We have had the ability to produce more secure code for as long as I have been in security. Remember SPI Dynamics and their plugin for common IDEs? Here are the current fastest growing of the 37 code security solutions that specialize in static, dynamic and even runtime code analysis.
There even used to be a Software Assurance Directorate (SAD) at the NSA, since disbanded.
The SolarWinds attack was discovered by FireEye (whose Mandiant arm is now part of Google Cloud) two years ago. It was astoundingly sophisticated. The attackers, Russia's foreign intelligence service, the SVR, infiltrated SolarWinds' build environment and inserted a backdoor into the product's source as it was compiled, so the vendor's own release process signed, sealed and delivered it to the roughly 18,000 customers who installed the update. The backdoor was then exploited for at least nine months before anyone noticed.
This was not the first time we have been brutally reminded that software updates are a gaping hole in our security architectures. During the 2004 Summer Olympics in Athens, attackers installed a series of software modifications on the Ericsson switches at Vodafone Greece that switched on the lawful-intercept feature, letting them listen to the calls of at least 100 people, including senior government officials. The Vodafone engineer responsible for those switches was found dead in his apartment days after the rogue software was discovered.
FLAME was an elegant piece of malware disguised as a Microsoft update. It was not delivered by Microsoft: its authors forged a code-signing certificate that chained up to a Microsoft root by running an MD5 chosen-prefix collision against a Microsoft licensing certificate authority that still signed with MD5, so the bogus update looked authentic to Windows.
The most devastating attack of all time, NotPetya, was seeded by a malicious software update from M.E.Doc, a supplier of accounting software in Ukraine. The embedded worm spread quickly through Europe and well beyond, causing havoc. The attackers were the GRU, Russian military intelligence. SolarWinds was a copycat attack from a rival spy agency.
The entire industry is using the SolarWinds attack to hawk its code scanning, CI/CD, and process improvements. CISA jumped on board and issued, with the NSA and ODNI, the Securing the Software Supply Chain: Recommended Practices Guide series for developers, suppliers and customers. Most of that guidance is about how the companies that build software should behave.
Yes, software companies should do a better job at security. No question.
But I maintain that no matter how many suppliers adopt best practices, this approach will do NOTHING to stop the next attack that uses software updates as a vector. It is akin to asking the citizens of Denmark to cut global carbon emissions by driving less.
We have a problem. For years the mantra of security pundits has been “Patch immediately!” Most enterprises have heeded that and improved their processes for updating systems as soon as they receive updated software releases.
How many times have you heard how important it is to patch and update immediately when a new vulnerability is discovered? Turns out that may be bad advice.
You simply can’t trust a software update. You should NOT patch immediately. If possible, hold off as long as you can. Let somebody else be patient zero.
But the SolarWinds backdoor stayed quiet: it waited up to two weeks after installation before calling home, and the compromise went unnoticed for about nine months. Can you delay that long?
Perhaps we can use a combination of sandboxing, network defenses that block the command-and-control connections, and binary scanning as a first line of defense. But I am hoping there is a startup out there, looking for funding, that has a practical solution to securing software updates.
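As an added example (not code from the original post, nor from SolarWinds, CISA or any vendor named in it), here is a Python sketch of the update gate just described: pin the package digest to a value obtained out of band, enforce a soak window before installation so somebody else is patient zero, and compare the outbound connections the sandboxed update attempted against the hosts the vendor documents. The package bytes, digest, dates, hostnames and observed connections are all constructed for illustration. Note the caveat built into it: the digest check alone would have waved the SolarWinds update through, because the vendor signed exactly what the attackers built; the soak window and the egress check are the parts that bite in that scenario.

```python
"""Quarantine gate for third-party software updates (added example).

Three independent checks, all reported so an operator sees the full picture:
  1. digest pinned to an out-of-band published value
  2. soak window: the release must have been public for a while
  3. egress review: what did the update talk to when run in a sandbox?
All sample values below are constructed, not real vendor artefacts.
"""
import hashlib
import hmac
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Assumption: how long a release must have been in the wild before we install it.
DEFAULT_SOAK = timedelta(days=30)


@dataclass(frozen=True)
class Connection:
    """One outbound connection observed from the sandbox where the update ran."""
    host: str
    port: int


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def digest_matches(package: bytes, published_sha256: str) -> bool:
    """Compare the download against a digest fetched out of band (vendor advisory,
    not the same channel as the download). This only proves we got what the vendor
    shipped; a backdoor inserted during the vendor's own build still passes."""
    return hmac.compare_digest(sha256_hex(package), published_sha256.strip().lower())


def soak_elapsed(released_at: datetime, now: datetime, soak: timedelta = DEFAULT_SOAK) -> bool:
    """True once the release has been public long enough for others to be patient zero."""
    return now - released_at >= soak


def egress_violations(observed: list[Connection], allowed_hosts: frozenset[str]) -> list[Connection]:
    """Connections the sandboxed update attempted that the vendor does not document.
    Anything returned is a candidate command-and-control channel: block it at the
    egress firewall, do not merely log it."""
    return [c for c in observed if c.host.lower() not in allowed_hosts]


def gate_decision(package: bytes, published_sha256: str, released_at: datetime, now: datetime,
                  observed: list[Connection], allowed_hosts: frozenset[str],
                  soak: timedelta = DEFAULT_SOAK) -> tuple[bool, list[str]]:
    """Return (install_ok, reasons). Every check runs so the report is complete."""
    reasons: list[str] = []
    if not digest_matches(package, published_sha256):
        reasons.append("digest does not match vendor-published value")
    if not soak_elapsed(released_at, now, soak):
        remaining = soak - (now - released_at)
        reasons.append(f"soak period not elapsed ({remaining.days} days remaining)")
    bad = egress_violations(observed, allowed_hosts)
    if bad:
        reasons.append("unexpected egress: " + ", ".join(f"{c.host}:{c.port}" for c in bad))
    return (not reasons, reasons)


# --- constructed sample data (hypothetical vendor, hostnames and dates) ---
SAMPLE_PACKAGE = b"vendor-agent-2.1.0-installer\x00" + bytes(range(64))
SAMPLE_PUBLISHED_SHA256 = sha256_hex(SAMPLE_PACKAGE)      # stands in for the advisory value
SAMPLE_RELEASED_AT = datetime(2024, 1, 10, tzinfo=timezone.utc)
EARLY_CHECK = datetime(2024, 1, 20, tzinfo=timezone.utc)  # 10 days after release
LATE_CHECK = datetime(2024, 3, 1, tzinfo=timezone.utc)    # 51 days after release
VENDOR_ALLOWED_HOSTS = frozenset({"updates.vendor.example", "licensing.vendor.example"})
SAMPLE_OBSERVED = [
    Connection("updates.vendor.example", 443),
    Connection("api.unrelated-cdn.example", 443),  # not in the vendor's documentation
]


def sample_decision(now: datetime) -> tuple[bool, list[str]]:
    return gate_decision(SAMPLE_PACKAGE, SAMPLE_PUBLISHED_SHA256, SAMPLE_RELEASED_AT,
                         now, SAMPLE_OBSERVED, VENDOR_ALLOWED_HOSTS)


if __name__ == "__main__":
    for when in (EARLY_CHECK, LATE_CHECK):
        ok, why = sample_decision(when)
        print(when.date(), "install" if ok else "hold", why)
```

In the constructed run the update is held at the early check on two grounds (soak not elapsed, undocumented egress) and still held at the late check on the egress finding alone, which is the point: a clean digest and a month in the wild are not enough if the thing phones somewhere the vendor never told you about.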