SlideShare ist ein Scribd-Unternehmen logo

GIDS-2023 A New Hope for 2023? What Developers Must Learn Next

Als PPTX, PDF herunterladen
Steve Poole
Steve Poole

This document discusses the evolving threats from cybercrime and importance of securing the software supply chain. It notes that cybercrime now costs over $6 trillion annually, similar to the global GDP of major countries. Attacks have become more sophisticated using techniques like supply chain compromises and exploiting vulnerabilities before they are publicly known. Developers are urged to carefully select open source components based on security practices like using SBOMs and rapid patching. The talk recommends following secure development principles and keeping educated on improving tools that can help harden applications and their supply chains.

Software
1 von 79
@spoole167 www.developersummit.com @spoole167 A new hope for 2023? What developers must learn next
@spoole167 what do we think when we think about cybercrime?”
@spoole167 Photo by Bastian Pudill on Unsplash Do we imagine someone walking down the road trying the handles of cars as they pass Looking for a car to steal
@spoole167 Do we remember that movie we watched about a daring and sophisticated robbery ?
@spoole167 these are the two styles we often think about. The super complicated attack or the simple opportunist
@spoole167 Wrongly we think we’re not targets we think the bad guys are far away
@spoole167 The most common thoughts as a developer are ”why is it my problem?” or “I don’t really know what to do”
@spoole167 this talk • Is a reality check about what the bad guys are really doing and why • What’s happening to help address these attacks • What should you be doing next
@spoole167 Steve Poole Director, Dev Advocacy Sonatype
@spoole167 Sonatype Invented Maven Started Maven Central in 2003 Created Nexus repo and other technologies The quiet leader in secure software supply chain technology
Not just the Maven Central people
@spoole167 Latest trends in Cyber attacks
@spoole167 Cyberattacks have moved on It’s not all hackers in bedrooms doing it for fun
@spoole167 in 2016 Cybercrime cost ~415 Billion Dollars So did the illicit drug trade
@spoole167 Buys you US Nimitz Class carriers 415 Billion Dollars in 2016
@spoole167 Buys you US Nimitz Class carriers 415 Billion Dollars in 2016 50
@spoole167 Cybercrime has been growing at ~56% per year ever since drug trade cybercrime
@spoole167 Buys you US Nimitz Class carriers 415 Billion Dollars in 2016 50
@spoole167 Buys you US Nimitz Class carriers 6 Trillion Dollars in 2022 50 620
@spoole167 United States: $20.89 trillion China: $14.72 trillion Cyber Crime : $6.0 trillion Japan: $5.06 trillion Germany: $3.85 trillion United Kingdom: $2.67 trillion India: $2.66 trillion France: $2.63 trillion Italy: $1.89 trillion Canada: $1.64 trillion https://globalpeoservices.com/top-15-countries-by-gdp-in-2022/ if Cybercrime was a country (by gdp)
@spoole167 There is no sign of it slowing down drug trade cybercrime US gdp
@spoole167 It’s even more scary …
@spoole167 There are still.. • There are still botnets out there trying to get into your systems • There are still bad guys who want to steal your secrets • There are still people who will ransom your data • There are still cryptocurrency miners trying to steal your CPU cycles
@spoole167 Plus .. • There are still botnets out there trying to get into your systems • There are still bad guys who want to steal your secrets • There are still people who will ransom your data • There are still cryptocurrency miners trying to steal your CPU cycles • Now there are open source project hijacks • Now there are fake packages in repos • Now there is malware in the build process • Now the aim is long term control and stealth
@spoole167 Now there is cyber-warfare • Motivations are different - it’s not about money • Skillsets are higher - professional, well funded. • Perseverance is much greater - specific targets, not just targets of opportunity
@spoole167 Now there is cyber-warfare • Motivations are different - it’s not about money • Skillsets are higher - professional, well funded. • Persistence is much greater - specific targets, not just targets of opportunity • EVERYONE – Every state or political body, every disenfranchised or suppressed group is or will be taking part.
@spoole167 Now there is cyber-warfare • It’s been happening behind the scenes for some time. • Now it’s mainstream. You personally Your personal networks The organizations you work for, belong to or help Your country Potential Targets
@spoole167 Modern attacks are supply chain attacks – and we are all part of a supply chain
@spoole167 The aim is to infiltrate infrastructure and essential services… The internet is the next battlefield. It’s all about software
@spoole167 And manipulate or terminate
@spoole167 Everything really is online There is no distance between you and the bad actors they ‘live’ next door
@spoole167 Cyber warfare is real and will drive massive changes in how we develop and deliver software
@spoole167 The only thing between you and the bad actors is software
@spoole167 be ready for massive increases in attacks on software everywhere s/w in the car s/w on the phone s/w on the watch s/w on any device s/w on the laptop s/w on server s/w on the wifi router s/w at the supermarket
@spoole167 Bad Actors used to search for vulnerabilities to exploit
@spoole167 Now they make their own Typosquatting A lookalike domain, dependency with one or two wrong or different characters Open source repo attacks Attempts to get malware or weaknesses added into dependency source via social or tools Build Tool attacks Attempts to get malware into the tools that are used to produce dependencies Dependency confusion Attempts to get a Different version added into a binary repository Often “latest” Automated Social engineering
The Zero Day Window is Closing Source: Adapted from IBM X-Force / Analysis by Gartner Research (September 2016) Year of Date Reported 2006 2007 2008 2009 2010 201 1 2012 2013 2104 2015 1 0 20 30 40 50 0 Average Days from Public Disclosure to Exploit Average 45 15 201 7 2019 2021 Struts2
The Zero Day Window is closed Source: Adapted from IBM X-Force / Analysis by Gartner Research (September 2016) Year of Date Reported 2006 2007 2008 2009 2010 201 1 2012 2013 2104 2015 1 0 20 30 40 50 0 Average Days from Public Disclosure to Exploit Average 45 15 201 7 2019 2021 Struts2 Nation states are paying millions of dollars to suppress vulnerability reporting
The Zero Day Window is closed Source: Adapted from IBM X-Force / Analysis by Gartner Research (September 2016) Year of Date Reported 2006 2007 2008 2009 2010 201 1 2012 2013 2104 2015 1 0 20 30 40 50 0 Average Days from Public Disclosure to Exploit Average 45 15 201 7 2019 2021 Struts2 China requires all disclosures to be reported to the government first
The Zero Day Window is closed Source: Adapted from IBM X-Force / Analysis by Gartner Research (September 2016) Year of Date Reported 2006 2007 2008 2009 2010 201 1 2012 2013 2104 2015 1 0 20 30 40 50 0 Average Days from Public Disclosure to Exploit Average 45 15 201 7 2019 2021 Struts2 The more severe the vulnerability, the less chance of it being reported publically
@spoole167 Finding or creating vulnerabilities is a growing industry
@spoole167 The new world of cyber security is “exploit first”
@spoole167 And one more thing …
@spoole167 https://www.trendmicro.com/vinfo/us/security/news/cybercrime-and-digital- threats/exploiting-ai-how-cybercriminals-misuse-abuse-ai-and-ml https://techmonitor.ai/cybercrime-future/ai-cybercrime AI …
What are we doing about all of this?
@spoole167 Backstory – the scales are tipping • Open source is seen as both critical and unreliable • Big Business has managed to keep governments quiet • Business Value won over Security • 7 Trillion dollars a year and existential threats to national security  Security wins • The question isn’t whether – it’s about how. • Governments always use big sticks
@spoole167 17 May 2021 – US Government takes a stand Joe Biden
@spoole167 December 2022 – EU Updates directives .. Joe Biden
@spoole167 Hardening the software supply chain : every ‘product’ has a SBOM uses an automatic supply chain process has evidence of software integrity has evidence of an automatic vulnerability check process Has a vulnerability disclosure program Has evidence on the providence of all software used Demonstrates strong controls over the use of internal and third- party software and services Demonstrate regular audit processes
@spoole167 Technical responses 1 Securing the supply chain – provable evidence trails 2 Improved understanding of vulnerable projects 3 Automating the supply chain - code to cloud (no humans involved) 4 Education for developers
10th December 2021
Log4Shell may be the worst ever vulnerability https://apple.news/AnKnv0_EdR3K2b-t6Z67-qw
A canonical example of whats going wrong
False confidence in our tools or not caring? Finding out if you are vulnerable using scanning tools can be challenging It’s all ‘after the fact’ requires great tools and great data Not everyone has equal access
@spoole167 On the horizon Switch from scanning tools that try to work out what you have installed To signed, provable, reproduceable “Software Bill of Materials” Centralised signatures Centralised analysis tools
@spoole167 Software Bill Of Materials cyclonedx.org spdx.dev the new important term on the horizon mvn org.cyclonedx:cyclonedx-maven-plugin:makeAggregateBom
@spoole167 https://bomdoctor.sonatype.com
@spoole167 Tackling the next level 90% of an application is open source components
@spoole167 Tackling the next level Linux Foundation and other groups working to develop guidelines for measuring good practices and ongoing behavior
@spoole167
@spoole167 The Open Source Software Security Mobilization Plan https://openssf.org/oss-security-mobilization-plan/ security education risk assessment digital signatures memory safety incident response better scanning code audits data sharing SBOMs everywhere Supply chains
@spoole167 What can you do right now?
@spoole167 The best tools right now are these
@spoole167 The best tools right now are these
Avoidable Vulnerability (poor choices) Vulnerability management is largely a consumption-side problem For 96% of vulnerable downloads, there was a non- vulnerable version available Avoidability of vulnerable Maven Central downloads Unavoidable Vulnerability
@spoole167 Look at how you choose open source software • What do you do if a open-source component you rely on doesn’t comply? • How much risk are you willing to take? • Even if they say yes - how much can you trust them? • Do they have an SBOM? • What’s their ability to provide updates. • What’s their security posture. Not just is it free, does it do what I want?
things to check for unexpected release frequency number and activity patterns of committers Do they do Static Analysis and Security Testing (SAST) Are they prone to making breaking changes Do they often have no path forward (latest version has vulnerabilities)
things to check for License / security.md file Vulnerability reporting process Development process (how do they review contributions) Build process – is it secure? Who can trigger it? General assessment of their quality (MTTU)
Thinking deeper about how you develop s/w
@spoole167 Exercise your suspicious brain, find code smells and LOOK closely at the projects you’re using Build your own selection criteria or use others
@spoole167 What else should you do?
@spoole167 Visit owasp
@spoole167 Code defensively follow secure design principles • Minimize attack surface area • Establish secure defaults • Principle of Least privilege • Principle of Defense in depth • Fail securely • Don’t trust services • Separation of duties • Avoid security by obscurity • Keep security simple • Fix security issues correctly https://www.owasp.org/index.php/Security_by_Design_Principles#Security _principles
@spoole167 https://owasp.org
@spoole167 Keep a watch on available education
@spoole167 Summary • Cyber attacks are being industrialized, weaponized and hidden. • “exploit first” means Day Zero moving to Day – 1 , -20. -Never • Government legislation aim to force suppliers to “fix” the problem • How we create and deliver software will change • How we select / consume open source software will change • Developers must become experts at AppSec
@spoole167 Takeaways • The days of just taking software off the shelf are numbered • developers must choose software based on production value not just function • Evidence based trust will become essential • the software you use, how you develop, how you deploy will become a certified step in someone else's evidence chain. • A complex and challenging new world lies ahead. • GDPR changed how we thought and deal with user information – supply chains are going to get the same sort of scrutiny. • It’s time to reassess tools and vendors • Look for partners you can trust to build supply chains you and the world can rely on
@spoole167 Thank you bit.ly/41FGVXt google: “Brian Fox RSAC 2023” bomdoctor.sonatype.com

