A new hope for 2023? What developers must learn next
Download as PPTX, PDF0 likes30 views
Cybercrime has rapidly escalated, costing approximately $6 trillion in 2022, with modern attacks leveraging sophisticated tactics including supply chain infiltration and cyber warfare. Developers are encouraged to anticipate significant increases in software vulnerabilities and adjust their practices, including using evidence-based trust when selecting open source software. Legislative changes and calls for improved security measures highlight the future necessity for developers to become proficient in application security practices.
A new hope for 2023? What developers must learn next
- 1. @spoole167 A new hope for 2023? What developers must learn next
- 2. @spoole167 what do we think when we think about cybercrime?”
- 3. @spoole167 Photo by Bastian Pudill on Unsplash Do we imagine someone walking down the road trying the handles of cars as they pass Looking for a car to steal
- 4. @spoole167 Do we remember that movie we watched about a daring and sophisticated robbery ?
- 5. @spoole167 these are the two styles we often think about. The super complicated attack or the simple opportunist
- 6. @spoole167 Wrongly we think we’re not targets we think the bad guys are far away
- 7. @spoole167 The most common thoughts as a developer are ”why is it my problem?” or “I don’t really know what to do”
- 8. @spoole167 this talk • Is a reality check about what the bad guys are really doing and why • What’s happening to help address these attacks • What should you be doing next
- 10. @spoole167 Latest trends in Cyber attacks
- 11. @spoole167 Cyberattacks have moved on It’s not all hackers in bedrooms doing it for fun
- 12. @spoole167 in 2016 Cybercrime cost ~415 Billion Dollars So did the illicit drug trade
- 13. @spoole167 Buys you US Nimitz Class carriers 415 Billion Dollars in 2016
- 14. @spoole167 Buys you US Nimitz Class carriers 415 Billion Dollars in 2016 50
- 15. @spoole167 Cybercrime has been growing at ~56% per year ever since drug trade cybercrime
- 16. @spoole167 Buys you US Nimitz Class carriers 415 Billion Dollars in 2016 50
- 17. @spoole167 Buys you US Nimitz Class carriers 6 Trillion Dollars in 2022 50 620
- 18. @spoole167 United States: $20.89 trillion China: $14.72 trillion Cyber Crime : $6.0 trillion Japan: $5.06 trillion Germany: $3.85 trillion United Kingdom: $2.67 trillion India: $2.66 trillion France: $2.63 trillion Italy: $1.89 trillion Canada: $1.64 trillion https://globalpeoservices.com/top-15-countries-by-gdp-in-2022/ if Cybercrime was a country (by gdp)
- 19. @spoole167 There is no sign of it slowing down drug trade cybercrime US gdp
- 20. @spoole167 It’s even more scary …
- 21. @spoole167 There are still.. • There are still botnets out there trying to get into your systems • There are still bad guys who want to steal your secrets • There are still people who will ransom your data • There are still cryptocurrency miners trying to steal your CPU cycles
- 22. @spoole167 Plus .. • There are still botnets out there trying to get into your systems • There are still bad guys who want to steal your secrets • There are still people who will ransom your data • There are still cryptocurrency miners trying to steal your CPU cycles • Now there are open source project hijacks • Now there are fake packages in repos • Now there is malware in the build process • Now the aim is long term control and stealth
- 23. @spoole167 Now there is cyber-warfare • Motivations are different - it’s not about money • Skillsets are higher - professional, well funded. • Perseverance is much greater - specific targets, not just targets of opportunity
- 24. @spoole167 Now there is cyber-warfare • Motivations are different - it’s not about money • Skillsets are higher - professional, well funded. • Persistence is much greater - specific targets, not just targets of opportunity • EVERYONE – Every state or political body, every disenfranchised or suppressed group is or will be taking part.
- 25. @spoole167 Now there is cyber-warfare • It’s been happening behind the scenes for some time. • Now it’s mainstream. You personally Your personal networks The organizations you work for, belong to or help Your country Potential Targets
- 26. @spoole167 Modern attacks are supply chain attacks – and we are all part of a supply chain
- 27. @spoole167 The aim is to infiltrate infrastructure and essential services… The internet is the next battlefield. It’s all about software
- 28. @spoole167 And manipulate or terminate
- 29. @spoole167 Everything really is online There is no distance between you and the bad actors they ‘live’ next door
- 30. @spoole167 Cyber warfare is real and will drive massive changes in how we develop and deliver software
- 31. @spoole167 The only thing between you and the bad actors is software
- 32. @spoole167 be ready for massive increases in attacks on software everywhere s/w in the car s/w on the phone s/w on the watch s/w on any device s/w on the laptop s/w on server s/w on the wifi router s/w at the supermarket
- 33. @spoole167 Bad Actors used to search for vulnerabilities to exploit
- 34. @spoole167 Now they make their own Typosquatting A lookalike domain, dependency with one or two wrong or different characters Open source repo attacks Attempts to get malware or weaknesses added into dependency source via social or tools Build Tool attacks Attempts to get malware into the tools that are used to produce dependencies Dependency confusion Attempts to get a Different version added into a binary repository Often “latest” Automated Social engineering
- 35. The Zero Day Window is Closing Source: Adapted from IBM X-Force / Analysis by Gartner Research (September 2016) Year of Date Reported 2006 2007 2008 2009 2010 201 1 2012 2013 2104 2015 1 0 20 30 40 50 0 Average Days from Public Disclosure to Exploit Average 45 15 201 7 2019 2021 Struts2
- 36. The Zero Day Window is closed Source: Adapted from IBM X-Force / Analysis by Gartner Research (September 2016) Year of Date Reported 2006 2007 2008 2009 2010 201 1 2012 2013 2104 2015 1 0 20 30 40 50 0 Average Days from Public Disclosure to Exploit Average 45 15 201 7 2019 2021 Struts2 Nation states are paying millions of dollars to suppress vulnerability reporting
- 37. The Zero Day Window is closed Source: Adapted from IBM X-Force / Analysis by Gartner Research (September 2016) Year of Date Reported 2006 2007 2008 2009 2010 201 1 2012 2013 2104 2015 1 0 20 30 40 50 0 Average Days from Public Disclosure to Exploit Average 45 15 201 7 2019 2021 Struts2 China requires all disclosures to be reported to the government first
- 38. The Zero Day Window is closed Source: Adapted from IBM X-Force / Analysis by Gartner Research (September 2016) Year of Date Reported 2006 2007 2008 2009 2010 201 1 2012 2013 2104 2015 1 0 20 30 40 50 0 Average Days from Public Disclosure to Exploit Average 45 15 201 7 2019 2021 Struts2 The more severe the vulnerability, the less chance of it being reported publically
- 39. @spoole167 Finding or creating vulnerabilities is a growing industry
- 40. @spoole167 The new world of cyber security is “exploit first”
- 41. @spoole167 And one more thing …
- 43. What are we doing about all of this?
