Debate intensifies over effective strategies for addressing software weaknesses introduced through supply-chain attacks
In a recent development, SonarSource, a leading company in the software development industry, has recommended that all project owners who depend on the Squirrel engine rebuild the latest version of Squirrel from source code. The recommendation comes after researchers at SonarSource discovered a vulnerability in the Squirrel engine that allows attackers to bypass sandbox restrictions and execute arbitrary code within the SquirrelVM.
This vulnerability could potentially be exploited to embed backdoors in community content distributed via the Steam workshop, posing a significant threat to video games and cloud services that use SquirrelLang, such as Counter-Strike: Global Offensive. The game utilizes the Squirrel Engine for custom game modes and maps.
The discovery of this vulnerability follows a series of high-profile cyber attacks, including the SolarWinds Orion incident in 2020, where a backdoor was installed, exposing thousands of customers to potential downstream attacks. A study released in July 2021 from Venafi suggests that future attacks will likely use similar techniques.
The software development community is grappling with the lifecycle question of mean time to remediate: processes to detect vulnerabilities are often aimed at production environments, and patching runtime environments is costly. A better approach, according to Om Moolchandani, CTO, CISO and co-founder of Accurics, is to detect vulnerabilities in the design and development phase and use automation to remediate flaws.
The responsibility for creating and implementing an automated system to detect security vulnerabilities in the software development phase primarily lies with the company's security teams and IT specialists who manage vulnerability management processes. These teams use automated code-analysis tools and vulnerability scanners to identify and mitigate weaknesses before software or platforms are deployed for use by the company.
However, there is disagreement over whether security teams or DevOps teams are responsible for detecting and mitigating security flaws during the software development process. Mitchell Schneider, Gartner principal research analyst, notes that there is a significant public relations benefit (or harm) in being seen as proactive or lagging in responding to vulnerabilities that are brought to a company's attention.
The issue of when companies have the obligation to notify customers of a potential vulnerability was raised by the Kaseya ransomware attack in 2021. Gartner has developed guidance around notification, including providing clear details on any workarounds/configuration changes that can be put in place before a patch is available.
Corporate stakeholders want to understand the risk calculus of their technology stacks, answering the question of whether they are a potential target. Kevin Bocek, VP of security strategy and threat intelligence at Venafi, stated that the only way to reduce risks is to improve the security of the development pipeline and the software it delivers.
Sixty-nine percent of developers believe the developer is responsible for the security of software build environments, while 67% of security respondents say it is their responsibility. The Venafi study further reveals that four in five respondents are not completely confident in their organization's ability to protect against attacks targeting the software build.
In the case of the Squirrel vulnerability, SonarSource sent details of the vulnerability to the Squirrel GitHub repository in August, but as of the date the blog was published, the commit had not been included in a new, stable release of Squirrel. This underscores the need for improved communication and collaboration between developers, security teams, and IT specialists to ensure the security of software development projects.