{"id":19382,"date":"2022-06-19T23:10:05","date_gmt":"2022-06-20T07:10:05","guid":{"rendered":"http:\/\/www.palada.net\/index.php\/2022\/06\/19\/news-13115\/"},"modified":"2022-06-19T23:10:05","modified_gmt":"2022-06-20T07:10:05","slug":"news-13115","status":"publish","type":"post","link":"http:\/\/www.palada.net\/index.php\/2022\/06\/19\/news-13115\/","title":{"rendered":"Securing the software supply chain, with Kim Lewandowski: Lock and Code S03E13"},"content":{"rendered":"<p><strong>Credit to Author: Malwarebytes Labs| Date: Mon, 20 Jun 2022 06:11:56 +0000<\/strong><\/p>\n<p>At the start of the global coronavirus pandemic, nearly everyone was forced to learn about the &#8220;supply chain.&#8221; Immediate stockpiling by an alarmed (and, in smaller part, opportunistic) public led to an almost overnight disappearance of hand sanitizer, bottled water, toilet paper, and face masks.<\/p>\n<p>In time, those items returned to stores. But then a big ship got stuck in the Suez Canal, and once again we learned even more about the vulnerability of supply chains. They can handle little stress. They can be derailed by one major accident. They spread farther than we know.<\/p>\n<p>While the calamity in the canal involved many lessons, there was another story in late 2020 that required careful study in cyberspace\u2014an attack on the digital supply chain.<\/p>\n<p>That year, attackers compromised SolarWinds, the Texas-based company that develops the network management platform Orion. Months before the attack was caught, the attackers inserted malicious code into a legitimately built and signed Orion update shipped by SolarWinds, so the update passed the checks customers would normally rely on. This malicious code gave the attackers a backdoor into every Orion customer who downloaded and deployed the trojanized update on a server that could reach the internet. Though as many as 18,000 customers downloaded the update, the number the attackers went on to actively exploit was far lower, somewhere around 100 companies and about a dozen government agencies.<\/p>\n<p>This attack did involve a breach of one company, but its real target was broader: the many, many clients of that one company. This was an attack on the software supply chain, and since that major event, similar attacks have happened again and again.<\/p>\n<p>Today, on the Lock and Code podcast with host David Ruiz, we speak with Kim Lewandowski, founder and head of product at Chainguard, about the software supply chain, its vulnerabilities, and how we can fix it.<\/p>\n<figure class=\"wp-block-pullquote\">\n<blockquote>\n<p>&#8220;Our software supply chains are as brittle and sort of filled with weaknesses, similar to a physical supply chain. When you think about every step of the path from when a developer starts writing software all the way to where it\u2019s pushed to production, or where an end user is using it, there\u2019s different attack vectors across that entire path.&#8221;<\/p>\n<p><cite>Kim Lewandowski, founder, head of product, Chainguard Inc.<\/cite><\/p><\/blockquote>\n<\/figure>\n<p>Tune in to hear about why the software supply chain is so difficult to secure, what is at stake if we continue to ignore the problem, and what steps we can take today\u2014and tomorrow\u2014to ensure that future software builds are secure and trustworthy.
<\/p>\n<p>You can find us on\u00a0<a href=\"https:\/\/podcasts.apple.com\/us\/podcast\/lock-and-code\/id1500049667\" target=\"_blank\" rel=\"noreferrer noopener\">Apple Podcasts<\/a>,\u00a0<a href=\"https:\/\/open.spotify.com\/show\/3VB1MCXNk76TSddNNZcDuo?si=b454MPzCTYWvvS5bOPdxcA\" target=\"_blank\" rel=\"noreferrer noopener\">Spotify<\/a>, and\u00a0<a href=\"https:\/\/podcasts.google.com\/feed\/aHR0cHM6Ly9mZWVkLnBvZGJlYW4uY29tL2xvY2thbmRjb2RlL2ZlZWQueG1s\" target=\"_blank\" rel=\"noreferrer noopener\">Google Podcasts<\/a>, plus whatever preferred podcast platform you use.<\/p>\n<h4><strong>Show notes, resources, and credits<\/strong><em>:<\/em><\/h4>\n<p>Kubernetes diagram: <\/p>\n<p><a href=\"https:\/\/user-images.githubusercontent.com\/622577\/170547400-ef9e2ef8-e35b-46df-adee-057cbce847d1.svg\">https:\/\/user-images.githubusercontent.com\/622577\/170547400-ef9e2ef8-e35b-46df-adee-057cbce847d1.svg<\/a><\/p>\n<p>Intro Music: \u201cSpellbound\u201d by Kevin MacLeod (incompetech.com)<br \/>Licensed under Creative Commons: By Attribution 4.0 License<br \/><a href=\"http:\/\/creativecommons.org\/licenses\/by\/4.0\/\">http:\/\/creativecommons.org\/licenses\/by\/4.0\/<\/a><br \/>Outro Music: \u201cGood God\u201d by Wowa (unminus.com)<\/p>\n<p>The post <a rel=\"nofollow\" href=\"https:\/\/blog.malwarebytes.com\/podcast\/2022\/06\/securing-the-software-supply-chain-with-kim-lewandowski-lock-and-code-s03e13\/\">Securing the software supply chain, with Kim Lewandowski: Lock and Code S03E13<\/a> appeared first on <a rel=\"nofollow\" href=\"https:\/\/blog.malwarebytes.com\">Malwarebytes Labs<\/a>.<\/p>\n<p><a 
href=\"https:\/\/blog.malwarebytes.com\/podcast\/2022\/06\/securing-the-software-supply-chain-with-kim-lewandowski-lock-and-code-s03e13\/\" target=\"bwo\" >https:\/\/blog.malwarebytes.com\/feed\/<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p><strong>Credit to Author: Malwarebytes Labs| Date: Mon, 20 Jun 2022 06:11:56 +0000<\/strong><\/p>\n<p>This week on Lock and Code, we speak with Kim Lewandowski about what steps we can take to secure the software supply chain. <\/p>\n<p>The post <a rel=\"nofollow\" href=\"https:\/\/blog.malwarebytes.com\/podcast\/2022\/06\/securing-the-software-supply-chain-with-kim-lewandowski-lock-and-code-s03e13\/\">Securing the software supply chain, with Kim Lewandowski: Lock and Code S03E13<\/a> appeared first on <a rel=\"nofollow\" href=\"https:\/\/blog.malwarebytes.com\">Malwarebytes Labs<\/a>.<\/p>\n","protected":false},"author":4,"featured_media":0,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"colormag_page_container_layout":"default_layout","colormag_page_sidebar_layout":"default_layout","footnotes":""},"categories":[10488,10378],"tags":[26618,25810,26619,18681,5820,12172,26620,26621,17237],"class_list":["post-19382","post","type-post","status-publish","format-standard","hentry","category-malwarebytes","category-security","tag-chainguard","tag-kaseya-vsa","tag-kim-lewandowski","tag-kubernetes","tag-podcast","tag-software-supply-chain","tag-solarwinds","tag-solarwinds-orion","tag-supply-chain"],"_links":{"self":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts\/19382","targetHints":{"allow":["GET"]}}],"collection":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/users\/4"}],"replies":[{"embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-jso
n\/wp\/v2\/comments?post=19382"}],"version-history":[{"count":0,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts\/19382\/revisions"}],"wp:attachment":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/media?parent=19382"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/categories?post=19382"},{"taxonomy":"post_tag","embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/tags?post=19382"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}