What SendGrid can teach us about dependency

The watch-word for the SendGrid breach is “interdependence”.  In the online world, we may think we’re dealing with one company, but we’re actually dealing with them and with every other company they choose to deal with.  This makes an ever-widening attack surface.  (The breaking news about the Chinese “Great Cannon” software shows similar patterns.)  These days, if you visit a website, you can be confident you are actually talking to a huge variety of other organizations who may provide ads, services, traffic monitoring, or any other legitimate services.  One recent study of a popular news site showed that reading a simple news story meant your browser spoke to 38 distinct hosts, spread across no less than 20 different organizational domains!  The problem is that this array of services is very large, and a chain is only as strong as its weakest link.  Attackers only need to find one weak point to start an attack.