacted in just a matter of a few hours, as we saw with the CrowdStrike fiasco.
So, now this begs the question: what will be done in 2025 to make sure that the Open-Source Software Platforms being used to create software applications are made more secure? Well, a consortium known as the Open Source Security Foundation (“OpenSSF”) has come out with a list of recommendations that software developers all over the world should implement as quickly as possible. Here is a sampling of what they have produced:
1) The Use Of AI:
Yes, we have all heard about this ad nauseam, but one of its biggest benefits is that it can be used to help automate the repetitive processes of a project. Take the case of a web development project. Most likely, in each module there will be tasks that have to be done over and over again. Well, this is an area in which Generative AI can play a huge role, by automating these tasks. But a huge word of warning is needed here. As much as Generative AI can help, it can also be a huge security risk! Given the explosion in its use, it has now become one of the prized targets of the Cyberattacker, especially when it comes to Model Poisoning and Data Leakage Attacks. Therefore, it has been very strongly suggested that guardrails be put into place to curb these Threat Variants and others like them that may come, especially if automation is used in the software development process.
2) More Regulations:
Just as there has been an uptick in Data Privacy Laws (such as the GDPR and the CCPA), there will now be similar pieces of legislation that come about for Open-Source Software compliance. In this regard, they will contain tenets and provisions that call for software development teams to instill a system of checks and balances, so that the compiled Source Code is checked for any vulnerabilities and they are quickly remediated.
In fact, the European Union is already one step ahead here, having launched what is known as the “Cyber Resilience Act”, or “CRA” for short. Although it is geared towards the Internet of Things (IoT), there is a heavy emphasis on Source Code Security within it as well. Further, it also requires that a detailed Software Bill of Materials (“SBOM”) be created before the start of any sort of software development project. Essentially, this lists out and details all of the software components that will be used, so that everybody has firsthand knowledge of what is being used. Also, any time the SBOM goes through a new iteration, the change must be thoroughly documented and submitted into a Change Management Process.
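As an added example (not from this post, OpenSSF or the CRA text), here is a small Python check that compares two iterations of a CycloneDX-style SBOM and reports which components were added, removed or changed version, which is exactly the information a Change Management record needs to capture. The two SBOM documents and their component names are constructed for the example.

```python
import json

# Constructed, CycloneDX-style SBOM for the first iteration of a hypothetical
# project (hypothetical component names; not any real project's SBOM).
SBOM_V1 = json.dumps({
    "bomFormat": "CycloneDX", "specVersion": "1.5",
    "components": [
        {"type": "library", "name": "example-http", "version": "2.1.0",
         "purl": "pkg:pypi/example-http@2.1.0"},
        {"type": "library", "name": "example-yaml", "version": "5.4.1",
         "purl": "pkg:pypi/example-yaml@5.4.1"},
    ],
})

# Constructed second iteration: one upgrade, one removal, one new dependency.
SBOM_V2 = json.dumps({
    "bomFormat": "CycloneDX", "specVersion": "1.5",
    "components": [
        {"type": "library", "name": "example-http", "version": "2.2.0",
         "purl": "pkg:pypi/example-http@2.2.0"},
        {"type": "library", "name": "example-crypto", "version": "1.0.0",
         "purl": "pkg:pypi/example-crypto@1.0.0"},
    ],
})


def components(sbom_json):
    """Map component name -> version; reject documents that are not CycloneDX."""
    doc = json.loads(sbom_json)
    if doc.get("bomFormat") != "CycloneDX":
        raise ValueError("not a CycloneDX SBOM")
    return {c["name"]: c["version"] for c in doc.get("components", [])}


def sbom_diff(old_json, new_json):
    """Return (change, name, old_version, new_version) tuples between two SBOM
    iterations; an empty list means the dependency set did not change."""
    old, new = components(old_json), components(new_json)
    changes = []
    for name in sorted(old.keys() | new.keys()):
        if name not in new:
            changes.append(("removed", name, old[name], None))
        elif name not in old:
            changes.append(("added", name, None, new[name]))
        elif old[name] != new[name]:
            changes.append(("changed", name, old[name], new[name]))
    return changes
```

A non-empty result is the trigger to open a change record; running the comparison in the build pipeline against the last approved SBOM catches dependency drift that nobody documented.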
My Thoughts on This:
It is great to see that more substantial efforts are being made to ensure that the overall software development process (which makes use of Open-Source Platforms) is going to be made as secure as possible. After all, the reputation of all the relevant key stakeholders could be at risk.
If you are a CISO, or even the head of a software development team, it is imperative that you stay up to date with the latest vulnerabilities that are being found in the Open-Source Software Platforms. To do this, you can simply subscribe to the mailing list of OpenSSF. More information about this can be found at the link below: