Cybercrime is becoming increasingly sophisticated and profitable, with its estimated worth reaching $6 trillion, prompting a significant shift in how developers must approach software security. The focus is moving towards automating vulnerability assessments and ensuring software supply chain integrity through practices like Software Bill of Materials (SBOM). Developers are urged to adopt a defensive coding mindset, evaluate open-source dependencies critically, and prepare for an era where evidence-based trust in software production will be essential.

1. Cybercrime
and the
Developer
How to defend against
the darker side
@spoole167

2. Steve Poole
• Developer Adocate
• Sonatype
@spoole167

3. Take away one thing
As a developer, security
is your problem
@spoole167

4. Who uses
wifi?
Every thought about how it
works?
@spoole167

5. Would you notice
one of these
on the wall?
@spoole167

6. With some simple
h/w its’ easy to
spoof the wifi
@spoole167

7. How safe is
your data now?
@spoole167

8. Of course, most
of us don’t
know
@spoole167

9. The world runs on software
@spoole167

10. And software is under attack
@spoole167

11. 5 years a go I said things like this
@spoole167

12. Organized Cybercrime is the most profitable
type of crime
Cybercrime was estimated to be worth 445 Billion Dollars a Year
United Nations Office on Drugs and Crime (UNODC) estimated globally the illicit drug
trade was worth 435 Billion Dollars
• Guess which one has the least risk to the criminal?
• Guess which is growing the fastest?
• Guess which one is the hardest to prosecute?
• Guess which one is predicted to real 2100 Billion Dollars by 2019
• Guess which one is predicted to real 6000 Billion Dollars by 2021
@spoole167

13. 0
1000
2000
3000
4000
5000
6000
2013 2014 2015 2016 2017 2018 2019 2020 2021
Cybercrime Drug trade

14. What’s the status today?
@spoole167

15. It’s much worse than predicted …
As a developer your world is going to
change rapidly
@spoole167

16. Weaponised Cybercrime
Nation states are preparing for the next war – and that
all about software
@spoole167

17. Cyber Attacks are
rising in number
and sophistication
The aim is to infiltrate infrastructure
and essential services…
@spoole167

18. So they can manipulate or disable
@spoole167

19. Cybercriminals used to search for
vulnerabilities to exploit

20. Now they make their own
Typosquatting
A lookalike
domain,
dependency with
one or two wrong
or different
characters
Open source
repo attacks
Build Tool
attacks
Attempts to get
malware or
weaknesses
added into
dependency
source via social
or tools
Attempts to get
malware into the
tools that are
used to produce
dependencies
Dependency
confusion
Attempts to get a
Different version
added into a binary
repository
Often “latest”
@spoole167

21. Put differently Payroll App V1

22. Payroll App V1
Most
applications
are 90% open
source
Dependencies

23. Payroll App V1
Bad guys still
look for
weaknesses
Dependencies

24. Payroll App V1
But now they
are adding
their own
Dependencies
Tools
Runtime
s
Platforms
Code
generators

25. Payroll App V1
Many are
designed to
stay hidden
Until needed
Dependencies
Tools
Runtime
s
Platforms
Code
generators

27. Let me tell you a story

28. Got one of these?
@spoole167

29. Got one of
these in it?
• $2 from china

30. This new phase
of cyber attacks
Are state funded
Professionally developed
Regularly exercised
Very sophisticated
And extremely lucrative

31. 2021 – 6 trillion dollars
2022 ?
@spoole167

32. 2021 – 6 trillion dollars
2022 - 35 Trillion dollars?
@spoole167

33. 2021 – 6 trillion dollars
2022 - 35 Trillion dollars?
@spoole167

34. That’s
$4300 per
person
@spoole167

35. What can you do?
@spoole167

36. 1: Think about the supply chain
@spoole167

37. @spoole167

38. The
Executive
Order
Recognizes the need to form a united front
against “malicious cyber actors”
Outlines a direction for closer working between
all parts of the software industry
Adds new requirements on software vendors
selling to the US government
Will change how we produce and consume
software.
@spoole167

39. Hardening the software supply
chain : every product
has a SBOM
uses an automatic
supply chain process
has evidence of
software integrity
has evidence of
an automatic
vulnerability check
process
Has a vulnerability
disclosure program
Has evidence on the
providence of all
software used
Demonstrates strong
controls over the use
of internal and third-
party software and
services
Demonstrate regular
audit processes
@spoole167

40. SBOM – the new important term
on the horizon
cyclonedx.org spdx.dev
@spoole167

41. Modern
Vulnerability
tools scan your
builds
Dependencies
Payroll App V1
@spoole167

42. Tracking
dependencies
relies on tools
that analyze the
end result
Payroll App V1
Web Server
05.1.2
Acme
Framework
2.1
@spoole167

43. Which relies on
transparency
Payroll App V1
Web Server
05.1.2
Acme
Framework
2.1
@spoole167

44. Which can be
problematic
Payroll App V1
Web Server
05.1.2
Acme
Framework
Incomplete Data
Opaque
Dependencies
@spoole167

45. And is always
incomplete
Or even faked
Payroll App V1
Web Server
05.1.2
Acme
Framework
What’s in the
runtimes?
What tools were used to
build?
@spoole167

