Podcast Episode 94: Black Report takes Hacker View and Securing the Open Source Supply Chain

In this episode of the Security Ledger Podcast we do a deep dive into the recent Black Report by NUIX, which flips the script by asking hackers and pen testers how they break into firms and which defensive strategies and technologies work best at stopping them. Also: Rami Sass, the CEO and co-founder of this week’s sponsor, WhiteSource Software, joins us in the Security Ledger studios to talk about how a white-knuckle audit of his company’s open source dependencies eight years ago prompted him to start WhiteSource, which makes a tool for managing the open source software supply chain.

The Black Report: Hacker Eye on the Security Admin Guy

The information security industry is full of surveys and trend reports that mull over cyber crime data and reports from the victims of hacks and other security incidents. Documents like the Verizon Data Breach Investigations Report tell us all we want to know about what industries are most affected by malicious actors, what kind of attacks they launch and what types of IT assets they’re most interested in hacking.

But how useful are victim reports in actually thwarting cyber crime? “Not very,” according to our first guest, Chris Pogue of the firm NUIX. His company recently released its Black Report, a survey of hundreds of penetration testers and other white, gray and black hat hackers. The report assesses the kinds of attacks that cyber attackers themselves use, what types of security approaches and tools they find effective, and their feelings about the state of security.

Chris Pogue is the Head of Services, Security and Partner Integration at NUIX

Pogue said that the survey of hundreds of professionals who do security offense revealed that few thought much of venerable defensive tools like firewalls and anti-virus software. The best security investment, according to the report, wasn’t even a security product. It was basic endpoint hardening: essentially, doing a better job deploying the software you’ve already purchased by turning on the security features that are already in the product and not making avoidable mistakes when you roll it out.

Check out our full conversation in the first part of this month’s podcast.

GitHub’s Revenge: managing the open source software supply chain

There’s a saying that modern software is no longer written so much as it is composed. And, indeed, most modern, agile software applications aren’t made from whole cloth. Rather, they’re expertly knitted together with bits of new, proprietary code and lots of pre-packaged third party and open source components that have been written by others – often years ago.

Rami Sass is the CEO and co-founder of WhiteSource Software

The ease with which new applications can be assembled from these pre-written components is a huge win: drastically shortening the time it takes to develop and launch a new software tool. But, as often happens, that convenience comes at a cost: security vulnerabilities that may lurk undiscovered even in widely used open source libraries. (Consider the Heartbleed vulnerability, for example.)

[This episode of The Security Ledger podcast is sponsored by WhiteSource Software.]

Those third party and open source dependencies are increasingly a cause for concern. The hack of Equifax, for example, was traced back to the exploitation of a known flaw in Apache Struts, a widely used open source package. Rami Sass, the CEO and co-founder of the firm WhiteSource Software, told us that open source dependency is an issue that he’s intimately familiar with. In fact, the origins of WhiteSource lie in a white-knuckle audit he and his co-founders had to do prior to selling an earlier firm, Eurekify, to CA in 2009.

“During the acquisition process we had to spend a lot of time and effort to determine what open source components we were using in our software,” Sass told me. “It was very obvious that there was a big risk for companies developing software when they take on these third party components but don’t track them closely enough.”
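The tracking problem Sass describes is, at its core, an inventory problem: you cannot know whether a known flaw in a component affects you unless you know exactly which components, at which versions, your software ships. The script below is an added example, not WhiteSource’s product or any code from the podcast: it reads a pinned manifest in `requirements.txt` style, builds a component inventory, and matches it against an advisory list keyed by affected version range. The manifest, package names and advisory identifiers (`EXAMPLE-ADV-…`) are all constructed for the example; an unpinned requirement is treated as an error, since a component whose version is unknown cannot be checked against anything.

```python
"""Inventory pinned third-party components and match them against advisories.

Added example, not WhiteSource code. The manifest, package names and
advisory IDs below are constructed for illustration.
"""
import re
from typing import Dict, List, Tuple

Version = Tuple[int, ...]

# Constructed manifest in requirements.txt style (name==version, '#' comments).
MANIFEST = """\
# constructed sample manifest
examplelib==2.3.1
jsonparse==1.0.9   # pinned years ago and never revisited
webframework==4.12.0
tinylogger==0.4.2
"""

# Constructed advisories: a component is affected if
# introduced <= installed_version < fixed_in.
ADVISORIES = [
    {"id": "EXAMPLE-ADV-001", "package": "jsonparse", "introduced": "1.0.0", "fixed_in": "1.1.0"},
    {"id": "EXAMPLE-ADV-002", "package": "webframework", "introduced": "4.0.0", "fixed_in": "4.12.1"},
    {"id": "EXAMPLE-ADV-003", "package": "examplelib", "introduced": "1.0.0", "fixed_in": "2.0.0"},
]

# Only exact pins are accepted; ranges such as '>=' leave the version unknown.
PIN_RE = re.compile(r"^([A-Za-z0-9_.-]+)\s*==\s*([0-9]+(?:\.[0-9]+)*)$")


def parse_version(text: str, width: int = 3) -> Version:
    """Turn '1.0.9' into (1, 0, 9); pad so '1.0' and '1.0.0' compare equal."""
    parts = [int(p) for p in text.strip().split(".")]
    parts += [0] * (width - len(parts))
    return tuple(parts)


def parse_manifest(text: str) -> Dict[str, Version]:
    """Build the component inventory: package name -> pinned version."""
    inventory: Dict[str, Version] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blanks
        if not line:
            continue
        match = PIN_RE.match(line)
        if not match:
            # An untracked or unpinned dependency is exactly the gap the
            # audit is meant to close, so fail loudly rather than skip it.
            raise ValueError(f"unpinned or unparseable requirement: {raw!r}")
        inventory[match.group(1).lower()] = parse_version(match.group(2))
    return inventory


def is_affected(version: Version, advisory: dict) -> bool:
    """Half-open range check: introduced <= version < fixed_in."""
    return parse_version(advisory["introduced"]) <= version < parse_version(advisory["fixed_in"])


def find_vulnerable(inventory: Dict[str, Version], advisories: List[dict]) -> List[Tuple[str, str, str, str]]:
    """Return (package, installed, advisory id, fixed_in) for every hit, sorted."""
    hits = []
    for adv in advisories:
        installed = inventory.get(adv["package"].lower())
        if installed is not None and is_affected(installed, adv):
            hits.append((adv["package"], ".".join(map(str, installed)), adv["id"], adv["fixed_in"]))
    return sorted(hits)


if __name__ == "__main__":
    inv = parse_manifest(MANIFEST)
    for pkg, installed, adv_id, fixed_in in find_vulnerable(inv, ADVISORIES):
        print(f"{pkg}=={installed} is affected by {adv_id}; upgrade to >= {fixed_in}")
```

Run against the constructed manifest, the report flags `jsonparse` and `webframework` and clears `examplelib`, whose pinned 2.3.1 is already past the fixed version. The half-open range and the zero-padded version tuples are the two details that most often go wrong in home-grown checks: treating `fixed_in` as affected produces false positives on patched builds, and comparing `1.0` against `1.0.0` as raw tuples makes them unequal.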

Check out our full conversation in this week’s podcast!