Demystifying the SBOM’s impact on Secure Software Deployment @OWASP Bay Area Meetup

April 28, 2022

2 min read

We are so excited to announce that JFrog is a proud host for this month’s OWASP Bay Area Meetup! Two awesome talks are planned, along with good old-fashioned pizza and drinks!

Talk #1
Demystifying the SBOM’s impact on Secure Software Deployment
With the White House’s cybersecurity executive order in May 2021, has the Software Bill of Materials (aka SBOM) graduated from being a “nice to have” to a “must-have” global standard when developing and deploying secure software from the cloud? In a nutshell, SBOMs provide visibility into which components make up a piece of software and detail how it was put together, so it’s easy to determine if it contains security and compliance issues. In this talk, we’ll discuss:

• What exactly is an SBOM?
• Securing your software supply chain
• Why SBOM must be a key element of your software development life cycle’s (SDLC) security and compliance approach
• The misconceptions that exist around SBOMs
• Insights and best practices on SBOM creation and usage

William Manning, Solution Engineering Manager
Bill is a Solutions Architect with JFrog. He is also a mentor with TechStars, Matter, and NestGSV. He has successfully exited 3 companies and took one public in Australia. He is also currently helping various startups as an advisor. In his spare time, he likes to travel with his wife and two boys. He also plays guitar, loves the ocean, and is an avid cyclist.

Talk #2
Resilient Posture for Cloud-Native Apps, Defend Against Ransomware
The talk will focus on the concept of resilient patching, which can be attained through Zero Trust and Defense in Depth.

● Founder/CEO, Araali Networks
● Co-Founder/VP Eng at Cisco Tetration Analytics
● Core Member, CSA (Zero Trust Expert Group)
● Engineering leadership at Aruba, Cisco, PacketMotion
● M.S., Johns Hopkins University
● B.Tech., Indian Institute of Technology, Kanpur

View Slides Here


Bill Manning

Bill is a Senior Solutions Engineer with JFrog. He is also a mentor with TechStars (Nike Incubator), Matter, and NestGSV. He has successfully exited 3 companies and took one public in Australia. He is also currently helping various startups as an advisor. In his spare time, he likes to travel with his wife and two boys. He also plays guitar, lives for the beach and rides skateboards.

