Bash 2014 - This Is Not a Party

September 25, 2014 By Derek Weeks

5 minute read time

108201576-2

I can honestly say that although referred to by the media as Shellshocked, I am neither shocked nor awed.

I can’t say that I am a fan of the latest glorification of bugs like Heartbleed and Shellshock in a fashion similar to tropical storms, but if it gets more people to pay attention to the exponential growth of our reliance on software I can’t say I am too worked up about it either.

One thing that is unarguable is that this just happens to be the latest (and if you are reading this before you have patched stop right now, patch, and then come back to finish).

I think both Heartbleed and Shellshock are just two issues that masked an even bigger problem:

  • our ability to rapidly create the next newest and greatest thing is increasingly outpacing our ability to understand what is really in our software, and

  • our ability to understand where we have deployed our software.

You see, it is these two things that point to the bigger issue. We all know there will be new problems, the next biggest security threat, but we have no hope of “fixing” this problem if we don’t know both what is in our software and where that software is deployed.

I wonder how many IT administrators are rapidly trying to answer the two critical crisis questions (a blog from July)to figure out how many systems where bash is installed, and then rapidly apply the patch? We are still seeing updates to software that's vulnerable from Heartbleed.

This is truly indicative of our inability to have even the most basic understanding of our software supply chain (a failing of many of even the most mature SDLCs). In the case of Heartbleed and Shellshock, those that do are much more secure than those that do not, and this doesn’t take an army of security professionals to figure out. I would be willing to bet a majority of companies spend more money being able to manage physical assets (sometimes to every pen) than software assets, even though the amount of software related asset growth is through the roof.

You can read all about Shellshock and how big of a deal it is elsewhere, I don’t think I need to add another voice to this chorus, but I do want to highlight there is a bigger issue. You can’t patch what you don’t know you have. And if you have it, you need to know where it is.

If you spend a little more time understanding your software supply chain (and yes it is a supply chain), you might not be scrambling as much to fix your systems the next time (and yes there will be a next time).

(image credit: http://bit.ly/1wMOvet)

Tags: Cyber Supply Chain Management and Transparency Act, H.R. 5793, Lynn Jenkins (R-KS), government open source software (GOSS), Sonatype Says, bill of materials, open source governance, security, open source components, open source governance policy, Ed Royce (R-CA), Cyber Chain Integrity Act, application supply chain management, component vulnerabilities, open source software supply chain, Open Source, Cyber Supply Chain, Application Security, bill of materials (of 3rd party and open source co, cyber supply chain management, Software supply chain management, AppSec Spotlight

Written by Derek Weeks

Derek serves as vice president and DevOps advocate at Sonatype and is the co-founder of All Day DevOps -- an online community of 65,000 IT professionals.

Learn more on: