This week’s WordPress malware highlights the bigger issue of software bill of materials security.
First the WordPress issue.
An attacker has infected and then weaponized 20,000 WordPress sites by distributing bootleg versions of premium WordPress plugins and themes. The users thought they were getting a deal on the themes or plugins; what they got was a compromised website.
It is still a significant issue, since the infected sites have at least close to a million views between them.
In the grand scheme of things 20,000 WordPress sites is a drop in the bucket out of the millions of WordPress sites, but it does remind us of the bigger problem that software BOM represents.
For more information on this particular attack, see this article at Bleeping Computer.
What I really want to focus on is the software BOM problem.
Software Bill of Materials means that you understand the ingredients that go into your website or other software. This is no different than understanding the ingredients that go into your meal.
Using the (life-threatening) meal example: if you have a severe peanut allergy and go to a restaurant, you need to know whether your meal contains peanuts or has come into contact with them. If it has and you don’t know that, you could go into anaphylactic shock and die.
In the case of software, while it may not be life threatening, if you get rogue third-party software in your system, the system could fail, or it could launch an attack against your company or from your company. Or it could make you vulnerable to being attacked.
This means that you need to understand all of the pieces that go into making the software that you are using or selling. I understand that, for large systems, this is not easy.
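As an added illustration of what a software BOM for a WordPress site looks like in practice (example code added here, not from the original post and not part of WordPress itself), the script below reads the header blocks WordPress puts at the top of each plugin's main .php file and each theme's style.css, builds an inventory of the pieces the site is made of, and flags anything absent from an approved list or below the approved version. The component names, paths and versions in demo() are constructed.

```python
import re
import tempfile
from pathlib import Path

# WordPress keeps component metadata in a comment header at the top of a plugin's main
# .php file or a theme's style.css ("Plugin Name: ..." / "Theme Name: ..." and "Version: ...").
FIELD_RE = r"^\s*\*?\s*{}:\s*(.+?)\s*$"

def parse_header(text, name_field):
    """Return (name, version) from a WordPress-style header, or None if no name field."""
    name = re.search(FIELD_RE.format(name_field), text, re.M)
    ver = re.search(FIELD_RE.format("Version"), text, re.M)
    return (name.group(1), ver.group(1) if ver else "unknown") if name else None

def inventory(wp_content):
    """List (type, slug, name, version) for every plugin and theme under wp-content."""
    root, comps = Path(wp_content), []
    for sub, pattern, field in (("plugins", "*/*.php", "Plugin Name"),
                                ("themes", "*/style.css", "Theme Name")):
        for f in sorted((root / sub).glob(pattern)):
            hdr = parse_header(f.read_text(errors="replace"), field)
            if hdr:
                comps.append((sub[:-1], f.parent.name) + hdr)
    return comps

def version_key(v):
    # '2.10.1' -> (2, 10, 1): compare numerically, since as strings '2.10' < '2.9'
    return tuple(int(p) if p.isdigit() else 0 for p in v.split("."))

def check_bom(components, approved):
    """Flag components missing from the approved BOM or older than its minimum version."""
    findings = []
    for ctype, slug, _name, version in components:
        minimum = approved.get((ctype, slug))
        if minimum is None:
            findings.append((slug, "not in approved BOM"))
        elif version_key(version) < version_key(minimum):
            findings.append((slug, f"{version} is below approved minimum {minimum}"))
    return findings

def demo():
    """Constructed sample wp-content tree (hypothetical component names) run through check_bom."""
    root = Path(tempfile.mkdtemp())
    for rel, body in (("plugins/seo-helper/seo-helper.php", "<?php\n/*\nPlugin Name: SEO Helper\nVersion: 2.10.1\n*/\n"),
                      ("plugins/premium-forms/forms.php", "<?php\n/*\nPlugin Name: Premium Forms\nVersion: 5.0\n*/\n"),
                      ("themes/corporate/style.css", "/*\nTheme Name: Corporate\nVersion: 1.4\n*/\n")):
        (root / rel).parent.mkdir(parents=True, exist_ok=True)
        (root / rel).write_text(body)
    approved = {("plugin", "seo-helper"): "2.9", ("theme", "corporate"): "1.5"}  # the site's approved BOM
    return check_bom(inventory(root), approved)
```

Run against a real wp-content directory, the unapproved finding is the one that would have caught a bootleg plugin nobody recorded, and the version finding is the Struts-style case of a known component left unpatched.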
You may remember a small breach at Equifax. That was caused by a software BOM issue: they did not know that a particular server was running a vulnerable version of Apache Struts, a version for which a patch had been released months earlier. The rest is history.
If you use software or develop software (pretty much covers everyone), you need to understand your software BOM risk and address it.
You need to create a software BOM management project. It will require some time but likely very little hard cash. Do it before you become the next site or company that is hacked.