Secure Software Ecosystem

Transcript

1. Secure Software Ecosystem 22 May - Soroosh Khodami & Ali

   Yazdani

2. NOT VERY LONG AGO

3. ██╗░░░░░░█████╗░░██████╗░░░██╗██╗░██████╗██╗░░██╗███████╗██╗░░░░░██╗░░░░░ ██║░░░░░██╔══██╗██╔════╝░░██╔╝██║██╔════╝██║░░██║██╔════╝██║░░░░░██║░░░░░ ██║░░░░░██║░░██║██║░░██╗░██╔╝░██║╚█████╗░███████║█████╗░░██║░░░░░██║░░░░░ ██║░░░░░██║░░██║██║░░╚██╗███████║░╚═══██╗██╔══██║██╔══╝░░██║░░░░░██║░░░░░ ███████╗╚█████╔╝╚██████╔╝╚════██║██████╔╝██║░░██║███████╗███████╗███████╗ ╚══════╝░╚════╝░░╚═════╝░░░░░░╚═╝╚═════╝░╚═╝░░╚═╝╚══════╝╚══════╝╚══════╝ CVE-2021-44228 CVSS Score 10

   / 10 CVE-2024-3094 CVSS Score 10 / 10 CVE-2022-22965 CVSS Score 9.8 / 10 CVE-2020-10148 CVSS Score 9.8 / 10

4. We are living in unsecure world everything is probable to

   get exploited. We could be the next target, are we ready ?

5. of all downloads of Log4J are still vulnerable to the

   Log4Shell Vulnerability 30% Reported By Sonatype (Maven Central) Previous Update: https://www.sonatype.com/en/press-releases/critical-log4j-vulnerability-still-being-downloaded-40-of-the-time 2 Years After Release

6. WHY WE ARE HERE SECURITY ENGINEER D E V I

   L D E V E L O P E R

7. WHO WE ARE SECURITY ENGINEER D E V E L

   O P E R Ali Yazdani Soroosh Khodami +10 Years of Software Development Experience Researcher in Software Supply Chain Security Solution Architect at Rabobank via Code Nomads +10 Years of Security Experience Principal Security Engineer @ Scoutbee OWASP DevSecOps Guideline Project Lead @SorooshKh linkedin.com/in/sorooshkhodami ASecurityEngineer.com @asecengineer linkedin.com/in/aliyazdani

8. CLASSIC CYBER ATTACKS SQL Injection Cross-Site Scripting (XSS) Cross-Site Request

   Forgery (CSRF) DDoS Man-in-the-Middle Remote Command Execution Malware Injection Buffer Overflow Privilege Escalation Zero-Day Exploits Server-Side Forgery (SSRF) Read More § https://portswigger.net/web-security/learning-paths § https://www.certifiedsecure.com Phishing

9. Security Risk Tranformation Read More https://owasp.org/www-project-top-ten/

10. Supply chain attack Dependency Confusion Software Supply Chain Hijacking Counterfeit

    Components Third-Party Compromise Compromised Build Environments

11. Dependency Confusion mycompany-ui-component version : 6.6.6 mycompany-ui-component version : 1.2.5

    Private Repository Source Code ? Read More • How it started - https://medium.com/@alex.birsan/dependency-confusion-4a5d60fec610

12. HOW TO DOWNLOAD WHOLE INTERNET WITH ONE COMMAND ?

13. $ npm install

14. Let’s create a HELLO WORLD APP

15. HELLO WORLD Dependency GRAPH Depth = 0 -> 1 Dependency

    Depth = 1 -> 32 Dependencies Depth = 2 -> 65 Dependencies

16. Supply Chain Protection Best Practices Reserve Namespace / Scope /

    Prefix Version Pinning No Latest or Range Package Integrity Check Using SCA Tools Using Dependency Firewall Official Repositories MUST GOOD NICE Read More • How it started - https://medium.com/@alex.birsan/dependency-confusion-4a5d60fec610 • https://xygeni.io/blog/lack-of-version-pinning-and-dependency-confusion/ • https://github.blog/2021-02-12-avoiding-npm-substitution-attacks/ • https://books.sonatype.com/mvnref-book/reference/running-sect-options.html#running-sect-deps-option Keep Dependencies Up to Date Clean Up Unused Libraries Immutable Versions

17. When Security is Involved in Software Development? Application Development Journey

    Already Changed!

18. Traditional Approach Design Develop Deploy Staging Production Lucky security tester

    Unlucky security tester

19. Detect Early, Pay Less! Refrence https://www.nowsecure.com/blog/2017/05/10/level-up-mobile-app-security-metrics-to-measure-success/ https://www.packtpub.com/product/practical-cybersecurity-architecture/9781838989927

20. Modern Approach Design Develop Deploy Staging Production § DAST §

    Load/Stress Test § 4-Eyes Principle § Secret Scanning § SAST/SCA § IaC Scanning § Container Image Scanning § Security Design § Threat Modelling S H I F T L E F T Phases can cover but can't replace each other. • Continuous Dependency Monitoring • Firewall • Runtime Application Security • Pentest / Bug Bounty • Vulnerability Disclosure Program • Logging & Monitoring • Cloud Native Application Protection Read more • OWASP DevSecOps Guideline - https://github.com/OWASP/DevSecOpsGuideline

21. Still ... lop Deploy Staging Production § DAST § Container

    Image Scanning § Load/Stress Test t Scanning SCA canning • Continuous Dependency Monitoring • Firewall • Runtime Application Security • Pentest / Bug Bounty • Vulnerability Disclosure Program • Logging & Monitoring • Cloud Native Application Protection https://www.youtube.com/watch?v=gdsUKphmB3Y Read more • OWASP DevSecOps Guideline - https://github.com/OWASP/DevSecOpsGuideline

