Secure Software Ecosystem
22 May - Soroosh Khodami & Ali Yazdani
NOT VERY LONG AGO
██╗░░░░░░█████╗░░██████╗░░░██╗██╗░██████╗██╗░░██╗███████╗██╗░░░░░██╗░░░░░
██║░░░░░██╔══██╗██╔════╝░░██╔╝██║██╔════╝██║░░██║██╔════╝██║░░░░░██║░░░░░
██║░░░░░██║░░██║██║░░██╗░██╔╝░██║╚█████╗░███████║█████╗░░██║░░░░░██║░░░░░
██║░░░░░██║░░██║██║░░╚██╗███████║░╚═══██╗██╔══██║██╔══╝░░██║░░░░░██║░░░░░
███████╗╚█████╔╝╚██████╔╝╚════██║██████╔╝██║░░██║███████╗███████╗███████╗
╚══════╝░╚════╝░░╚═════╝░░░░░░╚═╝╚═════╝░╚═╝░░╚═╝╚══════╝╚══════╝╚══════╝
CVE-2021-44228 (Log4Shell, Apache Log4j 2)
CVSS Score 10 / 10
CVE-2024-3094 (xz-utils backdoor)
CVSS Score 10 / 10
CVE-2022-22965 (Spring4Shell, Spring Framework)
CVSS Score 9.8 / 10
CVE-2020-10148 (SolarWinds Orion API authentication bypass)
CVSS Score 9.8 / 10
We are living in an insecure world; everything is liable to be exploited.
We could be the next target. Are we ready?
30% of all downloads of Log4j are still vulnerable to Log4Shell, 2 years after disclosure (reported by Sonatype, Maven Central)
Previous update (40%): https://www.sonatype.com/en/press-releases/critical-log4j-vulnerability-still-being-downloaded-40-of-the-time
WHY WE ARE HERE
SECURITY ENGINEER
D E V I L
D E V E L O P E R
WHO WE ARE
SECURITY ENGINEER
D E V E L O P E R
Soroosh Khodami
+10 Years of Software Development Experience
Researcher in Software Supply Chain Security
Solution Architect at Rabobank via Code Nomads
@SorooshKh
linkedin.com/in/sorooshkhodami

Ali Yazdani
+10 Years of Security Experience
Principal Security Engineer @ Scoutbee
OWASP DevSecOps Guideline Project Lead
ASecurityEngineer.com
@asecengineer
linkedin.com/in/aliyazdani
CLASSIC CYBER ATTACKS
• SQL Injection
• Cross-Site Scripting (XSS)
• Cross-Site Request Forgery (CSRF)
• DDoS
• Man-in-the-Middle
• Remote Command Execution
• Malware Injection
• Buffer Overflow
• Privilege Escalation
• Zero-Day Exploits
• Server-Side Request Forgery (SSRF)
• Phishing
Read More
§ https://portswigger.net/web-security/learning-paths
§ https://www.certifiedsecure.com
Security Risk Transformation
Read More
https://owasp.org/www-project-top-ten/
Supply chain attack
Dependency Confusion
Software Supply Chain Hijacking
Counterfeit Components
Third-Party Compromise
Compromised Build Environments
Dependency Confusion
(Diagram: the private repository holds mycompany-ui-component version 1.2.5, the one the source code expects; the public registry holds an attacker-published mycompany-ui-component version 6.6.6. Which one does the build resolve? A resolver that consults both registries and prefers the highest version picks 6.6.6.)
Read More
• How it started - https://medium.com/@alex.birsan/dependency-confusion-4a5d60fec610
HOW TO DOWNLOAD THE WHOLE INTERNET WITH ONE COMMAND?
$ npm install
Let’s create a HELLO WORLD APP
HELLO WORLD Dependency GRAPH
Depth = 0 -> 1 Dependency
Depth = 1 -> 32 Dependencies
Depth = 2 -> 65 Dependencies
Supply Chain Protection Best Practices
• Reserve your namespace / scope / prefix in the public registry
• Version pinning: no `latest`, no version ranges
• Package integrity check
• Use SCA tools
• Use a dependency firewall
• Use official repositories
(Rated on the slide as MUST / GOOD / NICE)
Read More
• How it started - https://medium.com/@alex.birsan/dependency-confusion-4a5d60fec610
• https://xygeni.io/blog/lack-of-version-pinning-and-dependency-confusion/
• https://github.blog/2021-02-12-avoiding-npm-substitution-attacks/
• https://books.sonatype.com/mvnref-book/reference/running-sect-options.html#running-sect-deps-option
• Keep dependencies up to date
• Clean up unused libraries
• Immutable versions
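The dependency-graph count from the hello-world slides and the best-practice checks above, as an added JavaScript example that is not code from the talk or from npm. It walks a constructed lockfileVersion 3 package-lock.json: first the number of packages first reached at each depth, then the three checks a CI job can run offline before `npm ci`: only pinned versions in package.json, an integrity hash for every lockfile entry, and private-scope packages resolved only from the private registry (the dependency-confusion case). The scope `@mycompany`, the registry URL and every package in the sample are assumptions.

```javascript
// Added example (not from the talk or from npm): audit a lockfileVersion 3
// package-lock.json offline. All package data, the scope and the registry
// URLs below are constructed assumptions.
const INTERNAL_SCOPE = "@mycompany";                          // assumption
const INTERNAL_REGISTRY = "https://npm.mycompany.internal/";  // assumption
const PUBLIC_REGISTRY = "https://registry.npmjs.org/";

// Constructed package.json: one pinned dependency, one range, one "latest".
const packageJson = {
  name: "hello-world",
  version: "1.0.0",
  dependencies: { "@mycompany/ui-component": "1.2.5", express: "^4.19.2", leftpad: "latest" },
};

// Constructed package-lock.json. The private package has been substituted by a
// public 6.6.6 release (dependency confusion) and "cookie" lacks an integrity hash.
const tgz = (name, v) => PUBLIC_REGISTRY + name + "/-/" + name.split("/").pop() + "-" + v + ".tgz";
const lockfile = {
  name: "hello-world",
  lockfileVersion: 3,
  packages: {
    "": { dependencies: packageJson.dependencies },
    "node_modules/@mycompany/ui-component": {
      version: "6.6.6", resolved: tgz("@mycompany/ui-component", "6.6.6"),
      integrity: "sha512-AAAA", dependencies: { "evil-helper": "1.0.0" },
    },
    "node_modules/evil-helper": { version: "1.0.0", resolved: tgz("evil-helper", "1.0.0"), integrity: "sha512-BBBB" },
    "node_modules/express": {
      version: "4.19.2", resolved: tgz("express", "4.19.2"), integrity: "sha512-CCCC",
      dependencies: { "body-parser": "1.20.2", cookie: "0.6.0" },
    },
    "node_modules/body-parser": {
      version: "1.20.2", resolved: tgz("body-parser", "1.20.2"), integrity: "sha512-DDDD",
      dependencies: { bytes: "3.1.2" },
    },
    "node_modules/bytes": { version: "3.1.2", resolved: tgz("bytes", "3.1.2"), integrity: "sha512-EEEE" },
    "node_modules/cookie": { version: "0.6.0", resolved: tgz("cookie", "0.6.0") },
    "node_modules/leftpad": { version: "0.0.1", resolved: tgz("leftpad", "0.0.1"), integrity: "sha512-FFFF" },
  },
};

// Depth histogram: breadth-first walk from the root over each entry's declared
// dependencies. Index 0 is the app itself; index n counts packages first
// reached after n hops (the "Depth = n" figures on the hello-world slide).
function depthHistogram(lock) {
  const pkgs = lock.packages;
  const seen = new Set([""]);
  const counts = [1];
  let frontier = [""];
  while (frontier.length) {
    const next = [];
    for (const key of frontier) {
      for (const dep of Object.keys(pkgs[key].dependencies || {})) {
        const depKey = "node_modules/" + dep; // simplification: flat node_modules only
        if (!seen.has(depKey) && pkgs[depKey]) { seen.add(depKey); next.push(depKey); }
      }
    }
    if (next.length) counts.push(next.length);
    frontier = next;
  }
  return counts;
}

const PINNED = /^\d+\.\d+\.\d+$/; // exact semver triple, no ^ ~ >= or tags

// The three policy checks from the best-practice slide; one finding per violation.
function auditLockfile(pkg, lock) {
  const findings = [];
  for (const [name, spec] of Object.entries(pkg.dependencies)) {
    if (!PINNED.test(spec)) findings.push({ rule: "version-pinning", name, detail: spec });
  }
  for (const [key, entry] of Object.entries(lock.packages)) {
    if (key === "") continue;
    const name = key.replace(/^node_modules\//, "");
    if (!entry.integrity) findings.push({ rule: "integrity", name, detail: "no integrity hash" });
    if (name.startsWith(INTERNAL_SCOPE + "/") && !entry.resolved.startsWith(INTERNAL_REGISTRY)) {
      findings.push({ rule: "dependency-confusion", name, detail: entry.resolved });
    }
  }
  return findings;
}

console.log("packages per depth:", depthHistogram(lockfile)); // [1, 3, 3, 1] for the sample
console.table(auditLockfile(packageJson, lockfile));
```

Run it with `node audit.js`. A real lockfile nests paths such as `node_modules/a/node_modules/b` when two versions of the same package coexist; the lookup above uses the flat path only. `npm ci` refuses to install when package.json and the lockfile disagree, so these checks belong in front of that step, not instead of it.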
When Is Security Involved in Software Development?
The application development journey has already changed!
Traditional Approach
Design Develop Deploy Staging Production
Lucky security tester
Unlucky security tester
Detect Early, Pay Less!
References
https://www.nowsecure.com/blog/2017/05/10/level-up-mobile-app-security-metrics-to-measure-success/
https://www.packtpub.com/product/practical-cybersecurity-architecture/9781838989927
Modern Approach
Design → Develop → Deploy → Staging → Production
§ Security Design
§ Threat Modelling
§ 4-Eyes Principle
§ Secret Scanning
§ SAST/SCA
§ IaC Scanning
§ Container Image Scanning
§ DAST
§ Load/Stress Test
SHIFT LEFT
A later phase can catch what an earlier one missed, but cannot replace it.
• Continuous Dependency Monitoring
• Firewall
• Runtime Application Security
• Pentest / Bug Bounty
• Vulnerability Disclosure Program
• Logging & Monitoring
• Cloud Native Application Protection
Read more
• OWASP DevSecOps Guideline - https://github.com/OWASP/DevSecOpsGuideline
Still ...
(Same pipeline and controls as on the previous slide)
https://www.youtube.com/watch?v=gdsUKphmB3Y
Read more
• OWASP DevSecOps Guideline - https://github.com/OWASP/DevSecOpsGuideline
Continuous Dependency Monitoring In Production
1. Generate the list of dependencies (SBOM)
2. Continuously monitor it after deploying to production
Software Bill of Materials (SBOM)
• Dependencies: components / libraries
• Licenses
• Vulnerabilities
• Suppliers
• App metadata: app identifier, authors
Questions the SBOM must answer when a new CVE lands:
• Which application?
• Who to contact?
• How to fix?
• How to detect?
LOG4SHELL, CVE-2021-44228, CVSS Score 10 / 10
Which application? Who to contact? How to fix? How to detect?
SBOM Management
SBOM In Practice
(Diagram: every App produces an SBOM; all SBOMs feed Continuous Monitoring.)
ZERO DAY ALERT!
• Search apps based on dependency or CVE → Which applications?
• Authors/committers information is available → Who to contact?
• Continuous monitoring on new SBOMs → Are we safe now? (real-time overview)
• Application metadata → Prioritization of the fix
How to Generate SBOM
SBOM Generation: from the Artifact, the Container Image, the Source Code or the Runtime Environment
SBOM Journey In CI/CD
Generate Software Bill of Materials
SBOM Generation - Generic
Read more
• OWASP DevSecOps Guideline https://github.com/OWASP/DevSecOpsGuideline
SBOM Generation – Java Ecosystem
Version +3.3
Read more
• OWASP DevSecOps Guideline https://github.com/OWASP/DevSecOpsGuideline
• Securing the Supply Chain for Your Java Applications by THOMAS VITALE - https://www.youtube.com/watch?v=VM7lJ0f_xhQ
SBOM Generation - Docker
Read more
• OWASP DevSecOps Guideline - https://github.com/OWASP/DevSecOpsGuideline
• Securing the Supply Chain for Your Java Applications by THOMAS VITALE - https://www.youtube.com/watch?v=VM7lJ0f_xhQ
• https://earthly.dev/blog/docker-sbom/
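The three SBOM Generation slides above (generic, Java ecosystem, Docker) show tool output. This added JavaScript example, which is not code from the talk or from any CycloneDX tool, builds the same kind of document by hand from a constructed npm lockfile so that the structure is visible: the application as `metadata.component`, one component per library with a Package URL and its hash, the `metadata.authors` contact list the later slides rely on, and the dependency graph. For Maven projects and container images the tools the slides reference (the CycloneDX Maven plugin, syft / docker sbom) produce the real document; the lockfile, team contact and hash strings here are assumptions.

```javascript
// Added example (not from the talk or from any CycloneDX tool): build a minimal
// CycloneDX 1.5 JSON SBOM from a constructed lockfileVersion 3 npm lockfile.
// Integrity strings are placeholders, not real hashes.
const lockfile = {
  name: "payments-api",
  version: "3.2.0",
  lockfileVersion: 3,
  packages: {
    "": { name: "payments-api", version: "3.2.0", dependencies: { express: "4.19.2" } },
    "node_modules/express": {
      version: "4.19.2",
      resolved: "https://registry.npmjs.org/express/-/express-4.19.2.tgz",
      integrity: "sha512-CCCC",
      dependencies: { cookie: "0.6.0" },
    },
    "node_modules/cookie": {
      version: "0.6.0",
      resolved: "https://registry.npmjs.org/cookie/-/cookie-0.6.0.tgz",
      integrity: "sha512-DDDD",
    },
  },
};

// Package URL for an npm package; the "@" of a scope is percent-encoded per the purl spec.
function npmPurl(name, version) {
  return "pkg:npm/" + name.replace("@", "%40") + "@" + version;
}

// SRI string "sha512-<base64>" to a CycloneDX hash object (algorithm name plus hex digest).
function sriToHash(integrity) {
  const [alg, b64] = integrity.split("-");
  return { alg: alg.toUpperCase().replace("SHA", "SHA-"), content: Buffer.from(b64, "base64").toString("hex") };
}

// serialNumber only has to be a unique urn:uuid; Math.random is enough for that, it is not a key.
function uuid4() {
  return "xxxxxxxx-xxxx-4xxx-yxxx-xxxxxxxxxxxx".replace(/[xy]/g, c => {
    const r = (Math.random() * 16) | 0;
    return (c === "x" ? r : (r & 0x3) | 0x8).toString(16);
  });
}

// authors: CycloneDX organizationalContact entries ({ name, email }), the "who to contact" field.
function lockfileToCycloneDX(lock, authors) {
  const pkgs = lock.packages;
  const refOf = (name) => npmPurl(name, pkgs["node_modules/" + name].version); // flat node_modules only
  const root = pkgs[""];
  const rootRef = npmPurl(root.name, root.version);
  const components = [];
  const dependencies = [{ ref: rootRef, dependsOn: Object.keys(root.dependencies || {}).map(refOf) }];
  for (const [key, entry] of Object.entries(pkgs)) {
    if (key === "") continue;
    const name = key.replace(/^node_modules\//, "");
    const ref = npmPurl(name, entry.version);
    components.push({
      type: "library", "bom-ref": ref, name, version: entry.version, purl: ref,
      hashes: entry.integrity ? [sriToHash(entry.integrity)] : [],
    });
    dependencies.push({ ref, dependsOn: Object.keys(entry.dependencies || {}).map(refOf) });
  }
  return {
    bomFormat: "CycloneDX",
    specVersion: "1.5",
    serialNumber: "urn:uuid:" + uuid4(),
    version: 1,
    metadata: {
      timestamp: new Date().toISOString(),
      component: { type: "application", "bom-ref": rootRef, name: root.name, version: root.version, purl: rootRef },
      authors,
    },
    components,
    dependencies,
  };
}

const bom = lockfileToCycloneDX(lockfile, [{ name: "Payments team", email: "payments@example.com" }]);
console.log(JSON.stringify(bom, null, 2));
```

The `bom-ref` values double as the purl so that the `dependencies` graph can be resolved by the same key an SCA tool will use to match advisories; a generator that omits `dependencies` still yields a valid SBOM, but then "is this library actually reachable from my app" can no longer be answered from the document alone.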
Software Composition Analysis (SCA)
SBOM Journey In CI/CD
Software Composition Analysis (SCA)
• Commercial
• Free/Open-Source
Read more
• OWASP DevSecOps Guideline - https://github.com/OWASP/DevSecOpsGuideline
SBOM Journey In CI/CD
SBOM Management & Continuous Monitoring
SBOM Management
• Commercial tools
• Free / Open-Source: OWASP Dependency-Track
Read more
• OWASP DevSecOps Guideline https://github.com/OWASP/DevSecOpsGuideline
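The zero-day alert workflow from the SBOM In Practice slide and the SBOM management slide above, as an added JavaScript example that is not Dependency-Track code and not from the talk. It indexes three constructed CycloneDX documents and, given a constructed advisory for log4j-core, answers the slide's questions: which applications are affected, whom to contact, and which fix to do first. The `internal:exposure` metadata property, the team contacts and the simplified affected range are assumptions; in practice the advisory side comes from a vulnerability feed such as OSV or NVD.

```javascript
// Added example (not from the talk, not Dependency-Track code): an in-memory
// SBOM index that answers the "zero-day alert" questions from the slides.
// All SBOMs and the advisory below are constructed.
function makeSbom(app, version, authors, exposure, components) {
  return {
    bomFormat: "CycloneDX", specVersion: "1.5", version: 1,
    metadata: {
      component: { type: "application", name: app, version },
      authors,
      properties: [{ name: "internal:exposure", value: exposure }], // assumption: our own property
    },
    components: components.map(([group, name, ver]) => ({
      type: "library", group, name, version: ver,
      purl: `pkg:maven/${group}/${name}@${ver}`,
    })),
  };
}

const sboms = [
  makeSbom("payments-api", "3.2.0", [{ name: "Payments team", email: "payments@example.com" }], "internet",
    [["org.apache.logging.log4j", "log4j-core", "2.14.1"], ["org.springframework", "spring-core", "5.3.20"]]),
  makeSbom("batch-reporter", "1.9.4", [{ name: "Data team", email: "data@example.com" }], "internal",
    [["org.apache.logging.log4j", "log4j-core", "2.12.1"]]),
  makeSbom("inventory-ui", "7.0.1", [{ name: "Web team", email: "web@example.com" }], "internet",
    [["org.apache.logging.log4j", "log4j-core", "2.17.1"]]),
];

// Constructed advisory with only the fields the matcher needs. The range is a
// simplification: the real CVE-2021-44228 advisory also lists backported
// security releases on the 2.12.x and 2.3.x lines.
const advisory = {
  id: "CVE-2021-44228",
  group: "org.apache.logging.log4j",
  name: "log4j-core",
  introduced: "2.0",
  fixed: "2.15.0",
};

// Compare dotted numeric versions ("2.14.1" < "2.15.0"); pre-release tags are ignored.
function compareVersions(a, b) {
  const pa = a.split("-")[0].split(".").map(Number);
  const pb = b.split("-")[0].split(".").map(Number);
  for (let i = 0; i < Math.max(pa.length, pb.length); i++) {
    const d = (pa[i] || 0) - (pb[i] || 0);
    if (d !== 0) return Math.sign(d);
  }
  return 0;
}

// introduced <= version < fixed, on the same Maven coordinates.
function isAffected(component, adv) {
  return component.group === adv.group && component.name === adv.name &&
    compareVersions(component.version, adv.introduced) >= 0 &&
    compareVersions(component.version, adv.fixed) < 0;
}

// Which applications? Who to contact? In what order? One row per affected
// component, internet-facing apps first, then alphabetical by app.
function zeroDayAlert(allSboms, adv) {
  const hits = [];
  for (const bom of allSboms) {
    const prop = (bom.metadata.properties || []).find(p => p.name === "internal:exposure");
    const exposure = prop ? prop.value : "unknown";
    for (const c of bom.components) {
      if (!isAffected(c, adv)) continue;
      hits.push({
        app: `${bom.metadata.component.name}@${bom.metadata.component.version}`,
        component: c.purl,
        contact: bom.metadata.authors.map(a => a.email).join(", "),
        exposure,
      });
    }
  }
  const rank = { internet: 0, internal: 1, unknown: 2 };
  return hits.sort((x, y) => (rank[x.exposure] - rank[y.exposure]) || x.app.localeCompare(y.app));
}

console.log(advisory.id);
console.table(zeroDayAlert(sboms, advisory));
```

Matching on group, name and version is deliberately stricter than matching on the purl string, because the same library appears under different purl types (`pkg:maven`, a shaded jar, an OS package) while the advisory names one artifact; the sort key comes from SBOM metadata rather than from a ticket system, which is the point of the "Application Metadata → Prioritization" slide.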
Am I Prepared Now?
Firewall, Continuous Monitoring, Logging & Monitoring
Dev Sec Ops
The team story
DevSecOps breaks down silos to achieve the goal of delivering secure and stable software quickly.
Regulations Insights
Regulations
Read more
• NTIA - https://www.ntia.gov/page/software-bill-materials
• NIST - https://www.nist.gov/itl/executive-order-14028-improving-nations-cybersecurity/software-security-supply-chains-software-1+
• EU Cyber Resilience Act (CRA)
§ Executive Order 14028 on Improving the Nation's Cybersecurity
§ DHS Software Supply Chain Risk Management Act
§ FDA Medical Device Cybersecurity Requirements
§ NIST SP 800-218 (Secure Software Development Framework)
• DORA – EU Digital Operational Resilience Act (financial sector)
• Germany – BSI TR-03183: SBOM requirements in support of the CRA
Regulations – CRA Timeline (as presented in May 2024)
NOW → Entry into force: 2024 Q2 → Deadline: 2026 Q1
Read more
• https://medium.com/@bugprove/eu-cyber-resilience-act-cra-all-you-need-to-know-in-a-nutshell-b843d149e18a
Regulations – DORA Timeline
NOW → Already in force → Applies from 17 January 2025 (deadline 2025 Q1)
Read more
• https://www.eiopa.europa.eu/digital-operational-resilience-act-dora_en
• https://www.eiopa.europa.eu/document/download/2888a8e8-4a20-4e27-ad51-7ad4e5b511f7_en
Standards
• ISO/IEC 27036 – Cybersecurity — Supplier relationships
Frameworks
• SLSA – Supply-chain Levels for Software Artifacts
SBOM Format Standards
• SPDX – Software Package Data Exchange
• CycloneDX (CDX)
Read more
• https://www.iso.org/standard/82905.html
• https://cyclonedx.org
• https://spdx.dev/
• https://slsa.dev/
Thanks for your attention
Please Rate This Talk in NLJUG App
If you have any other questions, you can reach out to us via Social Media
@SorooshKh linkedin.com/in/sorooshkhodami
@asecengineer linkedin.com/in/aliyazdani
Secure Software Ecosystem Teqnation 2024