Steve Poole, profile picture
Uploaded bySteve Poole
PPTX, PDF51 views

GIDS-2023 A New Hope for 2023? What Developers Must Learn Next

This document discusses the evolving threats from cybercrime and importance of securing the software supply chain. It notes that cybercrime now costs over $6 trillion annually, similar to the global GDP of major countries. Attacks have become more sophisticated using techniques like supply chain compromises and exploiting vulnerabilities before they are publicly known. Developers are urged to carefully select open source components based on security practices like using SBOMs and rapid patching. The talk recommends following secure development principles and keeping educated on improving tools that can help harden applications and their supply chains.

Software
Related topics:
Supply Chain Insights

Embed presentation

Download to read offline
@spoole167 www.developersummit.com @spoole167 A new hope for 2023? What developers must learn next
@spoole167 what do we think when we think about cybercrime?”
@spoole167 Photo by Bastian Pudill on Unsplash Do we imagine someone walking down the road trying the handles of cars as they pass Looking for a car to steal
@spoole167 Do we remember that movie we watched about a daring and sophisticated robbery ?
@spoole167 these are the two styles we often think about. The super complicated attack or the simple opportunist
@spoole167 Wrongly we think we’re not targets we think the bad guys are far away
@spoole167 The most common thoughts as a developer are ”why is it my problem?” or “I don’t really know what to do”
@spoole167 this talk • Is a reality check about what the bad guys are really doing and why • What’s happening to help address these attacks • What should you be doing next
@spoole167 Steve Poole Director, Dev Advocacy Sonatype
@spoole167 Sonatype Invented Maven Started Maven Central in 2003 Created Nexus repo and other technologies The quiet leader in secure software supply chain technology
Not just the Maven Central people
@spoole167 Latest trends in Cyber attacks
@spoole167 Cyberattacks have moved on It’s not all hackers in bedrooms doing it for fun
@spoole167 in 2016 Cybercrime cost ~415 Billion Dollars So did the illicit drug trade
@spoole167 Buys you US Nimitz Class carriers 415 Billion Dollars in 2016
@spoole167 Buys you US Nimitz Class carriers 415 Billion Dollars in 2016 50
@spoole167 Cybercrime has been growing at ~56% per year ever since drug trade cybercrime
@spoole167 Buys you US Nimitz Class carriers 415 Billion Dollars in 2016 50
@spoole167 Buys you US Nimitz Class carriers 6 Trillion Dollars in 2022 50 620
@spoole167 United States: $20.89 trillion China: $14.72 trillion Cyber Crime : $6.0 trillion Japan: $5.06 trillion Germany: $3.85 trillion United Kingdom: $2.67 trillion India: $2.66 trillion France: $2.63 trillion Italy: $1.89 trillion Canada: $1.64 trillion https://globalpeoservices.com/top-15-countries-by-gdp-in-2022/ if Cybercrime was a country (by gdp)
@spoole167 There is no sign of it slowing down drug trade cybercrime US gdp
@spoole167 It’s even more scary …
@spoole167 There are still.. • There are still botnets out there trying to get into your systems • There are still bad guys who want to steal your secrets • There are still people who will ransom your data • There are still cryptocurrency miners trying to steal your CPU cycles
@spoole167 Plus .. • There are still botnets out there trying to get into your systems • There are still bad guys who want to steal your secrets • There are still people who will ransom your data • There are still cryptocurrency miners trying to steal your CPU cycles • Now there are open source project hijacks • Now there are fake packages in repos • Now there is malware in the build process • Now the aim is long term control and stealth
@spoole167 Now there is cyber-warfare • Motivations are different - it’s not about money • Skillsets are higher - professional, well funded. • Perseverance is much greater - specific targets, not just targets of opportunity
@spoole167 Now there is cyber-warfare • Motivations are different - it’s not about money • Skillsets are higher - professional, well funded. • Persistence is much greater - specific targets, not just targets of opportunity • EVERYONE – Every state or political body, every disenfranchised or suppressed group is or will be taking part.
@spoole167 Now there is cyber-warfare • It’s been happening behind the scenes for some time. • Now it’s mainstream. You personally Your personal networks The organizations you work for, belong to or help Your country Potential Targets
@spoole167 Modern attacks are supply chain attacks – and we are all part of a supply chain
@spoole167 The aim is to infiltrate infrastructure and essential services… The internet is the next battlefield. It’s all about software
@spoole167 And manipulate or terminate
@spoole167 Everything really is online There is no distance between you and the bad actors they ‘live’ next door
@spoole167 Cyber warfare is real and will drive massive changes in how we develop and deliver software
@spoole167 The only thing between you and the bad actors is software
@spoole167 be ready for massive increases in attacks on software everywhere s/w in the car s/w on the phone s/w on the watch s/w on any device s/w on the laptop s/w on server s/w on the wifi router s/w at the supermarket
@spoole167 Bad Actors used to search for vulnerabilities to exploit
@spoole167 Now they make their own Typosquatting A lookalike domain, dependency with one or two wrong or different characters Open source repo attacks Attempts to get malware or weaknesses added into dependency source via social or tools Build Tool attacks Attempts to get malware into the tools that are used to produce dependencies Dependency confusion Attempts to get a Different version added into a binary repository Often “latest” Automated Social engineering
The Zero Day Window is Closing Source: Adapted from IBM X-Force / Analysis by Gartner Research (September 2016) Year of Date Reported 2006 2007 2008 2009 2010 201 1 2012 2013 2104 2015 1 0 20 30 40 50 0 Average Days from Public Disclosure to Exploit Average 45 15 201 7 2019 2021 Struts2
The Zero Day Window is closed Source: Adapted from IBM X-Force / Analysis by Gartner Research (September 2016) Year of Date Reported 2006 2007 2008 2009 2010 201 1 2012 2013 2104 2015 1 0 20 30 40 50 0 Average Days from Public Disclosure to Exploit Average 45 15 201 7 2019 2021 Struts2 Nation states are paying millions of dollars to suppress vulnerability reporting
