
Obscure software packages can have hidden vulnerabilities that affect the security of the networks they run on, and sometimes the entire Internet.
Any system for acquiring software needs to evaluate the security of the software and the security practices of the company, in detail, to ensure they are sufficient to meet the security needs of the network they're being installed in.
Procurement contracts need to include security controls over the software development process.
Some of the groundwork for an approach like this has already been laid by the federal government, which has sponsored the development of a "Software Bill of Materials" that would set out a process for software makers to identify the components used to assemble their software.
These security requirements need to be monitored throughout the software's life cycle, along with which software is in use on government networks.
The Biden administration should prioritize minimum security standards for all software sold in the United States, not just to the government but to everyone.
News URL: https://www.schneier.com/blog/archives/2021/01/russias-solarwinds-attack-and-software-security.html