Preventing Cyber Attacks is Impossible but Improving Code Security Isn’t
In a recent episode of “In the Nic of Time”, Nicolas Chaillan interviewed David Wheeler, an expert on open source software. David is the Director of Open Source Supply Chain Security at the Linux Foundation and teaches a graduate course in developing secure software at George Mason University.
They began by discussing the increase in cyber attacks and ways to prevent them.
David shared, “We can’t prevent attackers from trying to attack systems. We need to acknowledge that they will attack, and we need to prevent them from succeeding.” Vulnerabilities have always persisted because no codebase is free of weaknesses, so the realistic goal is to stop attacks from succeeding rather than to stop them from being attempted.
The Importance of Software Supply Chain Security
Nicolas and David then discussed the dramatic increase in supply chain attacks. Software supply chain security is so vital because open source makes it easy to build with relatively few resources, but that same reuse means a single vulnerability in a widely shared component can be exploited in every project that includes it. Software is becoming more secure as developers work harder to prevent attacks. However, attackers are learning and adapting and still hold the advantage, because despite our best efforts developers will always leave exploitable weaknesses in code.
David Wheeler added, “The number one kinds of vulnerabilities are memory safety issues/buffer overflows…[these were] discussed in the 1970’s. Our key problems in software…have been the same for at least 50 years.”
How to Improve Code Security
That’s where RunSafe comes in. The shift left movement is improving code security by empowering developers to fix vulnerabilities before release, which also raises code quality. However, this movement can overburden developers: more of their time goes to working through vulnerabilities and less to new feature requests that deliver user value.
By using RunSafe’s exploit prevention tools, organizations can reduce the burden on developers and keep them focused on new feature development. For example, developers should not have to spend their time constantly resolving memory safety issues when a tool like RunSafe removes the exploitability of those memory vulnerabilities, saving developer time while making systems more resilient.
Throughout the discussion, they also covered log4j and the White House Open Source Summit, as well as SPDX and SBOMs. David offered a compelling analogy for SBOMs: the list of ingredients on the back of a cereal box. Just as a consumer reads the ingredients to learn what the cereal is actually made of instead of judging its nutritional quality by looks, an SBOM lists the components of a piece of software so that potential vulnerabilities in those components can be identified.
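To make the ingredient-list analogy concrete, the following added example (not from the podcast, RunSafe or the Linux Foundation) reads a small SPDX 2.3-style JSON SBOM and cross-references each component's package URL against an advisory list. The SBOM contents and the advisory entries are constructed sample data, and the advisory identifiers are placeholders rather than real CVE numbers; the field names (`packages`, `versionInfo`, `externalRefs`, `referenceType`, `referenceLocator`) follow the SPDX JSON format. The point it adds to the paragraph is the two practical outcomes of an SBOM check: components that match a known advisory, and components the SBOM does not identify well enough to check at all.

```python
import json

# Constructed SPDX 2.3-style SBOM for a hypothetical application (sample data).
SBOM_JSON = r'''{
  "spdxVersion": "SPDX-2.3",
  "name": "example-app",
  "packages": [
    {"SPDXID": "SPDXRef-Package-log4j-core", "name": "log4j-core", "versionInfo": "2.14.1",
     "externalRefs": [{"referenceCategory": "PACKAGE-MANAGER", "referenceType": "purl",
                       "referenceLocator": "pkg:maven/org.apache.logging.log4j/log4j-core@2.14.1"}]},
    {"SPDXID": "SPDXRef-Package-jackson-databind", "name": "jackson-databind", "versionInfo": "2.13.4",
     "externalRefs": [{"referenceCategory": "PACKAGE-MANAGER", "referenceType": "purl",
                       "referenceLocator": "pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.13.4"}]},
    {"SPDXID": "SPDXRef-Package-openssl", "name": "openssl", "versionInfo": "3.0.7",
     "externalRefs": [{"referenceCategory": "PACKAGE-MANAGER", "referenceType": "purl",
                       "referenceLocator": "pkg:generic/openssl@3.0.7"}]},
    {"SPDXID": "SPDXRef-Package-spring-core", "name": "spring-core", "versionInfo": "5.3.20"}
  ]
}'''

# Constructed advisory feed. The ids are placeholders, not real CVE numbers;
# "affected_below" is the first version that contains the fix.
ADVISORIES = [
    {"id": "ADVISORY-PLACEHOLDER-1",
     "purl_name": "pkg:maven/org.apache.logging.log4j/log4j-core",
     "affected_below": "2.15.0"},
    {"id": "ADVISORY-PLACEHOLDER-2",
     "purl_name": "pkg:maven/com.fasterxml.jackson.core/jackson-databind",
     "affected_below": "2.13.4"},
]


def parse_version(text):
    """Turn a plain dotted numeric version into a comparable tuple.

    Simplification for the example: real feeds need a full version scheme
    (pre-release tags, epochs), which is out of scope here.
    """
    return tuple(int(part) for part in text.split("."))


def package_purl(pkg):
    """Return the package URL recorded in an SPDX package's externalRefs, or None."""
    for ref in pkg.get("externalRefs", []):
        if ref.get("referenceType") == "purl":
            return ref["referenceLocator"]
    return None


def audit_sbom(sbom_json, advisories):
    """Match every SBOM component against the advisory list.

    Returns {"affected": [...], "unidentified": [...]}: components whose version
    falls below an advisory's fix version, and components that carry no package
    URL and therefore cannot be checked reliably (the SBOM equivalent of an
    ingredient listed only as "flavouring").
    """
    sbom = json.loads(sbom_json)
    result = {"affected": [], "unidentified": []}
    for pkg in sbom.get("packages", []):
        purl = package_purl(pkg)
        if purl is None:
            result["unidentified"].append(pkg["name"])
            continue
        # A purl is "<type>/<namespace>/<name>@<version>"; split off the version.
        purl_name, _, version = purl.partition("@")
        for adv in advisories:
            if adv["purl_name"] != purl_name:
                continue
            if parse_version(version) < parse_version(adv["affected_below"]):
                result["affected"].append({
                    "package": pkg["name"],
                    "version": version,
                    "advisory": adv["id"],
                    "fixed_in": adv["affected_below"],
                })
    return result


if __name__ == "__main__":
    report = audit_sbom(SBOM_JSON, ADVISORIES)
    for hit in report["affected"]:
        print(f"{hit['package']} {hit['version']}: {hit['advisory']} (fixed in {hit['fixed_in']})")
    for name in report["unidentified"]:
        print(f"{name}: no package URL in SBOM, cannot be checked")
```

Run as a script, the audit flags the constructed log4j-core entry as below its fix version, leaves jackson-databind alone because it is exactly at the fix version, and reports spring-core as unidentified because the SBOM gives it no package URL. That last case is worth watching for in real SBOMs: a component without a stable identifier silently escapes every automated check.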
Future Goals for Cybersecurity Experts
Lastly, they discussed short-term versus long-term aspirations for the cybersecurity community. David stated that in the short term we should improve the protection of our build environments, and in the long term we should move towards verified reproducible builds.
The world is a safer place because of folks like Nicolas Chaillan and David Wheeler, and because we will have greater visibility into vulnerabilities in the software supply chain while offering developers tools, like RunSafe’s, that prevent attacks without slowing them down. Try RunSafe’s products for free today.