The trend toward using OSS packages isn't new. Developers have been doing it for a dozen years or more, according to Brian Fox, co-founder and CTO at software supply chain management vendor Sonatype and a member of the OpenSSF (Open Source Security Foundation) governing board.

Developers pull the source components together and add business logic, Fox told The Register. This way, open source becomes the foundation of the software.

What's changed in recent years is the general awareness of it – not only among well-meaning developers who are creating the software from these disparate parts. "The attackers have figured this out as well," he said. "A big notable change over the last five or so years has been the rise of intentional malware attacks on the supply chain."

That came to the fore with the SolarWinds breach in 2020, in which miscreants linked to Russia broke into the firm's build system and slipped in malicious code. Customers who unknowingly downloaded and installed the code during the update process were then compromised. Similar incidents followed – including the Kaseya attack and, most notably, Log4j, a vulnerability in a ubiquitous component rather than a deliberate implant. The Java-based logging tool is an example of the massive consolidation of risk that comes with the broad use of popular components in software, Fox argued.

Varun Badhwar, co-founder and CEO of Endor Labs – a startup working to secure OSS in app development – called open source software "the backbone of our critical infrastructure." But he added that developers and executives are often surprised by how much of their applications' code comes from OSS. Badhwar noted that 95 percent of all vulnerabilities are found in "transitive dependencies" – open source code packages that are indirectly pulled into projects rather than selected by developers. "This is a huge arena, yet it's been largely overlooked," he warned.
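Badhwar's point about transitive dependencies is easier to see on a dependency graph. The following is an added example, not code from The Register article or from Sonatype or Endor Labs: it takes a small, constructed dependency graph and a constructed list of vulnerable packages (the package names and advisory identifiers are hypothetical), separates the direct dependencies a developer chose from the transitive ones that came along with them, and traces each vulnerable transitive package back to the direct dependency that pulls it in, which is the attribution a developer needs before they can fix anything.

```python
"""Classify a project's dependencies as direct or transitive and attribute
each vulnerable package to the direct dependency that pulls it in.

The dependency graph and the vulnerability list below are constructed for
this example; the package names and advisory ids are hypothetical."""

from collections import deque

# Constructed example graph: package -> packages it depends on.
# "app" is the project itself; its edges are the direct dependencies the
# developers chose.  Everything reachable beyond that is transitive.
GRAPH = {
    "app": ["web-framework", "http-client"],
    "web-framework": ["template-engine", "logging-lib"],
    "http-client": ["url-parser", "logging-lib"],
    "template-engine": ["string-utils"],
    "logging-lib": ["string-utils"],
    "url-parser": [],
    "string-utils": [],
}

# Constructed vulnerability list: package -> advisory id (hypothetical).
VULNS = {
    "logging-lib": "EXAMPLE-0001",
    "string-utils": "EXAMPLE-0002",
    "http-client": "EXAMPLE-0003",
}


def direct_dependencies(graph, root="app"):
    """Packages the project declares itself."""
    return set(graph.get(root, []))


def transitive_dependencies(graph, root="app"):
    """All packages reachable from root that are not direct dependencies."""
    seen = set()
    queue = deque(graph.get(root, []))
    while queue:  # breadth-first walk; 'seen' also terminates cycles
        pkg = queue.popleft()
        if pkg in seen:
            continue
        seen.add(pkg)
        queue.extend(graph.get(pkg, []))
    return seen - direct_dependencies(graph, root)


def paths_to(graph, target, root="app"):
    """Every dependency chain from root to target, so a transitive finding
    can be traced back to the direct dependency that caused it."""
    results = []

    def walk(node, path):
        if node == target:
            results.append(path)
            return
        for child in graph.get(node, []):
            if child not in path:  # guard against cyclic graphs
                walk(child, path + [child])

    walk(root, [root])
    return results


def triage(graph, vulns, root="app"):
    """Return {package: {"direct": bool, "advisory": id, "via": [direct deps]}}
    for every vulnerable package actually reachable from the project."""
    direct = direct_dependencies(graph, root)
    reachable = direct | transitive_dependencies(graph, root)
    report = {}
    for pkg, advisory in vulns.items():
        if pkg not in reachable:
            continue  # advisory for a package this project never loads
        # path[1] is the direct dependency on each chain root -> ... -> pkg
        via = sorted({path[1] for path in paths_to(graph, pkg, root)})
        report[pkg] = {"direct": pkg in direct, "advisory": advisory, "via": via}
    return report


def transitive_share(graph, vulns, root="app"):
    """Fraction of reachable vulnerable packages that are transitive."""
    report = triage(graph, vulns, root)
    if not report:
        return 0.0
    return sum(1 for r in report.values() if not r["direct"]) / len(report)


if __name__ == "__main__":
    for pkg, info in triage(GRAPH, VULNS).items():
        kind = "direct" if info["direct"] else "transitive"
        print(f"{pkg}: {info['advisory']} ({kind}, via {', '.join(info['via'])})")
    print(f"transitive share of findings: {transitive_share(GRAPH, VULNS):.0%}")
```

Run directly, it prints one line per finding. In practice the graph comes from a lockfile or the package manager's tree output rather than a hard-coded dict, and the advisory list from an SBOM scanner. The `paths_to` step is the part that matters: a transitive finding is not actionable on its own, because the developer never chose `string-utils`; the fix is an upgrade or override at `web-framework` or `http-client`, which is exactly why such findings get overlooked.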