Toyota has fixed a vulnerability in the Toyota Global Supplier Preparation Information Management System (GSPIMS) Web portal that allowed a security researcher to gain access to corporate and partner accounts, and other sensitive data. GSPIMS is used by Toyota employees and suppliers to coordinate supply chain tasks. The researcher notified Toyota about the backdoor login flaw in November 2022.
- Another example that supply chain security isn’t just about suppliers; it is also about the security of the portals that the big guys require their suppliers to use. Since in most cases suppliers have no choice, use this one as an example for your Chief Legal Counsel to make sure you have some form of liability coverage or limitation.
- A good use case for enterprises to review the network security architecture that supports their supply chain. APIs are prevalent in most web applications and consequently are often an attack vector used for initial access. The Open Web Application Security Project (OWASP) regularly publishes mitigation guidance against the top security concerns. Implement OWASP’s recommendations as part of your software development process.
- Recall that the flaw was that Toyota’s GSPIMS system was generating JWTs based solely on an email address, not on a validation process. While Toyota has addressed the shortfall, the question is: are you properly generating the tokens used for trust relationships, or are you assuming that the points where tokens are generated and used are secure enough not to warrant verification? Yeah, it’s a hard question to ask, and the developers are going to hurt your head explaining (don’t hate on them, we still love them), so use the Toyota example to make your case and have them step back and consider whether their assumptions are still correct. Don’t forget to ask them to consider the impact of distributed/cloud or ZTA changes in the environment.
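To make the "generated based solely on email" point concrete for that developer conversation, here is an added Python sketch (not Toyota's code and not a description of the real GSPIMS implementation) that puts a token endpoint minting a JWT for any email address it is handed beside one that mints only for an account whose owner has just authenticated, plus the relying-party check. The signing key, issuer name, salt and the single user record are constructed for the demo.

```python
import base64, hashlib, hmac, json, os, time
# Constructed demo key, issuer and user store (a real portal: secret store + identity provider).
SIGNING_KEY = b"constructed-demo-signing-key"
ISSUER = "gspims-demo"  # hypothetical issuer claim value

def _pw_hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
_SALT = os.urandom(16)  # constructed per-run salt for the single demo account
USERS = {"alice@example.com": {"salt": _SALT, "pw": _pw_hash("correct horse", _SALT), "role": "supplier"}}

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()
def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def _sign(claims: dict) -> str:  # HS256 JWT built with the standard library only
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url(json.dumps(claims).encode())
    sig = hmac.new(SIGNING_KEY, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"

# Weak pattern, the shape of the reported flaw: any email supplied yields a validly signed token.
def issue_token_weak(email: str) -> str:
    now = int(time.time())
    return _sign({"sub": email, "iat": now, "exp": now + 3600, "iss": ISSUER})

# Hardened: mint only after proof of control of the account; claims come from the record, not the request.
def issue_token_hardened(email: str, password: str):
    user = USERS.get(email)
    if user is None or not hmac.compare_digest(_pw_hash(password, user["salt"]), user["pw"]):
        return None
    now = int(time.time())
    return _sign({"sub": email, "role": user["role"], "iat": now, "exp": now + 3600, "iss": ISSUER})

# Relying party: accept only if alg, signature, issuer and expiry check out. A weak-issued token still passes.
def verify_token(token: str, now=None):
    try:
        header, payload, sig = token.split(".")
        if json.loads(_b64url_decode(header)).get("alg") != "HS256":
            return None
        expected = hmac.new(SIGNING_KEY, f"{header}.{payload}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _b64url_decode(sig)):
            return None
        claims = json.loads(_b64url_decode(payload))
        now = int(time.time()) if now is None else now
        if claims.get("iss") != ISSUER or claims.get("exp") is None or claims["exp"] <= now:
            return None
    except (ValueError, AttributeError, TypeError):
        return None
    return claims
```

The lesson the sketch makes visible is that `verify_token` happily accepts a token from `issue_token_weak`: a correct signature only proves the issuer signed it, so the identity check has to happen at issuance, not downstream.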
Read more in