Third-party software supply chain threats continue to plague CISOs
- by nlqip
Ways to mitigate third-party library risks
There are a number of techniques to mitigate the risks of third-party libraries. Chris Wysopal, the CTO and co-founder of Veracode, tells CSO that he wants software developers to be more proactive and “invest in the right kinds of tooling to find and fix vulnerabilities in their software supply chains and employ immediate fixes; governments must also acknowledge the potential risk to national security posed by open-source software.” This is a common refrain from him, harking back to earlier times when he was known by his hacker handle, Weld Pond, and testified before Congress on the topic.
As software gets more complex with more dependent components, it quickly becomes difficult to detect coding errors, whether they are inadvertent or added for malicious purposes as attackers try to hide their malware. “A smart attacker would just make their attack look like an inadvertent vulnerability, thereby creating extremely plausible deniability,” Williams says.
There are ways to help flag and eliminate these insecure libraries. In June 2023, the Cybersecurity and Infrastructure Security Agency (CISA) released a series of recommendations on how to improve development frameworks and coding pipelines to prevent third-party attacks. While the agency acknowledged the benefits of third-party code for rapid development and deployment, it also said there need to be controls, such as stronger, cryptographically backed account credentials and restrictions on untrusted libraries.
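One concrete form the “restrictions on untrusted libraries” control can take in a pipeline is a pre-install gate that refuses any dependency not on an approved list, not pinned to an approved version, or not carrying the expected artifact hash. The script below is an added example written for this article and is not CISA's or any vendor's tooling; the allowlist, the “known-good” digests and the sample requirements lines are all constructed for illustration, and the line syntax it parses is a simplified subset of pip's `name==version --hash=sha256:...` form (no continuation lines or extras).

```python
"""Gate a requirements manifest against an approved-library allowlist.

Added example, not from the article or from CISA. All data below is
constructed: the allowlist, the digests and the sample manifest.
"""
import hashlib
import re

# Constructed allowlist: package name -> set of approved pinned versions.
APPROVED = {
    "requests": {"2.31.0"},
    "cryptography": {"42.0.5"},
}

# Constructed "known-good" artifact digests, as an internal registry or a
# reviewed lockfile would record them (here just sha256 of a label).
KNOWN_DIGESTS = {
    ("requests", "2.31.0"): hashlib.sha256(b"requests-2.31.0 artifact").hexdigest(),
    ("cryptography", "42.0.5"): hashlib.sha256(b"cryptography-42.0.5 artifact").hexdigest(),
}

# Simplified requirement line: name, optional operator+version, optional hash.
REQ_RE = re.compile(
    r"^([A-Za-z0-9_.-]+)\s*(==|>=|~=|<=|>|<)?\s*([A-Za-z0-9_.+-]*)"
    r"\s*(?:--hash=sha256:([0-9a-f]{64}))?\s*$"
)


def check_requirement(line):
    """Return (ok, reason) for one requirements line."""
    line = line.split("#", 1)[0].strip()  # drop comments
    if not line:
        return True, "blank"
    m = REQ_RE.match(line)
    if not m:
        return False, f"unparseable: {line!r}"
    name, op, version, digest = m.groups()
    name = name.lower()
    if name not in APPROVED:
        return False, f"{name}: not on allowlist"
    if op != "==" or not version:
        return False, f"{name}: version must be pinned with =="
    if version not in APPROVED[name]:
        return False, f"{name}=={version}: version not approved"
    if digest is None:
        return False, f"{name}=={version}: missing --hash"
    if digest != KNOWN_DIGESTS.get((name, version)):
        return False, f"{name}=={version}: hash mismatch"
    return True, f"{name}=={version}: ok"


def check_manifest(text):
    """Check every line; return the list of failure reasons (empty == pass)."""
    failures = []
    for raw in text.splitlines():
        ok, reason = check_requirement(raw)
        if not ok:
            failures.append(reason)
    return failures


# Constructed sample manifest: one good line and three policy violations.
SAMPLE_MANIFEST = f"""
# constructed sample requirements
requests==2.31.0 --hash=sha256:{KNOWN_DIGESTS[('requests', '2.31.0')]}
cryptography>=42.0.0
left-pad==1.3.0 --hash=sha256:{'0' * 64}
cryptography==42.0.5 --hash=sha256:{'a' * 64}
"""

if __name__ == "__main__":
    for reason in check_manifest(SAMPLE_MANIFEST):
        print("BLOCKED:", reason)
```

Run as a CI step before `pip install`, a non-empty failure list fails the build; in practice the allowlist and digest table would be generated from a reviewed lockfile rather than hand-maintained.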