The Bill for Software Supply Chain Security Comes Due
The security of the software supply chain is a growing priority for companies in 2023, as government mandates come into effect in the post-SolarWinds era.
Last September, the Office of Management and Budget issued deadlines for improving the software supply chain, at least when it comes to the government. The memorandum requires each Federal agency to comply with National Institute of Standards and Technology guidance when using third-party software on the agency’s information systems. By Sept. 14 of this year, the memorandum said, agencies will have to collect attestation for all software subject to the requirements.
Understanding the tech supply chain is no easy task, given that 90% or more of the code in many applications is open-source, meaning that anyone can use it, according to Dan Lorenc, co-founder and CEO of Chainguard Inc., a startup focused on software supply chain security. The idea is to create visibility into where a company’s software comes from so that it can assess the code’s safety. The software supply chain can be compromised by deliberate attack, as in the SolarWinds case, or it can be affected by an unintentional flaw that goes undetected for years, as in the case of the Log4j vulnerability, he said.
He sees the need to produce a so-called software bill of materials as a huge challenge that many enterprises and tech companies will have to address. “Banks have more engineers than big tech companies. It's actually crazy,” he said. “They're all doing their own development and then, when an auditor comes and says, where is Log4j running, they can't produce a report that you can email every single person.”
Is your company working to understand its software supply chain? Let us know how that’s going. Contact information for the Cybersecurity team is at the end of this email.
‘Firebrick Ostrich’ is on the rise. The so-called Firebrick Ostrich threat group has become one of the leading perpetrators of business email compromise attacks, or BEC, where scammers try to trick employees into sending money or confidential information via email. The group specializes in impersonating third parties like an accounts payable specialist to obtain bank details, according to research from email security provider Abnormal Security. (Dark Reading)
Medical research and energy organizations were the latest target of a cyberattack from the North Korean hacking group Lazarus, according to researchers from Finnish cybersecurity firm WithSecure. Hackers managed to steal about 100 gigabytes of data over two months but were eventually brought down by their own mistakes—one showing a network log with a North Korean IP address. (Bleeping Computer)
Lisa Hayes, TikTok’s head of safety and public policy in the Americas, at the company’s Transparency and Accountability Center in Culver City, Calif. PHOTO: GEORGIA WELLS/THE WALL STREET JOURNAL
TikTok’s transparency campaign echoes effort by Huawei to ease security concerns. The Chinese-owned app is trying to win Washington’s trust with a playbook recalling the unsuccessful strategy another Chinese-owned company, Huawei Technologies Co., took in the U.S. and swaths of Europe, The Wall Street Journal reported. The move comes as TikTok has been publicizing its plan to silo off its U.S. operations and have third parties monitor them, a proposal designed to assuage fears that the Chinese government could force the app’s owner, ByteDance Ltd., to spy on American users.
Layoffs at Okta. Business-software maker Okta Inc. is laying off about 300 employees, or 5% of staff, it said Thursday. The company went on a hiring spree during the Covid-19 pandemic, as demand for its identity-verification software surged. “This led us to overhire for the macroeconomic reality we’re in today,” Chief Executive Todd McKinnon said, adding that the company will reduce spending moving forward.