22. Continuous Dependency Monitoring In Production

23. Continuous Dependency Monitoring Generating list of Dependencies (SBOM) Continuous Monitoring

    After Deploying to Production

24. Software Bill of Material (SBOM) Dependencies Components / Libraries Licenses

    Vulnerabilities Suppliers App Meta-Data App Identifier Authors

25. Which Application ? Who to contact ? How to Fix

    ? How to detect ? ██╗░░░░░░█████╗░░██████╗░░░██╗██╗░██████╗██╗░░██╗███████╗██╗░░░░░██╗░░░░░ ██║░░░░░██╔══██╗██╔════╝░░██╔╝██║██╔════╝██║░░██║██╔════╝██║░░░░░██║░░░░░ ██║░░░░░██║░░██║██║░░██╗░██╔╝░██║╚█████╗░███████║█████╗░░██║░░░░░██║░░░░░ ██║░░░░░██║░░██║██║░░╚██╗███████║░╚═══██╗██╔══██║██╔══╝░░██║░░░░░██║░░░░░ ███████╗╚█████╔╝╚██████╔╝╚════██║██████╔╝██║░░██║███████╗███████╗███████╗ ╚══════╝░╚════╝░░╚═════╝░░░░░░╚═╝╚═════╝░╚═╝░░╚═╝╚══════╝╚══════╝╚══════╝ CVE-2021-44228 CVSS Score 10 / 10 h Application ? Who to contact ? How to Fix ? How to detect ? cation ? Who to contact ? How to Fix ? How to detect ? Which Application ? Who to contact ? How to Fix ? How to d Which Application ? Who to contact ? How x ? How to detect ?

26. SBOM Management SBOM In Practice SBOM App SBOM App SBOM

    App SBOM App Continuous Monitoring ZERO DAY ALERT ! Search Apps Based On Dependency or CVE Which Applications ? Authors/Committers Information is Available Who to Contact ? Continuous Monitoring on New SBOMs Are we safe now ? (Realtime-overview) Application Metadata Prioritization on Fix

27. How to Generate SBOM

28. SBOM Generation Artifact Container Image Source Code Runtime Env

29. SBOM Journey In CI/CD Generate Software Bill of Material

30. SBOM Generation - Generic Read more • OWASP DevSecOps Guideline

    https://github.com/OWASP/DevSecOpsGuideline

31. SBOM Generation – Java Ecosystem Version +3.3 Read more •

    OWASP DevSecOps Guideline https://github.com/OWASP/DevSecOpsGuideline • Securing the Supply Chain for Your Java Applications by THOMAS VITALE - https://www.youtube.com/watch?v=VM7lJ0f_xhQ

32. SBOM Generation - Docker Read more • OWASP DevSecOps Guideline

    - https://github.com/OWASP/DevSecOpsGuideline • Securing the Supply Chain for Your Java Applications by THOMAS VITALE - https://www.youtube.com/watch?v=VM7lJ0f_xhQ • https://earthly.dev/blog/docker-sbom/

33. Software Composition Analysis (SCA)

34. SBOM Journey In CI/CD Software Composition Analysis (SCA)

35. Software Composition Analysis (SCA)

36. Software Composition Analysis (SCA) Commercial Free/Open-Source Read more • OWASP

    DevSecOps Guideline - https://github.com/OWASP/DevSecOpsGuideline

37. SBOM Journey In CI/CD SBOM Management & Continious Monitoring

38. SBOM Management

39. SBOM Management Commercial Tools Free / Open-Source OWASP Dependency Track

    Read more • OWASP DevSecOps Guideline https://github.com/OWASP/DevSecOpsGuideline

40. Am I Prepared Now? Firewall Continuous Monitoring Logging & Monitoring

41. None

42. Dev Sec Ops

43. The team story

44. The team story DevSecOps destroy silos to achieve the goal

    of delivering secure and stable software quickly.

45. Regulations Insights

46. Regulations Read more • NITA - https://www.ntia.gov/page/software-bill-materials • NIST -

    https://www.nist.gov/itl/executive-order-14028-improving-nations-cybersecurity/software-security-supply-chains-software-1+ • EU Cyber Resilience Act (CRA) § Executive Order 14028 on Improving the Nation’s Cybersecurity § DHS Software Supply Chain Risk Management Act § FDA Medical Device Cybersecurity Requirements § NIST SP 800-218 • DORA – EU Cyber Resilience Operation (Financial Sector) • GERMANY – TR - 03183: SBOM Requirements for CRA

47. Regulations –CRA Timeline NOW Enter Into Force 2024 – Q2

    Deadline 2026 Q1 Read more • https://medium.com/@bugprove/eu-cyber-resilience-act-cra-all-you-need-to-know-in-a-nutshell-b843d149e18a

48. Regulations – DORA Timeline NOW Enter Into Force Deadline 2025

    - Q1 Read more • https://www.eiopa.europa.eu/digital-operational-resilience-act-dora_en • https://www.eiopa.europa.eu/document/download/2888a8e8-4a20-4e27-ad51-7ad4e5b511f7_en

49. Standards ISO/IEC 27036 Cybersecurity — Supplier relationships Frameworks Supply-chain Levels

    for Software Artifacts Read more • https://www.iso.org/standard/82905.html • https://cyclonedx.org • https://spdx.dev/ • https://slsa.dev/ SBOM Format Standard Software package data exchange (SPDX) SBOM Format Standard CycloneDX (CDX)

50. Thanks for your attention If you have any other questions,

    you can reach out to us via Social Media @SorooshKh linkedin.com/in/sorooshkhodami @asecengineer linkedin.com/in/aliyazdani
51. None