CrowdStrike Reminds Us That Dependency Management is a Major Attack Vector — Jason Michael Perry

I’m sure you’re aware of one of the biggest computer shutdowns ever, which has grounded over 2,000 flights worldwide, shuttered hospitals, retail stores, and who knows what else. All because of a faulty automatic update from CrowdStrike—software ironically meant to protect companies—that’s used by a majority of Fortune 500s.

My take is that this issue has been brewing for some time, driven by two trends: automatic updates and increasing failures in dependency management.

For the non-developers in the room, most modern software is built on tons of dependencies from a combination of open-source and closed-source repositories. When you set up a new project or do an update, a dependency management tool downloads the code from an external source so your application can use it.

Our software has tons of dependencies, much of this to allow us, as developers, to avoid rebuilding logic that’s already been built. Think database connections, complex math operations, image editing tools, charts and more.

In 2016, a developer of a package used by tons of software rage-quit over issues with his package’s name, breaking the Internet and bringing down tons of applications around the world.

This has become an increasingly common attack vector where squatters buy up abandoned packages only to add code that can be used as a back door, or worse, hackers become contributors to popular packages with the goal of injecting malicious code into applications.

While all eyes are on CrowdStrike's mistake, it serves as a reminder that our software has become so complex that auto-updating dependencies without testing, whether security software or operating system updates, on production platforms remains a huge door for vulnerabilities.

IT managers should not let software publish to mission-critical systems, even from their most trusted vendors, without testing and ensuring a ready rollback procedure to get systems quickly up in the case of a failure.
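One concrete way to put the two points above into practice (squatted or republished packages, and nothing reaching production untested) is to gate a release on a lockfile that pins every dependency to an exact version and to the hash of the artifact that was actually tested. The script below is an added example, not code from the original post or from CrowdStrike; it uses the `--hash=sha256:` option syntax of pip requirements files for its lockfile format, and all package names, artifact bytes and hashes in it are constructed for the example.

```python
import hashlib
import re
from dataclasses import dataclass

# Constructed artifact contents standing in for downloaded package files.
# The package names and bytes are made up for this example.
ARTIFACTS = {
    "charts-lib": b"constructed bytes for charts-lib 2.4.1",
    "image-tools": b"constructed bytes for image-tools 1.3.0",
    "mathx": b"constructed bytes for mathx 0.9.3",
}

# Same registry, but charts-lib 2.4.1 has been silently republished with
# different contents (the squatted/republished-package scenario).
TAMPERED_ARTIFACTS = dict(
    ARTIFACTS, **{"charts-lib": b"constructed bytes for a republished charts-lib"}
)


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Constructed lockfile in pip's requirements/--hash style. Only the first
# entry is both version-pinned and hash-pinned.
LOCKFILE = f"""
# exact version plus the hash of the artifact that was actually tested
charts-lib==2.4.1 --hash=sha256:{sha256_hex(ARTIFACTS['charts-lib'])}
# floating range: whatever the registry serves on install day ships to production
image-tools>=1.0
# exact version but no hash: republished 0.9.3 contents would be accepted unnoticed
mathx==0.9.3
"""


@dataclass(frozen=True)
class Finding:
    package: str
    severity: str  # "block" stops the release, "warn" is reported only
    reason: str


EXACT_PIN = re.compile(r"^([A-Za-z0-9][A-Za-z0-9._-]*)\s*==\s*([0-9][A-Za-z0-9.]*)\s*(.*)$")
NAME_ONLY = re.compile(r"^([A-Za-z0-9][A-Za-z0-9._-]*)")
SHA256_OPT = re.compile(r"--hash=sha256:([0-9a-f]{64})")


def audit_lockfile(lockfile: str, artifacts: dict) -> list:
    """Check every requirement line: exact pin, hash present, artifact matches."""
    findings = []
    for raw in lockfile.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        pin = EXACT_PIN.match(line)
        if pin is None:
            name = NAME_ONLY.match(line).group(1)
            findings.append(Finding(name, "block",
                f"not pinned to an exact version ({line!r}); the next install may pull code nobody tested"))
            continue
        name, version, rest = pin.groups()
        expected = set(SHA256_OPT.findall(rest))
        if not expected:
            findings.append(Finding(name, "warn",
                f"{version} is pinned but carries no hash; republished contents would pass"))
            continue
        data = artifacts.get(name)
        if data is None:
            findings.append(Finding(name, "block", "artifact not available for verification"))
        elif sha256_hex(data) not in expected:
            findings.append(Finding(name, "block",
                f"artifact for {version} does not match the hash that was tested"))
    return findings


def release_allowed(findings) -> bool:
    """The release gate: any blocking finding keeps the build off production."""
    return not any(f.severity == "block" for f in findings)


if __name__ == "__main__":
    for f in audit_lockfile(LOCKFILE, ARTIFACTS):
        print(f"[{f.severity}] {f.package}: {f.reason}")
    print("release allowed:", release_allowed(audit_lockfile(LOCKFILE, ARTIFACTS)))
```

Run against the constructed lockfile, the floating `image-tools>=1.0` line blocks the release on its own, `mathx` is flagged for lacking a hash, and the tampered registry is caught because the republished `charts-lib` bytes no longer hash to the value recorded when it was tested. The same gate, applied before any vendor or operating-system update is promoted, is what turns "test first, keep a rollback ready" from advice into an enforced step.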
