SlideShare a Scribd company logo

Decoding Software Composition Analysis (SCA) - Unveiling Pain Points in SCA - Kaiwen Jiang.pdf

owasplondon
owasplondon

An overview of Software Composition Analysis (SCA) and its significance in bolstering software security. It includes discussions on SCA tools and key steps for implementation, and addresses challenges associated with SCA adoption. -- This talk was presented at the OWASP London Chapter meetup on April 28th, 2024 at ThoughtMachine London HQ

Technology
1 of 26
Download to read offline
Decoding Software Composition Analysis (SCA): Unveiling Pain Points in SCA Kaiwe Jiang 18/04/2024
● Application Security Engineer at Wise ● Cyber Security Consultant at Deloitte ● Msc Information Security at Royal Holloway, University of London ● Blog: https://appseckiki.medium.com/ ● Cat lover & Swiftie Kaiwen Jiang
Introduction of Software Composition Analysis(SCA) Tools Showcase Pain Points Discussion Summary 1 2 3 4 Agenda
Introduction of Software Composition Analysis(SCA) 01
Supply Chain Attack: Targeting Industrial Control Systems via Third-Party Software Image credit: https://www.ncsc.gov.uk/collection/supply-chain-security/third- party-software-providers
Supply Chain Attack: Targeting Industrial Control Systems via Third-Party Software Impact: ● Disruptions: Production delays, equipment failures, and safety hazards can occur due to manipulated control systems. ● Data theft: Sensitive information about industrial processes or system configurations could be stolen for espionage or sabotage purposes. ● Financial losses: The attack can lead to costly repairs, downtime, and potential regulatory fines. Image credit: https://www.ncsc.gov.uk/collection/supply-chain-security/third- party-software-providers
Software Composition Analysis (SCA) SCA analyses open-source software (OSS) for two main reasons: security and compliance. ● Security Risks: Most software today relies on pre-written open-source components. SCA helps identify those components and any known security vulnerabilities they may have. This allows developers to fix these weaknesses before they become a target for attackers. ● Compliance: Open-source software comes with various licenses that dictate how you can use it. SCA helps ensure your project follows the terms of these licenses, avoiding potential legal issues in the future.
Tools Showcase 02
Tool Showcase: Trivy ● Targets (what Trivy can scan): ○ Container Image ○ Filesystem ○ Git Repository (remote) ○ Virtual Machine Image ○ Kubernetes ○ AWS ● Scanners (what Trivy can find there): OS packages and software dependencies in use (SBOM) Known vulnerabilities (CVEs) IaC issues and misconfigurations Sensitive information and secrets Software licenses
DefectDojo: An OWASP Project for Vulnerability Monitoring
Visualize the SCA workflow ● Visualize the workflow with a chart: Initiate project -> Development (introduce dependencies) -> SCA (Trivy scan) -> Integrate findings with DefectDojo. ● Benefits: Proactive identification and mitigation of security risks early in the development lifecycle.
Pain Points Discussion 03
01 02 03 SLA breach Pain points discussion SCA findings get overlooked Streamline dependency upgrading
● Service Level Agreement (SLA) implementation ● Vulnerability Reminder Slack bot: The bot sends weekly report with all of the high/critical vulnerabilities that'll reach their SLA soon. ● Training and awareness: offering training to the engineering teams on the importance of SCA findings 1. SCA findings get overlooked
● Too many vulnerabilities to fix in a short time? SLA severity adjustment ○ Public facing vs Internal ○ Service level: High priority, standard, or low ○ Exploitable or not ● Implementing warning mode and blocking PRs 2. SLA Breach
● Streamlining the process for addressing vulnerabilities, for example with automated remediation tools such as Dependabot. ○ Dependency PR overload and don’t get to merge ○ Group dependency PRs by upgrade level 3. Streamline dependency upgrading
● Improving testing to improve confidence level of dependency upgrading ○ Implementing unit testing/ integration testing/end to end testing in CI ○ Improving higher test coverage ● utilisation of automated deployment to staging environment 3. Streamline dependency upgrading
● Should we use dependency bots to auto merge pull request (PR)? 3. Streamline dependency upgrading
● Efficiency: Saves developers time by automating the merging of routine dependency updates, freeing them to focus on more complex tasks. ● Consistency: Ensures all projects consistently receive the latest updates, reducing the risk of outdated dependencies with known vulnerabilities. ● Reduced Errors: Eliminates the possibility of human error during manual merging. Pros of Auto-Merging with Dependency Bots
● Security Risks: Auto-merging introduces the risk of introducing new vulnerabilities or compatibility issues with the latest updates. Malicious actors could potentially exploit this by publishing compromised versions of dependencies. ● Lack of Review: Bypasses the opportunity for human review of the changes, which might catch potential issues beyond simple version updates. Important code changes within the dependency update could be missed. Cons of Auto-Merging with Dependency Bots
● Testing strategy: a robust testing with high coverage to make teams more comfortable with auto-merging for minor, well-tested upgrades. ● Security Posture: Organisations with stricter security requirements might be more cautious about auto-merging. ● Dependency Criticality: Auto-merging might be less risky for non critical dependencies compared to core components. Finding the right balance
Summary 04
● SCA is essential for secure coding: Identifies vulnerabilities in open-source components and dependencies. ● Tools like Trivy simplify vulnerability scanning and provide actionable insights. ● Vulnerability management platforms like DefectDojo centralise data and streamline remediation. ● Clear communication and processes are crucial to ensure timely action on SCA findings. SLAs and automated workflows can improve efficiency but require careful planning for security. ● Balance is key: Prioritise security without hindering development speed excessively. Summary
● Integrate SCA tools and vulnerability management into your development process. ● Foster a culture of security awareness and collaboration between developers and security teams. ● Continuously improve your secure coding practices for a more secure development lifecycle. Call to Action
Thank you! Questions? Kaiwen Jiang kaiwen.jiang@wise.com

