DJ Schleen
Embracing DevSecOps
A Changing Security Landscape for the US Government
@djschleen
devsecops
not just for hipsters
reduce risk
culture
Photos courtesy of Pixabay and Pexels.
the three ways
AUTOMATE: Automate security toolsets by integrating them into your SDLC in an unobtrusive and transparent way.
DISSEMINATE: Collect information from your toolsets, aggregate it into actionable KPIs, and deliver it to the appropriate stakeholders.
INVESTIGATE: Establish baselines that define normal operating behavior and investigate abnormalities that appear.
EFFICIENCY
WHHHHHHYYYYY?
100:1 DEVELOPERS OUTNUMBER SECURITY
AGILE ISN’T AGILE ENOUGH
The faster a team can deploy to production, the quicker an organization can remediate critical vulnerabilities and zero days.
Agile: Cycle Time: Weeks - Months; 10 – 20 Releases
DevSecOps: Cycle Time: Minutes - Hours; Your imagination is the limit...
(Diagram: repeated Plan, Design, Build, Test, Deploy, Operate, Observation, Learn loops)
Increased Flow can reduce the risk of outdated software stagnating in production.
When change is normal and expected, fire-drills become a thing of the past.
TIMELINE OF AN ATTACK (Mar – Sept)
March 7: Apache Struts releases updated version to thwart vulnerability CVE-2017-5638.
March 10: Large Scale Exploit. Equifax applications breached through Struts2 vulnerability.
July 29: Breach is discovered by Equifax.
(Phases: Probe, Crisis Management)
EQUIFAX WAS NOT ALONE
3 Days in March
March 7: Apache Struts releases updated version to thwart vulnerability CVE-2017-5638.
March 8: NSA reveals Pentagon servers scanned by nation-states for vulnerable Struts instances. Struts exploit published to Exploit-DB.
March 9: Cisco observes "a high number of exploitation events."
March 10: Equifax, Canada Revenue Agency, Canada Statistics, GMO Payment Gateway
The Rest of the Story
March 13: Okinawa Power, Japan Post
April 13: India Post
December ’17: Monero Cryptomining
March ’18: India’s AADHAAR
Today: 8,780 continue to download vulnerable versions of Struts; 57% of the Fortune 100
AVERAGE DAYS BEFORE VULNERABILITY IS EXPLOITED
risk
85%-97% CODE YOUR DEVELOPERS DON’T BUILD
NIST SPECIAL PUBLICATION 800-161
SAY HELLO TO YOUR SOFTWARE SUPPLY CHAIN
NOT ALL PARTS ARE CREATED EQUAL
@devstefops
AUTOMATION ACCELERATES OSS DOWNLOADS
1,096 new projects per day
10,000 new versions per day
14x releases per year
• 3M npm components
• 2M Java components
• 900K NuGet components
• 870K PyPI components
DEFECT PERCENTAGES FOR JAVASCRIPT
85% to 97% of modern apps consist of assembled components.
80% to 90% of modern operations consist of assembled containers.
(Chart: Containers vs. Hand-built applications and infrastructure)
PULLS FROM DOCKER HUB
time
TIME TO REPAIR OSS COMPONENTS
122,802 components with known vulnerabilities
19,445 (15.8%) fixed the vulnerability
MeanTTR: 233 days
MedianTTR: 119 days
APACHE STRUTS2 MEAN TIME TO REPAIR
CVE ID: CVE-2017-5638
March 7: Apache fixed the vulnerability
MeanTTR: 0 days
7,500 ORGANIZATIONS ANALYZED
170,000 Java component downloads annually
3,500 unique
18,870 (11.1%) with known vulnerabilities
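An added example, not code from DJ Schleen's deck: a small Python pipeline gate that applies the three ways (automate, disseminate, investigate) to a component scan, using the deck's time-to-repair and known-vulnerable figures as an illustrative baseline. The scan rows, component names, versions, the EXAMPLE-0001 advisory and the 10% tolerance are constructed; only CVE-2017-5638 and its 7 March 2017 fix date come from the deck.

```python
"""Added example, not from DJ Schleen's deck: a pipeline gate built on the
deck's three ways. kpis() DISSEMINATES a component scan as numbers, investigate()
INVESTIGATES drift from a baseline, gate() is the AUTOMATED pipeline call."""
from dataclasses import dataclass
from datetime import date
from statistics import mean, median
from typing import Optional


@dataclass(frozen=True)
class Component:
    name: str
    version: str
    advisory: Optional[str]       # id of a known vulnerability, or None
    fix_released: Optional[date]  # date a fixed version became available


# Constructed scan. Only the Struts CVE and its fix date (7 March 2017) come
# from the deck; names, versions and the EXAMPLE-* advisory are placeholders.
SCAN_DATE = date(2017, 7, 29)  # the day the deck says Equifax found its breach
SCAN = [
    Component("org.apache.struts:struts2-core", "x.y.z", "CVE-2017-5638", date(2017, 3, 7)),
    Component("example:left-padder", "1.0.0", None, None),
    Component("example:cookie-lib", "3.2.1", "EXAMPLE-0001", date(2017, 5, 1)),
    Component("example:json-tools", "0.9.0", None, None),
    Component("example:http-client", "4.5.0", None, None),
]
# Constructed baseline: the deck's 11.1% known-vulnerable share and 119-day
# median TTR, used here only as illustrative "normal" values.
BASELINE = {"vulnerable_pct": 11.1, "median_days_fix_available": 119.0}


def kpis(components, as_of):
    """DISSEMINATE: aggregate a scan into the numbers stakeholders act on."""
    vulnerable = [c for c in components if c.advisory is not None]
    fixable = [c for c in vulnerable if c.fix_released is not None]
    days = [(as_of - c.fix_released).days for c in fixable]
    return {
        "components": len(components),
        "vulnerable": len(vulnerable),
        "vulnerable_pct": round(100.0 * len(vulnerable) / len(components), 1) if components else 0.0,
        "mean_days_fix_available": round(mean(days), 1) if days else 0.0,
        "median_days_fix_available": float(median(days)) if days else 0.0,
        # advisory whose available fix has been ignored the longest
        "longest_ignored": max(fixable, key=lambda c: as_of - c.fix_released).advisory if fixable else None,
    }


def investigate(current, baseline, tolerance=0.10):
    """INVESTIGATE: list every KPI more than `tolerance` above its baseline."""
    return [
        f"{key}: {current[key]} exceeds baseline {limit} by more than {tolerance:.0%}"
        for key, limit in baseline.items()
        if current.get(key, 0.0) > limit * (1 + tolerance)
    ]


def gate(components, as_of=SCAN_DATE, baseline=BASELINE):
    """AUTOMATE: the one call a pipeline step makes; (passed, kpis, findings)."""
    current = kpis(components, as_of)
    findings = investigate(current, baseline)
    return not findings, current, findings
```

On the constructed scan the gate fails because 40% of components carry a known vulnerability against an 11.1% baseline, while the 116.5-day median stays inside tolerance of the deck's 119-day figure.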
threats are real
A Shifting Battlefront of Attacks: Hackers Inject Malicious Code into Supply Chains
March 2016 - August 2018
1. left-pad: Popular npm packages were removed from the repository, breaking thousands of websites and revealing how changes can immediately propagate to the real world.
2. npm credentials used by publishers of 79,000 packages were published online or easily compromised by dictionary attacks.
3. npm typosquat: 40 intentionally malicious packages harvested credentials used to publish to the npm repository itself.
4. docker123321 images were created on Docker Hub. In Jan ’18, it was accused of poisoning a Kubernetes honeypot, then in May ’18 it was equated to a crypto mining botnet.
5. PyPI typosquat: The Slovak National Security Office (NBU) found 10 malicious PyPI packages. Evidence of the fake packages being downloaded and incorporated into software multiple times was noted between Jun ’17 and Sept ’17.
6. Malicious npm: Gilbertson writes a fictional tale of creating malicious npm packages to harvest credit card numbers from hundreds of websites.
7. npm credentials: A core contributor to the conventional-changelog ecosystem had their npm credentials compromised and a malicious version of the package was published. The package was installed 28,000 times in 35 hours and executed a Monero crypto miner.
8. go-bindata: after a developer deleted their GitHub account, someone immediately grabbed the ID — inheriting the karma instilled in that id, calling into question what packages and sources are canonical and immutable.
9. Backdoored npm: The npm security team responded to reports of a package that masqueraded as a cookie parsing library but contained a malicious backdoor. Published in March ’18 to introduce unauthorized publishing of mailparser; despite being deprecated, mailparser still received about 64,000 weekly downloads.
10. Backdoored PyPI: SSH Decorator (ssh-decorate), a library for handling SSH connections from Python code, was backdoored to enable stealing of private SSH credentials.
11. homebrew breach: Eric Holmes, an operations engineer at Remind, gained commit access to homebrew in under 30 minutes through an exposed GitHub API token. While he had no malicious intent, he gained access to components that are downloaded 500,000 times per month.
NPM AUDIT STATS
Source: Laurie Voss, npm and the future of JavaScript, 2018-10-10
BOUNCY CASTLE
9 years later, vulnerable versions of Bouncy Castle were downloaded…
CVE-2007-6721
CVSS Base Score: 10.0 HIGH
Exploitability Subscore: 10.0
(Chart, 2007 to 2016: 11M, 23M)
Photo courtesy of Pixabay
do not boil
REDUCE DOWNSTREAM DEFECTS
PROTECT YOUR SOFTWARE SUPPLY CHAIN
THE REWARDS ARE IMPRESSIVE
90% improvement in time to deploy
34,000 hours saved in 90 days
48% increase in application quality
Image by DJ Schleen
inevitable
