IT Security Summit - Münich 16 May 2022 Software rotting or why you need to change your approach to security

1. Software rotting or
why you need to change your approach to security
Giulio Vian
16 May 2022
@giulio_vian
https://www.getlatestversion.eu
http://blog.casavian.eu
https://www.slideshare.net/giuliov
https://github.com/giuliov

2. Executive Summary
Software decays rapidly, and decay rate
is speeding up.
Security is the main force, but not the
only one.
We must improve tooling and practices
to cope with this increased velocity.
Technical Inflation helps Management
understand what is going on.
Assume you know what SCA or SAST is
Image source: Public Domain

3. Hardware spec:
1 KB RAM
4 KB ROM
First computer Past employers Communities
Giulio Vian Principal DevOps Engineer
@giulio_vian
giuliovdev@hotmail.com

4. Agenda
A security problem
becomes a developers’ problem,
an IT Operations’ problem,
and a management’s problem.

5. A security problem…
Image source: Unknown

6. Vulnerabilities
Log4J Log4Shell
OpenSSL Heartbleed
pac-resolver
WinSCPHelper
librdkafka
…

7. Open source dependency &
vulnerability
Source: Sonatype Source: Sonatype

8. Dependencies
An average .NET project has 11 direct, and 76
indirect dependencies [Source: Snyk]
Project == nuget.org package
The average application contains 118 open-
source libraries [Source: Contrast Security]
Application: Java/.NET/NodeJS

9. Intermezzo: libraries & languages
Source:
Contrast Security

10. Attacks through libraries are increasing
(slightly)
Source: Sonatype

11. Last, but not least
Source: Snyk
Source: Sonatype
Mean Time to Update

12. Standard Reaction©
CVE
triggers
Security
instructs
Developer Teams
fix code
Release
Management
deploy
Image source: PxHere

13. …becomes a
developers’ problem…
Image: Code monkey at work
by Kevin Key (aka slworking)

14. Finding code,
manually
Multiple production
branches
release/*
hotfix/*
Untagged releases
Image: Archaeological Sifting Earth from the Temple Mount
by zachi dvira Pikiwiki Israel

15. How broadly?
How many teams, repos,
and pipelines?
My company has 3,000 repos
across 100 teams, storing over
13 million lines of code, and
using 2,800 pipelines
A single vulnerability may affect 10s teams
and 100s of repos
Are they distributed or
centralized?
Image: The Crowd For DMB 1 by Moses

16. Finding code,
automated
SCA† tools are
pipeline–bound
Rarely built code
Pipeline does not work anymore
† Software Composition Analysis
Image: Automated storage and retrieval system using TGW Stingray
by TGWmechanics

17. Fixing code
Scan all repositories
Patch code
Latest or specific version
Can be automated?
Image: robotic arm in the Conrad Prebys Center for Chemical Genomics
by Josh Baxt

18. Can you
expedite?
Separation of Duties
Regulation / audit requirement
Slows 0-day patching
Tightly controlled usage
Automated checks
Single commit with limited
churn
Additional approvers for
quick turnaround
Image courtesy of SpaceX

19. Testing
Regression, regression,
regression
% Code coverage with care

20. …an IT Operations’
problem…
Image: Worried? by Marcin Bajer

21. Affected by
Vulnerability
Application stack
Container images
Virtual Machine images
Application itself
Application code
Libraries
Internal
3rd party
Self-contained run-time
Application
Run-time
OS
libraries
Base
image
Self-
contained

22. Base images
vmdk, VHD, VDI, OVA, …
AMI , VHD
Docker, OCI, ACI, …
Application
Run-time
OS
libraries
Base
image

23. App Platform shift
Chrome 1 month patched after 14 days
Node.JS 30 months (LTS) patched every 25 days
6 months
Go 6 months patched every 26 days
Two major releases supported.
MongoDB 30 months patched every 5 weeks
.NET 3 years (LTS) patched every 6 weeks
18 months
Java 3 years (LTS) patched every
6 months 12 weeks

24. Redeploy.
Every. Day.
Simplest pattern
Once automated
patching is in place
Must cover rollback scenario
Zero-downtime deploy
in place
Consider pipeline
resources
Image: the gerbil wheel pose by dbgg1979

25. Bill of Materials
on steroids
Reverse indexes
Library → Binaries [SCA tool]
O.S. API → Binaries [SAST tool]
Binary → Pipelines [artifact store]
Pipeline → Repo(s) [pipeline tool]
Pipeline
Binaries
Production
Libraries
Repo(s)

26. …a management’s
problem.
Image source: PxHere

27. Costs
Investment to optimize
patching and
deployment processes
Increased on-going cost
to rebuild as needed
On top of SCA & other
security tooling
Image by Jayne Simmons

28. Technical Debt
«describes the consequences
of software development
actions that intentionally or
unintentionally prioritize
client value and/or project
constraints such as delivery
deadlines, over more
technical implementation
and design considerations.»
Holvitie J., Licorish S.A., et al. - Technical
debt and agile software development
practices and processes – Information and
Software Technology, issue 96 (2018) p.142 Image by ThoBel-0043

29. Technical
Inflation
Unintended reduction
in value of a software
product over time,
independent of source
code changes.
Depreciation does not
capture two elements:
Unintentionality
Value can be restored
Image source: Max Pixel