Recommended

Application Security - Your Success Depends on it
Application Security - Your Success Depends on itApplication Security - Your Success Depends on it
Application Security - Your Success Depends on itWSO2
 
How to Perform Continuous Vulnerability Management
How to Perform Continuous Vulnerability ManagementHow to Perform Continuous Vulnerability Management
How to Perform Continuous Vulnerability ManagementIvanti
 
A Study on Vulnerability Management
A Study on Vulnerability ManagementA Study on Vulnerability Management
A Study on Vulnerability ManagementIRJET Journal
 
ByteCode pentest report example
ByteCode pentest report exampleByteCode pentest report example
ByteCode pentest report exampleIhor Uzhvenko
 
idsecconf2023 - Mangatas Tondang, Wahyu Nuryanto - Penerapan Model Detection ...
idsecconf2023 - Mangatas Tondang, Wahyu Nuryanto - Penerapan Model Detection ...idsecconf2023 - Mangatas Tondang, Wahyu Nuryanto - Penerapan Model Detection ...
idsecconf2023 - Mangatas Tondang, Wahyu Nuryanto - Penerapan Model Detection ...idsecconf
 
The road towards better automotive cybersecurity
The road towards better automotive cybersecurityThe road towards better automotive cybersecurity
The road towards better automotive cybersecurityRogue Wave Software
 
Application Security Testing for Software Engineers: An approach to build sof...
Application Security Testing for Software Engineers: An approach to build sof...Application Security Testing for Software Engineers: An approach to build sof...
Application Security Testing for Software Engineers: An approach to build sof...Michael Hidalgo
 
Getting the Most Value from VM and Compliance Programs white paper
Getting the Most Value from VM and Compliance Programs white paperGetting the Most Value from VM and Compliance Programs white paper
Getting the Most Value from VM and Compliance Programs white paperTawnia Beckwith
 

Recommended

Application Security - Your Success Depends on it
Application Security - Your Success Depends on itApplication Security - Your Success Depends on it
Application Security - Your Success Depends on itWSO2
 
How to Perform Continuous Vulnerability Management
How to Perform Continuous Vulnerability ManagementHow to Perform Continuous Vulnerability Management
How to Perform Continuous Vulnerability ManagementIvanti
 
A Study on Vulnerability Management
A Study on Vulnerability ManagementA Study on Vulnerability Management
A Study on Vulnerability ManagementIRJET Journal
 
