F-Secure comment on Codecov supply-chain attack
Following the news of the Codecov supply-chain attack, Calvin Gan, Senior Manager with F-Secure’s Tactical Defense Unit, comments:
“While the effect of this breach is currently unknown and likened to SolarWinds, this just reiterates F-Secure’s view that supply chain attacks will continue to gain traction as more organizations move towards relying on third-party vendors for certain functions. A good reminder is for all organizations to treat third-party vendors or providers as part of their organization when performing security audits. The key here is to have periodic reviews and be ready to make adjustments accordingly when anomalies are found.
“This incident is also a timely reminder for organizations to ensure all configurations are proper and verified, especially when deploying anything over cloud applications or when making them publicly accessible. This is to prevent unintentional leaks or exposure of sensitive information.
“Finally, always understand and weigh the risk involved when using any third-party service such as Codecov. While the service offered is a valuable one, it is also good to review or limit what is being sent over to these services, especially if it contains credentials or sensitive information. This is not easy, especially if the service is one trusted by the company. But weighing the risk involved and having a backup/response plan early enough would come in handy when breaches such as this are discovered.”