The Zero Day Window is closed Source: Adapted from IBM X-Force / Analysis by Gartner Research (September 2016) Year of Date Reported 2006 2007 2008 2009 2010 201 1 2012 2013 2104 2015 1 0 20 30 40 50 0 Average Days from Public Disclosure to Exploit Average 45 15 201 7 2019 2021 Struts2 China requires all disclosures to be reported to the government first
The Zero Day Window is closed Source: Adapted from IBM X-Force / Analysis by Gartner Research (September 2016) Year of Date Reported 2006 2007 2008 2009 2010 201 1 2012 2013 2104 2015 1 0 20 30 40 50 0 Average Days from Public Disclosure to Exploit Average 45 15 201 7 2019 2021 Struts2 The more severe the vulnerability, the less chance of it being reported publically
@spoole167 Finding or creating vulnerabilities is a growing industry
@spoole167 The new world of cyber security is “exploit first”
@spoole167 And one more thing …
@spoole167 https://www.trendmicro.com/vinfo/us/security/news/cybercrime-and-digital- threats/exploiting-ai-how-cybercriminals-misuse-abuse-ai-and-ml https://techmonitor.ai/cybercrime-future/ai-cybercrime AI …
What are we doing about all of this?
@spoole167 Backstory – the scales are tipping • Open source is seen as both critical and unreliable • Big Business has managed to keep governments quiet • Business Value won over Security • 7 Trillion dollars a year and existential threats to national security  Security wins • The question isn’t whether – it’s about how. • Governments always use big sticks
@spoole167 17 May 2021 – US Government takes a stand Joe Biden
@spoole167 December 2022 – EU Updates directives .. Joe Biden
@spoole167 Hardening the software supply chain : every ‘product’ has a SBOM uses an automatic supply chain process has evidence of software integrity has evidence of an automatic vulnerability check process Has a vulnerability disclosure program Has evidence on the providence of all software used Demonstrates strong controls over the use of internal and third- party software and services Demonstrate regular audit processes
@spoole167 Technical responses 1 Securing the supply chain – provable evidence trails 2 Improved understanding of vulnerable projects 3 Automating the supply chain - code to cloud (no humans involved) 4 Education for developers
10th December 2021
Log4Shell may be the worst ever vulnerability https://apple.news/AnKnv0_EdR3K2b-t6Z67-qw
A canonical example of whats going wrong
False confidence in our tools or not caring? Finding out if you are vulnerable using scanning tools can be challenging It’s all ‘after the fact’ requires great tools and great data Not everyone has equal access
@spoole167 On the horizon Switch from scanning tools that try to work out what you have installed To signed, provable, reproduceable “Software Bill of Materials” Centralised signatures Centralised analysis tools
@spoole167 Software Bill Of Materials cyclonedx.org spdx.dev the new important term on the horizon mvn org.cyclonedx:cyclonedx-maven-plugin:makeAggregateBom
@spoole167 https://bomdoctor.sonatype.com
@spoole167 Tackling the next level 90% of an application is open source components
@spoole167 Tackling the next level Linux Foundation and other groups working to develop guidelines for measuring good practices and ongoing behavior
@spoole167
@spoole167 The Open Source Software Security Mobilization Plan https://openssf.org/oss-security-mobilization-plan/ security education risk assessment digital signatures memory safety incident response better scanning code audits data sharing SBOMs everywhere Supply chains
@spoole167 What can you do right now?
@spoole167 The best tools right now are these
@spoole167 The best tools right now are these
Avoidable Vulnerability (poor choices) Vulnerability management is largely a consumption-side problem For 96% of vulnerable downloads, there was a non- vulnerable version available Avoidability of vulnerable Maven Central downloads Unavoidable Vulnerability
@spoole167 Look at how you choose open source software • What do you do if a open-source component you rely on doesn’t comply? • How much risk are you willing to take? • Even if they say yes - how much can you trust them? • Do they have an SBOM? • What’s their ability to provide updates. • What’s their security posture. Not just is it free, does it do what I want?
things to check for unexpected release frequency number and activity patterns of committers Do they do Static Analysis and Security Testing (SAST) Are they prone to making breaking changes Do they often have no path forward (latest version has vulnerabilities)
things to check for License / security.md file Vulnerability reporting process Development process (how do they review contributions) Build process – is it secure? Who can trigger it? General assessment of their quality (MTTU)
Thinking deeper about how you develop s/w
@spoole167 Exercise your suspicious brain, find code smells and LOOK closely at the projects you’re using Build your own selection criteria or use others
@spoole167 What else should you do?
@spoole167 Visit owasp
@spoole167 Code defensively follow secure design principles • Minimize attack surface area • Establish secure defaults • Principle of Least privilege • Principle of Defense in depth • Fail securely • Don’t trust services • Separation of duties • Avoid security by obscurity • Keep security simple • Fix security issues correctly https://www.owasp.org/index.php/Security_by_Design_Principles#Security _principles
@spoole167 https://owasp.org
@spoole167 Keep a watch on available education
@spoole167 Summary • Cyber attacks are being industrialized, weaponized and hidden. • “exploit first” means Day Zero moving to Day – 1 , -20. -Never • Government legislation aim to force suppliers to “fix” the problem • How we create and deliver software will change • How we select / consume open source software will change • Developers must become experts at AppSec
@spoole167 Takeaways • The days of just taking software off the shelf are numbered • developers must choose software based on production value not just function • Evidence based trust will become essential • the software you use, how you develop, how you deploy will become a certified step in someone else's evidence chain. • A complex and challenging new world lies ahead. • GDPR changed how we thought and deal with user information – supply chains are going to get the same sort of scrutiny. • It’s time to reassess tools and vendors • Look for partners you can trust to build supply chains you and the world can rely on
@spoole167 Thank you bit.ly/41FGVXt google: “Brian Fox RSAC 2023” bomdoctor.sonatype.com

