ConversingLabs: Conversations About Threat Hunting and Software Supply Chain Security

When it comes to secure software development, Steve Lipner is one of those information security industry leaders who was there at the creation, so to speak. Lipner, the current Executive Director of the non-profit SafeCode, served as the Director of the Microsoft Security Response Center (MSRC) and from 2004 to 2013 - a critical period that saw Microsoft launch the now renowned Security Development Lifecycle (SDL) initiative, which Lipner oversaw. As part of SafeCode, Lipner has worked to promote secure development principles more widely in industry. SafeCode provides free resources on secure software development as well as advice and recommendations for development organizations in the form of white papers, blog posts, social media posts, and more.

ConversingLabs host Paul Roberts chatted with Lipner as a part of our ConversingLabs Cafe series of chats at the recent 2022 RSA Conference in San Francisco.

In this conversation, Lipner explains what secure software is, recounts his own experiences on Microsoft’s Software Security Development Lifecycle Team at as the point of the spear in Microsoft’s Trustworthy Computing Initiative. Lipner stresses that secure software must come from within (so to speak). Outside consultants may be able to promote best practices, but they will never be able to grasp what needs fixing as well as members of your own development team. That’s why an organization’s developers need to be trained and motivated to write secure code, which means seeing mistakes as they write code and throughout the entire development process.

Lipner also talks about the Biden Administration’s Executive Order (EO) on Improving the Nation’s Cybersecurity, released in May 2021. Lipner believes that the impact of the EO is still a work in progress. He noted that Safe Code’s member companies have made it a priority to demonstrate that they are meeting the requirements set forth in the EO. He’s particularly a “fan” of Section 4 of the EO, which lists the requirements for a robust software security program.

MITRE, the non-profit corporation, has been instrumental in developing systems to help with issues related to software assurance. That includes the development of CVEs (Common Vulnerabilities and Exposures) and CWEs (Common Weakness Enumeration) not to mention the ATT&CK taxonomy of adversarial methods.

Now MITRE is taking things further and “stepping up into the organization” to focus on supply chain risk, according to Robert Martin, a Senior Principal Engineer at MITRE. COVID has highlighted supply chain risks - whether its availability, counterfeit products or - of course - cyber risk, he said. But solving supply chain problems is not simply a job for the IT group, but something that needs to be driven from the very top echelons of an organization.

His organization published a framework in early 2021 called the System of Trust (sot.mitre.org), which provides a framework for supply chain security risk assessments that is customizable, evidence-based, scalable and repeatable. Once implemented, the SoT will give organizations within the supply chain confidence in each other as well as different service offerings and supplies.

Martin sat down with ConversingLabs host Paul Roberts on the sidelines of the RSA Conference in early June.

In this conversation, he talks about how the software supply chain is highly complicated, due to an increasing number of things in society becoming cyber-enabled.

Martin explained how software is not written neatly end to end, but rather is built with drivers, dependencies, and frameworks that give the supply chain depth and magnitude. If software practitioners are not given visibility into this complicated picture, they will miss the software supply chain risks that pose a threat to their organizations.The SoT’s goal is to promote transparency, allowing developers to see all of the players in the supply chain.

We chatted with ReversingLabs Reverse Engineer Karlo Zanki about how NPM packages have been caught serving malware via compromised software updates.

We chatted with ReversingLabs’ very own Hrvoje Samardžić and Independent Malware Hunter Luigi De Mori/JAMESWT (@JAMESWT_MHT) about what kinds of internal threat intelligence are the most useful, where to find it, and how to leverage this data to improve your organization’s defenses.

In this podcast, we dig deep on the Emotet malware with two noted experts: Dado Horvat of ReversingLabs and Dragan Damjanovic of KPMG and talk about the evolution of the threat and the latest Emotet IOCs.

Ransomware groups are changing up their game. To see where things are heading, look no further than the Conti group, says Yelisey Boguslavskiy, a Security Studies Expert at the firm AdvIntel. He joined ConversingLabs host Paul Roberts for this latest episode of the podcast to dig into Conti Ransomware Group’s recent activity. They also discuss what lessons Conti holds for organizations who want to defend against evolving ransomware threats.

Check out our new podcast, ConversingLabs. Airing every two weeks, ConversingLabs features conversations with the top minds in threat hunting, reverse engineering and cyber defense. Join host Paul Roberts as he interviews threat hunting and threat intelligence experts from ReversingLabs and around the world.