Empfohlen

Realtime Analytics with Storm and Hadoop
Realtime Analytics with Storm and HadoopRealtime Analytics with Storm and Hadoop
Realtime Analytics with Storm and Hadoop
DataWorks Summit
 
Why oracle data guard new features in oracle 18c, 19c
Why oracle data guard new features in oracle 18c, 19cWhy oracle data guard new features in oracle 18c, 19c
Why oracle data guard new features in oracle 18c, 19c
Satishbabu Gunukula
 
Apache Spark Tutorial | Spark Tutorial for Beginners | Apache Spark Training ...
Apache Spark Tutorial | Spark Tutorial for Beginners | Apache Spark Training ...Apache Spark Tutorial | Spark Tutorial for Beginners | Apache Spark Training ...
Apache Spark Tutorial | Spark Tutorial for Beginners | Apache Spark Training ...
Edureka!
 
An Overview of Ambari
An Overview of AmbariAn Overview of Ambari
An Overview of Ambari
Chicago Hadoop Users Group
 
How Quick Are We to Judge? A Case Study of Trust and Web Site Design
How Quick Are We to Judge? A Case Study of Trust and Web Site DesignHow Quick Are We to Judge? A Case Study of Trust and Web Site Design
How Quick Are We to Judge? A Case Study of Trust and Web Site Design
New York Technology Council
 
An Overview of Apache Cassandra
An Overview of Apache CassandraAn Overview of Apache Cassandra
An Overview of Apache Cassandra
DataStax
 
Introduction to Apache Spark
Introduction to Apache SparkIntroduction to Apache Spark
Introduction to Apache Spark
datamantra
 
OSMC 2021 | pg_stat_monitor: A cool extension for better database (PostgreSQL...
OSMC 2021 | pg_stat_monitor: A cool extension for better database (PostgreSQL...OSMC 2021 | pg_stat_monitor: A cool extension for better database (PostgreSQL...
OSMC 2021 | pg_stat_monitor: A cool extension for better database (PostgreSQL...
NETWAYS
 

Empfohlen

Realtime Analytics with Storm and Hadoop
Realtime Analytics with Storm and HadoopRealtime Analytics with Storm and Hadoop
Realtime Analytics with Storm and Hadoop
DataWorks Summit
 
Why oracle data guard new features in oracle 18c, 19c
Why oracle data guard new features in oracle 18c, 19cWhy oracle data guard new features in oracle 18c, 19c
Why oracle data guard new features in oracle 18c, 19c
Satishbabu Gunukula
 
Apache Spark Tutorial | Spark Tutorial for Beginners | Apache Spark Training ...
Apache Spark Tutorial | Spark Tutorial for Beginners | Apache Spark Training ...Apache Spark Tutorial | Spark Tutorial for Beginners | Apache Spark Training ...
Apache Spark Tutorial | Spark Tutorial for Beginners | Apache Spark Training ...
Edureka!
 