More Related Content

PPTX
Cybercrime and the developer 2021 style
bySteve Poole
 
PPTX
Key Takeaways for Java Developers from the State of the Software Supply Chain...
bySteve Poole
 
PPTX
A new hope for 2023? What developers must learn next
bySteve Poole
 
PPTX
Stop Security by Sleight Of Hand.pptx
bySteve Poole
 
PPTX
Game Over or Game Changing? Why Software Development May Never be the same again
bySteve Poole
 
PPTX
Top Application Security Trends of 2012
byDaveEdwards12
 
PPTX
Cybercrime and the Developer: How to Start Defending Against the Darker Side
bySteve Poole
 
PDF
JacksonvilleJUG_CVE101.pdf
byTheresa Mammarella
 
Cybercrime and the developer 2021 style
bySteve Poole
 
Key Takeaways for Java Developers from the State of the Software Supply Chain...
bySteve Poole
 
A new hope for 2023? What developers must learn next
bySteve Poole
 
Stop Security by Sleight Of Hand.pptx
bySteve Poole
 
Game Over or Game Changing? Why Software Development May Never be the same again
bySteve Poole
 
Top Application Security Trends of 2012
byDaveEdwards12
 
Cybercrime and the Developer: How to Start Defending Against the Darker Side
bySteve Poole
 
JacksonvilleJUG_CVE101.pdf
byTheresa Mammarella
 

Similar to GIDS-2023 A New Hope for 2023? What Developers Must Learn Next

PPTX
Threat Modeling In 2021
byAdam Shostack
 
PPTX
Devnexus 2017 Cybercrime and the Developer: How do you make a difference?
bySteve Poole
 
PDF
Dell Technologies Cyber Security playbook
byMargarete McGrath
 
PPTX
Securing the Cloud
byGGV Capital
 
PDF
BNYMellon - CVE 101.pdf
byTheresa Mammarella
 
PDF
Cybersecurity | Risk. Impact. Innovations.
byVertex Holdings
 
PPTX
M01-L01 - Introduction to Cybersecurity Analytics_Updated.pptx
byMinhaoCheng2
 
