Why The Software Supply Chain is The Rhinoceros Head in the Corner
As if Yahoo didn’t have enough trouble, it apparently was using a third party software library called ImageMagick which had a serious security bug in it.
The library, which is used to manipulate images, is very widely used. Or at least, it was. Some people say that it has not aged well.
Security researcher Chris Evans dubbed the bug YahooBleed #1 after all the “bleed” bugs identified over the last few years.
The bug is now fixed, but every developer who has integrated the package into their software has to recompile and re-release their software.
And even if the developers do re-release their software, users need to know about it and download and install the updated version. Web server managers need to upgrade their web servers.
Yahoo apparently had enough of this and “retired” the library.
For businesses that develop software or pay people to develop software, this third party software library problem is a huge problem.
Developers often use third party libraries because it doesn’t make sense to reinvent the wheel. And whether the library is licensed for a fee or open source, the problem is similar, although for licensed software, if you don’t pay the maintenance fee that the developer might charge, you may not even be able to get the new version of the software.
So the question for managers and executives to ask is whether your in-house or contracted development team has a software supply chain management policy and, if so, how it works. Someone in your company needs to be convinced that the process works, whether that is the CIO or CTO or CISO or VP of IT. That is probably one of the biggest security issues in the software world today.
We just saw the WannaCry worm spread like wildfire because even though Microsoft released patches to stop it in March, many organizations had not installed those patches two months later.
Compare that with all of the internally developed and externally contracted software that likely has bugs and security holes. Is that software being patched regularly, including the third party libraries that are in use? In many cases, the answer is no. Some of it likely has not been patched in years and is likely full of security holes.
Kind of like patching potholes in the road, fixing security bugs in old software is not glamorous but it is critical.
If your organization is not dealing with this, that is a high priority problem to fix.
Information for this post came from The Register.