An Overview of Ambari
An Overview of AmbariAn Overview of Ambari
An Overview of Ambari
Chicago Hadoop Users Group
 
How Quick Are We to Judge? A Case Study of Trust and Web Site Design
How Quick Are We to Judge? A Case Study of Trust and Web Site DesignHow Quick Are We to Judge? A Case Study of Trust and Web Site Design
How Quick Are We to Judge? A Case Study of Trust and Web Site Design
New York Technology Council
 
An Overview of Apache Cassandra
An Overview of Apache CassandraAn Overview of Apache Cassandra
An Overview of Apache Cassandra
DataStax
 
Introduction to Apache Spark
Introduction to Apache SparkIntroduction to Apache Spark
Introduction to Apache Spark
datamantra
 
OSMC 2021 | pg_stat_monitor: A cool extension for better database (PostgreSQL...
OSMC 2021 | pg_stat_monitor: A cool extension for better database (PostgreSQL...OSMC 2021 | pg_stat_monitor: A cool extension for better database (PostgreSQL...
OSMC 2021 | pg_stat_monitor: A cool extension for better database (PostgreSQL...
NETWAYS
 
Oracle Goldengate for Big Data - LendingClub Implementation
Oracle Goldengate for Big Data - LendingClub ImplementationOracle Goldengate for Big Data - LendingClub Implementation
Oracle Goldengate for Big Data - LendingClub Implementation
Vengata Guruswamy
 
Sparkler - Spark Crawler
Sparkler - Spark Crawler Sparkler - Spark Crawler
Sparkler - Spark Crawler
Thamme Gowda
 
Hadoop project design and a usecase
Hadoop project design and a usecaseHadoop project design and a usecase
Hadoop project design and a usecase
sudhakara st
 
Neural Search Comes to Apache Solr_ Approximate Nearest Neighbor, BERT and Mo...
Neural Search Comes to Apache Solr_ Approximate Nearest Neighbor, BERT and Mo...Neural Search Comes to Apache Solr_ Approximate Nearest Neighbor, BERT and Mo...
Neural Search Comes to Apache Solr_ Approximate Nearest Neighbor, BERT and Mo...
Sease
 
Hadoop Security
Hadoop SecurityHadoop Security
Hadoop Security
Timothy Spann
 
PayPal merchant ecosystem using Apache Spark, Hive, Druid, and HBase
PayPal merchant ecosystem using Apache Spark, Hive, Druid, and HBase PayPal merchant ecosystem using Apache Spark, Hive, Druid, and HBase
PayPal merchant ecosystem using Apache Spark, Hive, Druid, and HBase
DataWorks Summit
 
Mongo db report
Mongo db reportMongo db report
Mongo db report
Hyphen Call
 
Building a Hybrid Data Pipeline for Salesforce and Hadoop
Building a Hybrid Data Pipeline for Salesforce and HadoopBuilding a Hybrid Data Pipeline for Salesforce and Hadoop
Building a Hybrid Data Pipeline for Salesforce and Hadoop
Sumit Sarkar
 
Apache metron - An Introduction
Apache metron - An IntroductionApache metron - An Introduction
Apache metron - An Introduction
Baban Gaigole
 
"Content Security Policy" — Алексей Андросов, MoscowJS 18
"Content Security Policy" — Алексей Андросов, MoscowJS 18"Content Security Policy" — Алексей Андросов, MoscowJS 18
"Content Security Policy" — Алексей Андросов, MoscowJS 18
MoscowJS
 
Mongodb - NoSql Database
Mongodb - NoSql DatabaseMongodb - NoSql Database
Mongodb - NoSql Database
Prashant Gupta
 
Basics of MongoDB
Basics of MongoDB Basics of MongoDB
Basics of MongoDB
Habilelabs
 
Spark SQL
Spark SQLSpark SQL
Spark SQL
Joud Khattab
 
Best Practices: Hadoop migration to Azure HDInsight
Best Practices: Hadoop migration to Azure HDInsightBest Practices: Hadoop migration to Azure HDInsight
Best Practices: Hadoop migration to Azure HDInsight
Revin Chalil
 
IPSec VPN Basics
IPSec VPN BasicsIPSec VPN Basics
IPSec VPN Basics
Martin Bratina
 
EAP - Accelerating behavorial analytics at PayPal using Hadoop
EAP - Accelerating behavorial analytics at PayPal using HadoopEAP - Accelerating behavorial analytics at PayPal using Hadoop
EAP - Accelerating behavorial analytics at PayPal using Hadoop
DataWorks Summit
 
Mongo DB
Mongo DB Mongo DB
Mongo DB
Tata Consultancy Services
 
Hadoop vs Apache Spark
Hadoop vs Apache SparkHadoop vs Apache Spark
Hadoop vs Apache Spark
ALTEN Calsoft Labs
 
Self-Service Data Ingestion Using NiFi, StreamSets & Kafka
Self-Service Data Ingestion Using NiFi, StreamSets & KafkaSelf-Service Data Ingestion Using NiFi, StreamSets & Kafka
Self-Service Data Ingestion Using NiFi, StreamSets & Kafka
Guido Schmutz
 
Spark architecture
Spark architectureSpark architecture
Spark architecture
GauravBiswas9
 
A new hope for 2023? What developers must learn next
A new hope for 2023? What developers must learn nextA new hope for 2023? What developers must learn next
A new hope for 2023? What developers must learn next
Steve Poole
 
Stop Security by Sleight Of Hand.pptx
Stop Security by Sleight Of Hand.pptxStop Security by Sleight Of Hand.pptx
Stop Security by Sleight Of Hand.pptx
Steve Poole
 

Weitere ähnliche Inhalte

Was ist angesagt?

Neural Search Comes to Apache Solr_ Approximate Nearest Neighbor, BERT and Mo...
Neural Search Comes to Apache Solr_ Approximate Nearest Neighbor, BERT and Mo...Neural Search Comes to Apache Solr_ Approximate Nearest Neighbor, BERT and Mo...
Neural Search Comes to Apache Solr_ Approximate Nearest Neighbor, BERT and Mo...
Sease
 
PayPal merchant ecosystem using Apache Spark, Hive, Druid, and HBase
PayPal merchant ecosystem using Apache Spark, Hive, Druid, and HBase PayPal merchant ecosystem using Apache Spark, Hive, Druid, and HBase
PayPal merchant ecosystem using Apache Spark, Hive, Druid, and HBase
DataWorks Summit
 
Building a Hybrid Data Pipeline for Salesforce and Hadoop
Building a Hybrid Data Pipeline for Salesforce and HadoopBuilding a Hybrid Data Pipeline for Salesforce and Hadoop
Building a Hybrid Data Pipeline for Salesforce and Hadoop
Sumit Sarkar
 
EAP - Accelerating behavorial analytics at PayPal using Hadoop
EAP - Accelerating behavorial analytics at PayPal using HadoopEAP - Accelerating behavorial analytics at PayPal using Hadoop
EAP - Accelerating behavorial analytics at PayPal using Hadoop
DataWorks Summit
 
Self-Service Data Ingestion Using NiFi, StreamSets & Kafka
Self-Service Data Ingestion Using NiFi, StreamSets & KafkaSelf-Service Data Ingestion Using NiFi, StreamSets & Kafka
Self-Service Data Ingestion Using NiFi, StreamSets & Kafka
Guido Schmutz
 

Was ist angesagt? (20)

Oracle Goldengate for Big Data - LendingClub Implementation
Oracle Goldengate for Big Data - LendingClub ImplementationOracle Goldengate for Big Data - LendingClub Implementation
Oracle Goldengate for Big Data - LendingClub Implementation
 
Sparkler - Spark Crawler
Sparkler - Spark Crawler Sparkler - Spark Crawler
Sparkler - Spark Crawler
 
Hadoop project design and a usecase
Hadoop project design and a usecaseHadoop project design and a usecase
Hadoop project design and a usecase
 
Neural Search Comes to Apache Solr_ Approximate Nearest Neighbor, BERT and Mo...
Neural Search Comes to Apache Solr_ Approximate Nearest Neighbor, BERT and Mo...Neural Search Comes to Apache Solr_ Approximate Nearest Neighbor, BERT and Mo...
Neural Search Comes to Apache Solr_ Approximate Nearest Neighbor, BERT and Mo...
 