PPTX
CyberSecurity presented by satyam Siddharth university
bysatyamsahani184
 
PPTX
CyberSecurity SONI CHANDAN TEACHER TRAINING MATERIALS
bySoniChandan
 
PDF
CyberSecurityConclaveAtVigyanBhavanDelhi_1.pdf
bygejamienterprises
 
PPTX
Cyber security by Gaurav Singh
byGaurav Singh
 
PDF
Advanced Information Security — Understanding Modern Threats, Attacks & Defenses
byArooj Fatima
 
PPTX
Cybersecurity threats and prevention 23BIT250.pptx
byAagnyaSuthar
 
PPTX
CyberSecurity Threats in the Digital Age(1).pptx
byzainchaudary496
 
PPTX
Devoxx France 2022: Game Over or Game Changing? Why Software Development May ...
bySteve Poole
 
PPTX
DevnexusRansomeware.pptx
bySteve Poole
 
PDF
DevSecCon London 2019: Are Open Source Developers Security’s New Front Line?
byDevSecCon
 
PDF
LonghornPHP - CVE 101.pdf
byTheresa Mammarella
 
PPTX
Progscon cybercrime and the developer
bySteve Poole
 
PPTX
Strengthening cyber resilience with Software Supply Chain Visibility
bySonatype
 
Threat Modeling In 2021
byAdam Shostack
 
Devnexus 2017 Cybercrime and the Developer: How do you make a difference?
bySteve Poole
 
Dell Technologies Cyber Security playbook
byMargarete McGrath
 
Securing the Cloud
byGGV Capital
 
BNYMellon - CVE 101.pdf
byTheresa Mammarella
 
Cybersecurity | Risk. Impact. Innovations.
byVertex Holdings
 
M01-L01 - Introduction to Cybersecurity Analytics_Updated.pptx
byMinhaoCheng2
 
CyberSecurity presented by satyam Siddharth university
bysatyamsahani184
 
CyberSecurity SONI CHANDAN TEACHER TRAINING MATERIALS
bySoniChandan
 
CyberSecurityConclaveAtVigyanBhavanDelhi_1.pdf
bygejamienterprises
 
Cyber security by Gaurav Singh
byGaurav Singh
 
Advanced Information Security — Understanding Modern Threats, Attacks & Defenses
byArooj Fatima
 
Cybersecurity threats and prevention 23BIT250.pptx
byAagnyaSuthar
 
CyberSecurity Threats in the Digital Age(1).pptx
byzainchaudary496
 
Devoxx France 2022: Game Over or Game Changing? Why Software Development May ...
bySteve Poole
 
DevnexusRansomeware.pptx
bySteve Poole
 
DevSecCon London 2019: Are Open Source Developers Security’s New Front Line?
byDevSecCon
 
LonghornPHP - CVE 101.pdf
byTheresa Mammarella
 
Progscon cybercrime and the developer
bySteve Poole
 
Strengthening cyber resilience with Software Supply Chain Visibility
bySonatype
 

More from Steve Poole

PPTX
Maven Central++ What's happening at the core of the Java supply chain
bySteve Poole
 
PPTX
The Secret Life of Maven Central
bySteve Poole
 
PPTX
Agile Tour London 2018: DASHBOARDS AND CULTURE – HOW OPENNESS CHANGES YOUR BE...
bySteve Poole
 
PPTX
Locking the Doors -7 Pernicious Pitfalls to avoid with Java
bySteve Poole
 
PDF
Dev talks Cluj 2018 : Java in the 21 Century: Are you thinking far enough ahead?
bySteve Poole
 
PPTX
Dev Days Vilnius 2018 : Cloud Native Java with OpenJ9- Fast, Lean and definit...
bySteve Poole
 
PPTX
Log4Shell - Armageddon or Opportunity.pptx
bySteve Poole
 
PPTX
Agile Islands 2020 - Dashboards and Culture
bySteve Poole
 
PPTX
The Secret Life of Maven Central.pptx
bySteve Poole
 
PPTX
Keynote Dev Days vilnius 2018: how openness changes your behaviour
bySteve Poole
 
PPTX
Java application security the hard way - a workshop for the serious developer
bySteve Poole
 
PPTX
SkillsMatter June 2018: Java in the 21st Century: Are You Thinking Far Enough...
bySteve Poole
 
