This document discusses the evolving threats from cybercrime and importance of securing the software supply chain. It notes that cybercrime now costs over $6 trillion annually, similar to the global GDP of major countries. Attacks have become more sophisticated using techniques like supply chain compromises and exploiting vulnerabilities before they are publicly known. Developers are urged to carefully select open source components based on security practices like using SBOMs and rapid patching. The talk recommends following secure development principles and keeping educated on improving tools that can help harden applications and their supply chains.
3. @spoole167
Photo by Bastian Pudill on Unsplash
Do we imagine someone
walking down the road
trying the handles of cars
as they pass
Looking for a car to steal
8. @spoole167
this talk
• Is a reality check about what the bad guys are really doing and why
• What’s happening to help address these attacks
• What should you be doing next
24. @spoole167
There are still..
• There are still botnets out there trying to get into your systems
• There are still bad guys who want to steal your secrets
• There are still people who will ransom your data
• There are still cryptocurrency miners trying to steal your CPU
cycles
25. @spoole167
Plus ..
• There are still botnets out there trying to get into your systems
• There are still bad guys who want to steal your secrets
• There are still people who will ransom your data
• There are still cryptocurrency miners trying to steal your CPU
cycles
• Now there are open source project hijacks
• Now there are fake packages in repos
• Now there is malware in the build process
• Now the aim is long term control and stealth
26. @spoole167
Now there is cyber-warfare
• Motivations are different - it’s not about money
• Skillsets are higher - professional, well funded.
• Perseverance is much greater - specific targets, not just
targets of opportunity
27. @spoole167
Now there is cyber-warfare
• Motivations are different - it’s not about money
• Skillsets are higher - professional, well funded.
• Persistence is much greater - specific targets, not just targets
of opportunity
• EVERYONE – Every state or political body, every
disenfranchised or suppressed group is or will be taking part.
28. @spoole167
Now there is cyber-warfare
• It’s been happening behind the scenes for some time.
• Now it’s mainstream.
You personally
Your personal networks
The organizations you work for, belong to or help
Your country
Potential
Targets
35. @spoole167
be ready for massive increases in attacks
on software everywhere
s/w in the car
s/w on the phone
s/w on the watch
s/w on any device
s/w on the laptop
s/w on server
s/w on the wifi router
s/w at the supermarket
37. @spoole167
Now they make their own
Typosquatting
A lookalike
domain,
dependency with
one or two wrong
or different
characters
Open source
repo attacks
Attempts to get
malware or
weaknesses
added into
dependency
source via social
or tools
Build Tool
attacks
Attempts to get
malware into the
tools that are
used to produce
dependencies
Dependency
confusion
Attempts to get a
Different version
added into a binary
repository
Often “latest”
Automated Social engineering
38. The Zero Day Window is Closing
Source: Adapted from IBM X-Force / Analysis by Gartner Research (September 2016)
Year of Date Reported
2006 2007 2008 2009 2010 201
1
2012 2013 2104 2015
1
0
20
30
40
50
0
Average
Days
from
Public
Disclosure
to
Exploit
Average
45
15
201
7
2019 2021
Struts2
39. The Zero Day Window is closed
Source: Adapted from IBM X-Force / Analysis by Gartner Research (September 2016)
Year of Date Reported
2006 2007 2008 2009 2010 201
1
2012 2013 2104 2015
1
0
20
30
40
50
0
Average
Days
from
Public
Disclosure
to
Exploit
Average
45
15
201
7
2019 2021
Struts2
Nation states are paying millions of dollars to
suppress vulnerability reporting
40. The Zero Day Window is closed
Source: Adapted from IBM X-Force / Analysis by Gartner Research (September 2016)
Year of Date Reported
2006 2007 2008 2009 2010 201
1
2012 2013 2104 2015
1
0
20
30
40
50
0
Average
Days
from
Public
Disclosure
to
Exploit
Average
45
15
201
7
2019 2021
Struts2
China requires all disclosures to be reported to
the government first
41. The Zero Day Window is closed
Source: Adapted from IBM X-Force / Analysis by Gartner Research (September 2016)
Year of Date Reported
2006 2007 2008 2009 2010 201
1
2012 2013 2104 2015
1
0
20
30
40
50
0
Average
Days
from
Public
Disclosure
to
Exploit
Average
45
15
201
7
2019 2021
Struts2
The more severe the vulnerability, the less
chance of it being reported publically
47. @spoole167
Backstory – the scales are tipping
• Open source is seen as both critical and unreliable
• Big Business has managed to keep governments quiet
• Business Value won over Security
• 7 Trillion dollars a year and existential threats to national security Security
wins
• The question isn’t whether – it’s about how.
