What are your interests?
Select categories to help us recommend content for you.
Let's Go!
Close queue History
Play full episodes to fill your queue.
Fathom beta logo
   
mute button
Managing Open Source Packages
episode icon Defensive Security Podcast - Malware, Hacking, Cyber Security & Infosec
Defensive Security Podcast Episode 268
  Stories: https://www.scmagazine.com/feature/i... more
Jul 17 2022 32m
Managing Open Source Packages
Chapter 1 59 sec
All right, here we go today. Sunday, July 17th. 2022. And this is episode 268. Of the defensive security podcast. My name is Jerry Bell and joining me tonight as always is Mr. Andrew Kellett
Chapter 2 59 sec
point, but the pictures are actually sound absorbing panels
Chapter 3 59 sec
really interesting stuff in here
Chapter 4 59 sec
CISO of solar winds describes that the attack didn& actually. Change their code base. So the attack wasn& against their code repository. It was actually against one of their build systems
Chapter 5 59 sec
end of each of those, there& a comparison. And if they don& They don& match, if the. They call it a deterministic build. So there are like their security team does one, a dev ops team does another and the QA team does a third. And all building
Chapter 6 59 sec
resources to do so maybe it makes sense
Chapter 7 59 sec
dedicated red team who& focused on the build environment. I will say the one. Reservation I have is this kind of feels maybe a little bit like they& fighting the. The last war. And so all the stuff that they& describing is very focused on. Addressing the thing that failed last time
Chapter 8 59 sec
Attack outcomes
Chapter 9 59 sec
I& drawing a blank. I think that& one of the hotel change. don& want to say the wrong name, but I I believe that there are. There are also instances. We& readily available. Where the contrast true. Like they just keep getting hacked over and over
Chapter 10 59 sec
stuff. They mentioned it here. I& sure that CrowdStrike appreciated that. Their own. Tier three SOC. They& got a lot of stuff and they also talking to that now their retention rates for customers are back up in the nineties, which is pretty, pretty good. So I don& know. Yeah. Clearly this is a PR thing
Chapter 11 59 sec
bureaucracy and checks and balances that must add tremendously to the cost
Chapter 12 59 sec
help the rest of The rest of the industry learned, which is, by the way, like what we& trying to do here on the show. Kudos to them
Chapter 13 59 sec
NTSB or what have you. But they released this report last week, which describes. What happened in, or at least their analysis of what happened. In the log4j. Incident that happened last year. And. So I have mixed. Mixed emotions
Chapter 14 59 sec
In the last I checked every single month for the past 20 plus years. Microsoft releases
Chapter 15 59 sec
Combined into this commercial software. And the big challenge we had as an industry. Was figuring out where they, where all that stuff was. And then even after that Trying to beat on your vendors
Chapter 16 59 sec
think there& a real appreciation for how pervasively, some of these things. Are being used. They do talk about in the recommendations about creating built in a better bill of material for software, which I think is good. But it& still, that& like coming at it the wrong way
Chapter 17 59 sec
surprised when some enterprising researcher. Lifts up a rug that nobody& looked under before and realizes, oh gosh, there& this piece of code that was managed by
Chapter 18 59 sec
package. That does its job well that I can include in my software package. I could potentially save myself a lot of bugs and
Chapter 19 59 sec
talking about versus, Hey, that& a solved problem. I& just pull it off the shelf and move on
Chapter 20 59 sec
going to be in every fricking piece of commercial and open source software out there
Chapter 21 59 sec
it becomes much easier to look across your environment and say, yep, I got it there and there
Chapter 22 59 sec
open source components exist in, pervasively and what would be easy ish
Chapter 23 59 sec
are sending letters to unwitting. Employees at different companies. And I don& know how well targeted this is. There& really not a lot of discussion about that, but. In the example they cite they have a letter
Chapter 24 59 sec
It, the hypothesis is that it will lead to unsurprisingly a ransomware infection because they& install a remote access Trojan on your workstation. And then, use that, use that as a beachhead to get into your
Chapter 25 59 sec
perilous to think that you can train it away, because then you start to think that when it happens, It& the failure of the person. And actually think that& the wrong way to think about it. If you have, Obviously. You want to do some level of training?
Chapter 26 59 sec
on our
Chapter 27 59 sec
the. Attacks involving macros has fallen away. So pretty effective control Microsoft last week
Chapter 28 59 sec
problem. For at least 15 years with Microsoft
Chapter 29 59 sec
that is the story for tonight. Just one little bit of editorial. I spend a lot of time during the week reading. Different stories, all kinds of Google alerts set up for For different security stories and whatnot to help pick what we talk about on these podcasts
Chapter 30 59 sec
And I don& mean to be that harsh about it. It& just
Chapter 31 59 sec
to have one of and if it& not one of these three, you don& get premium pricing
Chapter 32 59 sec
We proudly have I think we& cleared 10 years of no No vendor sponsorship. No sponsorship of any kind, other than a donation
Chapter 33 46 sec
entertained. And really proud of you when I found out that your voice. Was found to be one of the best tools to disperse crowds
Like
Clip
Share
Transcript
More
Play Full