Hadoop Security
Hadoop SecurityHadoop Security
Hadoop Security
 
PayPal merchant ecosystem using Apache Spark, Hive, Druid, and HBase
PayPal merchant ecosystem using Apache Spark, Hive, Druid, and HBase PayPal merchant ecosystem using Apache Spark, Hive, Druid, and HBase
PayPal merchant ecosystem using Apache Spark, Hive, Druid, and HBase
 
Mongo db report
Mongo db reportMongo db report
Mongo db report
 
Building a Hybrid Data Pipeline for Salesforce and Hadoop
Building a Hybrid Data Pipeline for Salesforce and HadoopBuilding a Hybrid Data Pipeline for Salesforce and Hadoop
Building a Hybrid Data Pipeline for Salesforce and Hadoop
 
Apache metron - An Introduction
Apache metron - An IntroductionApache metron - An Introduction
Apache metron - An Introduction
 
"Content Security Policy" — Алексей Андросов, MoscowJS 18
"Content Security Policy" — Алексей Андросов, MoscowJS 18"Content Security Policy" — Алексей Андросов, MoscowJS 18
"Content Security Policy" — Алексей Андросов, MoscowJS 18
 
Mongodb - NoSql Database
Mongodb - NoSql DatabaseMongodb - NoSql Database
Mongodb - NoSql Database
 
Basics of MongoDB
Basics of MongoDB Basics of MongoDB
Basics of MongoDB
 
Spark SQL
Spark SQLSpark SQL
Spark SQL
 
Best Practices: Hadoop migration to Azure HDInsight
Best Practices: Hadoop migration to Azure HDInsightBest Practices: Hadoop migration to Azure HDInsight
Best Practices: Hadoop migration to Azure HDInsight
 
IPSec VPN Basics
IPSec VPN BasicsIPSec VPN Basics
IPSec VPN Basics
 
EAP - Accelerating behavorial analytics at PayPal using Hadoop
EAP - Accelerating behavorial analytics at PayPal using HadoopEAP - Accelerating behavorial analytics at PayPal using Hadoop
EAP - Accelerating behavorial analytics at PayPal using Hadoop
 
Mongo DB
Mongo DB Mongo DB
Mongo DB
 
Hadoop vs Apache Spark
Hadoop vs Apache SparkHadoop vs Apache Spark
Hadoop vs Apache Spark
 
Self-Service Data Ingestion Using NiFi, StreamSets & Kafka
Self-Service Data Ingestion Using NiFi, StreamSets & KafkaSelf-Service Data Ingestion Using NiFi, StreamSets & Kafka
Self-Service Data Ingestion Using NiFi, StreamSets & Kafka
 
Spark architecture
Spark architectureSpark architecture
Spark architecture
 

Ähnlich wie GIDS-2023 A New Hope for 2023? What Developers Must Learn Next

A new hope for 2023? What developers must learn next
A new hope for 2023? What developers must learn nextA new hope for 2023? What developers must learn next
A new hope for 2023? What developers must learn next
Steve Poole
 
Stop Security by Sleight Of Hand.pptx
Stop Security by Sleight Of Hand.pptxStop Security by Sleight Of Hand.pptx
Stop Security by Sleight Of Hand.pptx
Steve Poole
 
Game Over or Game Changing? Why Software Development May Never be the same again
Game Over or Game Changing? Why Software Development May Never be the same againGame Over or Game Changing? Why Software Development May Never be the same again
Game Over or Game Changing? Why Software Development May Never be the same again
Steve Poole
 
Devoxx France 2022: Game Over or Game Changing? Why Software Development May ...
Devoxx France 2022: Game Over or Game Changing? Why Software Development May ...Devoxx France 2022: Game Over or Game Changing? Why Software Development May ...
Devoxx France 2022: Game Over or Game Changing? Why Software Development May ...
Steve Poole
 
DevnexusRansomeware.pptx
DevnexusRansomeware.pptxDevnexusRansomeware.pptx
DevnexusRansomeware.pptx
Steve Poole
 
Cybercrime and the Developer: How to Start Defending Against the Darker Side
Cybercrime and the Developer: How to Start Defending Against the Darker SideCybercrime and the Developer: How to Start Defending Against the Darker Side
Cybercrime and the Developer: How to Start Defending Against the Darker Side
Steve Poole
 
Anatomy of Java Vulnerabilities - NLJug 2018
Anatomy of Java Vulnerabilities - NLJug 2018Anatomy of Java Vulnerabilities - NLJug 2018
Anatomy of Java Vulnerabilities - NLJug 2018
Steve Poole
 
Faster Secure Software Development with Continuous Deployment - PH Days 2013
Faster Secure Software Development with Continuous Deployment - PH Days 2013Faster Secure Software Development with Continuous Deployment - PH Days 2013
Faster Secure Software Development with Continuous Deployment - PH Days 2013
Nick Galbreath
 
ASFWS 2013 - Cryptocat: récents défis en faisant la cryptographie plus facile...
ASFWS 2013 - Cryptocat: récents défis en faisant la cryptographie plus facile...ASFWS 2013 - Cryptocat: récents défis en faisant la cryptographie plus facile...
ASFWS 2013 - Cryptocat: récents défis en faisant la cryptographie plus facile...
Cyber Security Alliance
 

Ähnlich wie GIDS-2023 A New Hope for 2023? What Developers Must Learn Next (20)

A new hope for 2023? What developers must learn next
A new hope for 2023? What developers must learn nextA new hope for 2023? What developers must learn next
A new hope for 2023? What developers must learn next
 
Stop Security by Sleight Of Hand.pptx
Stop Security by Sleight Of Hand.pptxStop Security by Sleight Of Hand.pptx
Stop Security by Sleight Of Hand.pptx
 
Cybercrime and the developer 2021 style
Cybercrime and the developer 2021 styleCybercrime and the developer 2021 style
Cybercrime and the developer 2021 style
 
Game Over or Game Changing? Why Software Development May Never be the same again
Game Over or Game Changing? Why Software Development May Never be the same againGame Over or Game Changing? Why Software Development May Never be the same again
Game Over or Game Changing? Why Software Development May Never be the same again
 
Devoxx France 2022: Game Over or Game Changing? Why Software Development May ...
Devoxx France 2022: Game Over or Game Changing? Why Software Development May ...Devoxx France 2022: Game Over or Game Changing? Why Software Development May ...
Devoxx France 2022: Game Over or Game Changing? Why Software Development May ...
 