Video Transcript

US – Frog Field
Anybody paying any attention to me? Look at me.
Loads of seats up here.
Front row.
The pizza away.
Are we recording it?
Yes, okay.
Hello everybody, welcome to the April meetup for the Bay Area, in particular the South Bay one.
My name is Brandon, if you’ve never met me before. I see a lot of new faces here, great to see that, and also great to see some of the old faces.
When I joined this chapter in 2014 we had less than 100 people; as of today we have about five and a half thousand, so I think that’s a testament to all of you for showing up, and to all of our hosts and presenters for putting on a show for us.
So who’s out there, first OWASP meetup here?
OK, cool, I love that. Welcome, and welcome back if you’ve been to a few of these before; you’ve probably seen me and
Wendy at the back, who is pretty new. Wendy, are you here?
Hey Wendy. So if you want to learn a little bit more about OWASP and the chapter, come and talk to me or Wendy or Prashant, who will help you out with that.
In particular, we need speakers, we need content; we can’t put on these meetups unless you put a little bit of yourself out there, and if you’ve got a conference coming up and you want to try out a new talk, it’s the perfect time, the perfect opportunity for you.
Thank you, JFrog, for hosting again; we can’t do this without our partners and our sponsors.
There’s a lot of work that goes into organizing anything like this. It might seem simple: order a few pizzas, then come up and drink a couple of beers and watch a show, but it takes a lot of work to put these things on, so thank you for that.
And also, we need new hosts. We’d love to keep coming back here, but it’s not fair if we just keep coming to the same place.
One quick note: we have a code of conduct. Normally we have a slide; I don’t have a slide here tonight.
It’s really simple: behave yourself and everyone’s going to get on just fine. If you don’t behave yourself, like we saw a little while ago on the Zoom meeting, you will be asked to leave.
So please don’t make us do that; we haven’t had to do it yet, thankfully.
Tonight we’ve got two speakers, starting off with Bill Manning from our host JFrog.
He’s going to talk about demystifying the SBOM’s impact on secure software development.
If, like me, you have to deal with this in your job, or you’re subject to an executive order that says you have to have a software bill of materials for all of your software, you’ll know that this is very topical.
And then Abhishek, who is the CEO and co-founder of Araali Networks, is going to talk to us about resilient posture for cloud-native apps, and that’s what we’ve got for you tonight.
A little bit of housekeeping: the exits are there, the bathrooms are there. I’m going to shut up now and hand it to our hosts, who are going to give us
I think they’re going to give something away.
So if you put in a fake email address when you registered, that’s too bad, because you’re not going to get it.
Hi, it’s really nice to see you all in person for our first post-COVID in-person event in the office.
When we heard that there was an opportunity to have an in-person event we jumped at it, and we really
were looking forward to seeing all of you, so thank you for signing up and thank you for coming in. A little bit about JFrog, if you did not know: JFrog is the DevOps company, and we also secure your DevOps pipelines for you.
And we have cool T-shirts, so if you’re looking for more information, go to our website.
A little bit about what I do at JFrog: I’m currently building a rust platform to secure your supply chain, so if you have more questions I’ll leave my email with Brandon or Prashant; if you want to ask me questions, feel free to do that, and if you have any
overall questions about JFrog, don’t hesitate to reach out to us. Thanks for coming in and enjoy the meetup.
Unknown Speaker
Working oh.
US – Frog Field
Yeah, we have a cool prize, so scan the QR code or go to the Bitly link and sign up, and we’ll do a raffle and you will be notified via email. It’s a cool, cool tool: you get a 3D printer if you’re the lucky winner.
Hey guys, welcome, everybody. I’m super excited. Hello.
I gotta wait, oh wait.
One more time.
Going once, going twice. I feel like I’m raffling stuff off; I feel like I should be doing, you know, one of those auctions.
Everybody got their QR codes? Everybody got their entry?
It seems so, you guys, but I’ll be terrible, so
shuffle up here.
There we go. Alright guys, so we’re calling this, you know, “Demystifying SBOM’s Impact on Secure Software Development.”
Right, it’s a mouthful to say, but really what it comes down to, what we’re going to discuss today, is software supply chain security and why the software bill of materials became a thing.
Right, we hear a lot about it these days, referred to for the past year, and really what we’re trying to do is explain some of the methodology, some of the reasoning behind it.
And we know why we got to this point, and on top of that really what it is and its impact, and also things like demystifying any sort of things that might be out there that people have misconceptions about.
And then also I actually have a couple of examples of both of the qualified formats, SPDX and CycloneDX, the two qualified formats for software bills of materials.
So first let’s kick off with who I am. I’m Bill Manning, I am the solution engineering manager for new business in the Americas here at JFrog; I’m also a Salesforce solution architect as well.
My very interesting past: actually it’s funny, one of the companies that I helped found in the early days, I have a guy right here, sitting there.
