Cyber Security Articles


What This Cyber Security Articles Page Is About

The goal of Journal of Cyber Policy is to provide commentary and stimulate conversations about important cyber security topics. Our parallel goal is to discuss cyber issues in plain English, liberating this critical subject from the exclusive realm of specialized engineers and hackers. Throughout, we try to talk about cyber security and related issues from the perspectives of public policy, national security, corporate policy and compliance.

 

Why Articles about Cyber Security Matter

We are living in an era where digital technology dominates so much of our lives. Digital risk naturally accompanies this reality. Smartphones, the IoT, the Internet and so forth make our lives easier, but they also expose us to threats. Some of these threats come from nation state actors. We believe Americans could be better-informed about these risks. And, while there’s certainly no lack of content online about cyberthreats, room still exists for cyber security articles that integrate the subject’s diverse themes of technology, politics and business.

For example, Russian disinformation and Chinese espionage are not new, but today’s digital landscape makes these familiar tactics deadly, in political terms. The Cold War was largely analog in nature, with offensive campaigns quite limited in scope and impact. While Cold War dynamics may survive today, they are having a radically different effect on American society and politics than anything that came before.

It can be tricky to tease out the differences between today and a generation ago. American politics and governance have always been messy, dishonest and idiotic, but there were at least some fact-based controls on it. This is no longer the case. Our enemies are exploiting this new reality. In some cases, they’ve created this new reality.

We see the impacts of these new measures, but leaders across the government and business sectors generally fail to understand the transformative nature of technology, e.g. Amazon is not just a bigger mail order store; the iPhone is not just a phone with fancy features, and so forth. These cognitive gaps lead to deficiencies in the perception of risk. They enable our leaders to underestimate our enemies and how they can win without firing a shot. We also tend to overestimate our defenses and resiliency.

The digitization of society, commerce and politics renders America defenseless in ways that we are only beginning to understand. Digital transformation is a double-edged sword. America’s rush to digitize its economy and society produces as much risk as it does benefit. For example, we have to manage the tensions between mobility and surveillance, between big data and privacy, and so on.

The Topics We Cover in These Articles

We deal with a wide range of cyber security topics in these articles. Some discuss cyber election interference. Others look at geopolitical cyber risks, such as our recent series on Russian disinformation and “Active Measures.” We frequently check in on the state of enterprise architecture and cloud computing, seeking expert insights into the best practices and new security technologies that are influencing security policies in these areas of information technology. We cover the gamut of security subjects: malware, phishing, identity and access management (IAM), privileged access management (PAM), zero trust, data security, application security, secure DevOps (DevSecOps), red-blue teaming, automation, Security Orchestration, Automation and Response (SOAR), threat monitoring, incident response, intrusion detection, encryption, key management and on and on. Our cyber security articles look at compliance and government cybersecurity frameworks like the NIST CSF, GDPR, CCPA and more.

Hacking a Satellite: Harder Than It Looks?

The most recent DEF CON featured a demonstration of satellite hacking. In the Hack-a-Sat contest, which was organized by the US Air Force, teams of hackers were able to penetrate a cubesat called Moonlighter and bypass the satellite’s restrictions on the ground targets it can observe. The success of the hackers prompted the Office of the Director of National Intelligence, the FBI, the National Counterintelligence and Security Center, and the Air Force Office of Special Investigations to issue a warning about cyber risks facing satellites in orbit.

The excitement over the Hack-a-Sat contest puzzled me. More than a few space experts will tell you that space assets are vulnerable to cyberattack. Many satellites run on obsolete, unpatched technology. Why is it such a big deal for a team of hackers to take over a satellite? Isn’t that easy?

Even as I asked myself that question, I realized I wasn’t seeing the full picture. If hacking satellites is easy, and hackers can disrupt multi-million-dollar businesses by taking them over—and demanding ransoms to set them free—why is satellite hacking not an everyday occurrence? Satellite hacking is rare. Why?

The short answer is that hacking satellites is a lot harder than it looks. For more insight, I turned to Aaron Moore, CTO of QuSecure, the quantum security company. Moore has spent his career in space technology and space cybersecurity, with stints at Raytheon, Northrop Grumman, the NRO, and DARPA.


I asked Moore my basic question: Why haven’t more satellites been hacked if they are supposedly so vulnerable? For instance, if there are thousands of satellites in orbit, many with unencrypted data and obsolete software, why aren’t hundreds of them getting taken down by ransomware? It would seem that there’s a lot of money to be made in that kind of attack.

Moore replied that a ransomware attack on a satellite would be a very difficult thing to pull off. “For a number of reasons, it’s not really an ideal target for ransomware,” he said. “There’s not a lot of persistent data that remains on a vehicle itself, so there isn’t much to hold hostage.”

Aaron Moore, CTO of QuSecure

Instead, Moore suggested, a hacker might do better trying to get into a satellite’s command control (C2) system. “They could lock it up, making the satellite useless,” he said. “But, there are a lot of barriers to that, too. The waveforms and protocols that are being used to communicate to the vehicle itself and its payloads are usually segmented from the C2 system on the platform. In fact, a lot of satellites have two separate C2 systems: one for the satellite and one for the payload. It makes hacking a lot more complicated to pull off.”

He went on, saying, “You’ve got an executive on the platform, which you can think of as an operating system. They used to be much less robust. They were really only for the functions necessary to communicate directly to the hardware or the satellite platform. Your ability to have functions in an operating system was very limited. It was therefore quite a small attack surface. The instruction sets themselves are custom in a lot of cases, especially for sensitive satellites.”


This customization of instruction sets makes satellites hard to hack with “off the shelf” hacker tools, which are designed for mass market operating systems and applications. For instance, hackers have developed many tools to take over Linux and Windows servers, but these tools are not readily adaptable to custom instruction sets on satellites. Most satellites are not running Windows or Linux. Rather, they run real time operating systems (RTOS’s). A hacker would have to create specialized tools for an attack, a difficulty that deters a lot of malicious actors from trying to hack satellites.

Regarding data on satellites, Moore said, “The problem with the older satellites, of course, is that they used older modes of encryption. So yes, it’s very feasible to get into that. But then you’re talking about sophisticated hacking that would require breaking encryption. Now, some satellites don’t have any encryption, and that’s a problem obviously. But then the data on them is perishable. It’s in formats that usually don’t allow them to be easily interpreted.”


At the same time, Moore warned, as satellites modernize, they are starting to carry more standard IT assets like X86 servers and commercial database software, which are vulnerable to standard hacking techniques. Not that it would be easy, exactly, as he explained. An attacker still has to establish communication with a satellite, which might require hacking a ground station that is, itself, “air-gapped” from publicly accessible networks. “Anything can be hacked,” he said, “but each countermeasure adds to an overall defense that’s hard to penetrate.”

The use of data diodes is a further obstacle to satellite hacking. A data diode is a hardware appliance with a data transmitter on one end and receiver on the other. As Moore explained, with a data diode, data does not flow in two directions. It flows in one, “so you can push data from a secure environment down to a low-security environment or up to a highly secure environment, but there’s no communications between the two,” Moore pointed out. “That means it’s impossible for a ransomware attack to succeed because a malware agent cannot establish bidirectional communications. This is one of the biggest advantages within the satellite architecture.”

Does Moore worry about any aspect of satellite cybersecurity? Yes: he is concerned about a supply chain attack. Though he admits the bar for such an attack is quite high, if malicious actors can implant malware into a satellite’s code at the development stage, a lot of bad outcomes are possible.


He is also concerned about physical (kinetic) attacks on satellites, as well as denial of service (DoS) attacks. In his view, the latter is basically electronic warfare, e.g., jamming. “If you look at a satellite signal coming down,” he said, “in terms of power, which is regulated, at least by our government, you don’t get a lot of power hitting the ground. It doesn’t take a lot to jam that signal.”

I then asked Moore what he would do if I were a “moustache twirling villain” who wanted to hire him to hack a satellite. Who would he hire to do the deed?

He replied, “I would get people who have built satellite payloads before, people who understand normal satellite office communications and satellite bus communications. I’d get people who were very familiar with vulnerabilities with runtime RTOS’s, as well as folks who were very savvy with electronic warfare as delivery mechanisms.”

The question, then, is whether people with such skills might be tempted to go to work for the bad guys…

Even Cybersecurity Experts Get Scammed

By John Wilson

 

Realizing a cybercriminal has used your personal information to attempt fraud is like a punch in the gut.

 

I’ve spent my career working to stop scammers in their tracks and educating businesses and individuals alike on how to protect themselves. Now I’ve become a victim myself. I feel violated and vulnerable.

 

My job as senior fellow for threat research at Fortra is to track down fraudsters, figure out how they’re running their schemes, and help the authorities shut them down. From common scams to well-coordinated campaigns sponsored by foreign countries, I’ve seen enough in my career to make your head spin.

 

The Situation: Legitimate or Scam?

Here’s how it began. A few months back, I received a voicemail from a random number. The caller, Amy, said she was with the fraud team at a bank where I no longer have an account, and had received an application for a credit card. They’d had to deny it because the address information was incorrect, and I needed to call in to discuss the situation.

 

The whole thing felt dicey. Why would I receive a call from the fraud department of a bank that I hadn’t done business with in several years?

 

On the other hand, I knew this type of swindle was commonplace. I hadn’t applied for a credit card, and I couldn’t tell offhand if the call was legitimate. One way or another, I knew some low-life had all my information. They’d probably only paid a few bucks for it too.

 

Taking Action

As I always tell anyone who will listen to me, the first step toward looking into potential fraud is to find the phone number to call using a second avenue of verification in case it’s a phishing or vishing (voice phishing) scam. Never call the number given in the voicemail or email. You can use your physical card or the institution’s website to find the right one.

 

I found the bank’s fraud reporting webpage. The number I’d been given was nowhere to be seen. Suspicious. I did, however, have a close contact in the bank’s fraud detection department who I’ve worked with professionally for many years. So, I called him.

 

“Believe it or not,” he said after I’d filled him in, “The call you got was legitimate. It came from our fraud team, and someone did try to open a credit card in your name.” (Here’s where I must recommend that organizations should promote their fraud reporting phone number front and center on their website!)

 

My next step was to write to the bank to request a copy of the application the scammers submitted, something anyone can do under the Fair and Accurate Credit Transactions Act of 2003 Provision 151. Sure enough, the perpetrator had it all—my name, birthdate, social security number, email address and phone number—just not my actual mailing address. They’d used one across the country, which is why the application didn’t go through. To be fair, I’m sure they had my home address as well, but sending a new credit card to my home address wasn’t part of their plan.

After doing a little digging, I found that the building the scammer listed actually exists, and my guess is the criminal has acquired a master key to the suite of apartments there to retrieve incoming mail related to these schemes.

I reached out to one of my FBI contacts, and he told me they’d received several reports of attempted credit card fraud at that same address. Case solved, suspect arrested, tried, and convicted in 60 minutes including commercials. Well, not exactly. This is the real world, and the FBI doesn’t have the bandwidth to investigate every would-be identity theft.

Credit Freezes Are Critical: Get Them in Place Pronto

My bank urged me to freeze my credit reports immediately, which I did. This is important to prevent scammers from using your information to take out mortgages, apply for loans, or establish bank accounts or credit cards in your name. Once they do, they will destroy your credit. The sad part is, if I’d simply followed my own advice, the identity thief would have been stopped dead in their tracks during the application process and I likely wouldn’t have ever received the call that started this whole story. Do as I say, not as I did!

 

By law, you can request a free copy of your credit reports every year from each of the three bureaus (Equifax, Experian and TransUnion). You have to call each agency individually, and they’ll either let you select a PIN or assign one to you. Then it will be your job to remember the PIN to unlock your credit when you need to have it checked for any reason.

 

The Messy Truth: Our Personal Information Is Already Out There

As a cybersecurity professional, I know how easy it is for threat actors to purchase “Fullz,” full sets of personally identifiable information (PII). They can get thousands of records as easily as buying milk at the store. It’s just a matter of time before each of our tickets gets pulled and someone decides to act on the information to wreck our good names.

 

What I didn’t know though, was how I’d feel about it when it happened. And I was ticked. That’s the G-rated version of how I actually felt.

 

I was also concerned about the impact of this application on my credit score. Fortunately, when I contacted the credit bureaus, they used the proof of fraud to remove the “hard inquiry” from my reports, so it won’t affect my scores.

 

My best guess is this resulted from the Equifax breach of 2017, when sensitive data was exposed for 147 million people. I’m lucky the bank denied the application. Had they not, I wouldn’t have frozen my credit, and the scammer could have applied for 20 different cards in my name. Some may even have been approved, and I wouldn’t have known until I defaulted on paying for something I’d never had anything to do with in the first place.

 

Resources for Reporting Fraud

If you find yourself in a similar situation, contact the Federal Trade Commission or the FBI’s Internet Crime Complaint Center, IC3. Depending on the nature of the theft, you may also want to involve your local authorities.

 

About the Author

John Wilson is a Senior Fellow, Threat Research at Fortra.

Akamai Blocks a Doozie of a DDoS Attack

Akamai, which runs a massive content distribution network (CDN), is ideally situated to observe and react to cyberattacks. It operates hundreds of thousands of points of presence all around the world and can therefore detect trouble before anyone else even knows there’s a problem. So it was on September 5, when Akamai observed and thwarted a massive distributed denial-of-service (DDoS) attack targeting a large American financial institution. (Disclosure: I previously worked as a contract writer for Akamai.)

As Akamai explained, there is usually only a small amount of legitimate traffic coming to this company’s site from within the United States. However, in just two minutes, the target was on the receiving end of 633.7 gigabits of traffic per second (Gbps) and 55.1 million packets per second (Mpps) from all over the world. Sources included Bulgaria, Brazil, China, India, Thailand, Russia, Ukraine, Vietnam, and Japan.

Akamai’s Prolexic DDoS defense platform blocked ACK, PUSH, RESET, and SYN flood attack vectors. The attack was directed at the target’s main web landing page; the likely intent was to disrupt its online banking. With Akamai’s intervention, the incident neither harmed nor disrupted services. Had Prolexic not been functioning, the attack would probably have halted the company’s operations for a period of time. DDoS attacks are also often a smokescreen for implanting malware, so the target likely avoided that fate as well.
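Akamai’s report names the four flood vectors but not how a defender sees them in traffic. The following is an added example, not Akamai’s or Prolexic’s code: it classifies constructed packet records into those vectors, counts packets per second for each, and raises an alert when a vector exceeds an assumed threshold (a real deployment derives that threshold from the destination’s measured baseline). It also derives the average packet size implied by the reported 633.7 Gbps and 55.1 Mpps.

```python
"""Per-second TCP flag-vector rate check over constructed packet records.

Added example, not Akamai's or Prolexic's code. The packet records and the
alert threshold are constructed for illustration; a real deployment derives
the threshold from the destination's measured baseline.
"""
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple


@dataclass(frozen=True)
class Packet:
    second: int   # capture timestamp truncated to the second
    src: str      # source address
    flags: str    # TCP flags, e.g. "SYN", "PSH|ACK", "RST"


@dataclass(frozen=True)
class Alert:
    second: int
    vector: str
    pps: int
    distinct_sources: int


def flag_vector(flags: str) -> str:
    """Map a flag combination to one of the vectors named in the report."""
    f = set(flags.split("|"))
    if "RST" in f:
        return "RESET"
    if "SYN" in f and "ACK" not in f:
        return "SYN"
    if "PSH" in f:
        return "PUSH"
    if "ACK" in f:
        return "ACK"
    return "OTHER"


def detect(packets: List[Packet], threshold_pps: int = 50) -> List[Alert]:
    """Raise one alert per (second, vector) whose packet rate exceeds the threshold."""
    counts: Dict[Tuple[int, str], int] = defaultdict(int)
    sources: Dict[Tuple[int, str], Set[str]] = defaultdict(set)
    for p in packets:
        key = (p.second, flag_vector(p.flags))
        counts[key] += 1
        sources[key].add(p.src)
    return [Alert(sec, vec, n, len(sources[(sec, vec)]))
            for (sec, vec), n in sorted(counts.items()) if n > threshold_pps]


def avg_packet_bytes(gbps: float, mpps: float) -> float:
    """Average packet size implied by a bit rate and a packet rate."""
    return gbps * 1e9 / 8 / (mpps * 1e6)


def build_sample() -> List[Packet]:
    """Constructed capture: five quiet seconds, then two seconds of SYN flood
    from many distinct TEST-NET addresses (RFC 5737)."""
    pkts: List[Packet] = []
    for sec in range(5):
        for i in range(3):
            pkts.append(Packet(sec, f"198.51.100.{i}", "SYN" if i == 0 else "PSH|ACK"))
    for sec in (5, 6):
        for i in range(200):
            pkts.append(Packet(sec, f"203.0.113.{i}", "SYN"))
    return pkts


if __name__ == "__main__":
    for a in detect(build_sample()):
        print(f"t={a.second}s {a.vector} flood: {a.pps} pps from {a.distinct_sources} sources")
    print(f"reported attack averaged {avg_packet_bytes(633.7, 55.1):.0f} bytes per packet")
```

The distinct-source count is what separates a flood from a single misbehaving client: the same packet rate from one address is a different incident, with a different mitigation, than the same rate spread over hundreds of addresses. The implied average packet size (about 1,438 bytes, close to an Ethernet MTU) tells the defender this was a bandwidth-oriented flood rather than a small-packet, packet-rate-oriented one.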

This incident is a reminder of how potent and commonplace DDoS attacks have become. They may not be fancy or technologically interesting, but they are potentially devastating. Financial services, in particular, remains a popular target. Nearly a third of the DDoS attacks detected by Akamai have targeted financial services firms. Akamai stated, “Financial institutions are a key pillar of an economy, and targeting such businesses often has a larger impact on the overall economy.”

Akamai’s report on the attack also revealed some interesting facts about the DDoS trend. It turns out that Bulgaria, of all places, is the number one source of DDoS traffic, clocking in at 999.56 gigabytes in a 24-hour period.

Industry experts warned that DDoS should be a concern for everyone, however. According to Emily Phelps, Director, Cyware, “While financial institutions should pay close attention to the escalating attacks aimed at banks, enterprises across all sectors should take notice and ensure they have appropriate protections in place. Threat actors are not loyal to hitting one particular industry if the opportunity presents itself elsewhere. As DDoS attacks grow in scale and frequency, organizations must adopt more proactive measures to safeguard against such threats. Enterprises should regularly evaluate their risks and vulnerabilities and stay updated on the latest DDoS tactics, updating their defenses accordingly.”

Dave Ratner, CEO, HYAS, weighed in as well, saying, “The attack highlights that a chain is only as strong as its weakest link — in this case, one user likely following a malicious link amongst the hundreds that were delivered. Even the smartest of professionals will occasionally make mistakes or be fooled. It has never been clearer that Protective DNS solutions, capable of catching that mistake when a user clicks on a nefarious link, are required as part of a defense-in-depth strategy.”

Akamai concluded its report with guidance on minimizing DDoS risks. Suggestions included reviewing CISA recommendations and reviewing critical subnets and IP spaces to ensure that mitigation controls are in place. It was a reminder that while DDoS attacks are very serious, they can also be mitigated if targets take appropriate steps.

 

Guardz: Defending the “Underdog” Against Cyber Threats

by Noam Taylor

I recently sat down to talk with Dor Eisner, CEO and Co-Founder of Guardz, a company dedicated to defending small to medium-sized enterprises (SMEs) from cyber threats. Like many of his peers in Israel’s cybersecurity sector, Eisner previously served as a commander in the IDF cyber unit 8200. He has also worked with the government as a cybersecurity expert. Eisner and his partners launched Guardz in 2022.

Dor Eisner, Co-Founder and CEO of Guardz

“Our mission at Guardz is to help the ‘underdog’,” explained Eisner. “We generate solutions designed to fortify small businesses that often lack the cyber resources of corporate giants. Guardz steps in with strategies that allow them to thrive in the turbulent waves of today’s cyber world.” Guardz provides 360-degree analysis and attack response for its small business customers, as well as for managed security providers (MSPs) that also serve this segment of the market. Guardz also provides its clients with an agency service that connects them with cyber insurance platforms that know and trust Guardz.

Guardz is gaining traction in the market because small businesses usually do not have personnel at the ready to respond to cyberattacks. If all they receive is an alert that something is amiss or that malware has been detected, they may have no real ability to respond to it. Guardz offers a solution. Instead of merely monitoring a network and notifying clients about irregularities, Guardz does some of the incident response for them.

For example, if an American SME has an employee logging in from an offshore location and it turns out to be a phishing attack, Guardz will block access to the attacker. This is a fundamental pillar of its solution for small businesses, which tend to lack the resources to respond on their own. According to Eisner, “Larger enterprises are commonly equipped to deal with the attacks, but our clients aren’t. We are democratizing cyber protection for everyone in the market.”

Eisner went on to explain that IT cybersecurity is more complex than OT (operational technology) cybersecurity. “The IT systems that Guardz is responsible for are fluid, with a lot more going on than in manufacturing. In an OT setting, there isn’t as much connection to the internet and things are more monotonous,” he said. He added that, with IT, the overall picture and the macro synchronizing of systems is key to a successful security strategy. This isn’t necessarily the case in the world of OT cybersecurity, where the systems are more focused on micro functioning and product output.

At Eisner’s direction, Guardz offers some views of the Dark Web, where cyber criminals hang out to buy and sell stolen information. In his view, the Dark Web began to change a couple of years ago. Instead of simply selling information to each other, hackers began offering cyber tools to junior criminals. “This creates a very dangerous scenario for the field of cybersecurity,” he said. “Both the ubiquitousness of these tools and the level of sophistication contribute to this new challenge.”

Eisner also discussed the evolving role of artificial intelligence (AI) in the cyber universe. According to Eisner, AI has completely shaken the status quo of cybersecurity. With AI, there is open access to sophisticated tools that were once used exclusively by veteran hackers. As he put it, “AI is democratizing the cyber criminal world. But also, it is helping the defenders.”

For instance, Eisner said, “If you ask ChatGPT for a list of different ‘phishing attack’ approaches, you might get something like a hundred.” This attests to the evolution and growth of hacker techniques, but it also reveals how AI enables defenders to identify threats. Eisner is convinced that AI’s role in cybersecurity will only continue to grow in the coming years.

The Cybersecurity Conundrum

By Christoph Nagy, CEO, SecurityBridge

A conundrum persists in the cybersecurity industry: why do cybersecurity risks forever multiply while skilled professionals remain in short supply? It sounds like an enigmatic statement the Riddler would use to pose a question to Batman. But in reality, the lack of cybersecurity professionals is a real and growing issue.

According to the US Bureau of Labor Statistics, “Employment of information security analysts is projected to grow 35 percent from 2021 to 2031, much faster than the average for all occupations. About 19,500 openings for information security analysts are projected each year, on average, over the decade.” And Statista reports that “As of February 2023, there were 755,743 cybersecurity job openings in the United States.” California had the highest number of job openings, with 81,584 open positions in cybersecurity-related fields. Given these facts, high school guidance counselors should consider cybersecurity the best career option for students.

In some ways, it seems that the industry is making it more difficult to become a cybersecurity professional by introducing a constant flow of new regulations such as the Payment Card Industry Data Security Standard (PCI DSS), Health Insurance Portability and Accountability Act (HIPAA), Federal Information Security Management Act (FISMA), Sarbanes-Oxley Act (SOX), and the EU’s General Data Protection Regulation (GDPR). The conundrum is exacerbated when security specialists are required for specific business process systems such as SAP.

SAP systems are being used by 99 of the Fortune 100 companies and have over 280 million Cloud subscribers throughout the world. Organizations typically operate their SAP ERP systems next to an SAP SRM and an SAP HCM environment, while existing SAP implementations are constantly moving to the cloud. Companies rely on a hybrid-cloud architecture to maintain the flexibility required for each environment. The ERP environment operates with the “RISE with SAP” model. The other two SAP environments work at a hyper-scaler, while only the SAP HCM has been shifted to the cloud thus far. The internal SAP team will still be responsible for managing these. Given this enormous footprint and all the data at stake—it boggles the mind to think that SAP cybersecurity experts are not only rare but simply unavailable to hire.

Organizations keep expanding even as they lose track of the complexity of their environments. Using hyper-scalers and SaaS models, and combining them with on-premise systems, requires new cybersecurity expertise, and IT professionals are put under additional strain to handle these situations. For organizations that feel comfortable with their cybersecurity protection and trained IT professionals, I suggest reading the NTT Security Holdings 2022 Global Threat Intelligence Report; it is a wake-up call to those who think their systems are secure.

There’s No Shame In Needing Assistance–A Piece of Advice

First and foremost, organizations must take ownership and introduce a cybersecurity strategy that embeds the protection of critical SAP applications with Patch Management, Vulnerability Detection, and even Vulnerability Remediation or Threat Monitoring. Organizations lacking the in-house IT expertise to meet these criteria need to consider an SAP Managed Service Provider (MSP). MSPs fill the SAP IT gaps for companies and work on Service Level Agreements (SLAs) while using Key Performance Indicators (KPIs). In the specific case of managed SAP Security Services, the monitoring period (e.g., 24×7, 8×5), or the time elapsed until a detected incident is reported, serves as a criterion.

Specifically, SAP MSPs realize that any SAP attack surface is the sum of all possible entry points or attack vectors through which an unauthorized attacker can access a system or application. The smaller it is, the better it can be protected. In the SAP context, web-based access, for which the Internet Communication Manager (ICM) and the SAP Web Dispatcher are responsible, and the Internet Communication Framework (ICF) (via the SAP transaction SICF) should be particularly monitored and secured. Connecting via the RFC interface (Remote Function Calls) is also vulnerable and can cause data leaks to the outside world.

All exposed services (HTTP, HTTPS, SOAP, WebService, APIs) must be continuously evaluated and inventoried. Any system service that is not used or does not serve a specific SAP business scenario should be disabled to reduce the attack surface. SAP services that do not require authentication should be given special attention. In SAP, they are located in the /public/ namespace (found in transaction SICF). Services such as /public/system_info are the first port of call for attackers to gather information about the SAP system during the reconnaissance phase of an attack.
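The two preceding paragraphs describe the review an SAP MSP performs: inventory every exposed ICF service, deactivate anything not tied to a business scenario, and look hardest at unauthenticated services in the /public/ namespace. The following is an added example, not SecurityBridge’s or SAP’s code, that carries that review out over a constructed inventory. The record layout is an assumption standing in for an export of transaction SICF (SAP does not emit this exact format), and every path other than /public/system_info is constructed for the example.

```python
"""Attack-surface review of SAP ICF services from a constructed inventory.

Added example, not SecurityBridge's or SAP's code. The record layout below is
an assumption standing in for an export of transaction SICF; SAP does not
produce this exact format. Service paths other than /public/system_info are
constructed for the example.
"""
from dataclasses import dataclass, replace
from typing import Dict, List, Optional


@dataclass(frozen=True)
class IcfService:
    path: str                 # ICF node path as shown in SICF
    active: bool              # node activated (reachable over HTTP/HTTPS)
    requires_auth: bool       # handler enforces a logon before serving
    scenario: Optional[str]   # business scenario that justifies it, or None


@dataclass(frozen=True)
class Finding:
    path: str
    severity: str             # "high" or "medium"
    reason: str


SEVERITY_ORDER: Dict[str, int] = {"high": 0, "medium": 1}

# Constructed sample inventory. Activation flags and scenario mappings are made
# up; only /public/system_info is a path named in the article.
INVENTORY: List[IcfService] = [
    IcfService("/sap/bc/gui/sap/its/webgui", True, True, "SAP GUI for HTML"),
    IcfService("/sap/bc/soap/rfc", True, True, "partner integration (RFC over SOAP)"),
    IcfService("/sap/bc/legacy_report", True, True, None),               # constructed
    IcfService("/public/system_info", True, False, None),
    IcfService("/public/legacy_status", True, False, None),              # constructed
    IcfService("/sap/bc/webdynpro/sap/old_demo", False, False, None),    # constructed, inactive
]


def audit(inventory: List[IcfService]) -> List[Finding]:
    """Flag active services that widen the attack surface without a business reason."""
    findings: List[Finding] = []
    for svc in inventory:
        if not svc.active:
            continue  # inactive nodes are not reachable and need no action
        if svc.scenario is None:
            findings.append(Finding(svc.path, "high",
                            "active but mapped to no business scenario: deactivate"))
        if "/public/" in svc.path and not svc.requires_auth:
            findings.append(Finding(svc.path, "medium",
                            "unauthenticated /public/ service discloses system details: "
                            "confirm the need, otherwise deactivate"))
    return sorted(findings, key=lambda f: (SEVERITY_ORDER[f.severity], f.path))


def summarize(findings: List[Finding]) -> Dict[str, int]:
    """Count findings per severity for the report to the service owner."""
    counts: Dict[str, int] = {}
    for f in findings:
        counts[f.severity] = counts.get(f.severity, 0) + 1
    return counts


def exposed_count(inventory: List[IcfService]) -> int:
    """Size of the exposed surface: number of active ICF nodes."""
    return sum(1 for svc in inventory if svc.active)


def harden(inventory: List[IcfService]) -> List[IcfService]:
    """Return the inventory with every unmapped active service deactivated."""
    return [replace(svc, active=False) if svc.active and svc.scenario is None else svc
            for svc in inventory]


if __name__ == "__main__":
    for f in audit(INVENTORY):
        print(f"{f.severity:6} {f.path}: {f.reason}")
    print("active before:", exposed_count(INVENTORY),
          "after:", exposed_count(harden(INVENTORY)))
```

The scenario column is the part of this review that no tool can fill in: it has to come from the business owners, and a service nobody claims is exactly the service to deactivate. Re-running `audit` over the hardened inventory returning nothing is the check that the review is complete.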

Conclusion

There is no superhero coming to take ownership of your cybersecurity enigma. If you think that out-of-the-box SAP cybersecurity is enough—think again. According to the University of North Georgia, “Since 2013, 3,809,448 records have been stolen from breaches every day. 158,727 per hour, 2,645 per minute, and 44 every second of every day.”

SAP systems are among the world’s most interconnected data warehouses touching every part of an organization, and need special attention regarding cybersecurity. If a company lacks the in-house expertise to help mitigate risks, an SAP MSP is the next best resource. SAP MSPs bring a high level of cybersecurity acumen at a predictable cost.


Christoph Nagy has 20 years of working experience within the SAP industry. He has utilized this knowledge as a founding member and CEO of SecurityBridge, a global SAP security provider serving many of the world’s leading brands and now operating in the U.S. Through his efforts, the SecurityBridge Platform for SAP has become renowned as a strategic security solution for automated analysis of SAP security settings and real-time detection of cyber-attacks. Prior to SecurityBridge, Nagy applied his skills as an SAP technology consultant at Adidas and Audi.

The Founder’s Journey: A Conversation with Radiflow’s Ilan Barda

by Noam Taylor

Ilan Barda, Co-founder & CEO of Radiflow.

I recently had the opportunity to chat with Ilan Barda, CEO and founder of Radiflow, an operational technology (OT) cybersecurity company. We discussed his journey as a founder, from where he began to where he thinks the industry is heading.

Barda initially spent six years developing cybersecurity products in Unit 8200 of the Israel Defense Forces (IDF). After his service with the IDF, Barda worked at Nokia but left in 2009 after the company began to apply strategic changes that he thought were unsustainable.

He co-founded Radiflow in 2015. In the beginning, the company focused on helping industrial networks with communications. It provided large-scale companies with centralized management of extended, complex systems. Radiflow also assisted in engineering these systems and enabling them to operate with less friction.

However, although these services were successful and necessary, they weren’t providing Radiflow with the growth that the company needed. So, Radiflow soon expanded its product line and began providing OT cybersecurity solutions within the same industrial manufacturing market.

According to Barda, what sets Radiflow apart from most of its counterparts in OT cybersecurity is a focus on making clients aware of their overall “risk posture,” rather than just monitoring clients’ systems and scouting for any anomalies.

As Barda put it, “Many of our clients have a sort of tunneled focus on producing their products. They are often very unaware of their cyber weaknesses. We make sure they have a ‘bird's-eye’ view of their systems' flaws and are prepared to solve the problems that can occur, rather than just reacting to alerts about potential threats.”

He added, “Radiflow has even come across a few cases where the client’s leadership was operating under the assumption that their computer networks were airtight; when in reality they had exposed numerous off-network portals, some of which were even left by dead technicians. These unknown portals were just sitting there, ready to be taken advantage of by hackers.”

Barda explained that there are a few critical differences between OT and its sister field of information technology (IT) cybersecurity. First, with OT, one is fortifying complex industrial machinery, which requires a deep understanding of how the machines operate, as well as their various flaws. With IT, it’s just computer and software systems, so security requires no extra knowledge of how the machines’ engineering functions.

Also, in OT cybersecurity, there is a significant upside. Industrial manufacturing machines and the process of production are practically non-evolving. The machines are designed to do the same thing repetitively. This allows Radiflow to screen for anomalies on a flat and unmoving landscape. IT, in contrast, involves a cyber threat analysis process that is more fluid, as users can morph their activities significantly within the network. This makes detecting anomalies far more challenging.

Another serious distinction is found in the aftermath of a cyberattack. Breaches in an industrial environment cost manufacturers enormously as downtime results in lessened output. However, in IT, system downtime doesn’t usually cut into a company’s bottom line the same way, though there are some major exceptions to this rule. An outage is usually more of an annoyance than a significant loss with dollars and cents attached. To bring out the severity of this difference, Barda gave the example of pharmaceutical companies, where if a breach is discovered too late, an entire lot of much-needed medication could be disqualified based on concerns of safety and efficacy.

Aside from the vital but standard alerts and notifications, Radiflow designs attack simulations and tools that can better educate and prepare its customers for what may come. Barda said, “We make sure our clients have a tailor-made playbook that they can turn to in the event of a problem. It isn't as simple as having a good backup system, although any good security strategy does. You need a list of protocols and unique techniques to best survive an attack.” The backup systems that Radiflow provides its industrial clients are designed to make a seamless transfer without any extra time wasted on a system reboot.

I asked Barda what he would have done differently had he been offered a ride back in time. He explained that when Radiflow was transitioning to OT, he wishes they had moved more quickly. At the beginning stage of the switch, the company tried to juggle both the communications services and the cybersecurity. “We should have leaned completely into the cybersecurity at that stage,” he said.

Barda also feels his company may have been too conservative with its opportunities at the beginning. Radiflow was very selective with whom and where they did business. He said, “It’s hard to know for sure, but it may be that we missed some growth due to our overly risk-averse strategy.”

Finally, Barda shared what was coming down the pike in the field of OT cybersecurity. He shared, “The first generation of corporations to deal with cyber threats were slow to understand the importance and necessity of cyber protection. They soon learned their lesson, though. And, at present, there is a general understanding that you must be protected. This has completely shifted the playing field. Because the market has recognized the need for real security measures, everything from attackers’ techniques to cybersecurity has leveled up. A world with higher walls means hackers must learn to jump higher.”

Noam Taylor is a freelance reporter for The Journal of Cyber Policy

A Conversation with Salvador Technologies’ Oleg Vusiker

by Noam Taylor

I spoke recently with Oleg Vusiker, CEO and Co-Founder of Salvador Technologies, which specializes in OT (Operational Technology) cybersecurity solutions. He shared his company’s goals and innovations, opening a window into a new approach to cyber defense.

Before launching Salvador Technologies, Vusiker spent 10 years in the Israel Defense Forces' Unit 8200, its elite cybersecurity unit. This experience led Vusiker to the main insight that distinguishes Salvador Technologies from the old world of cybersecurity. He realized that the simple and terrifying reality of cybersecurity today is that the attackers will always get in. Once an attack is under way, it is no longer a matter of if but of when systems start malfunctioning as the malware takes them over.

What follows is that the cyber defense solution can’t focus on prevention, but rather must focus on support and backup in the aftermath of a breach. The objective is to regenerate a system and have it up and running moments after a hacker breaks through the defenses.

Oleg Vusiker

Salvador Technologies applies this principle to OT, which refers to systems that operate large-scale manufacturing, power systems, healthcare and other systems that cannot go offline for even a few minutes. The main factor that separates the field of OT from IT (Information Technology) is that OT systems are old and often manual. This creates a sort of ironic situation where a cyber attacker's first path towards penetrating a computer system is actually the “back door,” the backup system.

“OT backups are commonly older and can even be operating on old versions of Windows,” explained Vusiker. “Besides that, these long-outdated backups are frequently unmonitored, which leaves the hackers to do as they please, undetected—tackling these colossal and lumbering systems to the ground. By the time anyone smells smoke, so to speak, it is far too late.”

Salvador Technologies offers an innovative set of solutions to this risk. First, their goal is to replenish and save a system once it is attacked. To make this work, Vusiker posited that a good rule of thumb is to follow the 3-2-1 principle: 3 copies, at 2 locations, with 1 copy offline.

The Salvador Technologies' backup system, which is separated from the client's system, runs for all of its clients across the world. Vusiker added, “As the famous adage goes, ‘Don't put all your eggs in one basket.’ The outcome? When the viruses come, and systems begin to fall apart, it's only a matter of minutes before things are up and running again. This prevents serious and possibly irreversible losses.”

Vusiker shared a story about an industrial chemical plant that suffered a catastrophic cyber breach, but due to Salvador Technologies' solutions, their system was replaced within moments of the attack. This saved the chemical plant from serious losses, as they were able to continue production as usual, almost as if nothing had gone wrong.

The main product that Salvador Technologies offers is an edge-site cyber response system. Essentially, every computer is individually monitored and guarded, with backups on a more atomized scale. This version is great for smaller networks, but they hope to introduce a more extensive system for the larger networks their clients operate. The new product would be a centralized version of Salvador Technologies' already successful cyber-attack prevention and recovery system. Salvador Technologies is one of the first in the world to present this kind of centralized solution.

Another tool that Salvador Technologies uses to help its clients is their patented “Air Gap” cyber-attack prevention arrangement. An “Air Gap” maintains a complete separation between systems, preventing a hacker from making his way further into a company's vital operating system. This approach is useful, given that it is common for hackers to enter through the unmonitored backup system. With an air gap in place, if a hacker has already penetrated a company's backup system, he cannot continue forward into the core operating structure.

Salvador Technologies also provides customers with constant threat and virus detection. They monitor their vast industrial operating systems and provide constant updates on possible and incoming problems.

I asked Vusiker what he thought was approaching in the realm of cyber security in the future. His response was that aside from the advancements in hacker skill and technique, what looms in the future as a major challenge to his field is the application of artificial intelligence (AI).

When a hacker uses AI, he doesn't just get smarter; he can use the AI as a tool during the process of hacking itself. According to Vusiker, AI tools can change their encryption during a cyber-attack, making it much more difficult to thwart the breach. Due to the challenges posed by AI, tomorrow's cyber-attack prevention is becoming a wholly different task, with new and evolving difficulties. Salvador Technologies' forward thinking puts them on track to be prepared for what's coming.

Noam Taylor is a freelance reporter for The Journal of Cyber Policy

The Underappreciated Criticality of Memory Safety

Memory safety is having a moment. Last Friday, the White House Office of the National Cyber Director (ONCD), in partnership with CISA, the National Science Foundation, DARPA, and the OMB, announced a request for information on the development of memory-safe languages and more secure techniques of developing software.

The project’s origins rest with the notorious Log4j exploit, which threatened millions of software programs around the world. In addition, rising tensions with China are causing increased (and long overdue, in my view) concerns about the vulnerability of American critical infrastructure and military systems to sophisticated cyberattacks.

Last month, The New York Times revealed that the US Military was actively hunting for Chinese malware that could incapacitate its operations. Then, last Saturday, at Def Con, CISA Director Jen Easterly sounded the alarm that China may attack critical infrastructure in the US as part of a conflict in the Taiwan Straits. Memory safety, a relatively esoteric but nonetheless crucial area of cyber defense, plays a key role in mitigating these risks.

In a memory attack, a malicious actor compromises compiled software code when it’s active in a computer’s memory. There are a wide variety of memory attacks, but most exploit functions that allocate memory to software execution, such as “buffer overflows.” With control over the software in memory, that attacker can wreak havoc on a system and its data.
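
The buffer-overflow pattern mentioned above, as an added example that is not code from the article or from RunSafe Security: a fixed-size name buffer followed in memory by a privilege flag, with the classic unbounded copy shown beside a bounded replacement. The record layout, the 16-byte limit and every input string are constructed for illustration; the unbounded version is kept only to show the pattern and is never given oversize input here.

```c
#include <stdio.h>
#include <string.h>

/* Added example, not code from the article or from RunSafe Security: the
 * fixed-size buffer pattern behind classic memory-corruption bugs, shown
 * beside a bounded version. The record layout and all inputs are
 * constructed for illustration. */

#define NAME_LEN 16          /* bytes reserved for the name, terminator included */

/* The privilege flag sits right after the name buffer. With an unbounded
 * copy, bytes written past name[] land in is_admin: that is how a memory
 * bug turns into control over program behaviour. */
typedef struct {
    char name[NAME_LEN];
    int  is_admin;
} Session;

/* Vulnerable form: strcpy trusts the caller's length and writes until it
 * finds a NUL. Any source longer than NAME_LEN - 1 bytes overruns name[].
 * Kept only to show the pattern; it is never fed untrusted input here. */
void set_name_unsafe(Session *s, const char *src) {
    strcpy(s->name, src);
}

/* Hardened form: measure without reading past NAME_LEN bytes, refuse what
 * does not fit (silent truncation can change meaning, so it is rejected
 * rather than clipped), and always leave a terminator in place. */
int set_name_safe(Session *s, const char *src) {
    size_t n = 0;
    while (n < NAME_LEN && src[n] != '\0')
        n++;
    if (n >= NAME_LEN)
        return -1;               /* no room for the terminator */
    memcpy(s->name, src, n);
    s->name[n] = '\0';
    return 0;
}

/* Result of the bounded setter on a fresh session (for checks). */
int safe_set_result(const char *src) {
    Session s = { "", 0 };
    return set_name_safe(&s, src);
}

/* Returns 1 when an oversize name is refused and is_admin stays 0. */
int privilege_flag_intact(void) {
    Session s = { "", 0 };
    int rc_long  = set_name_safe(&s, "constructed-overlong-name");   /* 25 bytes */
    int rc_short = set_name_safe(&s, "operator");
    return rc_long == -1 && rc_short == 0
        && s.is_admin == 0 && strcmp(s.name, "operator") == 0;
}

int main(void) {
    Session s = { "", 0 };
    set_name_unsafe(&s, "guest");                  /* in bounds: no harm done */
    printf("unsafe setter, short input: name=%s is_admin=%d\n", s.name, s.is_admin);
    printf("safe setter, 25-byte input: rc=%d\n",
           safe_set_result("constructed-overlong-name"));
    printf("privilege flag intact: %d\n", privilege_flag_intact());
    return 0;
}
```

The design point is that the bounded version's contract is visible in its signature: it can fail, and callers have to handle that. A memory-safe language makes the equivalent of the first function impossible to write without an explicit unsafe escape hatch, which is what the guidance discussed below is driving at.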

According to Joe Saunders, Founder and CEO of RunSafe Security, a maker of cyber-hardening technology for embedded systems, devices and industrial control systems, “If you compromise software at the memory level, then you can take remote control of the execution of the software and do whatever you wish to do. You can exfiltrate data. You can even perpetrate a kinetic attack, such as crashing a vehicle. It's a big area of risk exposure, in national security terms.”

Joe Saunders

Microsoft and Google claim that memory-based vulnerabilities represent 70% or more of the vulnerabilities in software. And, while these attacks are difficult to execute, they are well within the capabilities of advanced hackers, especially ones backed by nation states. It certainly seems that the ONCD and CISA are worried about memory safety vulnerabilities when they talk about threats from China and others.

As Saunders further elaborated, memory-based vulnerabilities are inherent in the Linux operating system and in applications built on real-time operating systems (RTOSs), which are deployed across critical infrastructure. Older programming languages, such as C and C++, are particularly vulnerable.

To this point, NSA came out with guidance in November of 2022 that called for improved memory safety. The ONCD offered similar guidance in its National Cybersecurity Strategy in March of 2023. Both sets of guidance call for remediation of memory-based vulnerabilities. An emerging recommendation is to change software running government, military, and critical infrastructure systems from C and C++ to “memory safe” languages like Rust or Go.

This, of course, would be a total nightmare. One is reminded of the wonderful scene in Woody Allen’s 1971 film “Bananas,” when the power-drunk dictator, played by Carlos Montalban, declares that everyone in the nation of San Marcos must change their underwear twice a day. And, in order for the authorities to be able to enforce this new law, “everyone must wear their underwear on the outside.”

As Saunders explained, “Take a company like Schneider Electric. They can’t just rewrite their software in memory safe languages. Why? Because they have thousands of products. And, those products have 10 to 30-year lifespans. Yes, in theory, they can do it, but in reality, this is a multi-year project—and the risks are happening right now.”

RunSafe offers a solution which protects memory without requiring a software rewrite. If companies and government entities want to meet the goals set out by the NSA, CISA and others, they are going to need this kind of technology. Replacing software will take too long.

Photo by Sergei Starostin: https://www.pexels.com/photo/green-and-black-computer-ram-stick-6636474/

Rethinking the Software Supply Chain: From Box Checking to Getting Outside the Box

If you create software that runs medical devices, airplanes, or critical infrastructure, government regulations or industry rules will require you to submit a software bill of materials (BOM) that catalogues the components of your code. This process is necessary because the customer, as well as the regulator, want to be sure that your software does not contain vulnerabilities that create risk exposure.

For example, if your software includes an open-source component that has a known Common Vulnerabilities and Exposures (CVE) entry, an analysis of the BOM will reveal the presence of the CVE, triggering a remediation process. (The CVE program is managed by the MITRE Corporation.) This makes sense, because who wants a pacemaker or a passenger jet that's powered by malware?

The process sounds simple, and in theory, it is. In practice, securing the software supply chain is a challenging, largely deficient process. For many, it can be an exercise in box checking. Submitted the BOM? Check. Flagged any CVEs? Check. Done, right? Maybe not…

According to JC Herz, Co-Founder and CEO of Ion Channel, the maker of a software supply chain risk management platform, the software supply chain risk assessment process needs to go a lot deeper than just identifying CVEs. Ion Channel was acquired by Exiger, a supply chain risk management company, last May. Now, Ion Channel covers the software side of Exiger’s broader supply chain risk management business, which covers factors like manufacturing defects, third-party risks, and so forth.

“The truth is,” Herz explained, “CVEs are a lagging indicator of risk. In our experience, a CVE is generally a good eight to twelve months too late in identifying vulnerabilities.” She elaborated, sharing that creating CVEs is a human process, which causes several serious problems. One is that people are slow. And, people work for incentives, even if they don’t realize they are doing so.

For instance, people may choose to focus on a vulnerability because it will garner them stars on GitHub, which in turn drives interest in the CVE from their peers. This is an understandable reality, but it's not good for software supply chain risk management. It misses many serious vulnerabilities.

A better approach, Herz advised, is to stop approaching the process as a matter of box checking and start thinking more outside the box: Ask, “Where are the most serious vulnerabilities and attack surfaces, even if, or especially if you can’t see them.”

Indeed, some of the worst risks are not logged as CVEs. In some cases, it’s simply a matter of running outdated software. “We often see code components that are five updates behind. We know they are insecure, but they’re still in production with a ‘green’ dot next to them on a software composition analysis report. That’s a high-risk situation, even if there’s no CVE.”
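
Both the BOM-to-CVE matching described earlier and the “five updates behind, still green” situation just quoted, as one added example that is not code from the article, Ion Channel or Exiger: a small BOM check that runs two tests per component, a match against an advisory list (the box-checking step) and a “releases behind upstream” test, so that a stale component with no advisory on file is not reported clean. The component names, versions, release counts, advisory identifiers and the three-release staleness threshold are all constructed assumptions.

```c
#include <stdio.h>
#include <string.h>

/* Added example, not code from the article, Ion Channel or Exiger: a
 * minimal software-BOM check applying two tests to every component, a
 * match against known advisories and a "releases behind upstream" test.
 * Component names, versions, release counts and advisory identifiers are
 * all constructed. */

#define MAX_RELEASES_BEHIND 3   /* assumption: policy threshold for "stale" */

typedef struct { int major, minor, patch; } Version;

typedef struct {
    const char *name;
    Version     shipped;          /* version listed in the BOM */
    int         releases_behind;  /* newer upstream releases; constructed */
} Component;

typedef struct {
    const char *name;
    Version     fixed_in;         /* versions older than this are affected */
    const char *advisory;         /* placeholder identifier, not a real CVE */
} Advisory;

enum { RISK_OK = 0, RISK_STALE = 1, RISK_KNOWN_VULN = 2 };

/* Three-part version compare; the sign follows strcmp conventions. */
static int version_cmp(Version a, Version b) {
    if (a.major != b.major) return a.major - b.major;
    if (a.minor != b.minor) return a.minor - b.minor;
    return a.patch - b.patch;
}

/* Box-checking test: index of the first applicable advisory, or -1. */
int find_advisory(const Component *c, const Advisory *adv, int n_adv) {
    for (int i = 0; i < n_adv; i++)
        if (strcmp(c->name, adv[i].name) == 0
            && version_cmp(c->shipped, adv[i].fixed_in) < 0)
            return i;
    return -1;
}

/* Lagging-indicator test: flagged even when no advisory exists yet. */
int is_stale(const Component *c) {
    return c->releases_behind > MAX_RELEASES_BEHIND;
}

/* Combined verdict: a published advisory outranks staleness. */
int risk_level(const Component *c, const Advisory *adv, int n_adv) {
    if (find_advisory(c, adv, n_adv) >= 0) return RISK_KNOWN_VULN;
    if (is_stale(c))                        return RISK_STALE;
    return RISK_OK;
}

/* Constructed BOM: four components with made-up names and versions. */
static const Component bom[] = {
    { "libexample-parse",  {1, 2, 0}, 3 },   /* older than the fixed version */
    { "libexample-net",    {2, 0, 0}, 5 },   /* five releases behind, no advisory */
    { "libexample-log",    {3, 1, 4}, 0 },   /* current */
    { "libexample-crypto", {0, 9, 8}, 1 },   /* advisory exists but is already fixed */
};
#define BOM_COUNT (int)(sizeof bom / sizeof bom[0])

/* Constructed advisory list with placeholder identifiers. */
static const Advisory advisories[] = {
    { "libexample-parse",  {1, 2, 1}, "ADVISORY-PLACEHOLDER-0001" },
    { "libexample-crypto", {0, 9, 5}, "ADVISORY-PLACEHOLDER-0002" },
};
#define ADVISORY_COUNT (int)(sizeof advisories / sizeof advisories[0])

/* Number of BOM entries that need attention for either reason. */
int count_at_risk(void) {
    int n = 0;
    for (int i = 0; i < BOM_COUNT; i++)
        if (risk_level(&bom[i], advisories, ADVISORY_COUNT) != RISK_OK) n++;
    return n;
}

int main(void) {
    static const char *label[] = { "ok", "STALE (no advisory yet)", "KNOWN VULNERABILITY" };
    for (int i = 0; i < BOM_COUNT; i++) {
        const Component *c = &bom[i];
        int level = risk_level(c, advisories, ADVISORY_COUNT);
        int a = find_advisory(c, advisories, ADVISORY_COUNT);
        printf("%-18s %d.%d.%d  %s", c->name, c->shipped.major,
               c->shipped.minor, c->shipped.patch, label[level]);
        if (a >= 0) printf(" [%s]", advisories[a].advisory);
        printf("\n");
    }
    printf("%d of %d components need attention\n", count_at_risk(), BOM_COUNT);
    return 0;
}
```

With only the advisory test, libexample-net would show as clean; the second test is what turns the lagging indicator into a leading one. In a real pipeline the release count comes from the upstream package index, and the threshold is a policy decision to be set per component criticality.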

JC Herz

Other times, risks arise from low quality code. “This is a lot more common than people think, even in highly critical software, like the code for medical devices.” The issue might be code that’s maintained by a single person, rather than using the “two-man rule” that provides a measure of objectivity and redundancy in securing software.

Then, there are zero-day vulnerabilities: seemingly secure, functioning pieces of code that contain hidden, as-yet-unknown flaws. Ion Channel's solution is to undertake a massive data analytics process to identify previously invisible points of risk exposure. “Our platform analyzes a trillion data points in a software ecosystem. A lot of times, we spot problems that no one has noticed.”

From there, it’s a matter of remediation. As anyone who has managed a developer team knows, this is not a happy subject. Culturally, developers tend to dislike remediating security problems. It’s not what they enjoy, and more importantly, it’s not where their incentives are driving them. “The incentive is to create new features,” Herz said. “Not fix old problems.”

In her view, the difficulties companies face in remediating insecure code are reflective of misaligned strategies for quality and commercial success. “The push is almost always for new features faster and faster, regardless of the supply chain issues. The problem is that the quality and security defects will eventually catch up with you, and the remediation will be a lot more expensive, including fixing damage to your reputation.”

Software supply chain security is an evolving field. As Herz is finding, companies are starting to get more serious about moving beyond box checking, but it's a slow evolution. Much work remains to be done.

Managing Cybersecurity Risks in the Airline Industry

by Vance Hilderman

We've all probably seen enough headlines recently about cybersecurity threats in every industry to become somewhat numb to the issue. But cybersecurity in aviation holds a special place in the sense that it can directly impact the safety of passengers and crew. And there's even more reason to worry since the aviation industry, while far ahead in many areas of technology, seems to have fallen behind with regard to digital security despite the recent mandate to follow the new DO-326A for aviation cybersecurity.

For example, in 2020, 97 percent of the top 100 airports famously failed a major cybersecurity test. In 2021, EUROCONTROL wrote a paper demonstrating that the aviation industry was experiencing a wave of cybercrime and urged aviation leaders to pay more attention to new attack vectors. And in just the first eight months of 2022, the number of cyber attacks in the aviation industry had already surpassed that of either of the previous two years.

The cybercrime increase shows no sign of stopping, and in the meantime, a lot of people are understandably concerned about whether the aviation industry is prepared for the onslaught. Let’s take a look at where aviation is in terms of overcoming cybersecurity risks today and what needs to change.

Risks and motivations

Why have attacks increased so much recently? The number one reason is simple: increased reliance on digital systems, and particularly the Internet of Things (IoT). In other words, more and more of the systems onboard planes and in airlines are interconnected with each other and with the cloud. So there are more vulnerabilities for malicious actors to exploit and more gateways into safety-critical systems than ever before.

In addition to the increased attack surface, there's also a greater reliance today on commercial off-the-shelf (COTS) software, which simply means that the software wasn't designed specifically for the aviation industry. It's software that any industry might use, like the Windows operating system or any kind of standard database software. These types of software don't have the same certification and safety requirements as software developed specifically for avionics, and security in COTS software is primarily the responsibility of the software vendor.

But the vendors aren't always the best at protecting their systems. For example, in 2022, Microsoft detected many different vulnerabilities in the Windows 10 operating system, two of which were zero-day vulnerabilities. That means the company had no idea there were vulnerabilities until malicious actors were already exploiting them. So using COTS that have questionable or insufficient security measures can create serious issues for airlines and aircraft manufacturers alike.

The third reason there is increased risk in aviation cybersecurity today is the prevalence of smartphones, tablets, and other internet-connected devices. Most passengers will bring a smartphone on board a plane. Add in in-flight Wi-Fi and you have a potential method for external attacks to access the network through someone’s personal device.

Cybersecurity in the air

All of those factors mean that the aviation industry is less than ideally prepared for the constant onslaught of cyber threats. But I think it's safe to say you still don't have to worry about your next flight. Here's why: in-flight cybersecurity guidelines require stringent testing and oversight far above what most other industries demand.

Specifically, the ED-202A standard in Europe and the DO-326A standard in the U.S. stipulate guidelines for software development and security in aviation. Both standards take a risk-based approach, meaning they focus on identifying and mitigating the risks that are most likely to affect the safety and security of aircraft. They also both provide guidance on the processes that avionics developers and manufacturers must follow to develop and certify secure avionic systems. This guidance covers all aspects of the development lifecycle, from defining requirements to testing and certification.

While no standard is perfect and there may still be room for improvement with the increase of connected systems onboard planes, the truth is that in-flight systems are well protected. So you can likely go on your next vacation without worrying about cybercriminals taking over your plane.

Cybersecurity on the ground

Personal and financial information are the targets of most cyber attacks in the aviation industry, meaning ground systems in aviation are the target of the majority of attacks. This particularly applies to basic airline software like flight scheduling systems and payment management systems as well as databases. Many of these systems are COTS software, and vulnerabilities and data leaks are not uncommon.

Also, it's hard to properly secure systems that a lot of different people access on a daily basis. The top cybersecurity concern in the aviation industry is phishing threats, which often take the form of scam emails. These emails appear to be from legitimate sources or authorities but ask for personal information or work passwords. Once a password gets leaked, it's easy for malicious actors to access sensitive data and systems.

Airlines have found some creative ways to improve security on the ground. For example, United Airlines has a reward program for people who discover and report vulnerabilities in certain ground systems or scheduling systems. Other airlines are implementing cybersecurity training programs for staff so they can identify phishing attacks and other threats. But there’s no question that there’s still a lot of room to grow in the area of cybersecurity for ground systems.

Room for growth

I’ll finish with this thought: Can the aviation industry improve in terms of cybersecurity? Absolutely. But is it hopelessly behind or in danger of planes falling out of the sky from cyberattacks any time soon? Absolutely not. Cybersecurity continues to be a major priority in aviation, and the industry will continue to grow in terms of protecting sensitive data and systems from outside threats.

About the author: Vance Hilderman is the principal founder/CTO of three of the world's most significant aviation development/certification companies, including TekSci, HighRely, and AFuzion. Hilderman has trained over 31,000 engineers in over 700 aviation companies and 30+ countries. His intellectual property is in use by 70% of the world's top 300 aviation and systems developers worldwide, and he has employed and personally presided over 500 of the world's foremost aviation engineers on 300+ projects over the past thirty-five years. AFuzion's solutions are on 90% of the aircraft developed over the past three decades. His latest book, Aviation Development Ecosystem, debuted on the Aviation category best-seller list.