Microsoft Fights Back


  • Very timely, Steve. We don't use feature flags here, but I'm thinking seriously of introducing them. I handle the application build & release. Right now, it's a manual process where I must get into TFS and change the setting on a task in the Release portion (we're working with an old version of TFS). This is error prone, as I tend to forget to change it before running a build/release, or I'll change that setting and forget to change it back after releasing a new version of software.

    Martin Fowler's article is long, but I intend to read it and then present the idea to my team.

    Kindest Regards, Rod. Connect with me on LinkedIn.

  • Dang, that article by Martin Fowler is a novella. Interesting reading, though.

    Rod

  • My understanding of the SolarWinds hack is that the password to the FTP site used for software releases (SolarWinds123) was inadvertently leaked on the web, because they re-used the same password in another public open source project. A hacker downloaded the executable package, infected it with a trojan, and then re-uploaded it to the FTP site, where it was subsequently deployed by SolarWinds clients. It wasn't really an exploit of a software back door or Windows vulnerability - just a really bad password and poorly implemented DevOps release process on the part of SolarWinds. It's equivalent to a bank leaving the key under the mat and then not paying attention to who is coming and going.

    "Do not seek to follow in the footsteps of the wise. Instead, seek what they sought." - Matsuo Basho

  • I don't know exactly how they got in, but from my understanding, this wasn't an exe replacement, it was a change of code. Perhaps it was a new DLL or some similar change, but attackers got into the software pipeline.

    Whether this was FTP, social engineering, or some attack to access the source code, it's still an issue that needs to be addressed by any organization.
