Page 104 - Cyber Defense eMagazine August 2024
The Unsolvable Problem: XZ and Modern Infrastructure
By Josh Bressers, Vice President of Security, Anchore
The ongoing prevalence (and rise) of software supply chain attacks is enough to keep any software developer or security analyst up at night. The recent XZ backdoor attack is finally behind us, and fortunately the backdoored library never reached widespread deployment. If you hadn’t heard, this software supply chain attack was a malicious effort that targeted Linux systems, and it had been years in the making. There’s no denying that an event like XZ will happen again, and we may not be so lucky next time. What hasn’t been discussed, though, is that what happened with XZ isn’t a problem we can solve with today’s best practices. So, if we can’t solve the problem of backdoor supply chain attacks, how do we chart a safe route forward?
The Unsolvable Problem
Sometimes reality can be harsh, but the painful truth about this sort of backdoor attack is that there is no solution; we simply don’t know how to solve this one. Many projects and organizations are happy to explain how they keep you safe, or how you can prevent software supply chain attacks by doing this one simple thing. However, the industry as it stands today lacks the ability to prevent an attack created by a motivated and well-resourced threat actor. In fact, the Anchore 2022 Software Supply Chain Security Report
Copyright © 2024, Cyber Defense Magazine. All rights reserved worldwide.