Supply chain vulnerability

We have many clients who have their own software, or who have custom software written for their website or web apps by developers. Those developers may or may not reuse code or modules written by third-party developers and sourced through a software repository such as GitHub or NPM. It is also very likely that these developers use GitHub or NPM, or a similar service, as the tool in which they develop and update their own code.

So any breach of a code development service or repository is very serious for every developer using the service, and for the clients of those developers. The impact is even greater if the threat actors can compromise the certificates the service uses to sign the software it ships to developers, because that is what those developers rely on to verify the software is genuine. This happened to GitHub, where cloned repositories contained the code-signing certificates for GitHub Desktop and Atom:

GitHub says hackers cloned code-signing certificates in breached repository | Ars Technica

The compromised certificates have been revoked and replaced, so this particular exposure is now closed. Revocation cuts both ways, though: builds signed with the revoked certificates stop validating, which is why GitHub told users of the affected GitHub Desktop and Atom versions to update. The incident illustrates why you need to know how your code or website developer works, so that if this situation arises again you will know your own and your clients' exposure to it.

My advice: either you or your IT support need to check whether issues like this affect your systems. You need a master document that details your systems: hardware, software, online services, networks, back-ups, suppliers and so on, including the third-party code your software depends on and where it came from. Then, when a cyber security (or operational) issue arises, you and your support teams can quickly check whether you are affected and take fast, effective action.
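One concrete piece of that master document is an inventory of the third-party modules a developer has pulled into a project, so that when an advisory names a package or a source you can check exposure in minutes rather than asking around. The script below is an added example written for this article, not code from the author, GitHub or npm. It reads an npm package-lock.json (lockfileVersion 2 or 3), lists every installed module with its version, download source and pinned integrity hash, flags which ones are direct dependencies, and then checks the inventory against a list of affected package versions. The lock file, package names and the advisory list are all constructed for illustration and do not refer to any real incident.

```python
"""Build a third-party dependency inventory from an npm package-lock.json
and check it against an advisory list. Added example; the lock file and
package names below are constructed and do not describe real packages."""
from __future__ import annotations

import json
from dataclasses import dataclass
from urllib.parse import urlsplit

# Constructed sample lock file in the lockfileVersion 3 layout, where the
# "packages" map has one entry per installed path and "" is the project itself.
SAMPLE_LOCK = json.dumps({
    "name": "client-site",
    "lockfileVersion": 3,
    "packages": {
        "": {
            "name": "client-site",
            "dependencies": {"widget-lib": "^1.2.0"},
            "devDependencies": {"build-tool": "^4.0.0"},
        },
        "node_modules/widget-lib": {
            "version": "1.2.3",
            "resolved": "https://registry.npmjs.org/widget-lib/-/widget-lib-1.2.3.tgz",
            "integrity": "sha512-AAAA",
            "dependencies": {"tiny-helper": "^0.3.0"},
        },
        "node_modules/tiny-helper": {
            "version": "0.3.1",
            "resolved": "https://registry.npmjs.org/tiny-helper/-/tiny-helper-0.3.1.tgz",
            "integrity": "sha512-BBBB",
        },
        # A dependency fetched straight from a git host, with no integrity hash.
        "node_modules/build-tool": {
            "version": "4.0.2",
            "resolved": "git+ssh://git@github.com/example-org/build-tool.git#abc123",
            "dev": True,
        },
    },
})


@dataclass(frozen=True)
class Dependency:
    name: str
    version: str
    source: str     # host the code was fetched from, or "unknown"
    integrity: str  # pinned hash from the lock file, "" if absent
    direct: bool    # listed in the project's own package.json
    dev: bool       # development-only dependency


def inventory(lock_json: str) -> list[Dependency]:
    """Return one Dependency per installed module, in lock-file order."""
    lock = json.loads(lock_json)
    if lock.get("lockfileVersion", 0) < 2:
        raise ValueError("only lockfileVersion 2/3 (with a 'packages' map) is handled")
    packages = lock["packages"]
    root = packages.get("", {})
    direct = set(root.get("dependencies", {})) | set(root.get("devDependencies", {}))
    deps = []
    for path, meta in packages.items():
        if path == "":
            continue
        # Nested installs look like node_modules/a/node_modules/@scope/b;
        # the package name is everything after the last "node_modules/".
        name = path.rsplit("node_modules/", 1)[1]
        resolved = meta.get("resolved", "")
        host = urlsplit(resolved).hostname if "://" in resolved else None
        deps.append(Dependency(
            name=name,
            version=meta.get("version", ""),
            source=host or "unknown",
            integrity=meta.get("integrity", ""),
            direct=name in direct,
            dev=bool(meta.get("dev", False)),
        ))
    return deps


def affected(deps: list[Dependency], advisory: dict[str, set[str]]) -> list[str]:
    """Return 'name@version' for every installed module named in the advisory.

    advisory maps a package name to the set of affected versions; an empty
    set means every version of that package is affected."""
    hits = []
    for d in deps:
        versions = advisory.get(d.name)
        if versions is not None and (not versions or d.version in versions):
            hits.append(f"{d.name}@{d.version}")
    return hits


def unpinned(deps: list[Dependency]) -> list[str]:
    """Modules with no integrity hash: npm cannot verify what it downloaded."""
    return [f"{d.name}@{d.version}" for d in deps if not d.integrity]


if __name__ == "__main__":
    deps = inventory(SAMPLE_LOCK)
    for d in deps:
        kind = "direct" if d.direct else "transitive"
        print(f"{d.name}@{d.version} from {d.source} ({kind}{', dev' if d.dev else ''})")
    # Hypothetical advisory naming a transitive dependency.
    print("affected:", affected(deps, {"tiny-helper": {"0.3.1"}}))
    print("no integrity hash:", unpinned(deps))
```

Run it against a real project by replacing SAMPLE_LOCK with the contents of that project's package-lock.json. The two checks at the end are the ones that matter in an incident: `affected` answers "do we ship the named package?" including transitive dependencies a developer never chose deliberately, and `unpinned` lists modules pulled from a source with no integrity hash, which is exactly the kind of dependency you would want to re-verify if that source reported a breach.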

You have asked these questions, haven't you?

Clive Catton MSc (Cyber Security) – by-line and other articles

Further Reading

How much are you relying on your web designer to protect your reputation? – CyberAwake
