@Jamie_Lee_C DevOpsDays Singapore Jamie L Coleman Developer Advocate @ Sonatype Why Building Your Ship (Application) with Raw Materials is a Bad Idea!

@Jamie_Lee_C Introduction About me Name: Jamie Lee Coleman Current Role: Developer Advocate @ Sonatype Past experience: Developer in Mainframe Software (CICS), WebSphere & OpenJ9 @ IBM Twitter: @Jamie_Lee_C Linked-In: https://www.linkedin.com/in/jamie-coleman/

@Jamie_Lee_C

@Jamie_Lee_C Not just the Maven Central people

@Jamie_Lee_C

@Jamie_Lee_C What will I talk about today? 1. When we Love Open Source! 2. Supply chain problems today 3. SCA 1. What is SCA 2. SCA Tools 3. Lifecycle Demo 4. Why Security in Open-source matters! 5. Legislation 6. SBOMs to the rescue? 8. Security Posture 9. Raw Materials 10. Static Analysis Tools 1. What Are they? 2. What is available? 11. Summary 12. Links

@Jamie_Lee_C Why create this talk?

@Jamie_Lee_C

@Jamie_Lee_C https://www.bbc.com/news/uk-england-hampshire-68178750

@Jamie_Lee_C Open Source is amazing!

@Jamie_Lee_C Brief History of Open Source A-2 system in 1953 - First commercial example of Open Source DECUS formed 1955 – Facilitate sharing of software (SHARE OS by General Motors) Advance Research Projects Agency Network (ARPANET) – Used to share code and later succeeded by the Internet Launch of the GNU project 1983 – To write an OS free from constraints on source code Linux 1991 – The first freely modifiable kernel was born Debian GNU/Linux 1993 – First OS was born OpenJDK 2006 – Java commits to Open Source and releases OpenJDK under the GNU licence Git 2005 – Created by Linux kernel developer s GitHub 2008 – Worlds most used DVCS hosting site Android 2008 – Worlds most used mobile OS (Now owned by Google)

@Jamie_Lee_C Benefits of FOSS Personal control and customizability (4 main FOSS freedoms) Study Copy Modify Redistribute Privacy and Security* Use community to find bugs quickly Low or no costs Software is free with optional licencing Quality, collaboration and efficiency Many people and organizations working together Performance can be much better due to the amount of people contributing Project development can become more agile and efficient

@Jamie_Lee_C Sharing = better! 90% of the applications we create are shared dependencies!

@Jamie_Lee_C Supply chain problems!

@Jamie_Lee_C Dependency Managment 150 Dependencies (avg Java project) 10 Releases Per Year (avg per dependency) 1500 Updates To Consider 😱 x

@Jamie_Lee_C Direct vs Transitive Dependency Example: org.springframework.boot:spring-boot-starter-web

@Jamie_Lee_C

@Jamie_Lee_C Dependency Exploitation Dependency confusion Attempts to get a Different version added into a binary repository Often “latest” Typo-squatting A lookalike domain, dependency with one or two wrong or different characters Open source repo attacks Attempts to get malware or weaknesses added into dependency source via social or tools Build Tool attacks Attempts to get malware into the tools that are used to produce dependencies Automated Social Engineering

@Jamie_Lee_C Microservices make this even harder!

@Jamie_Lee_C Software Composition Analysis

@Jamie_Lee_C What is Software Composition Analysis? https://foojay.io/today/sboms-and-software-composition-analysis/

@Jamie_Lee_C What is Software Composition Analysis?

@Jamie_Lee_C SCA Tools Basic tools will provide: • List of declared dependencies • Basic information such as latest version available More advanced tools will provide: • Transitive dependencies • Vulnerability & Licence data • Project scoring • Visualisations • Licence data

@Jamie_Lee_C Demo of SCA tool - Sonatype Lifecycle

@Jamie_Lee_C Why Security in Open-source matters!

@Jamie_Lee_C In 2016 Cybercrime surpassed the drug trade! $450 Billion a year $14,000 a second Equivalent to 50 US Nimitz Class Aircraft carriers Cyber Crime Facts

@Jamie_Lee_C What about 2022?