DevnexusRansomeware.pptx
DevnexusRansomeware.pptxDevnexusRansomeware.pptx
DevnexusRansomeware.pptx
 
FOSS and Security
FOSS and SecurityFOSS and Security
FOSS and Security
 
Cybercrime and the Developer: How to Start Defending Against the Darker Side
Cybercrime and the Developer: How to Start Defending Against the Darker SideCybercrime and the Developer: How to Start Defending Against the Darker Side
Cybercrime and the Developer: How to Start Defending Against the Darker Side
 
Anatomy of Java Vulnerabilities - NLJug 2018
Anatomy of Java Vulnerabilities - NLJug 2018Anatomy of Java Vulnerabilities - NLJug 2018
Anatomy of Java Vulnerabilities - NLJug 2018
 
Pentest trends 2017
Pentest trends 2017Pentest trends 2017
Pentest trends 2017
 
Most notable apt_ attacks_of_2015_and_2016 predictions
Most notable apt_ attacks_of_2015_and_2016 predictionsMost notable apt_ attacks_of_2015_and_2016 predictions
Most notable apt_ attacks_of_2015_and_2016 predictions
 
Faster Secure Software Development with Continuous Deployment - PH Days 2013
Faster Secure Software Development with Continuous Deployment - PH Days 2013Faster Secure Software Development with Continuous Deployment - PH Days 2013
Faster Secure Software Development with Continuous Deployment - PH Days 2013
 
The Internet is a dog-eat-dog world and your app is clad in Milk Bone underwear
The Internet is a dog-eat-dog world and your app is clad in Milk Bone underwearThe Internet is a dog-eat-dog world and your app is clad in Milk Bone underwear
The Internet is a dog-eat-dog world and your app is clad in Milk Bone underwear
 
Open Source Insight: CVE-2017-2636 Vuln of the Week & UK National Cyber Secur...
Open Source Insight: CVE-2017-2636 Vuln of the Week & UK National Cyber Secur...Open Source Insight: CVE-2017-2636 Vuln of the Week & UK National Cyber Secur...
Open Source Insight: CVE-2017-2636 Vuln of the Week & UK National Cyber Secur...
 
(In)security in Open Source
(In)security in Open Source(In)security in Open Source
(In)security in Open Source
 
Key Takeaways for Java Developers from the State of the Software Supply Chain...
Key Takeaways for Java Developers from the State of the Software Supply Chain...Key Takeaways for Java Developers from the State of the Software Supply Chain...
Key Takeaways for Java Developers from the State of the Software Supply Chain...
 
Security Opportunities A Silicon Valley VC Perspective
Security Opportunities A Silicon Valley VC PerspectiveSecurity Opportunities A Silicon Valley VC Perspective
Security Opportunities A Silicon Valley VC Perspective
 
2014 Technology Predictions
2014 Technology Predictions2014 Technology Predictions
2014 Technology Predictions
 
2014 Tech Predictions by Daily Deal Builder
2014 Tech Predictions by Daily Deal Builder2014 Tech Predictions by Daily Deal Builder
2014 Tech Predictions by Daily Deal Builder
 
ASFWS 2013 - Cryptocat: récents défis en faisant la cryptographie plus facile...
ASFWS 2013 - Cryptocat: récents défis en faisant la cryptographie plus facile...ASFWS 2013 - Cryptocat: récents défis en faisant la cryptographie plus facile...
ASFWS 2013 - Cryptocat: récents défis en faisant la cryptographie plus facile...
 

Mehr von Steve Poole

Maven Central++ What's happening at the core of the Java supply chain
Maven Central++ What's happening at the core of the Java supply chainMaven Central++ What's happening at the core of the Java supply chain
Maven Central++ What's happening at the core of the Java supply chain
Steve Poole
 
Superman or Ironman - can everyone be a 10x developer?
Superman or Ironman - can everyone be a 10x developer?Superman or Ironman - can everyone be a 10x developer?
Superman or Ironman - can everyone be a 10x developer?
Steve Poole
 
The Secret Life of Maven Central
The Secret Life of Maven CentralThe Secret Life of Maven Central
The Secret Life of Maven Central
Steve Poole
 
The Secret Life of Maven Central.pptx
The Secret Life of Maven Central.pptxThe Secret Life of Maven Central.pptx
The Secret Life of Maven Central.pptx
Steve Poole
 
Log4Shell - Armageddon or Opportunity.pptx
Log4Shell - Armageddon or Opportunity.pptxLog4Shell - Armageddon or Opportunity.pptx
Log4Shell - Armageddon or Opportunity.pptx
Steve Poole
 
Agile Tour London 2018: DASHBOARDS AND CULTURE – HOW OPENNESS CHANGES YOUR BE...
Agile Tour London 2018: DASHBOARDS AND CULTURE – HOW OPENNESS CHANGES YOUR BE...Agile Tour London 2018: DASHBOARDS AND CULTURE – HOW OPENNESS CHANGES YOUR BE...
Agile Tour London 2018: DASHBOARDS AND CULTURE – HOW OPENNESS CHANGES YOUR BE...
Steve Poole
 
SkillsMatter June 2018: Java in the 21st Century: Are You Thinking Far Enough...
SkillsMatter June 2018: Java in the 21st Century: Are You Thinking Far Enough...SkillsMatter June 2018: Java in the 21st Century: Are You Thinking Far Enough...
SkillsMatter June 2018: Java in the 21st Century: Are You Thinking Far Enough...
Steve Poole
 
Dev Days Vilnius 2018 : Cloud Native Java with OpenJ9- Fast, Lean and definit...
Dev Days Vilnius 2018 : Cloud Native Java with OpenJ9- Fast, Lean and definit...Dev Days Vilnius 2018 : Cloud Native Java with OpenJ9- Fast, Lean and definit...
Dev Days Vilnius 2018 : Cloud Native Java with OpenJ9- Fast, Lean and definit...
Steve Poole
 
Keynote Dev Days vilnius 2018: how openness changes your behaviour
Keynote Dev Days vilnius 2018: how openness changes your behaviourKeynote Dev Days vilnius 2018: how openness changes your behaviour
Keynote Dev Days vilnius 2018: how openness changes your behaviour
Steve Poole
 
Dev talks Cluj 2018 : Java in the 21 Century: Are you thinking far enough ahead?
Dev talks Cluj 2018 : Java in the 21 Century: Are you thinking far enough ahead?Dev talks Cluj 2018 : Java in the 21 Century: Are you thinking far enough ahead?
Dev talks Cluj 2018 : Java in the 21 Century: Are you thinking far enough ahead?
Steve Poole
 
Dashboards and Culture: How Openness Changes Your Behaviour
Dashboards and Culture: How Openness Changes Your BehaviourDashboards and Culture: How Openness Changes Your Behaviour
Dashboards and Culture: How Openness Changes Your Behaviour
Steve Poole
 

Mehr von Steve Poole (20)

THRIVING IN THE GEN AI ERA: NAVIGATING CHANGE IN TECH
THRIVING IN THE GEN AI ERA: NAVIGATING CHANGE IN TECHTHRIVING IN THE GEN AI ERA: NAVIGATING CHANGE IN TECH
THRIVING IN THE GEN AI ERA: NAVIGATING CHANGE IN TECH
 
Maven Central++ What's happening at the core of the Java supply chain
Maven Central++ What's happening at the core of the Java supply chainMaven Central++ What's happening at the core of the Java supply chain
Maven Central++ What's happening at the core of the Java supply chain
 
Superman or Ironman - can everyone be a 10x developer?
Superman or Ironman - can everyone be a 10x developer?Superman or Ironman - can everyone be a 10x developer?
Superman or Ironman - can everyone be a 10x developer?
 
The Secret Life of Maven Central
The Secret Life of Maven CentralThe Secret Life of Maven Central
The Secret Life of Maven Central
 
The Secret Life of Maven Central.pptx
The Secret Life of Maven Central.pptxThe Secret Life of Maven Central.pptx
The Secret Life of Maven Central.pptx
 
Log4Shell - Armageddon or Opportunity.pptx
Log4Shell - Armageddon or Opportunity.pptxLog4Shell - Armageddon or Opportunity.pptx
Log4Shell - Armageddon or Opportunity.pptx
 
Agile Islands 2020 - Dashboards and Culture
Agile Islands 2020 - Dashboards and CultureAgile Islands 2020 - Dashboards and Culture
Agile Islands 2020 - Dashboards and Culture
 
LJC Speaker Clnic June 2020
LJC Speaker Clnic June 2020LJC Speaker Clnic June 2020
LJC Speaker Clnic June 2020
 
Agile Tour London 2018: DASHBOARDS AND CULTURE – HOW OPENNESS CHANGES YOUR BE...
Agile Tour London 2018: DASHBOARDS AND CULTURE – HOW OPENNESS CHANGES YOUR BE...Agile Tour London 2018: DASHBOARDS AND CULTURE – HOW OPENNESS CHANGES YOUR BE...
Agile Tour London 2018: DASHBOARDS AND CULTURE – HOW OPENNESS CHANGES YOUR BE...
 
