Click here to sponsor Fudge Sunday and post jobs!

Music: Del the Funky Homosapien - Press Rewind (2000)

This week we take at recent updates in software supply chain security that may provide an ability to press rewind.

Getting Informed

If you didn’t know already, Fudge Sunday offers a Spotify playlist of the music that inspired 76+ weeks of issues. Mash that subscribe button, or something.

While the promise of ever smarter devices may provide a roadmap for a better future, there will be undoubtedly be a few bumps in the road along the way. Indeed, some bumps will be jarring enough for some to require starting the journey over from scratch — or to say it differently — press rewind.

Readers of Fudge Sunday may probably recall the March 2022 issue on SCA, xAST, RASP, DevSecOps, and SBOM in software supply chain security. Well, now there is an emerging example for the importance of software supply chain security that will likely grace every presentation you’ll see from vendors in the coming months (years?).

Techmeme: Mandiant says the North Korea-linked hack of VoIP company 3CX’s customers is the first confirmed incident of one software-supply-chain attack enabling another (Andy Greenberg/Wired)

By Andy Greenberg / Wired. View the full context on Techmeme.

If you know me, then you know my background is in telecom from the 1990s. I was one of those folks that was starting my career as Voice over IP (VoIP) was in its infancy — and I embraced VoIP — warts and all.

Back in those days, office, workers, or knowledge, workers would sit in cubicles, called cubicle farms. On these cubical desk surfaces, you would find some form of desktop personal computer, and the ubiquitous often hated / ignored proprietary office phone systems with arguably cryptic features and many many physical buttons.

Of course, most business class office worker VoIP was done using physical desktop phones that looked, and for the most part acted, like traditional desktop phones. The primary difference was a VoIP phone device had software definable characteristics, settings, and flexibility with emerging standards — and is increased based on embedded Linux with color LCD screens as well as hardware and software buttons.

To understand the problematic side of such flexibility, consider this example… Doom, the game, runs on Linux too.

DOOM On A Desk Phone Is Just The Tip Of The Iceberg | Hackaday

These days we expect even the cheapest of burner smartphones to feature a multi-core processor, at least a gigabyte of RAM, and a Linux-based operating system. But obviously those sort of specs are…

Next, let’s consider recent updates in software supply chain security that may help press rewind before it is too late. After all, not all actors will simply want to play fun and games on the smart devices of the future — malware is very real and very profitable for bad actors that will rely on asymmetric advantages.

Word sentinel invisible infidel interstellar 🎶

Software supply chain security will continue to be important as the toolchains become increasingly pervasive in more organizations. So, it is wonderful to see the Cloud Native Computing Foundation extending efforts to this critical concern.

Building secure software supply chains in CNCF with SLSA assessments | Cloud Native Computing Foundation

To continue efforts to improve the security of our graduated and incubating projects, we recently worked with Chainguard to assess the software supply chain security practices of two of our graduated…

Next, it is worth noting that software supply chain security isn’t just tools scanning tools that scan tools. There are people and processes needed too.

The eeriest mic mysterious 🎶

Perhaps there is no better example of people and processes in software supply chain security than the community of security minded people and their own knowledge sharing. In software supply chain security, if you see something say something isn’t just an aphorism.

The Good, the Bad and the Ugly in Cybersecurity - Week 16 - SentinelOne

Two Chrome zero-days urgently patched, LockBit ransomware takes a swipe at macOS, and Linux malware tied to 3CX attack.

So, what will be the next big thing in our ability to press rewind in software supply chain security?

Until then… Place your bets!

Work Plug

As a reminder, after a +25 year walkabout, I’m an IBMer (again). For 2023, in “Work Plug”, I’ll share a new link each week that is educational, accessible, and relevant to platform engineering from fellow IBMers¹ in the wider IBM Community.

Stay tuned!

Disclosure

I am linking to my disclosure.