Open Source Security Incidents and How Organizations Can Respond
Attacks that leverage vulnerabilities in open source software are on the rise. How security teams respond to these incidents is key to what impact they will ultimately have. Oftentimes the attacks stemming from open source vulnerabilities are unpredictable, making them a big challenge for teams.
Despite all the steps a security team takes to defend the organization, “emergency situations are going to come out and we’re going to have to deal with them,” said Jen Trahan, senior vice president of product, application and cloud security at Warner Brothers Discovery.
Many organizations have invested well in incident response tools for identification, containment, eradication, recovery and lessons learned, said Trahan, speaking at a session at the recent RSA Conference virtual seminar on supply chain security.
“The thing that is different about these types of incidents is that they aren’t quite a full blown security incident yet,” but nevertheless such vulnerabilities in software need to be addressed before it’s too late. “You can’t wait till the next seven days to fix this,” Trahan said. “People need to be woken up in the middle of the night to fix this to protect the business.”
An open source vulnerability that results in an attack is more of a business project and less of a security incident, Trahan said. “It’s a business-impacting event; we should be trying to leverage any and all muscle memory we have around [disaster recovery and] any of those mechanisms we have in our organization that exceed just security,” she said. “We can’t just think of this as a security issue.”
As such, security leaders must make business partners and executive leadership within the organization aware of the nature of these incidents and create ways to protect the organization.
One of the most important steps in defending against open source threats is to identify the heads of operational excellence within the organization and other key players to discuss what’s going on and the potential impact, Trahan said.
Another good practice is to establish a new, documented incident response plan or revise an existing one, depending on how the existing plan is laid out. Trahan recommends documenting how teams would handle an open source threat, and getting commitments from all the key players, including executives, technical teams, security teams and others to follow the plan when needed.
It’s also a good idea to leverage a responsibility assignment matrix, also known as a RACI matrix. This is a linear responsibility chart that describes how the various roles participate in completing deliverables or tasks. RACI stands for the four key responsibilities most typically used (responsible, accountable, consulted and informed), and the chart is used to clarify and define roles and responsibilities in cross-functional or departmental processes such as incident response.
RACI is good for assigning risk responsibility and accountability, “and just establishing all those different roles and what the expectations are for them,” Trahan said.