Game Over Or Game Changing?
Why software development may never be the same again
Steve Poole, Sonatype
@spoole167
sonatype.com/devsignup
This talk is about
• How the nature of cyber attacks is changing
• A new US government initiative to combat this challenge
• How that initiative will impact how software is developed in the future
One day at work …
Files won’t open
“There is no application set to
open the document”
“Windows can’t open this file ”
Systems won’t start
“Unable to read config files”
“missing dll”
Unexpected files on the system, with extensions such as: micro, zepto, locky, cerber, cryp1, osiris, crypz, locked, decrypt2017, r5a, enigma, surprise, evillock, fu*ked
(source: https://techdator.net/ransomware-file-extensions/)
Signing in blocks
Explicit information
You’re the victim of a Ransomware Attack
Somewhere is a link to a cryptocurrency wallet and an amount you must pay.
How does it start?
Mostly phishing and malware, mostly targeted at Windows clients.
[Diagram: an installer dropping malware]
Not your usual Phishing…
DEAR SIR/MA'AM.
YOUR ATM CARD OF $10.5MILLION DOLLARS WAS RETURNED TODAY BY OUR COURIER DELIVERY
COMPANY, AND WE ARE GOING TO CANCEL THE ATM CARD IF YOU FAILS TO ACKNOWLEDGE THIS
MESSAGE, WE SHALL ALSO ASSUME THAT WHAT OUR COURIER DELIVERY COMPANY TOLD US IS
NOTHING BUT THE TRUTH THAT YOU DON'T NEED YOUR ATM CARD OF $10.5 MILLION DOLLARS ANY
LONGER.
DO ACKNOWLEDGE THIS MESSAGE AS SOON AS POSSIBLE.
YOURS FAITHFULLY.
YOURS SINCERELY,
MR MARK WRIGHT,
DIRECTOR FOREIGN REMITTANCE
ATM CARD SWIFT PAYMENT DEPARTMENT
ZENITH BANK OF NIGERIA.
😀
Federal Bureau of Investigation (FBI)
Anti-Terrorist And Monitory Crime Division.
Federal Bureau Of Investigation.
J.Edgar.Hoover Building Washington Dc
Customers Service Hours / Monday To Saturday
Office Hours Monday To Saturday:
Dear Beneficiary,
Series of meetings have been held over the past 7 months with the secretary general of the
United Nations Organization. This ended 3 days ago. It is obvious that you have not received
your fund which is to the tune of $16.5million due to past corrupt Governmental Officials who
almost held the fund to themselves for their selfish reason and some individuals who have
taken advantage of your fund all in an attempt to swindle your fund which has led to so many
losses from your end and unnecessary delay in the receipt of your fund.for more information
do get back to us.
….
Upon receipt of payment the delivery officer will ensure that your package is sent within 24
working hours.
😀
From <your boss>
I’ve spoken to the XYZ company CEO and they will send us the goods if we
pay $3M immediately. Details below.
I’m off to the golf course – no distractions please.
An email from an international transport company urging recipients to open a waybill.
Many ransomware attacks are specifically targeted at certain types of organisation.
[Chart: % of attacks by sector: Government, Education, Services, Healthcare, Technology, Manufacturing, Retail, Utilities, Finance, Other]
Many are specifically targeted at a single company or organisation.
With personalized attacks you invest more and make it compelling. Your victim’s views on Facebook about their boss, how busy they are, important deals coming up: it all helps to craft that million dollar attack…
Other vectors: network and delivery vulnerabilities
Other vectors: supply chain attacks
Hack software delivery systems upstream
The aim, as always, is Remote Code Execution
Once in, the malware calls back home for encryption keys
And uses sophisticated techniques to encrypt your system.
One file at a time, least used first ..
While copying critical data out, disguised as normal traffic:
Sometimes hidden in other payloads or protocols
Sometimes as responses to ‘legitimate’ requests
Almost always via botnets
Not new news? Here’s the punchline …
Ransomware can often be a visible test of an attack methodology; the money can be secondary.
Cyber attacks are rising in number and sophistication
Nation states are preparing for the next war, and that is all about software
The aim is to infiltrate infrastructure and essential services…
And manipulate or terminate them.
[Chart: Cybercrime versus Drug trade, 2013 to 2021, y-axis 0 to 6000]
Sounds bad?
$6 Trillion is just the ransomware
Estimates go as high as $30 Trillion for everything else.
That’s about $175 000 for every adult in the world
This new phase of cyber attacks is:
State funded
Professionally developed
Regularly exercised
Very sophisticated
And extremely lucrative
The incentive is huge
Weaponised cybercrime is the new reality
Nation states are preparing for the next war, and that is all about software
Open Source – the golden goose
Most applications are 90% open source
[Diagram: Payroll App V1 and its dependencies]
The amount of open source available is truly staggering
3 Million projects
37 Million versions
2.2 Trillion downloads
(Java, Javascript, Python, .Net)
Open source is built on trust.
We trust it so much it’s growing at 73% per year.
By 2025 there could be 20 Trillion downloads a year.
[Chart: downloads per year in trillions, 2021 to 2025, rising toward 20]
Cybercriminals used to search for vulnerabilities. Now they make their own:
• Typosquatting: a lookalike domain or dependency with one or two wrong or different characters
• Open source repo attacks: attempts to get malware or weaknesses added into dependency source, via social engineering or tools
• Build tool attacks: attempts to get malware into the tools that are used to produce dependencies
• Dependency confusion: attempts to get a different version added into a binary repository, often as “latest”
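Two of the patterns above (typosquatting and dependency confusion), plus the “latest” problem, can be screened for before a build downloads anything. The Python below is an added example, not code from the talk or from Sonatype; the trusted list, the `acme-` internal namespace, the index URLs and the manifest are all constructed for illustration.

```python
"""Added example: screen a dependency manifest for typosquats, dependency
confusion and unpinned 'latest' versions before anything is downloaded.
The trusted list, internal namespace, index URLs and manifest are constructed."""

# Allow-list of packages the team has already vetted (constructed).
TRUSTED = {"requests", "urllib3", "cryptography", "pyyaml", "click"}
# Packages under this prefix exist only in the private registry (constructed).
INTERNAL_PREFIX = "acme-"
PRIVATE_INDEX = "https://pypi.acme.invalid/simple"
PUBLIC_INDEX = "https://pypi.org/simple"

# Constructed manifest: (package name, version spec, index it would resolve from).
MANIFEST = [
    ("requests", "==2.31.0", PUBLIC_INDEX),
    ("reqeusts", "==2.31.0", PUBLIC_INDEX),       # two letters transposed
    ("acme-billing", "==1.4.0", PUBLIC_INDEX),    # internal name resolved from the public index
    ("acme-ledger", "==0.9.2", PRIVATE_INDEX),    # correctly routed internal package
    ("pyyaml", "latest", PUBLIC_INDEX),           # floating version
    ("cryptography", "==41.0.7", PUBLIC_INDEX),
]


def levenshtein(a: str, b: str) -> int:
    """Edit distance: a single-character typo or a swapped pair scores at most 2."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def check_manifest(manifest, trusted=TRUSTED, internal_prefix=INTERNAL_PREFIX,
                   private_index=PRIVATE_INDEX, max_distance=2):
    """Return (name, category, detail) findings; an empty list means the manifest is clean."""
    findings = []
    for name, spec, index in manifest:
        if name.startswith(internal_prefix):
            # Dependency confusion: an internal name must never be served by a public index.
            if index != private_index:
                findings.append((name, "dependency confusion",
                                 f"internal package resolved from {index}"))
        elif name not in trusted:
            # Typosquatting: an unknown name within a couple of edits of a trusted one.
            lookalikes = sorted(t for t in trusted if levenshtein(name, t) <= max_distance)
            if lookalikes:
                findings.append((name, "possible typosquat", f"resembles {lookalikes[0]}"))
            else:
                findings.append((name, "unvetted", "not on the allow-list"))
        if not spec.startswith("=="):
            # 'latest' (or any floating range) lets the registry choose the version for you.
            findings.append((name, "unpinned", f"version spec {spec!r} is not an exact pin"))
    return findings


if __name__ == "__main__":
    for name, category, detail in check_manifest(MANIFEST):
        print(f"{category:22} {name:14} {detail}")
```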
Put a different way…
[Diagram: Payroll App V1]
Bad guys used to look for code weaknesses here
[Diagram: Payroll App V1 and its dependencies]
Now they are adding their own upstream
[Diagram: dependencies, tools, runtimes, platforms and code generators feeding Payroll App V1]
Many are designed to stay hidden until needed
[Diagram: dependencies, tools, runtimes, platforms and code generators feeding Payroll App V1]
Blind trust in Open Source software is evaporating
5% of the projects on Maven Central already have a vulnerability of CVSS 9 or 10
Now there are direct attacks on open source projects and maintainers to gain access to source repos or release processes
Now there are direct attacks to insert malicious code via pull requests
Now there are direct attacks on the compilers and packaging tools
This year we finally came together to try to do something about cyber attacks. It focuses first on making software more trustworthy.
17 May 2021
Joe Biden
The Executive Order
• Recognizes the need to form a united front against “malicious cyber actors”
• Outlines a direction for closer working between all parts of the software industry
• Adds new requirements on software vendors selling to the US government
• Will change how we produce and consume software.
Hardening the software supply chain: every product
• has an SBOM
• uses an automatic supply chain process
• has evidence of software integrity
• has evidence of an automatic vulnerability check process
• has a vulnerability disclosure program
• has evidence of the provenance of all software used
• demonstrates strong controls over the use of internal and third-party software and services
• demonstrates regular audit processes
SBOM – the new important term on the horizon
cyclonedx.org spdx.dev
Modern vulnerability tools scan your builds
[Diagram: Payroll App V1 and its dependencies]
Tracking dependencies relies on tools that analyze the end result
[Diagram: Payroll App V1 built on Web Server 05.1.2 and Acme Framework 2.1]
Which relies on transparency
[Diagram: Payroll App V1 built on Web Server 05.1.2 and Acme Framework 2.1]
Which can be problematic: incomplete data, opaque dependencies
[Diagram: Payroll App V1, Web Server 05.1.2, Acme Framework]
And is always incomplete, or even faked. What’s in the runtimes? What tools were used to build?
[Diagram: Payroll App V1, Web Server 05.1.2, Acme Framework]
An SBOM provides evidence on how software was built: all componentry plus environmental information
[Diagram: Payroll App V1 with Web Server 05.1.2 and Acme Framework, built with Runtime V2, OS V3.4, Compiler V9, CI/CD V2, OS V6, Compiler]
[Diagram: this product, version 1.1, with dependency refs to Foo 2.1 and Bar 3.1]
Becomes this:
[Diagram: product 1.1 with dependency refs to Foo 2.1 and Bar 3.1; each dependency ref now carries a dependency SBOM ref (url) and an SBOM signature (SHA1024); the product itself carries a product URL and a product signature (SHA1024)]
Becomes this:
[Diagram: product 1.1 (url, SHA1024) with Foo 2.1 and Bar 3.1 (each with url and SHA), plus the build environment: Gcc 3.6, RHEL, zip, Jenkins and Github action, each with its own url and SHA]
And you ‘inherit’ all their SBOM info too (and all their dependents)
[Diagram: product 1.1, url, SHA1024]
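What ‘inheriting’ a dependency’s SBOM means in practice, as an added example that is not from the talk or from any Sonatype tool: the product SBOM records, for each dependency, the url of that dependency’s own SBOM and a hash of it; a consumer fetches each referenced SBOM, verifies the hash before trusting it, and recurses. The document shape, urls and contents below are constructed for illustration and are not CycloneDX or SPDX; SHA-256 stands in for the slide’s “SHA1024”.

```python
"""Added example: walk a chain of SBOMs and verify each link before trusting it.
Document shape, urls and contents are constructed; this is not CycloneDX or SPDX."""
import hashlib
import json


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def publish(registry: dict, url: str, sbom: dict) -> str:
    """Store an SBOM at `url` in the fake registry; return the hash a consumer should record."""
    raw = json.dumps(sbom, sort_keys=True).encode()
    registry[url] = raw
    return sha256_hex(raw)


# Constructed registry (url -> raw SBOM bytes) standing in for real HTTP fetches.
REGISTRY = {}
BAR_URL = "https://example.invalid/bar-3.1.sbom.json"
FOO_URL = "https://example.invalid/foo-2.1.sbom.json"

# Bar 3.1 is a leaf: it declares only what it was built with.
BAR_HASH = publish(REGISTRY, BAR_URL, {
    "component": {"name": "Bar", "version": "3.1"},
    "buildEnvironment": [{"name": "Gcc", "version": "3.6"}, {"name": "RHEL", "version": "8"}],
    "dependencies": [],
})
# Foo 2.1 depends on Bar 3.1 and records Bar's SBOM url and hash.
FOO_HASH = publish(REGISTRY, FOO_URL, {
    "component": {"name": "Foo", "version": "2.1"},
    "buildEnvironment": [{"name": "Jenkins", "version": "2.3"}],
    "dependencies": [{"name": "Bar", "version": "3.1", "sbomUrl": BAR_URL, "sbomSha256": BAR_HASH}],
})
# This product 1.1 depends on both, as on the slide.
PRODUCT_SBOM = {
    "component": {"name": "this-product", "version": "1.1"},
    "buildEnvironment": [{"name": "Github action", "version": "v3"}],
    "dependencies": [
        {"name": "Foo", "version": "2.1", "sbomUrl": FOO_URL, "sbomSha256": FOO_HASH},
        {"name": "Bar", "version": "3.1", "sbomUrl": BAR_URL, "sbomSha256": BAR_HASH},
    ],
}


def fetch_verified(registry: dict, url: str, expected_sha256: str) -> dict:
    """Fetch a referenced SBOM and refuse it unless its bytes hash to the recorded value."""
    raw = registry.get(url)
    if raw is None:
        raise ValueError(f"SBOM missing at {url}")
    if sha256_hex(raw) != expected_sha256:
        raise ValueError(f"SBOM at {url} does not match the recorded hash: tampered or replaced")
    return json.loads(raw)


def flatten(sbom: dict, registry: dict, seen=None) -> dict:
    """Return everything inherited through the chain:
    {'components': {name@version, ...}, 'tooling': {tool@version, ...}}.
    `seen` stops infinite recursion if the dependency graph has a cycle."""
    seen = set() if seen is None else seen
    comp = sbom["component"]
    key = f"{comp['name']}@{comp['version']}"
    result = {"components": {key}, "tooling": set()}
    if key in seen:
        return result
    seen.add(key)
    for tool in sbom.get("buildEnvironment", []):
        result["tooling"].add(f"{tool['name']}@{tool['version']}")
    for dep in sbom.get("dependencies", []):
        child = fetch_verified(registry, dep["sbomUrl"], dep["sbomSha256"])
        inherited = flatten(child, registry, seen)
        result["components"] |= inherited["components"]
        result["tooling"] |= inherited["tooling"]
    return result


def tamper_demo() -> str:
    """Swap Bar's published SBOM after the product recorded its hash (the 'faked' case)
    and return the error the verified walk raises. Works on a copy so REGISTRY stays intact."""
    forged = dict(REGISTRY)
    forged[BAR_URL] = json.dumps({"component": {"name": "Bar", "version": "3.1"},
                                  "buildEnvironment": [], "dependencies": []}).encode()
    try:
        flatten(PRODUCT_SBOM, forged)
    except ValueError as err:
        return str(err)
    return "no error raised"


if __name__ == "__main__":
    info = flatten(PRODUCT_SBOM, REGISTRY)
    print("components:", sorted(info["components"]))
    print("tooling:", sorted(info["tooling"]))
    print("tamper check:", tamper_demo())
```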
Which means? More likelihood of finding issues
Which means? More issues, more often
The way you build software is going to change
You can expect every government to follow suit on this sort of initiative.
Even if you're not selling directly, you could be in a chain that is.
The prediction is that by 2025 every software vendor, open source project etc. will have to provide this proof.
Manual anything is going to be problematic.
You will need
• to be able to track back exactly how, where and with what your s/w was built
• to be able to deal with an increase in the number of reported vulnerabilities
• to be able to build your s/w automatically at a moment’s notice
• to provide your ‘SBOM’ to others
The next wave is moving from IAC (infrastructure as code) to EAC (everything as code)
The way you choose open source software is going to change
• What do you do if an open-source component you rely on doesn’t comply?
• How much risk are you willing to take?
• Even if they say yes, how much can you trust them?
• Do they have an SBOM?
• What’s their ability to provide updates?
• What’s their security posture?
Not just “is it free, does it do what I want?”
What tools can you use to help?
Many tools to help with your code.
And quite a few to tell you about your dependencies.
But even with the best tools in the world …
The best tools right now are these:
Time to exercise your suspicious brain, find code smells and LOOK closely at the projects you’re using.
Build your own selection criteria or use ours.
Things to check for:
• License / security.md file
• Vulnerability reporting process
• Development process (how do they review contributions?)
• Build process: is it secure? Who can trigger it?
• General assessment of their quality (MTTU)
Things to check for:
• Unexpected release frequency
• Number and activity patterns of committers
• Do they do Static Analysis and Security Testing (SAST)?
• Are they prone to making breaking changes?
• Do they often have no path forward (latest version has vulnerabilities)?
This is obviously hard and time consuming
Getting your own supply chain in a fit state is one thing. What about all your dependencies?
Obvious thoughts
• BYO pipelines will get replaced by commercial ones.
• Automated, evidence based everything-as-code supply chains are the way forward.
• But developer productivity is going to be impacted before we get there.
• Consuming open source directly will reduce. You’ll pay for trusted versions or have very strict consumption policies.
Those that can create automated, highly productive supply chains will have an immediate competitive advantage.
This is the cost of dealing with:
• The new motives behind cyber attacks
• The increase in risk of being attacked, because you’re in someone’s supply chain
• Open source still being the primary vector
• The long term transformation of open source communities
It’s still all software – it’s still up to us to make the world safer.
Takeaways
• The days of just taking software off the shelf are numbered: choose software based on how it’s produced, not just what it does
• Evidence based trust will become essential: your own supply chain (the software you use, how you develop, how you deploy) will become a certified step in someone else's evidence chain.
• A complex and challenging new world lies ahead. GDPR changed how we think about and deal with user information; supply chains are going to get the same sort of scrutiny.
• It’s time to reassess tools and vendors. Look for a partner you can trust to build supply chains you and the world can rely on.
Questions?
bit.ly/software-supply-chain
 
The Secret Life of Maven Central.pptx
The Secret Life of Maven Central.pptxThe Secret Life of Maven Central.pptx
The Secret Life of Maven Central.pptx
 
Log4Shell - Armageddon or Opportunity.pptx
Log4Shell - Armageddon or Opportunity.pptxLog4Shell - Armageddon or Opportunity.pptx
Log4Shell - Armageddon or Opportunity.pptx
 
Agile Islands 2020 - Dashboards and Culture
Agile Islands 2020 - Dashboards and CultureAgile Islands 2020 - Dashboards and Culture
Agile Islands 2020 - Dashboards and Culture
 
LJC Speaker Clnic June 2020
LJC Speaker Clnic June 2020LJC Speaker Clnic June 2020
LJC Speaker Clnic June 2020
 
Agile Tour London 2018: DASHBOARDS AND CULTURE – HOW OPENNESS CHANGES YOUR BE...
Agile Tour London 2018: DASHBOARDS AND CULTURE – HOW OPENNESS CHANGES YOUR BE...Agile Tour London 2018: DASHBOARDS AND CULTURE – HOW OPENNESS CHANGES YOUR BE...
Agile Tour London 2018: DASHBOARDS AND CULTURE – HOW OPENNESS CHANGES YOUR BE...
 
Beyond the Pi: What’s Next for the Hacker in All of Us?
Beyond the Pi: What’s Next for the Hacker in All of Us?Beyond the Pi: What’s Next for the Hacker in All of Us?
Beyond the Pi: What’s Next for the Hacker in All of Us?
 
A Modern Fairy Tale: Java Serialization
A Modern Fairy Tale: Java Serialization A Modern Fairy Tale: Java Serialization
A Modern Fairy Tale: Java Serialization
 
Eclipse OpenJ9 - SpringOne 2018 Lightning talk
Eclipse OpenJ9 - SpringOne 2018 Lightning talkEclipse OpenJ9 - SpringOne 2018 Lightning talk
Eclipse OpenJ9 - SpringOne 2018 Lightning talk
 
SkillsMatter June 2018: Java in the 21st Century: Are You Thinking Far Enough...
SkillsMatter June 2018: Java in the 21st Century: Are You Thinking Far Enough...SkillsMatter June 2018: Java in the 21st Century: Are You Thinking Far Enough...
SkillsMatter June 2018: Java in the 21st Century: Are You Thinking Far Enough...
 
Dev Days Vilnius 2018 : Cloud Native Java with OpenJ9- Fast, Lean and definit...
Dev Days Vilnius 2018 : Cloud Native Java with OpenJ9- Fast, Lean and definit...Dev Days Vilnius 2018 : Cloud Native Java with OpenJ9- Fast, Lean and definit...
Dev Days Vilnius 2018 : Cloud Native Java with OpenJ9- Fast, Lean and definit...
 
Keynote Dev Days vilnius 2018: how openness changes your behaviour
Keynote Dev Days vilnius 2018:  how openness changes your behaviourKeynote Dev Days vilnius 2018:  how openness changes your behaviour
Keynote Dev Days vilnius 2018: how openness changes your behaviour
 
Dev talks Cluj 2018 : Java in the 21 Century: Are you thinking far enough ahead?
Dev talks Cluj 2018 : Java in the 21 Century: Are you thinking far enough ahead?Dev talks Cluj 2018 : Java in the 21 Century: Are you thinking far enough ahead?
Dev talks Cluj 2018 : Java in the 21 Century: Are you thinking far enough ahead?
 
Java application security the hard way - a workshop for the serious developer
Java application security the hard way - a workshop for the serious developerJava application security the hard way - a workshop for the serious developer
Java application security the hard way - a workshop for the serious developer
 
Locking the Doors -7 Pernicious Pitfalls to avoid with Java
Locking the Doors -7 Pernicious Pitfalls to avoid with JavaLocking the Doors -7 Pernicious Pitfalls to avoid with Java
Locking the Doors -7 Pernicious Pitfalls to avoid with Java
 
Dashboards and Culture: How Openness Changes Your Behaviour
Dashboards and Culture: How Openness Changes Your BehaviourDashboards and Culture: How Openness Changes Your Behaviour
Dashboards and Culture: How Openness Changes Your Behaviour
 
QCon London - Java at Scale
QCon London - Java at ScaleQCon London - Java at Scale
QCon London - Java at Scale
 

Kürzlich hochgeladen

How To Troubleshoot Collaboration Apps for the Modern Connected Worker
How To Troubleshoot Collaboration Apps for the Modern Connected WorkerHow To Troubleshoot Collaboration Apps for the Modern Connected Worker
How To Troubleshoot Collaboration Apps for the Modern Connected WorkerThousandEyes
 
Steps To Getting Up And Running Quickly With MyTimeClock Employee Scheduling ...
Steps To Getting Up And Running Quickly With MyTimeClock Employee Scheduling ...Steps To Getting Up And Running Quickly With MyTimeClock Employee Scheduling ...
Steps To Getting Up And Running Quickly With MyTimeClock Employee Scheduling ...MyIntelliSource, Inc.
 
The Ultimate Test Automation Guide_ Best Practices and Tips.pdf
The Ultimate Test Automation Guide_ Best Practices and Tips.pdfThe Ultimate Test Automation Guide_ Best Practices and Tips.pdf
The Ultimate Test Automation Guide_ Best Practices and Tips.pdfkalichargn70th171
 
Shapes for Sharing between Graph Data Spaces - and Epistemic Querying of RDF-...
Shapes for Sharing between Graph Data Spaces - and Epistemic Querying of RDF-...Shapes for Sharing between Graph Data Spaces - and Epistemic Querying of RDF-...
Shapes for Sharing between Graph Data Spaces - and Epistemic Querying of RDF-...Steffen Staab
 
Diamond Application Development Crafting Solutions with Precision
Diamond Application Development Crafting Solutions with PrecisionDiamond Application Development Crafting Solutions with Precision
Diamond Application Development Crafting Solutions with PrecisionSolGuruz
 
Unveiling the Tech Salsa of LAMs with Janus in Real-Time Applications
Unveiling the Tech Salsa of LAMs with Janus in Real-Time ApplicationsUnveiling the Tech Salsa of LAMs with Janus in Real-Time Applications
Unveiling the Tech Salsa of LAMs with Janus in Real-Time ApplicationsAlberto González Trastoy
 
HR Software Buyers Guide in 2024 - HRSoftware.com
HR Software Buyers Guide in 2024 - HRSoftware.comHR Software Buyers Guide in 2024 - HRSoftware.com
HR Software Buyers Guide in 2024 - HRSoftware.comFatema Valibhai
 
Hand gesture recognition PROJECT PPT.pptx
Hand gesture recognition PROJECT PPT.pptxHand gesture recognition PROJECT PPT.pptx
Hand gesture recognition PROJECT PPT.pptxbodapatigopi8531
 
5 Signs You Need a Fashion PLM Software.pdf
5 Signs You Need a Fashion PLM Software.pdf5 Signs You Need a Fashion PLM Software.pdf
5 Signs You Need a Fashion PLM Software.pdfWave PLM
 
+971565801893>>SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHAB...
+971565801893>>SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHAB...+971565801893>>SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHAB...
+971565801893>>SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHAB...Health
 
Software Quality Assurance Interview Questions
Software Quality Assurance Interview QuestionsSoftware Quality Assurance Interview Questions
Software Quality Assurance Interview QuestionsArshad QA
 
How To Use Server-Side Rendering with Nuxt.js
How To Use Server-Side Rendering with Nuxt.jsHow To Use Server-Side Rendering with Nuxt.js
How To Use Server-Side Rendering with Nuxt.jsAndolasoft Inc
 
Unlocking the Future of AI Agents with Large Language Models
Unlocking the Future of AI Agents with Large Language ModelsUnlocking the Future of AI Agents with Large Language Models
Unlocking the Future of AI Agents with Large Language Modelsaagamshah0812
 
CALL ON ➥8923113531 🔝Call Girls Kakori Lucknow best sexual service Online ☂️
CALL ON ➥8923113531 🔝Call Girls Kakori Lucknow best sexual service Online  ☂️CALL ON ➥8923113531 🔝Call Girls Kakori Lucknow best sexual service Online  ☂️
CALL ON ➥8923113531 🔝Call Girls Kakori Lucknow best sexual service Online ☂️anilsa9823
 
Tech Tuesday-Harness the Power of Effective Resource Planning with OnePlan’s ...
Tech Tuesday-Harness the Power of Effective Resource Planning with OnePlan’s ...Tech Tuesday-Harness the Power of Effective Resource Planning with OnePlan’s ...
Tech Tuesday-Harness the Power of Effective Resource Planning with OnePlan’s ...OnePlan Solutions
 
Learn the Fundamentals of XCUITest Framework_ A Beginner's Guide.pdf
Learn the Fundamentals of XCUITest Framework_ A Beginner's Guide.pdfLearn the Fundamentals of XCUITest Framework_ A Beginner's Guide.pdf
Learn the Fundamentals of XCUITest Framework_ A Beginner's Guide.pdfkalichargn70th171
 
Right Money Management App For Your Financial Goals
Right Money Management App For Your Financial GoalsRight Money Management App For Your Financial Goals
Right Money Management App For Your Financial GoalsJhone kinadey
 

Kürzlich hochgeladen (20)

CHEAP Call Girls in Pushp Vihar (-DELHI )🔝 9953056974🔝(=)/CALL GIRLS SERVICE
CHEAP Call Girls in Pushp Vihar (-DELHI )🔝 9953056974🔝(=)/CALL GIRLS SERVICECHEAP Call Girls in Pushp Vihar (-DELHI )🔝 9953056974🔝(=)/CALL GIRLS SERVICE
CHEAP Call Girls in Pushp Vihar (-DELHI )🔝 9953056974🔝(=)/CALL GIRLS SERVICE
 
How To Troubleshoot Collaboration Apps for the Modern Connected Worker
How To Troubleshoot Collaboration Apps for the Modern Connected WorkerHow To Troubleshoot Collaboration Apps for the Modern Connected Worker
How To Troubleshoot Collaboration Apps for the Modern Connected Worker
 
Steps To Getting Up And Running Quickly With MyTimeClock Employee Scheduling ...
Steps To Getting Up And Running Quickly With MyTimeClock Employee Scheduling ...Steps To Getting Up And Running Quickly With MyTimeClock Employee Scheduling ...
Steps To Getting Up And Running Quickly With MyTimeClock Employee Scheduling ...
 
The Ultimate Test Automation Guide_ Best Practices and Tips.pdf
The Ultimate Test Automation Guide_ Best Practices and Tips.pdfThe Ultimate Test Automation Guide_ Best Practices and Tips.pdf
The Ultimate Test Automation Guide_ Best Practices and Tips.pdf
 
Shapes for Sharing between Graph Data Spaces - and Epistemic Querying of RDF-...
Shapes for Sharing between Graph Data Spaces - and Epistemic Querying of RDF-...Shapes for Sharing between Graph Data Spaces - and Epistemic Querying of RDF-...
Shapes for Sharing between Graph Data Spaces - and Epistemic Querying of RDF-...
 
Diamond Application Development Crafting Solutions with Precision
Diamond Application Development Crafting Solutions with PrecisionDiamond Application Development Crafting Solutions with Precision
Diamond Application Development Crafting Solutions with Precision
 
Vip Call Girls Noida ➡️ Delhi ➡️ 9999965857 No Advance 24HRS Live
Vip Call Girls Noida ➡️ Delhi ➡️ 9999965857 No Advance 24HRS LiveVip Call Girls Noida ➡️ Delhi ➡️ 9999965857 No Advance 24HRS Live
Vip Call Girls Noida ➡️ Delhi ➡️ 9999965857 No Advance 24HRS Live
 
Unveiling the Tech Salsa of LAMs with Janus in Real-Time Applications
Unveiling the Tech Salsa of LAMs with Janus in Real-Time ApplicationsUnveiling the Tech Salsa of LAMs with Janus in Real-Time Applications
Unveiling the Tech Salsa of LAMs with Janus in Real-Time Applications
 
Microsoft AI Transformation Partner Playbook.pdf
Microsoft AI Transformation Partner Playbook.pdfMicrosoft AI Transformation Partner Playbook.pdf
Microsoft AI Transformation Partner Playbook.pdf
 
HR Software Buyers Guide in 2024 - HRSoftware.com
HR Software Buyers Guide in 2024 - HRSoftware.comHR Software Buyers Guide in 2024 - HRSoftware.com
HR Software Buyers Guide in 2024 - HRSoftware.com
 
Hand gesture recognition PROJECT PPT.pptx
Hand gesture recognition PROJECT PPT.pptxHand gesture recognition PROJECT PPT.pptx
Hand gesture recognition PROJECT PPT.pptx
 
5 Signs You Need a Fashion PLM Software.pdf
5 Signs You Need a Fashion PLM Software.pdf5 Signs You Need a Fashion PLM Software.pdf
5 Signs You Need a Fashion PLM Software.pdf
 
+971565801893>>SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHAB...
+971565801893>>SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHAB...+971565801893>>SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHAB...
+971565801893>>SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHAB...
 
Software Quality Assurance Interview Questions
Software Quality Assurance Interview QuestionsSoftware Quality Assurance Interview Questions
Software Quality Assurance Interview Questions
 
How To Use Server-Side Rendering with Nuxt.js
How To Use Server-Side Rendering with Nuxt.jsHow To Use Server-Side Rendering with Nuxt.js
How To Use Server-Side Rendering with Nuxt.js
 
Unlocking the Future of AI Agents with Large Language Models
Unlocking the Future of AI Agents with Large Language ModelsUnlocking the Future of AI Agents with Large Language Models
Unlocking the Future of AI Agents with Large Language Models
 
CALL ON ➥8923113531 🔝Call Girls Kakori Lucknow best sexual service Online ☂️
CALL ON ➥8923113531 🔝Call Girls Kakori Lucknow best sexual service Online  ☂️CALL ON ➥8923113531 🔝Call Girls Kakori Lucknow best sexual service Online  ☂️
CALL ON ➥8923113531 🔝Call Girls Kakori Lucknow best sexual service Online ☂️
 
Tech Tuesday-Harness the Power of Effective Resource Planning with OnePlan’s ...
Tech Tuesday-Harness the Power of Effective Resource Planning with OnePlan’s ...Tech Tuesday-Harness the Power of Effective Resource Planning with OnePlan’s ...
Tech Tuesday-Harness the Power of Effective Resource Planning with OnePlan’s ...
 
Learn the Fundamentals of XCUITest Framework_ A Beginner's Guide.pdf
Learn the Fundamentals of XCUITest Framework_ A Beginner's Guide.pdfLearn the Fundamentals of XCUITest Framework_ A Beginner's Guide.pdf
Learn the Fundamentals of XCUITest Framework_ A Beginner's Guide.pdf
 
Right Money Management App For Your Financial Goals
Right Money Management App For Your Financial GoalsRight Money Management App For Your Financial Goals
Right Money Management App For Your Financial Goals
 

Game Over or Game Changing? Why Software Development May Never be the same again

  • 1. Game Over Or Game Changing? Why software development may never be the same again. Steve Poole, Sonatype. @spoole167 sonatype.com/devsignup
  • 2. This talk is about • How the nature of cyber attacks is changing • A new US government initiative to combat this challenge • How that initiative will impact how software is developed in the future
  • 3. One day at work …
  • 4. Files won’t open: “There is no application set to open the document”, “Windows can’t open this file”.
  • 5. Systems won’t start: “Unable to read config files”, “missing dll”.
  • 6. Unexpected files on the system, with extensions such as micro, zepto, locky, cerber, cryp1, osiris, crypz, locked, decrypt2017, r5a, enigma, surprise, evillock, fu*ked (https://techdator.net/ransomware-file-extensions/).
  • 9. You’re the victim of a Ransomware Attack.
  • 10. Somewhere is a link to a cryptocurrency wallet and an amount you must pay.
  • 11. How does it start? Mostly phishing and malware, mostly targeted at Windows clients. (Diagram: malware installer → malware.)
  • 13. DEAR SIR/MA'AM. YOUR ATM CARD OF $10.5MILLION DOLLARS WAS RETURNED TODAY BY OUR COURIER DELIVERY COMPANY, AND WE ARE GOING TO CANCEL THE ATM CARD IF YOU FAILS TO ACKNOWLEDGE THIS MESSAGE, WE SHALL ALSO ASSUME THAT WHAT OUR COURIER DELIVERY COMPANY TOLD US IS NOTHING BUT THE TRUTH THAT YOU DON'T NEED YOUR ATM CARD OF $10.5 MILLION DOLLARS ANY LONGER. DO ACKNOWLEDGE THIS MESSAGE AS SOON AS POSSIBLE. YOURS FAITHFULLY. YOURS SINCERELY, MR MARK WRIGHT, DIRECTOR FOREIGN REMITTANCE ATM CARD SWIFT PAYMENT DEPARTMENT ZENITH BANK OF NIGERIA. 😀
  • 14. Federal Bureau of Investigation (FBI) Anti-Terrorist And Monitory Crime Division. Federal Bureau Of Investigation. J.Edgar.Hoover Building Washington Dc Customers Service Hours / Monday To Saturday Office Hours Monday To Saturday: Dear Beneficiary, Series of meetings have been held over the past 7 months with the secretary general of the United Nations Organization. This ended 3 days ago. It is obvious that you have not received your fund which is to the tune of $16.5million due to past corrupt Governmental Officials who almost held the fund to themselves for their selfish reason and some individuals who have taken advantage of your fund all in an attempt to swindle your fund which has led to so many losses from your end and unnecessary delay in the receipt of your fund.for more information do get back to us. …. Upon receipt of payment the delivery officer will ensure that your package is sent within 24 working hours. 😀
  • 15. From <your boss>: I’ve spoken to the XYZ company CEO and they will send us the goods if we pay $3M immediately. Details below. I’m off to the golf course – no distractions please.
  • 16. An email from an international transport company urging recipients to open a waybill.
  • 17. Many ransomware attacks are specifically targeted at certain types of organisation. (Chart: percentage of attacks by sector, 0–20%, for Government, Education, Services, Healthcare, Technology, Manufacturing, Retail, Utilities, Finance and Other.)
  • 18. Many are specifically targeted at a single company or organisation. With personalized attacks you invest more and make it compelling. Your victim’s views on Facebook about their boss, how busy they are, important deals coming up: it all helps to craft that million dollar attack…
  • 19. Other vectors: network and delivery vulnerabilities.
  • 20. Other vectors: supply chain attacks. Hack the software delivery systems upstream.
  • 21. The aim, as always, is Remote Code Execution.
  • 22. Once in, the malware calls back home for encryption keys.
  • 23. And uses sophisticated techniques to encrypt your system: one file at a time, least used first…
  • 24. While copying critical data out, disguised as normal traffic. Sometimes hidden in other payloads or protocols, sometimes as responses to ‘legitimate’ requests, almost always via botnets.
  • 26. Ransomware can often be a visible test of an attack methodology; the money can be secondary.
  • 27. Cyber attacks are rising in number and sophistication. Nation states are preparing for the next war, and that is all about software. The aim is to infiltrate infrastructure and essential services…
  • 28. And manipulate or terminate.
  • 29. (Chart: cost of cybercrime versus the drug trade by year, 2013–2021; y-axis 0–6000.)
  • 31. Sounds bad? $6 Trillion is just the ransomware. Estimates go as high as $30 Trillion for everything else.
  • 32. That’s about $175 000 for every adult in the world.
  • 33. The attacks in this new phase are state funded, professionally developed, regularly exercised, very sophisticated and extremely lucrative.
  • 34. The incentive is huge. Weaponised cybercrime is the new reality. Nation states are preparing for the next war, and that is all about software.
  • 35. Open Source – the golden goose
  • 37. The amount of open source available is truly staggering: 3 million projects, 37 million versions, 2.2 trillion downloads across Java, JavaScript, Python and .NET.
  • 38. Open source is built on trust. We trust it so much it’s growing at 73% per year. By 2025 there could be 20 trillion downloads a year. (Chart: projected downloads per year, 2021–2025, 0–20 trillion.)
  • 39. Cybercriminals used to search for vulnerabilities.
  • 40. Now they make their own:
    • Typosquatting: a lookalike domain or dependency with one or two wrong or different characters.
    • Open source repo attacks: attempts to get malware or weaknesses added into dependency source, via social engineering or tooling.
    • Build tool attacks: attempts to get malware into the tools that are used to produce dependencies.
    • Dependency confusion: attempts to get a different version added into a binary repository, often as “latest”.
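As an added example (not from the talk), the following Python script applies the typosquatting and dependency confusion checks described above to a constructed requirements manifest. The popular-package list, the `acme-` internal prefix and the package names are assumptions made for the example; the optimal string alignment (Damerau-Levenshtein) distance and PEP 503 name normalisation are standard techniques.

```python
"""Added example (not from the talk): two of the attack patterns above,
checked against a constructed Python requirements manifest.

- typosquatting: a requested name within a small edit distance of a
  popular package, after folding look-alike characters
- dependency confusion / floating versions: an internal package name a
  public index could also serve, and names with no version pin

The package names, the 'popular' list and the internal prefix are
assumptions made for the example."""
import re
from dataclasses import dataclass
from typing import List, Optional

POPULAR = {"requests", "urllib3", "numpy", "django", "cryptography"}
INTERNAL_PREFIX = "acme-"   # assumption: the company's packages share a prefix
# single-character look-alikes attackers substitute; folded before comparing
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "5": "s"})


@dataclass
class Dep:
    name: str
    version: Optional[str]   # None means "whatever is latest"


@dataclass
class Finding:
    package: str
    kind: str
    detail: str


def pep503(name: str) -> str:
    """PyPI's own name normalisation: case-fold, collapse runs of -, _ and ."""
    return re.sub(r"[-_.]+", "-", name).lower()


def normalise(name: str) -> str:
    """PEP 503 form plus look-alike folding ('rn' reads as 'm' in many fonts)."""
    return pep503(name).translate(HOMOGLYPHS).replace("rn", "m")


def osa_distance(a: str, b: str) -> int:
    """Optimal string alignment distance: single edits plus adjacent
    transpositions, which are the mutations typosquats are built from."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)
    return d[len(a)][len(b)]


def typosquat_candidates(requested: str, popular=POPULAR, max_distance: int = 1) -> List[str]:
    """Popular names `requested` is suspiciously close to. An exact PEP 503
    match is the real package and never a hit; a match only after look-alike
    folding (djang0 -> django) has distance 0 and is a hit."""
    hits = []
    for name in popular:
        if pep503(requested) == pep503(name):
            return []
        if osa_distance(normalise(requested), normalise(name)) <= max_distance:
            hits.append(name)
    return sorted(hits)


def audit(manifest: List[Dep], internal_prefix: str = INTERNAL_PREFIX,
          public_index_also_searched: bool = True) -> List[Finding]:
    """Run all checks over a manifest and return the findings."""
    findings = []
    for dep in manifest:
        near = typosquat_candidates(dep.name)
        if near:
            findings.append(Finding(dep.name, "typosquat", f"looks like {', '.join(near)}"))
        # pip --extra-index-url (and the npm/Maven equivalents) consult every
        # index and take the highest version, so an attacker who publishes
        # 'acme-billing 99.0' on the public index wins the resolution.
        if dep.name.startswith(internal_prefix) and public_index_also_searched:
            findings.append(Finding(dep.name, "dependency-confusion",
                                    "internal name resolvable from the public index; "
                                    "pin the resolver to the private index or reserve the name publicly"))
        if dep.version is None:
            findings.append(Finding(dep.name, "unpinned",
                                    "floats to 'latest', so a newer malicious release is picked up automatically"))
    return findings


# constructed manifest: two clean entries, one transposition, one look-alike, one internal name
SAMPLE_MANIFEST = [
    Dep("requests", "2.31.0"),
    Dep("reqeusts", "1.0"),
    Dep("djang0", None),
    Dep("acme-billing", "3.2.1"),
    Dep("numpy", "1.26.4"),
]

if __name__ == "__main__":
    for f in audit(SAMPLE_MANIFEST):
        print(f"{f.kind:22} {f.package:14} {f.detail}")
```

The confusion check encodes how pip's `--extra-index-url`, and the equivalent npm and Maven settings, resolve a name: every configured index is consulted and the highest version wins, so the defence is either to pin internal names to the private index or to register them on the public one. A distance of 1 catches single substitutions, omissions, insertions and adjacent swaps; raising it makes false positives against short names climb quickly, so in practice compare against a curated list of the packages your organisation actually depends on rather than against the whole registry.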
  • 43. Bad guys used to look for code weaknesses here. (Diagram: Payroll App V1 and its dependencies.)
  • 44. Now they are adding their own upstream. (Diagram: Payroll App V1 plus its dependencies, tools, runtimes, platforms and code generators.)
  • 45. Many are designed to stay hidden until needed. (Same diagram.)
  • 46. Blind trust in Open Source software is evaporating. 5% of the projects on Maven Central already have a vulnerability of CVSS 9 or 10. Now there are direct attacks on open source projects and maintainers to gain access to source repos or release processes; direct attacks to insert malicious code via pull requests; direct attacks on the compilers and packaging tools.
  • 48. This year we finally came together to try to do something about cyber attacks. It focuses first on making software more trustworthy.
  • 49. 17 May 2021, Joe Biden: the Executive Order.
  • 50. The Executive Order recognizes the need to form a united front against “malicious cyber actors”; outlines a direction for closer working between all parts of the software industry; adds new requirements on software vendors selling to the US government; and will change how we produce and consume software.
  • 51. Hardening the software supply chain: every product
    • has an SBOM
    • uses an automated supply chain process
    • has evidence of software integrity
    • has evidence of an automated vulnerability check process
    • has a vulnerability disclosure program
    • has evidence of the provenance of all software used
    • demonstrates strong controls over the use of internal and third-party software and services
    • demonstrates regular audit processes
  • 52. SBOM (Software Bill of Materials): the new important term on the horizon. cyclonedx.org, spdx.dev
  • 54. Tracking dependencies relies on tools that analyze the end result. (Diagram: Payroll App V1 → Acme Framework 2.1 → Web Server 05.1.2.)
  • 55. Which relies on transparency.
  • 56. Which can be problematic: incomplete data, opaque dependencies.
  • 57. And is always incomplete, or even faked. What’s in the runtimes? What tools were used to build?
  • 58. An SBOM provides evidence on how software was built: all componentry plus environmental information (in the diagram: Runtime V2, OS V3.4, Compiler V9, CI/CD V2, OS V6, Compiler).
  • 59. (Diagram: this product 3.1 with dependency refs to Foo 1.1 and Bar 2.1.)
  • 60. Becomes this: each dependency ref gains a dependency SBOM ref, a URL and an SBOM signature (SHA hash); the product gains a product URL and a product signature (SHA hash).
  • 61. Becomes this: the same graph with URLs and SHA hashes for every node, including the build environment (gcc 3.6, RHEL, zip, Jenkins, GitHub Actions).
  • 62. And you ‘inherit’ all their SBOM info too (and that of their dependencies in turn).
  • 63. Which means? More likelihood of finding issues.
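The graph on slides 59 to 63 is concrete enough to write down. The following is an added example, not the talk's or the CycloneDX project's code: it builds a minimal CycloneDX 1.4 style document for Payroll App V1 with the placeholder dependencies Foo 1.1 and Bar 2.1, records a SHA-256 hash and an SBOM reference for each component plus build environment properties, and then uses it for the two checks the talk motivates: integrity of the delivered artifacts (slide 51) and vulnerability lookup across the inherited dependency graph (slides 62 and 63). Artifact bytes, group and package names, URLs, property names and the advisory feed are constructed for the example.

```python
"""Added example (not from the talk or the CycloneDX project): a minimal
CycloneDX-style SBOM for 'Payroll App V1' with the placeholder dependencies
Foo 1.1 and Bar 2.1, then integrity verification against its hashes and a
vulnerability match over everything the app transitively reaches.
Artifact bytes, names, URLs, property names and the advisory feed are
constructed for the example."""
import hashlib
from datetime import datetime, timezone

APP_REF = "pkg:maven/com.example/payroll@1.0"
FOO_REF = "pkg:maven/org.example/foo@1.1"
BAR_REF = "pkg:maven/org.example/bar@2.1"

ARTIFACTS = {   # constructed artifact contents, as if fetched from a repository
    APP_REF: b"payroll-app-v1 bytes",
    FOO_REF: b"foo-1.1 bytes",
    BAR_REF: b"bar-2.1 bytes",
}

VULN_FEED = [   # constructed advisory records keyed by version-less purl
    {"id": "EXAMPLE-2021-0001", "purl": "pkg:maven/org.example/bar",
     "affected": ["2.0", "2.1"], "fixed_in": "2.2"},
]


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def component(ctype, group, name, version, data, sbom_url=None) -> dict:
    """One CycloneDX component; the purl doubles as its bom-ref."""
    purl = f"pkg:maven/{group}/{name}@{version}"
    comp = {"type": ctype, "bom-ref": purl, "group": group, "name": name,
            "version": version, "purl": purl,
            "hashes": [{"alg": "SHA-256", "content": sha256(data)}]}
    if sbom_url:   # slide 60: each dependency carries a reference to its own SBOM
        comp["externalReferences"] = [{"type": "bom", "url": sbom_url}]
    return comp


def build_sbom() -> dict:
    app = component("application", "com.example", "payroll", "1.0", ARTIFACTS[APP_REF])
    foo = component("library", "org.example", "foo", "1.1", ARTIFACTS[FOO_REF],
                    "https://repo.example.invalid/foo-1.1.cdx.json")
    bar = component("library", "org.example", "bar", "2.1", ARTIFACTS[BAR_REF],
                    "https://repo.example.invalid/bar-2.1.cdx.json")
    return {
        "bomFormat": "CycloneDX", "specVersion": "1.4", "version": 1,
        "metadata": {
            "timestamp": datetime.now(timezone.utc).isoformat(),
            "tools": [{"vendor": "example", "name": "ci-sbom-generator", "version": "0.1"}],
            "component": app,
            # slide 58: the build environment is evidence too. CycloneDX
            # properties are free-form name/value pairs; these names are made up.
            "properties": [{"name": "build:compiler", "value": "gcc 3.6"},
                           {"name": "build:os", "value": "RHEL"},
                           {"name": "build:ci", "value": "Jenkins"}],
        },
        "components": [foo, bar],
        # slide 59: the dependency graph, not just a flat list
        "dependencies": [{"ref": APP_REF, "dependsOn": [FOO_REF, BAR_REF]},
                         {"ref": FOO_REF, "dependsOn": [BAR_REF]},
                         {"ref": BAR_REF, "dependsOn": []}],
    }


def verify(sbom: dict, delivered: dict) -> dict:
    """bom-ref -> True if the delivered bytes match the recorded SHA-256.
    A missing artifact is a failure, not a skip."""
    result = {}
    for comp in [sbom["metadata"]["component"], *sbom["components"]]:
        expected = next(h["content"] for h in comp["hashes"] if h["alg"] == "SHA-256")
        data = delivered.get(comp["bom-ref"])
        result[comp["bom-ref"]] = data is not None and sha256(data) == expected
    return result


def reachable(sbom: dict, start: str) -> set:
    """Every bom-ref transitively reachable from `start` (slide 62: you
    inherit your dependencies' dependencies)."""
    edges = {d["ref"]: d["dependsOn"] for d in sbom["dependencies"]}
    seen, stack = set(), [start]
    while stack:
        for nxt in edges.get(stack.pop(), []):
            if nxt not in seen:
                seen.add(nxt)
                stack.append(nxt)
    return seen


def vulnerable_components(sbom: dict, feed=VULN_FEED) -> list:
    """(bom-ref, advisory id, fixed version) for reachable components whose
    version is listed as affected."""
    in_graph = reachable(sbom, sbom["metadata"]["component"]["bom-ref"])
    hits = []
    for comp in sbom["components"]:
        base = comp["purl"].split("@")[0]
        for adv in feed:
            if comp["bom-ref"] in in_graph and adv["purl"] == base and comp["version"] in adv["affected"]:
                hits.append((comp["bom-ref"], adv["id"], adv["fixed_in"]))
    return hits


if __name__ == "__main__":
    bom = build_sbom()
    print("integrity:", verify(bom, ARTIFACTS))
    print("vulnerable:", vulnerable_components(bom))
```

Two caveats the slides themselves raise. A hash match only proves the artifact and the SBOM agree with each other; if an attacker can replace both (slide 57, “or even faked”) the check passes, which is what the product and SBOM signatures on slide 60 are for, and they are not implemented here. And the vulnerability match is only as good as the graph: a component the SBOM omits (an opaque dependency, a code generator, the runtime) is never reached and never checked.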
  • 65. The way you build software is going to change. You can expect every government to follow suit on this sort of initiative. Even if you're not selling directly, you could be in a chain that is. The prediction is that by 2025 every software vendor, open source project etc. will have to provide this proof. Manual anything is going to be problematic.
  • 66. You will need
    • to be able to track back exactly how, where and with what your software was built
    • to be able to deal with an increase in the number of reported vulnerabilities
    • to be able to build your software automatically at a moment’s notice
    • to provide your SBOM to others
    The next wave is moving from IaC (infrastructure as code) to EaC (everything as code).
  • 67. The way you choose open source software is going to change. Not just “is it free, does it do what I want?”:
    • What do you do if an open-source component you rely on doesn’t comply?
    • How much risk are you willing to take?
    • Even if they say yes, how much can you trust them?
    • Do they have an SBOM?
    • What’s their ability to provide updates?
    • What’s their security posture?
  • 68. What tools can you use to help?
  • 70. And quite a few to tell you about your dependencies.
  • 71. But even with the best tools in the world …
  • 72. The best tools right now are these
  • 73. The best tools right now are these
  • 74. Time to exercise your suspicious brain, find code smells and LOOK closely at the projects you’re using. Build your own selection criteria or use ours.
  • 75. Things to check for
    • License and security.md file
    • Vulnerability reporting process
    • Development process (how do they review contributions?)
    • Build process: is it secure? Who can trigger it?
    • General assessment of their quality (MTTU, mean time to update)
  • 76. Things to check for
    • Unexpected release frequency
    • Number and activity patterns of committers
    • Do they do static analysis and security testing (SAST)?
    • Are they prone to making breaking changes?
    • Do they often have no path forward (latest version has vulnerabilities)?
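Several of these checks can be computed rather than eyeballed. The following is an added example, not the talk's selection criteria tooling: it takes a constructed release history for one dependency and computes mean time to update against that dependency's own upstream, flags a release that breaks a long silence and comes from a committer with no prior releases, and reports advisories that still affect the newest version. Versions, dates, committer names and the advisory identifier are all made up; nothing here talks to a registry.

```python
"""Added example (not from the talk): three of the checks above computed
from a constructed release history of one open source dependency.

- MTTU (mean time to update): how long the project takes to ship a new
  release of its own key upstream dependency
- unexpected release: a release after unusually long dormancy, by a
  committer with no prior releases (a recurring package-hijack pattern)
- no path forward: the newest release is affected by an advisory

Versions, dates, committer names and the advisory are all made up."""
from dataclasses import dataclass
from datetime import date
from statistics import mean, median
from typing import Dict, List, Optional


@dataclass
class Release:
    version: str
    released: date
    committer: str
    uses_upstream: str   # version of the key upstream library bundled in this release


# constructed: when each upstream version came out
UPSTREAM_RELEASES = {"4.0": date(2021, 1, 10), "4.1": date(2021, 4, 2), "4.2": date(2021, 9, 15)}

# constructed: steady cadence from two maintainers, then silence, then a
# release from someone new
RELEASES = [
    Release("1.0", date(2021, 1, 20), "alice", "4.0"),
    Release("1.1", date(2021, 5, 1), "alice", "4.1"),
    Release("1.2", date(2021, 10, 1), "bob", "4.2"),
    Release("1.3", date(2023, 6, 30), "mallory", "4.2"),
]

ADVISORIES = [{"id": "EXAMPLE-2023-0042", "affected": ["1.2", "1.3"]}]


def mean_time_to_update(releases, upstream) -> Optional[float]:
    """Days from each upstream release to the first project release that
    bundles it, averaged over the upstream versions ever adopted."""
    first_use: Dict[str, date] = {}
    for r in sorted(releases, key=lambda r: r.released):
        first_use.setdefault(r.uses_upstream, r.released)
    lags = [(adopted - upstream[v]).days for v, adopted in first_use.items() if v in upstream]
    return mean(lags) if lags else None


def suspicious_releases(releases, dormancy_factor: int = 3) -> List[Release]:
    """Releases whose gap since the previous one exceeds dormancy_factor times
    the median of the earlier gaps AND whose committer has not released before."""
    ordered = sorted(releases, key=lambda r: r.released)
    seen = {ordered[0].committer}
    gaps: List[int] = []
    flagged = []
    for prev, cur in zip(ordered, ordered[1:]):
        gap = (cur.released - prev.released).days
        if gaps and gap > dormancy_factor * median(gaps) and cur.committer not in seen:
            flagged.append(cur)
        gaps.append(gap)
        seen.add(cur.committer)
    return flagged


def no_path_forward(releases, advisories) -> List[str]:
    """Advisory ids that still affect the newest release: nothing to upgrade to."""
    latest = max(releases, key=lambda r: r.released).version
    return [a["id"] for a in advisories if latest in a["affected"]]


def assess(releases=RELEASES, upstream=UPSTREAM_RELEASES, advisories=ADVISORIES) -> dict:
    return {
        "mttu_days": mean_time_to_update(releases, upstream),
        "suspicious_releases": suspicious_releases(releases),
        "no_path_forward": no_path_forward(releases, advisories),
    }


if __name__ == "__main__":
    report = assess()
    print(f"MTTU: {report['mttu_days']:.1f} days")
    for r in report["suspicious_releases"]:
        print(f"unexpected release {r.version} on {r.released} by new committer {r.committer}")
    print("no path forward:", report["no_path_forward"] or "none")
```

The dormancy rule is deliberately conservative (three times the median of the earlier gaps, and a committer nobody has seen release before); tune the factor to your own risk appetite and treat a hit as a prompt to read the release diff, not as a verdict. The same fields come, in practice, from the registry's release API and the project's commit history.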
  • 77. This is obviously hard and time consuming. Getting your own supply chain in a fit state is one thing…
  • 78. …what about all your dependencies?
  • 79. Obvious thoughts: BYO pipelines will get replaced by commercial ones. Automated, evidence-based, everything-as-code supply chains are the way forward. But developer productivity is going to be impacted before we get there. Consuming open source directly will reduce: you’ll pay for trusted versions or have very strict consumption policies.
  • 80. (Same slide, adding:) Those that can create automated, highly productive supply chains will have an immediate competitive advantage.
  • 81. This is the cost of dealing with: the new motives behind cyber attacks; the increased risk of being attacked, because you’re in someone’s supply chain; open source still being the primary vector; the long-term transformation of open source communities.
  • 82. (Same slide, adding:) It’s still all software; it’s still up to us to make the world safer.
  • 83. Takeaways
    • The days of just taking software off the shelf are numbered: choose software based on how it’s produced, not just what it does.
    • Evidence-based trust will become essential: your own supply chain (the software you use, how you develop, how you deploy) will become a certified step in someone else's evidence chain.
    • A complex and challenging new world lies ahead. GDPR changed how we think about and deal with user information; supply chains are going to get the same sort of scrutiny.
    • It’s time to reassess tools and vendors. Look for a partner you can trust to build supply chains you and the world can rely on.