More and more organizations are creating a software bill of materials (SBOMs) to find out what is in their applications. With new legislation surrounding SBOMs surfacing, we are having to comply with regulations such as certifying that the open source parts of our applications are not full of vulnerabilities and following good programming practices. But what happens if we cannot verify the source of this code? Can we simply put it down as raw materials to bypass said certification? In this session, I will talk about what companies are doing to circumnavigate these tricky waters and what types of applications are simply not able to use open source code. Then I will go over some best practices to make sure your applications are secure, robust and compliant to be delivered to your customers, with a great set of materials to keep your ship always floating.

1. @Jamie_Lee_C
London Java Community
Jamie L Coleman
Developer Advocate @ Sonatype
Why Building Your Ship
(Application) with Raw
Materials is a Bad Idea!

2. @Jamie_Lee_C
Introduction
About me
Name: Jamie Lee Coleman
Current Role: Developer Advocate @ Sonatype
Past experience: Developer in Mainframe Software (CICS), WebSphere & OpenJ9 @ IBM
Twitter: @Jamie_Lee_C
Linked-In: https://www.linkedin.com/in/jamie-coleman/

3. @Jamie_Lee_C

4. @Jamie_Lee_C
Not just the Maven Central people

5. @Jamie_Lee_C

6. @Jamie_Lee_C
What will I talk about today?
1. When we Love Open Source!
2. Supply chain problems today
3. SCA
1. What is SCA
2. SCA Tools
3. BOM Dr Demo*
4. Why Security in Open-source matters!
5. Legislation
6. SBOMs to the rescue?
8. Security Posture
9. Raw Materials
10. Static Analysis Tools
1. What Are they?
2. What is available?
3. Lift Demo*
11. Summary
12. Links

7. @Jamie_Lee_C
Why create this talk?

8. @Jamie_Lee_C
Open Source is amazing!

9. @Jamie_Lee_C
Brief History of Open Source
A-2 system in
1953 - First
commercial
example of
Open Source
DECUS
formed 1955 –
Facilitate
sharing of
software
(SHARE OS
by General
Motors)
Advance Research
Projects Agency Network
(ARPANET) – Used to
share code and later
succeeded by the Internet
Launch of the GNU
project 1983 – To
write an OS free from
constraints on source
code
Linux 1991 – The first
freely modifiable kernel
was born
Debian
GNU/Linux
1993 – First
OS was born
OpenJDK 2006 – Java
commits to Open Source
and releases OpenJDK
under the GNU licence
Git 2005 –
Created
by Linux
kernel
developer
s
GitHub 2008 –
Worlds most used
DVCS hosting site
Android 2008 –
Worlds most used
mobile OS (Now
owned by Google)

10. @Jamie_Lee_C
Benefits of FOSS
Personal control and
customizability (4
main FOSS
freedoms)
Study
Copy
Modify
Redistribute
Privacy and
Security*
Use community to find
bugs quickly
Low or no costs
Software is free with
optional licencing
Quality, collaboration
and efficiency
Many people and
organizations working
together
Performance can be
much better due to the
amount of people
contributing
Project development
can become more
agile and efficient

11. @Jamie_Lee_C
Sharing = better!
90% of the applications we create are shared dependencies!

12. @Jamie_Lee_C
Supply chain problems!

13. @Jamie_Lee_C
Dependency Managment
150 Dependencies (avg Java project)
10 Releases Per Year (avg per dependency)
1500 Updates To Consider 😱
x

14. @Jamie_Lee_C
Direct vs Transitive Dependency
Example: org.springframework.boot:spring-boot-starter-web

15. @Jamie_Lee_C

16. @Jamie_Lee_C
Dependency Exploitation
Dependency
confusion
Attempts to get a
Different version
added into a binary
repository
Often “latest”
Typo-squatting
A lookalike domain,
dependency with one
or two wrong or
different characters
Open source
repo attacks
Attempts to get
malware or
weaknesses
added into
dependency
source via social
or tools
Build Tool
attacks
Attempts to get
malware into the
tools that are
used to produce
dependencies
Automated
Social Engineering

17. @Jamie_Lee_C
Microservices make this even harder!

18. @Jamie_Lee_C
Software Composition Analysis

19. @Jamie_Lee_C
What is Software Composition Analysis?
https://foojay.io/today/sboms-and-software-composition-analysis/

20. @Jamie_Lee_C
What is Software Composition Analysis?

