Automate AppSec without getting bogged down by manual processes

Automation is Mend’s main theme at RSA Conference 2023: the company’s focus is on enabling teams to put their application security programs on autopilot. Its message is to encourage and enable as much automation of AppSec as possible, because no manual process scales. Mend’s booth is at South Expo, booth #1543.


Mend is introducing Dependency Health updates and its latest enhancements for automating the prioritization of items that cannot be resolved automatically. These enhancements are aimed at offloading decision making from developers so they can spend more time developing. Modern cloud-native applications require a lot of manual effort just to stay up to date, yet staying up to date can be automated by using the right tools, with the right features, to ensure that updates don’t add risk.

Tanya Janca will be at Mend’s booth on Tuesday from 11:00 to 1:30 for a Q&A and a signing of her book Alice & Bob Learn Application Security.

Mend’s Vice President of Products, Jeff Martin, commented:

“Supply chain security is arguably at the forefront of many conversations. Now that the application development industry has matured and is following the model of already mature industries such as manufacturing, transportation, and healthcare, everyone cares about it now: we know how software products are built, what they contain, we make sure they’re secure, and most importantly, we are in the business of communicating the chain and its security status to our customers.”

Can you briefly explain how supply chain attacks work and why companies should be concerned? Where does the threat come from and how far does it go?

All supply chain attacks utilize one of three tactics: unwanted behavior, abuse of trust relationships, and attacks on outdated elements.

Security teams and developers should be able to answer three questions about each component:

To ensure that your components are safe, you need known and trusted suppliers, desirable and transparent behavior, and up-to-date components. Monitoring for malicious packages ensures that suppliers are known and trusted, and protects against unknown-supplier attacks such as typosquatting, dependency confusion, hijacking, or using new libraries. Unwanted or unclear behavior includes obfuscated code, protestware, cryptominers, spam packages, and malware. Suppliers must provide transparency about their accountable, public, and remediated vulnerabilities to ensure all components are up to date. If a component is outdated, it is automatically considered vulnerable.

Application security tools and software bills of materials (SBOMs) help you understand when components are compromised and where they are used so you can quickly update and remediate them.

The damage from an attack on the supply chain can be extensive, especially when open source components are involved. Open source code is widely used and currently makes up 80-90% of the code base of modern software.

Can you give me a recent example?

The 3CX breach is one of the recent high-profile examples. A compromised software supply chain spread malware via trojanized versions of the company’s legitimate software. The trojanized version contained malicious code and downloaded a data miner to steal browser information. Interestingly, the initial vector of entry for this attack turned out to be a malware-laced software package distributed during a previous software supply chain breach.

Other recent examples include GitHub and Okta attacks in 2022, SolarWinds in 2020, ASUS in 2019, and CCleaner in 2017.

What are your best tips for thwarting attacks on your supply chain?

My top suggestion would be to automate updating your dependencies. Again, if a component is outdated it is definitely considered vulnerable.

Knowing your risks is also important. Create a software bill of materials and ask all third-party partners to do the same. SBOM and inventory management must contain all product content and be easily searchable for zero-day attacks.

Third, make sure you’re using a scanning tool regularly. SCA tools monitor new known vulnerabilities and malicious packages to continually answer the question, “When will a component become unsafe?”
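The three tips above, together with the earlier known-supplier / desirable-behavior / up-to-date framing, can be turned into a small triage routine over SBOMs. The following is an added example, not Mend’s code and not from the interview. It assumes two constructed CycloneDX-style SBOMs for hypothetical products, a constructed trusted-supplier list, a constructed list of known package names, and an abridged advisory feed containing one real entry (CVE-2021-44228, fixed in log4j-core 2.15.0). It answers “where is this component used?” across products, flags components below an advisory’s fixed version, flags components with no trusted supplier, and flags package names that closely resemble a known package (a typosquatting candidate).

```python
import difflib
import json

# Constructed CycloneDX 1.4-style SBOMs for two hypothetical products (not a real vendor's data).
SBOMS = {
    "billing-api": """{"bomFormat": "CycloneDX", "specVersion": "1.4", "components": [
        {"type": "library", "name": "log4j-core", "version": "2.14.1",
         "purl": "pkg:maven/org.apache.logging.log4j/log4j-core@2.14.1",
         "supplier": {"name": "The Apache Software Foundation"}},
        {"type": "library", "name": "requests", "version": "2.31.0",
         "purl": "pkg:pypi/requests@2.31.0",
         "supplier": {"name": "Python Software Foundation"}},
        {"type": "library", "name": "requestz", "version": "1.0.0",
         "purl": "pkg:pypi/requestz@1.0.0"}
    ]}""",
    "web-frontend": """{"bomFormat": "CycloneDX", "specVersion": "1.4", "components": [
        {"type": "library", "name": "lodash", "version": "4.17.21",
         "purl": "pkg:npm/lodash@4.17.21", "supplier": {"name": "lodash maintainers"}},
        {"type": "library", "name": "log4j-core", "version": "2.17.1",
         "purl": "pkg:maven/org.apache.logging.log4j/log4j-core@2.17.1",
         "supplier": {"name": "The Apache Software Foundation"}}
    ]}""",
}

# Abridged advisory feed: one real entry (Log4Shell). "fixed_in" is the first fixed release.
ADVISORIES = [
    {"id": "CVE-2021-44228",
     "purl_prefix": "pkg:maven/org.apache.logging.log4j/log4j-core@",
     "fixed_in": "2.15.0"},
]

# Constructed allowlists: suppliers we trust and package names we know we depend on.
TRUSTED_SUPPLIERS = {"The Apache Software Foundation", "Python Software Foundation", "lodash maintainers"}
KNOWN_PACKAGES = {"log4j-core", "requests", "lodash", "urllib3"}


def load_all(sboms):
    """Flatten every SBOM into (product, component) pairs so queries span all products."""
    pairs = []
    for product, raw in sboms.items():
        for comp in json.loads(raw).get("components", []):
            pairs.append((product, comp))
    return pairs


def parse_version(v):
    """Dotted numeric version -> comparable tuple; non-numeric parts count as 0."""
    return tuple(int(p) if p.isdigit() else 0 for p in v.split("."))


def where_used(pairs, name):
    """Zero-day question: which products ship this component, and at which versions?"""
    return sorted({(product, comp["version"]) for product, comp in pairs if comp["name"] == name})


def affected(pairs, advisories):
    """'When did it become unsafe?': components below an advisory's fixed version."""
    hits = []
    for product, comp in pairs:
        for adv in advisories:
            if (comp["purl"].startswith(adv["purl_prefix"])
                    and parse_version(comp["version"]) < parse_version(adv["fixed_in"])):
                hits.append((product, comp["name"], comp["version"], adv["id"]))
    return hits


def untrusted_suppliers(pairs, trusted):
    """'Who supplies it?': components with a missing or unrecognized supplier."""
    return [(product, comp["name"]) for product, comp in pairs
            if comp.get("supplier", {}).get("name") not in trusted]


def lookalikes(pairs, known, cutoff=0.8):
    """Typosquatting candidates: names not in the known set but very close to one."""
    out = []
    for product, comp in pairs:
        if comp["name"] in known:
            continue
        close = difflib.get_close_matches(comp["name"], sorted(known), n=1, cutoff=cutoff)
        if close:
            out.append((product, comp["name"], close[0]))
    return out


def triage(sboms=SBOMS, advisories=ADVISORIES, trusted=TRUSTED_SUPPLIERS, known=KNOWN_PACKAGES):
    pairs = load_all(sboms)
    return {
        "affected": affected(pairs, advisories),
        "untrusted": untrusted_suppliers(pairs, trusted),
        "lookalikes": lookalikes(pairs, known),
    }


if __name__ == "__main__":
    print("log4j-core used in:", where_used(load_all(SBOMS), "log4j-core"))
    for key, rows in triage().items():
        print(key, rows)
```

The advisory check here is deliberately a plain “below fixed version” comparison; a real SCA feed carries affected ranges and ecosystem-specific version semantics, and the automated-update step would then raise the pinned version rather than just report it.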

Are there other topics or trends that you think will be the focus of attention this year?

AI and machine learning and their impact on both attackers and defenders will be another hot topic.

Everyone seems to be drawn to the new and novel. However, the real issue of security is still fundamental. There’s no point defending a system with fancy AI if the components within it haven’t been updated in five years. This is similar to using robots to guard the doors while leaving all the windows open. Once you’ve taken the proper steps to secure all the basics, it’s time to explore how the latest shiny tech can make security even better.
