
Why Software Bills of Materials Are So Important

You probably heard about the vulnerability in the vBulletin web forum software that was announced last month.  The vulnerability, which, apparently, even a child could exploit, allowed an attacker to run arbitrary code on any server hosting a vBulletin site.

Here is a very interesting timeline.

On September 23rd exploit code was released to exploit the bug.

Two days later, the company released patches for that bug.  So far so good.  The vendor was able to respond, within 48 hours, to an exploit it had no advance warning of.

Four days after that, six days after the exploit was released, Comodo's web site was hacked using this exploit.

This is unfortunate for Comodo.  They are a security company, and it is very bad optics for a company whose business is security to get hacked, especially when a patch that blocks the attack has been available for days.  Not to worry, though.  After the breach, the company's PR team released a statement saying that security was very important to them.

Optics aside, this attack brings up two very important issues for all companies.

The first one is how long you wait before installing a new patch.  That is an old question with no simple answer, but I suspect that Comodo wishes it had installed this one as it works through the breach notifications, lawsuits and bad PR.

The second question is one that I have been harping on for a long time.  Do you know where a given piece of software is running inside your enterprise?  That is a question Equifax answered incorrectly, and the wrong answer triggered what is possibly the largest breach in U.S. history.

The answer to the second question is to create and maintain a SOFTWARE BILL OF MATERIALS (SW BOM) for every system, server, Internet of Things device, network device AND software system.

It was this lack of a SW BOM that caused Equifax to leave unpatched the server through which the hackers got in and stole information on close to 150 million people.

For your company, suppose the news reports that a vulnerability in some random piece of software is being actively exploited in the wild (and by software I do NOT mean something like Windows or Linux, but rather, say, Apache Struts).  Can you say, today, every place it is running?  If you say that you don't run Struts, I would ask whether you have Cisco hardware and management software in your company, or whether you run VMware, because both of those use Struts in some of their support tools.

Companies need to start building and maintaining SW BOMs and also to start demanding that vendors tell them what is inside as well.
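What the query against such an inventory looks like in practice is shown below, as an added example that is not code from the original alert.  The inventory is constructed sample data, one component list per system shaped like the `components` array of a CycloneDX document, with libraries nested inside the vendor product that ships them; every hostname, product name and version in it is made up (the "fixed in 2.5.20" figure in the usage section is likewise a placeholder, not a statement about any real advisory).  The point it demonstrates is the one in the paragraph above: a flat list of installed applications would say "no Struts here", while a BOM that records what is inside the vendor console finds it.

```python
"""Answer "where does component X run, and at what version?" from a set of
per-system software bills of materials.  Added example; the inventory below
is constructed sample data, loosely shaped like CycloneDX component lists.
Every hostname, product and version in it is made up for illustration."""
from typing import Dict, Iterator, List, Optional, Tuple

# Constructed inventory: system name -> component list.  net-mgmt-01 does not
# list Struts at the top level; it only appears *inside* a hypothetical vendor
# console, which is exactly the case a flat software inventory misses.
SBOMS: Dict[str, dict] = {
    "forum-web-01": {"components": [
        {"type": "application", "name": "vBulletin", "version": "5.5.2"},
        {"type": "application", "name": "php", "version": "7.3.9"},
    ]},
    "net-mgmt-01": {"components": [
        {"type": "application", "name": "ExampleVendor Management Console",
         "version": "3.1.0",
         "components": [
             {"type": "library", "name": "struts2-core", "version": "2.3.32"},
             {"type": "library", "name": "guava", "version": "27.0"},
         ]},
    ]},
    "hr-app-02": {"components": [
        {"type": "application", "name": "payroll-portal", "version": "9.4",
         "components": [
             {"type": "library", "name": "struts2-core", "version": "2.5.22"},
         ]},
    ]},
    "db-01": {"components": [
        {"type": "application", "name": "postgresql", "version": "11.5"},
    ]},
}


def parse_version(v: str) -> Tuple[int, ...]:
    """'2.5.22' -> (2, 5, 22).  A non-numeric tail such as '3-rc1' is cut off
    at the first non-digit; good enough for a triage query."""
    parts = []
    for piece in v.split("."):
        digits = ""
        for ch in piece:
            if not ch.isdigit():
                break
            digits += ch
        parts.append(int(digits) if digits else 0)
    return tuple(parts)


def version_lt(a: str, b: str) -> bool:
    """True if version a is older than b.  Pads so '2.5' equals '2.5.0'."""
    pa, pb = parse_version(a), parse_version(b)
    width = max(len(pa), len(pb))
    pa += (0,) * (width - len(pa))
    pb += (0,) * (width - len(pb))
    return pa < pb


def walk(components: List[dict],
         path: Tuple[str, ...] = ()) -> Iterator[Tuple[dict, Tuple[str, ...]]]:
    """Yield every component together with the chain of parents that ship it,
    so a library buried inside a vendor product is still found."""
    for comp in components:
        here = path + (f"{comp['name']} {comp.get('version', '?')}",)
        yield comp, here
        yield from walk(comp.get("components", []), here)


def find_affected(sboms: Dict[str, dict], component: str,
                  fixed_in: Optional[str] = None) -> List[dict]:
    """List every system carrying `component` (case-insensitive name match).
    With `fixed_in` given, keep only instances older than that version, i.e.
    the ones that still need the patch."""
    hits = []
    for system, bom in sboms.items():
        for comp, path in walk(bom.get("components", [])):
            if comp["name"].lower() != component.lower():
                continue
            version = comp.get("version", "0")
            if fixed_in is not None and not version_lt(version, fixed_in):
                continue
            hits.append({"system": system, "version": version,
                         "path": " > ".join(path)})
    return hits


if __name__ == "__main__":
    # "Struts is being exploited in the wild; the fix shipped in 2.5.20"
    # (placeholder version number, not from any real advisory).
    for hit in find_affected(SBOMS, "struts2-core", fixed_in="2.5.20"):
        print(f"{hit['system']}: {hit['path']}")
    # Where does vBulletin run at all, regardless of version?
    print([h["system"] for h in find_affected(SBOMS, "vBulletin")])
```

Run against the sample data, the Struts query names only net-mgmt-01, and it reports the full path "ExampleVendor Management Console 3.1.0 > struts2-core 2.3.32", which tells you whose patch you are actually waiting for; hr-app-02 carries Struts too but at a version past the fix, so it drops out of the patch list while still showing up if you ask where Struts runs at all.  The version comparison is deliberately simple; a real deployment would match on package URLs and use the vulnerability feed's own version ranges rather than a single "fixed in" value.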

Until that happens, we are gonna see more Comodos.  Sorry.

Source: Tech Crunch.

P.S.  There are now three more vulnerabilities in vBulletin that allow the same kind of attack, so if you are running vBulletin anywhere, you have to patch it again.