Más contenido relacionado

Similar a Cybercrime and the developer 2021 style(20)


Más de Steve Poole(19)


Cybercrime and the developer 2021 style

  1. Cybercrime and the Developer How to defend against the darker side @spoole167
  2. Steve Poole • Developer Adocate • Sonatype @spoole167
  3. Take away one thing As a developer, security is your problem @spoole167
  4. Who uses wifi? Every thought about how it works? @spoole167
  5. Would you notice one of these on the wall? @spoole167
  6. With some simple h/w its’ easy to spoof the wifi @spoole167
  7. How safe is your data now? @spoole167
  8. Of course, most of us don’t know @spoole167
  9. The world runs on software @spoole167
  10. And software is under attack @spoole167
  11. 5 years a go I said things like this @spoole167
  12. Organized Cybercrime is the most profitable type of crime Cybercrime was estimated to be worth 445 Billion Dollars a Year United Nations Office on Drugs and Crime (UNODC) estimated globally the illicit drug trade was worth 435 Billion Dollars • Guess which one has the least risk to the criminal? • Guess which is growing the fastest? • Guess which one is the hardest to prosecute? • Guess which one is predicted to real 2100 Billion Dollars by 2019 • Guess which one is predicted to real 6000 Billion Dollars by 2021 @spoole167
  13. 0 1000 2000 3000 4000 5000 6000 2013 2014 2015 2016 2017 2018 2019 2020 2021 Cybercrime Drug trade
  14. What’s the status today? @spoole167
  15. It’s much worse than predicted … As a developer your world is going to change rapidly @spoole167
  16. Weaponised Cybercrime Nation states are preparing for the next war – and that all about software @spoole167
  17. Cyber Attacks are rising in number and sophistication The aim is to infiltrate infrastructure and essential services… @spoole167
  18. So they can manipulate or disable @spoole167
  19. Cybercriminals used to search for vulnerabilities to exploit
  20. Now they make their own Typosquatting A lookalike domain, dependency with one or two wrong or different characters Open source repo attacks Build Tool attacks Attempts to get malware or weaknesses added into dependency source via social or tools Attempts to get malware into the tools that are used to produce dependencies Dependency confusion Attempts to get a Different version added into a binary repository Often “latest” @spoole167
  21. Put differently Payroll App V1
  22. Payroll App V1 Most applications are 90% open source Dependencies
  23. Payroll App V1 Bad guys still look for weaknesses Dependencies
  24. Payroll App V1 But now they are adding their own Dependencies Tools Runtime s Platforms Code generators
  25. Payroll App V1 Many are designed to stay hidden Until needed Dependencies Tools Runtime s Platforms Code generators
  26. Let me tell you a story
  27. Got one of these? @spoole167
  28. Got one of these in it? • $2 from china
  29. This new phase of cyber attacks Are state funded Professionally developed Regularly exercised Very sophisticated And extremely lucrative
  30. 2021 – 6 trillion dollars 2022 ? @spoole167
  31. 2021 – 6 trillion dollars 2022 - 35 Trillion dollars? @spoole167
  32. 2021 – 6 trillion dollars 2022 - 35 Trillion dollars? @spoole167
  33. That’s $4300 per person @spoole167
  34. What can you do? @spoole167
  35. 1: Think about the supply chain @spoole167
  36. @spoole167
  37. The Executive Order Recognizes the need to form a united front against “malicious cyber actors” Outlines a direction for closer working between all parts of the software industry Adds new requirements on software vendors selling to the US government Will change how we produce and consume software. @spoole167
  38. Hardening the software supply chain : every product has a SBOM uses an automatic supply chain process has evidence of software integrity has evidence of an automatic vulnerability check process Has a vulnerability disclosure program Has evidence on the providence of all software used Demonstrates strong controls over the use of internal and third- party software and services Demonstrate regular audit processes @spoole167
  39. SBOM – the new important term on the horizon @spoole167
  40. Modern Vulnerability tools scan your builds Dependencies Payroll App V1 @spoole167
  41. Tracking dependencies relies on tools that analyze the end result Payroll App V1 Web Server 05.1.2 Acme Framework 2.1 @spoole167
  42. Which relies on transparency Payroll App V1 Web Server 05.1.2 Acme Framework 2.1 @spoole167
  43. Which can be problematic Payroll App V1 Web Server 05.1.2 Acme Framework Incomplete Data Opaque Dependencies @spoole167
  44. And is always incomplete Or even faked Payroll App V1 Web Server 05.1.2 Acme Framework What’s in the runtimes? What tools were used to build? @spoole167
  45. Web Server 05.1.2 Acme Framework Payroll App V1 Runtime V2 OS V3.4 Compiler V9 CI/CD V2 OS V6 Compiler Environmental Information All componentry SBOMs are intended to cover ‘everything’
