When vendors ship malicious code, vendors and customers have to contain the blast radius.
With open source and third-party code resources, companies are susceptible to unwanted exposure. But catching vulnerabilities before the code is packaged into proprietary solutions has industry at a standstill.
Companies can find some vulnerabilities that slip through the cracks using static and dynamic analysis.
"But there's also going to be situations where you have perfectly secure malicious software, software that does bad things," that no tools would have been able to detect, said Vincent Liu, CEO and co-founder of Bishop Fox, during a virtual roundtable hosted by ForAllSecure Thursday.
Take the SolarWinds Orion compromise, for example. "That's kind of the conundrum that we're facing," he said.
Software supply chain security demands two types of classification: insecure software and "bad acting" software, said Liu. The solution to weeding out both kinds of corrupt software could be repurposing tools to use in a new context. "It's kind of like how sometimes you find out that a drug you were developing for one thing turns out to work great for another thing."
To detect unexpected activity in software, industry is folding detection and response into the DevSecOps process. The SolarWinds attackers took advantage of the cadence of scans and pentesting, traditionally a weeks-long arc. The hackers manipulated code incrementally over a longer period of time, whereas security tools are designed to take snapshots of an environment.
No matter why code is corrupted, developers and security practitioners have a responsibility to sweep for flaws. "By the time you actually get a box, or you get a software, you've got hundreds or thousands of dependencies that have been bundled together in that thing that your company is using," said HD Moore, CEO and co-founder of Rumble and developer of the Metasploit Framework, during the webcast.
Third-party repositories have enabled efficient product releases at what companies considered a comfortable level of risk. Traditional software risks are exacerbated by the software supply chain.
Traditional software security and supply chain security demand a different approach. Software supply chain risks are "insecurities that are purposefully introduced into software either in the development, distribution packaging, anywhere along that spectrum," said Liu.
Open source packages come with a false sense of security. The attitude is, "well, someone else has checked it, so I'm just going to use it and not worry about it," said David Brumley, CEO and co-founder of ForAllSecure and professor of electrical and computer engineering at Carnegie Mellon University, during the webcast.
"I think right now, a lot of application security is focused on the developer. But really, it's the end user who pays the price when there's a problem," he said.
If a company leverages code from Microsoft and an exploit is uncovered, the user is the one dealing with the fallout. Brumley wants to see vendors make their software easier to test.
"Like Apple, it's really hard to test their things independently, you have to just trust what they're doing," said Brumley. He's not against obfuscating for IP purposes, but as bugs are embedded deeper into a stack, security testing becomes more difficult.