In the last couple of weeks I have seen business relationships sour over bad software security. The two examples I want to put forward for discussion are:
- The ISP Digital Ocean terminated its relationship with mailing list provider MailChimp
- The secure messaging vendor Signal got compromised thanks to a breach with Twilio
Both breaches had larger consequences. In Digital Ocean’s case, MailChimp’s slow response (it took two days) was one of the reasons for switching mailing list providers. Signal had 1900 customer accounts that were at risk and is still using Twilio. Twilio’s breach response has also been criticized in this blog post, and the breach has spilled over elsewhere: Cloudflare announced that 76 of their employees had experienced a similar attack in the same time frame but didn’t fall for it.
What is happening here is a warning sign for every business. This isn’t just a software supply chain issue; it is a subtler question of how you depend on someone else’s software tools in your daily operations. And if basic services such as mailing lists and phone number verification are at risk, what about the more complex components of your software stack?
Here are a few tips. If you use Signal, open Signal Settings > Account > Registration Lock on your phone and make sure it is enabled. This will prevent these kinds of compromises in the future. Update your phone to the latest Signal version as well. Take a moment to review your other third-party software providers and ensure that your APIs have been set up with the most secure authentication options available. This includes cloud storage containers: the latest cloud-native security report from Sysdig found that 73% of cloud accounts contained exposed Amazon S3 buckets with no authentication whatsoever.
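As an added example of the kind of check that last tip calls for (this is not code from the post or from Sysdig), the script below flags S3 buckets whose policy or ACL grants access to anyone. It works offline on policy and ACL documents you have already fetched (for instance with boto3's `get_bucket_policy` and `get_bucket_acl`); the bucket names, account id, role name and ACL documents in it are constructed sample values, not real resources.

```python
"""Offline check for publicly exposed S3 buckets (added example, not from the post).

Assumes bucket policies and ACLs have already been fetched (e.g. with boto3's
get_bucket_policy / get_bucket_acl) and are supplied as plain Python data; the
sample inputs at the bottom are constructed for illustration.
"""
import json

# Canned group URIs that S3 uses in ACLs for anonymous and any-AWS-account access
PUBLIC_ACL_GROUPS = {
    "http://acs.amazonaws.com/groups/global/AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers",
}


def _as_list(value):
    """Policy fields such as Principal, Action and Resource may be a scalar or a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _principal_is_public(principal):
    # "Principal": "*" and {"AWS": "*"} both grant to anyone on the internet
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return "*" in _as_list(principal.get("AWS"))
    return False


def policy_public_statements(policy_json):
    """Return Allow statements whose principal is everyone.

    Statements carrying a Condition (e.g. aws:SourceVpce) are marked
    'conditional' so a reviewer can inspect them rather than assume either way.
    """
    policy = json.loads(policy_json) if isinstance(policy_json, str) else policy_json
    hits = []
    for stmt in _as_list(policy.get("Statement")):
        if stmt.get("Effect") != "Allow":
            continue
        if not _principal_is_public(stmt.get("Principal")):
            continue
        hits.append({
            "sid": stmt.get("Sid", ""),
            "actions": _as_list(stmt.get("Action")),
            "conditional": bool(stmt.get("Condition")),
        })
    return hits


def acl_public_grants(acl):
    """Return (group, permission) pairs granted to AllUsers / AuthenticatedUsers."""
    found = []
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        if grantee.get("Type") == "Group" and grantee.get("URI") in PUBLIC_ACL_GROUPS:
            found.append((grantee["URI"].rsplit("/", 1)[-1], grant.get("Permission")))
    return found


def assess_bucket(name, policy_json=None, acl=None):
    """Summarise one bucket's exposure as 'public', 'conditional' or 'private'."""
    unconditional, conditional = [], []
    for hit in (policy_public_statements(policy_json) if policy_json else []):
        (conditional if hit["conditional"] else unconditional).append(hit)
    grants = acl_public_grants(acl or {})
    if unconditional or grants:
        verdict = "public"
    elif conditional:
        verdict = "conditional"
    else:
        verdict = "private"
    return {"bucket": name, "verdict": verdict,
            "policy_hits": unconditional + conditional, "acl_grants": grants}


# Constructed sample inputs (hypothetical buckets, account id and role)
PUBLIC_READ_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [{
    "Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
    "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-public-bucket/*"}]})

LOCKED_DOWN_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [{
    "Sid": "AppRoleOnly", "Effect": "Allow",
    "Principal": {"AWS": "arn:aws:iam::123456789012:role/app-role"},
    "Action": ["s3:GetObject", "s3:PutObject"],
    "Resource": "arn:aws:s3:::example-private-bucket/*"}]})

ANON_ACL = {"Grants": [{"Grantee": {"Type": "Group",
            "URI": "http://acs.amazonaws.com/groups/global/AllUsers"}, "Permission": "READ"}]}
OWNER_ONLY_ACL = {"Grants": [{"Grantee": {"Type": "CanonicalUser", "ID": "owner-id"},
                              "Permission": "FULL_CONTROL"}]}

if __name__ == "__main__":
    for result in (assess_bucket("example-public-bucket", PUBLIC_READ_POLICY, OWNER_ONLY_ACL),
                   assess_bucket("example-acl-bucket", LOCKED_DOWN_POLICY, ANON_ACL),
                   assess_bucket("example-private-bucket", LOCKED_DOWN_POLICY, OWNER_ONLY_ACL)):
        print(result)
```

The two exposure paths are checked separately because they are configured separately: a bucket with a tight policy can still be world-readable through a legacy ACL grant, and a bucket with no ACL grants can be opened by a single `"Principal": "*"` statement. Wire the output into whatever inventory you already keep of third-party and cloud dependencies, and treat a `conditional` verdict as a review item rather than a pass.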