@Jamie_Lee_C In 2022! $6 Trillion a year!* $200,000 a second Equivalent to 620 US Nimitz Class Aircraft carriers Cyber Crime Facts

@Jamie_Lee_C United States: $20.89 trillion China: $14.72 trillion Cyber Crime: $6 trillion Japan: $5.06 trillion Germany: $3.85 trillion India: $2.65 trillion United Kingdom: $2.63 trillion France: $2.58 trillion If Cybercrime was a country by GDP in 2022

@Jamie_Lee_C Todays Pablo Escobar uses a Laptop

@Jamie_Lee_C Since I started speaking today… ~ $420,000,000

@Jamie_Lee_C

@Jamie_Lee_C Devices allowed to contain OS code: IEC 62304

@Jamie_Lee_C Legislation!

@Jamie_Lee_C Be Proactive rather than Reactive “If no other manufacturing industry is permitted to ship known vulnerable or defective parts in their products, why should software manufacturers be any different?” – Brian Fox CTO/Founder of Sonatype

@Jamie_Lee_C In another historic move, the US government is calling for generational investments to: • Renew infrastructure. • Secure software and semiconductor supply chains. • Modernize cryptographic technologies. In a nutshell the themes for this new strategy are as follows: • Software providers and data owners held responsible under cybersecurity liability • Realigned long-term investment in cybersecurity will have a focus on the future • A drive to invest in security resilience starts with every digital ecosystem • Coordinated vulnerability disclosures and SBOMs are still a best practice. Get your SBOM below. US - National Cyber Secuirty Stratagy

@Jamie_Lee_C Main points of this legislation: • Essential cybersecurity requirements • Requirement for any digital products on the market and includes things such as good practices for example: “products must protect the availability of essential functions, including the resilience against and mitigation of denial of service attacks” • Vulnerability handling requirements • Requirement for how to handle vulnerabilities with the use of policies for example: “once a security update has been made available, manufacturers must publically disclose information about fixed vulnerabilities and have a policy in place on coordinated vulnerability disclosure” • Extra requirements for Critical products • There are two classes of critical products. Class 1 includes stuff like password management, traffic and identity systems. Class 2 includes operating systems for servers, desktops and mobile devices. • Conformity of products and information and instructions to users • Requirement of software to conform to certain requirements such as Technical documentation that is available before release and is updated throughout the software lifecycle that includes stuff such as a security risk assessment and reports of tests related to vulnerabilities. It also needs to be clear and understandable to the user and includes stuff like a point of contact for reporting vulnerabilities etc. • Reporting obligations • The requirement here is to notify the ENISA within 24h of becoming aware of a actively exploited vulnerability contained in the product. Users should also be notified without undue delay and if possible you should provide them with information about fixes to said vulnerabilities. • Obligations on the rest of the supply chain • Requirements for importers of software that what they have imported EU - Cyber Resilience Act

@Jamie_Lee_C The Product Security and Telecommunications Infrastructure (PSTI) Bill: • Require manufacturers, importers and distributors to ensure that minimum security requirements are met in relation to consumer connectable products that are available to consumers. • Provide a robust regulatory framework that can adapt and remain effective in the face of rapid technological advancement, the evolving techniques employed by malicious actors, and the broader international regulatory landscape. Main points of this bill • Ban default passwords. • Products that come with default passwords are an easy target for cyber criminals. • Require products to have a vulnerability disclosure policy. • Security researchers regularly identify security flaws in products, but need a way to give notice to manufacturers of the risk they have identified, so that they can enable the manufacturer to act before criminals can take advantage. The Bill will provide measures to help ensure any vulnerabilities in a product are identified and flagged. • Require transparency about the length of time for which the product will receive important security updates. • Consumers should know if their product will be supported UK – PSTI

@Jamie_Lee_C SBOM To The Rescue?

