Secure Software Ecosystem Teqnation 2024

Soroosh Khodami, 75 views, 51 slides, May 22, 2024

About This Presentation

Secure Software Ecosystem Teqnation 2024


Slide Content

Secure Software Ecosystem
22 May - Soroosh Khodami & Ali Yazdani

NOT VERY LONG AGO

LOG4SHELL
CVE-2021-44228 - CVSS Score 10 / 10
CVE-2024-3094 - CVSS Score 10 / 10
CVE-2022-22965 - CVSS Score 9.8 / 10
CVE-2020-10148 - CVSS Score 9.8 / 10

We are living in an insecure world; everything is likely to get exploited. We could be the next target, are we ready?

30% of all downloads of Log4j are still vulnerable to the Log4Shell vulnerability, 2 years after release (reported by Sonatype, Maven Central).
Previous update: https://www.sonatype.com/en/press-releases/critical-log4j-vulnerability-still-being-downloaded-40-of-the-time

WHY WE ARE HERE
SECURITY ENGINEER / DEVIL / DEVELOPER

WHO WE ARE
DEVELOPER: Soroosh Khodami
+10 Years of Software Development Experience
Researcher in Software Supply Chain Security
Solution Architect at Rabobank via Code Nomads
@SorooshKh, linkedin.com/in/sorooshkhodami
SECURITY ENGINEER: Ali Yazdani
+10 Years of Security Experience
Principal Security Engineer @ Scoutbee
OWASP DevSecOps Guideline Project Lead
@asecengineer, linkedin.com/in/aliyazdani

CLASSIC CYBER ATTACKS
• SQL Injection
• Cross-Site Scripting (XSS)
• Cross-Site Request Forgery (CSRF)
• DDoS
• Man-in-the-Middle
• Remote Command Execution
• Malware Injection
• Buffer Overflow
• Privilege Escalation
• Zero-Day Exploits
• Server-Side Request Forgery (SSRF)
• Phishing
Read More
§ https://portswigger.net/web-security/learning-paths
§ https://www.certifiedsecure.com

Security Risk Transformation
Read More
https://owasp.org/www-project-top-ten/

Supply chain attack
Dependency Confusion
Software Supply Chain Hijacking
Counterfeit Components
Third-Party Compromise
Compromised Build Environments

Dependency Confusion
mycompany-ui-component, version 6.6.6
mycompany-ui-component, version 1.2.5 (Private Repository)
Source Code -> ? (which of the two does the build resolve?)
Read More
• How it started - https://medium.com/@alex.birsan/dependency-confusion-4a5d60fec610

HOW TO DOWNLOAD THE WHOLE INTERNET WITH ONE COMMAND?

$ npm install

Let’s create a HELLO WORLD APP

HELLO WORLD Dependency GRAPH
Depth = 0 -> 1 Dependency
Depth = 1 -> 32 Dependencies
Depth = 2 -> 65 Dependencies

Supply Chain Protection Best Practices
Priority tiers shown on the slide: MUST / GOOD / NICE
• Reserve Namespace / Scope / Prefix
• Version Pinning: No Latest or Range
• Package Integrity Check
• Using SCA Tools
• Using Dependency Firewall
• Official Repositories
• Keep Dependencies Up to Date
• Clean Up Unused Libraries
• Immutable Versions
Read More
• How it started - https://medium.com/@alex.birsan/dependency-confusion-4a5d60fec610
• https://xygeni.io/blog/lack-of-version-pinning-and-dependency-confusion/
• https://github.blog/2021-02-12-avoiding-npm-substitution-attacks/
• https://books.sonatype.com/mvnref-book/reference/running-sect-options.html#running-sect-deps-option
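The Dependency Confusion scenario above (a public package carrying the same bare name at a higher version) and the reserved-scope, version-pinning and integrity-check practices on this slide can be verified mechanically before `npm install` runs. The following Python is an added example, not code from the talk; the `@mycompany` scope, the `mycompany-` internal prefix and the manifest and lockfile contents are constructed assumptions.

```python
import json
import re

# Constructed sample manifest and lockfile (not from the talk) that exercise the
# three checks: reserved scope, version pinning, and lockfile integrity hashes.
PACKAGE_JSON = json.dumps({
    "name": "hello-world",
    "dependencies": {
        "mycompany-ui-component": "^6.6.6",  # bare internal name plus a range
        "@mycompany/ui-component": "1.2.5",  # scoped and pinned: compliant
        "left-pad": "latest",                # floating dist-tag
        "lodash": "4.17.21",                 # pinned, but see the lockfile
    },
})
PACKAGE_LOCK = json.dumps({
    "packages": {
        "node_modules/@mycompany/ui-component": {"version": "1.2.5",
                                                 "integrity": "sha512-<constructed>"},
        "node_modules/lodash": {"version": "4.17.21"},  # no integrity field
    },
})

# Only a plain x.y.z is accepted: ^, ~, *, ranges and dist-tags all fail this.
EXACT_VERSION = re.compile(r"^\d+\.\d+\.\d+$")


def audit_dependencies(package_json: str, package_lock: str, scope: str, internal_prefix: str):
    """Return (package, problem) pairs for every dependency that breaks one of the
    protection practices listed on the slide."""
    manifest = json.loads(package_json)
    lock = json.loads(package_lock).get("packages", {})
    findings = []
    for name, spec in manifest.get("dependencies", {}).items():
        # Reserve namespace / scope: an internal package outside the reserved scope
        # can be shadowed by a public package with the same bare name.
        if name.startswith(internal_prefix) and not name.startswith(scope + "/"):
            findings.append((name, "internal package not under reserved scope"))
        # Version pinning: no 'latest' and no range.
        if not EXACT_VERSION.match(spec):
            findings.append((name, f"unpinned version spec {spec!r}"))
        # Package integrity: the lockfile must resolve the package with a hash.
        entry = lock.get(f"node_modules/{name}")
        if entry is None:
            findings.append((name, "not resolved in lockfile"))
        elif "integrity" not in entry:
            findings.append((name, "lockfile entry has no integrity hash"))
    return findings
```

Run in CI with the real `package.json` and `package-lock.json` as inputs, a non-empty result fails the build before any package is fetched.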

When is security involved in software development?
The application development journey has already changed!

Traditional Approach
Design -> Develop -> Deploy Staging -> Production
Lucky security tester / Unlucky security tester

Detect Early, Pay Less!
Reference
https://www.nowsecure.com/blog/2017/05/10/level-up-mobile-app-security-metrics-to-measure-success/
https://www.packtpub.com/product/practical-cybersecurity-architecture/9781838989927

Modern Approach
Design -> Develop -> Deploy Staging -> Production
§ DAST
§ Load/Stress Test
§ 4-Eyes Principle
§ Secret Scanning
§ SAST/SCA
§ IaC Scanning
§ Container Image Scanning
§ Security Design
§ Threat Modelling
SHIFT LEFT
Phases can cover but can't replace each other.
• Continuous Dependency Monitoring
• Firewall
• Runtime Application Security
• Pentest / Bug Bounty
• Vulnerability Disclosure Program
• Logging & Monitoring
• Cloud Native Application Protection
Read more
• OWASP DevSecOps Guideline - https://github.com/OWASP/DevSecOpsGuideline

Still ...
Develop -> Deploy Staging -> Production
§ DAST
§ Container Image Scanning
§ Load/Stress Test
§ Secret Scanning
§ SAST/SCA Scanning
• Continuous Dependency Monitoring
• Firewall
• Runtime Application Security
• Pentest / Bug Bounty
• Vulnerability Disclosure Program
• Logging & Monitoring
• Cloud Native Application Protection
https://www.youtube.com/watch?v=gdsUKphmB3Y
Read more
• OWASP DevSecOps Guideline - https://github.com/OWASP/DevSecOpsGuideline

Continuous
Dependency Monitoring
In Production

Continuous Dependency Monitoring
Generating list of
Dependencies (SBOM)
Continuous Monitoring
After Deploying to Production

Software Bill of Material (SBOM)
• Dependencies
• Components / Libraries
• Licenses
• Vulnerabilities
• Suppliers
• App Meta-Data: App Identifier, Authors

Which Application?
Who to contact?
How to Fix?
How to detect?
LOG4SHELL
CVE-2021-44228
CVSS Score 10 / 10

SBOM Management
SBOM In Practice
SBOM + App (one SBOM per application)
Continuous Monitoring
ZERO DAY ALERT!
• Search Apps Based On Dependency or CVE -> Which Applications?
• Authors/Committers Information is Available -> Who to Contact?
• Continuous Monitoring on New SBOMs -> Are we safe now? (Realtime overview)
• Application Metadata -> Prioritization on Fix
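The "SBOM in practice" flow above, as an added example that is not code from the talk: every application ships a CycloneDX-style SBOM, and when a zero-day alert arrives the SBOM store is searched by component to answer "which applications?" and "who to contact?". The application names, authors and component versions are constructed; the cut-off version comes from the alert being handled (here the Log4Shell advisory's fix in 2.15.0), and version ordering is simplified.

```python
import json

# Constructed CycloneDX-style SBOMs, one per application (sample data, not from
# the talk). Only the fields this search needs are present.
SBOMS = [json.dumps(b) for b in [
    {"metadata": {"component": {"name": "payments-api"},
                  "authors": [{"name": "Team Payments", "email": "payments@example.com"}]},
     "components": [
         {"group": "org.apache.logging.log4j", "name": "log4j-core", "version": "2.14.1"},
         {"group": "com.fasterxml.jackson.core", "name": "jackson-databind", "version": "2.15.2"}]},
    {"metadata": {"component": {"name": "inventory-service"},
                  "authors": [{"name": "Team Inventory", "email": "inventory@example.com"}]},
     "components": [
         {"group": "org.apache.logging.log4j", "name": "log4j-core", "version": "2.17.1"}]},
    {"metadata": {"component": {"name": "legacy-portal"}},  # no authors recorded
     "components": [
         {"group": "org.apache.logging.log4j", "name": "log4j-core", "version": "2.0-beta9"}]},
]]


def parse_version(version: str) -> tuple:
    """Simplified ordering: leading numeric dotted parts only, not full Maven/semver rules."""
    parts = []
    for piece in version.split("."):
        num = piece.split("-")[0]   # "0-beta9" -> "0"
        if not num.isdigit():
            break
        parts.append(int(num))
    return tuple(parts)


def find_affected_apps(sboms, group, name, fixed_in):
    """Return {app_name: (vulnerable_version, contact_emails)} for every SBOM that
    lists group:name below fixed_in: the slide's 'which applications?' and
    'who to contact?' answers. An empty contact list means the SBOM lacks author metadata."""
    hits = {}
    for raw in sboms:
        bom = json.loads(raw)
        meta = bom.get("metadata", {})
        app = meta.get("component", {}).get("name", "<unnamed application>")
        contacts = [a["email"] for a in meta.get("authors", []) if a.get("email")]
        for comp in bom.get("components", []):
            if (comp.get("group") == group and comp.get("name") == name
                    and parse_version(comp.get("version", "0")) < parse_version(fixed_in)):
                hits[app] = (comp["version"], contacts)
    return hits


if __name__ == "__main__":
    for app, (ver, who) in find_affected_apps(
            SBOMS, "org.apache.logging.log4j", "log4j-core", "2.15.0").items():
        print(f"{app}: log4j-core {ver}; contact {who or ['no author metadata in SBOM']}")
```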

How to Generate SBOM

SBOM Generation
• Artifact
• Container Image
• Source Code
• Runtime Env

SBOM Journey In CI/CD - Generate Software Bill of Material

SBOM Generation - Generic
Read more
•OWASP DevSecOps Guideline https://github.com/OWASP/DevSecOpsGuideline

SBOM Generation - Java Ecosystem
Version +3.3
Read more
•OWASP DevSecOps Guideline https://github.com/OWASP/DevSecOpsGuideline
•Securing the Supply Chain for Your Java Applications by THOMAS VITALE - https://www.youtube.com/watch?v=VM7lJ0f_xhQ

SBOM Generation - Docker
Read more
•OWASP DevSecOps Guideline - https://github.com/OWASP/DevSecOpsGuideline
•Securing the Supply Chain for Your Java Applications by THOMAS VITALE - https://www.youtube.com/watch?v=VM7lJ0f_xhQ
•https://earthly.dev/blog/docker-sbom/

Software Composition Analysis
(SCA)

SBOM Journey In CI/CD - Software Composition Analysis (SCA)

Software Composition Analysis (SCA)

Software Composition Analysis (SCA)
Commercial / Free/Open-Source
Read more
•OWASP DevSecOps Guideline - https://github.com/OWASP/DevSecOpsGuideline

SBOM Journey In CI/CD - SBOM Management & Continuous Monitoring

SBOM Management

SBOM Management
Commercial Tools
Free / Open-Source
OWASP Dependency Track
Read more
•OWASP DevSecOps Guideline https://github.com/OWASP/DevSecOpsGuideline

Am I Prepared Now?
Firewall / Continuous Monitoring / Logging & Monitoring

Dev Sec Ops

The team story

The team story
DevSecOps destroys silos to achieve the goal of delivering secure and stable software quickly.

Regulations Insights

Regulations
Read more
• NTIA - https://www.ntia.gov/page/software-bill-materials
• NIST - https://www.nist.gov/itl/executive-order-14028-improving-nations-cybersecurity/software-security-supply-chains-software-1+
• EU Cyber Resilience Act (CRA)
§ Executive Order 14028 on Improving the Nation’s Cybersecurity
§ DHS Software Supply Chain Risk Management Act
§ FDA Medical Device Cybersecurity Requirements
§ NIST SP 800-218
• DORA – EU Cyber Resilience Operation (Financial Sector)
• GERMANY – TR-03183: SBOM Requirements for CRA

Regulations - CRA Timeline
NOW (2024 – Q2) -> Enter Into Force -> Deadline (2026 Q1)
Read more
•https://medium.com/@bugprove/eu-cyber-resilience-act-cra-all-you-need-to-know-in-a-nutshell-b843d149e18a

Regulations - DORA Timeline
NOW -> Enter Into Force -> Deadline (2025 - Q1)
Read more
•https://www.eiopa.europa.eu/digital-operational-resilience-act-dora_en
•https://www.eiopa.europa.eu/document/download/2888a8e8-4a20-4e27-ad51-7ad4e5b511f7_en

Standards
• ISO/IEC 27036: Cybersecurity — Supplier relationships
Frameworks
• SLSA: Supply-chain Levels for Software Artifacts
SBOM Format Standards
• Software Package Data Exchange (SPDX)
• CycloneDX (CDX)
Read more
• https://www.iso.org/standard/82905.html
• https://cyclonedx.org
• https://spdx.dev/
• https://slsa.dev/

Thanks for your attention
Please Rate This Talk in NLJUG App
If you have any other questions, you can reach out to us via Social Media
@SorooshKh, linkedin.com/in/sorooshkhodami
@asecengineer, linkedin.com/in/aliyazdani