the only interesting part of this whole debacle in my mind is that it highlights what was already fairly obvious. the security of a given environment is only as secure as its weakest link. the entire supply chain for every bit of code that is installed on a machine is a potential vector. if that code happens to run at privilege (like administration software) that vector is shorter. (and that's only if you're considering software) when you think about it, it's staggering.
i suspect we'll be seeing a lot more attention on reproducible and cryptographically secure build environments, similar to the gitian stuff in bitcoin land.
> the only interesting part of this whole debacle... security [...] is only as secure as its weakest link
I agree that it is a staggering debacle; I disagree that the weakest link is the only point of interest.
SolarWinds did not vet its build process and outputs; no antivirus, no government entity, no so-called intelligence agency, no mighty software corporation caught the compromise... for more than six months.
The set of characteristics of this compromise is notable and there are many sobering conclusions.
Also mentioned in this other, brief HN discussion.
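The two points raised above, reproducible multi-party builds in the gitian style and a vendor actually vetting its own build outputs, come down to one check: several independent builders rebuild from the same source, each attests to the digest of what they produced, and a release is only accepted if enough of them agree on the digest the shipped artifact really has. The following Python example is added here to illustrate that check; it is not code from the thread, from gitian or from any vendor. It assumes a content-addressed manifest over the output tree (timestamps and log files excluded), and it stands in for the builders' PGP signatures with per-builder HMAC keys so that it runs offline; the builder names, keys and file contents are all constructed.

```python
"""Gitian-style reproducible-build verification (added illustration, constructed data).

Assumed model (not from the thread): each independent builder hashes its
build output tree into one manifest digest and attests to that digest; a
release is accepted only when at least `threshold` distinct builders validly
attest to the exact digest of the artifact being distributed. Attestation is
simulated with HMAC-SHA256 keyed per builder; real gitian uses PGP signatures.
"""
import hashlib
import hmac
from pathlib import Path
from tempfile import TemporaryDirectory

# Files that legitimately differ between honest builds (build logs) are left
# out of the manifest; any other difference breaks reproducibility and is
# exactly what we want to surface.
IGNORED_SUFFIXES = (".log",)


def manifest_digest(root: Path) -> str:
    """Hash every file under root in sorted, root-relative path order.

    Sorting and relative paths make the digest independent of the builder's
    absolute directory and of filesystem enumeration order; mtimes and
    ownership are deliberately not part of the digest.
    """
    h = hashlib.sha256()
    for path in sorted(p for p in root.rglob("*") if p.is_file()):
        if path.suffix in IGNORED_SUFFIXES:
            continue
        rel = path.relative_to(root).as_posix()
        h.update(rel.encode() + b"\0")                      # bind content to its path
        h.update(hashlib.sha256(path.read_bytes()).digest())
    return h.hexdigest()


def attest(builder_key: bytes, digest: str) -> str:
    """Stand-in for a builder's signature over the manifest digest (HMAC, not PGP)."""
    return hmac.new(builder_key, digest.encode(), hashlib.sha256).hexdigest()


def verify_release(candidate_digest: str, attestations: dict, builder_keys: dict,
                   threshold: int) -> bool:
    """Accept the candidate only if >= threshold known builders validly attest
    to exactly this digest. Unknown builders and bad signatures are ignored."""
    agreeing = 0
    for builder, (digest, sig) in attestations.items():
        key = builder_keys.get(builder)
        if key is None:
            continue
        if not hmac.compare_digest(attest(key, digest), sig):
            continue
        if digest == candidate_digest:
            agreeing += 1
    return agreeing >= threshold


def write_tree(root: Path, files: dict) -> None:
    """Materialise a constructed build output tree on disk."""
    for rel, data in files.items():
        p = root / rel
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_bytes(data)


# Constructed sample outputs: a clean build, the same build with a different
# log, and a build whose binary was altered after compilation.
CLEAN_BUILD = {
    "bin/agent.dll": b"MZ clean build",
    "etc/config.xml": b"<cfg/>",
    "build.log": b"built at 12:00",
}
CLEAN_BUILD_OTHER_LOG = {**CLEAN_BUILD, "build.log": b"built at 13:37"}
TAMPERED_BUILD = {**CLEAN_BUILD, "bin/agent.dll": b"MZ clean build + extra code"}


def run_scenario() -> dict:
    """Three independent builders attest to the clean digest; the vendor then
    tries to ship first the clean artifact, then the altered one."""
    keys = {"builder-a": b"key-a", "builder-b": b"key-b", "builder-c": b"key-c"}
    with TemporaryDirectory() as tmp:
        roots = {name: Path(tmp) / name for name in ("clean", "clean2", "tampered")}
        write_tree(roots["clean"], CLEAN_BUILD)
        write_tree(roots["clean2"], CLEAN_BUILD_OTHER_LOG)
        write_tree(roots["tampered"], TAMPERED_BUILD)
        clean = manifest_digest(roots["clean"])
        clean2 = manifest_digest(roots["clean2"])
        tampered = manifest_digest(roots["tampered"])
    attestations = {b: (clean, attest(k, clean)) for b, k in keys.items()}
    return {
        "log_ignored": clean == clean2,
        "digests_differ": clean != tampered,
        "clean_accepted": verify_release(clean, attestations, keys, threshold=2),
        "tampered_accepted": verify_release(tampered, attestations, keys, threshold=2),
    }


if __name__ == "__main__":
    print(run_scenario())
```

The threshold is the point of the design: one compromised build machine (the vendor's own, in the case discussed above) can produce and even sign an altered artifact, but it cannot make two other independently operated builders reproduce the same digest from the same source, so the altered release fails verification instead of shipping for months.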