21. @Jamie_Lee_C
SCA Tools
Basic tools will provide:
• List of declared dependencies
• Basic information such as latest
version available
More advanced tools will provide:
• Transitive dependencies
• Vulnerability & Licence data
• Project scoring
• Visualisations
• Licence data
• Produce SBOMs

22. @Jamie_Lee_C
Time to visit the BOM Dr
https://bomdoctor.sonatype.com/

23. @Jamie_Lee_C
Why Security in Open-source matters!

24. @Jamie_Lee_C
In 2016 Cybercrime surpassed the
drug trade!
$450 Billion a year
$14,000 a second
Equivalent to 50 US Nimitz Class
Aircraft carriers
Cyber Crime Facts

25. @Jamie_Lee_C
What about 2022?

26. @Jamie_Lee_C
In 2022!
$6 Trillion a year!
$200,000 a second
Equivalent to 620 US Nimitz Class
Aircraft carriers
Cyber Crime Facts

27. @Jamie_Lee_C
United States: $20.89 trillion
China: $14.72 trillion
Cyber Crime: $6 trillion
Japan: $5.06 trillion
Germany: $3.85 trillion
India: $2.65 trillion
United Kingdom: $2.63 trillion
France: $2.58 trillion
If Cybercrime was a country by GDP in 2022

28. @Jamie_Lee_C
Todays Pablo Escobar uses a Laptop

29. @Jamie_Lee_C

30. @Jamie_Lee_C
Devices allowed to contain OS code:
IEC 62304

31. @Jamie_Lee_C
Legislation!

32. @Jamie_Lee_C
Be Proactive rather than Reactive
“If no other manufacturing industry is permitted to ship
known vulnerable or defective parts in their products,
why should software manufacturers be any different?” –
Brian Fox CTO/Founder of Sonatype

33. @Jamie_Lee_C
In another historic move, the US
government is calling for generational
investments to:
• Renew infrastructure.
• Secure software and semiconductor supply chains.
• Modernize cryptographic technologies.
In a nutshell the themes for this new strategy are as
follows:
• Software providers and data owners held
responsible under cybersecurity liability
• Realigned long-term investment in cybersecurity will
have a focus on the future
• A drive to invest in security resilience starts with
every digital ecosystem
• Coordinated vulnerability disclosures and SBOMs
are still a best practice. Get your SBOM below.
US - National Cyber Secuirty Stratagy

34. @Jamie_Lee_C
Main points of this legislation:
• Essential cybersecurity requirements
• Requirement for any digital products on the market and includes things such as
good practices for example: “products must protect the availability of essential
functions, including the resilience against and mitigation of denial of service
attacks”
• Vulnerability handling requirements
• Requirement for how to handle vulnerabilities with the use of policies for
example: “once a security update has been made available, manufacturers
must publically disclose information about fixed vulnerabilities and have a
policy in place on coordinated vulnerability disclosure”
• Extra requirements for Critical products
• There are two classes of critical products. Class 1 includes stuff like password
management, traffic and identity systems. Class 2 includes operating systems
for servers, desktops and mobile devices.
• Conformity of products and information and
instructions to users
• Requirement of software to conform to certain requirements such as
Technical documentation that is available before release and is
updated throughout the software lifecycle that includes stuff such as
a security risk assessment and reports of tests related to
vulnerabilities. It also needs to be clear and understandable to the
user and includes stuff like a point of contact for reporting
vulnerabilities etc.
• Reporting obligations
• The requirement here is to notify the ENISA within 24h of becoming
aware of a actively exploited vulnerability contained in the product.
Users should also be notified without undue delay and if possible
you should provide them with information about fixes to said
vulnerabilities.
• Obligations on the rest of the supply chain
• Requirements for importers of software that what they have imported
has abided by the obligations in the CRA.
EU - Cyber Resilience Act

35. @Jamie_Lee_C
The Product Security and Telecommunications
Infrastructure (PSTI) Bill:
• Require manufacturers, importers and distributors to
ensure that minimum security requirements are met in
relation to consumer connectable products that are
available to consumers.
• Provide a robust regulatory framework that can adapt
and remain effective in the face of rapid technological
advancement, the evolving techniques employed by
malicious actors, and the broader international
regulatory landscape.
Main points of this bill
• Ban default passwords.
• Products that come with default passwords are an easy
target for cyber criminals.
• Require products to have a vulnerability
disclosure policy.
• Security researchers regularly identify security flaws in
products, but need a way to give notice to manufacturers
of the risk they have identified, so that they can enable
the manufacturer to act before criminals can take
advantage. The Bill will provide measures to help ensure
any vulnerabilities in a product are identified and flagged.
• Require transparency about the length of time
for which the product will receive important
security updates.
• Consumers should know if their product will be supported
with security updates, and if so, what the minimum length
of time is that they can expect that support to continue.
UK – PSTI

36. @Jamie_Lee_C
SBOM To The Rescue?

