News broke earlier this week that Gloucester City Council have been fined £100,000 after a hacker downloaded 30,000 emails containing employees’ personal information.
Commenting on this, Jonathan Knudsen, security strategist at Synopsys, said:
“This incident highlights the critical need for software supply chain management. Software is infrastructure, just like buildings and bridges. It becomes dangerous when it is not maintained properly. Gloucester is not alone in its struggle, only unlucky to become a high-profile victim. According to Billy Rios, 200,000 publicly accessible IP addresses were still vulnerable to Heartbleed in 2016, two full years after its disclosure.
Adding more pressure to beleaguered IT staff is not the answer. With the help of automated tools, supply chain management becomes a practical task. Instead of forcing staff to chase down security alerts and vulnerability reports, a Software Composition Analysis (SCA) solution keeps a catalog of software inventory and its components, then proactively notifies IT staff so they can respond appropriately.
In this case, with a proper SCA solution, Gloucester would have learned about Heartbleed as soon as it was disclosed in April 2014, would have been notified about the software they were using that contained Heartbleed, and would have had nearly three months to respond by updating software or otherwise mitigating to eliminate the vulnerability.”
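The workflow Knudsen describes (keep an inventory of deployed components, match each newly disclosed vulnerability against it, and notify the owners of affected hosts) is the core of any SCA tool. The following is an added illustration, not code from the article, from Gloucester City Council or from any Synopsys product. The inventory is constructed sample data with made-up host names; the advisory entry uses the publicly documented Heartbleed facts (CVE-2014-0160, OpenSSL 1.0.1 through 1.0.1f affected, fixed in 1.0.1g). The version parser handles OpenSSL's `major.minor.patch[letter]` scheme and is assumed sufficient for this example; prerelease builds such as the 1.0.2 betas would need an extra rule.

```python
"""Minimal Software Composition Analysis (SCA) matcher (added example).

Given an inventory of deployed components and a vulnerability advisory that
names an affected version range, report every host that must be patched.
"""
from dataclasses import dataclass
import re


@dataclass(frozen=True)
class Component:
    host: str      # where the component is deployed
    name: str      # package name, e.g. "openssl"
    version: str   # version as reported by the package manager


@dataclass(frozen=True)
class Advisory:
    vuln_id: str        # e.g. "CVE-2014-0160"
    component: str      # package the advisory applies to
    affected_min: str   # first affected version, inclusive
    affected_max: str   # last affected version, inclusive
    fixed_in: str       # version that carries the fix


def parse_openssl_version(version):
    """Turn '1.0.1f' into a comparable tuple (1, 0, 1, 'f').

    A missing trailing letter becomes '', which sorts before 'a', so
    1.0.1 < 1.0.1a < ... < 1.0.1g as OpenSSL intends.
    """
    m = re.fullmatch(r"(\d+)\.(\d+)\.(\d+)([a-z]?)", version)
    if not m:
        raise ValueError(f"unrecognised version string: {version!r}")
    major, minor, patch, letter = m.groups()
    return (int(major), int(minor), int(patch), letter)


def is_affected(component, advisory):
    """True if the component falls inside the advisory's affected range."""
    if component.name != advisory.component:
        return False
    v = parse_openssl_version(component.version)
    lo = parse_openssl_version(advisory.affected_min)
    hi = parse_openssl_version(advisory.affected_max)
    return lo <= v <= hi


def find_affected(inventory, advisories):
    """Match the whole inventory against a list of advisories.

    Returns (host, component, version, vuln_id, fixed_in) tuples, in
    inventory order, so the result can drive a ticket or notification.
    """
    findings = []
    for comp in inventory:
        for adv in advisories:
            if is_affected(comp, adv):
                findings.append(
                    (comp.host, comp.name, comp.version, adv.vuln_id, adv.fixed_in)
                )
    return findings


def notifications(findings):
    """Render one actionable line per finding for the responsible team."""
    return [
        f"{host}: {name} {version} is affected by {vuln_id}; upgrade to {fixed_in}"
        for host, name, version, vuln_id, fixed_in in findings
    ]


# Publicly documented Heartbleed facts: OpenSSL 1.0.1 to 1.0.1f, fixed in 1.0.1g.
HEARTBLEED = Advisory("CVE-2014-0160", "openssl", "1.0.1", "1.0.1f", "1.0.1g")

# Constructed sample inventory (hypothetical hosts, not real data).
INVENTORY = [
    Component("web-01", "openssl", "1.0.1e"),      # affected
    Component("web-02", "openssl", "1.0.1g"),      # already patched
    Component("mail-01", "openssl", "1.0.0"),      # 1.0.0 branch predates the heartbeat code
    Component("vpn-01", "openssl", "1.0.1"),       # first affected release
    Component("db-01", "postgresql", "9.3.4"),     # different component, never considered
]


if __name__ == "__main__":
    for line in notifications(find_affected(INVENTORY, [HEARTBLEED])):
        print(line)
```

Run as-is it lists `web-01` and `vpn-01` as needing the 1.0.1g upgrade and stays silent about the patched, older-branch and unrelated entries. The point the quote makes is visible in the structure: the inventory is collected continuously, before any advisory exists, so when a new advisory arrives the only work left is a lookup rather than a scramble to discover what is deployed.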