Human Security Awareness to the Rescue

In the tech world’s latest thriller, German code detective Andres Freund, while tinkering with performance tests, unearthed a sneaky plot within the XZ Utils program, the data compression software out of the Linux world. This digital whodunit had all the makings of a cyber catastrophe, with a rogue developer trying to install a backdoor into the internet’s back office. But fear not! Freund, our hero from Microsoft’s San Francisco HQ, caught the digital gremlin in time, saving the day and possibly millions of servers.

The tech community let out a collective sigh of relief, with security guru Satnam Narang declaring, “We really dodged a bullet.” It was a close call that put the spotlight on the unsung heroes of open source software (OSS), those brave souls who volunteer their time and sanity to keep the digital world spinning. These are the folks who, like Lasse Collin, the long-time lone ranger of XZ Utils, juggle code and life’s curveballs, sometimes passing the baton to fresh faces like Jia Tan, who gained significant control over the project by 2023. It turns out that Tan inserted some sneaky code into the project that leaves a backdoor for future access.

The moral of this story is that our friend, Freund, is not a security researcher and does not work for the security team at Microsoft. He’s a regular developer doing his job. But he exhibited a level of security awareness and presence of mind that goes well beyond what we typically see from most developers. We can see the chat between Mr. Freund and other contributors on a Mastodon thread.

The stark reality is that Security personnel at most organizations are outnumbered and outgunned. Done right, Security programs need to systematically rely on their layperson colleagues to “see something, then say something”. As this example shows, it is impossible for the Security team to deeply understand the mechanics of a specific piece of OSS code, like XZ Utils. It’s equally hard for Security teams to understand supplier management or accounting.

The way Security leaders think about security awareness training needs to evolve to reflect these realities. It is the people in the organization who are the best line of defense, as shown to us all over again by Mr. Freund. These people might not be security specialists, but they are far more specialized at what they do than Security teams are. With a dash of awareness, they can help protect us all.