Slide 1

Why Building Your Ship (Application) with Raw Materials is a Bad Idea!
DevOpsDays Singapore
Jamie L Coleman, Developer Advocate @ Sonatype
Twitter: @Jamie_Lee_C

Slide 2

Introduction – About me
Name: Jamie Lee Coleman
Current Role: Developer Advocate @ Sonatype
Past experience: Developer in Mainframe Software (CICS), WebSphere & OpenJ9 @ IBM
Twitter: @Jamie_Lee_C
LinkedIn: https://www.linkedin.com/in/jamie-coleman/

Slide 3

Slide 4

Not just the Maven Central people

Slide 5

Slide 6

What will I talk about today?
1. When we Love Open Source!
2. Supply chain problems today
3. SCA
   1. What is SCA
   2. SCA Tools
   3. Lifecycle Demo
4. Why Security in Open-source matters!
5. Legislation
6. SBOMs to the rescue?
8. Security Posture
9. Raw Materials
10. Static Analysis Tools
   1. What Are they?
   2. What is available?
11. Summary
12. Links

Slide 7

Why create this talk?

Slide 8

Slide 9

https://www.bbc.com/news/uk-england-hampshire-68178750

Slide 10

Open Source is amazing!

Slide 11

Brief History of Open Source
A-2 system in 1953 – First commercial example of Open Source
DECUS formed 1955 – Facilitate sharing of software (SHARE OS by General Motors)
Advanced Research Projects Agency Network (ARPANET) – Used to share code and later succeeded by the Internet
Launch of the GNU project 1983 – To write an OS free from constraints on source code
Linux 1991 – The first freely modifiable kernel was born
Debian GNU/Linux 1993 – First OS was born
OpenJDK 2006 – Java commits to Open Source and releases OpenJDK under the GNU licence
Git 2005 – Created by Linux kernel developers
GitHub 2008 – World's most used DVCS hosting site
Android 2008 – World's most used mobile OS (Now owned by Google)

Slide 12

Benefits of FOSS
Personal control and customizability (4 main FOSS freedoms): Study, Copy, Modify, Redistribute
Privacy and Security*
  Use community to find bugs quickly
Low or no costs
  Software is free with optional licencing
Quality, collaboration and efficiency
  Many people and organizations working together
  Performance can be much better due to the amount of people contributing
  Project development can become more agile and efficient

Slide 13

Sharing = better!
90% of the applications we create are shared dependencies!

Slide 14

Supply chain problems!

Slide 15

Dependency Management
150 Dependencies (avg Java project) x 10 Releases Per Year (avg per dependency) = 1500 Updates To Consider 😱

Slide 16

Direct vs Transitive Dependency
Example: org.springframework.boot:spring-boot-starter-web

Slide 17

Slide 18

Dependency Exploitation
Dependency confusion – Attempts to get a different version added into a binary repository; often “latest”
Typo-squatting – A lookalike domain, or a dependency with one or two wrong or different characters
Open source repo attacks – Attempts to get malware or weaknesses added into dependency source via social engineering or tooling
Build tool attacks – Attempts to get malware into the tools that are used to produce dependencies
Automated Social Engineering
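As an added example (not from the talk or from any Sonatype tool), this Python pre-build check flags two of the patterns above in a list of Maven coordinates: a group:artifact within one or two characters of a trusted dependency (typo-squatting), and a version left as LATEST/RELEASE or a range instead of pinned (the “latest” route dependency confusion relies on). The trusted list and the declared coordinates are constructed.

```python
# Added example, not from the talk: a pre-build check over declared Maven
# coordinates for two of the dependency-exploitation patterns on the slide.
LOOKALIKE_MAX_DISTANCE = 2  # "one or two wrong or different characters"

def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance: minimum inserts/deletes/substitutions turning a into b."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def is_pinned(version: str) -> bool:
    """True only for an exact version; LATEST/RELEASE and Maven ranges resolve at build time."""
    v = version.strip()
    if not v or v.upper() in ("LATEST", "RELEASE"):
        return False
    return v[0] not in "[(" and v[-1] not in "])" and "," not in v

def check_dependencies(declared, trusted):
    """declared: 'group:artifact:version' strings; trusted: 'group:artifact' strings.
    Returns (coordinate, reason) pairs; an exact trusted match is never a lookalike."""
    trusted = set(trusted)
    findings = []
    for coord in declared:
        group, artifact, version = coord.split(":", 2)
        ga = f"{group}:{artifact}"
        if not is_pinned(version):
            findings.append((coord, "unpinned"))
        if ga in trusted:
            continue
        for known in sorted(trusted):
            if 0 < edit_distance(ga, known) <= LOOKALIKE_MAX_DISTANCE:
                findings.append((coord, f"lookalike of {known}"))
                break
    return findings

# Constructed inputs: an internal allow-list and one build's declared dependencies.
TRUSTED = ["org.apache.commons:commons-lang3", "com.google.guava:guava"]
DECLARED = [
    "org.apache.commons:commons-lang3:3.12.0",               # trusted and pinned
    "com.google.guava:guava:LATEST",                        # trusted but floating
    "org.apache.commons:commons-lnag3:3.12.0",              # two characters swapped
    "com.fasterxml.jackson.core:jackson-databind:[2.13,)",  # unpinned range
]

if __name__ == "__main__":
    for coord, reason in check_dependencies(DECLARED, TRUSTED):
        print(f"{reason:48} {coord}")
```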

Slide 19

Microservices make this even harder!

Slide 20

Software Composition Analysis

Slide 21

What is Software Composition Analysis?
https://foojay.io/today/sboms-and-software-composition-analysis/

Slide 22

What is Software Composition Analysis?

Slide 23

SCA Tools
Basic tools will provide:
• List of declared dependencies
• Basic information such as latest version available
More advanced tools will provide:
• Transitive dependencies
• Vulnerability & Licence data
• Project scoring
• Visualisations

Slide 24

Demo of SCA tool – Sonatype Lifecycle

Slide 25

Why Security in Open-source matters!

Slide 26

Cyber Crime Facts
In 2016 Cybercrime surpassed the drug trade!
$450 Billion a year
$14,000 a second
Equivalent to 50 US Nimitz Class Aircraft carriers

Slide 27

What about 2022?

Slide 28

Cyber Crime Facts
In 2022!
$6 Trillion a year!*
$200,000 a second
Equivalent to 620 US Nimitz Class Aircraft carriers

Slide 29

If Cybercrime was a country by GDP in 2022
United States: $20.89 trillion
China: $14.72 trillion
Cyber Crime: $6 trillion
Japan: $5.06 trillion
Germany: $3.85 trillion
India: $2.65 trillion
United Kingdom: $2.63 trillion
France: $2.58 trillion

Slide 30

Today's Pablo Escobar uses a Laptop

Slide 31

Since I started speaking today… ~ $420,000,000

Slide 32

Slide 33

Devices allowed to contain OS code: IEC 62304

Slide 34

Legislation!

Slide 35

Be Proactive rather than Reactive
“If no other manufacturing industry is permitted to ship known vulnerable or defective parts in their products, why should software manufacturers be any different?”
– Brian Fox, CTO/Founder of Sonatype

Slide 36

US – National Cyber Security Strategy
In another historic move, the US government is calling for generational investments to:
• Renew infrastructure.
• Secure software and semiconductor supply chains.
• Modernize cryptographic technologies.
In a nutshell the themes for this new strategy are as follows:
• Software providers and data owners held responsible under cybersecurity liability
• Realigned long-term investment in cybersecurity will have a focus on the future
• A drive to invest in security resilience starts with every digital ecosystem
• Coordinated vulnerability disclosures and SBOMs are still a best practice.
Get your SBOM below.

Slide 37

EU – Cyber Resilience Act
Main points of this legislation:
• Essential cybersecurity requirements
  Requirements for any digital product on the market, including good practices, for example: “products must protect the availability of essential functions, including the resilience against and mitigation of denial of service attacks”
• Vulnerability handling requirements
  Requirements for how to handle vulnerabilities with the use of policies, for example: “once a security update has been made available, manufacturers must publicly disclose information about fixed vulnerabilities and have a policy in place on coordinated vulnerability disclosure”
• Extra requirements for critical products
  There are two classes of critical products. Class 1 includes things like password management, traffic and identity systems. Class 2 includes operating systems for servers, desktops and mobile devices.
• Conformity of products and information and instructions to users
  Software must conform to certain requirements, such as technical documentation that is available before release and is updated throughout the software lifecycle, including a security risk assessment and reports of tests related to vulnerabilities. It also needs to be clear and understandable to the user and include things like a point of contact for reporting vulnerabilities etc.
• Reporting obligations
  The requirement here is to notify ENISA within 24h of becoming aware of an actively exploited vulnerability contained in the product. Users should also be notified without undue delay and if possible you should provide them with information about fixes to said vulnerabilities.
• Obligations on the rest of the supply chain
  Requirements for importers of software that what they have imported

Slide 38

UK – PSTI
The Product Security and Telecommunications Infrastructure (PSTI) Bill:
• Require manufacturers, importers and distributors to ensure that minimum security requirements are met in relation to consumer connectable products that are available to consumers.
• Provide a robust regulatory framework that can adapt and remain effective in the face of rapid technological advancement, the evolving techniques employed by malicious actors, and the broader international regulatory landscape.
Main points of this bill
• Ban default passwords.
  Products that come with default passwords are an easy target for cyber criminals.
• Require products to have a vulnerability disclosure policy.
  Security researchers regularly identify security flaws in products, but need a way to give notice to manufacturers of the risk they have identified, so that they can enable the manufacturer to act before criminals can take advantage. The Bill will provide measures to help ensure any vulnerabilities in a product are identified and flagged.
• Require transparency about the length of time for which the product will receive important security updates.
  Consumers should know if their product will be supported

Slide 39

SBOM To The Rescue?

Slide 40

SBOM
“It is great to have a software bill of materials, but the important part is what you do with it.” – Me

Slide 41

Easy ways to generate an SBOM
1. CycloneDX Maven Plugin
2. Kubernetes bom
3. Microsoft’s SBOM Tool
4. SPDX SBOM Generator
5. Syft
6. Sonatype Lift

Slide 42

Even our SBOMs are not safe!

Slide 43

Managing SBOMs
“By 2026, at least 60% of organizations procuring mission-critical software solutions will mandate software bill of materials (SBOM) disclosures in their license and support agreements, up from less than 5% in 2022.” – Gartner
● Import & manage SBOMs
● Search SBOMs for specific components to help identify what applications contain vulnerabilities.
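As an added example (not from the talk or from Sonatype's tooling), the Python below searches several CycloneDX JSON SBOMs for one component, the second bullet above, and uses the SBOM's `dependencies` graph to tell direct from transitive use, the distinction the spring-boot-starter-web slide earlier makes. The two SBOMs, the application names and com.example:audit-lib are constructed; the field names are the ones CycloneDX 1.4 uses.

```python
import json

def lib(group, name, version):
    """A CycloneDX library component keyed by its package-url style bom-ref."""
    return {"type": "library", "bom-ref": f"pkg:maven/{group}/{name}@{version}",
            "group": group, "name": name, "version": version}

def bom(app, components, edges):
    """A minimal CycloneDX 1.4 JSON document: metadata.component, components[], dependencies[]."""
    return json.dumps({"bomFormat": "CycloneDX", "specVersion": "1.4",
        "metadata": {"component": {"type": "application", "bom-ref": f"app:{app}", "name": app}},
        "components": components,
        "dependencies": [{"ref": r, "dependsOn": d} for r, d in edges.items()]})

STARTER = lib("org.springframework.boot", "spring-boot-starter-web", "2.7.0")
AUDIT = lib("com.example", "audit-lib", "1.3.0")  # constructed internal library
LOG4J_OLD = lib("org.apache.logging.log4j", "log4j-core", "2.14.1")
LOG4J_NEW = lib("org.apache.logging.log4j", "log4j-core", "2.17.1")

# Constructed SBOMs: "shop" reaches log4j-core only through audit-lib (transitive),
# "reports" declares it directly. Neither describes a real application.
SBOMS = [
    bom("shop", [STARTER, AUDIT, LOG4J_OLD],
        {"app:shop": [STARTER["bom-ref"], AUDIT["bom-ref"]], AUDIT["bom-ref"]: [LOG4J_OLD["bom-ref"]]}),
    bom("reports", [LOG4J_NEW], {"app:reports": [LOG4J_NEW["bom-ref"]]}),
]

def reaches(edges, start, target, seen=None):
    """Depth-first walk of the dependsOn graph from start; `seen` guards against cycles."""
    seen = set() if seen is None else seen
    if start == target or start in seen:
        return start == target
    seen.add(start)
    return any(reaches(edges, nxt, target, seen) for nxt in edges.get(start, []))

def find_component(sboms, group, name):
    """For every SBOM containing group:name return (app, version, scope, via): scope is
    'direct' if the application's own dependency entry lists it, else 'transitive' with
    `via` naming the direct dependencies that pull it in."""
    hits = []
    for raw in sboms:
        doc = json.loads(raw)
        app = doc["metadata"]["component"]
        edges = {d["ref"]: d.get("dependsOn", []) for d in doc.get("dependencies", [])}
        direct = edges.get(app["bom-ref"], [])
        for comp in doc.get("components", []):
            if comp.get("group") == group and comp.get("name") == name:
                ref = comp["bom-ref"]
                via = [] if ref in direct else [d for d in direct if reaches(edges, d, ref)]
                hits.append((app["name"], comp["version"], "direct" if ref in direct else "transitive", via))
    return hits
```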

Slide 44

Security Posture

Slide 45

Slide 46

Simple ways to identify vulnerable projects

Slide 47

The small things make big differences

Slide 48

Easy ways to Improve Security
• Code Review
• Binaries outside of projects
• Dependencies pinned to a specific version
• Secure Branches

Slide 49

What are raw materials?

Slide 50

Software Supply Chain
Suppliers – Third Party Software Such as Open Source
Warehouses – Component Repositories
Manufacturers – Software Development Teams
Finished Goods – Software Applications

Slide 51

Raw materials in the software supply chain
Unknown Suppliers – Unknown Third Party Open-source
Warehouses – Component Repositories
Manufacturers – Software Development Teams
Finished Goods – Software Applications
The BIG BANG

Slide 52

Slide 53

Raw materials get around Policy controls and the need to check supplier hygiene!

Slide 54

Small mistakes can have big impacts!

Slide 55

Static Analysis Tools

Slide 56

What is a Static Analysis Tool?
SA tools examine your application's source code for:
• Coding standards enforcement
• Insecure code patterns
• Test coverage measurement
• Control flow, nesting and data flow
• Documentation and requirements docs

Slide 57

Summary

Slide 58

One day your luck will run out!

Slide 59

Continuous Upgrade Strategy
Ongoing Security Scanning
Have A Remediation Strategy
What’s in your application? (Untangle your dependencies)
Choose New Dependencies Wisely
Assess Existing Dependencies

Slide 60

Who wants some free Swag?
https://bit.ly/SonatypeDeveloper
Fill out the form to unlock the code to get a free Sticker and light up bouncy ball. Limited number available!

Slide 61

Useful Links
Open Source in Medical Devices: https://starfishmedical.com/blog/open-source-software-medical-devices/
SOUP/Raw materials info: https://starfishmedical.com/blog/soup-in-medicaldevicedevelopment/
History of software supply chain attacks: https://www.sonatype.com/resources/vulnerability-timeline
State of the software supply chain report: https://www.sonatype.com/state-of-the-software-supply-chain/
LOG4J download data: https://www.sonatype.com/resources/log4j-vulnerability-resource-center
White House supply chain blog: https://blog.sonatype.com/white-house-national-cybersecurity-strategy-landmark-action-for-a-critical-threat

Slide 62

Get in touch
Website: https://www.sonatype.com
Twitter: @sonatype
LinkedIn: /company/sonatype/

Slide 63

Cool stuff to check out!
New Maven Central: https://central.sonatype.com/
DevZone: https://dev.sonatype.com/
Foojay Series
• https://foojay.io/today/sboms-first-steps-in-a-new-journey-for-developers/
• https://foojay.io/today/sboms-and-software-composition-analysis/
• https://foojay.io/today/making-sboms-threats-and-modelling-them-a-piece-of-cake/
Malware Monthly: https://blog.sonatype.com/malware-monthly-february-2023

Slide 64

Scan the QR code to find my slides
About me
Name: Jamie Lee Coleman
Current Role: Developer Advocate @ Sonatype
Past experience: Developer in Mainframe Software (CICS), WebSphere & OpenJ9 @ IBM
Twitter: @Jamie_Lee_C
LinkedIn: https://www.linkedin.com/in/jamie-coleman/
Slides/Recordings: https://jamiecoleman92.github.io/

Slide 65
