The hackers who compromised SolarWind’s Orion network-performance monitoring software pulled off one of the most thorough compromises of a target that has ever been carried out, and they did this by subverting a vendor’s software supply chain.
The attack has made thinking about (or at least talking about) the security of software supply chains trendy. Lots of meetings are being held to discuss the topic. I have already sat—or rather, Zoomed—through many.
Many enterprises are requiring all of their software vendors to fill out long questionnaires of dubious value so that they can reassure their auditors that they have taken commercially reasonable steps to ensure that they haven’t suffered a similar compromise. Software vendors in turn are requiring their subcontractors to fill out such questionnaires, and so on and so on.
It’s not hard to imagine this trickling down to the developers, who, because they can’t make someone else fill out a long questionnaire, will instead annoy the people at fast food drive-through windows by asking them about their supply chains.
“Hello, sir, may I take your…