PPTX
Superman or Ironman - can everyone be a 10x developer?
bySteve Poole
 
PPTX
Dashboards and Culture: How Openness Changes Your Behaviour
bySteve Poole
 
PDF
QCon London - Java at Scale
bySteve Poole
 
PPTX
THRIVING IN THE GEN AI ERA: NAVIGATING CHANGE IN TECH
bySteve Poole
 
PPTX
LJC Speaker Clnic June 2020
bySteve Poole
 
PPTX
Beyond the Pi: What’s Next for the Hacker in All of Us?
bySteve Poole
 
PPTX
Eclipse OpenJ9 - SpringOne 2018 Lightning talk
bySteve Poole
 
PPTX
A Modern Fairy Tale: Java Serialization
bySteve Poole
 
Maven Central++ What's happening at the core of the Java supply chain
bySteve Poole
 
The Secret Life of Maven Central
bySteve Poole
 
Agile Tour London 2018: DASHBOARDS AND CULTURE – HOW OPENNESS CHANGES YOUR BE...
bySteve Poole
 
Locking the Doors -7 Pernicious Pitfalls to avoid with Java
bySteve Poole
 
Dev talks Cluj 2018 : Java in the 21 Century: Are you thinking far enough ahead?
bySteve Poole
 
Dev Days Vilnius 2018 : Cloud Native Java with OpenJ9- Fast, Lean and definit...
bySteve Poole
 
Log4Shell - Armageddon or Opportunity.pptx
bySteve Poole
 
Agile Islands 2020 - Dashboards and Culture
bySteve Poole
 
The Secret Life of Maven Central.pptx
bySteve Poole
 
Keynote Dev Days vilnius 2018: how openness changes your behaviour
bySteve Poole
 
Java application security the hard way - a workshop for the serious developer
bySteve Poole
 
SkillsMatter June 2018: Java in the 21st Century: Are You Thinking Far Enough...
bySteve Poole
 
Superman or Ironman - can everyone be a 10x developer?
bySteve Poole
 
Dashboards and Culture: How Openness Changes Your Behaviour
bySteve Poole
 
QCon London - Java at Scale
bySteve Poole
 
THRIVING IN THE GEN AI ERA: NAVIGATING CHANGE IN TECH
bySteve Poole
 
LJC Speaker Clnic June 2020
bySteve Poole
 
Beyond the Pi: What’s Next for the Hacker in All of Us?
bySteve Poole
 
Eclipse OpenJ9 - SpringOne 2018 Lightning talk
bySteve Poole
 
A Modern Fairy Tale: Java Serialization
bySteve Poole
 

Recently uploaded

PPTX
SNG460-CNG489_Week6_3-7Nov25_Chp6-Part1.pptx
byberayseray382
 
PPTX
Fast-tracking quality for hundreds applications with automated testing layers
byBogdan Plieshka
 
PPTX
Computer_Virus_Presentation_With_Slide7.pptx
byHEVISLIVE
 
PDF
nsfconvertersoftwaretoconvertNSFtoPST.pdf
byNSF Converter Software
 
PDF
Revolutionising-SQL-Data-Modelling-with-SqlDBM.pdf
bySQL DBM
 
PPTX
Road_Quality_Indicator using deeplearning algorithms and computer vision
byDHARUNPRASHOBMM
 
PDF
Jeremy Millul - An NYU Computer Science Graduate
byJeremy Millul
 
PPTX
OTT Content Analytics Enhanced by ALTBalaji Data Scraping.pptx
byyashpatric
 
PPTX
NSF Converter Software to Convert NSF to PST, EML, MSG
byNSF Converter Software
 
PPTX
Membershipanywhere - Digital Membership Card - USA , Canada, Australia.pptx
bymembershipanywhere
 
PPTX
Modern P&C Insurance Software for Smarter, Faster Operations.pptx
byInsurance Tech Services
 
PDF
Coding Assessment Tools .pdf
byCodexpro
 
PPTX
Lecture 3 - Scheduling - Operating System
bynurulalomador
 
PDF
DSD-INT 2025 Introduction to Hydrology Suite - Slootjes
byDeltares
 
PDF
Cybersecurity Alert- What Organisations Must Watch Out For This Christmas Fes...
byCybernetic Global Intelligence
 
PDF
DSD-INT 2025 Stochastic flood event generation using wflow and a diffusion do...
byDeltares
 
PDF
Kiến trúc hướng dịch vụ UET!!!!!!!!!!!!!!!!!!!!!!!
bydoquangminh962004
 
PPTX
Python-Functions-A-Comprehensive-Overview.pptx
byMuhammad Fahad Bashir
 
PDF
Solved First Semester B.C.A. C Programming Question Paper – Jan/Feb 2025
byKuvempu University
 
PDF
DSD-INT 2025 Hydrological response of the Puget Sound area to a changing clim...
byDeltares
 