ByteCode pentest report example
ByteCode pentest report exampleByteCode pentest report example
ByteCode pentest report exampleIhor Uzhvenko
 
idsecconf2023 - Mangatas Tondang, Wahyu Nuryanto - Penerapan Model Detection ...
idsecconf2023 - Mangatas Tondang, Wahyu Nuryanto - Penerapan Model Detection ...idsecconf2023 - Mangatas Tondang, Wahyu Nuryanto - Penerapan Model Detection ...
idsecconf2023 - Mangatas Tondang, Wahyu Nuryanto - Penerapan Model Detection ...idsecconf
 
The road towards better automotive cybersecurity
The road towards better automotive cybersecurityThe road towards better automotive cybersecurity
The road towards better automotive cybersecurityRogue Wave Software
 
Application Security Testing for Software Engineers: An approach to build sof...
Application Security Testing for Software Engineers: An approach to build sof...Application Security Testing for Software Engineers: An approach to build sof...
Application Security Testing for Software Engineers: An approach to build sof...Michael Hidalgo
 
Getting the Most Value from VM and Compliance Programs white paper
Getting the Most Value from VM and Compliance Programs white paperGetting the Most Value from VM and Compliance Programs white paper
Getting the Most Value from VM and Compliance Programs white paperTawnia Beckwith
 
Penetration Test Report
Penetration Test ReportPenetration Test Report
Penetration Test ReportDOTCOMIT PRO SRL
 
Vulnerability Management in IT Infrastructure
Vulnerability Management in IT InfrastructureVulnerability Management in IT Infrastructure
Vulnerability Management in IT InfrastructureIRJET Journal
 
Secure Software Development Lifecycle
Secure Software Development LifecycleSecure Software Development Lifecycle
Secure Software Development Lifecycle1&1
 
10 Tips to Keep Your Software a Step Ahead of the Hackers
10 Tips to Keep Your Software a Step Ahead of the Hackers10 Tips to Keep Your Software a Step Ahead of the Hackers
10 Tips to Keep Your Software a Step Ahead of the HackersCheckmarx
 
Cisco_eBook_ShiftLeftSecurity_2022_06_07a.pdf
Cisco_eBook_ShiftLeftSecurity_2022_06_07a.pdfCisco_eBook_ShiftLeftSecurity_2022_06_07a.pdf
Cisco_eBook_ShiftLeftSecurity_2022_06_07a.pdfNathanDjami
 
Gubarevich Peter - 11-Feb-2016 - Show IT 2016 @Bratislava
Gubarevich Peter - 11-Feb-2016 - Show IT 2016 @BratislavaGubarevich Peter - 11-Feb-2016 - Show IT 2016 @Bratislava
Gubarevich Peter - 11-Feb-2016 - Show IT 2016 @BratislavaPeter Gubarevich
 
Vulnerability Management System
Vulnerability Management SystemVulnerability Management System
Vulnerability Management SystemIRJET Journal
 
A Framework for Developing and Operationalizing Security Use Cases
A Framework for Developing and Operationalizing Security Use CasesA Framework for Developing and Operationalizing Security Use Cases
A Framework for Developing and Operationalizing Security Use CasesRyan Faircloth
 
325838924-Splunk-Use-Case-Framework-Introduction-Session
325838924-Splunk-Use-Case-Framework-Introduction-Session325838924-Splunk-Use-Case-Framework-Introduction-Session
325838924-Splunk-Use-Case-Framework-Introduction-SessionRyan Faircloth
 
Manoj Purandare - Application Security - Secure Code Assessment Program - Pre...
Manoj Purandare - Application Security - Secure Code Assessment Program - Pre...Manoj Purandare - Application Security - Secure Code Assessment Program - Pre...
Manoj Purandare - Application Security - Secure Code Assessment Program - Pre...Manoj Purandare ☁
 
Manoj Purandare - Application Security - Secure Code Assessment Program - Pre...
Manoj Purandare - Application Security - Secure Code Assessment Program - Pre...Manoj Purandare - Application Security - Secure Code Assessment Program - Pre...
Manoj Purandare - Application Security - Secure Code Assessment Program - Pre...Manoj Purandare ☁
 
Manoj Purandare - Application Security - Secure Code Assessment Program - Pre...
Manoj Purandare - Application Security - Secure Code Assessment Program - Pre...Manoj Purandare - Application Security - Secure Code Assessment Program - Pre...
Manoj Purandare - Application Security - Secure Code Assessment Program - Pre...Manoj Purandare ☁
 
