{"href":"http://player.captivate.fm/services/oembed?url=http%3A%2F%2Fplayer.captivate.fm%2Fepisode%2F727a6be9-f685-4d0a-8240-d1ebf585339f","version":"1.0","provider_name":"Captivate.FM","provider_url":"https://www.captivate.fm","width":600,"height":200,"type":"rich","html":"<iframe style=\"width: 100%; height: 200px;\" title=\"Securing the software supply chain, with Kim Lewandowski\" frameborder=\"0\" scrolling=\"no\" allow=\"clipboard-write\" seamless src=\"http://player.captivate.fm/episode/727a6be9-f685-4d0a-8240-d1ebf585339f\"></iframe>","title":"Securing the software supply chain, with Kim Lewandowski","description":"At the start of the global coronavirus pandemic, nearly everyone was forced to learn about the \"supply chain.\" Immediate stockpiling by an alarmed (and from a smaller share, opportunistic) public led to an almost overnight disappearance of hand sanitizer, bottled water, toilet paper, and face masks.\nIn time, those items returned to stores. But then a big ship got stuck in the Suez, and once again, we learned even more about the vulnerability of supply chains. They can handle little stress. They can be derailed with one major accident. They spread farther than we know.\nWhile the calamity in the canal involved many lessons, there was another story in late 2020 that required careful study in cyberspace\u2014an attack on the digital supply chain.\nThat year, attackers breached a network management tool called Orion, which is developed by the Texas-based company SolarWinds. Months before the attack was caught, the attackers swapped malicious code into a legitimately produced security update from SolarWinds. This malicious code gave the attackers a backdoor into every Orion customer who both downloaded and deployed the update and who had their servers connected online. Though the initial number of customers who downloaded the update was about 18,000 companies, the number of customers infected with the attackers\u2019 malware was far lower, somewhere around 100 companies and about a dozen government agencies.\nThis attack, which did involve a breach of a company, had a broader focus\u2014the many, many clients of that one company. This was an attack on the software supply chain, and since that major event, similar attacks have happened again and again.\nToday, on the Lock and Code podcast with host David Ruiz, we speak with Kim Lewandowski, founder and head of product at Chainguard, about the software supply chain, its vulnerabilities, and how we can fix it.\nShow notes, resources, and credits:\nKubernetes diagram:\nhttps://user-images.githubusercontent.com/622577/170547400-ef9e2ef8-e35b-46df-adee-057cbce847d1.svg\nIntro Music: \u201cSpellbound\u201d by Kevin MacLeod (incompetech.com)Licensed under Creative Commons: By Attribution 4.0 Licensehttp://creativecommons.org/licenses/by/4.0/Outro Music: \u201cGood God\u201d by Wowa (unminus.com)\n\u00a0","thumbnail_width":300,"thumbnail_height":300,"thumbnail_url":"https://artwork.captivate.fm/24dc2a72-95f0-4667-8028-2e182c4a56d9/lock-and-code-logo-2021-ar2rs.jpg"}