He used to be part of one of my old companies. But you know, my job here is to work with our customer base, do talks like this, and on top of that many different things. I’ve been with the company for over five years.
If I talk too fast, just tell me to slow down; I’m a New Yorker, and this is just the way I talk.
So let’s get kicked off. First of all, software supply chain attacks, right; this is where we need to start, we need to understand
the justification, the reasoning, the different types of attacks and how they can affect you and your software development teams.
And the thing is, it’s nothing new. It hasn’t really been around for
a short period of time; it’s been around for a long time, but we’re going to talk about the events that led up to the reasoning behind it.
So first of all, we see headlines like this all the time, right, especially recently; we’ve been seeing things like attacks, an exploit,
or some sort of library has been compromised. Just so you know, we at JFrog are a CNA and we’ve recently produced a bunch of CVEs around npm and other things like that, so we’re very heavily invested in this kind of thing.
And also, as we go through this whole... and there we go.
You know, we hear this all the time, and the thing is, I always make the joke when I talk to our customer base or I talk to other people:
no company wants to be a headline for the wrong reasons, right? There is such a thing as bad press.
And finding out that suddenly, because of a stupid software supply chain attack, a library that went bad or something in your software, suddenly you’re leaking data, customer information,
whatever, anything that’s unacceptable that could have been resolved, right; this is a very normal thing.
And if you look at the history of the things that really brought everything to precedent, you know, we have all the standard stuff, I mean
the big one we’ll talk about, of course, is SolarWinds, but the thing is that this has been going on for a long time; we started in 2012, but to be honest it’s been going on much longer than that.
You know, when you think about software supply chain attacks and you think about third-party transitive dependencies, which we’ll talk about in a bit, you know, I grew up as a developer, since I was a kid.
You know, my first job was development, and then I’ve done various things over time through the years.
But when it comes down to it, as a developer, we have this inherently naive approach to how we do our jobs.
You know, when we look at the libraries we need to perform the functions we do, the things that we do,
we look at the objective behind it and say, here’s a tool I need to get my job done, to hit my KPI, to have my sprint finish, without thinking about all the pieces that come along with it. We’re going to talk about that today.
You know, SolarWinds was the big thing that really rocked everybody’s world, right, and the only reason why it was: 18,000 customers, right, 18,000 customers were affected by an issue, and this issue was very
interesting. It wasn’t heavily sophisticated, but it was pretty sophisticated at the same time, if you’re not familiar with the way this actually worked.
The issue was a third-party, fourth-level transitive dependency in their product line.
It was a library that was brought in with a series of other libraries, under the radar, and the best part about this was, I actually admired the way this attack was built, and the thing is that
it didn’t do anything for the first 14 days.
So if you used this, built the software, distributed it to their customers, the minute that they sparked it up it set off a timer; 14 days later it did its nasty bits, right. But the thing is, really what
really drew attention to this was the number of customers, but also the type of customers: Department of Homeland Security, Federal Reserve Bank.
Right, I mean you can go on with all the government agencies that use SolarWinds products for what they do, and this really put it here, and it’s all
estimating now that’s a 100 billion dollar remediation globally for this. That’s insane, and that’s from a simple library. If you look at the size of the library, by the way, it was 1.27 megs.
That’s it, it was super small, it was under the radar, nobody knew about it, but it’s part of the software supply chain.
So when you think about software and you’re building it, you’ve got to remember 85 to 90% of your software is someone else’s software, right; you have your code and everything else is below it.
You know, you depend on these libraries to do your job, to build your products, to get your stuff to market, and like I said, you try to do it as rapidly as possible, and if you’re looking for something that’s going to
need a string, it’s going to make a bitmap, whatever you’re doing, you just want to find the right tool and get the job done. You know, when I talk about this software, I mean how many of you here do npm development?
I’m counting a couple, right. I call npm the house party: you invite three to five libraries to your party, right, that you have implicitly stated, and 500 show up and can wreck the party, right. That’s the thing; this is the kind of thing we’re dealing with.
And remember, software is everywhere, and automation, and also the big thing is that as we automate more, as we build more, faster, more rapidly,
you know, we want to get things to market faster, smaller sprints, you know the deal, get ahead of your competition.
All those risks are amplified just because of the fact that you want to get there faster, and you should not compromise security just because you want to get your stuff to market faster.
On top of that, the thing is, remember all your software is not built by your teams, right; I mean even the transitive dependencies you depend on
have other transitive dependencies, and they have transitive dependencies, and they’re built by people you will never meet.
