So I wanted to leave a short update... two things. One is that FireEye showed evidence that the patch that caused all the problems was digitally signed, so Kung's point was right.
However.....
There seems to be a suspicion of a lack of hygiene in the SolarWinds patch development process; security experts are stating there may have been some control gaps that would allow a developer (or a state-sponsored entity) the opportunity to install a payload at a point past the testing libraries, where no developer should have access. If it comes out that this was a 'cut corner' due to leveraging continuous development/deployment cycles (i.e. Agile), this is going to be a real black eye for them.
Note: I know of a very large firm that hired an executive to bring continuous release into their organization, who stated that they would no longer require controls over change and release because they were now an agile shop and the process did not require controls anymore (they thought the process would govern itself). That person was handed their walking papers when unavailability numbers spiked due to a lack of rigor around the change and release process (flawed changes being introduced into production and breaking production).
I wonder if that person is in charge of change and release for SolarWinds (/sarcasm off).
I always like to say that Auditors are like cockroaches. We will be here in another thousand years because of executives that think like this.
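The two points in the comment above (the patch was validly signed, yet something may have been inserted after testing and before signing) are illustrated by the following added example. It is not code from the original post or from SolarWinds; the artifact bytes, the signing key and the "injected payload" are all constructed, and HMAC-SHA256 stands in for the real asymmetric code-signing step. The release gate is the control the comment says was missing: it refuses to ship anything whose hash differs from the hash recorded when the artifact passed testing.

```python
import hashlib
import hmac

# Stand-in for the release signing key (constructed for this example).
SIGNING_KEY = b"constructed-demo-signing-key"


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def record_provenance(tested_artifact: bytes) -> dict:
    """Test stage: write down the hash of exactly the bytes that passed testing.
    The pipeline, not a developer, must produce and protect this record."""
    return {"tested_sha256": sha256_hex(tested_artifact)}


def sign_artifact(artifact: bytes) -> str:
    """Signing stage, modelled with HMAC-SHA256 (a real pipeline would use an
    asymmetric signature). It signs whatever bytes it is handed, so a valid
    signature proves only that the signer processed these bytes."""
    return hmac.new(SIGNING_KEY, artifact, hashlib.sha256).hexdigest()


def signature_is_valid(artifact: bytes, signature: str) -> bool:
    return hmac.compare_digest(sign_artifact(artifact), signature)


def release_gate(artifact: bytes, provenance: dict) -> tuple[bool, str]:
    """The missing control: refuse to ship anything whose hash differs from the
    hash recorded when it passed testing, regardless of who changed it."""
    actual = sha256_hex(artifact)
    if not hmac.compare_digest(actual, provenance["tested_sha256"]):
        return False, (
            "artifact changed after testing "
            f"(tested {provenance['tested_sha256'][:12]}..., got {actual[:12]}...)"
        )
    return True, "artifact matches the tested build"


def run_pipeline(inject_payload: bool) -> dict:
    """Simulate build -> test -> (optional post-test tampering) -> sign -> gate."""
    tested = b"constructed release binary contents v1.0"  # constructed artifact
    provenance = record_provenance(tested)
    # Tampering between the test stage and the signing stage: the point past
    # the testing libraries that the comment says no developer should reach.
    to_ship = (tested + b"\n<injected payload>") if inject_payload else tested
    signature = sign_artifact(to_ship)  # the signer does not know about the edit
    gate_ok, reason = release_gate(to_ship, provenance)
    return {
        "signature_valid": signature_is_valid(to_ship, signature),
        "gate_ok": gate_ok,
        "reason": reason,
    }


if __name__ == "__main__":
    for inject in (False, True):
        print("tampered" if inject else "clean   ", run_pipeline(inject))
```

In both runs the signature verifies, which is the "it was digitally signed" observation; only the gate tells the tampered build apart, because it compares the bytes being signed with the bytes that were actually tested. In a real pipeline the provenance record would be written by the build system to storage that developers cannot modify, and the signing step would be refused rather than merely flagged.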