A lesson from Juniper. What’s in your software?

Frankly, I'm surprised. Is it the revelation that Juniper had "unauthorized code" in their Netscreen product? Is it that a third party could reportedly remotely access these systems? Is it that VPN traffic could be decrypted?

Nope. In fact, none of the above.
The part of this story that really caught my attention was the fact that this is, for all intents and purposes, the first time we're hearing about something like this in a security product. Yes, we've heard of mistakes before, OpenSSL being one example.

From Juniper:

During a recent internal code review, Juniper discovered unauthorized code in ScreenOS that could allow a knowledgeable attacker to gain administrative access to NetScreen® devices and to decrypt VPN connections. Once we identified these vulnerabilities, we launched an investigation into the matter, and worked to develop and issue patched releases for the latest versions of ScreenOS.

At this time, we have not received any reports of these vulnerabilities being exploited; however, we strongly recommend that customers update their systems and apply the patched releases with the highest priority.

Having lived through incidents of varying degrees during my tenure at other jobs, I can't join the rest in warming my hands over the smoldering wreckage of this incident. This isn't a time to satiate your Schadenfreude. Rather, this is as good a time as any to set down the Star Wars tickets and consider this idea. Can you say with certainty that your software doesn't have a similar problem lurking in the lines of code?

While this is a failure, it does none of us any good to start slinging mud. The glass walls couldn't take it. We need to take this as a teaching moment. Have you assessed the security of your own digital supply chain? Many companies these days outsource some of their software development to offshore development shops. These types of companies are easy to find and rather affordable. The problem lies in the fact that not all of the code submitted is necessarily reviewed.

I once worked with a company that did not check the code that was submitted by their business partner. They could have been embedding an entire copy of Flight Simulator in the code and they would never have been the wiser. No, I don't think that this is the case with Juniper.

I do have questions, as we all do, as to how it happened and I think that will be borne out with time. I have to give Juniper credit for taking the point of the sword, pressing it against their chest and falling forward. It is never an easy task for a company to issue their mea culpas and we need to be sure we take to heart the lesson that this incident offers us.

Most importantly, are you responsible for the administration of Netscreens in your environment? The 'Force Awakens' after you get your systems patched.

Hop to it!