SNG460-CNG489_Week6_3-7Nov25_Chp6-Part1.pptx
byberayseray382
 
Fast-tracking quality for hundreds applications with automated testing layers
byBogdan Plieshka
 
Computer_Virus_Presentation_With_Slide7.pptx
byHEVISLIVE
 
nsfconvertersoftwaretoconvertNSFtoPST.pdf
byNSF Converter Software
 
Revolutionising-SQL-Data-Modelling-with-SqlDBM.pdf
bySQL DBM
 
Road_Quality_Indicator using deeplearning algorithms and computer vision
byDHARUNPRASHOBMM
 
Jeremy Millul - An NYU Computer Science Graduate
byJeremy Millul
 
OTT Content Analytics Enhanced by ALTBalaji Data Scraping.pptx
byyashpatric
 
NSF Converter Software to Convert NSF to PST, EML, MSG
byNSF Converter Software
 
Membershipanywhere - Digital Membership Card - USA , Canada, Australia.pptx
bymembershipanywhere
 
Modern P&C Insurance Software for Smarter, Faster Operations.pptx
byInsurance Tech Services
 
Coding Assessment Tools .pdf
byCodexpro
 
Lecture 3 - Scheduling - Operating System
bynurulalomador
 
DSD-INT 2025 Introduction to Hydrology Suite - Slootjes
byDeltares
 
Cybersecurity Alert- What Organisations Must Watch Out For This Christmas Fes...
byCybernetic Global Intelligence
 
DSD-INT 2025 Stochastic flood event generation using wflow and a diffusion do...
byDeltares
 
Kiến trúc hướng dịch vụ UET!!!!!!!!!!!!!!!!!!!!!!!
bydoquangminh962004
 
Python-Functions-A-Comprehensive-Overview.pptx
byMuhammad Fahad Bashir
 
Solved First Semester B.C.A. C Programming Question Paper – Jan/Feb 2025
byKuvempu University
 
DSD-INT 2025 Hydrological response of the Puget Sound area to a changing clim...
byDeltares
 

