In Software Vendors We Trust? by Marvin Marin

A refrain often repeated in the cybersecurity world is that users should keep their systems patched. We tell them that patches, software updates, and fixes are commonly among the easiest and fastest things they can do to prevent their systems from being compromised, and a solid way to practice good cyber hygiene. Overall, that is great advice, but it assumes you can trust that the patch, fix, update, or software the vendor makes available will not do more harm than good!

In a previous article, Have Developers Become Overly Dependent on Dependencies?, I wrote about how the likelihood of a malicious event increases when a code repository does not verify the integrity of code posted to it, and how a cyberthreat could emerge without user awareness. In two recent cases, Avast! and the Python Package Index (PyPI), software applications were modified unbeknownst to the company and were made available for distribution to its customers. For Avast!, this means that an estimated 2.27 million users were potentially impacted by this company-supplied malware. For PyPI, the issue dates as far back as June 2017, showcasing how difficult this subtle attack is to detect.

While larger organizations should follow the best practice of testing software and patches in a test environment prior to enterprise deployment, that may not help for software libraries, new patches, and development frameworks where an issue is not yet known to security software (such as anti-virus tools). Development frameworks and libraries can be complex and not easily understood by system administrators, system engineers, and testers prior to certifying the software as ‘stable’ and fit for production. Home users are at a decided disadvantage here! Most home users will simply click the update button on their operating system and accept whatever comes over the wire. Cybercriminals have a major advantage, as the focus is on “being up to date” and not on “what am I really putting on my system?”

So what is an organization to do? Here are some recommendations and thoughts to consider:

  1. Organizations should have a complete and thorough understanding of their baseline image to include what ports, protocols, and services are used. If you do not already know, you will want to gather this information.
  2. Establish and use a team to conduct security testing on any new software introduced. The team can evaluate using the baseline (above) to determine what new ports or services have been introduced and provide results to the approving authority.
  3. Maintain and test incremental backup capabilities in case a rollback is required.
  4. Limit the number of software vendors, and if possible place contractual requirements on them to provide secure code.
  5. Threat identification (intelligence) personnel should be notified of what software is being introduced so they can provide actionable intelligence to developers, administrators, and engineers if a security alert is required.
  6. Security Operations Center personnel should monitor for beaconing (traffic leaving your network destined for a hostile entity) and alert the incident response team.
  7. Consider performing a diff on open source software and evaluating changes.
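Recommendation 6 above asks the Security Operations Center to watch for beaconing. The script below is an added illustration, not part of the original article: it reads constructed outbound-connection records (timestamp, source host, destination) and flags source/destination pairs whose connection intervals are suspiciously regular, using a minimum event count and a coefficient-of-variation threshold that are assumptions chosen for this example.

```python
import statistics
from collections import defaultdict
from datetime import datetime

# Constructed sample log for this example (not real traffic).
# Fields: ISO timestamp, source host, destination ip:port.
# ws-14 -> 203.0.113.10 connects roughly every 60 s (beacon-like);
# ws-07 -> 198.51.100.5 connects at irregular, user-driven intervals;
# ws-02 -> 192.0.2.9 has too few events to judge.
SAMPLE_LOG = """\
2017-09-18T10:00:00 ws-14 203.0.113.10:443
2017-09-18T10:00:05 ws-07 198.51.100.5:443
2017-09-18T10:00:10 ws-07 198.51.100.5:443
2017-09-18T10:01:00 ws-14 203.0.113.10:443
2017-09-18T10:02:01 ws-14 203.0.113.10:443
2017-09-18T10:03:00 ws-14 203.0.113.10:443
2017-09-18T10:04:00 ws-14 203.0.113.10:443
2017-09-18T10:05:00 ws-14 203.0.113.10:443
2017-09-18T10:05:10 ws-07 198.51.100.5:443
2017-09-18T10:05:52 ws-07 198.51.100.5:443
2017-09-18T10:20:52 ws-07 198.51.100.5:443
2017-09-18T10:30:00 ws-02 192.0.2.9:80
2017-09-18T10:31:00 ws-02 192.0.2.9:80
"""

def parse_log(text):
    """Group connection timestamps by (source, destination) pair."""
    events = defaultdict(list)
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst = line.split()
        events[(src, dst)].append(datetime.fromisoformat(ts))
    return events

def find_beacons(text, min_events=5, max_cv=0.1):
    """Return (src, dst, mean_gap_s, cv) for pairs with regular intervals.

    cv is the coefficient of variation of the gaps between connections;
    near-zero cv with enough events suggests timer-driven beaconing.
    """
    hits = []
    for (src, dst), times in parse_log(text).items():
        if len(times) < min_events:
            continue  # not enough samples to call it periodic
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        mean = statistics.mean(gaps)
        cv = statistics.pstdev(gaps) / mean if mean > 0 else float("inf")
        if cv <= max_cv:
            hits.append((src, dst, mean, cv))
    return hits

if __name__ == "__main__":
    for src, dst, mean, cv in find_beacons(SAMPLE_LOG):
        print(f"possible beacon: {src} -> {dst} every ~{mean:.0f}s (cv={cv:.3f})")
```

Real deployments would feed this from firewall, proxy, or NetFlow exports and tune the thresholds against the organization's own baseline of legitimate periodic traffic (update checks, monitoring agents).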

Recommendations for home users:

  1. While many of the corporate suggestions are impractical for home use, and the suggestion to withhold security patches for those users would probably cause more harm than good, home users should make sure that anti-virus software is constantly up to date and from a reputable company.
  2. Backup important data (files) to the cloud or to a backup device (e.g. a writeable disk or a second hard drive) that is not continuously connected to your system.
  3. Consider purchasing and using a software suite that monitors and defends against all forms of malware (ransomware, spyware, online attacks, etc.) and integrates with or has a firewall capability.
  4. Limit software installations to those you absolutely need and require (avoid installing software just to try it out).
  5. Have a trusted individual or company check your system annually or more often as a ‘check-up.’

While these recommendations do not guarantee that you will never be a victim, you want to do as much as you can to avoid becoming one. There is no silver bullet to address weaknesses in the software vendor supply chain. You need to be proactive and know about the issue before it becomes one for you. Software assurance (SwA) is a very complex issue that strikes at the heart of the products we use on a daily basis. Vendors should assume a larger mantle of responsibility in verifying that the code they provide is safe, accurate, and can be trusted.

About the author: Marvin Marin is the Principal Cybersecurity Architect for SkyePoint Decisions, Inc. and was recognized as a 2016 Finalist for the EC-Council Foundation’s Chief Information Security Officer of the Year. Marvin is responsible for leading the development of new cybersecurity capabilities and delivering innovative solutions.