
06.01.2021 | 5 min read

Extending SBOMs to the firmware layer

by Ryan Naraine


Sponsor message: MongoDB supports The Diana Initiative

MongoDB is the leading modern, general purpose database platform, designed to unleash the power of software and data for developers and the applications they build. The company is proud to support and sponsor The Diana Initiative, an event focused on women, diversity and inclusion in information security. Register here for the virtual conference, scheduled for July 16-17, 2021.


VBOS (Vulnerabilities Below the Operating System)

The U.S. government’s cybersecurity unit (CISA) is starting to flag firmware security — “vulnerabilities below the operating system” — as a priority, warning there are categories of security holes lurking beneath the surface.  This CISA slide deck, presented at the RSA Conference, does a fantastic job of describing the problem and suggesting responses to move the needle:

  • Promote software bills of materials (SBOMs) extending to the firmware level.
  • Have vendors include the intent of the components of the system.
  • Produce analysis of code.
  • Provide public risk scoring.
  • Reduce purchasing of products that shape up poorly.

The reality is that the tech below the OS is an alphabet soup of complexity and security problems we just can’t see.  It’s refreshing to see .gov carrying on this conversation in such a transparent manner. Even for firmware, SBOM is coming and you should start preparing for it.

On to the newsletter…

The most clicked link from last week’s issue was the GAO’s report on ransomware-induced disturbance in the cyber-insurance marketplace. [direct .pdf]

🎧 New Podcast: Google Security Leader Heather Adkins  (presented by Eclypsium)

Founding-member of the Google security team Heather Adkins joins the show to stress the importance of defenders playing the “long-game,” the need for meaningful culture-change among security leaders, and the expansion of zero-trust beyond identities and devices.  Listen here.

Here is a transcript of the Heather Adkins conversation, lightly edited for brevity and clarity.

Also catch my interview with Collin Greene, head of product security at Facebook.

Full podcast episodes are available on the SecurityConversations.com home page, and on all major platforms — Apple, Google, Spotify and Amazon.

Hardware/firmware security

What’s a supply chain attack?

Wired senior writer Andy Greenberg does a fine job of explaining a supply chain attack. His story includes this nugget:

Supply chain attacks were first demonstrated around four decades ago, when Ken Thompson, one of the creators of the Unix operating system, wanted to see if he could hide a backdoor in Unix’s login function. Thompson didn’t merely plant a piece of malicious code that granted him the ability to log into any system. He built a compiler — a tool for turning readable source code into a machine-readable, executable program — that secretly placed the backdoor in the function when it was compiled. Then he went a step further and corrupted the compiler that compiled the compiler, so that even the source code of the user’s compiler wouldn’t have any obvious signs of tampering. 

The referenced Ken Thompson paper (pdf) puts the issue of trust in software code bluntly:

You can’t trust code that you did not totally create yourself. (Especially code from companies that employ people like me.) No amount of source-level verification or scrutiny will protect you from using untrusted code.

Mind-mapping all the things.

As a fan of mind-mapping software to visualize projects, I was thrilled to see Imran Parray publishing this list of security-themed mind-maps.  They include mind-maps for Android attack vectors, bug hunter methodologies, red teaming and reconnaissance.

Rafeeq Rehman’s CISO mind-map is also a favorite for understanding and explaining the modern security program.

Freebies.

Things you should already have read.

Tangentially.

Have a fantastic week.

_ryan

PS: The podcast is available on all platforms (Apple, Google, Spotify and Amazon).  As the kids say, like and subscribe, like and subscribe.
