News
CISA to establish office to tackle supply chain security issues - Unique Insight
February 2023 by Stephen Gates, Security Evangelist at Checkmarx
The U.S. Federal authorities are establishing an office to tackle supply chain security issues and help the industry and partners put updated federal guidance and policies into practice.
Stephen Gates, Security Evangelist at Checkmarx offers unique insight from two perspectives:
Commercial software (like SolarWinds) that organisations purchase for everyday operations
Open-Source software that organisations use as part of the proprietary applications that support their community and mission
He also suggests that to have swift, global impact, the CISA could further their mission by developing “some sort of global tracking site (like cve.mitre.org) where developers and AppSec teams could learn more about known malicious open source packages they may already be consuming.”
Stephen’s Comment: “In the context of the software supply chain, it often makes sense to view it from two perspectives: one being commercial software (like Microsoft, SolarWinds, etc.) that organisations purchase and consume for their everyday operations, and the other being open source software that organisations use as part of the proprietary applications that support their community and mission.
In the context of open source software, increasingly aware organisations understand that attackers are infecting that supply chain (e.g., repositories) with purpose-built malware packages that organisations inadvertently consume. This is increasing cyber risk worldwide. And unlike vulnerable open source packages, being tracked by cve.mitre.org, there is no global community tracking malicious packages. As a result, organisations aren’t even aware they’re consuming malware, and thus making it part of their applications.
In light of these challenges, some vendors who specialize in open source supply chain security are beginning to offer threat intelligence designed to help an organisation become attentive to malicious packages, and obviously helping to avoid consuming them. Most of this intelligence comes from deep research, monitoring the public repos, evaluating open source contributors, observing how suspect open source packages run in a sandbox, and responsibly disclosing their research to those who run the public repos. From there, vendors share their intelligence to organisations who desire to consume it for the primary purpose of keeping them better informed. This activity is going to mature even further, and vendors who offer this intelligence will likely experience growth in the form of increasing customer demand and subsequent purchases.
If CISA wanted to impact the entire world in a quick, very positive fashion, first, they need to establish some sort of global tracking site (like cve.mitre.org) where developers and AppSec teams could learn more about known malicious open source packages they may already be consuming. Using this information, they would understand what packages need replaced in their custom applications and what future packages to avoid.”
