@spoole167
A new hope for 2023?
What developers must learn next
@spoole167
What do we think when we think about cybercrime?
@spoole167
Photo by Bastian Pudill on Unsplash
Do we imagine someone walking down the road trying the handles of cars as they pass, looking for a car to steal?
@spoole167
Do we remember that movie we watched about a daring and sophisticated robbery?
@spoole167
These are the two styles we often think about: the super complicated attack, or the simple opportunist.
@spoole167
Wrongly, we think we’re not targets; we think the bad guys are far away.
@spoole167
The most common thoughts as a developer are “why is it my problem?” or “I don’t really know what to do”.
@spoole167
This talk
• Is a reality check about what the bad guys are really doing and why
• What’s happening to help address these attacks
• What should you be doing next
@spoole167
Steve Poole
Developer Advocate
Sonatype
@spoole167
Latest trends in Cyber attacks
@spoole167
Cyberattacks have moved on
It’s not all hackers in bedrooms doing it for fun
@spoole167
In 2016 cybercrime cost ~415 Billion Dollars. So did the illicit drug trade.
@spoole167
415 Billion Dollars in 2016 buys you 50 US Nimitz Class carriers
@spoole167
Cybercrime has been growing at ~56% per year ever since
[Chart: drug trade vs cybercrime revenue over time]
@spoole167
6 Trillion Dollars in 2022 buys you 620 US Nimitz Class carriers (up from 50 in 2016)
@spoole167
If cybercrime was a country (by GDP)
United States: $20.89 trillion
China: $14.72 trillion
Cyber Crime: $6.0 trillion
Japan: $5.06 trillion
Germany: $3.85 trillion
United Kingdom: $2.67 trillion
India: $2.66 trillion
France: $2.63 trillion
Italy: $1.89 trillion
Canada: $1.64 trillion
Source: https://globalpeoservices.com/top-15-countries-by-gdp-in-2022/
@spoole167
There is no sign of it slowing down
[Chart: drug trade, cybercrime and US GDP over time]
@spoole167
It’s even more scary …
@spoole167
There are still..
• There are still botnets out there trying to get into your systems
• There are still bad guys who want to steal your secrets
• There are still people who will ransom your data
• There are still cryptocurrency miners trying to steal your CPU cycles
@spoole167
Plus ..
• Now there are open source project hijacks
• Now there are fake packages in repos
• Now there is malware in the build process
• Now the aim is long term control and stealth
@spoole167
Now there is cyber-warfare
• Motivations are different - it’s not about money
• Skillsets are higher - professional, well funded.
• Persistence is much greater - specific targets, not just targets of opportunity
• EVERYONE – Every state or political body, every disenfranchised or suppressed group is or will be taking part.
• It’s been happening behind the scenes for some time.
• Now it’s mainstream.
Potential targets
• You personally
• Your personal networks
• The organizations you work for, belong to or help
• Your country
@spoole167
Modern attacks are supply chain attacks – and we are all part of a supply chain
@spoole167
The aim is to infiltrate infrastructure and essential services…
The internet is the next battlefield. It’s all about software
@spoole167
And manipulate or terminate
@spoole167
Everything really is online. There is no distance between you and the bad actors; they ‘live’ next door.
@spoole167
Cyber warfare is real and will drive massive changes in how we develop and deliver software
@spoole167
The only thing between you and the bad actors is software
@spoole167
Be ready for massive increases in attacks on software everywhere:
s/w in the car
s/w on the phone
s/w on the watch
s/w on any device
s/w on the laptop
s/w on the server
s/w on the wifi router
s/w at the supermarket
@spoole167
Bad actors used to search for vulnerabilities to exploit
@spoole167
Now they make their own
• Typosquatting: a lookalike domain or dependency with one or two wrong or different characters
• Open source repo attacks: attempts to get malware or weaknesses added into dependency source, via social engineering or tooling
• Build tool attacks: attempts to get malware into the tools that are used to produce dependencies
• Dependency confusion: attempts to get a different version added into a binary repository, often “latest”
• Automated social engineering
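As an added defensive illustration of the dependency-level attacks just listed (typosquatting, dependency confusion and unpinned “latest” versions), not code from the talk: the Python below audits a dependency list the way a pre-build policy check might. The trusted-name allowlist, the internal group-id prefix and every coordinate in the sample list are constructed for the example; the lookalike check is a plain edit-distance comparison against names the team already trusts, and the confusion check flags any internal-namespace artifact that the resolver fetched from somewhere other than the internal repository.

```python
"""Audit resolved dependencies for the supply-chain red flags a build should
refuse: lookalike names, unpinned versions and internal artifacts served by
a public repository. Added example; all names below are constructed."""

from dataclasses import dataclass

# Constructed allowlist: coordinates ("groupId:artifactId") the team actually uses.
KNOWN_NAMES = {
    "org.apache.commons:commons-lang3",
    "com.fasterxml.jackson.core:jackson-databind",
    "org.apache.logging.log4j:log4j-core",
}

# Constructed: group-id prefixes that only ever exist in the internal repository.
INTERNAL_PREFIXES = ("com.example.internal",)


def levenshtein(a: str, b: str) -> int:
    """Classic edit distance; small enough to inline instead of adding a library."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


@dataclass
class Dependency:
    coordinate: str   # "groupId:artifactId"
    version: str      # as declared or resolved
    repository: str   # which repository the resolver fetched it from


def audit_dependencies(deps, known_names=KNOWN_NAMES,
                       internal_prefixes=INTERNAL_PREFIXES, max_distance=2):
    """Return (coordinate, reason) findings; an empty list means the set passed."""
    findings = []
    for d in deps:
        # 1. Typosquat: close to, but not equal to, a name we already trust.
        if d.coordinate not in known_names:
            for known in sorted(known_names):
                if 0 < levenshtein(d.coordinate, known) <= max_distance:
                    findings.append((d.coordinate, f"lookalike of {known}"))
                    break
        # 2. Unpinned: metaversions and ranges let a repository hand you anything.
        if d.version.lower() in {"latest", "release"} or d.version.startswith(("[", "(")):
            findings.append((d.coordinate, f"unpinned version {d.version!r}"))
        # 3. Dependency confusion: an internal name that came from a public repo.
        if d.coordinate.startswith(internal_prefixes) and d.repository != "internal":
            findings.append((d.coordinate, f"internal artifact resolved from {d.repository}"))
    return findings


# Constructed sample resolution, one clean entry and one of each red flag.
SAMPLE_DEPS = [
    Dependency("org.apache.commons:commons-lang3", "3.12.0", "central"),
    Dependency("org.apache.commons:commons-lamg3", "3.12.0", "central"),
    Dependency("com.fasterxml.jackson.core:jackson-databind", "LATEST", "central"),
    Dependency("com.example.internal:billing-client", "1.4.0", "central"),
]

if __name__ == "__main__":
    for coordinate, reason in audit_dependencies(SAMPLE_DEPS):
        print(f"{coordinate}: {reason}")
```

In a real pipeline the list would come from the resolver’s own report (for Maven, the resolved tree of the build) rather than a hand-written list, and any finding would fail the build rather than just print.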
The Zero Day Window is Closing
[Chart: average days from public disclosure to exploit, by year reported (2006–2021); the average drops from 45 days to 15, with Struts2 marked. Source: Adapted from IBM X-Force / Analysis by Gartner Research (September 2016)]
The Zero Day Window is closed
Nation states are paying millions of dollars to suppress vulnerability reporting
China requires all disclosures to be reported to the government first
The more severe the vulnerability, the less chance of it being reported publicly
@spoole167
Finding or creating vulnerabilities is a growing industry
@spoole167
The new world of cyber security is “exploit first”
@spoole167
And one more thing …
@spoole167
https://www.trendmicro.com/vinfo/us/security/news/cybercrime-and-digital-threats/exploiting-ai-how-cybercriminals-misuse-abuse-ai-and-ml
https://techmonitor.ai/cybercrime-future/ai-cybercrime
Think about what you saw at the Keynote
What are we doing about all of this?
@spoole167
17 May 2021 – US Government takes a stand
Joe Biden
@spoole167
The Executive Order
• Recognizes the need to form a united front against “malicious cyber actors”
• Outlines a direction for closer working between all parts of the software industry
• Adds new requirements on software vendors selling to the US government
• Will change how we produce and consume software.
@spoole167
Hardening the software supply chain: every ‘product’
• has an SBOM
• uses an automatic supply chain process
• has evidence of software integrity
• has evidence of an automatic vulnerability check process
• has a vulnerability disclosure program
• has evidence on the provenance of all software used
• demonstrates strong controls over the use of internal and third-party software and services
• demonstrates regular audit processes
@spoole167
Technical responses
1 Securing the supply chain – provable evidence trails
2 Improved understanding of vulnerable projects
3 Automating the supply chain - code to cloud (no humans involved)
4 Education for developers
10th December 2021
Log4Shell may be the worst ever vulnerability
https://apple.news/AnKnv0_EdR3K2b-t6Z67-qw
A canonical example of what’s going wrong
False confidence in our tools or not caring?
• Finding out if you are vulnerable using scanning tools can be challenging
• It’s all ‘after the fact’
• It requires great tools and great data
• Not everyone has equal access
@spoole167
On the horizon
• Switch from scanning tools that try to work out what you have installed, to signed, provable, reproducible “Software Bill of Materials”
• Centralised signatures
• Centralised analysis tools
@spoole167
Software Bill Of Materials: the new important term on the horizon
cyclonedx.org / spdx.dev
mvn org.cyclonedx:cyclonedx-maven-plugin:makeAggregateBom
@spoole167
https://bomdoctor.sonatype.dev/
@spoole167
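An added example of what you do with the SBOM once the Maven plugin above has written it, not code from the talk or from the CycloneDX project: read a CycloneDX JSON document, list its components, and cross-check them against an advisory list so that “is my build affected?” becomes a question answered from the bill of materials rather than by scanning a running system after the fact. The BOM document, the advisory identifier and its “fixed in” version are constructed for the example; a real check would read the BOM the build produced and a live vulnerability feed.

```python
"""Cross-check the components in a CycloneDX JSON SBOM against advisories.
Added example; the BOM and the advisory list below are constructed."""

import json

# Constructed CycloneDX 1.4 document, trimmed to the fields this check reads.
SAMPLE_BOM_JSON = """
{
  "bomFormat": "CycloneDX",
  "specVersion": "1.4",
  "serialNumber": "urn:uuid:00000000-0000-0000-0000-000000000000",
  "version": 1,
  "metadata": {"component": {"type": "application", "name": "example-app", "version": "1.0.0"}},
  "components": [
    {"type": "library", "group": "org.apache.logging.log4j", "name": "log4j-core",
     "version": "2.14.1", "purl": "pkg:maven/org.apache.logging.log4j/log4j-core@2.14.1"},
    {"type": "library", "group": "org.apache.commons", "name": "commons-lang3",
     "version": "3.12.0", "purl": "pkg:maven/org.apache.commons/commons-lang3@3.12.0"}
  ]
}
"""

# Constructed advisory feed: (advisory id, group, artifact, first fixed version).
# The id is a placeholder and the version is illustrative, not a real advisory.
SAMPLE_ADVISORIES = [
    ("ADV-EXAMPLE-0001", "org.apache.logging.log4j", "log4j-core", "2.15.0"),
]


def parse_version(v: str) -> tuple:
    """Turn 'x.y.z' into a comparable tuple; non-numeric tails count as 0."""
    parts = []
    for piece in v.split("."):
        digits = "".join(ch for ch in piece if ch.isdigit())
        parts.append(int(digits) if digits else 0)
    return tuple(parts)


def load_components(bom_json: str):
    """Return (group, name, version, purl) for every component in the BOM."""
    bom = json.loads(bom_json)
    if bom.get("bomFormat") != "CycloneDX":
        raise ValueError("not a CycloneDX document")
    return [
        (c.get("group", ""), c["name"], c.get("version", ""), c.get("purl"))
        for c in bom.get("components", [])
    ]


def find_affected(bom_json: str, advisories):
    """List (advisory id, purl, note) for components below an advisory's fix version."""
    hits = []
    for group, name, version, purl in load_components(bom_json):
        for adv_id, adv_group, adv_name, fixed_in in advisories:
            if (group, name) == (adv_group, adv_name) and parse_version(version) < parse_version(fixed_in):
                hits.append((adv_id, purl, f"fixed in {fixed_in}"))
    return hits


if __name__ == "__main__":
    for adv_id, purl, note in find_affected(SAMPLE_BOM_JSON, SAMPLE_ADVISORIES):
        print(f"{adv_id}: {purl} ({note})")
```

The purl (package URL) is the field worth keying on: it names the ecosystem, group, artifact and version in one string, which is what makes an SBOM comparable across tools and across the vendors in a supply chain.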
www.sigstore.dev
reproducible-builds.org
@spoole167
Tackling the next level
• 90% of an application is open source components
• Linux Foundation and other groups are working to develop guidelines for measuring good practices and ongoing behavior
@spoole167
The Open Source Software Security Mobilization Plan
https://openssf.org/oss-security-mobilization-plan/
security education, risk assessment, digital signatures, memory safety, incident response, better scanning, code audits, data sharing, SBOMs everywhere, supply chains
@spoole167
What can you do right now?
@spoole167
The best tools right now are these
@spoole167
Look at how you choose open source software
• What do you do if an open-source component you rely on doesn’t comply?
• How much risk are you willing to take?
• Even if they say yes - how much can you trust them?
• Do they have an SBOM?
• What’s their ability to provide updates?
• What’s their security posture?
Not just “is it free, does it do what I want?”
Things to check for
• Unexpected release frequency
• Number and activity patterns of committers
• Do they do Static Analysis and Security Testing (SAST)?
• Are they prone to making breaking changes?
• Do they often have no path forward (latest version has vulnerabilities)?
• License / security.md file
• Vulnerability reporting process
• Development process (how do they review contributions?)
• Build process – is it secure? Who can trigger it?
• General assessment of their quality (MTTU)
@spoole167
Exercise your suspicious brain, find code smells and LOOK closely at the projects you’re using.
Build your own selection criteria or use ours.
@spoole167
What else should you do?
@spoole167
Visit OWASP
@spoole167
Code defensively: follow secure design principles
• Minimize attack surface area
• Establish secure defaults
• Principle of Least privilege
• Principle of Defense in depth
• Fail securely
• Don’t trust services
• Separation of duties
• Avoid security by obscurity
• Keep security simple
• Fix security issues correctly
https://www.owasp.org/index.php/Security_by_Design_Principles#Security_principles
@spoole167
https://owasp.org/
@spoole167
Keep a watch on available education
@spoole167
Summary
• Cyber attacks are being industrialized, weaponized and hidden.
• “Exploit first” means Day Zero moving to Day -1, Day -20, or Day -Never
• Government legislation aims to force suppliers to “fix” the problem
• How we create and deliver software will change
• How we select / consume open source software will change
• Developers must become experts at AppSec
@spoole167
Takeaways
• The days of just taking software off the shelf are numbered
• Developers must choose software based on production value, not just function
• Evidence based trust will become essential
• The software you use, how you develop and how you deploy will become a certified step in someone else's evidence chain.
• A complex and challenging new world lies ahead.
• GDPR changed how we think about and deal with user information – supply chains are going to get the same sort of scrutiny.
• It’s time to reassess tools and vendors
• Look for partners you can trust to build supply chains you and the world can rely on
@spoole167
Thank you
#mavencentral

Unveiling the Tech Salsa of LAMs with Janus in Real-Time Applications
 
Azure_Native_Qumulo_High_Performance_Compute_Benchmarks.pdf
Azure_Native_Qumulo_High_Performance_Compute_Benchmarks.pdfAzure_Native_Qumulo_High_Performance_Compute_Benchmarks.pdf
Azure_Native_Qumulo_High_Performance_Compute_Benchmarks.pdf
 
5 Signs You Need a Fashion PLM Software.pdf
5 Signs You Need a Fashion PLM Software.pdf5 Signs You Need a Fashion PLM Software.pdf
5 Signs You Need a Fashion PLM Software.pdf
 
AI Mastery 201: Elevating Your Workflow with Advanced LLM Techniques
AI Mastery 201: Elevating Your Workflow with Advanced LLM TechniquesAI Mastery 201: Elevating Your Workflow with Advanced LLM Techniques
AI Mastery 201: Elevating Your Workflow with Advanced LLM Techniques
 
Introducing Microsoft’s new Enterprise Work Management (EWM) Solution
Introducing Microsoft’s new Enterprise Work Management (EWM) SolutionIntroducing Microsoft’s new Enterprise Work Management (EWM) Solution
Introducing Microsoft’s new Enterprise Work Management (EWM) Solution
 
Reassessing the Bedrock of Clinical Function Models: An Examination of Large ...
Reassessing the Bedrock of Clinical Function Models: An Examination of Large ...Reassessing the Bedrock of Clinical Function Models: An Examination of Large ...
Reassessing the Bedrock of Clinical Function Models: An Examination of Large ...
 
CHEAP Call Girls in Pushp Vihar (-DELHI )🔝 9953056974🔝(=)/CALL GIRLS SERVICE
CHEAP Call Girls in Pushp Vihar (-DELHI )🔝 9953056974🔝(=)/CALL GIRLS SERVICECHEAP Call Girls in Pushp Vihar (-DELHI )🔝 9953056974🔝(=)/CALL GIRLS SERVICE
CHEAP Call Girls in Pushp Vihar (-DELHI )🔝 9953056974🔝(=)/CALL GIRLS SERVICE
 
The Ultimate Test Automation Guide_ Best Practices and Tips.pdf
The Ultimate Test Automation Guide_ Best Practices and Tips.pdfThe Ultimate Test Automation Guide_ Best Practices and Tips.pdf
The Ultimate Test Automation Guide_ Best Practices and Tips.pdf
 
Vip Call Girls Noida ➡️ Delhi ➡️ 9999965857 No Advance 24HRS Live
Vip Call Girls Noida ➡️ Delhi ➡️ 9999965857 No Advance 24HRS LiveVip Call Girls Noida ➡️ Delhi ➡️ 9999965857 No Advance 24HRS Live
Vip Call Girls Noida ➡️ Delhi ➡️ 9999965857 No Advance 24HRS Live
 
The Real-World Challenges of Medical Device Cybersecurity- Mitigating Vulnera...
The Real-World Challenges of Medical Device Cybersecurity- Mitigating Vulnera...The Real-World Challenges of Medical Device Cybersecurity- Mitigating Vulnera...
The Real-World Challenges of Medical Device Cybersecurity- Mitigating Vulnera...
 
VTU technical seminar 8Th Sem on Scikit-learn
VTU technical seminar 8Th Sem on Scikit-learnVTU technical seminar 8Th Sem on Scikit-learn
VTU technical seminar 8Th Sem on Scikit-learn
 
Right Money Management App For Your Financial Goals
Right Money Management App For Your Financial GoalsRight Money Management App For Your Financial Goals
Right Money Management App For Your Financial Goals
 
Direct Style Effect Systems - The Print[A] Example - A Comprehension Aid
Direct Style Effect Systems -The Print[A] Example- A Comprehension AidDirect Style Effect Systems -The Print[A] Example- A Comprehension Aid
Direct Style Effect Systems - The Print[A] Example - A Comprehension Aid
 
How To Use Server-Side Rendering with Nuxt.js
How To Use Server-Side Rendering with Nuxt.jsHow To Use Server-Side Rendering with Nuxt.js
How To Use Server-Side Rendering with Nuxt.js
 
AI & Machine Learning Presentation Template
AI & Machine Learning Presentation TemplateAI & Machine Learning Presentation Template
AI & Machine Learning Presentation Template
 
+971565801893>>SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHAB...
+971565801893>>SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHAB...+971565801893>>SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHAB...
+971565801893>>SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHAB...
 
How To Troubleshoot Collaboration Apps for the Modern Connected Worker
How To Troubleshoot Collaboration Apps for the Modern Connected WorkerHow To Troubleshoot Collaboration Apps for the Modern Connected Worker
How To Troubleshoot Collaboration Apps for the Modern Connected Worker
 
Diamond Application Development Crafting Solutions with Precision
Diamond Application Development Crafting Solutions with PrecisionDiamond Application Development Crafting Solutions with Precision
Diamond Application Development Crafting Solutions with Precision
 
Define the academic and professional writing..pdf
Define the academic and professional writing..pdfDefine the academic and professional writing..pdf
Define the academic and professional writing..pdf
 

A new hope for 2023? What developers must learn next

  • 21. There are still… • There are still botnets out there trying to get into your systems • There are still bad guys who want to steal your secrets • There are still people who will ransom your data • There are still cryptocurrency miners trying to steal your CPU cycles
  • 22. Plus… • There are still botnets out there trying to get into your systems • There are still bad guys who want to steal your secrets • There are still people who will ransom your data • There are still cryptocurrency miners trying to steal your CPU cycles • Now there are open source project hijacks • Now there are fake packages in repos • Now there is malware in the build process • Now the aim is long-term control and stealth
  • 23. Now there is cyber-warfare • Motivations are different: it’s not about money • Skill sets are higher: professional, well funded • Persistence is much greater: specific targets, not just targets of opportunity
  • 24. Now there is cyber-warfare • Motivations are different: it’s not about money • Skill sets are higher: professional, well funded • Persistence is much greater: specific targets, not just targets of opportunity • EVERYONE: every state or political body, every disenfranchised or suppressed group is or will be taking part
  • 25. Now there is cyber-warfare • It’s been happening behind the scenes for some time • Now it’s mainstream. Potential targets: you personally; your personal networks; the organizations you work for, belong to or help; your country
  • 26. Modern attacks are supply chain attacks, and we are all part of a supply chain
  • 27. The aim is to infiltrate infrastructure and essential services… The internet is the next battlefield. It’s all about software
  • 29. Everything really is online. There is no distance between you and the bad actors: they ‘live’ next door
  • 30. Cyber warfare is real and will drive massive changes in how we develop and deliver software
  • 31. The only thing between you and the bad actors is software
  • 32. Be ready for massive increases in attacks on software everywhere: software in the car, on the phone, on the watch, on any device, on the laptop, on the server, on the wifi router, at the supermarket
  • 33. Bad actors used to search for vulnerabilities to exploit
  • 34. Now they make their own • Typosquatting: a lookalike domain or dependency with one or two wrong or different characters • Open source repo attacks: attempts to get malware or weaknesses added into dependency source, via social engineering or tooling • Build tool attacks: attempts to get malware into the tools that are used to produce dependencies • Dependency confusion: attempts to get a different version added into a binary repository, often as “latest”, so that the resolver picks the attacker’s copy instead of the intended one • Two delivery routes: automated, and social engineering
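Two of the attacks on slide 34, typosquatting and dependency confusion, work purely on package names and version numbers, so they can be screened for before a build ever resolves anything. The script below is an added example and is not code from the talk or from Sonatype. The popular-package list, the internal names, the public-index snapshot and the declared dependency list are all constructed sample data; the one-edit threshold, the PEP 503 style name normalization and the simple dotted-version comparison are assumptions made for the example.

```python
"""Flag dependency names that look like typosquats of popular packages and
internal names that are exposed to dependency confusion.

Added example for the attack catalogue on slide 34, not code from the talk or
from Sonatype. POPULAR, INTERNAL, PUBLIC_INDEX and SAMPLE_DEPENDENCIES are
constructed sample data, not a registry snapshot.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple

# Constructed: well-known names an attacker would register lookalikes of.
POPULAR: Set[str] = {"requests", "urllib3", "numpy", "pyyaml", "cryptography"}

# Constructed: names that should only exist in the company's private index.
INTERNAL: Set[str] = {"acme-auth", "acme-billing"}

# Constructed: the latest version a public index returns for each name.
PUBLIC_INDEX: Dict[str, str] = {
    "requests": "2.31.0",
    "urllib3": "2.2.1",
    "numpy": "1.26.4",
    "pyyaml": "6.0.1",
    "cryptography": "42.0.5",
    "requets": "2.31.0",       # lookalike of requests
    "acme-billing": "99.0.0",  # public copy of an internal name, higher version
}

# Constructed: what a requirements file or lockfile declares.
SAMPLE_DEPENDENCIES: List[Tuple[str, str]] = [
    ("requests", "2.31.0"),
    ("requets", "2.31.0"),
    ("numpy", "1.26.4"),
    ("acme-auth", "1.4.0"),
    ("acme-billing", "1.2.0"),
]


@dataclass(frozen=True)
class Finding:
    package: str
    kind: str    # "typosquat" or "dependency-confusion"
    detail: str


def normalize(name: str) -> str:
    """PEP 503 name normalization: case-insensitive, runs of -_. become one '-'."""
    return re.sub(r"[-_.]+", "-", name).lower()


def dl_distance(a: str, b: str) -> int:
    """Damerau-Levenshtein distance (optimal string alignment): an insertion,
    deletion, substitution or swap of two adjacent characters each cost 1."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)
    return d[len(a)][len(b)]


def version_key(version: str) -> Tuple[int, ...]:
    """Enough for the dotted numeric versions in the sample; not a PEP 440 parser."""
    return tuple(int(part) for part in version.split("."))


def audit(dependencies, popular=POPULAR, internal=INTERNAL, public_index=PUBLIC_INDEX) -> List[Finding]:
    findings: List[Finding] = []
    for raw_name, version in dependencies:
        name = normalize(raw_name)
        if name in internal:
            # Dependency confusion: a resolver that consults a public index as well
            # as the private one (pip with --extra-index-url does) takes the highest
            # version it sees, so a public copy with a bigger version number wins.
            public_version = public_index.get(name)
            if public_version is not None:
                detail = f"also on the public index at {public_version} (private has {version})"
                if version_key(public_version) > version_key(version):
                    detail += "; a highest-version resolver would prefer the public copy"
                findings.append(Finding(name, "dependency-confusion", detail))
            continue
        if name in popular:
            continue
        # Typosquatting: a name one edit away from a popular package is suspect.
        for candidate in sorted(popular):
            if dl_distance(name, candidate) == 1:
                findings.append(Finding(name, "typosquat", f"one edit away from {candidate!r}"))
                break
    return findings


def audit_sample() -> List[Finding]:
    return audit(SAMPLE_DEPENDENCIES)


if __name__ == "__main__":
    for finding in audit_sample():
        print(f"{finding.kind:22} {finding.package:14} {finding.detail}")
```

On the constructed input the audit reports two findings: `requets` as a typosquat of `requests`, and `acme-billing` as exposed to dependency confusion because a public copy with a higher version exists. The fix for the second case is not a smarter name check but resolver configuration: pin internal packages to the private index only, or register the internal names on the public index yourself.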
  • 35. The Zero Day Window is Closing [chart: average days from public disclosure to exploit, by year reported, 2006 to 2021, with two averages marked at 45 days and 15 days and Struts2 called out on the curve. Source: adapted from IBM X-Force / analysis by Gartner Research (September 2016)]
  • 36. The Zero Day Window is closed [same chart] Nation states are paying millions of dollars to suppress vulnerability reporting
  • 37. The Zero Day Window is closed [same chart] China requires all disclosures to be reported to the government first
  • 38. The Zero Day Window is closed [same chart] The more severe the vulnerability, the less chance of it being reported publicly
  • 40. The new world of cyber security is “exploit first”
  • 43. What are we doing about all of this?
  • 44. 12 May 2021 – US Government takes a stand: Joe Biden signs Executive Order 14028, Improving the Nation’s Cybersecurity
  • 45. The Executive Order • Recognizes the need to form a united front against “malicious cyber actors” • Outlines a direction for closer working between all parts of the software industry • Adds new requirements on software vendors selling to the US government • Will change how we produce and consume software
  • 46. Hardening the software supply chain: every ‘product’ • has an SBOM • uses an automated supply chain process • has evidence of software integrity • has evidence of an automated vulnerability check process • has a vulnerability disclosure program • has evidence of the provenance of all software used • demonstrates strong controls over the use of internal and third-party software and services • demonstrates regular audit processes
  • 47. Technical responses • 1 Securing the supply chain: provable evidence trails • 2 Improved understanding of vulnerable projects • 3 Automating the supply chain, code to cloud (no humans involved) • 4 Education for developers
  • 49. Log4Shell may be the worst ever vulnerability https://apple.news/AnKnv0_EdR3K2b-t6Z67-qw
  • 50. A canonical example of what’s going wrong
  • 51. False confidence in our tools, or not caring? Finding out whether you are vulnerable using scanning tools can be challenging: it is all ‘after the fact’, it requires great tools and great data, and not everyone has equal access to them
  • 52. On the horizon: a switch from scanning tools that try to work out what you have installed to signed, provable, reproducible “Software Bill of Materials”; centralised signatures; centralised analysis tools
  • 53. Software Bill Of Materials: the new important term on the horizon. cyclonedx.org, spdx.dev. To generate one for a Maven build: mvn org.cyclonedx:cyclonedx-maven-plugin:makeAggregateBom
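Slides 46 and 52 to 53 together describe what an SBOM is for once it exists: evidence of integrity (does the artifact you are shipping match what the BOM records?) and an automated vulnerability check (is anything in the BOM below a fixed version?). The script below is an added example, not code from the talk, from the CycloneDX project or from Sonatype. It consumes a constructed CycloneDX 1.4 JSON document in the shape the cyclonedx-maven-plugin emits; the component hashes are of stand-in byte strings rather than real jars, the advisory table is a constructed sample (its Log4Shell row mirrors the real log4j-core advisory, with the affected range simplified to “below the first fixed version”), and the version comparison handles dotted numeric versions only.

```python
"""Parse a CycloneDX JSON SBOM, verify each component's recorded hash against
the artifact actually present, and look the components up in an advisory list.

Added example, not code from the talk, from the CycloneDX project or from
Sonatype. SAMPLE_BOM, ARTIFACTS and ADVISORIES are constructed sample data:
the BOM follows the CycloneDX 1.4 JSON shape, but the hashes are of stand-in
byte strings, not of real jars.
"""
import hashlib
import json
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def purl(group: str, name: str, version: str) -> str:
    return f"pkg:maven/{group}/{name}@{version}?type=jar"


# Constructed stand-ins for the jars found on the build machine, keyed by purl.
# The snakeyaml bytes differ from the ones the BOM hash was taken over.
ARTIFACTS: Dict[str, bytes] = {
    purl("org.apache.logging.log4j", "log4j-core", "2.14.1"): b"log4j-core-2.14.1 (constructed)",
    purl("com.fasterxml.jackson.core", "jackson-databind", "2.15.2"): b"jackson-databind-2.15.2 (constructed)",
    purl("org.yaml", "snakeyaml", "2.0"): b"snakeyaml-2.0 MODIFIED (constructed)",
}


def _component(group: str, name: str, version: str, published: bytes) -> dict:
    return {
        "type": "library", "group": group, "name": name, "version": version,
        "purl": purl(group, name, version),
        "hashes": [{"alg": "SHA-256", "content": sha256_hex(published)}],
    }


# Constructed CycloneDX 1.4 document in the shape cyclonedx-maven-plugin emits.
SAMPLE_BOM: str = json.dumps({
    "bomFormat": "CycloneDX", "specVersion": "1.4", "version": 1,
    "components": [
        _component("org.apache.logging.log4j", "log4j-core", "2.14.1", b"log4j-core-2.14.1 (constructed)"),
        _component("com.fasterxml.jackson.core", "jackson-databind", "2.15.2", b"jackson-databind-2.15.2 (constructed)"),
        _component("org.yaml", "snakeyaml", "2.0", b"snakeyaml-2.0 (constructed)"),
    ],
})

# Constructed advisory table keyed by purl without the version:
# (advisory id, title, first fixed version). The Log4Shell row mirrors the real
# log4j-core advisory; "everything below the fix" simplifies its real range.
ADVISORIES: Dict[str, List[Tuple[str, str, str]]] = {
    "pkg:maven/org.apache.logging.log4j/log4j-core": [("CVE-2021-44228", "Log4Shell", "2.15.0")],
}


@dataclass(frozen=True)
class Component:
    purl: str
    name: str
    version: str
    sha256: Optional[str]


def parse_bom(text: str) -> List[Component]:
    doc = json.loads(text)
    if doc.get("bomFormat") != "CycloneDX":
        raise ValueError("not a CycloneDX document")
    components = []
    for c in doc.get("components", []):
        sha = next((h["content"].lower() for h in c.get("hashes", []) if h.get("alg") == "SHA-256"), None)
        components.append(Component(c["purl"], c["name"], c["version"], sha))
    return components


def version_key(version: str) -> Tuple[int, ...]:
    """Dotted numeric versions only; Maven's full ordering rules are not reproduced."""
    return tuple(int(p) for p in version.split("."))


def verify_integrity(components: List[Component], artifacts=ARTIFACTS) -> Dict[str, str]:
    """Map purl -> 'ok' | 'mismatch' | 'missing-artifact' | 'no-hash'."""
    result: Dict[str, str] = {}
    for c in components:
        data = artifacts.get(c.purl)
        if c.sha256 is None:
            result[c.purl] = "no-hash"
        elif data is None:
            result[c.purl] = "missing-artifact"
        elif sha256_hex(data) == c.sha256:
            result[c.purl] = "ok"
        else:
            result[c.purl] = "mismatch"
    return result


def find_vulnerable(components: List[Component], advisories=ADVISORIES) -> List[Tuple[str, str, str]]:
    """Return (purl, advisory id, fixed version) for every component below a fix."""
    hits = []
    for c in components:
        for adv_id, _title, fixed in advisories.get(c.purl.split("@")[0], []):
            if version_key(c.version) < version_key(fixed):
                hits.append((c.purl, adv_id, fixed))
    return hits


if __name__ == "__main__":
    comps = parse_bom(SAMPLE_BOM)
    for p, status in verify_integrity(comps).items():
        print(f"{status:17} {p}")
    for p, adv_id, fixed in find_vulnerable(comps):
        print(f"VULNERABLE        {p}: {adv_id}, first fixed in {fixed}")
```

Run on the constructed input, the integrity pass reports log4j-core and jackson-databind as matching and snakeyaml as a mismatch, and the advisory pass flags log4j-core 2.14.1 with 2.15.0 as the first fixed version. Note that a hash in a BOM only proves the artifact matches what the BOM author saw; it says nothing about the BOM author unless the BOM itself is signed, which is the “signed, provable” part of slide 52.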
  • 56. Tackling the next level: 90% of an application is open source components
  • 57. Tackling the next level: the Linux Foundation and other groups are working to develop guidelines for measuring good practices and ongoing behavior
  • 59. The Open Source Software Security Mobilization Plan https://openssf.org/oss-security-mobilization-plan/ • security education • risk assessment • digital signatures • memory safety • incident response • better scanning • code audits • data sharing • SBOMs everywhere • supply chains
  • 60. What can you do right now?
  • 61. The best tools right now are these
  • 62. The best tools right now are these
  • 63. Look at how you choose open source software. Not just “is it free, does it do what I want?” • What do you do if an open-source component you rely on doesn’t comply? • How much risk are you willing to take? • Even if they say yes, how much can you trust them? • Do they have an SBOM? • What’s their ability to provide updates? • What’s their security posture?
  • 64. Things to check for • unexpected release frequency • number and activity patterns of committers • do they do Static Application Security Testing (SAST)? • are they prone to making breaking changes? • do they often have no path forward (latest version has vulnerabilities)?
  • 65. Things to check for • license / security.md file • vulnerability reporting process • development process (how do they review contributions?) • build process: is it secure, and who can trigger it? • general assessment of their quality (for example mean time to update, MTTU)
  • 66. Exercise your suspicious brain, find code smells and LOOK closely at the projects you’re using. Build your own selection criteria or use ours
  • 69. Code defensively: follow secure design principles • Minimize attack surface area • Establish secure defaults • Principle of least privilege • Principle of defense in depth • Fail securely • Don’t trust services • Separation of duties • Avoid security by obscurity • Keep security simple • Fix security issues correctly https://www.owasp.org/index.php/Security_by_Design_Principles#Security_principles
  • 71. Keep a watch on available education
  • 72. Summary • Cyber attacks are being industrialized, weaponized and hidden • “Exploit first” means day zero is moving to day -1, day -20, or never • Government legislation aims to force suppliers to “fix” the problem • How we create and deliver software will change • How we select / consume open source software will change • Developers must become experts at AppSec
  • 73. Takeaways • The days of just taking software off the shelf are numbered • Developers must choose software based on production value, not just function • Evidence-based trust will become essential • The software you use, how you develop and how you deploy will become a certified step in someone else’s evidence chain • A complex and challenging new world lies ahead • GDPR changed how we think about and deal with user information; supply chains are going to get the same sort of scrutiny • It’s time to reassess tools and vendors • Look for partners you can trust to build supply chains you and the world can rely on