Beyond the Pi: What’s Next for the Hacker in All of Us?
Beyond the Pi: What’s Next for the Hacker in All of Us?Beyond the Pi: What’s Next for the Hacker in All of Us?
Beyond the Pi: What’s Next for the Hacker in All of Us?
 
A Modern Fairy Tale: Java Serialization
A Modern Fairy Tale: Java Serialization A Modern Fairy Tale: Java Serialization
A Modern Fairy Tale: Java Serialization
 
Eclipse OpenJ9 - SpringOne 2018 Lightning talk
Eclipse OpenJ9 - SpringOne 2018 Lightning talkEclipse OpenJ9 - SpringOne 2018 Lightning talk
Eclipse OpenJ9 - SpringOne 2018 Lightning talk
 
SkillsMatter June 2018: Java in the 21st Century: Are You Thinking Far Enough...
SkillsMatter June 2018: Java in the 21st Century: Are You Thinking Far Enough...SkillsMatter June 2018: Java in the 21st Century: Are You Thinking Far Enough...
SkillsMatter June 2018: Java in the 21st Century: Are You Thinking Far Enough...
 
Dev Days Vilnius 2018 : Cloud Native Java with OpenJ9- Fast, Lean and definit...
Dev Days Vilnius 2018 : Cloud Native Java with OpenJ9- Fast, Lean and definit...Dev Days Vilnius 2018 : Cloud Native Java with OpenJ9- Fast, Lean and definit...
Dev Days Vilnius 2018 : Cloud Native Java with OpenJ9- Fast, Lean and definit...
 
Keynote Dev Days vilnius 2018: how openness changes your behaviour
Keynote Dev Days vilnius 2018: how openness changes your behaviourKeynote Dev Days vilnius 2018: how openness changes your behaviour
Keynote Dev Days vilnius 2018: how openness changes your behaviour
 
Dev talks Cluj 2018 : Java in the 21 Century: Are you thinking far enough ahead?
Dev talks Cluj 2018 : Java in the 21 Century: Are you thinking far enough ahead?Dev talks Cluj 2018 : Java in the 21 Century: Are you thinking far enough ahead?
Dev talks Cluj 2018 : Java in the 21 Century: Are you thinking far enough ahead?
 
Java application security the hard way - a workshop for the serious developer
Java application security the hard way - a workshop for the serious developerJava application security the hard way - a workshop for the serious developer
Java application security the hard way - a workshop for the serious developer
 
Locking the Doors -7 Pernicious Pitfalls to avoid with Java
Locking the Doors -7 Pernicious Pitfalls to avoid with JavaLocking the Doors -7 Pernicious Pitfalls to avoid with Java
Locking the Doors -7 Pernicious Pitfalls to avoid with Java
 
Dashboards and Culture: How Openness Changes Your Behaviour
Dashboards and Culture: How Openness Changes Your BehaviourDashboards and Culture: How Openness Changes Your Behaviour
Dashboards and Culture: How Openness Changes Your Behaviour
 
QCon London - Java at Scale
QCon London - Java at ScaleQCon London - Java at Scale
QCon London - Java at Scale
 

Kürzlich hochgeladen

TECUNIQUE: Success Stories: IT Service provider
TECUNIQUE: Success Stories: IT Service providerTECUNIQUE: Success Stories: IT Service provider
TECUNIQUE: Success Stories: IT Service provider
mohitmore19
 
W01_panagenda_Navigating-the-Future-with-The-Hitchhikers-Guide-to-Notes-and-D...
W01_panagenda_Navigating-the-Future-with-The-Hitchhikers-Guide-to-Notes-and-D...W01_panagenda_Navigating-the-Future-with-The-Hitchhikers-Guide-to-Notes-and-D...
W01_panagenda_Navigating-the-Future-with-The-Hitchhikers-Guide-to-Notes-and-D...
panagenda
 
call girls in Vaishali (Ghaziabad) 🔝 >༒8448380779 🔝 genuine Escort Service 🔝✔️✔️
call girls in Vaishali (Ghaziabad) 🔝 >༒8448380779 🔝 genuine Escort Service 🔝✔️✔️call girls in Vaishali (Ghaziabad) 🔝 >༒8448380779 🔝 genuine Escort Service 🔝✔️✔️
call girls in Vaishali (Ghaziabad) 🔝 >༒8448380779 🔝 genuine Escort Service 🔝✔️✔️
Delhi Call girls
 
introduction-to-automotive Andoid os-csimmonds-ndctechtown-2021.pdf
introduction-to-automotive Andoid os-csimmonds-ndctechtown-2021.pdfintroduction-to-automotive Andoid os-csimmonds-ndctechtown-2021.pdf
introduction-to-automotive Andoid os-csimmonds-ndctechtown-2021.pdf
VishalKumarJha10
 
Unveiling the Tech Salsa of LAMs with Janus in Real-Time Applications
Unveiling the Tech Salsa of LAMs with Janus in Real-Time ApplicationsUnveiling the Tech Salsa of LAMs with Janus in Real-Time Applications
Unveiling the Tech Salsa of LAMs with Janus in Real-Time Applications
Alberto González Trastoy
 

Kürzlich hochgeladen (20)

Software Quality Assurance Interview Questions
Software Quality Assurance Interview QuestionsSoftware Quality Assurance Interview Questions
Software Quality Assurance Interview Questions
 
5 Signs You Need a Fashion PLM Software.pdf
5 Signs You Need a Fashion PLM Software.pdf5 Signs You Need a Fashion PLM Software.pdf
5 Signs You Need a Fashion PLM Software.pdf
 
10 Trends Likely to Shape Enterprise Technology in 2024
10 Trends Likely to Shape Enterprise Technology in 202410 Trends Likely to Shape Enterprise Technology in 2024
10 Trends Likely to Shape Enterprise Technology in 2024
 
Tech Tuesday-Harness the Power of Effective Resource Planning with OnePlan’s ...
Tech Tuesday-Harness the Power of Effective Resource Planning with OnePlan’s ...Tech Tuesday-Harness the Power of Effective Resource Planning with OnePlan’s ...
Tech Tuesday-Harness the Power of Effective Resource Planning with OnePlan’s ...
 
TECUNIQUE: Success Stories: IT Service provider
TECUNIQUE: Success Stories: IT Service providerTECUNIQUE: Success Stories: IT Service provider
TECUNIQUE: Success Stories: IT Service provider
 
The Guide to Integrating Generative AI into Unified Continuous Testing Platfo...
The Guide to Integrating Generative AI into Unified Continuous Testing Platfo...The Guide to Integrating Generative AI into Unified Continuous Testing Platfo...
The Guide to Integrating Generative AI into Unified Continuous Testing Platfo...
 