Arved sandstrom - the rotwithin - atlseccon2011
Arved sandstrom - the rotwithin - atlseccon2011Arved sandstrom - the rotwithin - atlseccon2011
Arved sandstrom - the rotwithin - atlseccon2011Atlantic Security Conference
 
Eric Anklesaria. Secure SDLC - Core Banking
Eric Anklesaria. Secure SDLC - Core BankingEric Anklesaria. Secure SDLC - Core Banking
Eric Anklesaria. Secure SDLC - Core BankingPositive Hack Days
 
24may 1200 valday eric anklesaria 'secure sdlc – core banking'
24may 1200 valday eric anklesaria 'secure sdlc – core banking'24may 1200 valday eric anklesaria 'secure sdlc – core banking'
24may 1200 valday eric anklesaria 'secure sdlc – core banking'Positive Hack Days
 
Дмитро Терещенко, "How to secure your application with Secure SDLC"
Дмитро Терещенко, "How to secure your application with Secure SDLC"Дмитро Терещенко, "How to secure your application with Secure SDLC"
Дмитро Терещенко, "How to secure your application with Secure SDLC"Sigma Software
 
What is the software supply chain and how can it be secured.pdf
What is the software supply chain and how can it be secured.pdfWhat is the software supply chain and how can it be secured.pdf
What is the software supply chain and how can it be secured.pdfJose thomas
 
How GitLab and HackerOne help organizations innovate faster without compromis...
How GitLab and HackerOne help organizations innovate faster without compromis...How GitLab and HackerOne help organizations innovate faster without compromis...
How GitLab and HackerOne help organizations innovate faster without compromis...HackerOne
 
IRJET-A Review of Testing Technology in Web Application System
IRJET-A Review of Testing Technology in Web Application SystemIRJET-A Review of Testing Technology in Web Application System
IRJET-A Review of Testing Technology in Web Application SystemIRJET Journal
 
Managing Security in External Software Dependencies
Managing Security in External Software DependenciesManaging Security in External Software Dependencies
Managing Security in External Software Dependenciesthariyarox
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerThousandEyes
 
08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking MenDelhi Call girls
 

More Related Content

Similar to Decoding Software Composition Analysis (SCA) - Unveiling Pain Points in SCA - Kaiwen Jiang.pdf

Vulnerability Management in IT Infrastructure
Vulnerability Management in IT InfrastructureVulnerability Management in IT Infrastructure
Vulnerability Management in IT InfrastructureIRJET Journal
 
Secure Software Development Lifecycle
Secure Software Development LifecycleSecure Software Development Lifecycle
Secure Software Development Lifecycle1&1
 
10 Tips to Keep Your Software a Step Ahead of the Hackers
10 Tips to Keep Your Software a Step Ahead of the Hackers10 Tips to Keep Your Software a Step Ahead of the Hackers
10 Tips to Keep Your Software a Step Ahead of the HackersCheckmarx
 
Cisco_eBook_ShiftLeftSecurity_2022_06_07a.pdf
Cisco_eBook_ShiftLeftSecurity_2022_06_07a.pdfCisco_eBook_ShiftLeftSecurity_2022_06_07a.pdf
Cisco_eBook_ShiftLeftSecurity_2022_06_07a.pdfNathanDjami
 
Gubarevich Peter - 11-Feb-2016 - Show IT 2016 @Bratislava
Gubarevich Peter - 11-Feb-2016 - Show IT 2016 @BratislavaGubarevich Peter - 11-Feb-2016 - Show IT 2016 @Bratislava
Gubarevich Peter - 11-Feb-2016 - Show IT 2016 @BratislavaPeter Gubarevich
 
Vulnerability Management System
Vulnerability Management SystemVulnerability Management System
Vulnerability Management SystemIRJET Journal
 
A Framework for Developing and Operationalizing Security Use Cases
A Framework for Developing and Operationalizing Security Use CasesA Framework for Developing and Operationalizing Security Use Cases
A Framework for Developing and Operationalizing Security Use CasesRyan Faircloth
 
325838924-Splunk-Use-Case-Framework-Introduction-Session
325838924-Splunk-Use-Case-Framework-Introduction-Session325838924-Splunk-Use-Case-Framework-Introduction-Session
325838924-Splunk-Use-Case-Framework-Introduction-SessionRyan Faircloth
 
