Press Rewind
Music: Del the Funky Homosapien - Press Rewind (2000)
This week we take a look at recent updates in software supply chain security that may provide an ability to press rewind.
Getting Informed
If you didn’t know already, Fudge Sunday offers a Spotify playlist of the music that inspired 76+ weeks of issues. Mash that subscribe button, or something.
While the promise of ever smarter devices may provide a roadmap for a better future, there will undoubtedly be a few bumps in the road along the way. Indeed, some bumps will be jarring enough for some to require starting the journey over from scratch — or to say it differently — press rewind.
Readers of Fudge Sunday may recall the March 2022 issue on SCA, xAST, RASP, DevSecOps, and SBOM in software supply chain security. Well, now there is an emerging example of the importance of software supply chain security that will likely grace every presentation you’ll see from vendors in the coming months (years?).
Mandiant says the North Korea-linked hack of VoIP company 3CX’s customers is the first confirmed incident of one software-supply-chain attack enabling another
By Andy Greenberg / Wired. View the full context on Techmeme.
If you know me, then you know my background is in telecom from the 1990s. I was one of those folks that was starting my career as Voice over IP (VoIP) was in its infancy — and I embraced VoIP — warts and all.
Back in those days, office workers, or knowledge workers, would sit in cubicles, in what were called cubicle farms. On these cubicle desk surfaces, you would find some form of desktop personal computer, and the ubiquitous, often hated / ignored proprietary office phone system with arguably cryptic features and many _many_ physical buttons.
Of course, most business class office worker VoIP was done using physical desktop phones that looked, and for the most part acted, like traditional desktop phones. The primary difference was that a VoIP phone device had software definable characteristics, settings, and flexibility with emerging standards — and is increasingly based on embedded Linux with color LCD screens as well as hardware and software buttons.
To understand the problematic side of such flexibility, consider this example… Doom, the game, runs on Linux too.
DOOM On A Desk Phone Is Just The Tip Of The Iceberg
These days we expect even the cheapest of burner smartphones to feature a multi-core processor, at least a gigabyte of RAM, and a Linux-based operating system. But obviously those sort of specs are…
Hackaday
Next, let’s consider recent updates in software supply chain security that may help press rewind before it is too late. After all, not all actors will simply want to play fun and games on the smart devices of the future — malware is very real and very profitable for bad actors that will rely on asymmetric advantages.
Word sentinel invisible infidel interstellar 🎶
Software supply chain security will continue to be important as the toolchains become increasingly pervasive in more organizations. So, it is wonderful to see the Cloud Native Computing Foundation extending efforts to this critical concern.
Building secure software supply chains in CNCF with SLSA assessments | Cloud Native Computing Foundation
To continue efforts to improve the security of our graduated and incubating projects, we recently worked with Chainguard to assess the software supply chain security practices of two of our graduated…
Cloud Native Computing Foundation
Next, it is worth noting that software supply chain security isn’t just tools scanning tools that scan tools. There are people and processes needed too.
The eeriest mic mysterious 🎶
Perhaps there is no better example of people and processes in software supply chain security than the community of security minded people and their own knowledge sharing. In software supply chain security, _if you see something say something_ isn’t just an aphorism.
The Good, the Bad and the Ugly in Cybersecurity - Week 16
Two Chrome zero-days urgently patched, LockBit ransomware takes a swipe at macOS, and Linux malware tied to 3CX attack.
SentinelOne
So, what will be the next big thing in our ability to press rewind in software supply chain security?
Until then… Place your bets!
Work Plug
As a reminder, after a 25+ year walkabout, I’m an IBMer (again). For 2023, in “Work Plug”, I’ll share a new link each week that is educational, accessible, and relevant to platform engineering from fellow IBMers[1] in the wider IBM Community.
Stay tuned!
Disclosure
I am linking to my disclosure.
Shout out to Stephanie “Snow” Carruthers ↩︎