Software Supply Chain Under Attack
There has been an uptick in the news discussing the most recent cybersecurity attack on popular software applications, infrastructure, and smart hardware devices. In late 2021, the Log4j security vulnerability (Log4Shell) caused most software producers to scramble to answer their customers’ question of whether their applications were vulnerable to this security defect, and if so, when would a patch be released. However, this issue follows a long history of very public exploits based on past security vulnerabilities:
| • | Heartbleed was discovered in 2014 due to a security issue in OpenSSL. Eight years later, vulnerable versions of OpenSSL are still being discovered as part of Revenera’s open-source audit projects. |
| • | The Equifax breach in 2017 was a result of the failure to apply a patch to Apache Struts2, resulting in millions of personal data records being leaked. |
| • | SolarWinds was a supply chain attack in 2020 and brought cybersecurity to the forefront. |
| • | The Colonial Pipeline hack was a ransomware infrastructure attack on the gasoline industry. |