GIDS-2023 A New Hope for 2023? What Developers Must Learn Next

  • 1.
    @spoole167 www.developersummit.com @spoole167 A new hopefor 2023? What developers must learn next
  • 2.
    @spoole167 what do wethink when we think about cybercrime?”
  • 3.
    @spoole167 Photo by BastianPudill on Unsplash Do we imagine someone walking down the road trying the handles of cars as they pass Looking for a car to steal
  • 4.
    @spoole167 Do we rememberthat movie we watched about a daring and sophisticated robbery ?
  • 5.
    @spoole167 these are thetwo styles we often think about. The super complicated attack or the simple opportunist
  • 6.
    @spoole167 Wrongly we thinkwe’re not targets we think the bad guys are far away
  • 7.
    @spoole167 The most common thoughtsas a developer are ”why is it my problem?” or “I don’t really know what to do”
  • 8.
    @spoole167 this talk • Isa reality check about what the bad guys are really doing and why • What’s happening to help address these attacks • What should you be doing next
  • 9.
  • 10.
    @spoole167 Sonatype Invented Maven Started MavenCentral in 2003 Created Nexus repo and other technologies The quiet leader in secure software supply chain technology
  • 11.
    Not just theMaven Central people
  • 13.
  • 14.
    @spoole167 Cyberattacks have movedon It’s not all hackers in bedrooms doing it for fun
  • 15.
    @spoole167 in 2016 Cybercrimecost ~415 Billion Dollars So did the illicit drug trade
  • 16.
    @spoole167 Buys you US NimitzClass carriers 415 Billion Dollars in 2016
  • 17.
    @spoole167 Buys you US NimitzClass carriers 415 Billion Dollars in 2016 50
  • 18.
    @spoole167 Cybercrime has beengrowing at ~56% per year ever since drug trade cybercrime
  • 19.
    @spoole167 Buys you US NimitzClass carriers 415 Billion Dollars in 2016 50
  • 20.
    @spoole167 Buys you US NimitzClass carriers 6 Trillion Dollars in 2022 50 620
  • 21.
    @spoole167 United States: $20.89trillion China: $14.72 trillion Cyber Crime : $6.0 trillion Japan: $5.06 trillion Germany: $3.85 trillion United Kingdom: $2.67 trillion India: $2.66 trillion France: $2.63 trillion Italy: $1.89 trillion Canada: $1.64 trillion https://globalpeoservices.com/top-15-countries-by-gdp-in-2022/ if Cybercrime was a country (by gdp)
  • 22.
    @spoole167 There is nosign of it slowing down drug trade cybercrime US gdp
  • 23.
  • 24.
    @spoole167 There are still.. •There are still botnets out there trying to get into your systems • There are still bad guys who want to steal your secrets • There are still people who will ransom your data • There are still cryptocurrency miners trying to steal your CPU cycles
  • 25.
    @spoole167 Plus .. • Thereare still botnets out there trying to get into your systems • There are still bad guys who want to steal your secrets • There are still people who will ransom your data • There are still cryptocurrency miners trying to steal your CPU cycles • Now there are open source project hijacks • Now there are fake packages in repos • Now there is malware in the build process • Now the aim is long term control and stealth
  • 26.
    @spoole167 Now there iscyber-warfare • Motivations are different - it’s not about money • Skillsets are higher - professional, well funded. • Perseverance is much greater - specific targets, not just targets of opportunity
  • 27.
    @spoole167 Now there iscyber-warfare • Motivations are different - it’s not about money • Skillsets are higher - professional, well funded. • Persistence is much greater - specific targets, not just targets of opportunity • EVERYONE – Every state or political body, every disenfranchised or suppressed group is or will be taking part.
  • 28.
    @spoole167 Now there iscyber-warfare • It’s been happening behind the scenes for some time. • Now it’s mainstream. You personally Your personal networks The organizations you work for, belong to or help Your country Potential Targets
  • 29.
    @spoole167 Modern attacks are supplychain attacks – and we are all part of a supply chain
  • 30.
    @spoole167 The aim isto infiltrate infrastructure and essential services… The internet is the next battlefield. It’s all about software
  • 31.
  • 32.
    @spoole167 Everything really isonline There is no distance between you and the bad actors they ‘live’ next door
  • 33.
    @spoole167 Cyber warfare isreal and will drive massive changes in how we develop and deliver software
  • 34.
    @spoole167 The only thingbetween you and the bad actors is software
  • 35.
    @spoole167 be ready formassive increases in attacks on software everywhere s/w in the car s/w on the phone s/w on the watch s/w on any device s/w on the laptop s/w on server s/w on the wifi router s/w at the supermarket
  • 36.
    @spoole167 Bad Actors usedto search for vulnerabilities to exploit
  • 37.
    @spoole167 Now they maketheir own Typosquatting A lookalike domain, dependency with one or two wrong or different characters Open source repo attacks Attempts to get malware or weaknesses added into dependency source via social or tools Build Tool attacks Attempts to get malware into the tools that are used to produce dependencies Dependency confusion Attempts to get a Different version added into a binary repository Often “latest” Automated Social engineering
  • 38.
    The Zero DayWindow is Closing Source: Adapted from IBM X-Force / Analysis by Gartner Research (September 2016) Year of Date Reported 2006 2007 2008 2009 2010 201 1 2012 2013 2104 2015 1 0 20 30 40 50 0 Average Days from Public Disclosure to Exploit Average 45 15 201 7 2019 2021 Struts2
  • 39.
    The Zero DayWindow is closed Source: Adapted from IBM X-Force / Analysis by Gartner Research (September 2016) Year of Date Reported 2006 2007 2008 2009 2010 201 1 2012 2013 2104 2015 1 0 20 30 40 50 0 Average Days from Public Disclosure to Exploit Average 45 15 201 7 2019 2021 Struts2 Nation states are paying millions of dollars to suppress vulnerability reporting
  • 40.
    The Zero DayWindow is closed Source: Adapted from IBM X-Force / Analysis by Gartner Research (September 2016) Year of Date Reported 2006 2007 2008 2009 2010 201 1 2012 2013 2104 2015 1 0 20 30 40 50 0 Average Days from Public Disclosure to Exploit Average 45 15 201 7 2019 2021 Struts2 China requires all disclosures to be reported to the government first