Microsoft AI Transformation Partner Playbook.pdf
Microsoft AI Transformation Partner Playbook.pdfMicrosoft AI Transformation Partner Playbook.pdf
Microsoft AI Transformation Partner Playbook.pdf
 
W01_panagenda_Navigating-the-Future-with-The-Hitchhikers-Guide-to-Notes-and-D...
W01_panagenda_Navigating-the-Future-with-The-Hitchhikers-Guide-to-Notes-and-D...W01_panagenda_Navigating-the-Future-with-The-Hitchhikers-Guide-to-Notes-and-D...
W01_panagenda_Navigating-the-Future-with-The-Hitchhikers-Guide-to-Notes-and-D...
 
Define the academic and professional writing..pdf
Define the academic and professional writing..pdfDefine the academic and professional writing..pdf
Define the academic and professional writing..pdf
 
call girls in Vaishali (Ghaziabad) 🔝 >༒8448380779 🔝 genuine Escort Service 🔝✔️✔️
call girls in Vaishali (Ghaziabad) 🔝 >༒8448380779 🔝 genuine Escort Service 🔝✔️✔️call girls in Vaishali (Ghaziabad) 🔝 >༒8448380779 🔝 genuine Escort Service 🔝✔️✔️
call girls in Vaishali (Ghaziabad) 🔝 >༒8448380779 🔝 genuine Escort Service 🔝✔️✔️
 
Diamond Application Development Crafting Solutions with Precision
Diamond Application Development Crafting Solutions with PrecisionDiamond Application Development Crafting Solutions with Precision
Diamond Application Development Crafting Solutions with Precision
 
Exploring the Best Video Editing App.pdf
Exploring the Best Video Editing App.pdfExploring the Best Video Editing App.pdf
Exploring the Best Video Editing App.pdf
 
Unlocking the Future of AI Agents with Large Language Models
Unlocking the Future of AI Agents with Large Language ModelsUnlocking the Future of AI Agents with Large Language Models
Unlocking the Future of AI Agents with Large Language Models
 
introduction-to-automotive Andoid os-csimmonds-ndctechtown-2021.pdf
introduction-to-automotive Andoid os-csimmonds-ndctechtown-2021.pdfintroduction-to-automotive Andoid os-csimmonds-ndctechtown-2021.pdf
introduction-to-automotive Andoid os-csimmonds-ndctechtown-2021.pdf
 
Learn the Fundamentals of XCUITest Framework_ A Beginner's Guide.pdf
Learn the Fundamentals of XCUITest Framework_ A Beginner's Guide.pdfLearn the Fundamentals of XCUITest Framework_ A Beginner's Guide.pdf
Learn the Fundamentals of XCUITest Framework_ A Beginner's Guide.pdf
 
HR Software Buyers Guide in 2024 - HRSoftware.com
HR Software Buyers Guide in 2024 - HRSoftware.comHR Software Buyers Guide in 2024 - HRSoftware.com
HR Software Buyers Guide in 2024 - HRSoftware.com
 
How To Troubleshoot Collaboration Apps for the Modern Connected Worker
How To Troubleshoot Collaboration Apps for the Modern Connected WorkerHow To Troubleshoot Collaboration Apps for the Modern Connected Worker
How To Troubleshoot Collaboration Apps for the Modern Connected Worker
 
Unveiling the Tech Salsa of LAMs with Janus in Real-Time Applications
Unveiling the Tech Salsa of LAMs with Janus in Real-Time ApplicationsUnveiling the Tech Salsa of LAMs with Janus in Real-Time Applications
Unveiling the Tech Salsa of LAMs with Janus in Real-Time Applications
 
Azure_Native_Qumulo_High_Performance_Compute_Benchmarks.pdf
Azure_Native_Qumulo_High_Performance_Compute_Benchmarks.pdfAzure_Native_Qumulo_High_Performance_Compute_Benchmarks.pdf
Azure_Native_Qumulo_High_Performance_Compute_Benchmarks.pdf
 
VTU technical seminar 8Th Sem on Scikit-learn
VTU technical seminar 8Th Sem on Scikit-learnVTU technical seminar 8Th Sem on Scikit-learn
VTU technical seminar 8Th Sem on Scikit-learn
 

