It is common for the security industry to get disturbed when new vulnerabilities are discovered in software. Two new vulnerabilities were reported in OpenSSL in late October and early November 2022, which overwhelmed news feeds. This never-ending vulnerability cycle begins with the discovery and disclosure of vulnerabilities. The impact of a cyber-attack is felt acutely by those who work on the front lines of information technology, as the need for remediation is harsh.
To filter some of the noise from new vulnerabilities, consider the impact on supply chains and take the necessary steps to secure their assets, security leaders must maintain an effective cybersecurity strategy.
Supply Chain Attacks Aren't Going Away
There have been several severe vulnerabilities in Log4j, Spring Framework, and OpenSSL components in the last year which have caused us to lose significant amounts of data. As long as implementations are misconfigured or rely on known vulnerable dependencies, it is also certain those older vulnerabilities will be exploited in the future. It was learned in November 2022 that a state-sponsored Iranian operation had been mounted against the Federal Civilian Executive Branch (FCEB), which was attributed to an attack campaign launched against it by the Iranian regime. In this case, a United States federal entity ran VMware Horizon infrastructure. This infrastructure contained the Log4Shell vulnerability, which was the initial attack vector. This vulnerability allowed an attacker to gain access to the network. There was a series of attacks on FCEB. This attack chain included lateral movements, credential compromises, system compromises, network persistence, endpoint protection bypasses, and crypto-jacking in the course of a single attack.
After security incidents involving vulnerable packages like OpenSSL or Log4j, organizations are likely to wonder why they are consuming open-source software at all. According to a recent report, supply chain attacks continue to be on the rise because suppliers and partners are reusing components.
Instead of building systems from scratch, the team of strategic planners for cybersecurity at Sysdig repurposes existing code. As a result, engineering effort will be reduced, operational scalability will be achieved, and delivery will be fast. In general, open-source software (OSS) has a high reputation for reliability due to the public scrutiny it receives due to its open-source nature. Software is, of course, a constantly changing field, and problems can arise as a result of coding errors or dependency problems. Moreover, the improvement of testing and exploitation techniques also enables the discovery of new issues over time.
Supply Chain Vulnerabilities: How to Address Them
To secure the modern design of an organization, it must have the appropriate tools and processes in place.
In this rapidly changing environment, traditional approaches based on vulnerability management or point-in-time assessments cannot be relied upon alone. Even though these approaches may still be permitted by regulations, they perpetuate the division between "secure" and "compliance." Most organizations aim to reach some level of maturity in DevOps. There are several characteristics of DevOps practices that are common to both continuous and automated processes. Processes related to security should not be different from other processes. The security strategist must ensure that they maintain a steady focus on security throughout the phases of development, testing, and deployment, and during runtime.
Continuously scan code in CI/CD: In addition to following the best security practices (e.g., shift left), you need to recognize that you will not be able to scan all the code and nested code. Several factors can limit the success of shift-left approaches scanner effectiveness, correlation of scanner output, automation of release decisions, and scanner completion within the release timeframes. Using the right tool can help you prioritize the risks associated with your findings. Your architecture may not be able to exploit all found vulnerabilities, and some vulnerabilities may not be exploitable in the first place.
Continuous scanning during delivery: it is essential to prevent component compromises and environment drifts from happening. The digital supply chain, which is the process by which applications, infrastructure, and workloads are sourced from registries, and repositories, and booted up from them, need to be scanned in case something has been compromised along the way.
Continually scan at runtime: To protect against cyber threats, most organizations are looking to continually scan at runtime, and security monitoring is the backbone of their efforts. As part of your system architecture, you need mechanisms to collect, correlate, and interpret telemetric data from all types of systems, including cloud environments, containers, and Kubernetes deployments. Insights collected during the runtime should feed back into the earlier stages of the build and delivery process. In the context of identity and services, there is an interaction between them.
Secure strategy and cybersecurity preparedness are essential in the wake of the latest OpenSSL vulnerability and Log4Shell. CVE-IDs are merely identifiers of vulnerability issues that are known to exist in publicly available software or hardware. Many vulnerabilities remain unreported, particularly those rooted in undocumented code or those resulting from environmental misconfiguration or homegrown code. Modern designs are based on distributed and diverse technologies, and cybersecurity strategies must take this into consideration. The technology you need to manage vulnerabilities requires a modern tool that uses runtime insights so that engineering teams can prioritize remediation tasks based on the information they have. Additionally, for you to avoid sudden attacks, you need to have the ability to detect and respond to threats across a wide range of environments.
.jpg "Concerns About Supply Chain Risks Need Strategies")
.jpg)