Security News
Venafi announced survey results highlighting the challenges of improving software supply chain security. While 94% of executives believe there should be clear consequences for software vendors that fail to protect the integrity of their software build pipelines, most have done little to change the way they evaluate the security of the software they purchase and the assurances they demand from software providers.
IT and communication companies in Israel were at the center of a supply chain attack campaign spearheaded by an Iranian threat actor that involved impersonating the firms and their HR personnel to target victims with fake job offers in an attempt to penetrate their computers and gain access to the companies' clients. ClearSky theorized that the attacks' focus on IT and communication companies suggests they are intended to facilitate supply chain attacks on those companies' clients.
Data suppliers are unable to efficiently deliver relevant data to a growing number of data consumers, according to a 451 Research survey. The report also finds privacy, security, and governance challenges to be particularly troublesome, with 84% of respondents reporting that data privacy and security requirements will limit access to data at their organizations over the next 24 months.
A group of hackers made an unnerving DEF CON 29 presentation showing how the sprawling growth of digital and automated farming has left the world's food supply chain vulnerable to cyberattack. According to John Deere, current tractors being sold are connected to a moisture sensor monitor called HarvestLab, and an overall monitoring software system called Harvest Monitor, which displays real-time productivity measurements on a monitor.
Checkmarx announced that it has acquired Dustico, a SaaS-based solution that detects malicious attacks and backdoors in open source software supply chains. "We're thrilled to welcome Dustico and its team to Checkmarx as the Israeli tech ecosystem continues to push the boundaries of cybersecurity innovation and talent," said Emmanuel Benzaquen, CEO, Checkmarx.
In this Help Net Security podcast, Tomislav Peričin, Chief Software Architect at ReversingLabs, explains the latest and most destructive supply chain attacks, their techniques and how to build more secure apps. The idea behind software supply chain attacks is compromising the trust between the software publisher and the end user, and essentially using software as a backdoor entry into the environment.
Supply chain attacks have been a concern for cybersecurity experts for many years because the chain reaction triggered by one attack on a single supplier can compromise a whole network of providers. Supply chain attacks are now expected to quadruple in 2021 compared with last year.
The maintainers of Python Package Index last week issued fixes for three vulnerabilities, one among which could be abused to achieve arbitrary code execution and take full control of the official third-party software repository. The security weaknesses were discovered and reported by Japanese security researcher RyotaK, who in the past has disclosed critical vulnerabilities in the Homebrew Cask repository and Cloudflare's CDNJS library.
One expert offers ways to remove the bullseye from supply vendors. In his Help Net Security article, How can a business ensure the security of their supply chain?, Reed specifically focused on Merrit's concern about making sure supply-chain vendors are putting forth the effort to meet security standards.
Businesses have connections to other businesses, who supply them with goods, and whom they supply with goods - both parts and software. In many cases, a company has its own supply chain while simultaneously being part of the supply chain for other, probably larger, businesses.