Or else hack the software development supply chain… A recent data breach highlights an overlooked element of cybersecurity posture…
On 30 Nov, password management software firm LastPass announced that an “unauthorized party” had recently gained access to some customers’ information stored in a third-party cloud service shared by LastPass and its parent company, GoTo.
Using data obtained from an earlier breach in August 2022, hackers infiltrated the firm’s systems again and managed to steal customer information this time.
Ironically, LastPass is being trusted by more than 33m users to manage password hygiene. Portions of the firm’s source codes were stolen in the earlier intrusion. According to one expert, if the root cause of the breaches is a compromised development system, then this latest attack is a continuation of an attack vector we have seen with the high profile SolarWinds ‘Sun Burst’ attack.
Once a software development or test system has been compromised, the ‘keys to the kingdom’ will have reached the hackers’ hands — allowing lateral movement towards critical sensitive information, or permitting an attacker to interfere in the software build process to introduce backdoors in the software produced for sale.
Said Michael White, Technical Director and Principal Architect, Synopsys Software Integrity Group: “When we talk about software supply chain attacks, protecting the internal software delivery process and infrastructure itself is a critical element. Guidelines have recently been released such as SLSA, NIST 800-161 and others, which highlight how an organization can implement effective controls throughout the software development lifecycle.”
White noted that many development teams know the cybersecurity measures but many overlook protections for software development environments, including toolchains such as build servers, source code repositories, and test instances, perhaps because:
- these are not viewed as important as customer facing production services
- these are excluded from the scope of compliance with various existing standards because development environments themselves do not process customer data directly
The key to protecting software development environments and foiling software supply chain attacks is to “adopt an adversarial mindset and implement appropriate controls to mitigate identified risks,” White said.