You buy a device and it works. It works reliably and securely for a period of time, and then, due to [insert reasons here], it stops working reliably or securely. I was recently looking at replacing my network stack of Unifi gear. One vendor I contemplated was Cisco.
When you develop a reputation for being the global leader in reliably shipping internet-facing equipment with hard-coded passwords and remote code execution vulnerabilities, perhaps it is time to stop repeating the same product development process and expecting a different result?
No Cisco for me from the looks of it.
The CEO of LastPass, a fairly well-known password manager, last week made public a security incident. It seems an unauthorized party gained access to a developer account and, through that, to a developer environment. Said party then seems to have gained access to portions of their source code and proprietary technical information.
Will they continue to be your go-to way to securely manage your secrets in the future? The parent company does have a reputation for taking great software and turning it into soulless products with degraded engineering quality and capability.
So last week the U.S. House of Representatives passed the National Defense Authorization Act for Fiscal Year 2023, which becomes law only if the Senate approves it and President Joe Biden signs it.
This bill is a well-intentioned effort to raise the overall standard of the software supply chain used by the Department of Homeland Security. It requires vendors to submit a Software Bill of Materials and to certify that the product has no known open vulnerabilities or defects; the NIST NVD and the CISA databases are the references currently named for that validation.
I am not sure how successful this will be, as .gov usually prescribes the what and leaves the how for everyone else to figure out.
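The "how" that the bill leaves open is, at its core, a cross-reference: every component named in the SBOM checked against a database of known vulnerabilities. The following is an added illustration of that check, not code from the post, the bill or DHS. The SBOM is a constructed CycloneDX-style document, the vulnerability entries are constructed with placeholder IDs, and in practice the feed would be pulled from NVD or CISA rather than embedded; the purl parsing and the numeric-only version comparison are simplifications that a real implementation would replace with proper libraries.

```python
"""Added illustration: cross-check a CycloneDX-style SBOM against a
vulnerability list keyed by package URL (purl).  Both the SBOM and the
vulnerability entries are constructed sample data with placeholder IDs."""
import json
from dataclasses import dataclass

# Constructed SBOM for a hypothetical product (not a real product's BOM).
SBOM_JSON = """
{
  "bomFormat": "CycloneDX",
  "specVersion": "1.4",
  "components": [
    {"name": "lodash",  "version": "4.17.20", "purl": "pkg:npm/lodash@4.17.20"},
    {"name": "express", "version": "4.18.2",  "purl": "pkg:npm/express@4.18.2"},
    {"name": "log4j-core", "version": "2.17.1",
     "purl": "pkg:maven/org.apache.logging.log4j/log4j-core@2.17.1?type=jar"}
  ]
}
"""

# Constructed vulnerability feed: each entry names the package (purl without a
# version) and the first version that carries the fix.  IDs are placeholders,
# not real advisories; a real check would pull this from NVD or CISA.
KNOWN_VULNS = [
    {"id": "EXAMPLE-0001", "purl": "pkg:npm/lodash", "fixed_in": "4.17.21"},
    {"id": "EXAMPLE-0002", "purl": "pkg:npm/express", "fixed_in": "4.17.3"},
    {"id": "EXAMPLE-0003", "purl": "pkg:maven/org.apache.logging.log4j/log4j-core",
     "fixed_in": "2.17.1"},
]


@dataclass(frozen=True)
class Finding:
    component: str
    version: str
    vuln_id: str
    fixed_in: str


def parse_purl(purl: str) -> tuple[str, str]:
    """Split 'pkg:type/name@version?qualifiers#subpath' into (pkg:type/name, version)."""
    base = purl.split("?", 1)[0].split("#", 1)[0]   # drop qualifiers and subpath
    name, sep, version = base.rpartition("@")
    # No '@' at all, or the last '@' belonged to a scoped namespace such as
    # pkg:npm/@scope/name with no version attached.
    if not sep or "/" in version:
        return base, ""
    return name, version


def version_tuple(version: str) -> tuple[int, ...]:
    """Order dotted numeric versions; non-numeric parts (e.g. '0-rc1') sort as 0."""
    return tuple(int(p) if p.isdigit() else 0 for p in version.split("."))


def load_sbom(text: str) -> list[dict]:
    """Return the SBOM's component list; other fields are not needed here."""
    return json.loads(text).get("components", [])


def find_open_vulnerabilities(components: list[dict], vulns: list[dict]) -> list[Finding]:
    """Report every component shipped at a version below a known fix."""
    by_purl: dict[str, list[dict]] = {}
    for v in vulns:
        by_purl.setdefault(v["purl"], []).append(v)
    findings = []
    for comp in components:
        name, version = parse_purl(comp.get("purl", ""))
        if not version:
            continue   # unversioned entry; a real check should flag the SBOM as incomplete
        for v in by_purl.get(name, []):
            if version_tuple(version) < version_tuple(v["fixed_in"]):
                findings.append(Finding(comp["name"], version, v["id"], v["fixed_in"]))
    return findings


def is_certifiable(components: list[dict], vulns: list[dict]) -> bool:
    """The bar as the post describes it: no known open vulnerabilities."""
    return not find_open_vulnerabilities(components, vulns)


SBOM = load_sbom(SBOM_JSON)

if __name__ == "__main__":
    for f in find_open_vulnerabilities(SBOM, KNOWN_VULNS):
        print(f"{f.component} {f.version}: {f.vuln_id} (fixed in {f.fixed_in})")
    print("certifiable:", is_certifiable(SBOM, KNOWN_VULNS))
```

Run as-is, the sample flags only lodash (4.17.20 is below the constructed fix version 4.17.21), while express and log4j-core sit at or above theirs, so the constructed product would not pass. Note what this simple form does not cover: components with no version in their purl are skipped rather than flagged, and version ordering ignores pre-release tags, both of which a production check would have to handle.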
With the increase in supply chain attacks on the software development industry, various players in the ecosystem have steadily been rolling out mandatory MFA requirements for developers.
Earlier this week RubyGems announced its intention to enforce MFA on maintainers of gems with 180 million downloads or more.
PyPI announced support for MFA in mid 2019. It was opt-in for package maintainers back then. However, earlier this year they announced that MFA was being made mandatory for maintainers of projects deemed critical.
Mozilla announced its MFA requirement for extension developers last year. GitHub had earlier required MFA for the npm registry and recently announced its intention to extend that requirement to all contributing developer accounts.
Okta has a blog post listing industries that require MFA, mostly due to compliance requirements in each industry listed.
Expect more such developments across the software supply chain ecosystem as time progresses. Now if only there were a way to tackle some of the other problems with regard to software supply chain security.
Defcon may be the worst and best place to learn anything in that way - the environment is hopelessly chaotic, with two talks happening inches away from each other, and only feet from a DJ pumping out house music. But perhaps the best environment to learn in is the one in which you are most inspired?
The above is an excerpt from Dave Aitel’s recent entry on the Daily Dave mailing list. In a single paragraph it completely captures what the DEF CON experience is.
DEF CON 30 returned to Las Vegas this year and, from early reports, the crowds are not at the level of past years. However, looking at the schedule and the post-conference analyses, the hacker ethos is still alive and well.
Long live the googly eyes.
Black Hat USA 2022 also took place last week.
Obligatory first post.
This blog used to be more of a catch-all for the notes I had collected over the years. I have deprecated those notes and decided to pivot the blog to capturing my thoughts and opinions on specific events and developments in the field of information security. Expect a linklog-style blog focused on information security here from now on.
The views I present here are my own and can and will change as I move across the arc of time. Should you need to get in touch with me, send an email to the blog-discussion list on sourcehut.