U.S. government releases security guidance on open source software for OT/ICS

Welcome to the latest edition of Chainmail: Software Supply Chain Security News, which brings you the latest software supply chain security headlines from around the world, curated by the team at ReversingLabs.

This week: The U.S. government releases guidance for OT and ICS leaders on how best to secure their use of open source software. Also: Top tech experts reveal what you should be looking for in an SBOM.

This Week’s Top Story

CISA and others release guidance on open source software in OT/ICS environments

This past Tuesday, the U.S. Cybersecurity and Infrastructure Security Agency (CISA), alongside the FBI, NSA and the Treasury Department, released guidance for operational technology (OT) and industrial control system (ICS) leaders on open source software security. The nine-page document, titled “Improving Security of Open Source Software in Operational Technology and Industrial Control Systems” (PDF), aims to educate OT and ICS leaders on why it is essential to secure the open source software (OSS) they use, and offers several recommendations that leaders can apply to strengthen their organizations' OSS security efforts.

This new guidance is a product of CISA’s Joint Cyber Defense Collaborative (JCDC), whose stated goal for this effort is supporting the “awareness, security, and cyber resiliency of OSS in critical infrastructure OT” through public-private partnership. CISA developed it with input from security firms such as Dragos, OT vendors such as Schneider Electric, and the OpenSSF and the Linux Foundation.

Supply chain attacks on OSS have been increasing in recent years, with attacks on the public repositories PyPI and npm up by almost 300% from 2018 to 2022. CISA’s guidance points out some of the challenges in securing OSS: dependency vulnerabilities, a lack of commercial support, and inadequate documentation. For OT/ICS specifically, CISA recommends that organizations prioritize both transparency (visibility into a product's components) and verifiability (confirming the authenticity of information and data about those components) in order to secure their OSS use.

In addition to the ideals of transparency and verifiability, CISA makes five recommendations for OT/ICS leaders to kickstart their OSS security programs:

  • Vendor Support of OSS Development and Maintenance: Provide assistance to OSS foundations and use open source security tools
  • Manage Vulnerabilities: Establish a Coordinated Vulnerability Disclosure (CVD) program and contribute to vulnerability research
  • Patch Management: Promote the understanding of patch deployment processes and establish emergency patching procedures?
  • Improve Authentication and Authorization Policies: Use accounts that uniquely and verifiably identify individual users and avoid using hard-coded credentials and weak configurations
  • Establish Common Framework: Develop an Open Source Program Office and build a list of targeted security requirements (CISA)

This Week’s Headlines

20 tech experts share essential details to look for in an SBOM

A software bill of materials (SBOM) can help a business determine if developers have followed leading cybersecurity, quality and compliance standards for the software products they are using. However, not all SBOMs are created equal…

Hear from 20 tech experts, including ReversingLabs’ CEO & co-founder Mario Vuksan, about what your business needs to look for in an SBOM in order to uphold the highest standards for software supply chain security. (Forbes Technology Council)
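The two stories above meet in one practical question: does an SBOM you received actually carry the details (transparency) and the hashes (verifiability) you need? The following Python script is an added example written for this newsletter; it is not code from CISA, ReversingLabs or the Forbes panel. It checks a CycloneDX-style JSON document against the NTIA "minimum elements" for an SBOM (supplier, component name, version, unique identifier, dependency relationships, SBOM author, timestamp) and then recomputes a component's SHA-256 against bytes you hold. The SBOM document and the artifact bytes are constructed sample data; the second component is deliberately incomplete so the checker has something to report.

```python
"""Check a CycloneDX-style SBOM for the details a buyer should expect.

Added example: the SBOM below and SAMPLE_ARTIFACT are constructed data,
and the minimum-element rules follow the NTIA list, not any vendor tool.
"""
import hashlib
import json

SAMPLE_ARTIFACT = b"example wheel contents"  # constructed stand-in for a package file

SAMPLE_SBOM = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.5",
    "metadata": {
        "timestamp": "2023-10-12T00:00:00Z",
        "authors": [{"name": "build-pipeline"}],
    },
    "components": [
        {
            "bom-ref": "pkg:pypi/requests@2.31.0",
            "type": "library",
            "name": "requests",
            "version": "2.31.0",
            "supplier": {"name": "Python Software Foundation"},
            "purl": "pkg:pypi/requests@2.31.0",
            "hashes": [{"alg": "SHA-256",
                        "content": hashlib.sha256(SAMPLE_ARTIFACT).hexdigest()}],
        },
        {   # deliberately incomplete: no version, supplier, identifier or hash
            "bom-ref": "urn:example:mystery-lib",
            "type": "library",
            "name": "mystery-lib",
        },
    ],
    "dependencies": [
        {"ref": "pkg:pypi/requests@2.31.0", "dependsOn": []},
    ],
})


def check_minimum_elements(sbom_json: str) -> list[str]:
    """Return a list of findings; an empty list means every minimum element is present."""
    bom = json.loads(sbom_json)
    findings = []
    meta = bom.get("metadata", {})
    if not meta.get("timestamp"):
        findings.append("sbom: missing timestamp")
    if not meta.get("authors") and not meta.get("tools"):
        findings.append("sbom: missing author of SBOM data")
    # Every component should appear in the dependency graph, even with no children.
    declared = {d.get("ref") for d in bom.get("dependencies", [])}
    for comp in bom.get("components", []):
        label = comp.get("name") or comp.get("bom-ref", "<unnamed>")
        if not comp.get("name"):
            findings.append(f"{label}: missing component name")
        if not comp.get("version"):
            findings.append(f"{label}: missing version")
        if not (comp.get("supplier") or {}).get("name"):
            findings.append(f"{label}: missing supplier name")
        if not (comp.get("purl") or comp.get("cpe")):
            findings.append(f"{label}: missing unique identifier (purl/cpe)")
        if not comp.get("hashes"):
            findings.append(f"{label}: no hashes, cannot verify artifact")
        if comp.get("bom-ref") not in declared:
            findings.append(f"{label}: no dependency relationship entry")
    return findings


def verify_component_hash(sbom_json: str, name: str, artifact: bytes) -> bool:
    """True only when the SBOM's SHA-256 for `name` matches the artifact bytes."""
    bom = json.loads(sbom_json)
    for comp in bom.get("components", []):
        if comp.get("name") != name:
            continue
        for h in comp.get("hashes", []):
            if h.get("alg") == "SHA-256":
                return h["content"].lower() == hashlib.sha256(artifact).hexdigest()
    return False  # component absent or without a SHA-256: treat as unverifiable


if __name__ == "__main__":
    for finding in check_minimum_elements(SAMPLE_SBOM):
        print("FINDING:", finding)
    print("requests hash verified:",
          verify_component_hash(SAMPLE_SBOM, "requests", SAMPLE_ARTIFACT))
```

The hash check returns False rather than raising when no SHA-256 is listed: an SBOM that names a component without a digest tells you what the vendor says shipped, not what actually shipped, which is exactly the gap CISA's verifiability recommendation is about.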

Container security and the importance of secure runtimes

One critical aspect of container security is the container runtime, the software responsible for launching and managing containers. This article delves into how container runtimes work, why tightly coupled runtimes can lead to host takeover if an attacker escapes a container, and the significance of using secure container runtimes. (The New Stack)

Researcher bags two-for-one deal on Linux bugs while probing GNOME component

Researchers discovered a high-severity remote code execution (RCE) vulnerability in a component shipped by default with GNOME-based Linux distributions, potentially affecting a huge number of users. Tracked as CVE-2023-43641, the vulnerability is a memory corruption bug in the relatively small libcue library, which parses cue sheet files. Because the tracker-miners indexing service uses libcue to parse such files automatically, an attacker can turn the bug into a one-click RCE attack. (The Register)

Cybersecurity and Open Source Experts Up In Arms About the CRA

Provisions in the European Union’s proposed Cyber Resilience Act (CRA) drew more fire from dozens of high-profile cybersecurity and technology advocates. The feedback came in the form of a new open letter signed by heavy hitters from the cybersecurity community, former government officials and members of technology and government think tanks, who took the EU to task for vulnerability disclosure requirements under the CRA as it is written now. (Security Boulevard)

Nasty bug discovered (and patched) in widely used Linux utility curl

The curl command-line tool and its libcurl library, estimated to run in over twenty billion installations, have a nasty security bug, tracked as CVE-2023-38545: a heap-based buffer overflow in the SOCKS5 proxy handshake that affects curl 7.69.0 through 8.3.0 and is fixed in 8.4.0. Curl’s lead developer Daniel Stenberg wrote in a blog post that it's "the worst security problem found in curl in a long time." Security experts agree that organizations need to begin assessing their inventories, scanning for affected builds, and updating all systems that use curl, including products that embed libcurl rather than the curl binary. (ZDNet)
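Assessing an inventory starts with knowing which builds fall in the affected range. The script below is an added example, not code from the curl project or the newsletter. It parses the first line that `curl --version` prints and classifies the build against the range published in the curl advisory (7.69.0 up to but not including 8.4.0). The sample `curl --version` lines are constructed; feed it the real first line from each host.

```python
"""Classify a curl build against the CVE-2023-38545 affected range.

Added example. Version bounds are from the curl advisory; the sample
output lines are constructed and stand in for real `curl --version` output.
"""
import re

AFFECTED_FROM = (7, 69, 0)   # first affected release
FIXED_IN = (8, 4, 0)         # first fixed release

# First line of `curl --version` looks like: "curl 8.3.0 (x86_64-pc-linux-gnu) libcurl/8.3.0 ..."
VERSION_RE = re.compile(r"^curl (\d+)\.(\d+)\.(\d+)")


def parse_curl_version(first_line: str) -> tuple[int, int, int]:
    """Return (major, minor, patch) from the first line of `curl --version`."""
    m = VERSION_RE.match(first_line.strip())
    if not m:
        raise ValueError(f"not a curl --version line: {first_line!r}")
    return tuple(int(g) for g in m.groups())


def is_affected(version: tuple[int, int, int]) -> bool:
    """True when version is in [7.69.0, 8.4.0).

    Caveat: distributions often backport the fix without bumping the
    upstream version string, so a hit here means 'check the package
    changelog', not 'definitely exploitable'.
    """
    return AFFECTED_FROM <= version < FIXED_IN


def triage(first_line: str) -> str:
    """One-word verdict for an inventory report."""
    return "affected" if is_affected(parse_curl_version(first_line)) else "not affected"


SAMPLE_LINES = [  # constructed sample output, one host each
    "curl 8.3.0 (x86_64-pc-linux-gnu) libcurl/8.3.0 OpenSSL/3.0.10 zlib/1.2.13",
    "curl 7.68.0 (x86_64-pc-linux-gnu) libcurl/7.68.0 OpenSSL/1.1.1f zlib/1.2.11",
    "curl 8.4.0 (x86_64-pc-linux-gnu) libcurl/8.4.0 OpenSSL/3.0.11 zlib/1.2.13",
]

if __name__ == "__main__":
    for line in SAMPLE_LINES:
        print(f"{line.split()[1]:>8}: {triage(line)}")
```

Two practical caveats beyond the version check: the overflow is only reachable when curl is told to use a SOCKS5 proxy and to let the proxy resolve hostnames, so exposure depends on configuration as well as version, and applications that link libcurl will not show up in a `curl --version` sweep at all, which is why the SBOM-style component inventory matters.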

Malicious NuGet Package Targeting .NET Developers with SeroXen RAT

A malicious package hosted on NuGet, the package manager for .NET, has been found to deliver a remote access trojan called SeroXen RAT. The package, named Pathoschild.Stardew.Mod.Build.Config and published by a user named Disti, is a typosquat of the legitimate package Pathoschild.Stardew.ModBuildConfig, security firm Phylum reports. (The Hacker News)
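The two package IDs in this story differ only in where the dots fall, which is the kind of lookalike a human reviewer skims past. The following Python is an added example, not code from Phylum, NuGet or the newsletter: it flags a candidate package ID that collapses to the same string as a trusted ID once separators are removed and case is folded (NuGet IDs are case-insensitive), and separately flags IDs within a small edit distance of a trusted one. The trusted list is a constructed sample.

```python
"""Flag package IDs that look like typosquats of packages you already trust.

Added example. TRUSTED is a constructed allow-list; the separator rule
catches the case from the story (dots inserted into a real name), the
edit-distance rule catches one- or two-character slips.
"""

TRUSTED = ["Pathoschild.Stardew.ModBuildConfig", "Newtonsoft.Json", "Serilog"]

SEPARATORS = ".-_"


def normalize(package_id: str) -> str:
    """Case-fold and drop separators so only the 'word' content remains."""
    return "".join(ch for ch in package_id.lower() if ch not in SEPARATORS)


def levenshtein(a: str, b: str) -> int:
    """Classic two-row DP edit distance (insert/delete/substitute cost 1)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,            # delete from a
                           cur[j - 1] + 1,        # insert into a
                           prev[j - 1] + (ca != cb)))  # substitute
        prev = cur
    return prev[-1]


def typosquat_candidates(candidate: str, trusted=TRUSTED, max_distance: int = 2):
    """Return (trusted_id, reason) pairs the candidate is suspiciously close to.

    An exact (case-insensitive) match is the trusted package itself and is
    not reported; the separator rule runs before the distance rule so the
    story's case gets the more specific reason.
    """
    hits = []
    cand_norm = normalize(candidate)
    for t in trusted:
        if candidate.lower() == t.lower():
            continue
        t_norm = normalize(t)
        if cand_norm == t_norm:
            hits.append((t, "same name, separators differ"))
            continue
        d = levenshtein(cand_norm, t_norm)
        if d <= max_distance:
            hits.append((t, f"edit distance {d}"))
    return hits


if __name__ == "__main__":
    for pkg in ["Pathoschild.Stardew.Mod.Build.Config", "Newtonsft.Json", "Serilog"]:
        print(pkg, "->", typosquat_candidates(pkg) or "ok")
```

Run this against lock files or a private feed's intake queue rather than against a human's eyes; the edit-distance threshold is a tunable and will produce noise on very short IDs, so pair it with a minimum length or a per-ID allow-list in practice.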

Resource Round Up

ConversingLabs Podcast: The State of Open Source Software Security

In this episode, host Paul Roberts chats with Mikaël Barbero, Head of Security at the Eclipse Foundation, about the state of open source software security. [Listen Now]

Upcoming webinars you won’t want to miss:

10/18 - Threat Modeling and Software Supply Chain Security: Why It Matters More Than Ever

In this webinar, Chris Romeo, CEO of Devici and joint-founder of the Threat Modeling Manifesto, will join ReversingLabs Field CISO Matt Rose for a lively discussion about how threat modeling can be applied to supply chain security to better plan your organization’s risk management approach. [Register Now]

10/19 - Uncover Software Vendor Risk: How to Use Software Supply Chain Analysis to Assess CI/CD Pipelines

Watch ReversingLabs’ software package analysis platform in action to gain insight into a vendor’s CI/CD pipeline and help enhance your third-party risk assessments. [Register Now]

10/25 - Yara for the Holidays: Keep the Grinch Away with Custom Automation

Cyber threats like phishing and ransomware spike during the holiday season, preying on employees and businesses. As security teams enjoy their holidays, threat actors ramp up their activities. Join us as we cover the trends and tips to prepare your SOC for the coming season. [Register Now]

Devon Courtney

Strategic Account Manager in Cybersecurity

1 year ago

Interesting that the five ideals for transparency and verifiability are largely a reaction to dependency vulnerabilities. This is clearly a problem few have answers to.
