W.H.I.S Bite-Size #2
Vendor Bugs May Come Back to Bite Them

Let’s run through some important stories you may have missed over the last couple of weeks with WHIS Bite-Size. Give the newsletter a share if you know someone who’d enjoy this content!
Rapidfire
Recent headlines about researchers breaking “military grade encryption” with quantum computers weren’t much more than that: headlines.
Your quarterly reminder to read past the headline.
Riding the growing demand for attack surface management as companies keep moving to the cloud, Armis Security raised $200 million at a $4.3 billion valuation.
If you buy something off Amazon and it doesn’t work as intended, you might get refunded. If you order some food at a restaurant and there’s an issue, they might remake it for you. If you buy a piece of software and a vulnerability in it leads to your data being leaked, you swear a bit and move on.
A recent directive from the EU aims to change that. It lays out strict rules protecting individuals (read: not businesses) from defective software. Under the directive, an individual can claim damages caused by a defective product without having to prove negligence on the vendor’s side.
The bar is high: a vendor can only escape liability if the “objective state of scientific and technical knowledge” at the time the software was released was insufficient to discover the defect.
This is a very complicated topic (as illustrated by Biden’s struggles to pass similar legislation), and the hope is that carving out a niche for individuals will help inform how enterprise damages are handled in the future. Moreover, as vendors are forced to adopt a higher standard for their development processes, there may be a knock-on effect: enterprise software could be compelled to adopt the same standard to avoid falling behind.
Beginning in early September, Microsoft failed to completely capture customer logging data (a record of activity in its services) for about two weeks. According to Joao Ferreira from Microsoft, the bug was introduced when an engineering team attempted to fix a different logging-related bug.
Poor disclosure from Microsoft is nothing new, and apparently at least two affected customers were not notified when Microsoft initially alerted customers to the issue.
Logs may not be the most exciting thing to think about, but they are incredibly important. They record things like when and from where a user logged in and whether they changed any files. In a security investigation that information can be invaluable, and a gap in it can let an intrusion go undetected for as long as the gap lasts. The lesson for defenders is to monitor the log feed itself: if a source that normally produces events every few minutes goes quiet, that silence is a finding in its own right, whether the cause is a vendor bug or an attacker tampering with logging.
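As an added example (not code from the newsletter or from Microsoft), here is a small log-silence detector of the kind that would have flagged the outage described above. It groups records by source, sorts them by timestamp, and reports any interval between consecutive records, or between the last record and "now", that exceeds a per-source tolerance. The JSON log lines, the source names and the timestamps are all constructed for illustration; the field names `source`, `ts` and `event` are assumptions, not any vendor's schema.

```python
"""Detect silent gaps in a log feed.

Added example, not from the newsletter or from Microsoft. The sample feed,
the source names and the record schema ("source", "ts", "event") are all
constructed for illustration.
"""
from collections import defaultdict
from datetime import datetime, timedelta, timezone
import json

# Constructed sample feed: one JSON record per line, as a SIEM might receive
# them. "source" is the tenant/log pipeline, "ts" an ISO-8601 UTC timestamp.
# tenant-a goes silent for two weeks in early September; tenant-b stops
# entirely after three records.
SAMPLE_FEED = """\
{"source": "tenant-a/signin", "ts": "2024-09-02T00:00:00Z", "event": "UserLoggedIn"}
{"source": "tenant-a/signin", "ts": "2024-09-02T00:10:00Z", "event": "UserLoggedIn"}
{"source": "tenant-a/signin", "ts": "2024-09-02T00:20:00Z", "event": "FileModified"}
{"source": "tenant-a/signin", "ts": "2024-09-16T08:00:00Z", "event": "UserLoggedIn"}
{"source": "tenant-b/signin", "ts": "2024-09-02T00:00:00Z", "event": "UserLoggedIn"}
{"source": "tenant-b/signin", "ts": "2024-09-02T00:15:00Z", "event": "UserLoggedIn"}
{"source": "tenant-b/signin", "ts": "2024-09-02T00:30:00Z", "event": "UserLoggedIn"}
"""


def _parse_ts(value):
    # datetime.fromisoformat() only accepts a trailing "Z" on Python 3.11+,
    # so normalise it to an explicit UTC offset first.
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def parse_feed(text):
    """Group record timestamps by source. Blank lines are ignored."""
    by_source = defaultdict(list)
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        rec = json.loads(line)
        by_source[rec["source"]].append(_parse_ts(rec["ts"]))
    return by_source


def find_gaps(by_source, max_silence, now=None):
    """Return (source, start, end, seconds) for every silence longer than max_silence.

    When `now` is given, the interval from each source's last record to `now`
    is checked too, so a source that stopped completely is reported rather
    than only one that paused and resumed.
    """
    gaps = []
    for source, stamps in by_source.items():
        stamps = sorted(stamps)
        bounds = list(zip(stamps, stamps[1:]))
        if now is not None:
            bounds.append((stamps[-1], now))
        for start, end in bounds:
            delta = end - start
            if delta > max_silence:
                gaps.append((source, start, end, int(delta.total_seconds())))
    return gaps


def gap_report(text, max_silence_hours=1, now_iso=None):
    """Convenience wrapper returning plain tuples: (source, start_iso, end_iso, seconds)."""
    now = _parse_ts(now_iso) if now_iso else None
    gaps = find_gaps(parse_feed(text), timedelta(hours=max_silence_hours), now)
    return [(s, a.isoformat(), b.isoformat(), n) for s, a, b, n in gaps]


if __name__ == "__main__":
    # Evaluate the feed as of 2024-09-17 00:00 UTC with a one-hour tolerance.
    for source, start, end, secs in gap_report(SAMPLE_FEED, 1, "2024-09-17T00:00:00Z"):
        print(f"{source}: no records for {secs // 3600}h between {start} and {end}")
```

In practice the tolerance should be derived per source from its observed baseline rather than a single fixed value, and the check should run on a schedule so that a source which stops entirely is caught by the "last record to now" branch rather than waiting for the feed to resume.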
Thanks for taking the time to read this week’s bite-sized newsletter. Reach out to me on LinkedIn if you want to chat more. See you in the next one!