At the end of March, a critical security breach was discovered within the upstream source code of XZ Utils, a collection of open-source tools and libraries for the XZ compression format.

Karl Fischer, chief technology officer at Obsidian Systems

The breach affected versions 5.6.0 and 5.6.1 and spanned nearly three years. The potential disastrous implications of this breach, and any other, underscore the importance of continued vigilance in patching all software used in a business environment.

Specifically, this breach involved a sophisticated infiltration of malicious code that compromised the liblzma build process. This allowed data to be intercepted and modified, posing a significant threat to the integrity of compressed data.

The ability to leak information about what was compressed, as well as being able to decrypt communications, highlights the severity of this breach. Although primarily affecting developers, the breach has now been widely reported and fixed.

The importance of continuous patching

While the immediate threat from the XZ Utils incident has been mitigated, it serves as a reminder of the necessity for companies to ensure their software is consistently patched and free from known vulnerabilities. Security in software is a moving target. Companies must remain vigilant and proactive in maintaining the security of their systems.

Just as is the case with hardware, software inherently degrades over time. Maintenance must be done with regular patches. The notion of developing software once and expecting it to remain secure indefinitely is unrealistic.

All components within the company, especially those used in building software or using libraries and containerised solutions, must come from trusted sources. This is particularly critical in open-source software, where more eyes on the code can help spot and fix security gaps.

A culture change

How quickly a company responds to breaches and the availability of patches reflects its culture. Adopting new best practices and recognising that new vulnerabilities emerge consistently is essential. Mitigating risks to a certain extent through best practices is crucial, but the approach must be dynamic and continuous.

Security cannot be a one-time checkbox. Continuous vulnerability scanning and having processes in place to ensure compliance are necessary steps. Companies must be aware of the vulnerabilities they face and adapt their strategies accordingly. The XZ breach is a clear example of why this is essential when it comes to maintaining the security and integrity of software systems.