30. Restoring
Value
Expedite pipelines
Dependency metabase
At most two platform
versions
Zero-(security-)issues policy
Image by Marek Ślusarczyk

31. Track progress
Security SLA
Mean time to implement a
security Fix
From notice (e.g. CVE) to dev
Mean Time to Patch
Production
From dev to prod
Image by Tumisu

32. Summary
Feels increased
pressure
Automates
patching code
Efficiently rebuild
images and
redeploy
Allots budget
& tracks
improvement

33. Questions?
@giulio_vian
giuliovdev@hotmail.com

34. Thank you!
@giulio_vian
giuliovdev@hotmail.com
5 slides follows with bibliographic references

35. References (1/5)
https://www.sonatype.com/resources/state-of-the-software-supply-chain-2021
https://blog.chromium.org/2021/03/speeding-up-release-cycle.html
https://nodejs.org/en/about/releases/
https://chromium.googlesource.com/chromium/src/+/refs/heads/main/docs/process/release_
cycle.md
https://support.google.com/chrome/a/answer/6220366
https://dotnet.microsoft.com/en-us/platform/support/policy/dotnet-core
https://docs.fedoraproject.org/en-US/releases/lifecycle/
https://www.oracle.com/java/technologies/java-se-support-roadmap.html
https://kubernetes.io/releases/release/
https://www.mongodb.com/support-policy/software

36. References (2/5)
https://heartbleed.com/
Why Every Business Is a Software Business — Watts S. Humphrey Informit, Feb 22, 2002
http://www.informit.com/articles/article.aspx?p=25491
https://en.wikipedia.org/wiki/Watts_Humphrey
https://www.sonatype.com/resources/state-of-the-software-supply-chain-2021
https://www.shopify.com/enterprise/global-ecommerce-statistics
https://blog.cloudflare.com/popular-domains-year-in-review-2021/
https://radar.cloudflare.com/year-in-review-2021
https://snyk.io/blog/net-open-source-security-insights/
https://www.contrastsecurity.com/the-state-of-the-oss-report-2021
https://octoverse.github.com/static/github-octoverse-2020-security-report.pdf

37. References (3/5)
https://www.soa.org/globalassets/assets/files/resources/research-report/2020/quantification-
cyber-risk.pdf
https://www.soa.org/globalassets/assets/files/resources/research-report/2020/exposure-
measures-cyber-insurance.pdf
https://www.csis.org/programs/strategic-technologies-program/significant-cyber-incidents
https://www.verizon.com/business/resources/reports/dbir/
https://www.accenture.com/us-en/insights/security/cost-cybercrime-study
https://www.ibm.com/security/data-breach
https://go.snyk.io/SoOSS-Report-2020.html
https://www.amazon.co.uk/Accelerate-Software-Performing-Technology-
Organizations/dp/1942788339

38. References (4/5)
https://www.sciencedirect.com/science/article/abs/pii/0164121279900220
https://daverupert.com/2020/11/technical-debt-as-a-lack-of-understanding/
https://wiki.owasp.org/images/b/bd/Software_Composition_Analysis_OWASP_Stammtisch_
-_Stanislav_Sivak.pdf
https://googleprojectzero.blogspot.com/
https://blog.google/threat-analysis-group/how-we-protect-users-0-day-attacks/
https://github.com/nodejs/node/blob/master/doc/changelogs/CHANGELOG_V14.md
https://dotnet.microsoft.com/en-us/download/dotnet/3.1
https://docs.mongodb.com/upcoming/release-notes/5.0/
https://www.devsecops.org/
https://github.com/golang/go/wiki/Go-Release-Cycle

39. References (5/5)
https://go.dev/doc/devel/release
https://libraries.io/data
https://github.com/devopsenterprise/2021-virtual-us/blob/main/Bryan%20Finster%20-
%20DOES%202021%20-%20Misuse%20and%20Abuse%20DORA%20Metrics.pdf
https://trumpwhitehouse.archives.gov/wp-content/uploads/2018/02/The-Cost-of-Malicious-
Cyber-Activity-to-the-U.S.-Economy.pdf

40. Backup Slides

41. Tools to
Identify
Vulnerabilities
 Static Application
Security Testing (SAST)
 Software Composition
Analysis (SCA)
Commercial
Synopsys Black Duck, Snyk,
WhiteSource Bolt, Sonatype Nexus
Platform, JFrog Xray, docker scan
OSS
npm audit, OWASP Dependency
Check, GitHub dependabot, Trivy
Application
Run-time
OS
libraries
v

42. Impact
IBM
Lost business represented 38% of total breach cost.
287 Average number of days to identify and
contain a data breach.
Ransomware attacks cost an average of $4.62
million .

43. Inflation
Inflation refers to a general
progressive increase in prices of
goods and services in an
economy […] consequently,
inflation corresponds to a
reduction in the purchasing
power of money.
Source: Wikipedia
Image: Public Domain

44. Costs
This is not keeping the lights on
It is more similar to insurance
Requires CI/CD maturity
All component build, test and deploy automated
Preventive updates minimize fast-track usage
More red-taping until tools catch up

45. DevOps