Welcome to the latest edition of The Week in Security, which brings you the most important headlines from the world and our team across the full stack of security: application security, cybersecurity, and beyond. This week: A new bill tasks the CISA Director with tackling open source software security, a leaked LockBit builder is being used by a new ransomware gang, and more.
This Week’s Top Story
New bill would task the CISA Director with tackling open source software security
Last week, U.S. Congressman Gary Peters of Michigan read a bill he is sponsoring to the Congressional Committee on Homeland Security and Governmental Affairs. If passed, the legislation would mandate that the Director of the Cybersecurity and Infrastructure Security Agency (CISA) complete a number of actions relating to open source software security. Known as the “Securing Open Source Software Act of 2022,” the bill (PDF), aims to amend the Homeland Security Act of 2002 to tackle open source software security at large.
The bill notes the importance of open source software to the health of the U.S.’s economy, free and open internet, and technological advances. It also points out the unique challenges to securing open source software, which helps to emphasize the importance of the CISA Director tackling these challenges head on. The bill then declares that the federal government should play a role in offering services that secure open source software as well as the software development lifecycles (SDLCs) used by federal agencies and departments.
There are several responsibilities assigned to the CISA Director in this bill. Generally, the Director must make open source security a key part of their role by connecting with other relevant government agencies and officers, such as the National Institute for Standards and Technology (NIST) and the National Cyber Director. This also includes supporting federal agencies’ efforts to secure open source software, and serve as the public point of contact for non-federal government entities regarding open source software security.
The other major task assigned to the CISA Director is the creation of a framework, with a deadline of one year after the bill passes, that will be used to assess the risk of open source software components. It would be based on direct and indirect software dependencies, and provide guidance for how to evaluate security properties of code, and security practices for software development. It will also include the number of publicly known, unpatched vulnerabilities and their severity levels.
It’s unclear as to whether this legislation will pass. However, the bill comes at a time when the risks associated with open source software continue to become more apparent. Software supply chain attacks via open source software repositories like npm and PyPI have surged over the past four years, by 289%, a recent ReversingLabs report on the National Vulnerability Database (NVD) found.
The problems associated with open source software are too great to ignore, and should force the federal government to act more forcibly. See more information on the latest White House memo on software supply chain security, as well as new guidance from the federal government's Enduring Security Framework working group.
News roundup
Here are the stories we’re paying attention to this week…
A new Linux tool aims to guard against software supply chain attacks (WIRED)
Chainguard launched a Linux distribution called Wolfi that is designed specifically for how digital systems are actually built today in the cloud.
Critical WhatsApp bugs could have let attackers hack devices remotely (The Hacker News)
WhatsApp has released security updates to address two flaws in its messaging app for Android and iOS that could lead to remote code execution on vulnerable devices. One of them concerns CVE-2022-36934, a critical integer overflow vulnerability in WhatsApp that results in the execution of arbitrary code simply by establishing a video call.
Most attackers need less than 10 hours to find weaknesses (Dark Reading)
A new SANS Institute survey reports that the average ethical hacker can find a vulnerability that allows the breach of the network perimeter and then exploit the environment in less than 10 hours. Also, once a vulnerability or weakness is found, about 58% of ethical hackers can break into an environment in less than five hours.
Leaked LockBit 3.0 builder used by 'Bl00Dy' ransomware gang in attacks (Bleeping Computer)
The relatively new Bl00Dy ransomware gang has started to use a recently leaked LockBit ransomware builder in attacks against companies. Last week, the LockBit 3.0 ransomware builder was leaked on Twitter after the LockBit operator had a falling out with his developer. This builder allows anyone to build a fully functional encryptor and decryptor that threat actors can use for attacks.
Report: 90% of orgs have software security checkpoints in their SDLC (VentureBeat)
The latest edition of the annual Synopsys Building Security In Maturity Model (BSIMM) report found that 90% of the member organizations surveyed have established software security checkpoints in their software development lifecycle (SDLC).
Keep learning
- Learn how you can go beyond the SBOM with deep visibility and new controls for the software you build or buy. Learn more in our Special Report — and take a deep dive with our white paper.
- Upgrade your software security posture with RL's new guide, Software Supply Chain Security for Dummies.
- Commercial software risk is under-addressed. Get key insights with our Special Report, download the related white paper — and see our related Webinar for more insights.
Explore RL's Spectra suite: Spectra Assure for software supply chain security, Spectra Detect for scalable file analysis, Spectra Analyze for malware analysis and threat hunting, and Spectra Intelligence for reputation data and intelligence.