This comment follows the news, as reported by the Independent, that Microsoft President Brad Smith described the recent SolarWinds hack on the 60 Minutes programme as "the largest and most sophisticated attack the world has ever seen".
<p>A core truism in information security is that it is impossible to prevent 100% of breaches. The attack on SolarWinds is proof that even the world's most security-sensitive organisations have some degree of exposure through the software supply chain they rely on so heavily. Another way to look at it, however, is that while we do not know exactly how the attackers got into SolarWinds in the first place, this kind of breach is the exception rather than the norm. All too often, breaches occur because of software supply chain vulnerabilities, and a significant portion of these are known and easily preventable with good security hygiene in software development and operations.</p>
<p>However, the standards by which we hold software and other digital product vendors accountable for cybersecurity, such as ISO 27001 and SOC 2 Type 2 audits, tend not to emphasise the practices that result in more robust software. This, predictably, steers cybersecurity attention and budget towards areas outside of building and maintaining secure products, such as network perimeter defences.</p>
<p>One industry that has recognised and corrected this fundamental oversight is the Payment Card Industry (PCI), which released the Software Security Framework (SSF). From this year onwards, payment applications are required to comply with the SSF. Compliance is no guarantee that payment products will be free of vulnerabilities, but it will almost certainly lead to fewer known, preventable defects. Most other industries, and most types of software product, have no such standard that they are held to. The true measure of success for the industry will not be the eradication of breaches as sophisticated as SolarWinds, but limiting how often such attacks occur and how often they succeed. There is heightened awareness of this subject right now, and the question remains whether we will seize the opportunity as an industry to raise security standards. For example, will we adopt the SSF more broadly, or require software vendors to comply with the NIST Secure Software Development Framework?</p>
Information Security Buzz (aka ISBuzz News) is an independent resource that provides expert comment, analysis and opinion on the latest information security news and topics.