Comments by: Tim Mackey, Principal Security Strategist, Synopsys Software Integrity Group
The proposed Executive Order outlines several steps in the right direction in the battle against cyber-crime. First and foremost, it recognises that there is no possible way to patch something you don’t know you’re exposed to. This is critical when you recognise that the days of software being created exclusively within the proverbial four walls of a commercial software vendor are long gone.
Modern software is a combination of proprietary code and open source components. As the Synopsys Open Source Security and Risk Analysis report has consistently shown over its five-year history, the majority of the code in commercial applications can trace its roots back to open source efforts. That’s why having a software bill of materials is a critical asset in any cyber-defender’s toolkit – the weakness being exploited might be in the DNA of the software and the vendor might not be aware of the risk, which is where greater communication and transparency as outlined in the proposed Executive Order becomes valuable.
Attackers control the rules of their attacks, and their success is directly related to their ability to execute their playbook against multiple targets. When successful attack patterns are kept secret, this enables an attacker to replay their attacks with confidence that they’ve a wide window of opportunity.