As part of this change, all contractors and government software developers will need to think critically and not only ask themselves “does the code have vulnerabilities,” but “could it have vulnerabilities,” and “how do we know either way?”
Learn how, with the right tools and security embedded across the entire development process, you can stay ahead of adversaries, keep the software supply chain secure, and leave mindshare free for other critical national security issues.
7. EFFICIENCY

AUTOMATE: Automate security toolsets by integrating them into your SDLC in an unobtrusive and transparent way.

DISSEMINATE: Collect information from your toolsets, aggregate it into actionable KPIs, and deliver it to the appropriate stakeholders.

INVESTIGATE: Establish baselines that define normal operating behavior and investigate abnormalities that appear.

@djschleen
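The three practices on this slide, worked as an added example that is not part of the deck: a small Python script, assumed to run as one CI step after `npm audit --json`, that flattens the audit summary into a KPI row (automate), renders it for the build log (disseminate), gates the build on a hypothetical severity policy, and flags runs that drift above a constructed baseline (investigate). The policy thresholds, baseline figures and the two sample audit documents are constructed for illustration; only the `metadata.vulnerabilities` shape is taken from the real tool's output.

```python
"""Aggregate `npm audit --json` output into KPIs, gate a CI build on a severity
policy, and flag drift from a baseline (added example; not from the deck)."""
import json
import sys
from typing import Dict

SEVERITIES = ("info", "low", "moderate", "high", "critical")

# Constructed sample in the shape of the `metadata.vulnerabilities` summary that
# `npm audit --json` prints; hand-written for this example, not real tool output.
SAMPLE_AUDIT_BEFORE = json.dumps({"metadata": {
    "vulnerabilities": {"info": 0, "low": 3, "moderate": 2, "high": 1, "critical": 0},
    "dependencies": 412}})
# Constructed second run, as if the high finding had been remediated.
SAMPLE_AUDIT_AFTER = json.dumps({"metadata": {
    "vulnerabilities": {"info": 0, "low": 1, "moderate": 0, "high": 0, "critical": 0},
    "dependencies": 409}})

# Hypothetical policy: low/moderate findings may ship, high/critical may not.
POLICY = {"high": 0, "critical": 0}
# Hypothetical baseline established from earlier "normal" runs.
BASELINE = {"total": 2, "tolerance": 2}


def summarize(audit_json: str) -> Dict[str, int]:
    """Flatten the audit output into one KPI row; missing buckets count as 0 so a
    clean run still yields a complete row for the dashboard."""
    meta = json.loads(audit_json).get("metadata", {})
    buckets = meta.get("vulnerabilities", {})
    row = {sev: int(buckets.get(sev, 0)) for sev in SEVERITIES}
    row["total"] = sum(row[sev] for sev in SEVERITIES)
    row["dependencies"] = int(meta.get("dependencies", 0))
    return row


def gate(row: Dict[str, int], policy: Dict[str, int] = POLICY) -> bool:
    """Return True when every policed severity bucket is within its limit."""
    return all(row.get(sev, 0) <= limit for sev, limit in policy.items())


def trend(before: Dict[str, int], after: Dict[str, int]) -> Dict[str, int]:
    """Per-bucket delta between two runs; negative numbers mean fewer findings."""
    return {k: after[k] - before[k] for k in SEVERITIES + ("total",)}


def deviates_from_baseline(row: Dict[str, int], baseline: Dict[str, int] = BASELINE) -> bool:
    """Flag a run whose total exceeds the baseline by more than the tolerance: the
    kind of abnormality a team should investigate rather than silently accept."""
    return row["total"] > baseline["total"] + baseline["tolerance"]


def kpi_report(row: Dict[str, int], policy: Dict[str, int] = POLICY) -> str:
    """Render the row as the short text a stakeholder would see in a build log."""
    lines = [f"{sev:>9}: {row[sev]}" for sev in SEVERITIES]
    lines.append(f"    total: {row['total']} across {row['dependencies']} dependencies")
    lines.append("     gate: " + ("PASS" if gate(row, policy) else "FAIL"))
    return "\n".join(lines)


def main() -> int:
    # In CI this would be: npm audit --json | python audit_kpi.py
    raw = sys.stdin.read() if not sys.stdin.isatty() else ""
    if not raw.strip():
        raw = SAMPLE_AUDIT_BEFORE  # fall back to the constructed sample
    row = summarize(raw)
    print(kpi_report(row))
    if deviates_from_baseline(row):
        print("investigate: finding count is above the established baseline")
    return 0 if gate(row) else 1


if __name__ == "__main__":
    sys.exit(main())
```

The exit code is what makes the tool unobtrusive: developers see nothing unless the policy fails, while the rendered row can be shipped to whatever dashboard the stakeholders already read. The baseline check is deliberately separate from the gate, so a sudden jump in low-severity findings is surfaced for investigation without blocking a release the policy permits.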
10. AGILE ISN'T AGILE ENOUGH

The faster a team can deploy to production, the quicker an organization can remediate critical vulnerabilities and zero days.

[Diagram: two delivery pipelines compared, each cycling repeatedly through Plan, Design, Build, Test, Deploy, Operate and Learn.]
Agile: cycle time weeks to months; 10 – 20 releases.
DevSecOps: cycle time minutes to hours; your imagination is the limit...

Observation: Increased flow can reduce the risk of outdated software stagnating in production. When change is normal and expected, fire-drills become a thing of the past.
11. TIMELINE OF AN ATTACK

Large Scale Exploit (timeline runs March through September)
- March 7: Apache Struts releases an updated version to thwart vulnerability CVE-2017-5638.
- March 10: Equifax applications breached through the Struts2 vulnerability. [Probe]
- July 29: Breach is discovered by Equifax. [Crisis Management]
13. EQUIFAX WAS NOT ALONE

3 Days in March:
- March 7: Apache Struts releases an updated version to thwart vulnerability CVE-2017-5638.
- March 8: NSA reveals Pentagon servers scanned by nation-states for vulnerable Struts instances.
- Struts exploit published to Exploit-DB.
- March 9: Cisco observes "a high number of exploitation events."
- March 10: Equifax, Canada Revenue Agency, Canada Statistics, GMO Payment Gateway.

The Rest of the Story:
- March 13: Okinawa Power, Japan Post.
- April 13: India Post.
- December '17: Monero cryptomining.
- March '18: India's AADHAAR.
- Today: 8,780 continue to download vulnerable versions of Struts; 57% of the Fortune 100.
22. 1,096 new projects per day
10,000 new versions per day
14x releases per year
• 3M npm components
• 2M Java components
• 900K NuGet components
• 870K PyPI components
34. A Shifting Battlefront of Attacks: Hackers Inject Malicious Code into Supply Chains
March 2016 - August 2018 (timeline marks: Mar 2016, July 2017, Sep 2017, Jan 2018, Feb 2018, May 2018, Aug 2018)

(1) left-pad: Popular npm packages were removed from the repository, breaking thousands of websites and revealing how changes can immediately propagate to the real world.
(2) npm credentials used by publishers of 79,000 packages were published online or easily compromised by dictionary attacks.
(3) npm typosquat: 40 intentionally malicious packages harvested credentials used to publish to the npm repository itself.
(4) docker123321 images were created on Docker Hub. In Jan '18, it was accused of poisoning a Kubernetes honeypot, then in May '18 it was equated to a crypto mining botnet.
(5) PyPI typosquat: The Slovak National Security Office (NBU) found 10 malicious PyPI packages. Evidence of the fake packages being downloaded and incorporated into software multiple times was noted between Jun '17 and Sept '17.
(6) Malicious npm: Gilbertson writes a fictional tale of creating a malicious npm package to harvest credit card numbers from hundreds of websites.
(7) npm credentials: A core contributor to the conventional-changelog ecosystem had their npm credentials compromised and a malicious version of the package was published. The package was installed 28,000 times in 35 hours and executed a Monero crypto miner.
(8) go-bindata: after a developer deleted their GitHub account, someone immediately grabbed the ID, inheriting the karma instilled in that ID and calling into question what packages and sources are canonical and immutable.
(9) Backdoored npm: The npm security team responded to reports of a package that masqueraded as a cookie parsing library but contained a malicious backdoor. Published in March '18 to introduce unauthorized publishing of mailparser; despite being deprecated, mailparser still received about 64,000 weekly downloads.
(10) Backdoored PyPI: SSH Decorator (ssh-decorate), a library for handling SSH connections from Python code, was backdoored to enable stealing of private SSH credentials.
(11) homebrew breach: Eric Holmes, an operations engineer at Remind, gained commit access to homebrew in under 30 minutes through an exposed GitHub API token. While he had no malicious intent, he gained access to components that are downloaded 500,000 times per month.
35. NPM AUDIT STATS
Source: Laurie Voss, npm and the future of JavaScript, 2018-10-10
36. BOUNCY CASTLE

9 years later, vulnerable versions of Bouncy Castle were downloaded…
CVE-2007-6721: CVSS Base Score 10.0 HIGH; Exploitability Subscore 10.0
[Chart: downloads of vulnerable Bouncy Castle versions, 2007 versus 2016; values shown: 11M and 23M.]