New Threat Types Targeting Open Source are Making Old Cybersecurity Conversations New Again

The XZ Utils hack is being called one of the "best-executed" supply chain attacks ever (source: Wired) and driving cybersecurity conversations in interesting new directions.

Or are they new? If you're old enough to have been around in the early days of commercial Linux, purveyors of FUD ("fear, uncertainty and doubt") tried to stop its momentum by claiming open source was "insecure" compared to proprietary software. It has since been proven out that more eyes on code from open source communities result in MORE secure software, and the success of open source is all the proof you need.

But today there's a renaissance of products aimed at the much deeper layering of security considerations within so-called "software supply chain security" - a term that refers to the individual artifacts software is built from today, and that reaches down into the build systems and frameworks distributed as open source.

This XZ Utils threat is driving a lot of security companies to campaign about how their wares affect so many layers of cybersecurity, beyond just the classic domains like network perimeters, authentication methods, etc.

Now the conversation is moving fast into Linux distributions, operating systems, build systems, CI/CD, software distribution, and the "provenance" of software (who created it, and that it hasn't been tampered with along the software supply chain).

It's a really interesting time to be in PR or marketing for cybersecurity companies that are addressing this vastly complicated domain.

TechNews can give you a much richer way to traverse these nuanced conversations and the authors leading them, whether you're trying to look holistically at the cybersecurity conversation, Common Vulnerabilities and Exposures (CVEs), or who is writing what about Linux distributions.

Go deep on Cybersecurity in TechNews, where you can traverse the many trending sub-topics within this huge cybersecurity conversation: authentication, software supply chain security, endpoint security, Zero Trust, you name it.
