Software Supply Chain Security: The Differences Between Vulnerabilities and Malware
In this episode of ReversingGlass, Matt explains the key differences between two major threats to software supply chains: vulnerabilities and malware. He demonstrates how vulnerabilities are unintentional risks, while malware is an intentionally nefarious action.
- See post: 6 reasons app sec teams should shift gears and go beyond vulnerabilities
- ReversingGlass: The DNA of Software Supply Chain Security
- Report: The Software Supply Chain Risk Report
MATT ROSE: Hi, everyone. Welcome back to another episode of ReversingGlass. I'm Matt Rose, Field CISO at ReversingLabs. Today's episode of ReversingGlass is Vulns versus Malware. And this is a conversation I hear a lot, especially when it relates to software supply chain security. Let's start on the left side because that's where Vulns are.
Vulns are vulnerabilities in your application. And when you think about vulnerabilities, you're thinking about an issue like, uh, XSS, XSS, sorry, or a SQL injection, so cross-site scripting or SQL injection. When a developer or a third-party organization develops a piece of software, they write it to do a functional spec.
And within writing the software, sometimes mistakes are made, and vulnerabilities are introduced into the code base. And SQL injection, cross-site scripting, vulnerabilities that people, hopefully, are very familiar with, but really what it is, is going outside the bounds of the intended purpose.
There was an... activity that was designed as part of the software. Maybe it's: I log in, I view some records, I delete some records, I change some records, I log out. That's the functionality of the application. But based on insecure coding practices, improper sanitization, for example, there could be vulnerabilities like a SQL injection or cross-site scripting, looking for script tags, or single quotes for a SQL injection type of vulnerability. Most of the solutions we're talking about out there today in terms of application security testing solutions are looking for vulnerabilities. They're looking for things that an application or a piece of software just isn't supposed to do, and there's security risk: PII data, sensitive information, secrets leakage, those types of things.
Malware, on the other side of the equation, is short for malicious software. And guess what? Goodware is good software. So, malicious software. And what malicious software is, it is written... and designed to do a nefarious act. The whole purpose of malware is to do something to compromise your application, your piece of software, insert a functionality that is not supposed to be there.
So the whole design of malware is to do something specific in a nefarious way. Vulnerabilities, on the other hand, are issues in the code that aren't supposed to be there, but just happened without, again, as I mentioned, proper sanitization, or escalation of privileges, those types of things. So, as you do that investigation in software supply chain security, and all these vendors that are saying they're doing it, most of them are more on the malware side, not the malware side but on the vulnerability side, where malware's intended purpose is to just be bad or malicious software.
Food for thought. Vulns and malware, two issues that you got to address, but they are two different beasts to attack. I'm Matt Rose. Have a great day, everybody.