Manoj Purandare - Application Security - Secure Code Assessment Program - Pre...
Manoj Purandare - Application Security - Secure Code Assessment Program - Pre...Manoj Purandare - Application Security - Secure Code Assessment Program - Pre...
Manoj Purandare - Application Security - Secure Code Assessment Program - Pre...Manoj Purandare ☁
 
Manoj Purandare - Application Security - Secure Code Assessment Program - Pre...
Manoj Purandare - Application Security - Secure Code Assessment Program - Pre...Manoj Purandare - Application Security - Secure Code Assessment Program - Pre...
Manoj Purandare - Application Security - Secure Code Assessment Program - Pre...Manoj Purandare ☁
 
Manoj Purandare - Application Security - Secure Code Assessment Program - Pre...
Manoj Purandare - Application Security - Secure Code Assessment Program - Pre...Manoj Purandare - Application Security - Secure Code Assessment Program - Pre...
Manoj Purandare - Application Security - Secure Code Assessment Program - Pre...Manoj Purandare ☁
 
Eric Anklesaria. Secure SDLC - Core Banking
Eric Anklesaria. Secure SDLC - Core BankingEric Anklesaria. Secure SDLC - Core Banking
Eric Anklesaria. Secure SDLC - Core BankingPositive Hack Days
 
24may 1200 valday eric anklesaria 'secure sdlc – core banking'
24may 1200 valday eric anklesaria 'secure sdlc – core banking'24may 1200 valday eric anklesaria 'secure sdlc – core banking'
24may 1200 valday eric anklesaria 'secure sdlc – core banking'Positive Hack Days
 
Дмитро Терещенко, "How to secure your application with Secure SDLC"
Дмитро Терещенко, "How to secure your application with Secure SDLC"Дмитро Терещенко, "How to secure your application with Secure SDLC"
Дмитро Терещенко, "How to secure your application with Secure SDLC"Sigma Software
 
What is the software supply chain and how can it be secured.pdf
What is the software supply chain and how can it be secured.pdfWhat is the software supply chain and how can it be secured.pdf
What is the software supply chain and how can it be secured.pdfJose thomas
 
How GitLab and HackerOne help organizations innovate faster without compromis...
How GitLab and HackerOne help organizations innovate faster without compromis...How GitLab and HackerOne help organizations innovate faster without compromis...
How GitLab and HackerOne help organizations innovate faster without compromis...HackerOne
 
IRJET-A Review of Testing Technology in Web Application System
IRJET-A Review of Testing Technology in Web Application SystemIRJET-A Review of Testing Technology in Web Application System
IRJET-A Review of Testing Technology in Web Application SystemIRJET Journal
 
Managing Security in External Software Dependencies
Managing Security in External Software DependenciesManaging Security in External Software Dependencies
Managing Security in External Software Dependenciesthariyarox
 

Similar to Decoding Software Composition Analysis (SCA) - Unveiling Pain Points in SCA - Kaiwen Jiang.pdf (20)

Penetration Test Report
Penetration Test ReportPenetration Test Report
Penetration Test Report
 
Vulnerability Management in IT Infrastructure
Vulnerability Management in IT InfrastructureVulnerability Management in IT Infrastructure
Vulnerability Management in IT Infrastructure
 
Secure Software Development Lifecycle
Secure Software Development LifecycleSecure Software Development Lifecycle
Secure Software Development Lifecycle
 
10 Tips to Keep Your Software a Step Ahead of the Hackers
10 Tips to Keep Your Software a Step Ahead of the Hackers10 Tips to Keep Your Software a Step Ahead of the Hackers
10 Tips to Keep Your Software a Step Ahead of the Hackers
 
Cisco_eBook_ShiftLeftSecurity_2022_06_07a.pdf
Cisco_eBook_ShiftLeftSecurity_2022_06_07a.pdfCisco_eBook_ShiftLeftSecurity_2022_06_07a.pdf
Cisco_eBook_ShiftLeftSecurity_2022_06_07a.pdf
 
Gubarevich Peter - 11-Feb-2016 - Show IT 2016 @Bratislava
Gubarevich Peter - 11-Feb-2016 - Show IT 2016 @BratislavaGubarevich Peter - 11-Feb-2016 - Show IT 2016 @Bratislava
Gubarevich Peter - 11-Feb-2016 - Show IT 2016 @Bratislava
 