  • 41.
    The Zero DayWindow is closed Source: Adapted from IBM X-Force / Analysis by Gartner Research (September 2016) Year of Date Reported 2006 2007 2008 2009 2010 201 1 2012 2013 2104 2015 1 0 20 30 40 50 0 Average Days from Public Disclosure to Exploit Average 45 15 201 7 2019 2021 Struts2 The more severe the vulnerability, the less chance of it being reported publically
  • 42.
  • 43.
    @spoole167 The new worldof cyber security is “exploit first”
  • 44.
  • 45.
  • 46.
    What are wedoing about all of this?
  • 47.
    @spoole167 Backstory – thescales are tipping • Open source is seen as both critical and unreliable • Big Business has managed to keep governments quiet • Business Value won over Security • 7 Trillion dollars a year and existential threats to national security  Security wins • The question isn’t whether – it’s about how. • Governments always use big sticks
  • 48.
    @spoole167 17 May 2021– US Government takes a stand Joe Biden
  • 49.
    @spoole167 December 2022 –EU Updates directives .. Joe Biden
  • 50.
    @spoole167 Hardening the softwaresupply chain : every ‘product’ has a SBOM uses an automatic supply chain process has evidence of software integrity has evidence of an automatic vulnerability check process Has a vulnerability disclosure program Has evidence on the providence of all software used Demonstrates strong controls over the use of internal and third- party software and services Demonstrate regular audit processes
  • 51.
    @spoole167 Technical responses 1 Securingthe supply chain – provable evidence trails 2 Improved understanding of vulnerable projects 3 Automating the supply chain - code to cloud (no humans involved) 4 Education for developers
  • 52.
  • 53.
    Log4Shell may be theworst ever vulnerability https://apple.news/AnKnv0_EdR3K2b-t6Z67-qw
  • 54.
    A canonical exampleof whats going wrong
  • 55.
    False confidence inour tools or not caring? Finding out if you are vulnerable using scanning tools can be challenging It’s all ‘after the fact’ requires great tools and great data Not everyone has equal access
  • 56.
    @spoole167 On the horizon Switchfrom scanning tools that try to work out what you have installed To signed, provable, reproduceable “Software Bill of Materials” Centralised signatures Centralised analysis tools
  • 57.
    @spoole167 Software Bill OfMaterials cyclonedx.org spdx.dev the new important term on the horizon mvn org.cyclonedx:cyclonedx-maven-plugin:makeAggregateBom
  • 58.
  • 59.
    @spoole167 Tackling the nextlevel 90% of an application is open source components
  • 60.
    @spoole167 Tackling the nextlevel Linux Foundation and other groups working to develop guidelines for measuring good practices and ongoing behavior
  • 61.
  • 62.
    @spoole167 The Open Source Software Security Mobilization Plan https://openssf.org/oss-security-mobilization-plan/ security educationrisk assessment digital signatures memory safety incident response better scanning code audits data sharing SBOMs everywhere Supply chains
  • 63.
  • 64.
    @spoole167 The best toolsright now are these
  • 65.
    @spoole167 The best toolsright now are these
  • 66.
    Avoidable Vulnerability (poor choices) Vulnerability management islargely a consumption-side problem For 96% of vulnerable downloads, there was a non- vulnerable version available Avoidability of vulnerable Maven Central downloads Unavoidable Vulnerability
  • 67.
    @spoole167 Look at howyou choose open source software • What do you do if a open-source component you rely on doesn’t comply? • How much risk are you willing to take? • Even if they say yes - how much can you trust them? • Do they have an SBOM? • What’s their ability to provide updates. • What’s their security posture. Not just is it free, does it do what I want?
  • 68.
    things to checkfor unexpected release frequency number and activity patterns of committers Do they do Static Analysis and Security Testing (SAST) Are they prone to making breaking changes Do they often have no path forward (latest version has vulnerabilities)
  • 69.
    things to checkfor License / security.md file Vulnerability reporting process Development process (how do they review contributions) Build process – is it secure? Who can trigger it? General assessment of their quality (MTTU)
  • 70.
    Thinking deeper abouthow you develop s/w
  • 71.
    @spoole167 Exercise your suspiciousbrain, find code smells and LOOK closely at the projects you’re using Build your own selection criteria or use others
  • 72.
  • 73.
  • 74.
    @spoole167 Code defensively follow securedesign principles • Minimize attack surface area • Establish secure defaults • Principle of Least privilege • Principle of Defense in depth • Fail securely • Don’t trust services • Separation of duties • Avoid security by obscurity • Keep security simple • Fix security issues correctly https://www.owasp.org/index.php/Security_by_Design_Principles#Security _principles
  • 75.
  • 76.
    @spoole167 Keep a watchon available education
  • 77.
    @spoole167 Summary • Cyber attacksare being industrialized, weaponized and hidden. • “exploit first” means Day Zero moving to Day – 1 , -20. -Never • Government legislation aim to force suppliers to “fix” the problem • How we create and deliver software will change • How we select / consume open source software will change • Developers must become experts at AppSec
  • 78.
    @spoole167 Takeaways • The daysof just taking software off the shelf are numbered • developers must choose software based on production value not just function • Evidence based trust will become essential • the software you use, how you develop, how you deploy will become a certified step in someone else's evidence chain. • A complex and challenging new world lies ahead. • GDPR changed how we thought and deal with user information – supply chains are going to get the same sort of scrutiny. • It’s time to reassess tools and vendors • Look for partners you can trust to build supply chains you and the world can rely on
  • 79.
    @spoole167 Thank you bit.ly/41FGVXt google: “BrianFox RSAC 2023” bomdoctor.sonatype.com