46. Web Server
05.1.2
Acme
Framework
Payroll App V1
Runtime V2
OS V3.4
Compiler V9
CI/CD V2
OS V6
Compiler
Environmental
Information
All componentry
SBOMs are intended to cover ‘everything’

47. 2: Automate everything
@spoole167

48. SBOM raise awareness of issues
1.1
Foo 2.1 Bar 3.1
product
Dependency ref
@spoole167

49. SBOM raise awareness of issues
1.1
Foo 2.1 Bar 3.1
product
Dependency ref
url url
SBOM signature
SHA1024 SHA1024
Product URL
url
SHA1024
@spoole167

50. Means more fixes to apply
1.1
Foo 2.1 Bar 3.1
url url
SHA SHA
url
SHA1024
Gcc 3.6 RHEL
url url
SHA SHA
zip
url
SHA
Jenkins
url
SHA
Github
action
url
url

51. Since SBOMS inherit from dependencies
1.1
url
SHA1024

52. More info is available
1.1
url
SHA1024

53. More updates, more often, all the time
1.1
url
SHA1024

54. Time to EXPLOIT?
Source: Adapted from IBM X-Force / Analysis by Gartner Research (September 2016)
Year of Date Reported
2006 2007 2008 2009 2010 2011 2012 2013 2104 2015
10
20
30
40
50
0
Average
Days
to
Exploit
Average
45
15
2017
@spoole167

55. 2 days
@spoole167

56. 2 days
Oh wait that was 2016 – what’s the
number now?

57. 2 days
@spoole167

58. 2 seconds
@spoole167

59. The way you build
software is going to
change
You can expect every government
to follow suit on this sort of
initiative
Even if you're not selling directly,
you could be in a chain that is
The prediction is that by 2025 every
software vendor, open source
project etc will have to provide this
proof
Manual anything is going to be
problematic
@spoole167

60. You will
need to be able to track back exactly how,
where and with what your s/w was built.
To be able to deal with an increase in
the number of reported vulnerabilities
Be able to build your s/w automatically
at a moments notice
To provide to others your ‘SBOM’
The next wave
is moving from
IAC to EAC
(Everything as
code)

61. 3: Lower your trust levels
@spoole167

62. The way you
choose open
source
software is
going to
change
What do you do if a open-source component
you rely on doesn’t comply?
How much risk are you willing to take?
Even if they say yes - how much can you trust
them?
Do they have an SBOM?
What’s their ability to provide updates.
What’s their security posture.
No more: is is it
free and does it
do what I want?
@spoole167

63. Evaluating open-source projects
means more than checking their
license
License
Vulnerability
reporting process
Development
process (how to
they review
contributions)
Build process – is
it secure? Who
can trigger it?
General
assessment of
their quality
(MTTU)
@spoole167

64. 4: Code defensively
@spoole167

65. Exploitation comes often from
simple mistakes
Clean code
Defensive architecture
comprehensive tests
Exception path testing
Useful error messages
Test dependencies
Compartmentalisation of data
Secured pipelines
No ‘dev mode’
Code Reviews
Thinking defensively
…

66. And poor behavior
Ever googled for:
“very trusting trust manager”
“Getting Java to accept all certs over HTTPS”
“How to Trust Any SSL Certificate”
“Disable Certificate Validation in Java”

67. We’ve found 72,609 code results
AlwaysValidTrustManager
TrustAllServersWrappingTrustManager
A very friendly, accepting trust
manager factory. Allows anything
through. all kind of certificates are
accepted and trusted.
A very trusting trust manager that
accepts anything
// Install the all-trusting trust
manager
OverTrustingTrustProvider
AllTrustingSecurityManagerPlugin.java
AcceptingTrustManagerFactory.java
AllTrustingCertHttpRequester.java

68. And poor behavior
curl –insecure
wget --no-check-certificate
sudo apt-get --allow-unauthenticated
@spoole167

69. And poor behavior
curl –insecure
wget --no-check-certificate
sudo apt-get --allow-unauthenticated

70. And by not understanding the
code and tools we use
“I thought I was using the tool correctly”
“I didn’t realize what the default setting was”
“I trusted the tool to do the right thing”
@spoole167

71. IF you contribute to open source
• Take these behaviors with you
• Think about software safety
• Think defensively.
@spoole167

72. Summary
Cyber attacks have entered a
new and aggressive phase
Automated, evidence based Everything-
as-code is the direction
Open Source is still the primary
vector
Risk of attack is rising
dramatically
BYO pipelines will get replaced by
commercial ones
Consuming open source directly will
reduce. You’ll pay for trusted versions
How we write code must
change
How we work with other developers will
change

73. Takeaways
• The days of just taking software off the shelf are numbered :
choose software based on how it’s produced not just what it does
• Evidence based trust will become essential : Your own supply chain
– the software you use, how you develop, how you deploy will become
a certified step in someone else's evidence chain.
• A complex and challenging new world lies ahead. GDPR changed
how we thought and deal with user information – supply chains are
going to get the same sort of scrutiny.
• Software is critical to every facet of our lives – the world has woken
up to that .
@spoole167

74. As developers,
we’re on the front
line
@spoole167

75. Thank
you
Any questions?
@spoole167