Each code contributor (internal or external) should be treated as a potential insider threat.
In late March 2024, a malicious backdoor (tracked as CVE-2024-3094) was discovered in xz Utils, a widely used open-source compression tool that is nearly ubiquitous in the Linux ecosystem and provides lossless data compression on many Unix-like operating systems. The backdoor was introduced in versions 5.6.0 and 5.6.1 of xz Utils and lived in the liblzma library, which the OpenSSH server loads on distributions that patch sshd to link against libsystemd. There are no known reports of these versions shipping in production releases of major Linux distributions, but some pre-release trees (such as Fedora Rawhide and Debian testing) did carry the compromised versions. The rolling Arch Linux release also shipped the tainted package, although Arch is not commonly used in production systems and its sshd build does not link liblzma, so the payload had no path into sshd there.
Sophisticated attackers, as this case shows, can compromise a build pipeline by infiltrating the software development process itself: the backdoor was committed by a contributor persona that had earned maintainer trust over roughly two years of ordinary-looking contributions. Once inside a project or organization, attackers can manipulate the build process and affect every downstream consumer of the resulting software.
Both open source and closed source (commercial) software are vulnerable to such attacks, and each has its merits and drawbacks. There is no definitive answer to whether one is inherently more secure than the other; let's explore some of the reasons why:
Customization and Control:
Vigilance and monitoring in the fast-paced DevOps landscape are critical. Organizations must fortify their defenses with governance that monitors the integrity of the software build process, regardless of whether the code is open or closed source. Critical areas of focus include:
Source: Cybersecurity and Infrastructure Security Agency, Secure by Design | CISA
Fortunately, this backdoor was discovered before it reached production releases of major Linux distributions, but the incident underlines the value of what-if analysis. Use it as an opportunity to ask yourself and your cross-functional teams: what if it had not been detected so early? How would you have determined scope and impact? What containment and remediation steps would you have taken?
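One concrete way to answer the scope question for this particular incident, as an added example that is not from the original article: a small POSIX shell triage script that classifies a host from the two facts that mattered, the installed xz version (5.6.0 and 5.6.1 were the backdoored releases) and whether the sshd binary links liblzma, which is the path by which the payload reached OpenSSH. The `ldd` output and version strings below are constructed sample inputs; the path `/usr/sbin/sshd` used in live mode is an assumption about where the server binary lives.

```shell
#!/bin/sh
# Added triage example (not from the original article) for the xz Utils
# backdoor, CVE-2024-3094. Two inputs decide whether a host is exposed: the
# installed xz version (5.6.0 and 5.6.1 are the backdoored releases) and
# whether the sshd binary links liblzma, the route by which the payload
# reached OpenSSH.

# xz_version_affected VERSION: succeeds when VERSION is a backdoored release.
xz_version_affected() {
    case "$1" in
        5.6.0|5.6.1) return 0 ;;
        *)           return 1 ;;
    esac
}

# sshd_links_liblzma LDD_OUTPUT: succeeds when ldd output for sshd lists liblzma.
sshd_links_liblzma() {
    printf '%s\n' "$1" | grep -q 'liblzma\.so'
}

# classify_host VERSION LDD_OUTPUT: prints one of
#   EXPOSED       backdoored xz and sshd links liblzma: treat the host as compromised
#   TAINTED-ONLY  backdoored xz installed, but sshd cannot reach it: downgrade, then verify
#   CLEAN         xz is not a backdoored release
classify_host() {
    if xz_version_affected "$1"; then
        if sshd_links_liblzma "$2"; then
            echo EXPOSED
        else
            echo TAINTED-ONLY
        fi
    else
        echo CLEAN
    fi
}

# Constructed sample inputs, standing in for what `ldd /usr/sbin/sshd` returns
# on two hypothetical hosts (one with the libsystemd-patched sshd, one without).
SAMPLE_LDD_LINKED='libsystemd.so.0 => /lib/x86_64-linux-gnu/libsystemd.so.0 (0x00007f00)
    liblzma.so.5 => /lib/x86_64-linux-gnu/liblzma.so.5 (0x00007f01)'
SAMPLE_LDD_UNLINKED='libcrypto.so.3 => /usr/lib/libcrypto.so.3 (0x00007f02)'

# Only touch the live host when asked, so the functions above can be sourced
# from other scripts without side effects. /usr/sbin/sshd is an assumed path.
if [ "$1" = "--live" ]; then
    ver=$(xz --version 2>/dev/null | head -n 1 | awk '{print $NF}')
    ldd_out=$(ldd /usr/sbin/sshd 2>/dev/null)
    echo "xz ${ver:-unknown}: $(classify_host "${ver:-unknown}" "$ldd_out")"
else
    classify_host 5.6.1 "$SAMPLE_LDD_LINKED"     # EXPOSED
    classify_host 5.6.0 "$SAMPLE_LDD_UNLINKED"   # TAINTED-ONLY (the Arch case)
    classify_host 5.4.6 "$SAMPLE_LDD_LINKED"     # CLEAN
fi
```

Run it with `--live` on each host in an inventory and collect the one-line verdicts centrally; a TAINTED-ONLY result still means a malicious package is installed and must be rolled back, it just narrows the containment work to the package rather than the whole host.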
KPMG professionals are passionate and objective about cyber security. We’re always thinking, sharing and debating. Because when it comes to cyber security, we’re in it together.