Karl Fischer, CTO at Obsidian Systems
At the end of March 2024, a backdoor (tracked as CVE-2024-3094) was discovered in the upstream release tarballs of XZ Utils, a collection of open-source tools and libraries for the XZ compression format. The backdoor shipped in versions 5.6.0 and 5.6.1, and the social-engineering campaign that placed it had been running for more than two years. The potentially disastrous implications of this incident, and of any other like it, underscore the importance of continued vigilance in patching all software used in a business environment.
Specifically, the malicious code was inserted during the liblzma build: a modified build script, present in the release tarballs but not in the project's git repository, extracted an obfuscated payload hidden in binary test files and linked it into the library. On systems where sshd loads liblzma (via libsystemd on several Linux distributions), the payload hooks the RSA_public_decrypt function so that an attacker holding a specific private key can execute commands on the host before authentication. The compression format itself was not broken and compressed data was not the target; the real threat was unauthenticated remote code execution on any exposed SSH server. Because the affected releases had only reached rolling and testing distributions (such as Debian unstable, Fedora Rawhide and openSUSE Tumbleweed) and not stable enterprise releases, exposure was limited; the backdoor has since been widely reported and removed.
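As an added example written for this article (not Obsidian Systems' own tooling), the following POSIX shell script performs the two checks responders ran during the incident: whether the installed xz is one of the two backdoored releases, and whether the host's sshd actually loads liblzma, without which the payload has nothing to hook. The sample strings inside it are constructed; the command names xz, ldd and sshd are the standard ones. A version match is a trigger to consult your distribution's advisory rather than proof of compromise on its own, since at least one distribution rebuilt the same version number from clean git sources.

```shell
#!/bin/sh
# Added example for this article (not Obsidian Systems' tooling): a quick host
# check for the XZ Utils backdoor (CVE-2024-3094). Sample strings below are
# constructed; xz, ldd and sshd are the standard command names.

# Exit 0 when the given version string is one of the two backdoored releases.
xz_version_affected() {
    case "$1" in
        5.6.0|5.6.1) return 0 ;;
        *) return 1 ;;
    esac
}

# Pull "5.6.1" out of the first line of `xz --version` ("xz (XZ Utils) 5.6.1").
# Prints nothing if no version-looking token is present on that line.
xz_version_from_output() {
    printf '%s\n' "$1" | sed -n '1s/.*[^0-9.]\([0-9][0-9.]*\).*/\1/p'
}

# Exit 0 when the given `ldd` output shows liblzma being loaded.
sshd_links_liblzma() {
    printf '%s\n' "$1" | grep -q 'liblzma\.so'
}

# Exercise the parsers on constructed strings without touching the host.
self_test() {
    sample_ver='xz (XZ Utils) 5.6.1'                                               # constructed
    sample_ldd='liblzma.so.5 => /lib/x86_64-linux-gnu/liblzma.so.5 (0x00007f0000000000)'  # constructed
    [ "$(xz_version_from_output "$sample_ver")" = "5.6.1" ] &&
    xz_version_affected 5.6.1 &&
    ! xz_version_affected 5.4.6 &&
    sshd_links_liblzma "$sample_ldd"
}

# Run both checks against the real host. Invoke as: sh xz_check.sh --run
run_host_check() {
    ver=$(xz_version_from_output "$(xz --version 2>/dev/null)")
    if [ -n "$ver" ] && xz_version_affected "$ver"; then
        echo "xz $ver is a backdoored release: confirm against your distribution advisory and replace it"
    else
        echo "xz ${ver:-(not installed)} is not one of the backdoored releases"
    fi

    # sshd usually lives in /usr/sbin, which may not be on a non-root PATH.
    sshd_path=$(command -v sshd 2>/dev/null)
    if [ -z "$sshd_path" ] && [ -x /usr/sbin/sshd ]; then sshd_path=/usr/sbin/sshd; fi
    if [ -n "$sshd_path" ] && sshd_links_liblzma "$(ldd "$sshd_path" 2>/dev/null)"; then
        echo "sshd at $sshd_path loads liblzma: the backdoor's code path is reachable here"
    else
        echo "sshd does not load liblzma (or is not installed): the payload could not hook this sshd"
    fi
}

case "${1:-}" in
    --run)       run_host_check ;;
    --self-test) self_test && echo "self-test passed" ;;
esac
```

Run it with `sh xz_check.sh --run` on a host, or `--self-test` to see the parsers work on the constructed samples. The liblzma check matters because distributions whose sshd is not patched to link libsystemd never exposed the hook, even when the tampered library was installed.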
The importance of continuous patching
While the immediate threat from the XZ Utils incident has been mitigated, it serves as a reminder of the necessity for companies to ensure their software is consistently patched and free from known vulnerabilities. Security in software is a moving target. Companies must remain vigilant and proactive in maintaining the security of their systems.
Just as hardware needs maintenance, software needs regular patching: the code itself does not change, but new vulnerabilities in it are found continually, and its dependencies and the threat landscape around it keep moving. The notion of developing software once and expecting it to remain secure indefinitely is unrealistic. All components within the company, especially build tooling, third-party libraries and containerised solutions, must come from trusted sources and be verified against them; the XZ backdoor lived in a release tarball that did not match the project's public git repository, which is exactly the kind of discrepancy that pinned, checksummed dependencies bring to light. Open source helps here because more eyes can spot and fix security gaps, but XZ also shows that this is not automatic: the backdoor was caught by an engineer investigating unexpected sshd latency and CPU usage, not by code review.
A culture change
How quickly a company responds when a vulnerability and its patch are published reflects its culture. Adopting new best practices and recognising that new vulnerabilities emerge constantly is essential. Best practices mitigate risk only to a certain extent, so the approach must be dynamic and continuous.
Security cannot be a one-time checkbox. Continuous vulnerability scanning, and processes that ensure its findings are acted on, are necessary steps. Companies must be aware of the vulnerabilities they face and adapt their strategies accordingly. The XZ backdoor is a clear example of why this is essential to maintaining the security and integrity of software systems.
At Obsidian Systems, we understand the importance of staying ahead in the security landscape. By fostering a culture of continuous improvement, ongoing monitoring, and identifying more innovative ways to ensure security compliance, we aim to protect our digital infrastructure from unseen threats.
Obsidian Systems is an established supplier of Open Source software solutions. The company was started in 1995 as a modest services provider targeting businesses and organisations looking to integrate and leverage Linux infrastructure.
Subsequently, the organisation has expanded by partnering with Autumn Leaf and RadixTrie.
The expansion of skills has seen the establishment of a formidable team finding ‘smarter’ ways to align our expertise for Enterprise Open Source solutions for you. This includes retail and subscription services; support and observability for managed services; consulting, architecting and software services across hybrid IT models for your business.
Obsidian Systems and its subsidiaries, Autumn Leaf and RadixTrie, strive to bring three legs to the South African market: the first being vendor-certified products; the second being local skills providing consulting, development, support and training; and the third being innovative offerings built on the latest open technology. With these three elements, any organisation can trust the enterprise open source solution provided.