GIDS-2023 A New Hope for 2023? What Developers Must Learn Next

  • 1. @spoole167 www.developersummit.com @spoole167 A new hope for 2023? What developers must learn next
  • 2. @spoole167 what do we think when we think about cybercrime?”
  • 3. @spoole167 Photo by Bastian Pudill on Unsplash Do we imagine someone walking down the road trying the handles of cars as they pass Looking for a car to steal
  • 4. @spoole167 Do we remember that movie we watched about a daring and sophisticated robbery ?
  • 5. @spoole167 these are the two styles we often think about. The super complicated attack or the simple opportunist
  • 6. @spoole167 Wrongly we think we’re not targets we think the bad guys are far away
  • 7. @spoole167 The most common thoughts as a developer are ”why is it my problem?” or “I don’t really know what to do”
  • 8. @spoole167 this talk • Is a reality check about what the bad guys are really doing and why • What’s happening to help address these attacks • What should you be doing next
  • 10. @spoole167 Sonatype Invented Maven Started Maven Central in 2003 Created Nexus repo and other technologies The quiet leader in secure software supply chain technology
  • 11. Not just the Maven Central people
  • 12.
  • 14. @spoole167 Cyberattacks have moved on It’s not all hackers in bedrooms doing it for fun
  • 15. @spoole167 in 2016 Cybercrime cost ~415 Billion Dollars So did the illicit drug trade
  • 16. @spoole167 Buys you US Nimitz Class carriers 415 Billion Dollars in 2016
  • 17. @spoole167 Buys you US Nimitz Class carriers 415 Billion Dollars in 2016 50
  • 18. @spoole167 Cybercrime has been growing at ~56% per year ever since drug trade cybercrime
  • 19. @spoole167 Buys you US Nimitz Class carriers 415 Billion Dollars in 2016 50
  • 20. @spoole167 Buys you US Nimitz Class carriers 6 Trillion Dollars in 2022 50 620
  • 21. @spoole167 United States: $20.89 trillion China: $14.72 trillion Cyber Crime : $6.0 trillion Japan: $5.06 trillion Germany: $3.85 trillion United Kingdom: $2.67 trillion India: $2.66 trillion France: $2.63 trillion Italy: $1.89 trillion Canada: $1.64 trillion https://globalpeoservices.com/top-15-countries-by-gdp-in-2022/ if Cybercrime was a country (by gdp)
  • 22. @spoole167 There is no sign of it slowing down drug trade cybercrime US gdp
  • 24. @spoole167 There are still.. • There are still botnets out there trying to get into your systems • There are still bad guys who want to steal your secrets • There are still people who will ransom your data • There are still cryptocurrency miners trying to steal your CPU cycles
  • 25. @spoole167 Plus .. • There are still botnets out there trying to get into your systems • There are still bad guys who want to steal your secrets • There are still people who will ransom your data • There are still cryptocurrency miners trying to steal your CPU cycles • Now there are open source project hijacks • Now there are fake packages in repos • Now there is malware in the build process • Now the aim is long term control and stealth
  • 26. @spoole167 Now there is cyber-warfare • Motivations are different - it’s not about money • Skillsets are higher - professional, well funded. • Perseverance is much greater - specific targets, not just targets of opportunity
  • 27. @spoole167 Now there is cyber-warfare • Motivations are different - it’s not about money • Skillsets are higher - professional, well funded. • Persistence is much greater - specific targets, not just targets of opportunity • EVERYONE – Every state or political body, every disenfranchised or suppressed group is or will be taking part.
  • 28. @spoole167 Now there is cyber-warfare • It’s been happening behind the scenes for some time. • Now it’s mainstream. You personally Your personal networks The organizations you work for, belong to or help Your country Potential Targets
  • 29. @spoole167 Modern attacks are supply chain attacks – and we are all part of a supply chain
  • 30. @spoole167 The aim is to infiltrate infrastructure and essential services… The internet is the next battlefield. It’s all about software
  • 32. @spoole167 Everything really is online There is no distance between you and the bad actors they ‘live’ next door
  • 33. @spoole167 Cyber warfare is real and will drive massive changes in how we develop and deliver software
  • 34. @spoole167 The only thing between you and the bad actors is software
  • 35. @spoole167 be ready for massive increases in attacks on software everywhere s/w in the car s/w on the phone s/w on the watch s/w on any device s/w on the laptop s/w on server s/w on the wifi router s/w at the supermarket
  • 36. @spoole167 Bad Actors used to search for vulnerabilities to exploit
  • 37. @spoole167 Now they make their own Typosquatting A lookalike domain, dependency with one or two wrong or different characters Open source repo attacks Attempts to get malware or weaknesses added into dependency source via social or tools Build Tool attacks Attempts to get malware into the tools that are used to produce dependencies Dependency confusion Attempts to get a Different version added into a binary repository Often “latest” Automated Social engineering
  • 38. The Zero Day Window is Closing Source: Adapted from IBM X-Force / Analysis by Gartner Research (September 2016) Year of Date Reported 2006 2007 2008 2009 2010 201 1 2012 2013 2104 2015 1 0 20 30 40 50 0 Average Days from Public Disclosure to Exploit Average 45 15 201 7 2019 2021 Struts2
  • 39. The Zero Day Window is closed Source: Adapted from IBM X-Force / Analysis by Gartner Research (September 2016) Year of Date Reported 2006 2007 2008 2009 2010 201 1 2012 2013 2104 2015 1 0 20 30 40 50 0 Average Days from Public Disclosure to Exploit Average 45 15 201 7 2019 2021 Struts2 Nation states are paying millions of dollars to suppress vulnerability reporting
  • 40. The Zero Day Window is closed Source: Adapted from IBM X-Force / Analysis by Gartner Research (September 2016) Year of Date Reported 2006 2007 2008 2009 2010 201 1 2012 2013 2104 2015 1 0 20 30 40 50 0 Average Days from Public Disclosure to Exploit Average 45 15 201 7 2019 2021 Struts2 China requires all disclosures to be reported to the government first
  • 41. The Zero Day Window is closed Source: Adapted from IBM X-Force / Analysis by Gartner Research (September 2016) Year of Date Reported 2006 2007 2008 2009 2010 201 1 2012 2013 2104 2015 1 0 20 30 40 50 0 Average Days from Public Disclosure to Exploit Average 45 15 201 7 2019 2021 Struts2 The more severe the vulnerability, the less chance of it being reported publically
  • 43. @spoole167 The new world of cyber security is “exploit first”
  • 46. What are we doing about all of this?
  • 47. @spoole167 Backstory – the scales are tipping • Open source is seen as both critical and unreliable • Big Business has managed to keep governments quiet • Business Value won over Security • 7 Trillion dollars a year and existential threats to national security  Security wins • The question isn’t whether – it’s about how. • Governments always use big sticks
  • 48. @spoole167 17 May 2021 – US Government takes a stand Joe Biden
  • 49. @spoole167 December 2022 – EU Updates directives .. Joe Biden
  • 50. @spoole167 Hardening the software supply chain : every ‘product’ has a SBOM uses an automatic supply chain process has evidence of software integrity has evidence of an automatic vulnerability check process Has a vulnerability disclosure program Has evidence on the providence of all software used Demonstrates strong controls over the use of internal and third- party software and services Demonstrate regular audit processes
  • 51. @spoole167 Technical responses 1 Securing the supply chain – provable evidence trails 2 Improved understanding of vulnerable projects 3 Automating the supply chain - code to cloud (no humans involved) 4 Education for developers
  • 53. Log4Shell may be the worst ever vulnerability https://apple.news/AnKnv0_EdR3K2b-t6Z67-qw
  • 54. A canonical example of whats going wrong
  • 55. False confidence in our tools or not caring? Finding out if you are vulnerable using scanning tools can be challenging It’s all ‘after the fact’ requires great tools and great data Not everyone has equal access
  • 56. @spoole167 On the horizon Switch from scanning tools that try to work out what you have installed To signed, provable, reproduceable “Software Bill of Materials” Centralised signatures Centralised analysis tools
  • 57. @spoole167 Software Bill Of Materials cyclonedx.org spdx.dev the new important term on the horizon mvn org.cyclonedx:cyclonedx-maven-plugin:makeAggregateBom
  • 59. @spoole167 Tackling the next level 90% of an application is open source components
  • 60. @spoole167 Tackling the next level Linux Foundation and other groups working to develop guidelines for measuring good practices and ongoing behavior
  • 62. @spoole167 The Open Source Software Security Mobilization Plan https://openssf.org/oss-security-mobilization-plan/ security education risk assessment digital signatures memory safety incident response better scanning code audits data sharing SBOMs everywhere Supply chains
  • 63. @spoole167 What can you do right now?
  • 64. @spoole167 The best tools right now are these
  • 65. @spoole167 The best tools right now are these
  • 66. Avoidable Vulnerability (poor choices) Vulnerability management is largely a consumption-side problem For 96% of vulnerable downloads, there was a non- vulnerable version available Avoidability of vulnerable Maven Central downloads Unavoidable Vulnerability
  • 67. @spoole167 Look at how you choose open source software • What do you do if a open-source component you rely on doesn’t comply? • How much risk are you willing to take? • Even if they say yes - how much can you trust them? • Do they have an SBOM? • What’s their ability to provide updates. • What’s their security posture. Not just is it free, does it do what I want?
  • 68. things to check for unexpected release frequency number and activity patterns of committers Do they do Static Analysis and Security Testing (SAST) Are they prone to making breaking changes Do they often have no path forward (latest version has vulnerabilities)
  • 69. things to check for License / security.md file Vulnerability reporting process Development process (how do they review contributions) Build process – is it secure? Who can trigger it? General assessment of their quality (MTTU)
  • 70. Thinking deeper about how you develop s/w
  • 71. @spoole167 Exercise your suspicious brain, find code smells and LOOK closely at the projects you’re using Build your own selection criteria or use others
  • 74. @spoole167 Code defensively follow secure design principles • Minimize attack surface area • Establish secure defaults • Principle of Least privilege • Principle of Defense in depth • Fail securely • Don’t trust services • Separation of duties • Avoid security by obscurity • Keep security simple • Fix security issues correctly https://www.owasp.org/index.php/Security_by_Design_Principles#Security _principles
  • 76. @spoole167 Keep a watch on available education
  • 77. @spoole167 Summary • Cyber attacks are being industrialized, weaponized and hidden. • “exploit first” means Day Zero moving to Day – 1 , -20. -Never • Government legislation aim to force suppliers to “fix” the problem • How we create and deliver software will change • How we select / consume open source software will change • Developers must become experts at AppSec
  • 78. @spoole167 Takeaways • The days of just taking software off the shelf are numbered • developers must choose software based on production value not just function • Evidence based trust will become essential • the software you use, how you develop, how you deploy will become a certified step in someone else's evidence chain. • A complex and challenging new world lies ahead. • GDPR changed how we thought and deal with user information – supply chains are going to get the same sort of scrutiny. • It’s time to reassess tools and vendors • Look for partners you can trust to build supply chains you and the world can rely on
  • 79. @spoole167 Thank you bit.ly/41FGVXt google: “Brian Fox RSAC 2023” bomdoctor.sonatype.com