Join us virtually for our upcoming meetup to learn:
- Why adopt a fresh approach and redefine how you view critical risks within your software supply chain?
- How can we resolve the paradox of protecting an ever-expanding attack surface against dynamic threat actors, especially in the world of generative code AI and under budget constraints?
4. What are we going to talk about today
Overview of CISO daily challenges
Information Security Risk Landscape in 2024
Information Security Strategic Business Impacts
CISO Daily Challenges in Practice
Q&A Session
5. Information Security Risk Landscape in 2024
Current Threats on the Rise: Ransomware, phishing, software supply chain attacks
Emerging Technologies: AI-powered automated vulnerability discovery, sophisticated "deepfake" phishing, IoT vulnerabilities
Regulatory Changes: Always ever-changing, but even more so with emerging technologies and evolving global data privacy laws
6. A Day in the Life of a CISO
CISO Mind Map: An Overview of The Responsibilities and Ever Expanding Role of The CISO
The CISO job spans: Business Enablement; Project Delivery Lifecycle; Security Architecture; Compliance and Audits; Legal & Human Resources; Budget; Selling InfoSec (Internal); Security Operations; Identity Management; Risk Management; Governance; Merger/Acquisition; Cloud Computing; Mobile Technology; Threat Prevention; Threat Detection; Incident Management; Process
7. CISO Daily Challenges in Practice
Our Goal: To continually reduce risk to the appetite level of our organization
The Challenge: Battling all responsibility fronts when you only have two hands!
8. CISO Daily Challenges in Practice
The Strategy:
Prioritize, Prioritize, Prioritize. Continually!
The Tactics:
Utilizing every resource and tool out there to do that
9. CISO Daily Challenges in Practice
The Prioritizing CISO Mindset: The Methodology
Keeping all of our stakeholders content (business, engineering, compliance, and many more)
Maximizing "Risk ROI":
- In terms of number of issues fixed per effort
- In terms of business impact / application impact over resources used
10. Information Security Strategic Business Impacts
Equifax, 2017: 147 million Americans. Massive data breach exposing the personal information of 147 million Americans, severely damaging brand reputation and trust.
Marriott International, 2018: 500 million guests. Estimated damages exceeding $10 billion, targeting critical infrastructure and causing widespread data loss and system disruptions.
Yahoo, 2014: 3 billion accounts. Massive data breach compromising 3 billion accounts, eroding user trust and leading to a steep decline in market value.
Target, 2013: 40 million credit cards. Data breach of 40 million credit and debit cards, triggering investigations and damaging customer confidence.
Reputation Loss: "It takes 20 years to build a reputation and few minutes of cyber-incident to ruin it." - Stephane Nappo, Global Head of Information Security for Société Générale International Banking.
11. Stay Resilient! Perseverance is Protection
The ever-shifting domain of information security demands both vigilance and strategic action
Security is not a one-time endeavor, but an ongoing journey
By consistently prioritizing proactive defense, we can make software development that is trustworthy, resilient, and protected
13. Who Am I? - Yoad Fekete
• A DevOps enthusiast turned avid DevSecOps supporter.
• Formerly at Prime Minister's Office Elite Unit, Samsung Next, Microsoft.
• Founded next-gen SCA company Myrror Security.
• Cat Lover (Yes, Dogs as well).
• Musician, when life allows.
• Weird last name (which means "Black" in Hungarian).
(Logo strip: Formerly At / Founded / Raised From)
14. What are we going to talk about today
• Managing Software Supply Chain Risk
  - Dependency Vulnerability Risk & Prioritization
  - Attack Risk & Detection
• The XZ malware - How we can detect that - DEMO
• Q&A Session
15. Supply Chain as an Attack Surface
"Open source libraries are the foundation for literally every application in every industry." (Source: The Open Source Security & Risk Analysis (OSSRA) Report)
The challenge: Rising above the noise and yet zeroing in on the critical
The supply chain serves as a significant attack surface in the development & deployment phases
Increased OSS Usage (>90% of companies use OSS, 80% of the code is Open Source)
(SDLC phases diagram: Analysis, Design, Development, Testing, Deployment, Maintenance)
16. Vulnerabilities / Attacks
Two main risk vectors we must consider to secure our SSC:
A vulnerability:
• A non-deliberate mistake (aside from very specific sophisticated attacks)
• Identified by a CVE
• Recorded in public databases
• Defense possible before exploitation
• Includes both regular vulns and zero-day ones
Example: Log4Shell is a vulnerability
A supply chain attack:
• A deliberate malicious activity
• Lacks specific CVE identification
• Untracked by standard SCAs and public DBs
• Typically already attempted to be exploited
Example: SolarWinds is a supply chain attack
17. Implementing CTEM for our Software Supply Chain
5 steps in the Cycle of Continuous Threat Exposure Management:
1. Scoping - our software assets
2. Discovering - vulnerabilities and attacks
3. Prioritization - risks
4. Remediation - compose a robust remediation plan
5. Validation - monitor your code base constantly to validate your reachability, exploitability, impact, fix availability
"By 2026, organizations that prioritize their security investments based on a continuous exposure management program will be 3x less likely to suffer a breach."
18. Vulnerabilities and Beyond - Scoping & Discovery
19. How Scoping & Discovery is Being Done Today - SCA
Challenges: Navigating False Positives, Alert Fatigue, and Code Attack Blindness
Analyzing Assets - Scanning SBOM / manifest files: a complete picture of direct & indirect dependency vulnerabilities is generated, but completeness is not always great
(Dependency tree diagram: Application -> Direct Dependency -> Transitive Dependencies)
20. Alert Fatigue
Definition: Vulnerability Alert Fatigue is when application security professionals become desensitized to SCA vulnerability alerts, and are not sure which vulnerability to address first.
Flow: SCA Platforms generate alerts for vulnerabilities -> There are a lot of dependencies, and thus a lot of vulnerabilities -> Alert fatigue follows
Graphic: an exhaustive list of alerts (Security Alerts dashboard; columns Time | Description | Level | Rule ID):
Mar 31, 2021 @ 17:32:39.401 | SCA summary: CIS Apple macOS Benchmark applied to macOS 11.x: Score less than 80% (56) | 5 | 19003
Mar 31, 2021 @ 17:03:34.911 | SCA summary: CIS Apple macOS Benchmark applied to macOS 11.x: Score less than 80% (55) | 5 | 19003
Mar 30, 2021 @ 17:02:44.667 | SCA summary: CIS Apple macOS Benchmark applied to macOS 11.x: Score less than 80% (56) | 5 | 19003
Mar 30, 2021 @ 16:33:56.221 | SCA summary: CIS Apple macOS Benchmark applied to macOS 11.x: Score less than 80% (55) | 5 | 19003
Mar 30, 2021 @ 08:52:39.351 | SCA summary: CIS Apple macOS Benchmark applied to macOS 11.x: Score less than 80% (56) | 5 | 19003
21. Code Attacks
742% YoY Increase In Attacks
61% of all U.S. businesses were directly impacted by SSC attacks between April '22 and April '23 (Gartner research)
Definition: Attacks that allow the adversary to utilize implants or other vulnerabilities inserted prior to installation in order to infiltrate data, or manipulate information technology hardware, software, operating systems, peripherals (information technology products) or services at any point during the life cycle.
Source: NIST CSRC https://csrc.nist.gov/glossary/term/supply_chain_attack
22. Types Of Supply Chain Attacks
Typosquatting
Malicious Code in Repo
Distribution Server Attacks
Dependency Confusion
CI/CD Attacks
Maintainer Compromise
23. How to detect attacks
Inspect the source code of the libraries for malicious code
Verify the end compiled binary to ensure it matches the source code.
(SDLC phases diagram: Analysis, Design, Development, Testing, Deployment, Maintenance)
24. Rise Above The Noise with Prioritization
25. Achieving Relevance with Prioritization
To achieve relevance we regard four things:
Exploitability - Is this vulnerability possible to exploit?
Reachability - Is vulnerable code actually being used?
Use case - What is the use case in the application?
Fix available - Can we fix it?
26. Is a Fix Available?
There's a vulnerability in the transitive function (like we see here), but do we have a version on the direct dependency that fixes it?
(Diagram: Application -> Direct Dependency -> Indirect Dependencies -> Vulnerable Function; fix?)
Easy Peasy? Direct Dependency Fix vs. Transitive Dependency Fix
Upgrading all the vulnerable dependencies in one shot vs. one by one
29. Reachability
Source: https://myrror.security/the-definitive-guide-to-vulnerability-reachability-analysis-part-1/
Formal Definition: In vulnerability analysis terminology, reachability is a property of a piece of code that indicates whether it will (or will not) be called under an application’s normal operational conditions.
(Diagram: Application code calls hibernate, jackson, slf4j, spring-web, mongodb; parts marked REACHABLE / UNREACHABLE)
UNREACHABLE: The reachable part of Jackson does not call the vulnerable function
UNREACHABLE: The reachable part of mongodb does not call the vulnerable part of slf4j
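Added example, not taken from the deck or from Myrror Security's tooling: a call-graph walk that decides which SCA findings are reachable from application code (the reachability picture on this slide), then ranks them by the prioritization questions of slide 25 (reachability, exploitability, fix availability; use case is left to human judgement). The call graph, library function names and findings are constructed for illustration.

```python
from collections import deque

# Constructed call graph (not from the deck): caller -> callees, nodes named
# "library:function". Application code is the only entry point, mirroring the
# slide's picture of app code calling hibernate, jackson, slf4j, spring-web, mongodb.
CALL_GRAPH = {
    "app:main": ["spring-web:dispatch", "hibernate:query", "mongodb:find"],
    "spring-web:dispatch": ["jackson:readValue"],
    "jackson:readValue": ["jackson:parseToken"],
    "jackson:vuln_fn": ["jackson:parseToken"],   # vulnerable part of jackson, never called
    "hibernate:query": ["slf4j:info"],
    "mongodb:find": ["slf4j:info"],
    "slf4j:vuln_fn": [],                         # vulnerable part of slf4j, never called
}

# Constructed SCA findings; each names the vulnerable function plus what an
# exploitability check and a fix lookup (assumed inputs) reported about it.
FINDINGS = [
    {"id": "FINDING-A", "func": "jackson:vuln_fn", "exploitable": True, "fix_available": True},
    {"id": "FINDING-B", "func": "slf4j:vuln_fn", "exploitable": True, "fix_available": False},
    {"id": "FINDING-C", "func": "jackson:parseToken", "exploitable": False, "fix_available": True},
]


def reachable_functions(graph, entry):
    """Breadth-first walk from the entry point: every function it can reach.
    The visited set also makes the walk terminate on cyclic call graphs."""
    seen = {entry}
    queue = deque([entry])
    while queue:
        for callee in graph.get(queue.popleft(), []):
            if callee not in seen:
                seen.add(callee)
                queue.append(callee)
    return seen


def prioritize(graph, findings, entry="app:main"):
    """Rank findings by the deck's questions: reachable? exploitable? fixable?"""
    reachable = reachable_functions(graph, entry)
    ranked = [dict(f, reachable=f["func"] in reachable) for f in findings]
    # Tuple key: reachability dominates, then exploitability, then fix availability.
    ranked.sort(key=lambda f: (f["reachable"], f["exploitable"], f["fix_available"]), reverse=True)
    return ranked


if __name__ == "__main__":
    for f in prioritize(CALL_GRAPH, FINDINGS):
        print(f["id"], "reachable" if f["reachable"] else "unreachable", f["func"])
```

Both vulnerable functions are unreachable from app:main, so the only finding on code the application actually runs (FINDING-C) tops the plan even though it is marked not exploitable.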
30. Remediating in One Go
31. Take Action - Compose a Remediation Plan
Using the power of all former analyses and capabilities, we generate a Remediation Plan that handles what actually matters
(Components: Software Composition Analysis; Reachability Engine; Exploitability Engine; Software Integrity AI Engine; Remediation Plan Generator)
33. Validation - Always Vigilant
Continuous Monitoring: Conducting real-time ongoing surveillance of our software to detect vulnerabilities and threats guarantees the security measures we took are in check, validating our risk-mitigating course of action.
Feedback Loop: Taking remediation action and keeping an ongoing effort to improve our supply chain establishes a feedback mechanism, creating a continuous improvement of our security posture and ensuring our application reliability.
Adaptive Remediation: This feedback loop of constant monitoring and remediation of our systems over time allows us to gain insights and evolve our remediation strategies, enhancing our robustness to emerging threats.
35. Conclusions
Securing a supply chain is hard work and getting harder
Implementing methodologies of rigorous prioritization is the path forward
Wishing everyone a secure SDLC!