Dellfer Insights: Sixth Edition

December 2023

Welcome to the sixth edition of Dellfer Insights, a series curated by our VP of Channels, Shawn Lorenz. The series highlights notable industry news, key takeaways, and why each matters in combating the next cyberattack. This month, we loop back to our previous coverage of CISA’s argument for using memory-safe languages; we look at the impact of the SEC lawsuit against SolarWinds and what the future holds. Lastly, we review the recent attacks on Okta, Cisco, VMware, NXP, Fortinet, and Citrix. Enough? Let’s get to it.

💡Dellfer Insight #1: 

The results are in. Embedded engineers take a stand – With over 70% of vulnerabilities stemming from memory safety issues, developers must prioritize writing memory-safe code in the C/C++ they already use, rather than switching languages. This newsletter explores why memory safety remains a top concern and addresses the ongoing debate about alternative languages such as Rust.

As highlighted in a previous Dellfer Insight post, the Cybersecurity and Infrastructure Security Agency (CISA) advocated considering alternative languages, predominantly Rust, to mitigate the roughly 70% of vulnerabilities reported by tech giants like Microsoft and Google that are attributed to memory-safety flaws.
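To make the “memory safety issue” behind that 70% figure concrete, here is an added example in C (not code from Dellfer, CISA or the Reddit thread): a classic unchecked copy into a fixed-size field beside a bounds-checked version of the same operation. The `struct device`, field names, constants and sample strings are constructed for illustration; the defect class itself, an out-of-bounds write caused by trusting the caller’s string length, is the kind of spatial memory-safety bug the reports count.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed example: a small fixed-size record of the kind an embedded
 * device might keep. The field after name[] is what an overflow tramples. */
#define NAME_LEN 16

struct device {
    char name[NAME_LEN];
    uint32_t flags;          /* laid out right after name[] in memory */
};

/* Defective version (kept only to show the bug class; never call it with
 * untrusted input): strcpy trusts the caller's string length, so any source
 * of NAME_LEN or more bytes writes past name[] into flags and beyond. */
void set_name_unchecked(struct device *d, const char *src)
{
    strcpy(d->name, src);
}

/* Bounded length: reads at most max bytes of s, unlike strlen(), so an
 * unterminated input cannot make the measurement itself run off the end. */
static size_t bounded_len(const char *s, size_t max)
{
    size_t n = 0;
    while (n < max && s[n] != '\0')
        n++;
    return n;
}

/* Hardened version: measure against the destination's real size, reject
 * anything that would not fit together with its terminator, and only then
 * copy. Returns 0 on success, -1 on rejected input; the record is left
 * untouched on -1 so callers can keep the previous good state. */
int set_name_checked(struct device *d, const char *src)
{
    if (d == NULL || src == NULL)
        return -1;

    /* Look at no more than sizeof(d->name) bytes. If no terminator was found
     * within that many, the input is too long (or not a string at all). */
    size_t n = bounded_len(src, sizeof d->name);
    if (n >= sizeof d->name)
        return -1;               /* would overflow, or leave no room for '\0' */

    memcpy(d->name, src, n);
    d->name[n] = '\0';
    return 0;
}

/* Worked scenario: a 9-byte name is accepted, an oversized one is rejected,
 * and the neighbouring flags word survives both attempts. Returns 1 if so. */
int checked_update_preserves_flags(void)
{
    struct device d = { "", 0xA5A5A5A5u };

    if (set_name_checked(&d, "sensor-01") != 0)
        return 0;
    if (set_name_checked(&d, "this-name-is-far-too-long-for-the-field") != -1)
        return 0;
    return strcmp(d.name, "sensor-01") == 0 && d.flags == 0xA5A5A5A5u;
}

int main(void)
{
    printf("checked path preserves neighbouring field: %s\n",
           checked_update_preserves_flags() ? "yes" : "no");
    return 0;
}
```

The difference between the two functions is the entire point of the memory-safety debate: a language with enforced bounds rejects the first version at compile time or panics at run time, whereas in C the check has to be written (and reviewed, and tested) by hand at every such copy. Note also that the hardened version refuses an input of exactly `NAME_LEN` characters, because a string that fills the buffer leaves no room for its terminator; off-by-one errors at that boundary are as common as outright overflows.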

This week, an embedded developer group on Reddit had the opportunity to respond to a career-oriented question: “Is it still valid to learn C++?” The group’s response was swift and pointed:

  • “Rust fan here. I love Rust, but there’s a zero chance that Rust will make C++ (or C) obsolete in the foreseeable future.”
  • “If you’re into embedded. If you need a system-level language, C++ and his older brother C are still THE languages to learn.”
  • “End of C++ is like nuclear fusion, always a few years away.”
  • “It’ll be 30 years before Rust might be more mainstream. Even then, C++ will probably be more common than it is now with future higher performance processors, and C will no doubt still be chugging along and embedded king.”
  • “I haven’t seen Rust in an embedded code-base so far. I even floated the idea for a greenfield project at work, but there was immense resistance. It’s especially uphill if your software has to integrate into someone else’s system where they dictate libs and resource budgets (like flash). Also, Carbon and Jai aren’t even worth considering at the moment.”
  • “Not any time soon. This isn’t web development; we don’t change languages/frameworks/patterns every other week here.”

Key Takeaway:

CISA’s position on memory-safe language training was shaped by an audience of Carnegie Mellon CS undergraduates and professors, to whom CISA Director Jen Easterly argued for better CS curricula. “How can we tackle this challenge?” Ms. Easterly asks. “What if we start a formal program – with material funding, incentives for professors, goals, an executive sponsor, and metrics – to migrate course materials to use memory-safe languages?” This emphasis on languages, rather than on development practices, is not finding traction in the embedded developer community.

Why It Matters:

Dellfer’s ZeroDayGuard is integrated into C/C++ source code, making C/C++ source code memory safe. Dellfer is the best development tool for embedded systems if you want to clean your existing code and implement safer development and deployment practices for the future. Let me repeat that. Dellfer’s ZeroDayGuard integrates into your C/C++ source code, making your C/C++ source code memory safe and correcting the years of ignoring security for embedded applications.

💡Dellfer Insight #2: 

SolarWinds is being sued by the Securities and Exchange Commission (SEC). Is this the beginning of the end or the end of the beginning?

What happened? On October 30, the SEC filed a first-of-its-kind lawsuit against SolarWinds and its CISO. The SEC alleged that SolarWinds failed to have adequate internal controls and made misleading statements in its public filings, in violation of the federal securities laws of 1933 and 1934. SolarWinds says the SEC ‘lacks competence’ to regulate cybersecurity and will defend itself in court.

A little history: As reported in a 2021 New York Times opinion article, SolarWinds’ approach to cybersecurity was inadequate, leading to major data breaches. The company’s use of cost-effective overseas software engineers, lax password management, and failure to heed security warnings allowed Russian and Chinese hackers to infiltrate its systems and access sensitive data. Misaligned corporate incentives to underinvest in cybersecurity and transfer the risk to customers who ‘won’t notice unless they have been attacked’ call for government intervention. Companies need to pay the true costs of their insecurities through a combination of laws, regulations, and legal liability.

Key Takeaway:

Timing. Tired of boilerplate disclosures and gamesmanship from public companies more concerned with protecting their reputations than their shareholders and customers, the SEC says it’s time to get tough. On December 15th, 2023, the new SEC regulations go into effect, calling for disclosure of material cybersecurity vulnerabilities, including security processes, within four days of discovery.

Playing Catch-up. The bad guys are far ahead of their victims. MeridianLink, a financial-services software provider for banks, was recently reported to the SEC by the ALPHV/BlackCat ransomware operation for not responding to its ransom demands quickly enough. Seriously. They are better at this than you are.

Why It Matters:

All of these reporting and transparency outcomes are reactive, not proactive. Dellfer’s ZeroDayGuard removes all known exploits before you ship. Real-time monitoring catches all unknown exploits after you ship. No vulnerability in Dellferized code, at any level, rises to being “material”, because we not only capture the attack, we shut it down. Schedule a discussion with Dellfer today.

💡Dellfer Insight #3: 

In the “late is sometimes the same as never” department, we do a quick round-robin of recent attacks on our favorite networking vendors.

The last several months have been very busy if you are a hacker, and even more hectic if you are a cybersecurity professional playing the role of the good guy.

Key Takeaway:

Patch faster, fix faster is dead. “To say that our cybersecurity solution is at least in part, patch faster, fix faster, that is a failed model,” Goldstein, the executive assistant director for cybersecurity at CISA, said at an event held by the nonprofit International Information System Security Certification Consortium. “It is a model that does not account for the capability and the acceleration of the adversaries who we’re up against.”

Why It Matters:

As widely promoted, Dellfer’s ZeroDayGuard is essential for infrastructure technology companies in defeating all known and unknown attacks. The intangible benefit of having no false positives gives our users a sense of legitimacy that first-generation scanning tools are missing. However, a missing piece of the discussion is the importance of beating hackers’ persistence beyond patches. If this is a topic you would like to discuss further, reach out to us.
