Mitun Zavery
Senior Engineer at Sonatype
Bad actors have recognized the power of open source and are now beginning to create their own attack opportunities. This new form of assault, where OSS project credentials are compromised and malicious code is intentionally injected into open source libraries, allows hackers to poison the well. In this session, Mitun will explain how security and developers must work together to stop this trend, or risk losing the entire open source ecosystem.
Analyze and detail the events leading to today’s “all-out” attack on the OSS industry
Define what the future of open source looks like in today’s new normal
Outline how developers can step into the role of security, to protect themselves and the millions of people depending on them
6. In 2016 cybercrime was estimated to be worth 450 Billion Dollars.
In 2016 the illicit drug trade was estimated to be worth 435 Billion Dollars.
Organized Cybercrime is the most profitable type of crime.
7. Organized Cybercrime is the most profitable type of crime
• Guess which one has the least risk to the criminal?
• Guess which is growing the fastest?
• Guess which one is the hardest to prosecute?
• Guess which one is predicted to reach 2,100 Billion Dollars by 2019?
• Guess which one is predicted to reach 6,000 Billion Dollars by 2021?
@spoole167
9. That’s about $800 for every person on the planet
Slide Credit: Steven Pool @spool167
11. Cryptocurrency: Cybercrime’s new best friend.
“I have nothing of value in my application”
• Your server has CPU cycles
• Your visitors have CPU cycles
• Your build infra has CPU cycles
Cryptocurrency allows the attack to be directly monetized.
13. 2013 CVE-2013-2251
• Network exploitable
• Medium access complexity
• No authentication required for exploit
• Allows unauthorized disclosure of information
• Allows unauthorized modification
• Allows disruption of service
16. 2015: Commons Collections (CWE-502, deserialization of untrusted data)
23,476,966 total downloads in 2016
18,330,958 of those downloads (78%) were of vulnerable versions
https://wvusoldier.wordpress.com/2016/09/05/some-extra-details-on-hospital-ransomware-you-probably-didnt-know/
17. 5 Month Opportunity to Take Corrective Action / Large Scale Exploit
Timeline (March to September 2017), with phases labelled Probing, Hack and Crisis Management:
• March 7: Apache Struts releases updated version to thwart vulnerability CVE-2017-5638
• March 9: Equifax applications breached through Struts2 vulnerability
• July 29: Breach is discovered by Equifax.
• Sept 7: A new RCE vulnerability is announced and fixed: CVE-2017-9805
18. TIME TO RESPOND BEFORE EXPLOIT
Source: Adapted from IBM X-Force / Analysis by Gartner Research (September 2016)
[Chart: Average Days to Exploit (0 to 50) by Year of Date Reported, 2006 to 2015; the average is marked at 45 and at 15, with 2017 annotated.]
34. @mitunzavery
“A set of practices intended to reduce the time between committing a change to a system and the change being placed into normal production, while ensuring high quality”
35. When you climb the mountain every day, it’s easier.
@mitunzavery
37. Automation Requires Accuracy
Examine and match OSS components via file names and package manifests.
It’s prone to error. Filenames can (and have been known to) be renamed to match whitelists.
43. 6,000 components analyzed (~1,531 artifact discrepancies)
• 4,500 Non-Issues
• 1,034 True Positives (1 in 6 is a valid finding)
• 5,330 False Positives when CPE was part of the component name
• 2,969 False Negatives when CPE was not in the component name
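Slides 37 and 43 make the same point: identifying a component by its file name or by a CPE string embedded in the name is unreliable, because the name is under the uploader's control. The following is an added example, not code from the talk or from Sonatype; it uses constructed byte strings in place of real jar contents and a constructed catalogue, and contrasts a name-based allowlist with content-hash identification.

```python
import hashlib
import re
from typing import Optional

# Constructed artifact contents standing in for real jar bytes (not real files).
ARTIFACT_321 = b"constructed bytes: commons-collections 3.2.1"
ARTIFACT_322 = b"constructed bytes: commons-collections 3.2.2"

def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

# Catalogue keyed by content hash: (name, version, known issues). Constructed data;
# a real catalogue would hold hashes of artifacts as published to the public repository.
CATALOGUE = {
    sha256_hex(ARTIFACT_321): ("commons-collections", "3.2.1", ["CWE-502"]),
    sha256_hex(ARTIFACT_322): ("commons-collections", "3.2.2", []),
}

# Versions an organisation has approved (constructed allowlist).
APPROVED_VERSIONS = {("commons-collections", "3.2.2")}

NAME_RE = re.compile(r"^(?P<name>.+?)-(?P<version>\d[\w.]*)\.jar$")

def identify_by_name(filename: str) -> Optional[tuple]:
    """Name-based identification: whatever the file name claims to be."""
    m = NAME_RE.match(filename)
    return (m.group("name"), m.group("version")) if m else None

def name_based_allowed(filename: str) -> bool:
    """The weak check: trusts the file name against the allowlist."""
    return identify_by_name(filename) in APPROVED_VERSIONS

def identify_by_hash(data: bytes) -> Optional[tuple]:
    """Content-based identification: what the bytes actually are."""
    return CATALOGUE.get(sha256_hex(data))

def evaluate(filename: str, data: bytes) -> dict:
    """Compare both methods and decide on the artifact from its content."""
    claimed, actual = identify_by_name(filename), identify_by_hash(data)
    verdict = {"claimed": claimed, "actual": actual}
    if actual is None:
        verdict["decision"] = "review"  # unknown bytes: never fall back to the name
    elif actual[2]:
        verdict["decision"] = "block"   # known vulnerable content, whatever it is called
    elif (actual[0], actual[1]) in APPROVED_VERSIONS:
        verdict["decision"] = "allow"
    else:
        verdict["decision"] = "review"
    verdict["name_mismatch"] = actual is not None and claimed != (actual[0], actual[1])
    return verdict
```

A vulnerable 3.2.1 artifact renamed to `commons-collections-3.2.2.jar` passes `name_based_allowed` but is blocked by `evaluate`, which also reports the name mismatch for investigation.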
49. [Pipeline diagram; labels as they appear on the slide: Developers, Source Control, Build, CI, Repository, Deploy, CD, Dev, QA, UAT, Prod; Public Component Repositories feed the build through Policy Enforcement (“Block Bad Stuff”); a second Policy Enforcement point sits at the repository; Monitored for new issues; Early Feedback.]