theDocumentId => 1339764 Slideshows - Dark Reading

Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

News

12/18/2020
10:40 AM
Jai Vijayan
Jai Vijayan
Slideshows
Connect Directly
Twitter
LinkedIn
RSS
E-Mail

5 Key Takeaways From the SolarWinds Breach

New details continue to emerge each day, and there may be many more lessons to learn from what could be among the largest cyberattacks ever.
3 of 6

'Build Systems' Need Protection
SolarWinds has said the attackers likely inserted the SUNBURST malware into its software updates by gaining access to the company's build system, or CI/CD environment. This incident is another example of why organizations need to pay attention to security during the software development life cycle. The move to more agile development methods in recent years has improved speed and cadence of software delivery, but analysts have noted security is often seen as an impediment in this environment.
So-called build systems 'are designed to package up source code, perform any steps required to make it usable in production, and, increasingly these days, actually deploy the changes' into production, says Daniel Trauner, director of security at Axonius. These systems are critical for software engineering teams, who rely on them to make it as easy as possible to run automated tests and ship their code. 
'[But] because engineers are often concerned about the reliability of CI/CD systems, they may not be audited or maintained as carefully, especially with respect to security,' Trauner says. Organizations should take care to protect and audit the usage of any software signing keys within a build system, he adds.
Image credit: Gorodenkoff via Shutterstock

'Build Systems' Need Protection

SolarWinds has said the attackers likely inserted the SUNBURST malware into its software updates by gaining access to the company's build system, or CI/CD environment. This incident is another example of why organizations need to pay attention to security during the software development life cycle. The move to more agile development methods in recent years has improved speed and cadence of software delivery, but analysts have noted security is often seen as an impediment in this environment.

So-called build systems "are designed to package up source code, perform any steps required to make it usable in production, and, increasingly these days, actually deploy the changes" into production, says Daniel Trauner, director of security at Axonius. These systems are critical for software engineering teams, who rely on them to make it as easy as possible to run automated tests and ship their code.

"[But] because engineers are often concerned about the reliability of CI/CD systems, they may not be audited or maintained as carefully, especially with respect to security," Trauner says. Organizations should take care to protect and audit the usage of any software signing keys within a build system, he adds.

Image credit: Gorodenkoff via Shutterstock

3 of 6
Comment  | 
Print  | 
Comments
Newest First  |  Oldest First  |  Threaded View
robert.cox@gapac.com
50%
50%
robert.cox@gapac.com,
User Rank: Apprentice
1/25/2021 | 11:39:59 AM
Any new information or updates?
This story broke a little over a month ago; I'm curious if there are new updates worth reviewing?
Edge-DRsplash-10-edge-articles
I Smell a RAT! New Cybersecurity Threats for the Crypto Industry
David Trepp, Partner, IT Assurance with accounting and advisory firm BPM LLP,  7/9/2021
News
Attacks on Kaseya Servers Led to Ransomware in Less Than 2 Hours
Robert Lemos, Contributing Writer,  7/7/2021
Commentary
It's in the Game (but It Shouldn't Be)
Tal Memran, Cybersecurity Expert, CYE,  7/9/2021
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
The State of Cybersecurity Incident Response
In this report learn how enterprises are building their incident response teams and processes, how they research potential compromises, how they respond to new breaches, and what tools and processes they use to remediate problems and improve their cyber defenses for the future.
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-4974
PUBLISHED: 2021-07-28
IBM Jazz Foundation products are vulnerable to server side request forgery (SSRF). This may allow an authenticated attacker to send unauthorized requests from the system, potentially leading to network enumeration or facilitating other attacks. IBM X-Force ID: 192434.
CVE-2020-5004
PUBLISHED: 2021-07-28
IBM Jazz Foundation products are vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 192957.
CVE-2021-32001
PUBLISHED: 2021-07-28
A Missing Encryption of Sensitive Data vulnerability in k3s, kde2 of SUSE Rancher allows any user with direct access to the datastore, or a copy of a datastore backup to extract the cluster's confidential keying material (cluster certificate authority private keys, secrets encryption configuration p...
CVE-2021-32000
PUBLISHED: 2021-07-28
A UNIX Symbolic Link (Symlink) Following vulnerability in the clone-master-clean-up.sh script of clone-master-clean-up in SUSE Linux Enterprise Server 12 SP3, SUSE Linux Enterprise Server 15 SP1; openSUSE Factory allows local attackers to delete arbitrary files. This issue affects: SUSE Linux Enterp...
CVE-2021-23414
PUBLISHED: 2021-07-28
This affects the package video.js before 7.14.3. The src attribute of track tag allows to bypass HTML escaping and execute arbitrary code.