• Governments always use big sticks
50. @spoole167
Hardening the software supply chain : every ‘product’
has a SBOM
uses an automatic
supply chain process
has evidence of
software integrity
has evidence of
an automatic
vulnerability check
process
Has a vulnerability
disclosure program
Has evidence on the
providence of all
software used
Demonstrates strong
controls over the use
of internal and third-
party software and
services
Demonstrate regular
audit processes
51. @spoole167
Technical responses
1 Securing the supply chain – provable evidence trails
2 Improved understanding of vulnerable projects
3 Automating the supply chain - code to cloud (no humans
involved)
4 Education for developers
55. False confidence in our tools or not caring?
Finding out if you are
vulnerable using scanning
tools can be challenging
It’s all ‘after the fact’
requires great tools and
great data
Not everyone has equal
access
56. @spoole167
On the horizon
Switch from scanning
tools that try to work
out what you have
installed
To signed, provable,
reproduceable
“Software Bill of Materials”
Centralised signatures
Centralised analysis tools
57. @spoole167
Software Bill Of Materials
cyclonedx.org spdx.dev
the new important term on the horizon
mvn org.cyclonedx:cyclonedx-maven-plugin:makeAggregateBom
60. @spoole167
Tackling the next level
Linux Foundation and
other groups working to
develop guidelines for
measuring good practices
and ongoing behavior
67. @spoole167
Look at how you choose open
source software
• What do you do if a open-source
component you rely on doesn’t comply?
• How much risk are you willing to take?
• Even if they say yes - how much can you
trust them?
• Do they have an SBOM?
• What’s their ability to provide updates.
• What’s their security posture.
Not just is it free,
does it do what I
want?
68. things to check for
unexpected
release frequency
number and
activity patterns
of committers
Do they do Static
Analysis and
Security Testing
(SAST)
Are they prone to
making breaking
changes
Do they often
have no path
forward
(latest version has
vulnerabilities)
69. things to check for
License /
security.md file
Vulnerability
reporting process
Development
process (how do
they review
contributions)
Build process – is
it secure? Who
can trigger it?
General
assessment of
their quality
(MTTU)
71. @spoole167
Exercise your suspicious brain, find code
smells and LOOK closely at the projects you’re
using
Build your own selection
criteria or use others
77. @spoole167
Summary
• Cyber attacks are being industrialized, weaponized and hidden.
• “exploit first” means Day Zero moving to Day – 1 , -20. -Never
• Government legislation aim to force suppliers to “fix” the problem
• How we create and deliver software will change
• How we select / consume open source software will change
• Developers must become experts at AppSec
78. @spoole167
Takeaways
• The days of just taking software off the shelf are numbered
• developers must choose software based on production value not just function
• Evidence based trust will become essential
• the software you use, how you develop, how you deploy will become a certified step in
someone else's evidence chain.
• A complex and challenging new world lies ahead.
• GDPR changed how we thought and deal with user information – supply chains are
going to get the same sort of scrutiny.
• It’s time to reassess tools and vendors
• Look for partners you can trust to build supply chains you and the world can rely on