I just finished the draft of a white paper on the software supply chain and how Triumfant addresses some of the problems presented in that chain. The white paper explores how to protect organizations from the subversion of third party software to create security problems in the form of exploits to be used later for malicious activity, or actual malicious code baked into the software. The growing global economy, the demand for new applications, and the pressure to get those new applications to market quickly are all factors that are driving the problem. The research brought into clear view that we are in an interesting conundrum because as security threats become increasingly complex and persistent, we are going the exact opposite way in our development processes and methodologies.
Think about the gold rush to build iPhone applications – just how much time do you think was spent on securing those applications? The software being developed today is neither designed nor built to be secure. Today’s developers have had very little exposure to secure development methodologies, and therefore do not integrate sound security practices into their coding and engineering. Rapid development, iterative design, and the growing use of mash-ups all point to the fact that there can be presumption that security is baked in. Combine this lack of security rigor with the overt threats of baking exploits or malware into an application and we have a serious security problem.
So back to the conundrum – as the cyber criminals have become more organized and find new and innovative ways to attack our systems, we are countering by rolling out software across our computer populations that is increasingly less prepared from a security perspective. After all, how much easier is it for a cyber criminal to subvert application software that is willingly distributed by the targeted organization rather than go through all the problems of infiltrating machines one at a time?
Up to the point where I started this paper, I was focused on the more direct acts of infiltration and had not fully considered the implication of the software supply chain. I actually was pointed that way by someone steeped in IT security who, after getting the three minute malware challenge demo at RSA, noted that Triumfant was uniquely capable of addressing much of the software supply chain issues because of its change detection capabilities. After my research I have a better appreciation of the problem and now understand that the software supply chain must be considered in any defense in depth strategy. And not just the normal processes of testing applications before they are deployed, but the vigilance of testing applications post-deployment. There was actually a great article in PC World about how DISA continues rigorous testing post-deployment. I would also note that the subject of the software supply chain was noted in the White House Cybersecurity Policy Review.
I will address how Triumfant addresses this problem in a future post and provide the link to the white paper as soon as it is ready for prime time.