The fast-evolving story of the compromise of voice over IP (VoIP) provider 3CX has refocused attention on the threat that software supply chain compromises pose. State-sponsored hackers tampered with 3CX’s desktop client, compromising the company’s Windows and macOS build environments, and added a backdoor to the desktop client’s code. The update was then signed and pushed to customers.
That — and more recent revelations that 3CX itself was compromised by a signed, but compromised application made by Trading Technologies — is all the proof software development teams need that their development and distribution pipelines are in the crosshairs.
Despite that, few software organizations are gearing up to address this growing risk. Instead, their focus remains where it has been for much of the last two decades: On hardening network perimeters and endpoints, and finding and patching exploitable software vulnerabilities.
[ See the ConversingLab interview with Charlie Jones: The Rise of Malware Within the Software Supply Chain | Plus: See ReversingLabs @ RSAC for sessions etc ]
It's time to think beyond vulnerabilities
What’s needed? A full reset, says Charlie Jones, Director of Product Management at ReversingLabs. Jones is speaking this week at The RSA Conference in San Francisco. His talk, The Rise of Malware within the Software Supply Chain, looks at the growing gap between threats and detection at many organizations involved in software development, as well as by the downstream customers who consume that software.
I sat down with Jones ahead of his presentation to discuss how organizations are caught off guard in the fast-moving landscape of threats and attacks, and how priorities must change.
“There's a disconnect between this hyperfocus … on the detection, the response, the mitigation of vulnerabilities in software [and] the actual threats that we see being taken advantage of and targeted in the threat landscape."
—Charlie Jones
The solution, Jones says, is for organizations to begin to reallocate their human, technical and other resources to focus on risks to development and DevOps environments.
“Focusing on vulnerabilities simply isn't enough — and it tends to not be that effective."
—Charlie Jones
Pointing to recent supply chain compromises, Jones notes that software packages known to be malicious are a much bigger risk — and a better indicator that your environment has been compromised — than is a high-priority software vulnerability that may or may not be exploitable in your environment.
Watch the full conversation with Charlie Jones
In our full ConversingLabs conversation, Jones talks about the steps development and DevOps teams should take to reduce exposure to supply chain threats, the predicament for downstream consumers of software, and what options they have to spot malicious software updates that may be coming from otherwise trusted suppliers.
[ See the ConversingLab interview with Charlie Jones: The Rise of Malware Within the Software Supply Chain | Plus: See ReversingLabs @ RSAC for sessions etc ]
Charlie Jones @ RSAC 2023
Don't miss Jones’s talk at this year’s RSA Conference in San Francisco. He will be speaking on Thursday morning, April 27th at 8:30 AM in Moscone West Room 3002.
Keep learning
- Gartner is redefining software supply chain security, and calling on enterprises to make some big changes. Get the new Gartner Leader's Guide — and learn more in our Special Report.
- Learn about complex binary analysis and why it is critical to software supply chain security in our Special Report. Plus: Take a deep dive with RL's white paper.
- Commercial software risk is under-addressed. Get key insights with our Special Report, download the related white paper — and see our related Webinar for more insights.
- Understand key trends and get expert insights with our special report package: The State of Supply Chain Security (SSCS) 2024. Plus: Download the full State of SSCS report.
- Read about why you need to upgrade your AppSec tools for the SSCS era. Plus: Download and share our Definitive Guide to SSCS.
Explore RL's Spectra suite: Spectra Assure for software supply chain security, Spectra Detect for scalable file analysis, Spectra Analyze for malware analysis and threat hunting, and Spectra Intelligence for reputation data and intelligence.