Stop Security by Sleight of Hand
@spoole167
Background – bad guys and dependencies
$ whoami
Steve Poole, @spoole167, Developer Advocate, Sonatype
Olimpiu Pop, @olimpiupop, Head of Engineering, Salt & Pepper
At some point we all find ourselves searching for code …
@spoole167 @olimpiupop
… so we can add a new dependency.
Whatever your preferred language or build system
90% of modern applications are open source dependencies.
Our applications live or die by dependency management and repositories.
Code is just there for the taking. So we do.
All the time: in 2021, developers around the world made more than 496 billion requests to Maven Central.
Unfortunately, we’re not good at managing these dependencies, or even knowing what we include.
https://www.sonatype.com/resources/log4j-vulnerability-resource-center
log4j downloads
This suggests:
1. Scanning tools are not being used
2. Scanning tools used aren’t very good
3. Somebody doesn’t care or understand
Not all dependency scanning is the same

<dependencies>
  <dependency>
    <groupId>org.apache.camel</groupId>
    <artifactId>apache-camel</artifactId>
    <version>2.10.0</version>
  </dependency>
  <dependency>
    <groupId>org.apache.camel</groupId>
    <artifactId>camel-twitter</artifactId>
    <version>2.10.0</version>
  </dependency>
  <dependency>
    <groupId>org.twitter4j</groupId>
    <artifactId>twitter4j-core</artifactId>
    <version>2.2.5</version>
  </dependency>
  <dependency>
    <groupId>log4j</groupId>
    <artifactId>log4j</artifactId>
    <version>1.2.9</version>
  </dependency>
</dependencies>

Most can do direct dependencies: the ones declared in your own pom.
Some can do transitive dependencies: the dependencies that your declared dependencies themselves pull in.

<dependency>
  <groupId>org.twitter4j</groupId>
  <artifactId>twitter4j-core</artifactId>
  <version>2.2.5</version>
</dependency>
<dependency>
  <groupId>org.apache.camel</groupId>
  <artifactId>camel-twitter</artifactId>
  <version>2.10.0</version>
</dependency>
<dependency>
  <groupId>org.apache.camel</groupId>
  <artifactId>apache-camel</artifactId>
  <version>2.10.0</version>
</dependency>
<dependency>
  <groupId>log4j</groupId>
  <artifactId>log4j</artifactId>
  <version>1.2.9</version>
</dependency>
Some can handle hidden packages. Here the log4j dependency has been bundled inside another artifact (fatjar:stuff), so the pom no longer shows it at all:

<dependency>
  <groupId>org.twitter4j</groupId>
  <artifactId>twitter4j-core</artifactId>
  <version>2.2.5</version>
</dependency>
<dependency>
  <groupId>org.apache.camel</groupId>
  <artifactId>camel-twitter</artifactId>
  <version>2.10.0</version>
</dependency>
<dependency>
  <groupId>org.apache.camel</groupId>
  <artifactId>apache-camel</artifactId>
  <version>2.10.0</version>
</dependency>
<!-- was:
<dependency>
  <groupId>log4j</groupId>
  <artifactId>log4j</artifactId>
  <version>1.2.9</version>
</dependency>
-->
<dependency>
  <groupId>fatjar</groupId>
  <artifactId>stuff</artifactId>
  <version>0.0.1</version>
</dependency>
Some can even handle single classes. Now there is no log4j artifact anywhere, just JNDI.class sitting inside fatjar:stuff:

<dependency>
  <groupId>fatjar</groupId>
  <artifactId>stuff</artifactId>
  <version>0.0.1</version>
</dependency>
<!-- contains JNDI.class -->
<dependency>
  <groupId>org.apache.camel</groupId>
  <artifactId>camel-twitter</artifactId>
  <version>2.10.0</version>
</dependency>
<dependency>
  <groupId>org.apache.camel</groupId>
  <artifactId>apache-camel</artifactId>
  <version>2.10.0</version>
</dependency>
Not all dependency scanning is the same
• Scanning what is installed is not optimal
• Many ways to miss dependent code
• Every missed instance is a vector for the bad guys
• Doesn’t cover all the new attack vectors

The most dangerous Java vulnerability ever
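Worked example for the four scanning levels above. This is an added illustration, not code from the talk or from Sonatype: a Python walker that does what a scanner has to do to reach the last level, reading each embedded pom.properties for coordinates, recursing into nested jars, and matching loose class files when no metadata is left. The fat jar it scans is constructed in memory for the demo; `fatjar:stuff:0.0.1` is from the slides, the `lib/` layout and the 2.14.1 version are assumptions, and the real log4j-core 2.x class path `org/apache/logging/log4j/core/lookup/JndiLookup.class` stands in for the slides’ `JNDI.class`.

```python
"""Walk a fat jar the way a dependency scanner has to: declared coordinates
(pom.properties), nested jars, and loose class files.

Added example, not code from the talk or from Sonatype. The jar it scans is
constructed in memory with zipfile so it runs offline; "fatjar:stuff:0.0.1"
comes from the slides, the lib/ layout and the 2.14.1 version are assumed,
and the JndiLookup path is the real one from log4j-core 2.x.
"""
import io
import re
import zipfile

# Entries that reveal a library even when no pom.properties names it.
# Assumption for the demo: the log4j-core JNDI lookup class (Log4Shell).
INDICATOR_CLASSES = {
    "org/apache/logging/log4j/core/lookup/JndiLookup.class": "log4j-core JndiLookup (Log4Shell)",
}

# Maven writes META-INF/maven/<groupId>/<artifactId>/pom.properties into jars.
POM_PROPS = re.compile(r"META-INF/maven/([^/]+)/([^/]+)/pom\.properties$")


def _parse_pom_properties(text):
    """Return (groupId, artifactId, version) from a pom.properties body."""
    props = {}
    for line in text.splitlines():
        if "=" in line and not line.startswith("#"):
            key, value = line.split("=", 1)
            props[key.strip()] = value.strip()
    return props.get("groupId", "?"), props.get("artifactId", "?"), props.get("version", "?")


def scan_jar(data, location="<root>", findings=None):
    """Recursively inspect jar bytes.

    Returns a list of (kind, location, detail) tuples, kind being
    'artifact' (coordinates from pom.properties), 'nested-jar', or
    'class' (an indicator class seen regardless of any metadata).
    """
    if findings is None:
        findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for name in zf.namelist():
            if POM_PROPS.search(name):
                gav = _parse_pom_properties(zf.read(name).decode("utf-8", "replace"))
                findings.append(("artifact", location, ":".join(gav)))
            elif name.endswith(".jar"):
                # A jar inside a jar: recurse with a "!/" path so the report
                # shows exactly where the finding lives.
                findings.append(("nested-jar", location, name))
                scan_jar(zf.read(name), f"{location}!/{name}", findings)
            elif name in INDICATOR_CLASSES:
                findings.append(("class", location, f"{name} -> {INDICATOR_CLASSES[name]}"))
    return findings


def report(findings):
    """Summarise: coordinates a metadata scan sees, plus every indicator
    class hit and whether its location carried any artifact metadata."""
    with_metadata = {loc for kind, loc, _ in findings if kind == "artifact"}
    return {
        "artifacts": sorted(detail for kind, _, detail in findings if kind == "artifact"),
        "class_hits": sorted(
            (loc, detail, loc in with_metadata)
            for kind, loc, detail in findings if kind == "class"
        ),
    }


def _jar(entries):
    """Build an in-memory jar (zip) from {entry name: bytes or str}."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, payload in entries.items():
            zf.writestr(name, payload)
    return buf.getvalue()


def build_sample_fat_jar():
    """Constructed sample: fatjar:stuff:0.0.1 nests one log4j-core jar that
    still carries its pom.properties, and one vendored jar whose metadata
    was stripped, leaving only the JndiLookup class behind."""
    class_stub = b"\xca\xfe\xba\xbe"  # class-file magic; contents do not matter here
    jndi = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
    nested_log4j = _jar({
        "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties":
            "groupId=org.apache.logging.log4j\nartifactId=log4j-core\nversion=2.14.1\n",
        jndi: class_stub,
    })
    stripped = _jar({jndi: class_stub})
    return _jar({
        "META-INF/maven/fatjar/stuff/pom.properties":
            "groupId=fatjar\nartifactId=stuff\nversion=0.0.1\n",
        "lib/log4j-core-2.14.1.jar": nested_log4j,
        "lib/vendored-logging.jar": stripped,
    })


if __name__ == "__main__":
    for key, value in report(scan_jar(build_sample_fat_jar())).items():
        print(key, value)
```

Run it and the report lists the two coordinates a metadata-only scan would find, plus two JndiLookup hits, one of which sits in a jar with no pom.properties at all. That last hit is the case the slides call single classes, and it is invisible to any scanner that stops at pom metadata.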
The bad guys and the new attack vectors
It’s not all hackers in bedrooms doing it for fun.
In 2016 cybercrime surpassed the drug trade:
$450 billion a year
$14,000 a second
50 US Nimitz-class carriers

In 2022?
$450 billion a year → $6 trillion a year
$14,000 a second → $200,000 a second
50 US Nimitz-class carriers → 620 carriers
If cybercrime were a country (by GDP):
United States: $20.89 trillion
China: $14.72 trillion
Cybercrime: $6.0 trillion
Japan: $5.06 trillion
Germany: $3.85 trillion
United Kingdom: $2.67 trillion
India: $2.66 trillion
France: $2.63 trillion
Italy: $1.89 trillion
Canada: $1.64 trillion
https://globalpeoservices.com/top-15-countries-by-gdp-in-2022/
new bad guys
There are still...
● There are still botnets out there trying to get into your systems
● There are still bad guys who want to steal your secrets
● There are still people who will ransom your data
● There are still cryptocurrency miners trying to steal your CPU cycles

Plus...
● Now there are open source project hijacks
● Now there are fake packages in repos
● Now there is malware in the build process
● Now the aim is long term control and stealth
Now there is cyber-warfare
● Motivations are different - it’s not just about money
● Skillsets are higher - professional, well funded
● Persistence is much greater - specific targets, not just targets of opportunity
● EVERYONE – every state or political body, every disenfranchised or suppressed group is or will be taking part
● It’s been happening behind the scenes for some time. Now it’s mainstream.

Potential targets:
You personally
Your personal networks
The organizations you work for, belong to or help
Your country
Modern attacks are supply chain attacks – and we are all part of a supply chain.
The aim is to infiltrate infrastructure and essential services… and manipulate or terminate them.
The internet is the next battlefield. It’s all about software.
The incentive is huge.
Weaponized cybercrime is the new reality.
Nation states are preparing for the next war – and that’s all about software.
Supply chain attacks are rising rapidly
The Zero Day Window is Closing. The Zero Day Window Has Closed.
[Chart: average days from public disclosure to exploit, by year reported, 2006 to 2015, on a 0 to 50 day scale. Source: adapted from IBM X-Force / analysis by Gartner Research (September 2016). The axis is extended to 2017, 2019 and 2021, with Struts2 marked.]
Exploit before publication is the new reality.
Suppression of new CVEs for $M’s is occurring.
Brace for massive increases in attacks on software everywhere:
s/w in the car
s/w on the phone
s/w on the watch
s/w on any device
s/w on the laptop
s/w on the server
s/w on the wifi router
s/w at the supermarket
Cybercriminals used to search for vulnerabilities
Now they make their own

Typosquatting: a lookalike domain or dependency with one or two wrong or different characters.
Open source repo attacks: attempts to get malware or weaknesses added into dependency source via social engineering or tooling.
Build tool attacks: attempts to get malware into the tools that are used to produce dependencies.
Dependency confusion: attempts to get a different version added into a binary repository, often as “latest”.
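Two of the four attack types above, typosquatting and dependency confusion, can be checked for on the consumer side before anything is resolved. The check below is an added example, not code from the talk or from any product: the allowlist is the pom from the earlier slides, the `com.example.` internal namespace, its internal repository URL and the four requests are all constructed for the demo, and edit distance is used as a stand-in for the homoglyph and Unicode normalisation a real lookalike check would add.

```python
"""Pre-resolution checks for two of the attacks above: typosquatted
coordinates and dependency confusion.

Added example, not code from the talk or from any scanner. The allowlist is
the pom from the earlier slides, the internal namespace "com.example." and
its repository URL are assumed, and the requests are constructed.
"""

# Coordinates we have vetted before (constructed from the slides' pom).
KNOWN_GOOD = {
    ("org.apache.camel", "apache-camel"),
    ("org.apache.camel", "camel-twitter"),
    ("org.twitter4j", "twitter4j-core"),
    ("log4j", "log4j"),
}
# Assumed: anything under this prefix must only ever come from our own repo.
INTERNAL_PREFIXES = ("com.example.",)
INTERNAL_REPOS = {"https://repo.example.internal/maven2"}
# Maven metaversions that resolve to "whatever is newest right now".
METAVERSIONS = {"LATEST", "RELEASE"}


def levenshtein(a, b):
    """Edit distance; a one- or two-character slip is what typosquats rely on."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_of(group, artifact, known=KNOWN_GOOD, max_distance=2):
    """Return the vetted coordinate this one nearly matches, or None.

    groupId and artifactId are compared separately and summed, so both
    'org.apache.camle:camel-twitter' and 'org.apache.camel:camel-twiter'
    land within distance 2 of the real thing. An exact match is not a
    lookalike.
    """
    if (group, artifact) in known:
        return None
    best = None
    for g, a in known:
        d = levenshtein(group, g) + levenshtein(artifact, a)
        if d <= max_distance and (best is None or d < best[0]):
            best = (d, f"{g}:{a}")
    return best[1] if best else None


def confusion_risks(dep):
    """Flag the two shapes behind a dependency-confusion attack.

    dep has groupId, artifactId, version and resolvedFrom (repository URL).
    """
    risks = []
    if dep["groupId"].startswith(INTERNAL_PREFIXES) and dep["resolvedFrom"] not in INTERNAL_REPOS:
        risks.append("internal-namespace-from-public-repo")
    version = dep["version"]
    if version.upper() in METAVERSIONS or version.startswith(("[", "(")):
        risks.append("floating-version")
    return risks


def audit(requests):
    """Return {coordinate: [issues]} for every request that has an issue."""
    out = {}
    for dep in requests:
        issues = confusion_risks(dep)
        twin = lookalike_of(dep["groupId"], dep["artifactId"])
        if twin:
            issues.append(f"lookalike-of {twin}")
        if issues:
            out[f'{dep["groupId"]}:{dep["artifactId"]}:{dep["version"]}'] = issues
    return out


# Constructed requests: one clean, one typo, one internal name served by
# Maven Central with a floating version, one internal name served correctly.
SAMPLE_REQUESTS = [
    {"groupId": "org.apache.camel", "artifactId": "camel-twitter", "version": "2.10.0",
     "resolvedFrom": "https://repo1.maven.org/maven2"},
    {"groupId": "org.twitter4j", "artifactId": "twiter4j-core", "version": "2.2.5",
     "resolvedFrom": "https://repo1.maven.org/maven2"},
    {"groupId": "com.example.billing", "artifactId": "billing-client", "version": "LATEST",
     "resolvedFrom": "https://repo1.maven.org/maven2"},
    {"groupId": "com.example.billing", "artifactId": "billing-client", "version": "1.4.2",
     "resolvedFrom": "https://repo.example.internal/maven2"},
]

if __name__ == "__main__":
    for coordinate, issues in audit(SAMPLE_REQUESTS).items():
        print(coordinate, "->", ", ".join(issues))
```

The audit flags the misspelt twitter4j artifact as a lookalike and the internal billing client that Maven Central answered for with a floating version, while the correctly sourced, pinned copy of the same artifact passes. The repository-of-origin check is the one that actually defeats dependency confusion; the version check catches the “latest” habit the slide mentions that makes the attack pay off.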
Open source software is a primary target
5% of the projects on Maven Central already have a vulnerability of CVSS 9 or 10
Now there are direct attacks on open source projects and maintainers to gain access to source repos or release processes
Now there are direct attacks to insert malicious code via pull requests
Now there are direct attacks on the compilers and packaging tools
Worried yet?
● How good are your scanning tools?
● Can you work out what version of javac was used to build them?
● Other build time processes?
● What’s in your new image?
Full Supply Chain
● Secure Development Process
● Supply Chain Management
● Legal and Licensing
● Risk Management
● Vulnerability Management
● Developer eXperience

Choose Software / Build Software / Operate Software / Release Software
In God Software We Trust
Transparency: A Beginning
SBOM = Software Bill of Materials
/ˌsɒftweə(r) bɪl əv məˈtɪəriəlz/
1. Silver Bullet for Omniscient risk Management
2. In short, it is a way to tell another party all of the software that is used in the stack that makes up an application.
3. Similar to ingredients labels on food: they are critical to keep consumers safe and healthy, they are somewhat standardized, but it is a lot more exciting to grow or make the food than the label.
Approved Formats
● SPDX (Software Package Data eXchange)
  ○ License management
  ○ RDF, XLS, tag-value (.spdx), YAML, JSON
  ○ ISO/IEC approved (ISO/IEC 5962:2021)
● CycloneDX (Cyclone Data eXchange)
  ○ OWASP Dependency-Track
  ○ XML, JSON
● SWID (SoftWare IDentification) - ISO/IEC 19770-2
  ○ Installed software inventory
  ○ XML

Common to all
● Machine readable
● Open source or free guidance
● Interchangeable
● Supported build coordinates
  ○ Common Platform Enumeration (CPE)
  ○ Package URL (purl)
  ○ Software Heritage persistent ID (SWHID)
NTIA’s Minimum Fields

Supplier Name: The name of an entity that creates, defines, and identifies components.
Component Name: Designation assigned to a unit of software defined by the original supplier.
Version of the Component: Identifier used by the supplier to specify a change in software from a previously identified version.
Other Unique Identifiers: Other identifiers that are used to identify a component, or serve as a look-up key for relevant databases.
Dependency Relationship: Characterizing the relationship that an upstream component X is included in software Y.
Author of SBOM Data: The name of the entity that creates the SBOM data for this component.
Timestamp: Record of the date and time of the SBOM data assembly.
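The formats and the NTIA minimum fields above, as an added example rather than code from the talk or from the CycloneDX project: build a minimal CycloneDX 1.4 JSON SBOM for the pom shown earlier in the deck, then map each NTIA field onto the document and list what is missing. The supplier names, the `com.example:demo-app` application coordinates and the assumed transitive links (camel-twitter pulling in twitter4j-core, apache-camel pulling in log4j) are constructed for the demo.

```python
"""Build a minimal CycloneDX 1.4 JSON SBOM for the pom from the scanning
slides and check it against the NTIA minimum fields above.

Added example, not the talk's or CycloneDX's own code. The supplier names,
the application coordinates and which artifact depends on which are
assumptions made so the dependency graph has something in it; the fixed
timestamp and serial in the usage keep the output reproducible.
"""
import json
import uuid
from datetime import datetime, timezone

# (groupId, artifactId, version, supplier) -- suppliers assumed for the demo
COMPONENTS = [
    ("org.apache.camel", "apache-camel", "2.10.0", "The Apache Software Foundation"),
    ("org.apache.camel", "camel-twitter", "2.10.0", "The Apache Software Foundation"),
    ("org.twitter4j", "twitter4j-core", "2.2.5", "Twitter4J"),
    ("log4j", "log4j", "1.2.9", "The Apache Software Foundation"),
]
# Assumed transitive relationships, artifactId -> artifactIds it pulls in.
DEPENDS_ON = {"camel-twitter": ["twitter4j-core"], "apache-camel": ["log4j"]}


def purl(group, artifact, version):
    """Package URL for a Maven coordinate: pkg:maven/<group>/<artifact>@<version>."""
    return f"pkg:maven/{group}/{artifact}@{version}"


def build_sbom(app=("com.example", "demo-app", "1.0.0"), author="build pipeline",
               timestamp=None, serial=None):
    """Return a CycloneDX 1.4 document as a plain dict (json.dumps-ready)."""
    app_ref = purl(*app)
    refs = {a: purl(g, a, v) for g, a, v, _ in COMPONENTS}
    components = [
        {"type": "library", "bom-ref": refs[a], "group": g, "name": a,
         "version": v, "purl": refs[a], "supplier": {"name": supplier}}
        for g, a, v, supplier in COMPONENTS
    ]
    # Dependency graph: the application declares all four (as the pom does);
    # each library lists what it pulls in (empty list means "nothing known").
    dependencies = [{"ref": app_ref, "dependsOn": list(refs.values())}]
    for a, ref in refs.items():
        dependencies.append({"ref": ref, "dependsOn": [refs[d] for d in DEPENDS_ON.get(a, [])]})
    return {
        "bomFormat": "CycloneDX",
        "specVersion": "1.4",
        "serialNumber": f"urn:uuid:{serial or uuid.uuid4()}",
        "version": 1,
        "metadata": {
            "timestamp": timestamp or datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ"),
            "authors": [{"name": author}],
            "component": {"type": "application", "bom-ref": app_ref, "group": app[0],
                          "name": app[1], "version": app[2], "purl": app_ref},
        },
        "components": components,
        "dependencies": dependencies,
    }


def ntia_gaps(bom):
    """Map the NTIA minimum fields onto CycloneDX and list whatever is missing."""
    gaps = []
    meta = bom.get("metadata", {})
    if not meta.get("timestamp"):
        gaps.append("metadata.timestamp (Timestamp)")
    if not meta.get("authors"):
        gaps.append("metadata.authors (Author of SBOM Data)")
    graphed = {d.get("ref") for d in bom.get("dependencies", [])}
    for c in bom.get("components", []):
        tag = f'{c.get("group", "")}:{c.get("name", "?")}'
        if not c.get("supplier", {}).get("name"):
            gaps.append(f"{tag}: supplier.name (Supplier Name)")
        if not c.get("name"):
            gaps.append(f"{tag}: name (Component Name)")
        if not c.get("version"):
            gaps.append(f"{tag}: version (Version of the Component)")
        if not (c.get("purl") or c.get("cpe")):
            gaps.append(f"{tag}: purl/cpe (Other Unique Identifiers)")
        if c.get("bom-ref") not in graphed:
            gaps.append(f"{tag}: no dependencies entry (Dependency Relationship)")
    return gaps


if __name__ == "__main__":
    bom = build_sbom(timestamp="2022-05-01T00:00:00Z",
                     serial="123e4567-e89b-12d3-a456-426614174000")
    print(json.dumps(bom, indent=2))
    print("NTIA gaps:", ntia_gaps(bom) or "none")
```

The point of `ntia_gaps` is that a syntactically valid CycloneDX file can still fail the NTIA minimum: drop a supplier or leave a component out of the `dependencies` graph and the document still parses, but a consumer can no longer answer “who made this” or “what pulled this in”, which are exactly the questions the log4j scramble turned on.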
In Hardened Software We Trust
● uses an automatic supply chain process
● has an SBOM
● has evidence of software integrity
● demonstrates a regular audit process
● has evidence of an automatic vulnerability check process
● has a vulnerability disclosure program
● has evidence of the provenance of all software used
● demonstrates strong controls over the use of internal and 3rd party software and services
Pipeline - Heart And Soul
We Have the Information, What do We do With It?
Resources
https://www.sonatype.com/products/free-developer-tools
https://www.ntia.gov/SBOM
https://github.com/awesomeSBOM/awesome-sbom
https://anchore.com/sbom
https://spdx.dev/resources/tools
https://cyclonedx.org/tool-center
https://jfrog.com/sbom-resources
https://bomdoctor.sonatype.dev
Thank you (ευχαριστώ)