1. To the Left, to the Left: All your Security Shifted to the Left
2. Jamie Lee Coleman
● Role: Developer Advocate @ Sonatype, previously @ IBM
● Experience: Developer in Mainframe Software (CICS), WebSphere & OpenJ9 @ IBM
linkedin.com/in/jamie-coleman
@Jamie_Lee_C
3. Theresa Mammarella
● Software Engineer @ IBM
● Eclipse OpenJ9 JVM
● Native image prototyping
● Supply chain security
● Open source developer, community
member and speaker
linkedin.com/in/tmammarella
@t_mammarella
4. Eddie Knight
● Sonatype Office of the CTO
● Maintainer @ FINOS
○ Compliant Financial Infrastructure
● Organizer @ CNCF
○ Cloud Native Security Slam
● Author of Nix (July 2023)
linkedin.com/in/knight1776
@the_eddieknight
https://eddieknight.dev
5. You Are Here
Threat Triage
The Mantra
Introduction
Software Dev
Dependencies
IaC
CI/CD
6. Diverse security efforts are valuable!
● Security Training
● Architecture Review
● Threat Modelling
● And more…
But they’re out of scope for this workshop.
@the_eddieknight @t_mammarella
7. “Shift left is the practice of moving testing, quality, and performance evaluation early in the development process”
https://www.dynatrace.com/news/blog/what-is-shift-left-and-what-is-shift-right
Introduction
8. ● Plan for Secure Development
○ Time
○ Talent
○ Tools
● Build for Secure Development
○ The Mantra
● Test for Secure Development
○ SCA
○ *AST
Let’s put our security in the box to the left:
Get over it
I think you left some out
10. 1. Does this touch the internet?
2. Does this take untrusted input?
3. Does this handle sensitive data?
The Mantra
11. #1 - Does this touch the internet?
● Dependency Fetching
● User Input
● External API Calls
● Third-party Integrations
● Messaging, MQTT, WebSockets
● Uploads & Downloads
● etc...
If a feature touches the internet, we need to ensure end-to-end security from the supplier to the consumer.
12. #2 - Does this take untrusted input?
● UI Forms
● Calls to a Shared Database
● Cookies and HTTP Headers
● External API Responses
● And more…
If a feature takes untrusted input, we need to validate its integrity before use.
13. #3 - Does this handle sensitive data?
● Personally Identifiable Information
● Authentication / Authorization
● Private Communications
● Intellectual Property
● Location, Medical or Financial Data
● And more…
If a feature handles sensitive data, we must pay special care to encryption, handling, and storage.
14. 1. Does this touch the internet?
2. Does this take untrusted input?
3. Does this handle sensitive data?
Ensure end-to-end security from the supplier to the consumer
Validate its integrity before use
Pay special care to encryption, handling, and storage
15. Secure Development is Achievable!
Let’s Practice:
https://github.com/sonatype-nexus-community/codetocloud-workshop
1. Review application code using the Mantra
2. Identify any un-mitigated risks
3. Create a GitHub Issue to discuss the risk
16. Dependency Management Calls for Automation!
(Begin tooling demonstration now)
17. Secure IaC is Difficult!
This section is not hands on, because secure IaC is more nuanced.
1. IaC tools have dependencies too
2. Infrastructure has the largest surface area
3. Defaults are the devil in the details
19. Devil in the Details
1. Investigate Defaults for Every Resource
2. Parameterize ONLY Where Necessary
3. Remember The Mantra
20. Secure CI/CD
1. Pipeline permissions
2. Secret handling
3. Pipeline dependencies
a. (containers, actions, etc)
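As an added illustration of the three items above (not code from the workshop repository or the speakers), a small Python linter that flags each of them in a GitHub Actions workflow. Both workflow texts are constructed samples; the commit SHA and image digest in the hardened one are placeholders, not real pins.

```python
import re

# Constructed sample workflow (not from the workshop repo) with the slide's three
# weak spots: broad permissions, a secret echoed to logs, dependencies pulled by tag.
WEAK_WORKFLOW = """\
on: [push, pull_request]
permissions: write-all
jobs:
  build:
    runs-on: ubuntu-latest
    container: node:latest
    steps:
      - uses: actions/checkout@v4
      - run: echo "token=${{ secrets.DEPLOY_TOKEN }}"
      - run: npm ci && npm test
"""
# Hardened counterpart; the SHA and digest are placeholder pins, not real ones.
HARDENED_WORKFLOW = """\
on: [push, pull_request]
permissions: {contents: read}
jobs:
  build:
    runs-on: ubuntu-latest
    container: node@sha256:0000000000000000000000000000000000000000000000000000000000000000
    steps:
      - uses: actions/checkout@0000000000000000000000000000000000000000
      - run: npm ci && npm test
        env:
          DEPLOY_TOKEN: ${{ secrets.DEPLOY_TOKEN }}
"""
SHA_PIN = re.compile(r"@[0-9a-f]{40}$")                 # immutable action reference
USES = re.compile(r"^\s*-?\s*uses:\s*(\S+)")
IMAGE = re.compile(r"^\s*(?:container|image):\s*(\S+)")
SECRET_ECHO = re.compile(r"^\s*-?\s*run:.*\becho\b.*secrets\.")

def lint_workflow(text: str) -> list[str]:
    findings = []
    # 1. Pipeline permissions: the job token must be scoped explicitly, never write-all.
    perm = re.search(r"^permissions:[ \t]*(\S*)", text, re.M)
    if perm is None or perm.group(1) == "write-all":
        findings.append("permissions: missing or write-all; scope the job token explicitly")
    for n, line in enumerate(text.splitlines(), 1):
        # 2. Secret handling: a secret interpolated into echo ends up in the job log.
        if SECRET_ECHO.match(line):
            findings.append(f"line {n}: secret interpolated into echo; it will appear in job logs")
        # 3. Pipeline dependencies: actions and images referenced by mutable tags.
        m = USES.match(line)
        if m and not SHA_PIN.search(m.group(1)):
            findings.append(f"line {n}: action {m.group(1)} is not pinned to a commit SHA")
        m = IMAGE.match(line)
        if m and "@sha256:" not in m.group(1):
            findings.append(f"line {n}: image {m.group(1)} is not pinned by digest")
    return findings
```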
21. Weakness & Vulnerability Triage
1. What is the vulnerability rating?
a. Place a higher priority on higher ratings
2. Does this cause breaking changes?
a. Reduce priority for more complex implementations (depending on how critical the rating is)
3. Do we have the skills/resources immediately available to implement this upgrade?
a. If not, mark as blocked until you do
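An added example, not from the workshop materials: the three triage questions above encoded as a prioritisation function in Python and run over a constructed backlog. The numeric weighting used for breaking changes is an assumption chosen to match the rule of thumb on the slide.

```python
from dataclasses import dataclass

@dataclass
class Finding:
    """One scanner result; a constructed shape, not any particular tool's output."""
    component: str
    rating: float              # vulnerability rating as a CVSS-style score, 0.0 to 10.0
    breaking: bool             # would the fixing upgrade introduce breaking changes?
    resources_available: bool  # do we have the skills/resources to do it right now?

def triage(f: Finding) -> tuple[str, float]:
    """Return (status, priority). Higher priority is worked first; 'blocked' waits."""
    # Q3: without skills/resources, mark blocked instead of letting it rot in the queue.
    if not f.resources_available:
        return ("blocked", 0.0)
    priority = f.rating  # Q1: higher rating, higher priority
    if f.breaking:
        # Q2: breaking changes reduce priority, but less so the more critical the rating.
        # Assumed weighting: up to half off at rating 0, no reduction at rating 10.
        priority *= 0.5 + 0.05 * f.rating   # e.g. 9.8 -> x0.99, 6.0 -> x0.80
    return ("ready", round(priority, 2))

def triage_backlog(findings: list[Finding]) -> list[tuple[str, str, float]]:
    """Order a backlog: ready items by descending priority, then the blocked ones."""
    rows = [(f.component, *triage(f)) for f in findings]
    return sorted(rows, key=lambda r: (r[1] != "ready", -r[2]))

# Constructed backlog (component names and scores are made up for the example).
SAMPLE_BACKLOG = [
    Finding("http-client", rating=9.0, breaking=False, resources_available=True),
    Finding("parser-lib", rating=9.8, breaking=True, resources_available=True),
    Finding("util-lib", rating=6.0, breaking=True, resources_available=True),
    Finding("template-engine", rating=9.8, breaking=True, resources_available=False),
]

if __name__ == "__main__":
    for component, status, priority in triage_backlog(SAMPLE_BACKLOG):
        print(f"{component:16} {status:8} {priority}")
```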
22. Conclusion
1. Does this touch the internet?
2. Does this take untrusted input?
3. Does this handle sensitive data?
Ensure end-to-end security from the supplier to the consumer
Validate its integrity before use
Pay special care to encryption, handling, and storage
23. More Security Content @ KCDC
Hidden security features of the JVM - everything you didn’t know and more
Theresa Mammarella
Thursday, 11:15am
Room 2203
CVE 101: The Unfolding Of A Zero Day Attack
Theresa Mammarella
Friday, 11:00am
Room 2201