Defensive Security Podcast Episode 268 Podcast Por arte de portada

Defensive Security Podcast Episode 268

Defensive Security Podcast Episode 268

Escúchala gratis

Ver detalles del espectáculo
Stories: https://www.scmagazine.com/feature/incident-response/why-solarwinds-just-may-be-one-of-the-most-secure-software-companies-in-the-tech-universe https://www.computerweekly.com/news/252522789/Log4Shell-on-its-way-to-becoming-endemic https://www.bleepingcomputer.com/news/security/hackers-impersonate-cybersecurity-firms-in-callback-phishing-attacks/ https://www.cybersecuritydive.com/news/microsoft-rollback-macro-blocking-office/627004/ jerry: [00:00:00] All right, here we go today. Sunday, July 17th. 2022. And this is episode 268. Of the defensive security podcast. My name is Jerry Bell and joining me tonight as always is Mr. Andrew Kellett. Andy: Hello, Jerry. How are you, sir? jerry: great. How are you doing? Andy: I’m doing good. I see nobody else can see it, but I see this amazing background that you’ve done with your studio and all sorts of cool pictures. Did you take those. jerry: I It did not take those. They are straight off Amazon actually. It’s. jerry: I’ll have to post the picture at some [00:01:00] point, but the pictures are actually sound absorbing panels. Andy: Wow. I there’s jokes. I’m not going to make them, but anyway, I’m doing great. Good to see ya.. jerry: Awesome. Just a reminder that the thoughts and opinions we express on the show are ours and do not represent those of our employers. But as you are apt to point out, they could be for the right price. Andy: That’s true. That’s true. And that, and by the way, what that really means is you’re not going to change our opinions. You’re just going to to hire them. jerry: Correct. right. Sponsor our existing opinions. Andy: Someday that’ll work. jerry: All right. So we have some interesting stories today. The first one comes from SC magazine dot com. The title is why solar winds just might be one of the most secure software companies. In the tech universe. Andy: It’s a pretty interesting one. I went into this a little. Andy: Cynical. But there’s a lot of [00:02:00] really interesting stuff in here. jerry: Yeah there, there is, I think jerry: What I found interesting. A couple of things. One is very obvious. That this is a. Planted attempt to get back into the good graces of the it world. But at the same time, It is very clear that they have made some pretty significant improvements in their security posture. And I think for that, it deserves a. jerry: A discussion. Andy: Yeah, not only improvements, but they’re also. Andy: Having these strong appearance of transparency and sharing lessons learned. Which we appreciate. jerry: Correct. The one thing that I so we’ll get into it a little bit, but they still don’t really tell you. How. The thing happened. Andy: Aliens. jerry: Obviously it was aliens. They did tell you what happened. And so in the. Article here they describe this the [00:03:00] CISO of solar winds describes that the attack didn’t actually. Change their code base. So the attack wasn’t against their code repository. It was actually against one of their build systems. jerry: And so they were the adversary here. Was injecting code. At build time, basically. So it wasn’t something that they could detect through code reviews. It was actually being added as part of the build process. And by inference the head. Pretty good control. At least they assert they had good control over their jerry: source code, but they did not have good control. Over the build process and in the article they go through. The security uplifts they’ve made to their build process, which are quite interesting. Like they I would describe it as they have three parallel. Build channels that are run by three different teams. jerry: And at the end of, at the [00:04:00] end of each of those, there’s a comparison. And if they don’t. They don’t match, if the. They call it a deterministic build. So there are like their security team does one, a dev ops team does another and the QA team does a third. And all building. jerry: The same set of code. They should end up with the same final. Final product. All of the systems are are central to themselves. They don’t commingle. They don’t have access to each others. So there should be a very low opportunity for for an adversary to have access to all three. jerry: Environments and do the same thing they did without being able to detect at the end, when they do the comparison between the three builds, whether it’s a novel approach. I hadn’t thought about it. It seems. jerry: My first blush was, it seemed excessive, but as the more I think about it, It’s probably not a huge amount of [00:05:00] resources to do so maybe it makes sense. Andy: Yeah. Andy: And also, they mentioned that three different people are in charge of it. And so to corrupt it. Or somehow injected. Into all three would take. Somehow corrupting three different individuals, somehow some way. jerry: Yeah, they would have to clue the three teams would have to collude. Andy: Yeah. Andy: Which. Is ...
Todavía no hay opiniones