  46. 2: Automate everything @spoole167
  47. SBOM raise awareness of issues 1.1 Foo 2.1 Bar 3.1 product Dependency ref @spoole167
  48. SBOM raise awareness of issues 1.1 Foo 2.1 Bar 3.1 product Dependency ref url url SBOM signature SHA1024 SHA1024 Product URL url SHA1024 @spoole167
  49. Means more fixes to apply 1.1 Foo 2.1 Bar 3.1 url url SHA SHA url SHA1024 Gcc 3.6 RHEL url url SHA SHA zip url SHA Jenkins url SHA Github action url url
  50. Since SBOMS inherit from dependencies 1.1 url SHA1024
  51. More info is available 1.1 url SHA1024
  52. More updates, more often, all the time 1.1 url SHA1024
  53. Time to EXPLOIT? Source: Adapted from IBM X-Force / Analysis by Gartner Research (September 2016) Year of Date Reported 2006 2007 2008 2009 2010 2011 2012 2013 2104 2015 10 20 30 40 50 0 Average Days to Exploit Average 45 15 2017 @spoole167
  54. 2 days @spoole167
  55. 2 days Oh wait that was 2016 – what’s the number now?
  56. 2 days @spoole167
  57. 2 seconds @spoole167
  58. The way you build software is going to change You can expect every government to follow suit on this sort of initiative Even if you're not selling directly, you could be in a chain that is The prediction is that by 2025 every software vendor, open source project etc will have to provide this proof Manual anything is going to be problematic @spoole167
  59. You will need to be able to track back exactly how, where and with what your s/w was built. To be able to deal with an increase in the number of reported vulnerabilities Be able to build your s/w automatically at a moments notice To provide to others your ‘SBOM’ The next wave is moving from IAC to EAC (Everything as code)
  60. 3: Lower your trust levels @spoole167
  61. The way you choose open source software is going to change What do you do if a open-source component you rely on doesn’t comply? How much risk are you willing to take? Even if they say yes - how much can you trust them? Do they have an SBOM? What’s their ability to provide updates. What’s their security posture. No more: is is it free and does it do what I want? @spoole167
  62. Evaluating open-source projects means more than checking their license License Vulnerability reporting process Development process (how to they review contributions) Build process – is it secure? Who can trigger it? General assessment of their quality (MTTU) @spoole167
  63. 4: Code defensively @spoole167
  64. Exploitation comes often from simple mistakes Clean code Defensive architecture comprehensive tests Exception path testing Useful error messages Test dependencies Compartmentalisation of data Secured pipelines No ‘dev mode’ Code Reviews Thinking defensively …
  65. And poor behavior Ever googled for: “very trusting trust manager” “Getting Java to accept all certs over HTTPS” “How to Trust Any SSL Certificate” “Disable Certificate Validation in Java”
  66. We’ve found 72,609 code results AlwaysValidTrustManager TrustAllServersWrappingTrustManager A very friendly, accepting trust manager factory. Allows anything through. all kind of certificates are accepted and trusted. A very trusting trust manager that accepts anything // Install the all-trusting trust manager OverTrustingTrustProvider
  67. And poor behavior curl –insecure wget --no-check-certificate sudo apt-get --allow-unauthenticated @spoole167
  68. And poor behavior curl –insecure wget --no-check-certificate sudo apt-get --allow-unauthenticated
  69. And by not understanding the code and tools we use “I thought I was using the tool correctly” “I didn’t realize what the default setting was” “I trusted the tool to do the right thing” @spoole167
  70. IF you contribute to open source • Take these behaviors with you • Think about software safety • Think defensively. @spoole167
  71. Summary Cyber attacks have entered a new and aggressive phase Automated, evidence based Everything- as-code is the direction Open Source is still the primary vector Risk of attack is rising dramatically BYO pipelines will get replaced by commercial ones Consuming open source directly will reduce. You’ll pay for trusted versions How we write code must change How we work with other developers will change
  72. Takeaways • The days of just taking software off the shelf are numbered : choose software based on how it’s produced not just what it does • Evidence based trust will become essential : Your own supply chain – the software you use, how you develop, how you deploy will become a certified step in someone else's evidence chain. • A complex and challenging new world lies ahead. GDPR changed how we thought and deal with user information – supply chains are going to get the same sort of scrutiny. • Software is critical to every facet of our lives – the world has woken up to that . @spoole167
  73. As developers, we’re on the front line @spoole167
  74. Thank you Any questions? @spoole167