Vulnerability Management System
Vulnerability Management SystemVulnerability Management System
Vulnerability Management System
 
A Framework for Developing and Operationalizing Security Use Cases
A Framework for Developing and Operationalizing Security Use CasesA Framework for Developing and Operationalizing Security Use Cases
A Framework for Developing and Operationalizing Security Use Cases
 
325838924-Splunk-Use-Case-Framework-Introduction-Session
325838924-Splunk-Use-Case-Framework-Introduction-Session325838924-Splunk-Use-Case-Framework-Introduction-Session
325838924-Splunk-Use-Case-Framework-Introduction-Session
 
Manoj Purandare - Application Security - Secure Code Assessment Program - Pre...
Manoj Purandare - Application Security - Secure Code Assessment Program - Pre...Manoj Purandare - Application Security - Secure Code Assessment Program - Pre...
Manoj Purandare - Application Security - Secure Code Assessment Program - Pre...
 
Manoj Purandare - Application Security - Secure Code Assessment Program - Pre...
Manoj Purandare - Application Security - Secure Code Assessment Program - Pre...Manoj Purandare - Application Security - Secure Code Assessment Program - Pre...
Manoj Purandare - Application Security - Secure Code Assessment Program - Pre...
 
Manoj Purandare - Application Security - Secure Code Assessment Program - Pre...
Manoj Purandare - Application Security - Secure Code Assessment Program - Pre...Manoj Purandare - Application Security - Secure Code Assessment Program - Pre...
Manoj Purandare - Application Security - Secure Code Assessment Program - Pre...
 
Arved sandstrom - the rotwithin - atlseccon2011
Arved sandstrom - the rotwithin - atlseccon2011Arved sandstrom - the rotwithin - atlseccon2011
Arved sandstrom - the rotwithin - atlseccon2011
 
Eric Anklesaria. Secure SDLC - Core Banking
Eric Anklesaria. Secure SDLC - Core BankingEric Anklesaria. Secure SDLC - Core Banking
Eric Anklesaria. Secure SDLC - Core Banking
 
24may 1200 valday eric anklesaria 'secure sdlc – core banking'
24may 1200 valday eric anklesaria 'secure sdlc – core banking'24may 1200 valday eric anklesaria 'secure sdlc – core banking'
24may 1200 valday eric anklesaria 'secure sdlc – core banking'
 
Дмитро Терещенко, "How to secure your application with Secure SDLC"
Дмитро Терещенко, "How to secure your application with Secure SDLC"Дмитро Терещенко, "How to secure your application with Secure SDLC"
Дмитро Терещенко, "How to secure your application with Secure SDLC"
 
What is the software supply chain and how can it be secured.pdf
What is the software supply chain and how can it be secured.pdfWhat is the software supply chain and how can it be secured.pdf
What is the software supply chain and how can it be secured.pdf
 
How GitLab and HackerOne help organizations innovate faster without compromis...
How GitLab and HackerOne help organizations innovate faster without compromis...How GitLab and HackerOne help organizations innovate faster without compromis...
How GitLab and HackerOne help organizations innovate faster without compromis...
 
IRJET-A Review of Testing Technology in Web Application System
IRJET-A Review of Testing Technology in Web Application SystemIRJET-A Review of Testing Technology in Web Application System
IRJET-A Review of Testing Technology in Web Application System
 
Managing Security in External Software Dependencies
Managing Security in External Software DependenciesManaging Security in External Software Dependencies
Managing Security in External Software Dependencies
 

Recently uploaded

How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerThousandEyes
 
08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking MenDelhi Call girls
 
A Call to Action for Generative AI in 2024
A Call to Action for Generative AI in 2024A Call to Action for Generative AI in 2024
A Call to Action for Generative AI in 2024Results
 
Boost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityBoost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityPrincipled Technologies
 
08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking MenDelhi Call girls
 
GenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationGenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationMichael W. Hawkins
 
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...Neo4j
 
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...shyamraj55
 
Presentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreterPresentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreternaman860154
 
Enhancing Worker Digital Experience: A Hands-on Workshop for Partners
Enhancing Worker Digital Experience: A Hands-on Workshop for PartnersEnhancing Worker Digital Experience: A Hands-on Workshop for Partners
Enhancing Worker Digital Experience: A Hands-on Workshop for PartnersThousandEyes
 