- 44. @spoole167 17 May 2021 – US Government takes a stand Joe Biden
- 45. @spoole167 The Executive Order Recognizes the need to form a united front against “malicious cyber actors” Outlines a direction for closer working between all parts of the software industry Adds new requirements on software vendors selling to the US government Will change how we produce and consume software.
- 46. @spoole167 Hardening the software supply chain : every ‘product’ has a SBOM uses an automatic supply chain process has evidence of software integrity has evidence of an automatic vulnerability check process Has a vulnerability disclosure program Has evidence on the providence of all software used Demonstrates strong controls over the use of internal and third- party software and services Demonstrate regular audit processes
- 47. @spoole167 Technical responses 1 Securing the supply chain – provable evidence trails 2 Improved understanding of vulnerable projects 3 Automating the supply chain - code to cloud (no humans involved) 4 Education for developers
- 49. Log4Shell may be the worst ever vulnerability https://apple.news/AnKnv0_EdR3K2b-t6Z67-qw
- 50. A canonical example of whats going wrong
- 51. False confidence in our tools or not caring? Finding out if you are vulnerable using scanning tools can be challenging It’s all ‘after the fact’ requires great tools and great data Not everyone has equal access
- 52. @spoole167 On the horizon Switch from scanning tools that try to work out what you have installed To signed, provable, reproduceable “Software Bill of Materials” Centralised signatures Centralised analysis tools
- 53. @spoole167 Software Bill Of Materials cyclonedx.org spdx.dev the new important term on the horizon mvn org.cyclonedx:cyclonedx-maven-plugin:makeAggregateBom
- 56. @spoole167 Tackling the next level 90% of an application is open source components
- 57. @spoole167 Tackling the next level Linux Foundation and other groups working to develop guidelines for measuring good practices and ongoing behavior
- 58. @spoole167
- 59. @spoole167 The Open Source Software Security Mobilization Plan https://openssf.org/oss-security-mobilization-plan/ security education risk assessment digital signatures memory safety incident response better scanning code audits data sharing SBOMs everywhere Supply chains
- 60. @spoole167 What can you do right now?
- 61. @spoole167 The best tools right now are these
- 62. @spoole167 The best tools right now are these
- 63. @spoole167 Look at how you choose open source software • What do you do if a open-source component you rely on doesn’t comply? • How much risk are you willing to take? • Even if they say yes - how much can you trust them? • Do they have an SBOM? • What’s their ability to provide updates. • What’s their security posture. Not just is it free, does it do what I want?
- 64. things to check for unexpected release frequency number and activity patterns of committers Do they do Static Analysis and Security Testing (SAST) Are they prone to making breaking changes Do they often have no path forward (latest version has vulnerabilities)
- 65. things to check for License / security.md file Vulnerability reporting process Development process (how do they review contributions) Build process – is it secure? Who can trigger it? General assessment of their quality (MTTU)
- 66. @spoole167 Exercise your suspicious brain, find code smells and LOOK closely at the projects you’re using Build your own selection criteria or use ours
- 67. @spoole167 What else should you do?
- 69. @spoole167 Code defensively follow secure design principles • Minimize attack surface area • Establish secure defaults • Principle of Least privilege • Principle of Defense in depth • Fail securely • Don’t trust services • Separation of duties • Avoid security by obscurity • Keep security simple • Fix security issues correctly https://www.owasp.org/index.php/Security_by_Design_Principles#Security _principles
- 71. @spoole167 Keep a watch on available education
- 72. @spoole167 Summary • Cyber attacks are being industrialized, weaponized and hidden. • “exploit first” means Day Zero moving to Day – 1 , -20. - Never • Government legislation aim to force suppliers to “fix” the problem • How we create and deliver software will change • How we select / consume open source software will change • Developers must become experts at AppSec
- 73. @spoole167 Takeaways • The days of just taking software off the shelf are numbered • developers must choose software based on production value not just function • Evidence based trust will become essential • the software you use, how you develop, how you deploy will become a certified step in someone else's evidence chain. • A complex and challenging new world lies ahead. • GDPR changed how we thought and deal with user information – supply chains are going to get the same sort of scrutiny. • It’s time to reassess tools and vendors • Look for partners you can trust to build supply chains you and the world can rely on