Vulnerabilities in third-party code endanger companies

by admin | March 26, 2022 | IT news
The software supply chain must become more secure, because insecure devices expand the attack surface and endanger the security of the entire company.
Code libraries become a security risk: Vulnerabilities in third-party code put businesses at risk

23.03.2022 | A guest article by Evan Grant et al.

Software libraries that are shared by several hardware manufacturers are increasingly becoming a problem for security experts in companies. That manufacturers share code is not in itself critical; the problem is that security checks and precautions are often lacking. When threat researchers discover a new vulnerability, potential victims are often not informed in time, before cybercriminals get to work.

In the spring of 2021, Tenable discovered a vulnerability in a router from the manufacturer Buffalo whose origin lay in the Arcadyan software used. Ultimately, at least 20 other models from 17 different vendors and service providers such as Telstra, Telus, Verizon and Vodafone, and thus their customers and users, were affected worldwide. In times of remote work, insecure routers can also endanger the business operations of companies. Added to this is the flood of mobile devices and IoT components whose third-party software may likewise contain security vulnerabilities. Home networks, but also the growing Internet of Things, significantly expand the potential attack surface.

In addition, ransomware attacks are becoming more and more sophisticated. Attackers recently targeted managed service providers and their corporate customers: in a spectacular case in July 2021, skilled actors exploited zero-day vulnerabilities in the Professional Services Automation (PSA) software Kaseya VSA. Others point to the self-spreading, destructive malware NotPetya, which caused great damage worldwide in the summer of 2017. To stop the large-scale exploitation of a vulnerability and the spread of such a threat, greater care is needed, especially with third-party software. For a vulnerability in software that is reused across many products, for example, it is crucial to identify all downstream software projects, services and customers so that those involved can be warned in a timely manner.

The software supply chain must become more secure

The complexity of software projects is increasing, and with it the dependence on third-party frameworks, open source software and cross-vendor libraries. It is therefore crucial that companies carry out a complete inventory of the components they use. A machine-readable Software Bill of Materials (SBOM) is extremely helpful here. This record contains all the details and supply chain relationships of the components that a company used when building its software. With reliably updated SBOMs, affected devices can be detected at an early stage and all parties involved can be warned.
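The following is an added example, not code from the article or from Tenable, showing how a set of SBOMs makes the "find every downstream product and warn its supplier" step mechanical: it inverts the SBOMs into a component-to-product index and matches a vulnerability advisory against it. The SBOM records, product names, suppliers, component names and the advisory are all constructed sample data.

```python
"""Invert a set of SBOMs (CycloneDX-like, trimmed to the fields we need) to
find every product that ships a vulnerable shared component and every
supplier that must be notified. All data below is constructed, not real."""
from collections import defaultdict

# Constructed: one SBOM per shipped product; "supplier" is the downstream
# vendor that would have to be warned and ship a fix.
SBOMS = [
    {"product": "RouterModel-A", "supplier": "VendorOne",
     "components": [{"name": "shared-httpd", "version": "1.4.2"},
                    {"name": "libssl", "version": "1.1.1k"}]},
    {"product": "RouterModel-B", "supplier": "VendorTwo",
     "components": [{"name": "shared-httpd", "version": "1.5.0"}]},
    {"product": "Gateway-C", "supplier": "VendorThree",
     "components": [{"name": "shared-httpd", "version": "1.3.9"},
                    {"name": "busybox", "version": "1.33.1"}]},
]

# Constructed advisory: vulnerable component and the first fixed release.
ADVISORY = {"name": "shared-httpd", "fixed_in": "1.5.0"}


def parse_version(v):
    """Turn a dotted version into a comparable tuple of integers.
    Non-digit characters in a segment (the 'k' in 1.1.1k) are dropped."""
    return tuple(int("".join(ch for ch in seg if ch.isdigit()) or 0)
                 for seg in v.split("."))


def build_index(sboms):
    """Map component name -> list of (product, supplier, version) entries."""
    index = defaultdict(list)
    for sbom in sboms:
        for comp in sbom["components"]:
            index[comp["name"]].append(
                (sbom["product"], sbom["supplier"], comp["version"]))
    return index


def affected_products(sboms, advisory):
    """Sorted (product, supplier, version) entries shipping a version of the
    advisory's component that is older than the fixed release."""
    fixed = parse_version(advisory["fixed_in"])
    index = build_index(sboms)
    return sorted(e for e in index.get(advisory["name"], [])
                  if parse_version(e[2]) < fixed)


def notify_list(sboms, advisory):
    """Distinct suppliers to warn, derived from the affected products."""
    return sorted({sup for _, sup, _ in affected_products(sboms, advisory)})


if __name__ == "__main__":
    for product, supplier, version in affected_products(SBOMS, ADVISORY):
        print(f"{product} ({supplier}) ships {ADVISORY['name']} {version}")
    print("notify:", notify_list(SBOMS, ADVISORY))
```

Without the SBOM index, the same question (which products embed this library?) has to be answered by asking every vendor in turn, which is the slow path the article criticises.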

Applying secure software development practices is another starting point for making the software supply chain more secure. A Secure Software Development Lifecycle (SSDLC) means identifying the vulnerabilities in a new software release, both quantitatively and qualitatively, and then reducing and eliminating them. Companies can also reduce their development costs by identifying problems early in the development process. Rising costs are due not least to the fact that bugs and vulnerabilities often only become visible, and are only fixed, once the code is already in production use.

It also makes sense to set up a Product Security Incident Response Team (PSIRT), which handles the identification, assessment and handling of the risks posed by security vulnerabilities in the company's software. Integrated into the SSDLC process, the PSIRT implements proper security practices and provides oversight and coordination for all security issues. Establishing a PSIRT, or implementing internal programs for the disclosure of security gaps, makes the entire process, from report to fix, much more efficient.

Defuse security problems in a timely manner

The increasing number of cyber security incidents and cyber attacks connected with the software supply chain has recently drawn increased attention from software providers and security experts, but also from legislators. As a result, the entire community is introducing new approaches and implementing new policies and procedures that are specifically designed to deal with security problems in complex software supply chains.

It is a cross-manufacturer, industry-wide problem that requires the commitment and cooperation of all parties involved. The previously tedious and bumpy process of reporting vulnerabilities in shared software libraries needs to be streamlined. This is the only way to resolve security vulnerabilities in all affected products both effectively and efficiently.

About the authors: Evan Grant is a Staff Research Engineer at Tenable and co-authored this article with Tenable’s Zero Day Research Team.
