Organized cybercrime is the most profitable type of crime
Cybercrime was estimated to be worth 445 billion dollars a year
The United Nations Office on Drugs and Crime (UNODC) estimated the global illicit drug trade was worth 435 billion dollars
• Guess which one has the least risk to the criminal?
• Guess which one is growing the fastest?
• Guess which one is the hardest to prosecute?
• Guess which one is predicted to reach 2100 billion dollars by 2019
• Guess which one is predicted to reach 6000 billion dollars by 2021
@spoole167
Now they make their own
• Typosquatting: a lookalike domain or dependency with one or two wrong or different characters
• Open source repo attacks: attempts to get malware or weaknesses added into dependency source via social engineering or tools
• Build tool attacks: attempts to get malware into the tools that are used to produce dependencies
• Dependency confusion: attempts to get a different version added into a binary repository, often as “latest”
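An added example, not from the talk, that catches two of the attacks listed above (typosquatting and dependency confusion) before a build pulls the package. Everything in it is constructed: KNOWN_PUBLIC stands in for an allow-list of packages the team already uses, INTERNAL_ONLY for names that must never be fetched from a public index, and PUBLIC_INDEX for a snapshot of what a public index claims to serve. A real check would query the private and public registries instead of these dictionaries.

```python
"""Typosquat and dependency-confusion audit of a requirements list.
All package names, versions and the 'public index' below are constructed
for the example; nothing is fetched from a real index."""
import re

KNOWN_PUBLIC = {"requests", "urllib3", "numpy", "cryptography", "pyyaml"}
INTERNAL_ONLY = {"acme-payroll-core", "acme-auth-client"}
PUBLIC_INDEX = {                  # name -> highest published version (constructed)
    "requests": "2.31.0",
    "urllib3": "2.2.1",
    "numpy": "1.26.4",
    "cryptography": "42.0.5",
    "pyyaml": "6.0.1",
    "requets": "2.31.0",          # lookalike of requests, one character short
    "acme-auth-client": "99.0.0", # an internal name uploaded publicly with a huge version
}


def normalize(name: str) -> str:
    """Compare names the way package indexes do: runs of -, _ and . become one
    dash and case is ignored, so Foo_Bar, foo-bar and foo.bar are the same."""
    return re.sub(r"[-_.]+", "-", name).lower()


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance: single-character insertions, deletions and
    substitutions needed to turn a into b."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def check_typosquat(name, known=KNOWN_PUBLIC, max_distance=2):
    """Return the known package that `name` looks like, or None if `name` is
    itself known or is not close to anything known."""
    n = normalize(name)
    if n in known:
        return None
    best = None
    for k in known:
        d = edit_distance(n, k)
        if d <= max_distance and (best is None or d < best[1]):
            best = (k, d)
    return best[0] if best else None


def check_dependency_confusion(name, internal=INTERNAL_ONLY, public=PUBLIC_INDEX):
    """True when an internal-only name is also served by the public index: a
    resolver that prefers the highest version would pick the public copy."""
    n = normalize(name)
    return n in internal and n in public


def audit_requirements(lines):
    """Scan requirements-style lines ('name==version' or a bare name) and
    return (name, finding) pairs."""
    findings = []
    for raw in lines:
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        name = re.split(r"[=<>!~ \[]", line, 1)[0]
        hit = check_typosquat(name)
        if hit:
            findings.append((name, f"possible typosquat of {hit}"))
        if check_dependency_confusion(name):
            findings.append((name, "internal name also on public index (dependency confusion)"))
        if "==" not in line and normalize(name) in PUBLIC_INDEX:
            findings.append((name, "unpinned: resolver takes the highest or 'latest' version"))
    return findings


SAMPLE_REQUIREMENTS = [           # constructed input
    "requests==2.31.0",
    "requets==2.31.0",
    "acme-auth-client",
    "acme-payroll-core==1.4.0",
    "numpy",
]

if __name__ == "__main__":
    for name, finding in audit_requirements(SAMPLE_REQUIREMENTS):
        print(f"{name}: {finding}")
```

The edit-distance threshold of 2 is a trade-off: lower it and you miss two-character swaps, raise it and short names collide with each other; the confusion check is the one that matters most for internal names, since a public upload with a higher version wins by default in most resolvers unless the private index is the only index consulted.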
The Executive Order
Recognizes the need to form a united front
against “malicious cyber actors”
Outlines a direction for closer working between
all parts of the software industry
Adds new requirements on software vendors
selling to the US government
Will change how we produce and consume
software.
Hardening the software supply chain: every product
• has an SBOM
• uses an automatic supply chain process
• has evidence of software integrity
• has evidence of an automatic vulnerability check process
• has a vulnerability disclosure program
• has evidence of the provenance of all software used
• demonstrates strong controls over the use of internal and third-party software and services
• demonstrates regular audit processes
SBOM – the new important term
on the horizon
cyclonedx.org spdx.dev
And is always incomplete
Or even faked
[Diagram: Payroll App V1, built on Web Server 05.1.2 and Acme Framework]
What’s in the runtimes?
What tools were used to build?
[Diagram: the same Payroll App V1 expanded to show Runtime V2, OS V3.4, Compiler V9, CI/CD V2, OS V6, Compiler, and environmental information]
All componentry: SBOMs are intended to cover ‘everything’
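An added example, not from the talk, that builds a minimal CycloneDX-style SBOM for the Payroll App in the diagrams above and then shows both problems from the slide: an SBOM that lists only direct dependencies is incomplete against what is actually present, and a faked one is caught when its digests are recomputed. The component names, the bytes standing in for binaries and the OBSERVED environment are all constructed; a real generator reads lock files, container layers and the build host. The document uses CycloneDX JSON field names (bomFormat, specVersion, metadata, components, hashes) but is not validated against the published schema here.

```python
"""Minimal CycloneDX-style SBOM, plus completeness and integrity checks.
All artefacts, versions and the observed environment are constructed."""
import hashlib
import json


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Constructed stand-ins for the delivered binaries, keyed as name@version.
ARTEFACTS = {
    "web-server@05.1.2": b"constructed bytes of web server 05.1.2",
    "acme-framework@3.0": b"constructed bytes of acme framework 3.0",
}


def component(name, version, ctype="library", data=None):
    """One CycloneDX component; a digest is recorded when the bytes are known."""
    c = {"type": ctype, "name": name, "version": version}
    if data is not None:
        c["hashes"] = [{"alg": "SHA-256", "content": sha256_hex(data)}]
    return c


def build_sbom(components, tools):
    """metadata.component is the product itself, metadata.tools records what
    produced it, components are what the product contains."""
    return {
        "bomFormat": "CycloneDX",
        "specVersion": "1.4",
        "version": 1,
        "metadata": {
            "component": component("payroll-app", "1", ctype="application"),
            "tools": tools,
        },
        "components": components,
    }


# The first diagram: only the two direct dependencies are listed.
NAIVE_SBOM = build_sbom(
    [component("web-server", "05.1.2", data=ARTEFACTS["web-server@05.1.2"]),
     component("acme-framework", "3.0", data=ARTEFACTS["acme-framework@3.0"])],
    tools=[],
)

# The second diagram: runtime and OS ship with the product; compiler and
# CI/CD produced it, so they are recorded as tools.
FULL_SBOM = build_sbom(
    NAIVE_SBOM["components"] + [
        component("runtime", "2", ctype="framework"),
        component("os", "3.4", ctype="operating-system"),
    ],
    tools=[{"name": "compiler", "version": "9"}, {"name": "ci-cd", "version": "2"}],
)

# What an inspection of the built image and the build host found (constructed).
OBSERVED = {
    ("web-server", "05.1.2"), ("acme-framework", "3.0"),
    ("runtime", "2"), ("os", "3.4"), ("compiler", "9"), ("ci-cd", "2"),
}


def listed(sbom):
    """Every (name, version) the SBOM accounts for, components and tools."""
    comps = {(c["name"], c["version"]) for c in sbom["components"]}
    tools = {(t["name"], t["version"]) for t in sbom["metadata"].get("tools", [])}
    return comps | tools


def missing_from(sbom, observed=OBSERVED):
    """Observed parts the SBOM does not mention: the 'incomplete' gap."""
    return sorted(observed - listed(sbom))


def verify_hashes(sbom, artefacts=ARTEFACTS):
    """Recompute each recorded SHA-256 over the delivered bytes. A faked or
    stale SBOM whose digests do not match comes back as a list of bad keys."""
    bad = []
    for c in sbom["components"]:
        key = f"{c['name']}@{c['version']}"
        for h in c.get("hashes", []):
            if h["alg"] == "SHA-256" and h["content"] != sha256_hex(artefacts.get(key, b"")):
                bad.append(key)
    return bad


if __name__ == "__main__":
    print(json.dumps(FULL_SBOM, indent=2))
    print("naive SBOM is missing:", missing_from(NAIVE_SBOM))
    print("full SBOM is missing:", missing_from(FULL_SBOM))
```

The digest check only proves the SBOM describes the bytes you were given; it says nothing about whether those bytes were built from the source the vendor claims, which is the provenance question the later slides raise.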
Time to EXPLOIT?
[Chart: average days to exploit by year of date reported, 2006 to 2015, y-axis 0 to 50 days; chart labels read “Average”, “45”, “15” and “2017”]
Source: Adapted from IBM X-Force / Analysis by Gartner Research (September 2016)
The way you build
software is going to
change
You can expect every government
to follow suit on this sort of
initiative
Even if you're not selling directly,
you could be in a chain that is
The prediction is that by 2025 every
software vendor, open source
project etc will have to provide this
proof
Manual anything is going to be
problematic
You will need
• to be able to track back exactly how, where and with what your s/w was built
• to be able to deal with an increase in the number of reported vulnerabilities
• to be able to build your s/w automatically at a moment’s notice
• to provide your ‘SBOM’ to others
The next wave is moving from IaC to EaC (Everything as code)
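An added example, not from the talk, of what “track back exactly how, where and with what your s/w was built” looks like as data: a provenance record written at build time and re-checked later against the artefact, its inputs and its toolchain. The record follows the in-toto Statement / SLSA provenance layout (subject digests, builder id, materials with digests) but is simplified and unsigned. The source tree, the toolchain versions, the builder id and the “build” itself are constructed here; a real pipeline signs the statement and the verifier checks that signature before trusting any field.

```python
"""Simplified, unsigned provenance statement and its verification.
Source tree, toolchain, builder id and the build step are constructed."""
import hashlib

BUILDER_ID = "https://ci.example.invalid/runner/42"   # placeholder, not a real builder

# Constructed inputs: a tiny source tree and the tool versions used to build it.
SOURCE_TREE = {
    "src/payroll.py": b"print('payroll v1')\n",
    "requirements.txt": b"requests==2.31.0\n",
}
TOOLCHAIN = {"compiler": "9", "ci-cd": "2", "os": "6"}


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def fake_build(source_tree, toolchain) -> bytes:
    """Stand-in for the real build step: a deterministic function of every
    input and every tool version, so the same inputs give the same bytes."""
    h = hashlib.sha256()
    for path in sorted(source_tree):
        h.update(path.encode())
        h.update(source_tree[path])
    for tool in sorted(toolchain):
        h.update(f"{tool}={toolchain[tool]}".encode())
    return b"payroll-app-1:" + h.hexdigest().encode()


def make_provenance(artefact, source_tree, toolchain, builder_id=BUILDER_ID):
    """Statement linking the output digest to who built it and from what."""
    return {
        "_type": "https://in-toto.io/Statement/v0.1",
        "subject": [{"name": "payroll-app-1", "digest": {"sha256": sha256_hex(artefact)}}],
        "predicateType": "https://slsa.dev/provenance/v0.2",
        "predicate": {
            "builder": {"id": builder_id},
            "buildType": "https://example.invalid/fake-build/v1",   # placeholder
            "materials": [
                {"uri": f"file:{path}", "digest": {"sha256": sha256_hex(data)}}
                for path, data in sorted(source_tree.items())
            ],
            "buildConfig": {"toolchain": dict(sorted(toolchain.items()))},
        },
    }


def verify_provenance(statement, artefact, source_tree, toolchain, trusted_builders):
    """Return the problems found; an empty list means the artefact, its
    inputs and its toolchain all match a record from a builder we trust."""
    problems = []
    pred = statement["predicate"]
    if pred["builder"]["id"] not in trusted_builders:
        problems.append("untrusted builder")
    if statement["subject"][0]["digest"]["sha256"] != sha256_hex(artefact):
        problems.append("artefact digest mismatch")
    recorded = {m["uri"]: m["digest"]["sha256"] for m in pred["materials"]}
    actual = {f"file:{p}": sha256_hex(d) for p, d in source_tree.items()}
    if recorded != actual:
        problems.append("source materials differ")
    if pred["buildConfig"]["toolchain"] != toolchain:
        problems.append("toolchain differs")
    return problems


def rebuild_matches(statement, source_tree, toolchain) -> bool:
    """Reproducibility check: rebuild from the recorded inputs and compare the
    digest with the one in the statement."""
    rebuilt = fake_build(source_tree, toolchain)
    return sha256_hex(rebuilt) == statement["subject"][0]["digest"]["sha256"]


if __name__ == "__main__":
    artefact = fake_build(SOURCE_TREE, TOOLCHAIN)
    statement = make_provenance(artefact, SOURCE_TREE, TOOLCHAIN)
    print("clean:", verify_provenance(statement, artefact, SOURCE_TREE, TOOLCHAIN, {BUILDER_ID}))
    tampered = {**SOURCE_TREE, "src/payroll.py": b"print('something else')\n"}
    print("tampered source:", verify_provenance(statement, artefact, tampered, TOOLCHAIN, {BUILDER_ID}))
    print("rebuild from tampered source matches:", rebuild_matches(statement, tampered, TOOLCHAIN))
```

The point of the trusted_builders set is that the statement is only as good as who produced it: a record that says “built by my CI” is worthless if anyone can write one, which is why real systems sign the statement with a key held by the build service.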
The way you choose open source software is going to change
What do you do if an open-source component you rely on doesn’t comply?
How much risk are you willing to take?
Even if they say yes, how much can you trust them?
Do they have an SBOM?
What’s their ability to provide updates?
What’s their security posture?
No more: is it free and does it do what I want?
Evaluating open-source projects means more than checking their license
• License
• Vulnerability reporting process
• Development process (how do they review contributions?)
• Build process: is it secure? Who can trigger it?
• General assessment of their quality (MTTU, mean time to update)
Exploitation often comes from simple mistakes
• Clean code
• Defensive architecture
• Comprehensive tests
• Exception path testing
• Useful error messages
• Test dependencies
• Compartmentalisation of data
• Secured pipelines
• No ‘dev mode’
• Code reviews
• Thinking defensively
• …
And poor behavior
Ever googled for:
“very trusting trust manager”
“Getting Java to accept all certs over HTTPS”
“How to Trust Any SSL Certificate”
“Disable Certificate Validation in Java”
We’ve found 72,609 code results:
AlwaysValidTrustManager
TrustAllServersWrappingTrustManager
OverTrustingTrustProvider
AllTrustingSecurityManagerPlugin.java
AcceptingTrustManagerFactory.java
AllTrustingCertHttpRequester.java
“A very friendly, accepting trust manager factory. Allows anything through. all kind of certificates are accepted and trusted.”
“A very trusting trust manager that accepts anything”
“// Install the all-trusting trust manager”
And poor behavior
curl --insecure
wget --no-check-certificate
sudo apt-get --allow-unauthenticated
And by not understanding the
code and tools we use
“I thought I was using the tool correctly”
“I didn’t realize what the default setting was”
“I trusted the tool to do the right thing”
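An added example, not from the talk, covering the trust-all slides and the “I didn’t realize what the default setting was” point above. It shows the Python ssl equivalent of the trust-everything Java TrustManagers, curl --insecure and wget --no-check-certificate, beside the configuration that is correct by default, plus a small audit that flags the weak settings so a code review or a CI check can catch them. Nothing connects to the network; contexts are only built and inspected. The audit functions are mine, not part of the ssl module.

```python
"""Trust-all TLS client context beside the correct one, with an audit.
Nothing here opens a connection; contexts are only constructed and inspected."""
import ssl
from typing import List, Optional


def insecure_context() -> ssl.SSLContext:
    """What every 'disable certificate validation' snippet amounts to: no
    chain validation and no hostname check, so any server, including one in
    the middle, is accepted. Kept here only as the 'before' side."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False          # must be cleared before verify_mode
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def secure_context(cafile: Optional[str] = None) -> ssl.SSLContext:
    """The default is already right: CERT_REQUIRED, hostname checking and the
    system root store. Pass cafile to trust a private CA instead of adding a
    trust-all manager. TLS 1.2 is set as the floor explicitly."""
    ctx = ssl.create_default_context(cafile=cafile)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def audit_context(ctx: ssl.SSLContext) -> List[str]:
    """Flag the settings that turn a TLS client into a trust-all client."""
    findings = []
    if ctx.verify_mode == ssl.CERT_NONE:
        findings.append("verify_mode is CERT_NONE: the server chain is never validated")
    if not ctx.check_hostname:
        findings.append("check_hostname is False: a certificate for any name is accepted")
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        findings.append("minimum_version allows TLS below 1.2")
    return findings


def is_trust_all(ctx: ssl.SSLContext) -> bool:
    """The one-line question to ask of any HTTPS client setup in review."""
    return ctx.verify_mode == ssl.CERT_NONE or not ctx.check_hostname


if __name__ == "__main__":
    for label, ctx in (("insecure", insecure_context()), ("secure", secure_context())):
        print(label, "trust-all" if is_trust_all(ctx) else "ok", audit_context(ctx))
```

The secure version is shorter than the insecure one, which is the point the slide makes: the trust-all code exists because someone hit a certificate error and searched for a way to silence it, when the fix was to give the client the right CA bundle.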
If you contribute to open source
• Take these behaviors with you
• Think about software safety
• Think defensively
Summary
• Cyber attacks have entered a new and aggressive phase
• Automated, evidence-based Everything-as-code is the direction
• Open Source is still the primary vector
• Risk of attack is rising dramatically
• BYO pipelines will get replaced by commercial ones
• Consuming open source directly will reduce. You’ll pay for trusted versions
• How we write code must change
• How we work with other developers will change
Takeaways
• The days of just taking software off the shelf are numbered: choose software based on how it’s produced, not just what it does
• Evidence-based trust will become essential: your own supply chain (the software you use, how you develop, how you deploy) will become a certified step in someone else’s evidence chain
• A complex and challenging new world lies ahead. GDPR changed how we think about and deal with user information; supply chains are going to get the same sort of scrutiny
• Software is critical to every facet of our lives, and the world has woken up to that