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Miguel Araújo
 
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationFrom Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationSafe Software
 
Breaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path MountBreaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path MountPuma Security, LLC
 
Maximizing Board Effectiveness 2024 Webinar.pptx
Maximizing Board Effectiveness 2024 Webinar.pptxMaximizing Board Effectiveness 2024 Webinar.pptx
Maximizing Board Effectiveness 2024 Webinar.pptxOnBoard
 
Kalyanpur ) Call Girls in Lucknow Finest Escorts Service 🍸 8923113531 🎰 Avail...
Kalyanpur ) Call Girls in Lucknow Finest Escorts Service 🍸 8923113531 🎰 Avail...Kalyanpur ) Call Girls in Lucknow Finest Escorts Service 🍸 8923113531 🎰 Avail...
Kalyanpur ) Call Girls in Lucknow Finest Escorts Service 🍸 8923113531 🎰 Avail...gurkirankumar98700
 
Slack Application Development 101 Slides
Slack Application Development 101 SlidesSlack Application Development 101 Slides
Slack Application Development 101 Slidespraypatel2
 
[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdfhans926745
 
My Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 PresentationMy Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 PresentationRidwan Fadjar
 
A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)Gabriella Davis
 
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Drew Madelung
 

Recently uploaded (20)

How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected Worker
 
08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men
 
A Call to Action for Generative AI in 2024
A Call to Action for Generative AI in 2024A Call to Action for Generative AI in 2024
A Call to Action for Generative AI in 2024
 
Boost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityBoost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivity
 
08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men
 
GenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationGenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day Presentation
 
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
 
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
 
Presentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreterPresentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreter
 
Enhancing Worker Digital Experience: A Hands-on Workshop for Partners
Enhancing Worker Digital Experience: A Hands-on Workshop for PartnersEnhancing Worker Digital Experience: A Hands-on Workshop for Partners
Enhancing Worker Digital Experience: A Hands-on Workshop for Partners
 
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
 
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationFrom Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
 
Breaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path MountBreaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path Mount
 
Maximizing Board Effectiveness 2024 Webinar.pptx
Maximizing Board Effectiveness 2024 Webinar.pptxMaximizing Board Effectiveness 2024 Webinar.pptx
Maximizing Board Effectiveness 2024 Webinar.pptx
 
Kalyanpur ) Call Girls in Lucknow Finest Escorts Service 🍸 8923113531 🎰 Avail...
Kalyanpur ) Call Girls in Lucknow Finest Escorts Service 🍸 8923113531 🎰 Avail...Kalyanpur ) Call Girls in Lucknow Finest Escorts Service 🍸 8923113531 🎰 Avail...
Kalyanpur ) Call Girls in Lucknow Finest Escorts Service 🍸 8923113531 🎰 Avail...
 
Slack Application Development 101 Slides
Slack Application Development 101 SlidesSlack Application Development 101 Slides
Slack Application Development 101 Slides
 
[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf
 
My Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 PresentationMy Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 Presentation
 
A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)
 
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
 

Decoding Software Composition Analysis (SCA) - Unveiling Pain Points in SCA - Kaiwen Jiang.pdf

