In Part 1 we addressed the understanding gap using this unfortunate, but recent, real-world example of a supply chain attack. Put simply, the breach demonstrates a weakness present in most of the software organizations we all rely on.
At Tauruseer, we take our science seriously and help our customers do the same. With a clear understanding of the challenges we all face, and a shared framework to help us move forward, we can (and should) accelerate the risk posture maturity of our software ecosystems.
*Post updated 1/5/2021.
"Risky Combinations" and the cyber imperative
For companies that operate valuable business processes, or deliver products critical to their customers, through software, this is your call to action to begin implementing proactive prevention measures via a platform-driven approach.
Either of these alerts, if acted on by a human, can prevent malicious code from going unnoticed and reaching the distribution channels. But it is the historical tracking of "risky combinations" that could have further helped the teams see a threat pattern.
1. Contextually baselined every application's supporting infrastructure, Bill of Materials, tool configurations, team members, certificates, risk performance metrics, and underlying dependencies, automatically checking for security violations and providing continuous feedback on risky changes, prioritization, and remediation.
2. Detected malicious activity in any source control system for any committed code that falls outside standard practices and security policies, independent of any tool.
3. Detected whether an unauthorized individual added code to a repository, across the entire application portfolio, to determine if anyone was tampering with the codebase and secretly installing backdoors or malware.
4. Detected any code repository change from private to public across the entire application portfolio, to identify insecure misconfigurations and intent, decide whether to revoke access control, and understand the potential business impact.
5. Automatically mapped known supply chain vulnerabilities to every entity, so that when an agency like NIST or the Cybersecurity and Infrastructure Security Agency (CISA) releases an alert detailing active exploitation with associated CVEs (CVE-2020-10148, CVE-2020-14005, and CVE-2020-13169), people can research and, within minutes rather than weeks or months, take action on the right systems (your most critical risks).
Additionally, historical tracking of events in one platform enables our Cognition Engine™ to alert when any "risky combinations" like these are observed.
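To make the detection logic behind items 2 through 5 and the "risky combinations" idea concrete, here is an added example that is not Tauruseer's code and does not reflect how the Cognition Engine™ works. All inputs are constructed: the repo, committer and component names are invented, the baseline is a hard-coded allowlist, and the advisory entry pairs one CVE id from the post with a made-up component purely for illustration.

```python
from collections import defaultdict

# Constructed sample inputs (not real telemetry, not a real advisory feed).
AUTHORIZED = {"app-core": {"alice", "bob"}}                  # baselined team members per repo
BOM = {"app-core": {"example-agent": "2.1.0", "net-lib": "1.4.3"}}  # baselined dependencies
ADVISORIES = [  # CVE id from the post, component name and versions are constructed
    {"cve": "CVE-2020-10148", "component": "example-agent", "versions": {"2.1.0", "2.1.1"}},
]
EVENTS = [  # ordered source-control audit events (constructed)
    {"ts": 1, "type": "commit", "repo": "app-core", "author": "alice"},
    {"ts": 2, "type": "commit", "repo": "app-core", "author": "mallory"},
    {"ts": 3, "type": "visibility", "repo": "app-core", "old": "private", "new": "public"},
]

def detect_events(events, authorized):
    """Per-event findings: commits by non-baselined authors and private->public flips."""
    findings = []
    for e in events:
        if e["type"] == "commit" and e["author"] not in authorized.get(e["repo"], set()):
            findings.append({"ts": e["ts"], "repo": e["repo"], "kind": "unauthorized_commit"})
        elif e["type"] == "visibility" and (e["old"], e["new"]) == ("private", "public"):
            findings.append({"ts": e["ts"], "repo": e["repo"], "kind": "repo_made_public"})
    return findings

def map_advisories(bom, advisories):
    """Map published CVEs onto every repo whose BOM pins an affected component version."""
    hits = []
    for repo, deps in bom.items():
        for adv in advisories:
            if deps.get(adv["component"]) in adv["versions"]:
                hits.append({"repo": repo, "kind": "known_vuln", "cve": adv["cve"]})
    return hits

def risky_combinations(findings, window=10):
    """Flag repos where an unauthorized commit is followed by public exposure within `window`."""
    commits = defaultdict(list)
    for f in findings:
        if f["kind"] == "unauthorized_commit":
            commits[f["repo"]].append(f["ts"])
    combos = []
    for f in findings:
        if f["kind"] == "repo_made_public" and any(
            0 <= f["ts"] - t <= window for t in commits[f["repo"]]
        ):
            combos.append(f["repo"])
    return combos

if __name__ == "__main__":
    found = detect_events(EVENTS, AUTHORIZED)
    print(found, map_advisories(BOM, ADVISORIES), risky_combinations(found))
```

Each individual finding is a single alert a human can act on; the `risky_combinations` pass is the historical correlation the post describes, raising a higher-priority signal only when the events occur together on one repository.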