37. @Jamie_Lee_C
SBOM
“It is great to have a software bill of materials, but the important part is
what you do with it.” - Me

38. @Jamie_Lee_C
Easy ways to generate an SBOM
1. CycloneDX Maven Plugin
2. Kubernetes bom
3. Microsoft’s SBOM Tool
4. SPDX SBOM Generator
5. Syft
6. Sonatype Lift

39. @Jamie_Lee_C
Even our SBOMs are not safe!

40. @Jamie_Lee_C
Security Posture

41. @Jamie_Lee_C

42. @Jamie_Lee_C
Simple ways for Identifying vulnerable projects

43. @Jamie_Lee_C
The small things make big differences

44. @Jamie_Lee_C
Easy ways to Improve Security
• Code Review
• Binaries outside of projects
• Dependencies pinned to a
specific version
• Secure Branches

45. @Jamie_Lee_C
What are raw materials?

46. @Jamie_Lee_C
Software Supply Chain
Suppliers
Third Party
Software Such
as Open
Source
Warehouses
Component
Repositories
Manufacturers
Software
Development
Teams Finished
Goods
Software
Applications

47. @Jamie_Lee_C
Raw materials in the software supply chain
Unknown Suppliers
Unknown Third
Party Open-source
Warehouses
Component
Repositories
Manufacturers
Software
Development
Teams Finished
Goods
Software
Applications
The BIG
BANG

48. @Jamie_Lee_C

49. @Jamie_Lee_C
Raw materials get
around Policy
controls and the
need to check
supplier hygiene!

50. @Jamie_Lee_C
Small mistake can have big impacts!

51. @Jamie_Lee_C
Static Analysis Tools

52. @Jamie_Lee_C
What is a Static Analysis Tool?
SA tools examine your applications
source code for:
• Enforce Coding standards
• Insecure code patterns
• Measure test coverage
• Control flow, nesting and data
flow
• Documentation and requirements
docs

53. @Jamie_Lee_C
Demo Time
https://lift.sonatype.com/

54. @Jamie_Lee_C
Summary

55. @Jamie_Lee_C
One day your luck will run out!
Snapshot taken over 1 year later…

56. @Jamie_Lee_C
Continuous
Upgrade Strategy
Ongoing Security
Scanning
Have A Remediation
Strategy
What’s in your
application?
(Untangle your
dependencies)
Choose New
Dependencies
Wisely
Assess Existing
Dependencies

57. @Jamie_Lee_C
Open Source in Medical Devices
https://starfishmedical.com/blog/open-source-software-medical-devices/
SOUP/Raw materials info
https://starfishmedical.com/blog/soup-in-medicaldevicedevelopment/
History of software supply chain attacks
https://www.sonatype.com/resources/vulnerability-timeline
State of the software supply chain report:
https://www.sonatype.com/state-of-the-software-supply-chain/
LOG4J download data:
https://www.sonatype.com/resources/log4j-vulnerability-resource-center
White House supply chain blog:
https://blog.sonatype.com/white-house-national-cybersecurity-strategy-
landmark-action-for-a-critical-threat
Useful Links

58. @Jamie_Lee_C
Get in touch
Website:
https://www.sonatype.com
Twitter: @sonatype
LinkedIn: /company/sonatype/

59. @Jamie_Lee_C
Cool stuff to
checkout!
New Maven Central
https://central.sonatype.com/
BOM Dr
https://bomdoctor.sonatype.com/
DevZone
https://dev.sonatype.com/
Foojay Series
• https://foojay.io/today/sboms-first-steps-in-a-new-
journey-for-developers/
• https://foojay.io/today/sboms-and-software-
composition-analysis/
• https://foojay.io/today/making-sboms-threats-and-
modelling-them-a-piece-of-cake/
Malware Monthly
https://blog.sonatype.com/malware-monthly-february-2023

60. @Jamie_Lee_C
Don’t forget
to scan your
applications
with the Dr
https://bomdoctor.sonatype.com/

61. @Jamie_Lee_C