  • 1. Decoding Software Composition Analysis (SCA): Unveiling Pain Points in SCA Kaiwe Jiang 18/04/2024
  • 2. ● Application Security Engineer at Wise ● Cyber Security Consultant at Deloitte ● Msc Information Security at Royal Holloway, University of London ● Blog: https://appseckiki.medium.com/ ● Cat lover & Swiftie Kaiwen Jiang
  • 3. Introduction of Software Composition Analysis(SCA) Tools Showcase Pain Points Discussion Summary 1 2 3 4 Agenda
  • 5. Supply Chain Attack: Targeting Industrial Control Systems via Third-Party Software Image credit: https://www.ncsc.gov.uk/collection/supply-chain-security/third- party-software-providers
  • 6. Supply Chain Attack: Targeting Industrial Control Systems via Third-Party Software Impact: ● Disruptions: Production delays, equipment failures, and safety hazards can occur due to manipulated control systems. ● Data theft: Sensitive information about industrial processes or system configurations could be stolen for espionage or sabotage purposes. ● Financial losses: The attack can lead to costly repairs, downtime, and potential regulatory fines. Image credit: https://www.ncsc.gov.uk/collection/supply-chain-security/third- party-software-providers
  • 7. Software Composition Analysis (SCA) SCA analyses open-source software (OSS) for two main reasons: security and compliance. ● Security Risks: Most software today relies on pre-written open-source components. SCA helps identify those components and any known security vulnerabilities they may have. This allows developers to fix these weaknesses before they become a target for attackers. ● Compliance: Open-source software comes with various licenses that dictate how you can use it. SCA helps ensure your project follows the terms of these licenses, avoiding potential legal issues in the future.
  • 9. Tool Showcase: Trivy ● Targets (what Trivy can scan): ○ Container Image ○ Filesystem ○ Git Repository (remote) ○ Virtual Machine Image ○ Kubernetes ○ AWS ● Scanners (what Trivy can find there): OS packages and software dependencies in use (SBOM) Known vulnerabilities (CVEs) IaC issues and misconfigurations Sensitive information and secrets Software licenses
  • 10.
  • 11. DefectDojo: An OWASP Project for Vulnerability Monitoring
  • 12. Visualize the SCA workflow ● Visualize the workflow with a chart: Initiate project -> Development (introduce dependencies) -> SCA (Trivy scan) -> Integrate findings with DefectDojo. ● Benefits: Proactive identification and mitigation of security risks early in the development lifecycle.
  • 14. 01 02 03 SLA breach Pain points discussion SCA findings get overlooked Streamline dependency upgrading
  • 15. ● Service Level Agreement (SLA) implementation ● Vulnerability Reminder Slack bot: The bot sends weekly report with all of the high/critical vulnerabilities that'll reach their SLA soon. ● Training and awareness: offering training to the engineering teams on the importance of SCA findings 1. SCA findings get overlooked
  • 16. ● Too many vulnerabilities to fix in a short time? SLA severity adjustment ○ Public facing vs Internal ○ Service level: High priority, standard, or low ○ Exploitable or not ● Implementing warning mode and blocking PRs 2. SLA Breach
  • 17. ● Streamlining the process for addressing vulnerabilities, for example with automated remediation tools such as Dependabot. ○ Dependency PR overload and don’t get to merge ○ Group dependency PRs by upgrade level 3. Streamline dependency upgrading
  • 18. ● Improving testing to improve confidence level of dependency upgrading ○ Implementing unit testing/ integration testing/end to end testing in CI ○ Improving higher test coverage ● utilisation of automated deployment to staging environment 3. Streamline dependency upgrading
  • 19. ● Should we use dependency bots to auto merge pull request (PR)? 3. Streamline dependency upgrading
  • 20. ● Efficiency: Saves developers time by automating the merging of routine dependency updates, freeing them to focus on more complex tasks. ● Consistency: Ensures all projects consistently receive the latest updates, reducing the risk of outdated dependencies with known vulnerabilities. ● Reduced Errors: Eliminates the possibility of human error during manual merging. Pros of Auto-Merging with Dependency Bots
  • 21. ● Security Risks: Auto-merging introduces the risk of introducing new vulnerabilities or compatibility issues with the latest updates. Malicious actors could potentially exploit this by publishing compromised versions of dependencies. ● Lack of Review: Bypasses the opportunity for human review of the changes, which might catch potential issues beyond simple version updates. Important code changes within the dependency update could be missed. Cons of Auto-Merging with Dependency Bots
  • 22. ● Testing strategy: a robust testing with high coverage to make teams more comfortable with auto-merging for minor, well-tested upgrades. ● Security Posture: Organisations with stricter security requirements might be more cautious about auto-merging. ● Dependency Criticality: Auto-merging might be less risky for non critical dependencies compared to core components. Finding the right balance
  • 24. ● SCA is essential for secure coding: Identifies vulnerabilities in open-source components and dependencies. ● Tools like Trivy simplify vulnerability scanning and provide actionable insights. ● Vulnerability management platforms like DefectDojo centralise data and streamline remediation. ● Clear communication and processes are crucial to ensure timely action on SCA findings. SLAs and automated workflows can improve efficiency but require careful planning for security. ● Balance is key: Prioritise security without hindering development speed excessively. Summary
  • 25. ● Integrate SCA tools and vulnerability management into your development process. ● Foster a culture of security awareness and collaboration between developers and security teams. ● Continuously improve your secure coding practices for a more secure development lifecycle. Call to Action