Mitun Zavery
Senior Solutions Architect, Sonatype
@MitunZavery

Open Source Developers are the front line.

A shifting landscape of attacks…
- in partnership with -
Source: Sonatype
OSS Download Volumes
@MitunZavery

80 - 90% of code is sourced from external suppliers.
The economics of cybercrime

In 2016 cybercrime was estimated to be worth 450 billion dollars.
Organized cybercrime is the most profitable type of crime.
In 2016 the illicit drug trade was estimated to be worth 435 billion dollars.

Organized cybercrime is the most profitable type of crime
• Guess which one has the least risk to the criminal?
• Guess which is growing the fastest?
• Guess which one is the hardest to prosecute?
• Guess which one is predicted to reach 2,100 billion dollars by 2019?
• Guess which one is predicted to reach 6,000 billion dollars by 2021?
@spoole167

[Chart: Cybercrime vs. drug trade, 2013 to 2021 (y axis 0 to 6000). Slide credit: Steve Poole @spoole167]
Drugs are not a growth industry.

That's about $800 for every person on the planet.
Slide credit: Steve Poole @spoole167
Crypto currency: cybercrime's new best friend.

"I have nothing of value in my application"
Your server has CPU cycles.
Your visitors have CPU cycles.
Your build infra has CPU cycles.
Crypto currency allows the attack to be directly monetized.

Jenkins under attack
"So far, $3.4 million has been mined."
2013: CVE-2013-2251
• Network exploitable
• Medium access complexity
• No authentication required for exploit
• Allows unauthorized disclosure of information
• Allows unauthorized modification
• Allows disruption of service
Widespread compromise post disclosure

2014
18,330,958 downloads; 78% of downloads were vulnerable

2015: Commons Collections, CWE-502
23,476,966 total downloads in 2016
https://wvusoldier.wordpress.com/2016/09/05/some-extra-details-on-hospital-ransomware-you-probably-didnt-know/
Large scale exploit: a 5 month opportunity to take corrective action (March to September)

March 7: Apache Struts releases an updated version to thwart the vulnerability (CVE-2017-5638).
March 9: Equifax applications breached through the Struts2 vulnerability.
July 29: Breach is discovered by Equifax.
Sept 7: A new RCE vulnerability is announced and fixed (CVE-2017-9805).

Phases: Probing, Hack, Crisis Management
TIME TO RESPOND BEFORE EXPLOIT
Source: Adapted from IBM X-Force / Analysis by Gartner Research (September 2016)
[Chart: Average days to exploit (y axis 0 to 50) by year of date reported, 2006 to 2015. Labels on the chart: Average, 45, 15, 2017.]
Complex interdependencies

100:1 developers outnumber application security
@mitunzavery
What are the right things to do?

1945: W. Edwards Deming
Traditional supply chain / Software supply chain

We are not the first INDUSTRY to face a supply chain CHALLENGE
Source: xkcd
@mitunzavery
"A set of practices intended to reduce the time between committing a change to a system and the change being placed into normal production, while ensuring high quality"

When you climb the mountain every day, it's easier.
@mitunzavery
Automation requires accuracy
False positives and false negatives inhibit automation.
The real cost of developers spending time chasing and remediating incorrect data is not always obvious.

Automation requires accuracy
Examine and match OSS components via file names and package manifests.
It's prone to error. Filenames can (and have been known to) be renamed to match whitelists.
The Anatomy of a False Positive

Name based matching incorrectly associates risk

Issue         | Sonatype Cause | Sonatype      | Vendor 1       | Vendor 2       | Vendor 3       | OWASP DepCheck
CVE-2012-xxxx | poi-scratchpad | True Negative | False Positive | False Positive | False Positive | False Positive
CVE-2014-xxxx | poi-ooxml      | True Negative | False Positive | True Negative  | False Positive | False Positive
CVE-2014-xxxx | poi-ooxml      | True Negative | False Positive | True Negative  | False Positive | False Positive
CVE-2014-xxxx | poi-scratchpad | True Negative | False Positive | False Positive | False Positive | False Positive
CVE-2017-xxxx | poi-examples   | True Negative | False Positive | True Negative  | False Positive | False Positive
CVE-2017-xxxx | poi-ooxml      | True Negative | False Positive | False Positive | False Positive | False Positive

Vendor Component Name: Apache POI 3.7
Vendor Scanned Component: org.apache.poi:poi-3.7.jar
CPE from NVD: cpe:2.3:a:apache:poi
Savings: Research time to prove false positives. Rework time to upgrade when not required.
The True Cost of False Positives and False Negatives

Automated decisions require high quality data
• False positives and incorrect issue identification incur research costs or upgrade costs
• False negatives leave you at risk

Component                       | Sonatype                            | Vendor 1                                                                | Vendor 2                             | OWASP DepCheck
Commons Collections 3.2 & 3.2.1 | 1 True Negative, 2 True Positives   | 1 False Positive, 1 False Negative, 1 Incorrect ID                      | 1 True Negative, 2 Incorrect IDs     | 1 True Negative, 1 Incorrect ID
Active MQ                       | 12 True Negatives, 2 True Positives | 2 True Negatives, 1 True Positive, 10 False Positives, 1 False Negative | 2 True Positives, 12 False Positives |
Apache MyFaces 2.0.8            | 1 True Negative, 1 True Positive    | 1 True Negative, 1 True Positive                                        | 1 False Positive, 1 False Negative   | 1 True Positive, 1 True Negative
Apache POI 2.5.1-final-200408   | 6 True Negatives                    | 6 True Negatives                                                        | 6 False Positives                    | 6 False Positives
ICU for Java 3.4.1              | 7 True Negatives                    | 7 True Negatives                                                        | 7 False Positives                    |
jQuery 1.11.2                   | 1 True Positive                     | 1 False Negative                                                        | 1 False Positive                     | 1 True Positive
Spring Transaction 3.0.5        | 10 True Negatives                   | 10 True Negatives                                                       | 10 False Positives                   | 10 False Positives
mysql-connector-java-5.1.40     | 98 True Negatives                   | 98 False Positives                                                      |                                      |
Rich Faces 4.0 Final            | 3 True Positives                    | 3 False Negatives                                                       | 1 False Negative, 2 Incorrect IDs    |
Name based matching creates rework and risk.
False positives are the silent killer.

6000 components analyzed (~1531 artifact discrepancies)
• 4500 non issues
• 1034 true positives (1 in 6 is a valid finding)
• 5330 false positives when CPE was part of the component name
• 2969 false negatives when CPE was not in the component name
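The name-based versus coordinate-based matching that the false-positive slides contrast, as an added example (not from the deck or from Sonatype's tooling): a constructed inventory holding the slide's scanned component plus a renamed jar, and placeholder advisories whose "affected" coordinates follow the slide's "Cause" column. It reproduces the false-positive pattern of the Apache POI table and the false-negative case from renamed filenames.

```python
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Tuple


@dataclass(frozen=True)
class Component:
    group: str       # Maven groupId read from the package metadata (pom.properties)
    artifact: str    # Maven artifactId read from the package metadata
    version: str
    filename: str    # name of the jar on disk; may have been renamed


@dataclass(frozen=True)
class Advisory:
    cve: str                              # placeholder ids (CVE-YYYY-xxxx), as on the slide
    cpe_product: str                      # product field of the NVD CPE: cpe:2.3:a:apache:poi -> "poi"
    affected: FrozenSet[Tuple[str, str]]  # exact (groupId, artifactId) that actually contain the flaw
    fixed_in: str                         # first version without the flaw


def version_tuple(v: str) -> Tuple[int, ...]:
    return tuple(int(p) for p in v.split("."))


def in_vulnerable_range(version: str, fixed_in: str) -> bool:
    return version_tuple(version) < version_tuple(fixed_in)


def match_by_name(c: Component, a: Advisory) -> bool:
    """Name-based matching: CPE product string found in the file name, then a version check."""
    return a.cpe_product in c.filename.lower() and in_vulnerable_range(c.version, a.fixed_in)


def match_by_coordinates(c: Component, a: Advisory) -> bool:
    """Coordinate-based matching: exact groupId:artifactId from package metadata, then a version check."""
    return (c.group, c.artifact) in a.affected and in_vulnerable_range(c.version, a.fixed_in)


def truly_affected(c: Component, a: Advisory) -> bool:
    # Ground truth for the constructed data: the flaw lives only in the advisory's listed coordinates.
    return (c.group, c.artifact) in a.affected and in_vulnerable_range(c.version, a.fixed_in)


def classify(reported: bool, actual: bool) -> str:
    if reported:
        return "True Positive" if actual else "False Positive"
    return "False Negative" if actual else "True Negative"


MATCHERS = {"name-based": match_by_name, "coordinate-based": match_by_coordinates}


def evaluate(components: List[Component], advisories: List[Advisory]) -> Dict[Tuple[str, str], Dict[str, str]]:
    """Verdict of each matcher for every (cve, filename) pair, judged against ground truth."""
    out: Dict[Tuple[str, str], Dict[str, str]] = {}
    for c in components:
        for a in advisories:
            actual = truly_affected(c, a)
            out[(a.cve, c.filename)] = {name: classify(fn(c, a), actual) for name, fn in MATCHERS.items()}
    return out


def summarize(results: Dict[Tuple[str, str], Dict[str, str]]) -> Dict[str, Dict[str, int]]:
    """Count verdicts per matcher, the way the slide's comparison tables do."""
    counts: Dict[str, Dict[str, int]] = {name: {} for name in MATCHERS}
    for verdicts in results.values():
        for name, verdict in verdicts.items():
            counts[name][verdict] = counts[name].get(verdict, 0) + 1
    return counts


# Constructed inventory: the slide's scanned component, plus a scratchpad jar that was
# renamed on disk while its pom.properties still carry the real coordinates.
COMPONENTS = [
    Component("org.apache.poi", "poi", "3.7", "poi-3.7.jar"),
    Component("org.apache.poi", "poi-scratchpad", "3.7", "office-utils.jar"),
]

# Constructed advisories with placeholder ids; the CPE product is "poi" for all of them,
# but the flaw sits in scratchpad / ooxml / examples, not in poi core.
POI = "org.apache.poi"
ADVISORIES = [
    Advisory("CVE-2012-xxxx", "poi", frozenset({(POI, "poi-scratchpad")}), "3.8"),
    Advisory("CVE-2014-xxxx", "poi", frozenset({(POI, "poi-ooxml")}), "3.10"),
    Advisory("CVE-2017-xxxx", "poi", frozenset({(POI, "poi-examples")}), "3.16"),
]

if __name__ == "__main__":
    results = evaluate(COMPONENTS, ADVISORIES)
    for (cve, filename), verdicts in results.items():
        print(f"{cve} on {filename}: " + ", ".join(f"{k}={v}" for k, v in verdicts.items()))
    print(summarize(results))
```

Name matching flags poi-3.7.jar three times because "poi" is in the file name, and misses the renamed scratchpad jar entirely; coordinate matching gets all six verdicts right.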
Providing accurate data isn't easy

How to enable developers to build secure software
Do not force developers to use tools designed for security.

How to enable developers to build secure software
Provide remediation guidance.

Control risk across every phase of the software development lifecycle

[Diagram of the pipeline. Labels: Dev, CI/CD, QA, UAT, Prod; Developers, Source Control, Build, Deploy, Repository, Public Component Repositories; Policy Enforcement (Block Bad Stuff); Policy Enforcement; Monitored for new issues; Early Feedback]
DevSecCon London 2019: Are Open Source Developers Security’s New Front Line?