A small but vital step on a long road was taken last year. The President of the USA signed an executive order aimed at improving cybersecurity. In this session you'll learn more about what was ordered and why it is the beginning of a significant change in how software will be developed, delivered and secured in the future, not just in the USA but worldwide. The need for a vastly improved software supply chain to counter the challenge of cyber attacks is well understood and many tools already exist. Learn more about the tooling landscape, what's on the horizon and how presidential orders, the software industry and application development are coming together to take even bigger steps towards safeguarding the future.
Devoxx France 2022: Game Over or Game Changing? Why Software Development May Never be the same again
1. @spoole167
Game Over Or Game Changing?
Why software development may never be the same again
Steve Poole
Sonatype
@spoole167
2. This talk is about
• How the nature of cyber attacks is changing
• A new US government initiative to combat this challenge
• How that initiative will impact how software is developed in the future
13. @spoole167
DEAR SIR/MA'AM.
YOUR ATM CARD OF $10.5MILLION DOLLARS WAS RETURNED TODAY BY OUR COURIER DELIVERY
COMPANY, AND WE ARE GOING TO CANCEL THE ATM CARD IF YOU FAILS TO ACKNOWLEDGE THIS
MESSAGE, WE SHALL ALSO ASSUME THAT WHAT OUR COURIER DELIVERY COMPANY TOLD US IS
NOTHING BUT THE TRUTH THAT YOU DON'T NEED YOUR ATM CARD OF $10.5 MILLION DOLLARS ANY
LONGER.
DO ACKNOWLEDGE THIS MESSAGE AS SOON AS POSSIBLE.
YOURS FAITHFULLY.
YOURS SINCERELY,
MR MARK WRIGHT,
DIRECTOR FOREIGN REMITTANCE
ATM CARD SWIFT PAYMENT DEPARTMENT
ZENITH BANK OF NIGERIA.
😀
14. @spoole167
Federal Bureau of Investigation (FBI)
Anti-Terrorist And Monitory Crime Division.
Federal Bureau Of Investigation.
J.Edgar.Hoover Building Washington Dc
Customers Service Hours / Monday To Saturday
Office Hours Monday To Saturday:
Dear Beneficiary,
Series of meetings have been held over the past 7 months with the secretary general of the
United Nations Organization. This ended 3 days ago. It is obvious that you have not received
your fund which is to the tune of $16.5million due to past corrupt Governmental Officials who
almost held the fund to themselves for their selfish reason and some individuals who have
taken advantage of your fund all in an attempt to swindle your fund which has led to so many
losses from your end and unnecessary delay in the receipt of your fund.for more information
do get back to us.
….
Upon receipt of payment the delivery officer will ensure that your package is sent within 24
working hours.
😀
15. @spoole167
From <your boss>
I’ve spoken to the XYZ company CEO and they will send us the goods if we
pay $3M immediately. Details below.
I’m off to the golf course – no distractions please.
17. @spoole167
Many ransomware attacks are specifically targeted at certain types of organisation
[Chart: % of attacks by sector: Government, Education, Services, Healthcare, Technology, Manufacturing, Retail, Utilities, Finance, Other]
18. @spoole167
Many are specifically targeted at a single company or
organisation
With personalized attacks you invest more and make it compelling.
Your victim's views on Facebook about their boss, how busy they are,
important deals coming up. It all helps to craft that million-dollar attack…
24. @spoole167
While copying critical data out,
disguised as normal traffic
Sometimes hidden in other
payloads, protocols
Sometimes as responses to
‘legitimate’ requests
Almost always via botnets
27. @spoole167
Cyber attacks are rising in number and sophistication
Nation states are preparing for the next war, and that is all about software
The aim is to infiltrate infrastructure and essential services…
33. @spoole167
This new phase of cyber attacks is: state funded, professionally developed, regularly exercised, very sophisticated, and extremely lucrative
34. @spoole167
The incentive is huge
Weaponised Cybercrime is
the new reality
Nation states are preparing for the next war, and that is all about software
38. @spoole167
Open source is built on trust.
We trust it so much it's growing at 73% per year
By 2025 there could be 20 trillion downloads a year
[Chart: projected annual downloads, 2021 to 2025; y-axis 0 to 20]
40. Now they make their own
• Typosquatting: a lookalike domain or dependency with one or two wrong or different characters
• Open source repo attacks: attempts to get malware or weaknesses added into dependency source via social engineering or tooling
• Build tool attacks: attempts to get malware into the tools that are used to produce dependencies
• Dependency confusion: attempts to get a different version added into a binary repository, often "latest"
@spoole167 sonatype.com/devsignup
46. @spoole167
Blind trust in Open Source software is evaporating
5% of the projects on Maven Central already have a vulnerability of CVSS 9 or 10
Now there are direct attacks on open source projects and maintainers to gain access to
source repos or release processes
Now there are direct attacks to insert malicious code via pull requests
Now there are direct attacks on the compilers and packaging tools
50. @spoole167
The Executive
Order
Recognizes the need to form a united front
against “malicious cyber actors”
Outlines a direction for closer working between
all parts of the software industry
Adds new requirements on software vendors
selling to the US government
Will change how we produce and consume
software.
51. @spoole167
Hardening the software supply chain: every product
• has an SBOM
• uses an automated supply chain process
• has evidence of software integrity
• has evidence of an automated vulnerability check process
• has a vulnerability disclosure program
• has evidence of the provenance of all software used
• demonstrates strong controls over the use of internal and third-party software and services
• demonstrates regular audit processes
57. @spoole167
And is always incomplete, or even faked
[Diagram: Payroll App V1 built on Acme Framework and Web Server 05.1.2. What's in the runtimes? What tools were used to build?]
58. @spoole167
An SBOM provides evidence on how software was built
[Diagram: Payroll App V1 with all componentry (Acme Framework, Web Server 05.1.2) and environmental information (Runtime V2, OS V3.4, Compiler V9, CI/CD V2, OS V6, Compiler)]
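Slides 57 and 58 make two points: an SBOM must carry the build environment as well as the component list, and a received SBOM can be incomplete or faked. The following added example, not code from the talk or from Sonatype, produces a minimal SBOM for the Payroll App of the diagram with per-component SHA-256 hashes and the toolchain recorded as properties, then checks an SBOM against the artifacts that actually shipped. The artifact bytes, names, versions and tool versions are constructed; the JSON field names follow the CycloneDX 1.4 layout as an assumption of this example.

```python
"""Added example, not from the talk: produce an SBOM that records both the
components and the build environment of slide 58, then check an SBOM that was
handed to you against the artifacts that actually shipped, which catches the
'incomplete or even faked' documents of slide 57. Artifact bytes, names,
versions and tool versions are constructed; the JSON field names follow the
CycloneDX 1.4 layout as an assumption of this example."""
import hashlib
import json
from typing import Dict, List, Tuple

Key = Tuple[str, str]  # (name, version)

# Constructed artifacts: stand-ins for the jars/wheels that actually ship.
ARTIFACTS: Dict[Key, bytes] = {
    ("payroll-app", "1"): b"payroll application bytes",
    ("acme-framework", "3.2.0"): b"acme framework bytes",
    ("webserver", "05.1.2"): b"web server bytes",
}

# Constructed build environment: the 'environmental information' of slide 58.
BUILD_ENV = {"os": "linux 6", "compiler": "javac 9", "ci": "ci-runner 2", "runtime": "jre 2"}


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def component(key: Key, data: bytes, ctype: str = "library") -> dict:
    name, version = key
    return {
        "type": ctype,
        "name": name,
        "version": version,
        "purl": f"pkg:maven/com.example/{name}@{version}",  # assumed coordinates
        "hashes": [{"alg": "SHA-256", "content": sha256_hex(data)}],
    }


def build_sbom(app: Key, deps: List[Key], env: Dict[str, str]) -> dict:
    """SBOM for `app`: its components plus how and with what it was built."""
    return {
        "bomFormat": "CycloneDX",
        "specVersion": "1.4",
        "version": 1,
        "metadata": {
            "component": component(app, ARTIFACTS[app], "application"),
            "properties": [{"name": f"build.{k}", "value": v} for k, v in env.items()],
        },
        "components": [component(d, ARTIFACTS[d]) for d in deps],
    }


def to_json(sbom: dict) -> str:
    return json.dumps(sbom, indent=2, sort_keys=True)


def verify_sbom(sbom: dict, shipped: Dict[Key, bytes]) -> List[str]:
    """Compare a received SBOM with the dependency artifacts that actually
    shipped. Returns the problems found: components that ship but are not
    listed (incomplete), listed hashes that do not match (faked or stale),
    listed components that never shipped, and a missing toolchain record."""
    problems: List[str] = []
    listed = {(c["name"], c["version"]): c["hashes"][0]["content"]
              for c in sbom.get("components", [])}
    for key, data in shipped.items():
        if key not in listed:
            problems.append(f"not in SBOM: {key[0]}@{key[1]}")
        elif listed[key] != sha256_hex(data):
            problems.append(f"hash mismatch: {key[0]}@{key[1]}")
    for key in listed:
        if key not in shipped:
            problems.append(f"listed but not shipped: {key[0]}@{key[1]}")
    props = sbom.get("metadata", {}).get("properties", [])
    if not any(p["name"] == "build.compiler" for p in props):
        problems.append("no build toolchain recorded")
    return problems


if __name__ == "__main__":
    app: Key = ("payroll-app", "1")
    deps: List[Key] = [("acme-framework", "3.2.0"), ("webserver", "05.1.2")]
    sbom = build_sbom(app, deps, BUILD_ENV)
    print(to_json(sbom))
    shipped = {d: ARTIFACTS[d] for d in deps}
    print("clean:", verify_sbom(sbom, shipped))
    # A swapped artifact shows up as a hash mismatch.
    shipped[("webserver", "05.1.2")] = b"something else entirely"
    print("tampered:", verify_sbom(sbom, shipped))
```

Hashes only tie the document to the bytes; they say nothing about who produced the document. In practice the SBOM itself is signed by the build system so that a consumer can tell a vendor's SBOM from one assembled after the fact.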
65. The way you build software
is going to change
You can expect every government to
follow suit on this sort of initiative
Even if you're not selling directly, you
could be in a chain that is
The prediction is that by 2025 every
software vendor, open source project
etc will have to provide this proof
Manual anything is going to be
problematic
66. @spoole167
You will need
• to be able to track back exactly how, where and with what your s/w was built
• to be able to deal with an increase in the number of reported vulnerabilities
• to be able to build your s/w automatically at a moment's notice
• to provide your 'SBOM' to others
The next wave is moving from IaC (infrastructure as code) to EaC (everything as code)
67. @spoole167
The way you choose open source software is going to change
• What do you do if an open-source component you rely on doesn't comply?
• How much risk are you willing to take?
• Even if they say yes, how much can you trust them?
• Do they have an SBOM?
• What's their ability to provide updates?
• What's their security posture?
Not just "is it free, does it do what I want?"
74. @spoole167
Time to exercise your suspicious brain, find code smells and
LOOK closely at the projects you’re using
Build your own selection
criteria or use ours
75. things to check for
• License / security.md file
• Vulnerability reporting process
• Development process (how do they review contributions?)
• Build process: is it secure? Who can trigger it?
• General assessment of their quality (MTTU)
76. things to check for
• Unexpected release frequency
• Number and activity patterns of committers
• Do they do static application security testing (SAST)?
• Are they prone to making breaking changes?
• Do they often have no path forward (latest version has vulnerabilities)?
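Two of the checks on slides 75 and 76 can be computed rather than eyeballed. The following added example, not code from the talk or from Sonatype, does both: given the versions a project has published and the ranges known to be vulnerable, it reports whether the current and latest releases are affected and which clean version, if any, you can move to (the "no path forward" case), and it computes MTTU, read here as mean time to update, the average delay between an upstream dependency release and the project shipping a build on it. All version numbers, dates and vulnerable ranges are constructed for the example.

```python
"""Added example, not from the talk: two of the selection criteria from
slides 75 and 76 turned into code. (1) 'No path forward': is there a clean
version at or above the one in use, and is the latest release itself
vulnerable? (2) MTTU, taken here to mean mean time to update: how long the
project takes to pick up new releases of its own dependencies. All version
numbers, dates and ranges are constructed for the example."""
from datetime import date
from typing import List, Optional, Tuple

Version = Tuple[int, ...]


def parse(v: str) -> Version:
    return tuple(int(p) for p in v.split("."))


# Constructed release history of a hypothetical library.
RELEASES = ["3.0.0", "3.1.0", "3.1.1", "3.2.0", "3.2.1", "3.3.0"]

# Constructed vulnerable ranges: [introduced, fixed). A fixed value of None
# means no fixed release has been published for that range yet.
VULNERABLE: List[Tuple[str, Optional[str]]] = [
    ("3.0.0", "3.1.1"),  # fixed in 3.1.1
    ("3.2.0", "3.2.1"),  # fixed in 3.2.1
    ("3.3.0", None),     # latest minor has an open issue and no fix
]


def is_vulnerable(v: str) -> bool:
    pv = parse(v)
    for introduced, fixed in VULNERABLE:
        if parse(introduced) <= pv and (fixed is None or pv < parse(fixed)):
            return True
    return False


def path_forward(current: str) -> dict:
    """Clean versions at or above `current`, and whether 'just take latest'
    would land on a vulnerable release. next_clean is None when the project
    currently offers no path forward."""
    ordered = sorted(RELEASES, key=parse)
    latest = ordered[-1]
    clean = [v for v in ordered if parse(v) >= parse(current) and not is_vulnerable(v)]
    return {
        "current_vulnerable": is_vulnerable(current),
        "latest": latest,
        "latest_vulnerable": is_vulnerable(latest),
        "next_clean": clean[0] if clean else None,
        "newest_clean": clean[-1] if clean else None,
    }


# Constructed adoption records: (dependency release, date it was published
# upstream, date this project first shipped a build using it).
ADOPTIONS = [
    ("libfoo 2.4", date(2021, 3, 1), date(2021, 3, 20)),
    ("libfoo 2.5", date(2021, 9, 1), date(2022, 1, 10)),
    ("libbar 1.9", date(2021, 6, 15), date(2021, 7, 1)),
]


def mean_time_to_update(records) -> float:
    """Average days between an upstream release and the project adopting it."""
    days = [(adopted - released).days for _, released, adopted in records]
    return sum(days) / len(days)


if __name__ == "__main__":
    for v in ("3.1.0", "3.2.0", "3.3.0"):
        print(v, path_forward(v))
    print("MTTU (days):", round(mean_time_to_update(ADOPTIONS), 1))
```

A project whose latest release is itself vulnerable and has no clean successor forces you to either patch it yourself or replace it, which is the risk question of slide 67; a high MTTU predicts that the project will be slow to give you a path forward the next time one of its own dependencies is hit.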
79. obvious thoughts
• BYO pipelines will get replaced by commercial ones.
• Automated, evidence-based everything-as-code supply chains are the way forward
• But developer productivity is going to be impacted before we get there
• Consuming open source directly will reduce. You'll pay for trusted versions or have very strict consumption policies
80. obvious thoughts
• Those that can create automated, highly productive supply chains will have an immediate competitive advantage
81. This is the cost for dealing with
• The new motives behind cyber attacks
• The increase in risk of being attacked, because you're in someone's supply chain
• Open source still the primary vector
• The long-term transformation of open source communities
82.
It’s still all software – it’s still up to us to make the world safer.
83. @spoole167
Takeaways
• The days of just taking software off the shelf are numbered :
choose software based on how it’s produced not just what it does
• Evidence based trust will become essential : Your own supply chain
– the software you use, how you develop, how you deploy will
become a certified step in someone else's evidence chain.
• A complex and challenging new world lies ahead. GDPR changed how we think about and deal with user information; supply chains are going to get the same sort of scrutiny.