Hacker News

Ninety-nine times out of a hundred, defenders call attacks "genius" as a way of subverting accountability. What makes this particular incident pernicious is that it already had a built-in deflection of accountability --- the responsibility for ensuring that SolarWinds was fit for purpose was diffuse; hundreds of giant companies with large security teams all believed it was someone else's job to verify that SolarWinds could safely deliver its functionality.

I've worked with people who don't operate this way, and who take continuous flak from CIOs for spending resources on verification for COTS IT management tools. But those teams are, in my experience, very rare --- and the SolarWinds hack provides further evidence of that view.

It's not a perfect predictor, but a reasonable rule of thumb: if you've never heard of a vendor's security team, chances are they barely have one. That's obviously true of... most vendors! So you should be careful when you select one for a role as sensitive as fleetwide agent-based monitoring, where a vulnerability or a software supply chain fuckup is going to create mass compromise. This seems so clear to me that it barely counts as insight.

Also, their security team can just be a subgroup of coders who have some idea of how their software executes.

IMHO most sane vendors who want you to install something on your machine make it open source and use existing tools as much as possible. Doing it this way also decreases the chances of some "temporary fix" changes on even otherwise secure software. Companies optimize for money, management tries to align with company values, and engineers often just have to follow it. It's inevitable which trade-offs will be made unless there's some direct negative impact. For everybody selling their time and not being heavily invested, ignoring black swans and basically "eating tons of sugar" is the natural move.


Compare and contrast SolarWinds and Determina, I guess.