@Jamie_Lee_C SBOM “It is great to have a software bill of materials, but the important part is what you do with it.” - Me

@Jamie_Lee_C Easy ways to generate an SBOM 1. CycloneDX Maven Plugin 2. Kubernetes bom 3. Microsoft’s SBOM Tool 4. SPDX SBOM Generator 5. Syft 6. Sonatype Lift

@Jamie_Lee_C Even our SBOMs are not safe!

@Jamie_Lee_C Managing SBOMs “By 2026, at least 60% of organizations procuring mission-critical software solutions will mandate software bill of materials (SBOM) disclosures in their license and support agreements, up from less than 5% in 2022.” – Gartner ● Import & manage SBOM’s ● Search SBOM’s for specific components to help identify what applications contain vulnerabilities.

@Jamie_Lee_C Security Posture

@Jamie_Lee_C

@Jamie_Lee_C Simple ways for Identifying vulnerable projects

@Jamie_Lee_C The small things make big differences

@Jamie_Lee_C Easy ways to Improve Security • Code Review • Binaries outside of projects • Dependencies pinned to a specific version • Secure Branches

@Jamie_Lee_C What are raw materials?

@Jamie_Lee_C Software Supply Chain Suppliers Third Party Software Such as Open Source Warehouses Component Repositories Manufacturers Software Development Teams Finished Goods Software Applications

@Jamie_Lee_C Raw materials in the software supply chain Unknown Suppliers Unknown Third Party Open-source Warehouses Component Repositories Manufacturers Software Development Teams Finished Goods Software Applications The BIG BANG

@Jamie_Lee_C

@Jamie_Lee_C Raw materials get around Policy controls and the need to check supplier hygiene!

@Jamie_Lee_C Small mistake can have big impacts!

@Jamie_Lee_C Static Analysis Tools

@Jamie_Lee_C What is a Static Analysis Tool? SA tools examine your applications source code for: • Enforce Coding standards • Insecure code patterns • Measure test coverage • Control flow, nesting and data flow • Documentation and requirements docs

@Jamie_Lee_C Summary

@Jamie_Lee_C One day your luck will run out!

@Jamie_Lee_C Continuous Upgrade Strategy Ongoing Security Scanning Have A Remediation Strategy What’s in your application? (Untangle your dependencies) Choose New Dependencies Wisely Assess Existing Dependencies

@Jamie_Lee_C Who wants some free Swag? https://bit.ly/SonatypeDeveloper Fill out the form to unlock the code to get a free Sticker and light up bouncy ball. Limited number available!

@Jamie_Lee_C Open Source in Medical Devices https://starfishmedical.com/blog/open-source-software-medical-devices/ SOUP/Raw materials info https://starfishmedical.com/blog/soup-in-medicaldevicedevelopment/ History of software supply chain attacks https://www.sonatype.com/resources/vulnerability-timeline State of the software supply chain report: https://www.sonatype.com/state-of-the-software-supply-chain/ LOG4J download data: https://www.sonatype.com/resources/log4j-vulnerability-resource-center White House supply chain blog: https://blog.sonatype.com/white-house-national-cybersecurity-strategy-lan dmark-action-for-a-critical-threat Useful Links

@Jamie_Lee_C Get in touch Website: https://www.sonatype.com Twitter: @sonatype LinkedIn: /company/sonatype/

@Jamie_Lee_C Cool stuff to checkout! New Maven Central https://central.sonatype.com/ DevZone https://dev.sonatype.com/ Foojay Series • https://foojay.io/today/sboms-first-steps-in-a-new-journe y-for-developers/ • https://foojay.io/today/sboms-and-software-composition- analysis/ • https://foojay.io/today/making-sboms-threats-and-modell ing-them-a-piece-of-cake/ Malware Monthly https://blog.sonatype.com/malware-monthly-february-2023

@Jamie_Lee_C Scan the QR code to find my slides About me Name: Jamie Lee Coleman Current Role: Developer Advocate @ Sonatype Past experience: Developer in Mainframe Software (CICS), WebSphere & OpenJ9 @ IBM Twitter: @Jamie_Lee_C Linked-In: https://www.linkedin.com/in/jamie-coleman/ Slides/Recordings: https://jamiecoleman92.github.io/

@Jamie_Lee_C