Over the last ten years, we’ve seen cybercrime accelerate beyond all comprehension and the growing and relentless impact it has on our society and economies. It’s taken a long time for the world to act, but finally, we’re coming together to resist this uniquely 21st-century evil.
At the heart of the resistance are developers. Whatever role you have, whatever programming language or software you use - the battle is at your door.
In this session, we’ll brief you on the state of the situation and what you can do to be more prepared.: we’ll look at the bad guys and how they operate, examine recent legal and government responses and, most importantly, how the software industry is working together to create the tools, frameworks and education needed to help us all become the developers we need to be.
3. @spoole167
Photo by Bastian Pudill on Unsplash
Do we imagine someone
walking down the road
trying the handles of cars
as they pass
Looking for a car to steal
8. @spoole167
this talk
• Is a reality check about what the bad guys are really doing and why
• What’s happening to help address these attacks
• What should you be doing next
21. @spoole167
There are still..
• There are still botnets out there trying to get into your systems
• There are still bad guys who want to steal your secrets
• There are still people who will ransom your data
• There are still cryptocurrency miners trying to steal your CPU
cycles
22. @spoole167
Plus ..
• There are still botnets out there trying to get into your systems
• There are still bad guys who want to steal your secrets
• There are still people who will ransom your data
• There are still cryptocurrency miners trying to steal your CPU
cycles
• Now there are open source project hijacks
• Now there are fake packages in repos
• Now there is malware in the build process
• Now the aim is long term control and stealth
23. @spoole167
Now there is cyber-warfare
• Motivations are different - it’s not about money
• Skillsets are higher - professional, well funded.
• Perseverance is much greater - specific targets, not just
targets of opportunity
24. @spoole167
Now there is cyber-warfare
• Motivations are different - it’s not about money
• Skillsets are higher - professional, well funded.
• Persistence is much greater - specific targets, not just targets
of opportunity
• EVERYONE – Every state or political body, every
disenfranchised or suppressed group is or will be taking part.
25. @spoole167
Now there is cyber-warfare
• It’s been happening behind the scenes for some time.
• Now it’s mainstream.
You personally
Your personal networks
The organizations you work for, belong to or help
Your country
Potential
Targets
32. @spoole167
be ready for massive increases in attacks
on software everywhere
s/w in the car
s/w on the phone
s/w on the watch
s/w on any device
s/w on the laptop
s/w on server
s/w on the wifi router
s/w at the supermarket
34. @spoole167
Now they make their own
Typosquatting
A lookalike
domain,
dependency with
one or two wrong
or different
characters
Open source
repo attacks
Attempts to get
malware or
weaknesses
added into
dependency
source via social
or tools
Build Tool
attacks
Attempts to get
malware into the
tools that are
used to produce
dependencies
Dependency
confusion
Attempts to get a
Different version
added into a binary
repository
Often “latest”
Automated Social engineering
35. The Zero Day Window is Closing
Source: Adapted from IBM X-Force / Analysis by Gartner Research (September 2016)
Year of Date Reported
2006 2007 2008 2009 2010 201
1
2012 2013 2104 2015
1
0
20
30
40
50
0
Average
Days
from
Public
Disclosure
to
Exploit
Average
45
15
201
7
2019 2021
Struts2
36. The Zero Day Window is closed
Source: Adapted from IBM X-Force / Analysis by Gartner Research (September 2016)
Year of Date Reported
2006 2007 2008 2009 2010 201
1
2012 2013 2104 2015
1
0
20
30
40
50
0
Average
Days
from
Public
Disclosure
to
Exploit
Average
45
15
201
7
2019 2021
Struts2
Nation states are paying millions of dollars to
suppress vulnerability reporting
37. The Zero Day Window is closed
Source: Adapted from IBM X-Force / Analysis by Gartner Research (September 2016)
Year of Date Reported
2006 2007 2008 2009 2010 201
1
2012 2013 2104 2015
1
0
20
30
40
50
0
Average
Days
from
Public
Disclosure
to
Exploit
Average
45
15
201
7
2019 2021
Struts2
China requires all disclosures to be reported to
the government first
38. The Zero Day Window is closed
Source: Adapted from IBM X-Force / Analysis by Gartner Research (September 2016)
Year of Date Reported
2006 2007 2008 2009 2010 201
1
2012 2013 2104 2015
1
0
20
30
40
50
0
Average
Days
from
Public
Disclosure
to
Exploit
Average
45
15
201
7
2019 2021
Struts2
The more severe the vulnerability, the less
chance of it being reported publically
45. @spoole167
The
Executive
Order
Recognizes the need to form a united front
against “malicious cyber actors”
Outlines a direction for closer working between
all parts of the software industry
Adds new requirements on software vendors
selling to the US government
Will change how we produce and consume
software.
