Russia's SolarWinds Attack and Software Security (Security News, January 2021)
Obscure software packages can have hidden vulnerabilities that affect the security of these networks, and sometimes the entire Internet.
Any system for acquiring software needs to evaluate the security of the software and the security practices of the company, in detail, to ensure they are sufficient to meet the security needs of the network they're being installed in.
Procurement contracts need to include security controls for the software development process.
Some of the groundwork for an approach like this has already been laid by the federal government, which has sponsored the development of a "Software Bill of Materials" that would set out a process for software makers to identify the components used to assemble their software.
These security requirements need to be monitored throughout the software's life cycle, along with what software is being used in government networks.
The Biden administration should prioritize minimum security standards for all software sold in the United States, not just to the government but to everyone.
News URL
https://www.schneier.com/blog/archives/2021/01/russias-solarwinds-attack-and-software-security.html
Related news
- Critical Security Flaw in WhatsUp Gold Under Active Attack - Patch Now
- 18-year-old security flaw in Firefox and Chrome exploited in attacks
- CISA warns critical SolarWinds RCE bug is exploited in attacks
- Most Ransomware Attacks Occur When Security Staff Are Asleep, Study Finds
- SQL Injection Attack on Airport Security
- Hacktivists Exploit WinRAR Vulnerability in Attacks Against Russia and Belarus
- Security measures fail to keep up with rising email attacks
- SolarWinds Issues Patch for Critical ARM Vulnerability Enabling RCE Attacks