How IT Leaders Can Protect Against Supply Chain Compromises

Users of software like SolarWinds can take several steps to protect their organization from supply chain compromises, Linux Foundation says.

January 15, 2021 Zachary Comeau Leave a Comment

IT leaders need to do more to protect themselves from future supply chain attacks like the SolarWinds compromise, according to the Linux Foundation.

In a new blog post, David Wheeler, the Foundation’s open source supply chain security director, described how the attack went undiscovered for months after suspected Russian state-sponsored actors compromised the SolarWinds Orion platform, which was used by nearly 18,000 customers, giving the attackers a backdoor into thousands of IT environments.

According to Wheeler, conventional security advice failed to counter the attack.

For example, the advice to install only signed versions wasn’t applicable because the compromised software was signed. Making sure software is updated actually did more harm than good because the updated software was what contained the malicious code.

Monitoring software behavior did eventually detect the problem, but only after the attackers had had access to victims for nine months.

Even reviewing the product’s source code wasn’t a foolproof defense, because the malicious code was written to look like normal code. The attackers also had control of the build environment and could have inserted the code there, where it would never have been visible to developers at all.

In his blog, Wheeler called on developers and the software industry to harden their build environments against attackers and implement and require verified reproducible builds, which are builds that always produce the same outputs given the same inputs so that the build results can be verified.

For IT departments, this means they have to start asking suppliers for a software bill of materials (SBOM) so they know exactly what components they are running, Wheeler writes.

Once users get the SBOM, they should examine the component versions it lists. If there are malicious components or known vulnerabilities, ask the supplier about them, Wheeler writes.
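One way an IT team could carry out the version check Wheeler describes, as an added Python example that is not from the Linux Foundation post or this article: it parses a constructed CycloneDX-style SBOM and flags every component whose version falls inside a constructed advisory range. The component names, versions and affected ranges are hypothetical.

```python
import json

# Constructed sample SBOM in the CycloneDX JSON shape (not any real product's SBOM).
SAMPLE_SBOM = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.4",
    "components": [
        {"type": "library", "name": "example-logging", "version": "2.14.1"},
        {"type": "library", "name": "example-http", "version": "1.2.0"},
        {"type": "library", "name": "example-json", "version": "3.0.5"},
        {"type": "library", "name": "example-unversioned"},
    ],
})

# Constructed advisory data: component -> list of half-open affected ranges
# [introduced, fixed). Hypothetical values for illustration only.
KNOWN_VULNERABLE = {
    "example-logging": [("2.0.0", "2.15.0")],
    "example-json": [("3.0.0", "3.0.3")],
}

def parse_version(v: str) -> tuple:
    """Turn '2.14.1' into (2, 14, 1) so ranges compare numerically, not as strings."""
    return tuple(int(part) for part in v.split("."))

def in_range(version: str, introduced: str, fixed: str) -> bool:
    v = parse_version(version)
    return parse_version(introduced) <= v < parse_version(fixed)

def find_vulnerable_components(sbom_json: str, advisories: dict) -> dict:
    """Return {'vulnerable': [(name, version, introduced, fixed)], 'unversioned': [name]}."""
    sbom = json.loads(sbom_json)
    result = {"vulnerable": [], "unversioned": []}
    for comp in sbom.get("components", []):
        name, version = comp.get("name"), comp.get("version")
        if not name:
            continue
        if not version:
            # A component with no version cannot be checked against advisories at all;
            # that is itself a question to raise with the supplier.
            result["unversioned"].append(name)
            continue
        for introduced, fixed in advisories.get(name, []):
            if in_range(version, introduced, fixed):
                result["vulnerable"].append((name, version, introduced, fixed))
    return result

if __name__ == "__main__":
    report = find_vulnerable_components(SAMPLE_SBOM, KNOWN_VULNERABLE)
    for name, version, introduced, fixed in report["vulnerable"]:
        print(f"{name} {version}: affected in [{introduced}, {fixed}) - ask the supplier")
    for name in report["unversioned"]:
        print(f"{name}: no version listed - ask the supplier")
```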

“Some vulnerabilities may not be exploitable, but too many application developers simply don’t update dependencies even when they are exploitable,” Wheeler writes.

“To be fair, there’s a chicken-and-egg problem here: specifications are in the process of being updated, tools are in development, and many software producers aren’t ready to provide SBOMs.”

Most software producers don’t have that SBOM ready, but users need to create a demand for SBOMs.

Wheeler also writes that organizations should invest in OpenChain conformance and require suppliers to implement a process designed to improve trust in a supply chain.

OpenChain’s conformance process reveals specifics about the components an organization depends on, which is a critical first step to countering many supply chain attacks.