46. @spoole167
Hardening the software supply chain : every
‘product’
has a SBOM
uses an automatic
supply chain process
has evidence of
software integrity
has evidence of
an automatic
vulnerability check
process
Has a vulnerability
disclosure program
Has evidence on the
providence of all
software used
Demonstrates strong
controls over the use
of internal and third-
party software and
services
Demonstrate regular
audit processes
47. @spoole167
Technical responses
1 Securing the supply chain – provable evidence trails
2 Improved understanding of vulnerable projects
3 Automating the supply chain - code to cloud (no humans
involved)
4 Education for developers
51. False confidence in our tools or not caring?
Finding out if you are
vulnerable using scanning
tools can be challenging
It’s all ‘after the fact’
requires great tools and
great data
Not everyone has equal
access
52. @spoole167
On the horizon
Switch from scanning
tools that try to work
out what you have
installed
To signed, provable,
reproduceable
“Software Bill of Materials”
Centralised signatures
Centralised analysis
tools
53. @spoole167
Software Bill Of Materials
cyclonedx.org spdx.dev
the new important term on the horizon
mvn org.cyclonedx:cyclonedx-maven-plugin:makeAggregateBom
57. @spoole167
Tackling the next level
Linux Foundation and
other groups working to
develop guidelines for
measuring good practices
and ongoing behavior
63. @spoole167
Look at how you choose open
source software
• What do you do if a open-source
component you rely on doesn’t comply?
• How much risk are you willing to take?
• Even if they say yes - how much can you
trust them?
• Do they have an SBOM?
• What’s their ability to provide updates.
• What’s their security posture.
Not just is it free,
does it do what I
want?
64. things to check for
unexpected
release frequency
number and
activity patterns
of committers
Do they do Static
Analysis and
Security Testing
(SAST)
Are they prone to
making breaking
changes
Do they often
have no path
forward
(latest version has
vulnerabilities)
65. things to check for
License /
security.md file
Vulnerability
reporting process
Development
process (how do
they review
contributions)
Build process – is
it secure? Who
can trigger it?
General
assessment of
their quality
(MTTU)
66. @spoole167
Exercise your suspicious brain, find code
smells and LOOK closely at the projects
you’re using
Build your own selection
criteria or use ours
72. @spoole167
Summary
• Cyber attacks are being industrialized, weaponized and
hidden.
• “exploit first” means Day Zero moving to Day – 1 , -20. -
Never
• Government legislation aim to force suppliers to “fix” the
problem
• How we create and deliver software will change
• How we select / consume open source software will change
• Developers must become experts at AppSec
73. @spoole167
Takeaways
• The days of just taking software off the shelf are numbered
• developers must choose software based on production value not just function
• Evidence based trust will become essential
• the software you use, how you develop, how you deploy will become a certified step in
someone else's evidence chain.
• A complex and challenging new world lies ahead.
• GDPR changed how we thought and deal with user information – supply chains are
going to get the same sort of scrutiny.
• It’s time to reassess tools and vendors
• Look for partners you can trust to build supply chains you and the world can rely on