Aqua News

What are Supply Chain Attacks, and How to Guard Against Them

One lesson data centers should not take away from the SolarWinds breach is that installing supplier patches is a bad idea.

The attack did compromise the automated software update system, but it’s a lot more dangerous to leave known vulnerabilities in your systems, said Tsvi Korren, field CTO at Aqua Security. “It requires some painstaking work to compromise the internal systems of a company,” he said.

By comparison, exploiting a known vulnerability is quick, easy, and appealing to attackers of all ability levels. “Leaving vulnerabilities out there is something we want to avoid,” Korren told DCK.

Security managers can ask their vendors for some assurances, however. “It’s reasonable to demand to know what their internal chain of custody is,” he said. “How do they ensure the integrity of their process all the way from writing a line of code to the packaging and distribution?”
