@spoole167
Game Over Or Game Changing?
Why software development may never be the same again
Steve Poole
Sonatype
@spoole167
This talk is about
• How the nature of cyber attacks is changing
• A new US government initiative to combat this challenge
• How that initiative will impact how software is developed in the future
One day at work …
Files won’t open
“There is no application set to
open the document”
“Windows can’t open this file ”
Systems won’t start
“Unable to read config files”
“missing dll”
Unexpected files on the system, with extensions such as:
micro
zepto
locky
cerber
cryp1
osiris
crypz
locked
decrypt2017
r5a
enigma
surprise
evillock
fu*ked
(source: https://techdator.net/ransomware-file-extensions/)
Signing in blocks
Explicit information
You’re the victim of a Ransomware Attack
Somewhere is a link to a cryptocurrency
wallet and an amount you must pay.
How does it start?
Mostly phishing and malware, mostly targeted at Windows clients
(diagram: a malware installer delivering further malware)
Not your usual Phishing…
DEAR SIR/MA'AM.
YOUR ATM CARD OF $10.5MILLION DOLLARS WAS RETURNED TODAY BY OUR COURIER DELIVERY
COMPANY, AND WE ARE GOING TO CANCEL THE ATM CARD IF YOU FAILS TO ACKNOWLEDGE THIS
MESSAGE, WE SHALL ALSO ASSUME THAT WHAT OUR COURIER DELIVERY COMPANY TOLD US IS
NOTHING BUT THE TRUTH THAT YOU DON'T NEED YOUR ATM CARD OF $10.5 MILLION DOLLARS ANY
LONGER.
DO ACKNOWLEDGE THIS MESSAGE AS SOON AS POSSIBLE.
YOURS FAITHFULLY.
YOURS SINCERELY,
MR MARK WRIGHT,
DIRECTOR FOREIGN REMITTANCE
ATM CARD SWIFT PAYMENT DEPARTMENT
ZENITH BANK OF NIGERIA.
😀
Federal Bureau of Investigation (FBI)
Anti-Terrorist And Monitory Crime Division.
Federal Bureau Of Investigation.
J.Edgar.Hoover Building Washington Dc
Customers Service Hours / Monday To Saturday
Office Hours Monday To Saturday:
Dear Beneficiary,
Series of meetings have been held over the past 7 months with the secretary general of the
United Nations Organization. This ended 3 days ago. It is obvious that you have not received
your fund which is to the tune of $16.5million due to past corrupt Governmental Officials who
almost held the fund to themselves for their selfish reason and some individuals who have
taken advantage of your fund all in an attempt to swindle your fund which has led to so many
losses from your end and unnecessary delay in the receipt of your fund.for more information
do get back to us.
….
Upon receipt of payment the delivery officer will ensure that your package is sent within 24
working hours.
😀
From <your boss>
I’ve spoken to the XYZ company CEO and they will send us the goods if we
pay $3M immediately. Details below.
I’m off to the golf course – no distractions please.
An email from an international transport company urging recipients to open a waybill
Many ransomware attacks are specifically targeted at certain types of organisation
(chart: % of attacks by sector: Government, Education, Services, Healthcare, Technology, Manufacturing, Retail, Utilities, Finance, Other)
Many are specifically targeted at a single company or
organisation
With personalised attacks you invest more and make it compelling.
Your victim's views on Facebook about their boss, how busy they are, important deals coming up: it all helps to craft that million-dollar attack…
Other vectors: network and delivery vulnerabilities
Other vectors: supply chain attacks
Hack software delivery systems, upstream
The aim, as always, is Remote Code Execution
Once in, the malware calls back home for encryption keys
And uses sophisticated techniques to encrypt your system: one file at a time, least used first…
While copying critical data out, disguised as normal traffic
• Sometimes hidden in other payloads or protocols
• Sometimes as responses to ‘legitimate’ requests
• Almost always via botnets
Not new news?
here’s the punchline …
Ransomware can often be a visible
test of an attack methodology
the money can be secondary
Cyber attacks are rising in number and sophistication
Nation states are preparing for the next war, and that is all about software
The aim is to infiltrate infrastructure and essential services…
And manipulate or terminate
(chart: cybercrime vs drug trade, 2013 to 2021; y-axis 0 to 6000)
Sounds bad?
$6 Trillion is just the ransomware
Estimates go as high as $30 Trillion for everything else.
That’s about $175 000 for every adult in the world
This new phase of cyber attacks is
• State funded
• Professionally developed
• Regularly exercised
• Very sophisticated
• And extremely lucrative
The incentive is huge
Weaponised cybercrime is the new reality
Nation states are preparing for the next war, and that is all about software
Open Source – the golden goose
Most applications are 90% open source
(diagram: Payroll App V1 and its dependencies)
The amount of open source available is truly staggering
3 Million Projects
37 Million Versions
2.2 Trillion Downloads
(Java, JavaScript, Python, .NET)
Open source is built on trust.
We trust it so much it’s growing at 73% per year
By 2025 there could be 20 Trillion downloads a year
(chart: projected downloads per year, 2021 to 2025, in trillions)
Cybercriminals used to search for vulnerabilities
Now they make their own
• Typosquatting: a lookalike domain or dependency with one or two wrong or different characters
• Open source repo attacks: attempts to get malware or weaknesses added into dependency source, via social engineering or tooling
• Build tool attacks: attempts to get malware into the tools that are used to produce dependencies
• Dependency confusion: attempts to get the resolver to pick a different version from a binary repository, for example a public package published under the same name as an internal one, often at a higher or “latest” version
Put a different way…
Most applications are 90% open source
(diagram: Payroll App V1 on top of its dependencies)
Bad guys used to look for code weaknesses here, in the dependencies
Now they are adding their own upstream: in dependencies, tools, runtimes, platforms and code generators
Many are designed to stay hidden until needed
Blind trust in Open Source software is evaporating
5% of the projects on Maven Central already have a vulnerability of CVSS 9 or 10
Now there are direct attacks on open source projects and maintainers to gain access to source repos or release processes
Now there are direct attacks to insert malicious code via pull requests
Now there are direct attacks on the compilers and packaging tools
Last year we finally came together to try to do something about cyber attacks, with the focus on making s/w more trustworthy
17 May 2021
Joe Biden
The Executive Order (EO 14028, “Improving the Nation’s Cybersecurity”)
• Recognizes the need to form a united front against “malicious cyber actors”
• Outlines a direction for closer working between all parts of the software industry
• Adds new requirements on software vendors selling to the US government
• Will change how we produce and consume software.
Hardening the software supply chain: every product
• has an SBOM
• uses an automated supply chain process
• has evidence of software integrity
• has evidence of an automated vulnerability check process
• has a vulnerability disclosure program
• has evidence of the provenance of all software used
• demonstrates strong controls over the use of internal and third-party software and services
• demonstrates regular audit processes
SBOM – the new important term on the horizon
Formats: cyclonedx.org, spdx.dev
Modern vulnerability tools scan your builds
(diagram: Payroll App V1 and its dependencies)
Tracking dependencies relies on tools that analyze the end result
(diagram: Payroll App V1 built on Web Server 05.1.2 and Acme Framework 2.1)
Which relies on transparency
Which can be problematic: incomplete data, opaque dependencies
And is always incomplete, or even faked
What’s in the runtimes? What tools were used to build?
An SBOM provides evidence on how software was built
(diagram: Payroll App V1 with Web Server 05.1.2 and Acme Framework, plus the environment that built and runs it: Runtime V2, OS V3.4, Compiler V9, CI/CD V2, OS V6, Compiler)
All componentry, plus environmental information
This product: version 1.1, depending on Foo 2.1 and Bar 3.1. Today each dependency is just a reference (diagram: “this product” 1.1 with dependency refs to Foo 2.1 and Bar 3.1)
Becomes this: every dependency ref carries an SBOM ref (a URL) and the SBOM’s signature/hash; the product itself carries a URL and a signature/hash
Becomes this: the build environment gets the same treatment. Gcc 3.6, RHEL, zip, Jenkins and the GitHub action each get a URL and a hash alongside Foo 2.1 and Bar 3.1
And you ‘inherit’ all their SBOM info too (and that of all their dependencies, transitively)
Which means? More likelihood of finding issues
Which means? More issues, more often
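An added example, not from the talk and not any particular tool’s output, of what a consumer can do once the product, its dependencies and the build tooling all carry a bill of materials with hashes, as in the diagrams above: build a minimal CycloneDX 1.4 JSON document for “this product”, verify each component’s recorded SHA-256 against the bytes actually held, walk the dependencies graph to find what is inherited transitively, and match the result against an advisory feed. The artifact bytes, the extra transitive component Baz 0.9, the advisory feed and its identifier are all constructed; the tool entry under metadata is hypothetical. Signing the BOM document itself (the signature column in the diagram) is not shown here.

```python
import hashlib
import json
from collections import deque

def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()

ROOT = "pkg:maven/com.example/payroll-app@1.1"   # "this product" from the diagram

# Constructed bytes standing in for the jars a build actually resolved: Foo 2.1, Bar 3.1, and
# Baz 0.9, which Bar's own SBOM declares and which we therefore inherit.
ARTIFACTS = {
    "pkg:maven/com.example/foo@2.1": b"foo-2.1.jar (constructed contents)",
    "pkg:maven/com.example/bar@3.1": b"bar-3.1.jar (constructed contents)",
    "pkg:maven/com.example/baz@0.9": b"baz-0.9.jar (constructed contents)",
}

# Constructed advisory feed keyed by purl; the identifier is a placeholder, not a real advisory.
ADVISORY_FEED = {"pkg:maven/com.example/baz@0.9": ["CONSTRUCTED-ADVISORY-1"]}

def component(purl, data):
    """One CycloneDX component entry with the hash of the bytes we resolved."""
    name, version = purl.rsplit("/", 1)[1].split("@")
    return {"type": "library", "bom-ref": purl, "name": name, "version": version, "purl": purl,
            "hashes": [{"alg": "SHA-256", "content": sha256_hex(data)}]}

def build_sbom(artifacts):
    """Minimal CycloneDX 1.4 document: the product, every resolved component with its hash,
    the (hypothetical) tool that produced the BOM, and the dependency graph between bom-refs."""
    return {
        "bomFormat": "CycloneDX",
        "specVersion": "1.4",
        "version": 1,
        "metadata": {
            "tools": [{"vendor": "example.com", "name": "ci-sbom-step", "version": "0.1"}],  # hypothetical
            "component": {"type": "application", "bom-ref": ROOT, "name": "payroll-app",
                          "version": "1.1", "purl": ROOT},
        },
        "components": [component(purl, data) for purl, data in artifacts.items()],
        "dependencies": [
            {"ref": ROOT, "dependsOn": ["pkg:maven/com.example/foo@2.1", "pkg:maven/com.example/bar@3.1"]},
            {"ref": "pkg:maven/com.example/bar@3.1", "dependsOn": ["pkg:maven/com.example/baz@0.9"]},
        ],
    }

def build_sbom_json(artifacts):
    return json.dumps(build_sbom(artifacts), indent=2)

def verify_hashes(sbom, artifacts):
    """bom-refs whose recorded SHA-256 does not match the bytes we hold, or that we do not hold at all."""
    mismatched = []
    for c in sbom["components"]:
        recorded = {h["alg"]: h["content"] for h in c.get("hashes", [])}.get("SHA-256")
        data = artifacts.get(c["bom-ref"])
        if data is None or recorded is None or sha256_hex(data) != recorded:
            mismatched.append(c["bom-ref"])
    return mismatched

def transitive_dependencies(sbom, ref):
    """Every bom-ref reachable from `ref` through the dependencies graph (breadth-first, cycle-safe)."""
    graph = {d["ref"]: d.get("dependsOn", []) for d in sbom.get("dependencies", [])}
    seen, queue = set(), deque([ref])
    while queue:
        for dep in graph.get(queue.popleft(), []):
            if dep not in seen:
                seen.add(dep)
                queue.append(dep)
    return seen

def vulnerable_components(sbom, feed):
    root = sbom["metadata"]["component"]["bom-ref"]
    return sorted(ref for ref in transitive_dependencies(sbom, root) if ref in feed)

def audit(sbom_json, artifacts, feed):
    """What a consumer does with a received SBOM: check integrity first, then check the whole tree."""
    sbom = json.loads(sbom_json)
    return {"hash_mismatches": verify_hashes(sbom, artifacts),
            "vulnerable": vulnerable_components(sbom, feed)}

if __name__ == "__main__":
    sbom_json = build_sbom_json(ARTIFACTS)
    on_disk = dict(ARTIFACTS)
    on_disk["pkg:maven/com.example/foo@2.1"] = b"foo-2.1.jar (swapped after the BOM was produced)"
    print(json.dumps(audit(sbom_json, on_disk, ADVISORY_FEED), indent=2))
```

The point of the two checks being separate is that they answer different questions: a hash mismatch says the thing you are holding is not the thing the producer described, so nothing else in the BOM can be trusted for that component; the graph walk is what turns “Bar 3.1” into “Bar 3.1 and everything Bar pulled in”, which is where the extra issues the slides predict come from.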
The way you build software
is going to change
You can expect every government to
follow suit on this sort of initiative
Even if you're not selling directly, you
could be in a chain that is
The prediction is that by 2025 every
software vendor, open source project
etc will have to provide this proof
Manual anything is going to be
problematic
You will need
• to be able to track back exactly how, where and with what your s/w was built
• to be able to deal with an increase in the number of reported vulnerabilities
• to be able to build your s/w automatically at a moment’s notice
• to provide your SBOM to others
The next wave is moving from IaC (Infrastructure as Code) to EaC (Everything as Code)
The way you choose open source software is going to change
• What do you do if an open-source component you rely on doesn’t comply?
• How much risk are you willing to take?
• Even if they say yes, how much can you trust them?
• Do they have an SBOM?
• What’s their ability to provide updates?
• What’s their security posture?
Not just “is it free, does it do what I want?”
What tools can you use to help?
Many tools to help with your code
And quite a few to tell you about your dependencies
Even with the best s/w tools in the world…
The best tools right now are these
Time to exercise your suspicious brain, find code smells and LOOK closely at the projects you’re using
Build your own selection criteria or use ours
Things to check for
• License / security.md file
• Vulnerability reporting process
• Development process (how do they review contributions?)
• Build process: is it secure? Who can trigger it?
• General assessment of their quality (MTTU, mean time to update)
• Unexpected release frequency
• Number and activity patterns of committers
• Do they do Static Application Security Testing (SAST)?
• Are they prone to making breaking changes?
• Do they often have no path forward (latest version has vulnerabilities)?
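An added example, not from the talk, of three of the checks above computed from a project’s release history: “no path forward”, unexpected release frequency, and MTTU. The release dates, the vulnerable-version set and the adoption dates are constructed for a hypothetical library; the MTTU used is the simple definition (days from a release to the date you adopted it, averaged), not Sonatype’s exact methodology.

```python
from datetime import date
from statistics import median, mean

# Constructed release history for a hypothetical library "acme-framework".
RELEASES = [
    ("2.0.0", date(2021, 1, 10)),
    ("2.0.1", date(2021, 3, 2)),
    ("2.1.0", date(2021, 5, 20)),
    ("2.1.1", date(2021, 8, 14)),
    ("2.1.2", date(2021, 8, 15)),   # a second release within a day: unusual for this project
    ("2.2.0", date(2022, 1, 5)),
]
# Constructed: versions with a known vulnerability. Note the latest release is among them.
VULNERABLE = {"2.1.0", "2.1.1", "2.1.2", "2.2.0"}
# Constructed: when "our" project adopted a given release.
ADOPTIONS = [("2.0.1", date(2021, 3, 20)), ("2.1.1", date(2021, 10, 1))]

def parse_version(v):
    """'2.10.1' -> (2, 10, 1); tuples compare correctly where string comparison would not."""
    return tuple(int(part) for part in v.split("."))

def has_path_forward(current, releases, vulnerable):
    """Smallest released version newer than `current` that is not vulnerable, or None.
    None is the 'no path forward' case: every upgrade available today is itself vulnerable."""
    cur = parse_version(current)
    candidates = [v for v, _ in releases if parse_version(v) > cur and v not in vulnerable]
    return min(candidates, key=parse_version) if candidates else None

def unusual_intervals(releases, factor=10):
    """Versions published much sooner after their predecessor than this project's norm.
    The norm is the median gap between releases; anything below median/factor is flagged."""
    ordered = sorted(releases, key=lambda r: r[1])
    gaps = [(ordered[i][0], (ordered[i][1] - ordered[i - 1][1]).days) for i in range(1, len(ordered))]
    if not gaps:
        return []
    threshold = median(g for _, g in gaps) / factor
    return [v for v, g in gaps if g < threshold]

def mean_time_to_update(releases, adoptions):
    """Average days between a release and the date we adopted it (simplified MTTU)."""
    released = dict(releases)
    return mean((adopted - released[v]).days for v, adopted in adoptions)

def assess(current, releases=RELEASES, vulnerable=VULNERABLE, adoptions=ADOPTIONS):
    """Summary a reviewer would want before (re)choosing this dependency."""
    latest = max((v for v, _ in releases), key=parse_version)
    return {
        "latest": latest,
        "latest_is_vulnerable": latest in vulnerable,
        "path_forward_from_current": has_path_forward(current, releases, vulnerable),
        "unusual_release_intervals": unusual_intervals(releases),
        "mttu_days": mean_time_to_update(releases, adoptions),
    }

if __name__ == "__main__":
    print(assess("2.1.0"))
```

A release landing a day after the previous one is not evidence of compromise on its own (hotfixes happen), which is why the check reports the anomaly rather than deciding; the useful signal is an anomaly that coincides with a new committer or an unusual build trigger, the other items on the checklist.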
This is obviously hard and time consuming
Getting your own supply chain in a fit state is one thing
What about all your dependencies?
Obvious thoughts
• BYO pipelines will get replaced by commercial ones.
• Automated, evidence-based everything-as-code supply chains are the way forward
• But developer productivity is going to be impacted before we get there
• Consuming open source directly will reduce. You’ll pay for trusted versions or have very strict consumption policies
• Those that can create automated, highly productive supply chains will have an immediate competitive advantage
This is the cost for dealing with
• The new motives behind cyber attacks
• The increase in risk of being attacked, because you’re in someone’s supply chain
• Open source still being the primary vector
• The long-term transformation of open source communities
It’s still all software – it’s still up to us to make the world safer.
Takeaways
• The days of just taking software off the shelf are numbered:
choose software based on how it’s produced, not just what it does
• Evidence-based trust will become essential: your own supply chain
(the software you use, how you develop, how you deploy) will
become a certified step in someone else’s evidence chain.
• A complex and challenging new world lies ahead. GDPR changed
how we think about and deal with user information; supply chains are
going to get the same sort of scrutiny.
Questions?
bit.ly/software-supply-chain
sonatype.com/devsignup
Presented at Devoxx France 2022.
 
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking MenDelhi Call girls
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerThousandEyes
 
Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...Enterprise Knowledge
 
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationFrom Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationSafe Software
 
Slack Application Development 101 Slides
Slack Application Development 101 SlidesSlack Application Development 101 Slides
Slack Application Development 101 Slidespraypatel2
 
Data Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonData Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonAnna Loughnan Colquhoun
 
CNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of ServiceCNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of Servicegiselly40
 
Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024The Digital Insurer
 

Recently uploaded (20)

The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024
 
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
 
Partners Life - Insurer Innovation Award 2024
Partners Life - Insurer Innovation Award 2024Partners Life - Insurer Innovation Award 2024
Partners Life - Insurer Innovation Award 2024
 
[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf
 
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure service
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure serviceWhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure service
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure service
 
Breaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path MountBreaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path Mount
 
Handwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsHandwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed texts
 
Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024
 
GenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationGenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day Presentation
 
08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men
 
Presentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreterPresentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreter
 
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdfThe Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
 
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected Worker
 
Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...
 
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationFrom Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
 
Slack Application Development 101 Slides
Slack Application Development 101 SlidesSlack Application Development 101 Slides
Slack Application Development 101 Slides
 
Data Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonData Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt Robison
 
CNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of ServiceCNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of Service
 
Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024
 

Devoxx France 2022: Game Over or Game Changing? Why Software Development May Never be the same again

  • 1. Game Over Or Game Changing? Why software development may never be the same again. Steve Poole, Sonatype (@spoole167)
  • 2. This talk is about: how the nature of cyber attacks is changing; a new US government initiative to combat this challenge; how that initiative will impact how software is developed in the future.
  • 3. One day at work …
  • 4. Files won’t open: “There is no application set to open the document”, “Windows can’t open this file”.
  • 5. Systems won’t start: “Unable to read config files”, “missing dll”.
  • 6. Unexpected files on the system, with extensions such as micro, zepto, locky, cerber, cryp1, osiris, crypz, locked, decrypt2017, r5a, enigma, surprise, evillock, fu*ked (https://techdator.net/ransomware-file-extensions/).
  • 9. You’re the victim of a ransomware attack.
  • 10. Somewhere is a link to a cryptocurrency wallet and an amount you must pay.
  • 11. How does it start? Mostly phishing and malware, mostly targeted at Windows clients. [Diagram: a malware installer dropping further malware]
  • 13. DEAR SIR/MA'AM. YOUR ATM CARD OF $10.5MILLION DOLLARS WAS RETURNED TODAY BY OUR COURIER DELIVERY COMPANY, AND WE ARE GOING TO CANCEL THE ATM CARD IF YOU FAILS TO ACKNOWLEDGE THIS MESSAGE, WE SHALL ALSO ASSUME THAT WHAT OUR COURIER DELIVERY COMPANY TOLD US IS NOTHING BUT THE TRUTH THAT YOU DON'T NEED YOUR ATM CARD OF $10.5 MILLION DOLLARS ANY LONGER. DO ACKNOWLEDGE THIS MESSAGE AS SOON AS POSSIBLE. YOURS FAITHFULLY. YOURS SINCERELY, MR MARK WRIGHT, DIRECTOR FOREIGN REMITTANCE ATM CARD SWIFT PAYMENT DEPARTMENT ZENITH BANK OF NIGERIA. 😀
  • 14. Federal Bureau of Investigation (FBI) Anti-Terrorist And Monitory Crime Division. Federal Bureau Of Investigation. J.Edgar.Hoover Building Washington Dc Customers Service Hours / Monday To Saturday Office Hours Monday To Saturday: Dear Beneficiary, Series of meetings have been held over the past 7 months with the secretary general of the United Nations Organization. This ended 3 days ago. It is obvious that you have not received your fund which is to the tune of $16.5million due to past corrupt Governmental Officials who almost held the fund to themselves for their selfish reason and some individuals who have taken advantage of your fund all in an attempt to swindle your fund which has led to so many losses from your end and unnecessary delay in the receipt of your fund.for more information do get back to us. …. Upon receipt of payment the delivery officer will ensure that your package is sent within 24 working hours. 😀
  • 15. From <your boss>: “I’ve spoken to the XYZ company CEO and they will send us the goods if we pay $3M immediately. Details below. I’m off to the golf course – no distractions please.”
  • 16. An email from an international transport company urging recipients to open a waybill.
  • 17. Many ransomware attacks are specifically targeted at certain types of organisation. [Chart: percentage of attacks by sector: Government, Education, Services, Healthcare, Technology, Manufacturing, Retail, Utilities, Finance, Other]
  • 18. Many are specifically targeted at a single company or organisation. With personalised attacks you invest more and make them compelling: your victim’s views on Facebook about their boss, how busy they are, important deals coming up. It all helps to craft that million-dollar attack…
  • 19. Other vectors: network and delivery vulnerabilities.
  • 20. Other vectors: supply chain attacks. Hack the software delivery systems upstream.
  • 21. The aim, as always, is remote code execution.
  • 22. Once in, the malware calls back home for encryption keys.
  • 23. And uses sophisticated techniques to encrypt your system: one file at a time, least used first…
  • 24. While copying critical data out, disguised as normal traffic: sometimes hidden in other payloads or protocols, sometimes as responses to ‘legitimate’ requests, almost always via botnets.
  • 26. Ransomware can often be a visible test of an attack methodology; the money can be secondary.
  • 27. Cyber attacks are rising in number and sophistication. Nation states are preparing for the next war, and that is all about software. The aim is to infiltrate infrastructure and essential services…
  • 29. [Chart: cybercrime compared with the drug trade, 2013–2021]
  • 31. Sounds bad? $6 trillion is just the ransomware. Estimates go as high as $30 trillion for everything else.
  • 32. That’s about $175,000 for every adult in the world.
  • 33. This new phase of cyber attacks is state funded, professionally developed, regularly exercised, very sophisticated, and extremely lucrative.
  • 34. The incentive is huge. Weaponised cybercrime is the new reality. Nation states are preparing for the next war, and that is all about software.
  • 35. Open source: the golden goose.
  • 37. The amount of open source available is truly staggering: 3 million projects, 37 million versions, 2.2 trillion downloads, across Java, JavaScript, Python and .NET.
  • 38. Open source is built on trust. We trust it so much that it’s growing at 73% per year; by 2025 there could be 20 trillion downloads a year. [Chart: downloads per year, 2021–2025, in trillions]
  • 39. Cybercriminals used to search for vulnerabilities.
  • 40. Now they make their own. Typosquatting: a lookalike domain or dependency with one or two wrong or different characters. Open source repo attacks: attempts to get malware or weaknesses added into dependency source, via social engineering or tooling. Build tool attacks: attempts to get malware into the tools that are used to produce dependencies. Dependency confusion: attempts to get a different version added into a binary repository, often as “latest”. (sonatype.com/devsignup)
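Two of the attacks on slide 40 can be checked mechanically before a build resolves anything. The script below is an added example, not code from the talk or from Sonatype: it flags a dependency name within a small edit distance of a popular package (typosquat) and an internal-only package name that the resolver served from a public index (dependency confusion). The popular-package and internal-package lists, and the lockfile excerpt, are constructed for the example; a real tool would load the registry’s download-ranked list and your private registry’s catalogue.

```python
"""Flag typosquats and dependency-confusion candidates in a dependency list.

Added example, not from the talk. The package lists are constructed; a real
check would use the public registry's top-N list and your private catalogue.
"""
import re

# Popular packages an attacker would impersonate (constructed).
POPULAR = {
    "pypi": {"requests", "urllib3", "numpy", "cryptography"},
    "npm": {"lodash", "express", "colors", "event-stream"},
    "maven": {"org.apache.logging.log4j:log4j-core", "com.google.guava:guava"},
}
# Names that exist only in the company's private registry (constructed).
INTERNAL = {"pypi": {"acme-payroll-core"}, "npm": {"@acme/ui-kit"}}


def edit_distance(a: str, b: str) -> int:
    """Optimal string alignment distance: Levenshtein plus adjacent swaps,
    because most typosquats are a dropped, doubled or transposed character."""
    prev2, prev = None, list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            d = min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb))
            if i > 1 and j > 1 and ca == b[j - 2] and a[i - 2] == cb:
                d = min(d, prev2[j - 2] + 1)
            cur.append(d)
        prev2, prev = prev, cur
    return prev[-1]


def normalise(name: str, ecosystem: str) -> str:
    """Compare canonical forms: PyPI treats '-', '_' and '.' as one separator
    and is case-insensitive (PEP 503); npm names and Maven coordinates are lowercased."""
    name = name.lower()
    return re.sub(r"[-_.]+", "-", name) if ecosystem == "pypi" else name


def check_dependency(name: str, ecosystem: str, resolved_from: str) -> list:
    """resolved_from is 'public' or 'private': which index served the artifact.
    Returns findings as dicts with a 'kind' key; an empty list means no concern."""
    findings = []
    norm = normalise(name, ecosystem)
    internal = {normalise(n, ecosystem) for n in INTERNAL.get(ecosystem, ())}
    popular = {normalise(n, ecosystem): n for n in POPULAR.get(ecosystem, ())}
    if norm in internal:
        if resolved_from == "public":
            # A public index must never satisfy an internal name; if it did,
            # a public package is shadowing your private one.
            findings.append({"kind": "dependency_confusion", "name": name})
        return findings
    if norm in popular:
        return findings  # the genuine popular package itself
    for cand_norm, cand in popular.items():
        limit = 1 if len(cand_norm) <= 6 else 2  # short names tolerate only one edit
        dist = edit_distance(norm, cand_norm)
        if dist <= limit:
            findings.append({"kind": "typosquat", "name": name,
                             "looks_like": cand, "distance": dist})
    return findings


def audit(entries) -> dict:
    """entries: iterable of (name, ecosystem, resolved_from) taken from a lockfile.
    Returns {name: findings} for every entry with at least one finding."""
    report = {}
    for name, eco, src in entries:
        found = check_dependency(name, eco, src)
        if found:
            report[name] = found
    return report


# Constructed lockfile excerpt used by the demo below.
SAMPLE_LOCKFILE = [
    ("requests", "pypi", "public"),
    ("reqeusts", "pypi", "public"),                            # transposed characters
    ("acme-payroll-core", "pypi", "public"),                   # internal name served publicly
    ("acme_payroll_core", "pypi", "private"),                  # same name, correct source
    ("org.apache.logging.log4j:log4j-cor", "maven", "public"), # one character short
]

if __name__ == "__main__":
    for name, findings in audit(SAMPLE_LOCKFILE).items():
        print(name, findings)
```

The edit-distance threshold is deliberately low: a distance-2 hit on a long name such as a Maven coordinate is worth a human look, while on a six-character npm name it would flag half the registry. The dependency-confusion branch only fires when your resolver reports which index it used, so the check belongs in the pipeline that has that information, not in a static scan of the manifest alone.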
  • 43. Bad guys used to look for code weaknesses here. [Diagram: Payroll App V1 and its dependencies]
  • 44. Now they are adding their own upstream. [Diagram: Payroll App V1 with its dependencies, tools, runtimes, platforms and code generators]
  • 45. Many are designed to stay hidden until needed. [Same diagram]
  • 46. Blind trust in open source software is evaporating. 5% of the projects on Maven Central already have a vulnerability of CVSS 9 or 10. Now there are direct attacks on open source projects and maintainers to gain access to source repos or release processes; direct attacks to insert malicious code via pull requests; direct attacks on the compilers and packaging tools.
  • 48. Last year we finally came together to try to do something about cyber attacks; the focus is on making software more trustworthy.
  • 50. The Executive Order (US Executive Order 14028, May 2021) recognises the need to form a united front against “malicious cyber actors”; outlines a direction for closer working between all parts of the software industry; adds new requirements on software vendors selling to the US government; and will change how we produce and consume software.
  • 51. Hardening the software supply chain: every product has an SBOM; uses an automated supply chain process; has evidence of software integrity; has evidence of an automated vulnerability check process; has a vulnerability disclosure program; has evidence of the provenance of all software used; demonstrates strong controls over the use of internal and third-party software and services; demonstrates regular audit processes.
  • 52. SBOM: the new important term on the horizon. cyclonedx.org, spdx.dev
  • 54. Tracking dependencies relies on tools that analyse the end result. [Diagram: Payroll App V1 → Acme Framework 2.1 → Web Server 05.1.2]
  • 55. Which relies on transparency. [Same diagram]
  • 56. Which can be problematic: incomplete data, opaque dependencies.
  • 57. And is always incomplete, or even faked. What’s in the runtimes? What tools were used to build?
  • 58. An SBOM provides evidence on how software was built: all the componentry plus environmental information (Runtime V2, OS V3.4, Compiler V9, CI/CD V2, OS V6, Compiler).
  • 59. [Diagram: this product, with dependency refs 1.1, Foo 2.1, Bar 3.1]
  • 60. Becomes this: each dependency ref now carries a URL to that dependency’s own SBOM together with the SBOM’s signature and hash (SHA-256 or similar), plus the product URL with the product’s signature and hash.
  • 61. Becomes this: the same for the build environment (gcc 3.6, RHEL, zip, Jenkins, GitHub Action), each with its own URL and hash.
  • 62. And you ‘inherit’ all their SBOM info too (and all their dependents).
  • 63. Which means? More likelihood of finding issues.
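The structure slides 59 to 63 sketch, as an added example that is not code from the talk and not CycloneDX or Sonatype tooling: each component entry carries the hash of the artifact and a reference to the dependency’s own SBOM with that SBOM’s hash, so a consumer can follow the references, verify every link, and inherit the full transitive inventory (build tools included) to match against advisories. The artifact bytes, the BOM-store URLs, the tool versions, the signing key and the advisory identifier are all constructed; the HMAC “signature” stands in for a real detached signature (Sigstore, GPG or similar) so the block runs offline with only the standard library.

```python
"""Chain, verify and walk minimal CycloneDX-shaped SBOMs. Added example, not from
the talk. URLs, artifact bytes, tool versions, key and advisory id are constructed;
HMAC stands in for a real detached signature so this runs offline."""
import hashlib
import hmac
import json

def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def canonical(sbom: dict) -> bytes:
    # Deterministic encoding, so a hash or signature over an SBOM is reproducible.
    return json.dumps(sbom, sort_keys=True, separators=(",", ":")).encode()

def bom_url(name: str, version: str) -> str:
    return f"https://boms.example.invalid/{name}/{version}.cdx.json"  # hypothetical BOM store

def make_sbom(name, version, artifact: bytes, deps, tools) -> dict:
    """deps: [(name, version, artifact_bytes, that_dependency's_sbom)]; tools: [(name, version)].
    The dependency's SBOM hash is pinned here, so later tampering with the published
    copy is detectable by anyone holding this SBOM."""
    components = [{
        "type": "library", "name": dn, "version": dv,
        "hashes": [{"alg": "SHA-256", "content": sha256_hex(da)}],
        "externalReferences": [{"type": "bom", "url": bom_url(dn, dv),
                                "hashes": [{"alg": "SHA-256", "content": sha256_hex(canonical(ds))}]}],
    } for dn, dv, da, ds in deps]
    return {
        "bomFormat": "CycloneDX", "specVersion": "1.4",
        "metadata": {
            "component": {"type": "application", "name": name, "version": version,
                          "hashes": [{"alg": "SHA-256", "content": sha256_hex(artifact)}]},
            "tools": [{"name": tn, "version": tv} for tn, tv in tools],
        },
        "components": components,
    }

def sign(sbom: dict, key: bytes) -> str:
    return hmac.new(key, canonical(sbom), "sha256").hexdigest()

def verify_signature(sbom: dict, signature: str, key: bytes) -> bool:
    return hmac.compare_digest(sign(sbom, key), signature)

def inventory(sbom: dict, fetch, depth=0, seen=None):
    """Yield (kind, name, version, depth) for the product, its build tools and,
    recursively, every referenced SBOM. fetch(url) returns the SBOM at url (an
    in-memory dict stands in for HTTP). Raises on a hash mismatch, or when a
    fetched SBOM describes a different component than the one referenced."""
    seen = set() if seen is None else seen
    meta = sbom["metadata"]
    me = meta["component"]
    yield ("component", me["name"], me["version"], depth)
    for t in meta.get("tools", []):
        yield ("tool", t["name"], t["version"], depth)
    for c in sbom.get("components", []):
        key = (c["name"], c["version"])
        if key in seen:
            continue
        seen.add(key)
        ref = next((r for r in c.get("externalReferences", []) if r["type"] == "bom"), None)
        if ref is None:  # leaf with no SBOM of its own
            yield ("component", c["name"], c["version"], depth + 1)
            continue
        sub = fetch(ref["url"])
        if sha256_hex(canonical(sub)) != ref["hashes"][0]["content"]:
            raise ValueError(f"SBOM at {ref['url']} does not match the hash recorded for {key}")
        sub_me = sub["metadata"]["component"]
        if (sub_me["name"], sub_me["version"]) != key:
            raise ValueError(f"SBOM at {ref['url']} describes a different component than {key}")
        yield from inventory(sub, fetch, depth + 1, seen)

def vulnerable(inv, advisories: dict) -> list:
    """advisories: {(name, version): id}. Matches anywhere in the tree, at any depth."""
    return [(n, v, d, advisories[(n, v)]) for _, n, v, d in inv if (n, v) in advisories]

ADVISORIES = {("web-server", "05.1.2"): "EXAMPLE-2022-0001"}  # constructed advisory id
PUBLISHER_KEY = b"constructed-demo-key"

def build_chain():
    """Payroll App V1 -> Acme Framework 2.1 -> Web Server 05.1.2 (slide 54), with
    build-environment entries like slide 61. Tool versions are made up."""
    store = {}
    def publish(sbom):
        c = sbom["metadata"]["component"]
        store[bom_url(c["name"], c["version"])] = sbom
        return sbom
    web = publish(make_sbom("web-server", "05.1.2", b"web-server bits", [],
                            [("gcc", "3.6"), ("RHEL", "8.5")]))
    acme = publish(make_sbom("acme-framework", "2.1", b"acme bits",
                             [("web-server", "05.1.2", b"web-server bits", web)],
                             [("jenkins", "2.3"), ("zip", "3.0")]))
    payroll = make_sbom("payroll-app", "1", b"payroll bits",
                        [("acme-framework", "2.1", b"acme bits", acme)],
                        [("github-actions-runner", "2.2")])
    return payroll, sign(payroll, PUBLISHER_KEY), store

def audit_payroll():
    payroll, sig, store = build_chain()
    if not verify_signature(payroll, sig, PUBLISHER_KEY):
        raise ValueError("root SBOM signature invalid")
    inv = list(inventory(payroll, store.__getitem__))
    return inv, vulnerable(inv, ADVISORIES)

def tamper_detected() -> bool:
    """Someone rewrites the published web-server SBOM to hide its build tools;
    the hash pinned inside acme-framework's SBOM catches it."""
    payroll, _, store = build_chain()
    store[bom_url("web-server", "05.1.2")]["metadata"]["tools"] = []
    try:
        list(inventory(payroll, store.__getitem__))
    except ValueError:
        return True
    return False

if __name__ == "__main__":
    inv, vulns = audit_payroll()
    for kind, name, version, depth in inv:
        print("  " * depth + f"{kind}: {name} {version}")
    print("vulnerable:", vulns, "| tamper detected:", tamper_detected())
```

The point of pinning the referenced SBOM’s hash in the parent, rather than only linking to it, is that the evidence chain then has the same property as a Merkle tree: changing anything two levels down changes a hash the top-level consumer already holds. That is what makes the “inherited” SBOM information of slide 62 trustworthy rather than merely available.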
  • 65. The way you build software is going to change. You can expect every government to follow suit on this sort of initiative. Even if you’re not selling directly, you could be in a chain that is. The prediction is that by 2025 every software vendor, open source project etc. will have to provide this proof. Manual anything is going to be problematic.
  • 66. You will need: to be able to track back exactly how, where and with what your software was built; to be able to deal with an increase in the number of reported vulnerabilities; to be able to build your software automatically at a moment’s notice; to provide your ‘SBOM’ to others. The next wave is moving from IaC to EaC (everything as code).
  • 67. The way you choose open source software is going to change. It’s not just “is it free, does it do what I want?”: What do you do if an open-source component you rely on doesn’t comply? How much risk are you willing to take? Even if they say yes, how much can you trust them? Do they have an SBOM? What’s their ability to provide updates? What’s their security posture?
  • 68. What tools can you use to help?
  • 70. And quite a few to tell you about your dependencies.
  • 71. Even with the best software tools in the world …
  • 72–73. The best tools right now are these.
  • 74. Time to exercise your suspicious brain, find code smells and LOOK closely at the projects you’re using. Build your own selection criteria or use ours.
  • 75. Things to check for: license and security.md file; vulnerability reporting process; development process (how do they review contributions?); build process (is it secure? who can trigger it?); general assessment of their quality (MTTU, mean time to update).
  • 76. Things to check for: unexpected release frequency; number and activity patterns of committers; do they do static analysis and security testing (SAST)? are they prone to making breaking changes? do they often have no path forward (the latest version has vulnerabilities)?
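Several of the checklist items on slides 75 and 76 can be turned into computations over metadata that a registry API or `git log` already gives you. The script below is an added example, not from the talk and not Sonatype’s own scoring: it flags a release that breaks the project’s rhythm or comes from a publisher never seen before, measures committer concentration, estimates the breaking-change habit from major-version bumps, and reports when the latest version is itself the subject of an advisory (no path forward). The project data, the required-files list and every threshold are constructed assumptions.

```python
"""Heuristics for the project checklist on slides 75-76. Added example, not from
the talk; the sample project, required files and thresholds are constructed."""
from collections import Counter
from datetime import datetime
from statistics import median

def release_anomalies(releases):
    """releases: [(iso_date, version, publisher)] oldest first. Flags the first
    release by a publisher never seen before (takeover or new maintainer) and a
    release after a long dormant period: the pattern behind several hijacked
    packages. 'Long' is >= a year and >= 4x the project's median release gap."""
    times = [datetime.fromisoformat(d) for d, _, _ in releases]
    gaps = [(times[i] - times[i - 1]).days for i in range(1, len(times))]
    typical = median(gaps) if gaps else 0
    seen, out = set(), []
    for i, (_, version, who) in enumerate(releases):
        if i and who not in seen:
            out.append((version, f"first release by new publisher {who}"))
        seen.add(who)
        if i and gaps[i - 1] >= max(365, 4 * typical):
            out.append((version, f"release after {gaps[i - 1]} days of dormancy"))
    return out

def committer_concentration(authors):
    """authors: one entry per commit. Returns (bus_factor, top_share): the fewest
    authors whose commits cover half the history, and the top author's share."""
    counts = Counter(authors).most_common()
    total = sum(n for _, n in counts)
    if not counts:
        return 0, 0.0
    acc = 0
    for k, (_, n) in enumerate(counts, 1):
        acc += n
        if acc * 2 >= total:
            return k, counts[0][1] / total
    return len(counts), counts[0][1] / total

def major_bump_ratio(versions):
    """Share of releases that bump the major version (semver-style 'X.Y.Z')."""
    majors = [int(v.split(".")[0]) for v in versions]
    bumps = sum(1 for a, b in zip(majors, majors[1:]) if b > a)
    return bumps / (len(versions) - 1) if len(versions) > 1 else 0.0

def no_path_forward(versions, advisories):
    """True when the newest version has an open advisory: upgrading cannot fix it."""
    return bool(advisories.get(versions[-1]))

REQUIRED_FILES = ("LICENSE", "SECURITY.md")  # assumed minimum; extend to taste

def assess(project: dict) -> dict:
    versions = [v for _, v, _ in project["releases"]]
    bus, share = committer_concentration(project["commit_authors"])
    return {
        "missing_files": [f for f in REQUIRED_FILES if f not in project["files"]],
        "release_anomalies": release_anomalies(project["releases"]),
        "bus_factor": bus,
        "top_committer_share": round(share, 2),
        "major_bump_ratio": round(major_bump_ratio(versions), 2),
        "no_path_forward": no_path_forward(versions, project["advisories"]),
    }

# Constructed project: healthy for a year, dormant for nearly two, then a
# never-seen publisher ships a patch release that is itself under advisory.
SAMPLE_PROJECT = {
    "files": ["README.md", "LICENSE", "pom.xml"],
    "releases": [
        ("2019-01-10", "1.0.0", "alice"),
        ("2019-06-02", "1.1.0", "alice"),
        ("2019-11-20", "1.2.0", "alice"),
        ("2020-03-15", "2.0.0", "alice"),
        ("2022-02-01", "2.0.1", "mallory"),
    ],
    "commit_authors": ["alice"] * 40 + ["bob"] * 8 + ["mallory"] * 2,
    "advisories": {"2.0.1": ["EXAMPLE-2022-0007"]},  # constructed advisory id
}

if __name__ == "__main__":
    for key, value in assess(SAMPLE_PROJECT).items():
        print(f"{key}: {value}")
```

None of these numbers is a verdict on its own. A new publisher is how maintainers are legitimately added, and a dormant project waking up is often just a maintainer returning; the combination of both on the same release, from someone with two commits in the history, is what should make you read that release’s diff before upgrading.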
  • 77. This is obviously hard and time consuming. Getting your own supply chain in a fit state is one thing…
  • 78. …what about all your dependencies?
  • 79. Obvious thoughts: BYO pipelines will get replaced by commercial ones. Automated, evidence-based, everything-as-code supply chains are the way forward, but developer productivity is going to be impacted before we get there. Consuming open source directly will reduce; you’ll pay for trusted versions or have very strict consumption policies.
  • 80. Those that can create automated, highly productive supply chains will have an immediate competitive advantage.
  • 81. This is the cost of dealing with: the new motives behind cyber attacks; the increased risk of being attacked because you’re in someone’s supply chain; open source still being the primary vector; the long-term transformation of open source communities.
  • 82. It’s still all software; it’s still up to us to make the world safer.
  • 83. Takeaways: The days of just taking software off the shelf are numbered: choose software based on how it’s produced, not just what it does. Evidence-based trust will become essential: your own supply chain (the software you use, how you develop, how you deploy) will become a certified step in someone else’s evidence chain. A complex and challenging new world lies ahead. GDPR changed how we think about and deal with user information; supply chains are going to get the same sort of scrutiny.