Karl Fischer, Chief Technology Officer at Obsidian Systems, says: “Constant vigilance is essential to identifying software security breaches.”
Fischer recounts, “In late March, a critical security breach was uncovered in the upstream source code of XZ Utils, a set of open-source tools and libraries for the XZ compression format. The breach impacted versions 5.6.0 and 5.6.1, spanning nearly three years. The potentially disastrous consequences of this breach, and others like it, emphasise the crucial need for ongoing vigilance in patching all software utilised in a business environment.”
“This breach specifically involved a sophisticated infiltration of malicious code targeting the liblzma build process. This allowed for the interception and modification of data, posing a significant threat to the integrity of compressed data. The ability to extract information about the compressed content, as well as decrypt communications, underscores the seriousness of this breach. While primarily affecting developers initially, the breach has since been widely reported and remedied,” says Fischer.
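The two affected releases named above are the concrete thing a defender can check for across a fleet. The script below is an added example, not code from the article or from Obsidian Systems: it parses the banner that `xz --version` prints (assumed here to be of the form `xz (XZ Utils) 5.6.1` followed by `liblzma 5.6.1`, which is how the upstream tool reports itself) and classifies each host. The host names and banners in `SAMPLE_BANNERS` are constructed for the example; the 5.6.2 cut-off reflects the upstream release that removed the injected code.

```python
"""Classify xz/liblzma version banners against the backdoored XZ Utils releases.

Added example (not from the article). Assumes the banner format printed by
`xz --version`: first line "xz (XZ Utils) X.Y.Z", second line "liblzma X.Y.Z".
It deliberately parses the tool's own banner rather than package-manager
version strings, which may carry distro-specific suffixes.
"""
import re
import shutil
import subprocess
from typing import Dict, Optional, Tuple

Version = Tuple[int, int, int]

# The two upstream releases that shipped the injected liblzma build code.
AFFECTED = {(5, 6, 0), (5, 6, 1)}
# First upstream release without it; anything at or above is treated as fixed.
FIXED: Version = (5, 6, 2)

_VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)")

# Constructed sample output from four hypothetical hosts (not real data).
SAMPLE_BANNERS: Dict[str, str] = {
    "builder-01": "xz (XZ Utils) 5.6.1\nliblzma 5.6.1",
    "ci-runner-03": "xz (XZ Utils) 5.4.6\nliblzma 5.6.0",   # mismatched lib
    "dev-laptop": "xz (XZ Utils) 5.6.2\nliblzma 5.6.2",
    "legacy-box": "xz: command not found",
}


def parse_version(text: str) -> Optional[Version]:
    """Return the first X.Y.Z triple found in a line, or None if there is none."""
    m = _VERSION_RE.search(text)
    if not m:
        return None
    major, minor, patch = (int(p) for p in m.groups())
    return (major, minor, patch)


def classify(banner: str) -> str:
    """Classify a multi-line version banner.

    'affected' if any reported component is 5.6.0 or 5.6.1 (the binary and
    the shared library are checked independently, since they can differ),
    'fixed' if every parsed version is at or above FIXED, 'older' if the
    versions predate the affected releases, 'unknown' if nothing parsed.
    """
    versions = [v for v in (parse_version(ln) for ln in banner.splitlines()) if v]
    if not versions:
        return "unknown"
    if any(v in AFFECTED for v in versions):
        return "affected"
    return "fixed" if min(versions) >= FIXED else "older"


def scan(banners: Dict[str, str]) -> Dict[str, str]:
    """Map each host name to its classification."""
    return {host: classify(banner) for host, banner in banners.items()}


def check_local_host() -> str:
    """Run `xz --version` on this machine and classify it; 'not-installed' if absent."""
    xz = shutil.which("xz")
    if xz is None:
        return "not-installed"
    result = subprocess.run([xz, "--version"], capture_output=True, text=True, check=False)
    return classify(result.stdout)


if __name__ == "__main__":
    for host, status in scan(SAMPLE_BANNERS).items():
        print(f"{host:<14} {status}")
    print(f"{'localhost':<14} {check_local_host()}")
```

Hosts reported as `affected` need the package replaced, not merely the binary; `unknown` hosts should be re-queried rather than assumed clean. Because distributions sometimes ship a patched build whose package name still says 5.6.x, the binary's own banner is the more reliable source, but the final word is the vendor's advisory for that package.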
The importance of continuous patching
“While the immediate threat from the XZ Utils incident has been mitigated, it serves as a reminder of the necessity for companies to ensure their software is consistently patched and free from known vulnerabilities. Security in software is a moving target. Companies must remain vigilant and proactive in maintaining the security of their systems,” he says.
“Just as is the case with hardware, software inherently degrades over time. Maintenance must be done with regular patches. The notion of developing software once and expecting it to remain secure indefinitely is unrealistic. All components within the company, especially those used in building software or using libraries and containerised solutions, must come from trusted sources. This is particularly critical in open-source software, where more eyes on the code can help spot and fix security gaps,” he adds.
A Cultural Shift
According to Fischer, the speed with which a company responds to breaches and the availability of patches mirrors its culture.
“Embracing new best practices and acknowledging the consistent emergence of new vulnerabilities are crucial. While mitigating risks to some extent through best practices is important, the approach must be dynamic and ongoing,” he says.
“Security cannot be a one-time checkbox. Continuous vulnerability scanning and implementing processes to ensure compliance are essential measures. Companies must be cognisant of the vulnerabilities they encounter and adjust their strategies accordingly. The XZ breach serves as a clear example of why this adaptability is vital for maintaining the security and integrity of software systems,” he continues.
He concludes by saying, “At Obsidian Systems, we grasp the significance of staying ahead in the security landscape. By fostering a culture of continuous improvement, ongoing monitoring, and identifying more innovative approaches to ensure security compliance, we aim to safeguard our digital infrastructure from unforeseen threats.”
The post Regular Vigilance Crucial for Spotting Software Breaches first appeared on IT News Africa | Business Technology, Telecoms and Startup News.