The fast-evolving story of the compromise of voice over IP (VoIP) provider 3CX has refocused attention on the threat that software supply chain compromises pose. State-sponsored hackers tampered with 3CX’s desktop client, compromising the company’s Windows and macOS build environments, and added a backdoor to the desktop client’s code. The update was then signed and pushed to customers.
That — and more recent revelations that 3CX itself was compromised by a signed, but compromised application made by Trading Technologies — is all the proof software development teams need that their development and distribution pipelines are in the crosshairs.
Despite that, few software organizations are gearing up to address this growing risk. Instead, their focus remains where it has been for much of the last two decades: On hardening network perimeters and endpoints, and finding and patching exploitable software vulnerabilities.
[ See the ConversingLab interview with Charlie Jones: The Rise of Malware Within the Software Supply Chain | Plus: See ReversingLabs @ RSAC for sessions etc ]
It's time to think beyond vulnerabilities
What’s needed? A full reset, says Charlie Jones, Director of Product Management at ReversingLabs. Jones is speaking this week at The RSA Conference in San Francisco. His talk, The Rise of Malware within the Software Supply Chain, looks at the growing gap between threats and detection at many organizations involved in software development, as well as by the downstream customers who consume that software.
I sat down with Jones ahead of his presentation to discuss how organizations are caught off guard in the fast-moving landscape of threats and attacks, and how priorities must change.
“There's a disconnect between this hyperfocus … on the detection, the response, the mitigation of vulnerabilities in software [and] the actual threats that we see being taken advantage of and targeted in the threat landscape."
—Charlie Jones
The solution, Jones says, is for organizations to begin to reallocate their human, technical and other resources to focus on risks to development and DevOps environments.
“Focusing on vulnerabilities simply isn't enough — and it tends to not be that effective."
—Charlie Jones
Pointing to recent supply chain compromises, Jones notes that software packages known to be malicious are a much bigger risk — and a better indicator that your environment has been compromised — than is a high-priority software vulnerability that may or may not be exploitable in your environment.
Watch the full conversation with Charlie Jones
In our full ConversingLabs conversation, Jones talks about the steps development and DevOps teams should take to reduce exposure to supply chain threats, the predicament for downstream consumers of software, and what options they have to spot malicious software updates that may be coming from otherwise trusted suppliers.
[ See the ConversingLab interview with Charlie Jones: The Rise of Malware Within the Software Supply Chain | Plus: See ReversingLabs @ RSAC for sessions etc ]
Charlie Jones @ RSAC 2023
Don't miss Jones’s talk at this year’s RSA Conference in San Francisco. He will be speaking on Thursday morning, April 27th at 8:30 AM in Moscone West Room 3002.
Keep learning
- Learn how you can go beyond the SBOM with deep visibility and new controls for the software you build or buy. Learn more in our Special Report — and take a deep dive with our white paper.
- Upgrade your software security posture with RL's new guide, Software Supply Chain Security for Dummies.
- Commercial software risk is under-addressed. Get key insights with our Special Report, download the related white paper — and see our related Webinar for more insights.
Explore RL's Spectra suite: Spectra Assure for software supply chain security, Spectra Detect for scalable file analysis, Spectra Analyze for malware analysis and threat hunting, and Spectra Intelligence for reputation data and intelligence.