More and more organizations are creating software bills of materials (SBOMs) to find out what is in their applications. With new legislation surrounding SBOMs surfacing, we are having to comply with regulations such as certifying that the open source parts of our applications are not full of vulnerabilities and follow good programming practices. But what happens if we cannot verify the source of this code? Can we simply put it down as raw materials to bypass said certification?
In this session, I will talk about what companies are doing to circumnavigate these tricky waters and what types of applications are simply not able to use open source code. Then I will go over some best practices to make sure your applications are secure, robust and compliant before they are delivered to your customers, with a great set of materials to keep your ship always floating.
2. @Jamie_Lee_C
Introduction
About me
Name: Jamie Lee Coleman
Current Role: Developer Advocate @ Sonatype
Past experience: Developer in Mainframe Software (CICS), WebSphere & OpenJ9 @ IBM
Twitter: @Jamie_Lee_C
Linked-In: https://www.linkedin.com/in/jamie-coleman/
6. @Jamie_Lee_C
What will I talk about today?
1. When we Love Open Source!
2. Supply chain problems today
3. SCA
1. What is SCA
2. SCA Tools
3. BOM Dr Demo*
4. Why Security in Open-source matters!
5. Legislation
6. SBOMs to the rescue?
8. Security Posture
9. Raw Materials
10. Static Analysis Tools
1. What Are they?
2. What is available?
3. Lift Demo*
11. Summary
12. Links
9. @Jamie_Lee_C
Brief History of Open Source
A-2 system 1953 – First commercial example of Open Source
DECUS formed 1955 – Facilitate sharing of software (SHARE OS by General Motors)
Advanced Research Projects Agency Network (ARPANET) – Used to share code and later succeeded by the Internet
Launch of the GNU project 1983 – To write an OS free from constraints on source code
Linux 1991 – The first freely modifiable kernel was born
Debian GNU/Linux 1993 – First OS was born
OpenJDK 2006 – Java commits to Open Source and releases OpenJDK under the GNU licence
Git 2005 – Created by Linux kernel developers
GitHub 2008 – World's most used DVCS hosting site
Android 2008 – World's most used mobile OS (now owned by Google)
10. @Jamie_Lee_C
Benefits of FOSS
• Personal control and customizability (4 main FOSS freedoms): Study, Copy, Modify, Redistribute
• Privacy and Security* – Use community to find bugs quickly
• Low or no costs – Software is free with optional licencing
• Quality, collaboration and efficiency – Many people and organizations working together; performance can be much better due to the amount of people contributing; project development can become more agile and efficient
16. @Jamie_Lee_C
Dependency Exploitation
• Dependency confusion – Attempts to get a different version added into a binary repository, often “latest”
• Typo-squatting – A lookalike domain or dependency with one or two wrong or different characters
• Open source repo attacks – Attempts to get malware or weaknesses added into dependency source via social engineering or tooling
• Build tool attacks – Attempts to get malware into the tools that are used to produce dependencies
Automated
Social Engineering
21. @Jamie_Lee_C
SCA Tools
Basic tools will provide:
• List of declared dependencies
• Basic information such as the latest version available
More advanced tools will provide:
• Transitive dependencies
• Vulnerability & Licence data
• Project scoring
• Visualisations
• Licence data
• Produce SBOMs
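What an advanced SCA tool does with the SBOM it produces, shown as an added example (not code from the talk or from any Sonatype product): read a minimal CycloneDX 1.4 JSON SBOM, split each component's purl into package and version, and match it against an advisory feed using OSV-style introduced/fixed ranges. The SBOM components, the advisory ids and their version ranges are all constructed placeholders.

```python
import json
from typing import Dict, List, Tuple

# Constructed CycloneDX 1.4 JSON fragment; the component list is made up for this example.
SBOM_JSON = """{
  "bomFormat": "CycloneDX", "specVersion": "1.4",
  "components": [
    {"type": "library", "purl": "pkg:maven/org.apache.logging.log4j/log4j-core@2.14.1"},
    {"type": "library", "purl": "pkg:maven/org.apache.logging.log4j/log4j-core@2.17.1"},
    {"type": "library", "purl": "pkg:pypi/requests@2.31.0"}
  ]
}"""

# Constructed advisory feed in OSV-style range form; ids and ranges are placeholders.
ADVISORIES = [
    {"id": "ADV-EXAMPLE-0001", "package": "pkg:maven/org.apache.logging.log4j/log4j-core",
     "introduced": "2.0", "fixed": "2.17.1", "severity": "CRITICAL"},
    {"id": "ADV-EXAMPLE-0002", "package": "pkg:pypi/requests",
     "introduced": "0", "fixed": "2.20.0", "severity": "MEDIUM"},
]

def parse_purl(purl: str) -> Tuple[str, str]:
    """Split 'pkg:type/namespace/name@version[?qualifiers]' into (package, version)."""
    pkg, sep, version = purl.partition("@")
    if not sep:
        raise ValueError(f"purl has no version: {purl}")
    return pkg, version.split("?", 1)[0].split("#", 1)[0]

def version_key(v: str) -> Tuple[int, ...]:
    """Dotted numeric versions compare as int tuples; non-numeric parts count as 0."""
    return tuple(int(p) if p.isdigit() else 0 for p in v.split("."))

def affected(version: str, introduced: str, fixed: str) -> bool:
    """True when introduced <= version < fixed (the OSV range convention)."""
    return version_key(introduced) <= version_key(version) < version_key(fixed)

def audit_sbom(sbom_json: str, advisories: List[Dict]) -> List[Dict]:
    """Return one finding per (component, advisory) pair whose version range matches."""
    findings = []
    for comp in json.loads(sbom_json).get("components", []):
        pkg, version = parse_purl(comp["purl"])
        for adv in advisories:
            if adv["package"] == pkg and affected(version, adv["introduced"], adv["fixed"]):
                findings.append({"purl": comp["purl"], "advisory": adv["id"],
                                 "severity": adv["severity"]})
    return findings

if __name__ == "__main__":
    for f in audit_sbom(SBOM_JSON, ADVISORIES):
        print(f"{f['severity']:8} {f['advisory']}  {f['purl']}")
```

Only the 2.14.1 log4j-core component is reported; the 2.17.1 copy sits at the fixed boundary and is excluded, which is the boundary case that matters when the same library appears twice in a transitive tree.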
24. @Jamie_Lee_C
Cyber Crime Facts
In 2016 Cybercrime surpassed the drug trade!
$450 Billion a year
$14,000 a second
Equivalent to 50 US Nimitz Class Aircraft carriers
27. @Jamie_Lee_C
If Cybercrime was a country by GDP in 2022
United States: $20.89 trillion
China: $14.72 trillion
Cyber Crime: $6 trillion
Japan: $5.06 trillion
Germany: $3.85 trillion
India: $2.65 trillion
United Kingdom: $2.63 trillion
France: $2.58 trillion
32. @Jamie_Lee_C
Be Proactive rather than Reactive
“If no other manufacturing industry is permitted to ship known vulnerable or defective parts in their products, why should software manufacturers be any different?” – Brian Fox, CTO/Founder of Sonatype
33. @Jamie_Lee_C
US - National Cyber Security Strategy
In another historic move, the US government is calling for generational investments to:
• Renew infrastructure.
• Secure software and semiconductor supply chains.
• Modernize cryptographic technologies.
In a nutshell, the themes for this new strategy are as follows:
• Software providers and data owners held responsible under cybersecurity liability
• Realigned long-term investment in cybersecurity will have a focus on the future
• A drive to invest in security resilience starts with every digital ecosystem
• Coordinated vulnerability disclosures and SBOMs are still a best practice. Get your SBOM below.
34. @Jamie_Lee_C
EU - Cyber Resilience Act
Main points of this legislation:
• Essential cybersecurity requirements
  • Requirements for any digital product on the market, including good practices, for example: “products must protect the availability of essential functions, including the resilience against and mitigation of denial of service attacks”
• Vulnerability handling requirements
  • Requirements for how to handle vulnerabilities through policies, for example: “once a security update has been made available, manufacturers must publicly disclose information about fixed vulnerabilities and have a policy in place on coordinated vulnerability disclosure”
• Extra requirements for critical products
  • There are two classes of critical products. Class 1 includes things such as password management, traffic and identity systems. Class 2 includes operating systems for servers, desktops and mobile devices.
• Conformity of products and information and instructions to users
  • Software must conform to certain requirements, such as technical documentation that is available before release and updated throughout the software lifecycle, including a security risk assessment and reports of tests related to vulnerabilities. It also needs to be clear and understandable to the user and include things such as a point of contact for reporting vulnerabilities.
• Reporting obligations
  • Manufacturers must notify ENISA within 24h of becoming aware of an actively exploited vulnerability contained in the product. Users should also be notified without undue delay and, if possible, provided with information about fixes for said vulnerabilities.
• Obligations on the rest of the supply chain
  • Requirements that importers of software ensure what they have imported has abided by the obligations in the CRA.
35. @Jamie_Lee_C
UK – PSTI
The Product Security and Telecommunications Infrastructure (PSTI) Bill:
• Requires manufacturers, importers and distributors to ensure that minimum security requirements are met in relation to consumer connectable products that are available to consumers.
• Provides a robust regulatory framework that can adapt and remain effective in the face of rapid technological advancement, the evolving techniques employed by malicious actors, and the broader international regulatory landscape.
Main points of this bill
• Ban default passwords.
  • Products that come with default passwords are an easy target for cyber criminals.
• Require products to have a vulnerability disclosure policy.
  • Security researchers regularly identify security flaws in products, but need a way to give notice to manufacturers of the risk they have identified, so that they can enable the manufacturer to act before criminals can take advantage. The Bill will provide measures to help ensure any vulnerabilities in a product are identified and flagged.
• Require transparency about the length of time for which the product will receive important security updates.
  • Consumers should know if their product will be supported with security updates, and if so, what the minimum length of time is that they can expect that support to continue.
44. @Jamie_Lee_C
Easy ways to Improve Security
• Code Review
• Binaries outside of projects
• Dependencies pinned to a specific version
• Secure Branches
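The Dependency Exploitation slide and the pinning advice above both come down to checks a build can run on its own manifest. As an added example (not code from the talk), this audits a constructed pip-style requirements list for the three warning signs: a version that is not pinned exactly (or is “latest”), a name within a couple of edits of a known package (typo-squatting), and an internal package name that also exists on the public index (dependency confusion). The package names and the two allow-lists are constructed stand-ins for a curated public index and a company's internal registry.

```python
from typing import Dict, List

# Constructed pip-style requirements lines (not from the talk).
REQUIREMENTS = [
    "requests==2.31.0",
    "reqeusts>=2.0",   # two letters transposed
    "acme-billing",    # internal package, no version pin
    "urllib3",
]
# Constructed stand-ins for a curated public index and the company's internal registry.
KNOWN_PUBLIC = {"requests", "urllib3", "flask", "acme-billing"}
INTERNAL = {"acme-billing", "acme-auth"}

def edit_distance(a: str, b: str) -> int:
    """Optimal-string-alignment distance: insert/delete/substitute plus adjacent swaps."""
    prev2, prev = None, list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cost = 0 if ca == cb else 1
            best = min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + cost)
            if i > 1 and j > 1 and ca == b[j - 2] and a[i - 2] == cb:
                best = min(best, prev2[j - 2] + 1)  # swap of two adjacent characters
            cur.append(best)
        prev2, prev = prev, cur
    return prev[-1]

def parse_requirement(line: str) -> Dict[str, str]:
    """Split 'name<op>version'; op and version are empty when the line has no pin."""
    for op in ("==", ">=", "<=", "~=", ">", "<"):
        if op in line:
            name, version = line.split(op, 1)
            return {"name": name.strip().lower(), "op": op, "version": version.strip()}
    return {"name": line.strip().lower(), "op": "", "version": ""}

def audit_requirements(lines: List[str], known_public: set, internal: set) -> List[str]:
    """One finding per problem: unpinned, lookalike name, or confusable internal name."""
    findings = []
    for line in lines:
        req = parse_requirement(line)
        name = req["name"]
        if req["op"] != "==" or req["version"].lower() in ("", "latest"):
            findings.append(f"{name}: not pinned to an exact version")
        if name not in known_public:
            lookalikes = sorted(k for k in known_public if edit_distance(name, k) <= 2)
            if lookalikes:
                findings.append(f"{name}: resembles {lookalikes} (possible typo-squat)")
        if name in internal and name in known_public:
            findings.append(f"{name}: internal name also on the public index (dependency confusion risk)")
    return findings
```

Running `audit_requirements(REQUIREMENTS, KNOWN_PUBLIC, INTERNAL)` reports nothing for the pinned, correctly spelled `requests` line and five findings for the other three, with `acme-billing` flagged both as unpinned and as confusable.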
47. @Jamie_Lee_C
Raw materials in the software supply chain
Unknown Suppliers – Unknown third-party open-source
Warehouses – Component repositories
Manufacturers – Software development teams
Finished Goods – Software applications
The BIG BANG
52. @Jamie_Lee_C
What is a Static Analysis Tool?
SA tools examine your application's source code to:
• Enforce coding standards
• Find insecure code patterns
• Measure test coverage
• Check control flow, nesting and data flow
• Check documentation and requirements docs
57. @Jamie_Lee_C
Useful Links
Open Source in Medical Devices:
https://starfishmedical.com/blog/open-source-software-medical-devices/
SOUP/Raw materials info:
https://starfishmedical.com/blog/soup-in-medicaldevicedevelopment/
History of software supply chain attacks:
https://www.sonatype.com/resources/vulnerability-timeline
State of the software supply chain report:
https://www.sonatype.com/state-of-the-software-supply-chain/
LOG4J download data:
https://www.sonatype.com/resources/log4j-vulnerability-resource-center
White House supply chain blog:
https://blog.sonatype.com/white-house-national-cybersecurity-strategy-landmark-action-for-a-critical-threat
Talk about sitting in round tables at conferences and listening to some of the biggest tech companies talk about this problem.
The Product Security and Telecommunications Infrastructure (PSTI) Bill
Talk about SBOM tools being hacked
Mention SOUP: Software of Unknown Provenance
What is the difference between these two lines of code? *pause*
One is a vulnerability and one is not. These aren’t big changes; anyone can make this type of mistake.
CVE-2022-3602
An off-by-one error in the punycode decoder allowed a single unsigned int overwrite of a buffer, which could cause a crash and possible code execution.
A vulnerability might be described as CRITICAL if “remote code execution is considered likely in common situations”. This was not the case for this CVE, as it was unlikely in common system configurations.
Secondly, many modern platforms implement stack overflow protections which would mitigate against the risk of remote code execution and usually lead to a crash instead. These are examples of the protection that comes from following best practices.
Source:
https://www.openssl.org/blog/blog/2022/11/01/email-address-overflows/
https://github.com/openssl/openssl/commit/3b421ebc64c7b52f1b9feb3812bdc7781c784332