Chief Product Officer at CodeSecure, where he leads product strategy for the company’s application security portfolio.
Recently, a high-severity heap overflow vulnerability was disclosed in the popular Client for URL (curl) application and its companion library, libcurl, which are used to transfer data over HTTP and many other protocols. To date, curl has 20 billion installs.
Because curl is used in operating system (OS), container, and runtime environments, this vulnerability poses a significant threat to supply chain security for embedded applications. While patching hosts is fairly straightforward, updating containers is less so, and patching embedded runtimes is very difficult. Here are three challenges related to mitigating the curl vulnerability in embedded products.
1. Ubiquity: The curl application and libcurl library are widely used in a broad range of software, including web browsers, web services, and many other networked applications, to make HTTP requests and transfer data across the internet. They have a significant footprint in terms of users and services.
2. Cascading Dependencies and Vulnerabilities: The popularity of curl means cascading vulnerabilities in the many software programs that depend on it. A vulnerability in such a dependency can create a domino effect, potentially compromising the security of a wide range of software products along the chain.
3. Patching: Coordinating patches across the software supply chain is a complex and time-consuming process that involves identifying all affected products and installations and ensuring they are updated.
Obviously, the first step is to patch or update the known curl and libcurl instances in the organization. In most cases, the patch has already been deployed to the Linux repositories used to update hosts. Microsoft Windows and macOS will likely be patched later through their security updates. However, if libcurl has been reused in a software product or service developed within the organization, or if curl has been incorporated into a product or container deployed in your IT environment, there is still work to be done.
Detecting unknown dependencies can be tricky. Here, a software bill of materials (SBOM), which can be generated by binary composition analysis (BCA) technology, can detect and assess exposure to the curl vulnerability in products developed and procured by the organization.
To prepare for future vulnerabilities in open source and other third-party software like curl, incorporate the following proactive best practices into the software acquisition, development, and deployment lifecycles:
• Regular patches and updates: Maintain a regular schedule of updates and patches for software dependencies, including libraries such as libcurl. Stay current with updates and security patches from the library maintainers.
• Adopt scanning technology: BCA is a new category of software supply chain security technology. It can scan software developed by the company, as well as purchased programs, to determine what open source code is used and reused, without access to the source code. Analysis should be repeated as component versions change over time and as vulnerabilities such as the curl/libcurl one are disclosed.
• SBOM: Insist on obtaining an SBOM from software vendors to understand inherited exposures. It should enumerate all dependencies, such as libcurl or log4j. Scanning SBOMs for known vulnerable components should be an ongoing activity. For organizations that produce and sell software, an SBOM should be provided to customers so that they can proactively identify and manage security risks in their supply chain.
• Monitoring and incident response: Continuous monitoring of supply chain security aims to mitigate risks such as the curl vulnerability. Regular scans can detect new risks and trigger response activities. If processes are in place to manage these situations, including SBOM management capabilities, it is much easier to assess exposures and reduce the time needed to mitigate risks.
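The SBOM scanning step described above, as an added example that is not from the original article or any CodeSecure product: it walks a constructed CycloneDX-style SBOM, picks out curl and libcurl components, and compares their upstream version against an affected range that the caller supplies from the vendor advisory (the bounds and component versions below are constructed placeholders). Distro packages often backport fixes without changing the upstream version number, so a match on a Debian or RPM package is flagged for confirmation rather than reported as a verdict.

```python
import json
import re

# Constructed CycloneDX-style SBOM fragment (sample data, not a real inventory).
SAMPLE_SBOM = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.4",
    "components": [
        {"type": "library", "name": "libcurl", "version": "7.88.1",
         "purl": "pkg:generic/curl@7.88.1"},          # statically built into firmware
        {"type": "application", "name": "curl", "version": "8.4.0",
         "purl": "pkg:generic/curl@8.4.0"},
        {"type": "library", "name": "openssl", "version": "3.0.2"},
        {"type": "library", "name": "libcurl4", "version": "7.81.0-1ubuntu1.14",
         "purl": "pkg:deb/ubuntu/curl@7.81.0-1ubuntu1.14"},  # distro package
    ],
})

# Component names that denote curl or libcurl (libcurl4, libcurl3 etc. included).
CURL_NAMES = re.compile(r"^(lib)?curl\d*$", re.IGNORECASE)
DISTRO_PURL_PREFIXES = ("pkg:deb/", "pkg:rpm/")


def parse_version(ver):
    """Return the upstream version as an int tuple; distro suffixes (-1ubuntu1.14) are dropped."""
    m = re.match(r"(\d+(?:\.\d+)*)", ver)
    return tuple(int(p) for p in m.group(1).split(".")) if m else None


def find_curl_exposure(sbom_json, first_affected, fixed_in):
    """Report every curl/libcurl component and whether its version lies in [first_affected, fixed_in)."""
    lo, hi = parse_version(first_affected), parse_version(fixed_in)
    report = []
    for comp in json.loads(sbom_json).get("components", []):
        name, version = comp.get("name", ""), comp.get("version", "")
        if not CURL_NAMES.match(name):
            continue
        v = parse_version(version)
        if v is None:
            status = "unparseable version, review manually"
        elif lo <= v < hi:
            # A distro package may carry a backported fix: a range hit is a lead, not a verdict.
            distro = comp.get("purl", "").startswith(DISTRO_PURL_PREFIXES)
            status = "AFFECTED (verify distro backport)" if distro else "AFFECTED"
        else:
            status = "not in affected range"
        report.append((name, version, status))
    return report


if __name__ == "__main__":
    for row in find_curl_exposure(SAMPLE_SBOM, "7.69.0", "8.4.0"):  # placeholder bounds
        print(row)
```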
Right now, software development organizations that reuse open-source components like curl, and downstream consumers who purchase products that integrate them, recognize the need to proactively manage risks in their supply chain. With processes in place for SBOM maintenance and monitoring, the next curl or log4j vulnerability can be handled in a controlled manner.
Forbes Technology Council is an invitation-only community for world-class CIOs, CTOs, and technology executives. Do I qualify?