from the accept-the-risk-or-do-a-lot-of-work dept.
A discussion with Maya Kaczorowski, Falcon Momot, George Neville-Neil, and Chris McCubbin
While enterprise security teams naturally tend to turn their focus primarily to direct attacks on their own infrastructure, cybercrime exploits now are increasingly aimed at easier targets upstream—within the open-source software supply chains that enterprises and other organizations have come to rely upon.
This has led to a perfect storm, since virtually all significant codebase repositories at this point include at least some amount of open-source software, given that's where a wealth of innovation is available to be tapped. But opportunities also abound there for the authors of malware, since it's a setup they can leverage to spread the seeds of their exploits far and wide.
The broader cybercrime world, meanwhile, has noted that open-source supply chains are generally easy to penetrate, given an abundance of entry points and an inconsistent dedication to security.
What's being done at this point to address the apparent risks? What are the issues and questions developers and security experts ought to be considering?
To delve into this, we asked George Neville-Neil, who writes acmqueue's Kode Vicious column, to talk it over with a few people known for their work in the front lines: Maya Kaczorowski, who was the senior director of software supply-chain security at GitHub prior to turning her focus more recently to secure networking at a Canadian startup called Tailscale; Falcon Momot, who is responsible for managing quality standards and running a large penetration testing team at Leviathan Security; and Chris McCubbin, an applied scientist at Amazon Web Services who focuses on detecting external security risks and performing triage as necessary.
(Score: 2, Interesting) by pTamok on Friday November 25, @10:33AM
One of the points about FLOSS software is that it is open to inspection by anyone, and modifications/improvements/(security)bugfixes can be produced and distributed by anyone. General improvements in security practices can be applied across the board.
Closed source has none of these advantages - you are dependent on the vendor doing their job properly, all the time, every time. And you have to trust the vendor to tell the truth about the presence, or absence, of vulnerabilities.
Certainly, there is room for improvement in the 'supply chain' - that is, making sure that the software you install and run is compiled from the same source that has been reviewed and available for further inspection, and the security of source repositories against malicious changes can also be improved - but FLOSS projects can easily build on each other's best practices.
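The comment above points at the concrete check behind "the software you install and run is compiled from the same source that has been reviewed": compare what landed on disk against digests published with the reviewed source, and compare two independent builds of that source with each other. The following script is an added example, written for this page and not code from the post, its author, or any of the projects named in the article. It assumes the digest manifest uses the GNU `sha256sum` line format (`<hex digest>  <filename>`), and every file name and content it uses is constructed for the demonstration. It deliberately does not verify a signature on the manifest itself; the manifest has to come over a channel you already trust, or its signature has to be checked separately, otherwise an attacker who can replace the artifact can replace the checksums too.

```python
import hashlib
import tempfile
from pathlib import Path


def sha256_file(path):
    """Stream a file through SHA-256 and return the lowercase hex digest."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def parse_manifest(text):
    """Parse sha256sum-style lines ('<64 hex chars>  <filename>') into {filename: digest}.
    Blank lines and '#' comments are skipped; malformed lines and names that could
    escape the artifact directory are rejected instead of silently ignored."""
    hexchars = set("0123456789abcdefABCDEF")
    entries = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) != 2 or len(parts[0]) != 64 or not set(parts[0]) <= hexchars:
            raise ValueError(f"malformed manifest line {lineno}: {raw!r}")
        digest, name = parts
        name = name.lstrip("*")  # 'sha256sum -b' marks binary-mode entries with '*'
        if "/" in name or "\\" in name or name in ("", ".", ".."):
            raise ValueError(f"unsafe filename on manifest line {lineno}: {name!r}")
        entries[name] = digest.lower()
    return entries


def verify_artifacts(artifact_dir, manifest_text):
    """Return {filename: 'ok' | 'mismatch' | 'missing' | 'unlisted'} for one artifact directory.
    'unlisted' files are reported because an extra, unreviewed file is itself a finding."""
    expected = parse_manifest(manifest_text)
    artifact_dir = Path(artifact_dir)
    results = {}
    for name, digest in expected.items():
        p = artifact_dir / name
        if not p.is_file():
            results[name] = "missing"
        elif sha256_file(p) == digest:
            results[name] = "ok"
        else:
            results[name] = "mismatch"
    for p in artifact_dir.iterdir():
        if p.is_file() and p.name not in expected:
            results[p.name] = "unlisted"
    return results


def tree_digests(root):
    """Map every file under root (relative POSIX path) to its SHA-256 digest."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): sha256_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def builds_are_reproducible(build_a, build_b):
    """True only if two independently produced build trees have the same files with identical content."""
    return tree_digests(build_a) == tree_digests(build_b)


def demo_verify():
    """Constructed sample: one good artifact, one tampered, one missing, one not in the manifest."""
    with tempfile.TemporaryDirectory() as tmp:
        d = Path(tmp)
        (d / "tool-1.0.tar.gz").write_bytes(b"constructed release tarball\n")
        (d / "tampered.bin").write_bytes(b"contents that differ from what was reviewed\n")
        (d / "tool-1.0.sig").write_bytes(b"constructed detached signature, not in manifest\n")
        manifest = "\n".join([
            "# SHA256SUMS published next to the reviewed source (constructed)",
            f"{sha256_file(d / 'tool-1.0.tar.gz')}  tool-1.0.tar.gz",
            f"{'0' * 64}  tampered.bin",   # digest deliberately does not match
            f"{'1' * 64}  docs.pdf",       # listed, but never shipped
        ])
        return verify_artifacts(d, manifest)


def demo_reproducible():
    """Constructed sample: two identical build trees, then the same trees after one byte changes."""
    with tempfile.TemporaryDirectory() as a, tempfile.TemporaryDirectory() as b:
        for root in (a, b):
            (Path(root) / "bin").mkdir()
            (Path(root) / "bin" / "tool").write_bytes(b"\x7fELF constructed binary\n")
        before = builds_are_reproducible(a, b)
        (Path(b) / "bin" / "tool").write_bytes(b"\x7fELF constructed binary\x00")
        return before, builds_are_reproducible(a, b)


if __name__ == "__main__":
    for name, status in sorted(demo_verify().items()):
        print(f"{status:9} {name}")
    print("reproducible before/after one-byte change:", demo_reproducible())
```

Running it prints one status line per artifact plus `(True, False)` for the reproducibility check. In practice the second build comes from a different machine or a different maintainer, so that agreement between the two is evidence that the published binary really corresponds to the reviewed source rather than to one compromised build host.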