Security News

SCSW Back in 2020, Eric Scales led the incident response team investigating a nation-state hack that compromised his company's servers along with those at federal agencies and tech giants including Microsoft and Intel. "It was similar to a fraternity rush - the best experience I never want to do again," Scales, head of incident response at Mandiant, told The Register.

SCSW The vast majority of off-the-shelf software is composed of imported components, whether that's open source libraries or proprietary code. "Attackers have realized this, and that it's easy to hide in and attack all those gaps, those third-party components as they get transferred around and reused by other vendors," Dan Lorenc, CEO and co-founder of security specialists Chainguard, told The Register.

Analysis Open source components play an increasingly central role in the software development scene, proving to be a boon in a time of continuous integration and deployment, DevOps, and daily software updates. In a report last year, silicon design automation outfit Synopsys found that 97 percent of codebases in 2021 contained open source, and that in four of 17 industries studied - computer hardware and chips, cybersecurity, energy and clean tech, and the Internet of Things - open source software was in 100 percent of audited codebases.

The hack of SolarWinds' software more than two years ago pushed the threat of software supply chain attacks to the front of security conversations, but is anything being done? More recently, attackers have targeted code repositories like GitHub and PyPI and companies like CI/CD platform provider CircleCI, an incident that expanded the definition of a supply chain attack, according to Matt Rose, field CISO for cybersecurity vendor ReversingLabs.

Two more supply chain security flaws have been disclosed in AMI MegaRAC Baseboard Management Controller software, nearly two months after three security vulnerabilities were brought to light in the same product. Firmware security firm Eclypsium said the two shortcomings were held back until now to provide AMI additional time to engineer appropriate mitigations.

Data compromises steadily increased in the second half of 2022. Data breach notices suddenly lacked details, resulting in increased risk for individuals and businesses, as well as uncertainty about the number of data breaches and victims.

So we though we'd take a quick look back at some of the major issues we covered over the last couple of weeks, and reiterate the serious security lessons we can learn from them. If you are ever stuck with doing a data breach notification, don't try to rewrite history to your marketing advantage.

Dec. 31, 2022, the PyTorch machine learning framework announced on its website that one of its packages had been compromised via the PyPI repository. According to the PyTorch team, a malicious torchtriton dependency package was uploaded to the PyPI code repository on Friday, Dec. 30, 2022, at around 4:40 p.m. The malicious package had the same package name as the one shipped on the PyTorch nightly package index.

Now there are new third party risk assessment strategies, services and tools that can help identify security "Weak points" in your company's supply chain. In 2021, BlueVoyant, a cybersecurity provider, reported that 98% of organizations it had surveyed said they had been impacted by a supply chain security breach.

Software development isn't only about code; more importantly, it's driven by a set of best practices and guidelines that help us write better and more secure software. Like all large software companies, Microsoft has developed its own set of policies and procedures to implement approaches like its Secure Software Development Lifecycle.