A recent study details that existing cybersecurity risk frameworks fall short in addressing the tactics attackers used to compromise high-profile software, including SolarWinds, log4j, and XZ Utils. The researchers report that while 114 attack techniques can be mapped to tasks in 10 frameworks, three critical gaps remain unaddressed: the sustainability of open-source software, environmental scanning tools, and the effective reporting of vulnerabilities by application partners. Experts emphasize that no single framework can guarantee complete security, advising DevOps leaders to engage across their organizations to fill these gaps and strengthen overall cybersecurity efforts.
Current cybersecurity risk frameworks inadequately address the attacker tactics that led to the compromise of SolarWinds and other applications, so additional critical tasks are needed.
The researchers identified three crucial mitigation factors missing from existing frameworks: ensuring the sustainability of open-source software, environmental scanning, and vulnerability reporting.
According to Johannes Ullrich, 'None of the frameworks is perfect... DevOps leaders must talk to the rest of the enterprise to see where the gaps are that they need to fill.'
The study found a disconnect between recommended tasks in existing frameworks and actual threats, highlighting that no single approach can secure the software supply chain.