RSA Conference Major supply-chain attacks of recent years – we’re talking about SolarWinds, Kaseya and Log4j to name a few – are “just the tip of the iceberg at this point,” according to Aanchal Gupta, who leads Microsoft’s Security Response Center.
“All of those have been big,” she said, in an interview with The Register at RSA Conference. “But I feel they will continue and there will be more. And there’s a reason I think that.”
As the head of MSRC, Gupta has a unique vantage point. Her view spans all of Microsoft’s products and services, as well as visibility across industry partners’ software and tools plus customers’ environments including government agencies.
“The reason we will have a continuation of these supply chain attacks is our reliance on third party software and open source software is only growing,” she said. “It’s not going to come down anytime soon.”
That reliance benefits cybercriminals, because they can find an unpatched vulnerability in one company’s environment and use that to infect those organizations’ customers and partners – “Like we saw with Nobelium,” Gupta noted, referring to the Russian miscreants who hacked SolarWinds. “It also gives them economies of scale.”
“And one thing, which came to light with Log4j: how pervasively it’s used,” she added.
Because the popular Apache Log4j logging library is so widely used among enterprise apps and cloud services, the remote code execution flaw made it an especially attractive target for criminals to exploit.
“I compare it to salt in the food items in your pantry,” Gupta said. “If I were to tell you to throw out all the things that have salt, you would say: do you want my pantry to be empty? Because it’s just everywhere.”
Gupta, who previously worked as a developer at Microsoft and Facebook, said she remembers when the news about the Log4j exploit broke. She recalled saying, “is that the same package I used in 2000 to code? It’s the same package! Oh my god, people still use it? And its usage has grown.”
Ingredients list for software products
This is why she believes companies need an “ingredients list” (some people call this a software bill of materials, or SBOM) – essentially an inventory of all the open source and third party code used in their products.
“When we ship something, or when we consume something, what are the downstream dependencies? It’s critical for us to be very well aware of that,” and Microsoft maintains a software dependency index, which helped the MSRC respond quickly to Log4j, Gupta noted. “Organizations have to prioritize this work.”
Continuing with the food metaphor: companies should know the sources of the ingredients, she said. This means asking vendors about their security policies and doing audits, as well as code reviews on open source software.
“And then the third thing I would say is trust but verify,” Gupta said. “Even though you trust the vendor who is providing you the dependency, you should still have this program to verify.” ®