All indications are that software supply chain security will be the biggest issue for the security industry in 2021. The largest security story of 2020 was the supply chain compromise of SolarWinds Orion which allowed attackers to ship malicious updates with backdoors to Orion customers with perfectly valid signatures. Once these updates were applied and attackers were in these networks, this access allowed a large-scale attack of government agencies and tech and security companies, perhaps one of the single largest attacks of US networks in history. In some cases the level of compromise was so deep, including compromised administrator credentials, that the general guidance has been for victims to rebuild infrastructure from the ground up .
Supply chain security is not a new concept (I wrote about how Purism protects the digital supply chain over two years ago) and many researchers have recognized it as a legitimate threat for a long time. Yet the industry overall has been slow to recognize the risk and in fact perverse incentives have led to many in the industry doubling-down on security solutions that rely heavily (in many cases rely entirely) on the exact kind of security measures supply chain hacks defeat.
The proprietary software industry can’t fix the software supply chain problem because they largely created it and depend on it to maintain control over customers. In this article I’m going to explain how this happened, and what the future of supply chain security looks like.
Read the rest of the article here: