

Voxxed Days Amsterdam 2025: Are We Ready For The Next Cyber Security Crisis Like Log4Shell?

Presentation Video: https://www.youtube.com/watch?v=jXokM4r-4xU

In today's digital world, software security has become increasingly important. Recent vulnerabilities such as Log4Shell (Log4j), Spring4Shell, and the Next.JS bypass have shown just how vulnerable our software ecosystem can be when it is not properly secured.

Drawing from my experience building security platforms at Rabobank, I'll share practical strategies that you can implement right away.

Here are the key takeaways you'll walk away with:
✅ How SQL Injection threats can extend beyond simple database access
✅ Understanding supply chain attacks and their significant risks
✅ Practical, easy-to-implement measures to secure your CI/CD pipeline
✅ The real benefits behind Shift-Left Security & DevSecOps approaches
✅ How Software Bill of Materials (SBOM) can help you prepare for future vulnerabilities
✅ How new EU regulations like DORA/CRA will affect developers and their work

Whether you're a developer, architect, or security professional, you'll leave with valuable insights to strengthen your software security posture.


Soroosh Khodami

April 08, 2025



Transcript

  1. Are We Ready For The Next Cyber Security Crisis Like Log4Shell? Probably Not!
     Soroosh Khodami, Software Developer / Architect, Code Nomads. April 3rd, 2025
  2. Who has ever copied a set of bash commands from Stack Overflow / ChatGPT / CoPilot?
  3. Developer / Architect: Soroosh Khodami. Developing software since the good old dial-up days. Researcher in software supply chain security. Solution Architect at Rabobank via Code Nomads. @SorooshKh, linkedin.com/in/sorooshkhodami
  4. Classic Cyber Attacks
     SQL Injection; Cross-Site Scripting (XSS); Cross-Site Request Forgery (CSRF); DDoS; Man-in-the-Middle; Remote Command Execution; Malware Injection; Buffer Overflow; Privilege Escalation; Zero-Day Exploits; Server-Side Request Forgery (SSRF); Phishing
     Read more ▪ https://www.certifiedsecure.com ▪ https://portswigger.net/web-security/learning-paths
  5. Supply Chain Risks
     Software Supply Chain Hijacking; Counterfeit Components; Compromised Build Environments; Third-Party Vulnerabilities; Dependency Confusion
  6. 3 Years After Disaster: 13% of all downloads of Log4j are still vulnerable to the Log4Shell vulnerability.
     Reported by Sonatype (Maven Central): https://www.sonatype.com/resources/log4j-vulnerability-resource-center
  7. Dependency Confusion
     [Diagram: the build asks for com.xyzcompany.shared-libs. Repository #1 holds version 1.2.5, built from the company's own source code; Repository #2 holds a package with the same name at version 1.999.999 and nobody knows what its source code is ("Source Code ?" on the slide). A resolver that takes the highest available version, or that consults the public repository first, downloads the look-alike package instead of the internal one.]
     Read more • How it started - https://medium.com/@alex.birsan/dependency-confusion-4a5d60fec610
  8. Example: How Dangerous Can SQL Injection Be? An escalation chain of four vulnerabilities:
     1. SQL Injection vulnerability. The slide labels this step CVE-2022-22965 (Spring4Shell), "exploiting improper input sanitization in JDBC queries". Spring4Shell is actually a Spring Framework remote code execution flaw in data binding (ClassLoader manipulation), not a JDBC injection; read the step as "an injection flaw in the application gives the attacker a foothold".
     2. PostgreSQL command execution, CVE-2022-1552. Affected versions: PostgreSQL 14.x before 14.3 (older branches were fixed in the same release round). Lets a database user with CREATE privileges run arbitrary SQL as superuser during maintenance operations such as autovacuum or REINDEX, and from there execute code as the PostgreSQL server user.
     3. Container privilege escalation, CVE-2022-0847 (Dirty Pipe). Attack: a Linux kernel pipe-buffer flaw lets an unprivileged process overwrite data in the page cache of read-only files, which is leveraged to gain root within the container.
     4. Kubernetes privilege escalation, CVE-2023-2727. Affected versions (as listed on the slide): v1.25.0-1.25.9, v1.26.0-1.26.4, v1.27.0-1.27.1. The slide describes exploiting the API server's subject access review validation to bypass RBAC and gain cluster-admin; the published advisory for CVE-2023-2727 describes a bypass of the ImagePolicyWebhook admission plugin via ephemeral containers, so the cluster-admin outcome is the slide's illustration rather than the CVE's documented impact.
  9. Supply Chain Risks Prevention Recommendations
     CRITICAL: Naming Convention & Reserve Namespace; Version Pinning (no LATEST or ranges); Package Integrity Check; Clean Up Unused Libraries
     ESSENTIAL: Use Dependency Scanning Tools (SCA); Official Repositories; Keep Dependencies Up to Date; Immutable Versions
     ADVANCED: Using Dependency Firewall; Sign Artifacts; Continuous Monitoring (SBOM Management)
     Read more • How it started - https://medium.com/@alex.birsan/dependency-confusion-4a5d60fec610 • https://xygeni.io/blog/lack-of-version-pinning-and-dependency-confusion/ • https://github.blog/2021-02-12-avoiding-npm-substitution-attacks/ • https://books.sonatype.com/mvnref-book/reference/running-sect-options.html#running-sect-deps-option
  10. Supply Chain Risks Prevention Best Practices: CRITICAL
     • Naming Convention & Reserve Namespace: standardize internal artifact naming patterns (e.g., com.company.*); reserve the org name in PyPI, npm, and NuGet (not needed for Maven)
     • Version Pinning, no LATEST or ranges: use an exact version like 1.2.18 and do not use "LATEST" or ranges like [1.0,)
     • Package Integrity Check: ▪ mvn clean install --strict-checksums ▪ Maven Enforcer Plugin ▪ GPG signature verification ▪ dependencies lock-file
     • Clean Up Unused Libraries: mvn dependency:analyze
  11. Supply Chain Risks Prevention Best Practices: ESSENTIAL
     • Use Dependency Scanning Tools (SCA): OWASP DepScan, Sonatype Lifecycle, Snyk, Anchore, ...
     • Official Repositories: avoid non-Maven-Central repositories as much as possible; use proxy repository solutions with routing (includes/excludes) -> Nexus Repository / JFrog
     • Keep Dependencies Up to Date: Renovate / Dependabot
     • Immutable Versions: enforce immutability for release versions (via Nexus Repository, JFrog, ...)
  12. SBOM Generation – Java Ecosystem
     [Slide image: Java SBOM tooling; visible slide text: "Version +3.3"]
     Read more • OWASP DevSecOps Guideline https://github.com/OWASP/DevSecOpsGuideline • Securing the Supply Chain for Your Java Applications by Thomas Vitale - https://www.youtube.com/watch?v=VM7lJ0f_xhQ
  13. SBOM Generation – Docker
     Read more • OWASP DevSecOps Guideline - https://github.com/OWASP/DevSecOpsGuideline • Securing the Supply Chain for Your Java Applications by Thomas Vitale - https://www.youtube.com/watch?v=VM7lJ0f_xhQ • https://earthly.dev/blog/docker-sbom/
  14. Dependency Scanning: Free & Paid Tools
     Read more • OWASP DevSecOps Guideline - https://github.com/OWASP/DevSecOpsGuideline
  15. Supply Chain Risks Prevention Best Practices: ADVANCED
     • Using Dependency Firewall: real-time blocking of vulnerable and malicious dependencies
     • Sign Artifacts: ▪ JAR file: jarsigner ▪ Container image: cosign + enforce signed images on Kubernetes
     • Continuous Monitoring (SBOM Management): monitor SBOMs to detect newly discovered vulnerabilities
  16. LOG4SHELL (ASCII-art banner on the slide) – CVE-2021-44228, CVSS score 10/10
     Which application? Who to contact? How to fix? How to detect?
  17. SBOM Management – SBOM in Practice
     [Diagram: one SBOM per app feeds a central store under continuous monitoring; a ZERO DAY ALERT triggers the workflow below.]
     • Which applications? Search apps based on dependency or CVE
     • Who to contact? Authors/committers information is available
     • Are we safe now? Continuous monitoring on new SBOMs (real-time overview)
     • Prioritization on fix: application metadata
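Added example, not part of the talk: the SBOM-in-practice workflow above as a small Python lookup over CycloneDX JSON, answering "which applications", "who to contact" and "how to fix" for one zero-day alert and ordering the hits by application metadata. The three SBOMs, their team contacts, the internet_facing property and the advisory record are constructed samples (the affected range is a simplified form of the CVE-2021-44228 advisory, leaving out the 2.0 pre-release versions); only the standard CycloneDX fields metadata.component, metadata.authors, metadata.properties and components[].purl are read, and version comparison covers dotted numeric versions only.

```python
# Added example (not from the talk): a minimal SBOM store answering the Log4Shell
# questions (which app, who to contact, how to fix) from CycloneDX-style JSON.
# SBOMs, contacts, the internet_facing property and the advisory are constructed.
import json

# Constructed CycloneDX 1.6 JSON, trimmed to the fields this lookup reads
SBOMS_JSON = """[
 {"bomFormat": "CycloneDX", "specVersion": "1.6",
  "metadata": {
    "component": {"type": "application", "name": "payments-api", "version": "3.4.1"},
    "authors": [{"name": "Team Payments", "email": "payments@example.invalid"}],
    "properties": [{"name": "internet_facing", "value": "true"}]},
  "components": [
    {"type": "library", "name": "log4j-core", "version": "2.14.1",
     "purl": "pkg:maven/org.apache.logging.log4j/log4j-core@2.14.1"},
    {"type": "library", "name": "jackson-databind", "version": "2.17.2",
     "purl": "pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.17.2"}]},
 {"bomFormat": "CycloneDX", "specVersion": "1.6",
  "metadata": {
    "component": {"type": "application", "name": "customer-portal", "version": "7.2.0"},
    "authors": [{"name": "Team Portal", "email": "portal@example.invalid"}],
    "properties": [{"name": "internet_facing", "value": "false"}]},
  "components": [
    {"type": "library", "name": "log4j-core", "version": "2.10.0",
     "purl": "pkg:maven/org.apache.logging.log4j/log4j-core@2.10.0"}]},
 {"bomFormat": "CycloneDX", "specVersion": "1.6",
  "metadata": {
    "component": {"type": "application", "name": "batch-jobs", "version": "1.9.0"},
    "authors": [{"name": "Team Data", "email": "data@example.invalid"}],
    "properties": [{"name": "internet_facing", "value": "false"}]},
  "components": [
    {"type": "library", "name": "log4j-core", "version": "2.17.1",
     "purl": "pkg:maven/org.apache.logging.log4j/log4j-core@2.17.1"}]}
]"""

# Constructed advisory record in the shape a monitoring feed might deliver; the
# affected range is simplified from the CVE-2021-44228 advisory (2.0 pre-releases omitted)
ADVISORY = {
    "id": "CVE-2021-44228",
    "purl_prefix": "pkg:maven/org.apache.logging.log4j/log4j-core",
    "affected": [{"introduced": "2.0", "fixed": "2.15.0"}],
    "remediation": "upgrade org.apache.logging.log4j:log4j-core to 2.17.1 or later",
}

def load_sboms(text):
    return json.loads(text)

def version_key(version):
    return tuple(int(p) for p in version.split("."))   # dotted numeric versions only

def split_purl(purl):
    base, _, version = purl.partition("@")             # 'pkg:maven/g/a@1.2' -> base, '1.2'
    return base, version

def is_affected(version, ranges):
    """True when version falls in any [introduced, fixed) range of the advisory."""
    v = version_key(version)
    for r in ranges:
        low, high = version_key(r["introduced"]), r.get("fixed")
        if v >= low and (high is None or v < version_key(high)):
            return True
    return False

def metadata_property(metadata, name, default=None):
    for prop in metadata.get("properties", []):        # CycloneDX metadata.properties
        if prop.get("name") == name:
            return prop.get("value", default)
    return default

def find_dependency(sboms, purl_prefix):
    """'Search apps based on dependency': every application shipping the package, any version."""
    hits = []
    for bom in sboms:
        meta = bom["metadata"]
        for comp in bom.get("components", []):
            base, version = split_purl(comp.get("purl", ""))
            if base == purl_prefix:
                hits.append({
                    "app": meta["component"]["name"],
                    "component_version": version,
                    "contacts": [a["email"] for a in meta.get("authors", []) if "email" in a],
                    "internet_facing": metadata_property(meta, "internet_facing") == "true",
                })
    return hits

def zero_day_alert(sboms, advisory):
    """Affected applications with contacts and fix, internet-facing apps first."""
    hits = [h for h in find_dependency(sboms, advisory["purl_prefix"])
            if is_affected(h["component_version"], advisory["affected"])]
    hits.sort(key=lambda h: (not h["internet_facing"], h["app"]))
    for h in hits:
        h["cve"], h["fix"] = advisory["id"], advisory["remediation"]
    return hits

if __name__ == "__main__":
    for hit in zero_day_alert(load_sboms(SBOMS_JSON), ADVISORY):
        print(hit["cve"], hit["app"], hit["component_version"], hit["contacts"], hit["fix"])
```

On the sample data the alert lists payments-api (2.14.1, internet-facing, so first) and customer-portal (2.10.0) with their team mailboxes and the remediation string, while batch-jobs on 2.17.1 is reported as already safe; find_dependency alone answers the "which apps ship this package at all" question that the slide's search box covers. The continuous-monitoring part of the slide is the loop around this: re-run zero_day_alert whenever a new SBOM is published or a new advisory arrives, and the list shrinking to empty is the "are we safe now" signal.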
  18. SBOM Management: Commercial Tools / Free & Open-Source
     Read more • OWASP DevSecOps Guideline https://github.com/OWASP/DevSecOpsGuideline
  19. Am I Prepared Now For a New Crisis? (the slide repeats the CRITICAL / ESSENTIAL / ADVANCED checklist of slide 9: Naming Convention & Reserve Namespace, Version Pinning, Package Integrity Check, Clean Up Unused Libraries; SCA tools, Official Repositories, Keep Dependencies Up to Date, Immutable Versions; Dependency Firewall, Sign Artifacts, Continuous Monitoring via SBOM Management)
  20. Modern Approach: Design → Develop → Deploy → Staging → Production, with security SHIFTED LEFT into the early stages
     Pipeline controls: ▪ Security Design ▪ Threat Modelling ▪ Secret Scanning ▪ SAST/SCA ▪ IaC Scanning ▪ Container Image Scanning ▪ DAST ▪ Load/Stress Test ▪ 4-Eyes Principle
     Production controls: • Continuous Dependency Monitoring • Firewall • Runtime Application Security • Pentest / Bug Bounty • Vulnerability Disclosure Program • Logging & Monitoring • Cloud Native Application Protection
     Read more • OWASP DevSecOps Guideline https://github.com/OWASP/DevSecOpsGuideline • What is DevSecOps? https://www.ibm.com/think/topics/devsecops
  21. Standards & Frameworks
     • Standard: ISO/IEC 27036 Cybersecurity — Supplier relationships (https://www.iso.org/standard/82905.html)
     • Framework: SLSA, Supply-chain Levels for Software Artifacts (https://slsa.dev/)
     • SBOM format standards: Software Package Data Exchange (SPDX, https://spdx.dev/) and CycloneDX (CDX, https://cyclonedx.org)
  22. Regulations
     • EU Cyber Resilience Act (CRA)
     • DORA – Digital Operational Resilience Act (EU, financial sector)
     • Germany – BSI TR-03183: SBOM requirements in support of the CRA
     • USA: ▪ Executive Order 14028 on Improving the Nation's Cybersecurity ▪ DHS Software Supply Chain Risk Management Act ▪ FDA Medical Device Cybersecurity Requirements ▪ NIST SP 800-218
     Read more • NTIA - https://www.ntia.gov/page/software-bill-materials • NIST - https://www.nist.gov/itl/executive-order-14028-improving-nations-cybersecurity/software-security-supply-chains-software-1
  23. Regulations – CRA Timeline: entry into force (shown on the slide as 2024 Q2) → NOW → deadline (shown on the slide as 2026 Q1). For reference, the CRA entered into force on 10 December 2024; its vulnerability-reporting obligations apply from 11 September 2026 and the remaining obligations from 11 December 2027.
     Read more • https://medium.com/@bugprove/eu-cyber-resilience-act-cra-all-you-need-to-know-in-a-nutshell-b843d149e18a
  24. Thanks for your attention. Please rate this talk via the provided QR code. If you have any other questions, you can reach out via MS Teams or social media: @SorooshKh, linkedin.com/in/sorooshkhodami
     Special thanks to Ali Yazdani (OWASP.org), Leendert Brouwer, Jana Vojnovic & Erdi Aktan