Slide 1

Slide 1 text

Secure Software Ecosystem 22 May - Soroosh Khodami & Ali Yazdani

Slide 2

Slide 2 text

NOT VERY LONG AGO

Slide 3

Slide 3 text

[Log4Shell ASCII banner]
CVE-2021-44228 CVSS Score 10 / 10
CVE-2024-3094 CVSS Score 10 / 10
CVE-2022-22965 CVSS Score 9.8 / 10
CVE-2020-10148 CVSS Score 9.8 / 10

Slide 4

Slide 4 text

We are living in an insecure world; everything is likely to get exploited. We could be the next target. Are we ready?

Slide 5

Slide 5 text

30% of all downloads of Log4j are still vulnerable to the Log4Shell vulnerability, 2 years after release. Reported by Sonatype (Maven Central). Previous update: https://www.sonatype.com/en/press-releases/critical-log4j-vulnerability-still-being-downloaded-40-of-the-time

Slide 6

Slide 6 text

WHY WE ARE HERE: SECURITY ENGINEER / DEVIL / DEVELOPER

Slide 7

Slide 7 text

WHO WE ARE
Developer: Soroosh Khodami
• +10 Years of Software Development Experience
• Researcher in Software Supply Chain Security
• Solution Architect at Rabobank via Code Nomads
• @SorooshKh, linkedin.com/in/sorooshkhodami
Security Engineer: Ali Yazdani
• +10 Years of Security Experience
• Principal Security Engineer @ Scoutbee
• OWASP DevSecOps Guideline Project Lead
• ASecurityEngineer.com, @asecengineer, linkedin.com/in/aliyazdani

Slide 8

Slide 8 text

CLASSIC CYBER ATTACKS
• SQL Injection
• Cross-Site Scripting (XSS)
• Cross-Site Request Forgery (CSRF)
• DDoS
• Man-in-the-Middle
• Remote Command Execution
• Malware Injection
• Buffer Overflow
• Privilege Escalation
• Zero-Day Exploits
• Server-Side Request Forgery (SSRF)
• Phishing
Read More
• https://portswigger.net/web-security/learning-paths
• https://www.certifiedsecure.com

Slide 9

Slide 9 text

Security Risk Transformation. Read More: https://owasp.org/www-project-top-ten/

Slide 10

Slide 10 text

Supply chain attack
• Dependency Confusion
• Software Supply Chain Hijacking
• Counterfeit Components
• Third-Party Compromise
• Compromised Build Environments

Slide 11

Slide 11 text

Dependency Confusion
• mycompany-ui-component, version 6.6.6 (public registry)
• mycompany-ui-component, version 1.2.5 (Private Repository / Source Code)
• Which one gets installed?
Read More
• How it started - https://medium.com/@alex.birsan/dependency-confusion-4a5d60fec610

Slide 12

Slide 12 text

HOW TO DOWNLOAD WHOLE INTERNET WITH ONE COMMAND ?

Slide 13

Slide 13 text

$ npm install

Slide 14

Slide 14 text

Let’s create a HELLO WORLD APP

Slide 15

Slide 15 text

HELLO WORLD Dependency GRAPH
• Depth = 0 -> 1 Dependency
• Depth = 1 -> 32 Dependencies
• Depth = 2 -> 65 Dependencies

Slide 16

Slide 16 text

Supply Chain Protection Best Practices (tiers: MUST / GOOD / NICE)
• Reserve Namespace / Scope / Prefix
• Version Pinning: No Latest or Range, Immutable Versions
• Package Integrity Check
• Using SCA Tools
• Using Dependency Firewall
• Official Repositories
• Keep Dependencies Up to Date
• Clean Up Unused Libraries
Read More
• How it started - https://medium.com/@alex.birsan/dependency-confusion-4a5d60fec610
• https://xygeni.io/blog/lack-of-version-pinning-and-dependency-confusion/
• https://github.blog/2021-02-12-avoiding-npm-substitution-attacks/
• https://books.sonatype.com/mvnref-book/reference/running-sect-options.html#running-sect-deps-option
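An added example (not from the slides) that turns the dependency-confusion scenario above (6.6.6 on the public registry vs. 1.2.5 in the private repository) and the pinning, scope and integrity best practices into a pre-merge check over an npm manifest and lockfile. The company scope, the private registry URL and both file contents are constructed sample data.

```python
"""Audit an npm package.json / package-lock.json pair for dependency-confusion
and pinning weaknesses. All names, URLs and file contents are constructed."""
import json
import re

COMPANY_SCOPE = "@mycompany"                        # assumption: reserved npm scope
PRIVATE_REGISTRY = "https://npm.internal.example/"  # assumption: private registry URL
EXACT_VERSION = re.compile(r"^\d+\.\d+\.\d+$")      # rejects ^, ~, ranges and "latest"

# Constructed manifest: one pinned internal package, one range, one floating tag.
PACKAGE_JSON = json.dumps({"dependencies": {
    "@mycompany/ui-component": "1.2.5",
    "lodash": "^4.17.21",
    "left-pad": "latest"}})

# Constructed lockfile: the internal package was resolved from the public registry
# at the attacker-style version 6.6.6 and carries no integrity hash.
PACKAGE_LOCK = json.dumps({"packages": {
    "node_modules/@mycompany/ui-component": {
        "version": "6.6.6",
        "resolved": "https://registry.npmjs.org/@mycompany/ui-component/-/ui-component-6.6.6.tgz"},
    "node_modules/lodash": {
        "version": "4.17.21",
        "resolved": "https://registry.npmjs.org/lodash/-/lodash-4.17.21.tgz",
        "integrity": "sha512-constructed-placeholder"}}})


def audit(package_json: str, package_lock: str) -> list[str]:
    """Return one finding per violated practice; an empty list means clean."""
    findings = []
    deps = json.loads(package_json).get("dependencies", {})
    for name, spec in deps.items():
        if not EXACT_VERSION.match(spec):
            findings.append(f"{name}: version '{spec}' is not pinned to an exact version")
    for path, entry in json.loads(package_lock).get("packages", {}).items():
        if not path.startswith("node_modules/"):
            continue                                   # root project entry, not a dependency
        name = path.rsplit("node_modules/", 1)[-1]     # handles nested node_modules paths
        resolved, version = entry.get("resolved", ""), entry.get("version")
        if name.startswith(COMPANY_SCOPE + "/") and not resolved.startswith(PRIVATE_REGISTRY):
            findings.append(f"{name}@{version}: resolved from {resolved}, not the private registry")
        if name in deps and EXACT_VERSION.match(deps[name]) and version != deps[name]:
            findings.append(f"{name}: lockfile version {version} differs from manifest {deps[name]}")
        if "integrity" not in entry:
            findings.append(f"{name}: lockfile entry has no integrity hash")
    return findings


if __name__ == "__main__":
    for finding in audit(PACKAGE_JSON, PACKAGE_LOCK):
        print("FINDING:", finding)
```

Running it against the constructed pair reports five findings, three of them on the confused internal package; a clean pair returns an empty list, which is the condition a CI gate would enforce.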

Slide 17

Slide 17 text

When is security involved in software development? The application development journey has already changed!

Slide 18

Slide 18 text

Traditional Approach: Design -> Develop -> Deploy -> Staging -> Production. Lucky security tester vs. unlucky security tester.

Slide 19

Slide 19 text

Detect Early, Pay Less!
Reference
• https://www.nowsecure.com/blog/2017/05/10/level-up-mobile-app-security-metrics-to-measure-success/
• https://www.packtpub.com/product/practical-cybersecurity-architecture/9781838989927

Slide 20

Slide 20 text

Modern Approach: Design -> Develop -> Deploy -> Staging -> Production (SHIFT LEFT)
Pre-production controls:
§ Security Design
§ Threat Modelling
§ SAST/SCA
§ IaC Scanning
§ Secret Scanning
§ 4-Eyes Principle
§ Container Image Scanning
§ DAST
§ Load/Stress Test
Phases can cover but can't replace each other.
Production controls:
• Continuous Dependency Monitoring
• Firewall
• Runtime Application Security
• Pentest / Bug Bounty
• Vulnerability Disclosure Program
• Logging & Monitoring
• Cloud Native Application Protection
Read more
• OWASP DevSecOps Guideline - https://github.com/OWASP/DevSecOpsGuideline

Slide 21

Slide 21 text

Still ... (same pipeline view as the previous slide, partly cut off in extraction: Deploy -> Staging -> Production; DAST, Container Image Scanning, Load/Stress Test; Secret Scanning, SCA)
Production controls:
• Continuous Dependency Monitoring
• Firewall
• Runtime Application Security
• Pentest / Bug Bounty
• Vulnerability Disclosure Program
• Logging & Monitoring
• Cloud Native Application Protection
https://www.youtube.com/watch?v=gdsUKphmB3Y
Read more
• OWASP DevSecOps Guideline - https://github.com/OWASP/DevSecOpsGuideline

Slide 22

Slide 22 text

Continuous Dependency Monitoring In Production

Slide 23

Slide 23 text

Continuous Dependency Monitoring
• Generating a list of dependencies (SBOM)
• Continuous monitoring after deploying to production

Slide 24

Slide 24 text

Software Bill of Materials (SBOM)
• Dependencies: Components / Libraries, Licenses, Vulnerabilities, Suppliers
• App Meta-Data: App Identifier, Authors

Slide 25

Slide 25 text

[Log4Shell ASCII banner] CVE-2021-44228 CVSS Score 10 / 10
Which Application? Who to contact? How to fix? How to detect?

Slide 26

Slide 26 text

SBOM Management / SBOM In Practice
• SBOMs per App, fed into Continuous Monitoring
• ZERO DAY ALERT! Search apps based on dependency or CVE -> Which applications?
• Authors/Committers information is available -> Who to contact?
• Continuous monitoring on new SBOMs -> Are we safe now? (realtime overview)
• Application metadata -> Prioritization on fix
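An added example (not from the slides) of the two lookups a zero-day alert needs from an SBOM store: which applications ship a given dependency, which are affected by a given CVE, and whose contact details are in the metadata. The three CycloneDX-style SBOMs, team names and addresses are constructed; the CVE id is the Log4Shell id quoted on the slides.

```python
"""Minimal SBOM management lookups over CycloneDX JSON documents.
All SBOM contents below are constructed sample data."""
import json

# Constructed CycloneDX 1.4-style SBOMs for three applications. metadata.authors
# carries the contacts; the vulnerabilities section (as an SCA tool would emit it)
# links a CVE to the bom-ref of the affected component.
SBOMS = [json.dumps(s) for s in [
    {"metadata": {"component": {"name": "payments-api", "version": "2.3.0"},
                  "authors": [{"name": "Team Payments", "email": "payments@example.com"}]},
     "components": [{"bom-ref": "log4j", "name": "log4j-core", "version": "2.14.1",
                     "purl": "pkg:maven/org.apache.logging.log4j/log4j-core@2.14.1"}],
     "vulnerabilities": [{"id": "CVE-2021-44228", "affects": [{"ref": "log4j"}]}]},
    {"metadata": {"component": {"name": "web-frontend", "version": "5.1.2"},
                  "authors": [{"name": "Team Web", "email": "web@example.com"}]},
     "components": [{"bom-ref": "lodash", "name": "lodash", "version": "4.17.21",
                     "purl": "pkg:npm/lodash@4.17.21"}]},
    {"metadata": {"component": {"name": "batch-jobs", "version": "1.0.0"},
                  "authors": [{"name": "Team Data", "email": "data@example.com"}]},
     "components": [{"bom-ref": "log4j", "name": "log4j-core", "version": "2.17.1",
                     "purl": "pkg:maven/org.apache.logging.log4j/log4j-core@2.17.1"}]},
]]


def _app(sbom: dict) -> dict:
    """Application identifier and contact list from the SBOM metadata."""
    meta = sbom.get("metadata", {})
    comp = meta.get("component", {})
    return {"app": f"{comp.get('name')}@{comp.get('version')}",
            "contacts": [a.get("email") for a in meta.get("authors", [])]}


def apps_with_dependency(sboms: list[str], name: str) -> list[dict]:
    """Which applications ship a component with this name, and at which version?"""
    hits = []
    for raw in sboms:
        sbom = json.loads(raw)
        for c in sbom.get("components", []):
            if c.get("name") == name:
                hits.append({**_app(sbom), "version": c.get("version")})
    return hits


def apps_affected_by(sboms: list[str], cve: str) -> list[dict]:
    """Which applications list this CVE, resolved to the affected component purls?"""
    hits = []
    for raw in sboms:
        sbom = json.loads(raw)
        by_ref = {c.get("bom-ref"): c for c in sbom.get("components", [])}
        for v in sbom.get("vulnerabilities", []):
            if v.get("id") == cve:
                purls = [by_ref[a["ref"]].get("purl") for a in v.get("affects", []) if a.get("ref") in by_ref]
                hits.append({**_app(sbom), "affected": purls})
    return hits
```

The dependency search finds both log4j-core consumers, while the CVE search returns only payments-api, because batch-jobs already ships 2.17.1 and carries no CVE-2021-44228 entry.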

Slide 27

Slide 27 text

How to Generate SBOM

Slide 28

Slide 28 text

SBOM Generation sources: Artifact, Container Image, Source Code, Runtime Environment

Slide 29

Slide 29 text

SBOM Journey In CI/CD: Generate Software Bill of Materials

Slide 30

Slide 30 text

SBOM Generation - Generic
Read more
• OWASP DevSecOps Guideline - https://github.com/OWASP/DevSecOpsGuideline

Slide 31

Slide 31 text

SBOM Generation – Java Ecosystem (Version 3.3+)
Read more
• OWASP DevSecOps Guideline - https://github.com/OWASP/DevSecOpsGuideline
• Securing the Supply Chain for Your Java Applications by Thomas Vitale - https://www.youtube.com/watch?v=VM7lJ0f_xhQ

Slide 32

Slide 32 text

SBOM Generation - Docker
Read more
• OWASP DevSecOps Guideline - https://github.com/OWASP/DevSecOpsGuideline
• Securing the Supply Chain for Your Java Applications by Thomas Vitale - https://www.youtube.com/watch?v=VM7lJ0f_xhQ
• https://earthly.dev/blog/docker-sbom/

Slide 33

Slide 33 text

Software Composition Analysis (SCA)

Slide 34

Slide 34 text

SBOM Journey In CI/CD: Software Composition Analysis (SCA)

Slide 35

Slide 35 text

Software Composition Analysis (SCA)

Slide 36

Slide 36 text

Software Composition Analysis (SCA): Commercial vs. Free/Open-Source tools
Read more
• OWASP DevSecOps Guideline - https://github.com/OWASP/DevSecOpsGuideline

Slide 37

Slide 37 text

SBOM Journey In CI/CD: SBOM Management & Continuous Monitoring

Slide 38

Slide 38 text

SBOM Management

Slide 39

Slide 39 text

SBOM Management: Commercial Tools vs. Free / Open-Source (OWASP Dependency-Track)
Read more
• OWASP DevSecOps Guideline - https://github.com/OWASP/DevSecOpsGuideline

Slide 40

Slide 40 text

Am I Prepared Now? Firewall, Continuous Monitoring, Logging & Monitoring

Slide 41

Slide 41 text

No content

Slide 42

Slide 42 text

Dev Sec Ops

Slide 43

Slide 43 text

The team story

Slide 44

Slide 44 text

The team story: DevSecOps destroys silos to achieve the goal of delivering secure and stable software quickly.

Slide 45

Slide 45 text

Regulations Insights

Slide 46

Slide 46 text

Regulations
• EU Cyber Resilience Act (CRA)
§ Executive Order 14028 on Improving the Nation's Cybersecurity
§ DHS Software Supply Chain Risk Management Act
§ FDA Medical Device Cybersecurity Requirements
§ NIST SP 800-218
• DORA – EU Cyber Resilience Operation (Financial Sector)
• Germany – TR-03183: SBOM Requirements for CRA
Read more
• NTIA - https://www.ntia.gov/page/software-bill-materials
• NIST - https://www.nist.gov/itl/executive-order-14028-improving-nations-cybersecurity/software-security-supply-chains-software-1+

Slide 47

Slide 47 text

Regulations – CRA Timeline: NOW -> Enter Into Force 2024 Q2 -> Deadline 2026 Q1
Read more
• https://medium.com/@bugprove/eu-cyber-resilience-act-cra-all-you-need-to-know-in-a-nutshell-b843d149e18a

Slide 48

Slide 48 text

Regulations – DORA Timeline: NOW -> Enter Into Force -> Deadline 2025 Q1
Read more
• https://www.eiopa.europa.eu/digital-operational-resilience-act-dora_en
• https://www.eiopa.europa.eu/document/download/2888a8e8-4a20-4e27-ad51-7ad4e5b511f7_en

Slide 49

Slide 49 text

Standards: ISO/IEC 27036 Cybersecurity — Supplier relationships
Frameworks: SLSA, Supply-chain Levels for Software Artifacts
SBOM Format Standards: Software Package Data Exchange (SPDX); CycloneDX (CDX)
Read more
• https://www.iso.org/standard/82905.html
• https://cyclonedx.org
• https://spdx.dev/
• https://slsa.dev/

Slide 50

Slide 50 text

Thanks for your attention. If you have any other questions, you can reach out to us via social media: @SorooshKh, linkedin.com/in/sorooshkhodami; @asecengineer, linkedin.com/in/aliyazdani

Slide 51

Slide 51 text

No content