You will probably never meet them in your entire lives, and you’re trusting your software with these people.
You’re looking at these people and you’re just like, okay, I don’t know you, but I’m going to inherently trust you, and that is a problem, and at the same time
we don’t want to remove that approach of, you know, building, right; we don’t want to ruin that naivety, because that naivety actually makes us better developers, right; we want to build the software we want to build.
Also, the thing is that one of the problems with all these potential attacks and all these things that are going on
is insane, is the fact that there’s financial and there’s non-financial rewards, right; it’s not traceable. Some are financial, some are not, some are just, I want to show the world I did it.
Right, I mean the SolarWinds attack, to this day nobody’s really sure where to track it down to, right; there’s no inherent origin, and that’s a very typical scenario, but a lot of bragging rights, and boards actually do this.
74% of the libraries you use, though, keep this in mind, can be repaired by simple remediation,
just by upgrading, by paying attention to the software you’re using, looking at the versions,
finding out using tools; there’s plenty of security tools out there. I mean at JFrog we have our Xray product, but there’s a multitude of tools that are out there.
And no matter what you use, it’s your responsibility to protect your customers, your users, your company and reputation.
But the thing is, most of these tools provide some sort of remediation data, and that data you can utilize to make sure that you’re always up to date and addressing the potential issues that can cause problems.
And the thing is, I don’t have the slide here that I usually would show, but here’s the thing:
about 80% of the software that you’re using, these transitive dependencies you’re using, are old, outdated and haven’t been updated in over four years. Think about that: in a lot of ways you’re using antiquated technology to build the latest and the greatest.
You know, when you think about it, 99% of all software, and 85% of it is composed of components, right; there was a 62% increase in exploitation attacks from 2015 to 2020, more.
I know I have a number that’s even scarier in a minute, because I stopped at 2021.
Because of the fact that it’s growing year over year, right, this inherent, you know, potential nastiness is happening more and more every day; the incentives are higher, the actual ease of entry is super easy, and we’ll talk about that in a minute.
But the thing is, why are software supply chain attacks so easy, and why is it such a systemic problem in the industry?
So number one is low effort; it’s super low effort. I mean a lot of these aren’t that sophisticated; they don’t have to do a lot.
You know, the other thing too: it doesn’t take a lot of technical knowledge to do what you need to do in this respect.
The other thing is, if you get in the right technology and you actually attach these binaries to popular items, like what happened with SolarWinds,
the actual speed with which it can be deployed across the globe is insane as things get faster and faster; this is one of the inherent problems.
And the other thing too is that when this happens, it abuses the trust relationship between you, your corporation and other entities, and even,
the thing is, I mean how many companies out there, and maybe in this group, I don’t know, but
there’s a lot of companies out there that have these extreme measures, right: cut it off, right, air gap, or you have to go ahead
and request the libraries and InfoSec has to take a look at it, evaluate the binaries and give you authorization, give it to you, right. There’s all these stopgaps that companies are trying to do to try to stop this.
And the thing is, it’s almost like walling up a dam where it’s not just a pinhole but it’s a gigantic gash, and you’re trying to put your whole body in there to stop it, and it’s not going to stop; the flow keeps going.
But the thing is, though, they bury themselves in the community.
And that’s the problem: a lot of these attackers, when they do the things they do, they get the trust of the community behind the packages.
They build the software with them, they contribute, they act as active participants, kind of shadowing the nefarious causes.
And the thing is, you’re not sure if they’re adding in back doors or malicious code or things like that, right. The thing is, in this idea of communal software, like I know you said you have the GFS
sweatshirt over here, right, and I’ve contributed to a lot of open source projects: the more the merrier, it’s a community you join, it’s a piece of something you feel you’re part of.
When you contribute you feel awesome; when people see your download counts on the stuff that you’ve produced, right, you’re like, people care, people are using my stuff.
But the problem is that there’s other people that see that and go, hey, I want to get an exploit done just because I want the kudos.
On the other side of this, the black hat community, the community that’s looking for chaos, right, these agents of chaos are just trying to get accepted into the community, and they get accepted and then they do the work.
So how the attacks occur: when we talked about this, you know, I’m a developer developing my code and I go, okay, here’s the tasks I need to do, here’s the APIs, like I said, here’s my sprints that I need to do.
And I go out to the world, and I find all the transitive dependencies to do my job better, right; I can use a function to do something, but I need a library for the function, and that library calls on these other libraries.
But the thing is, if one of these actual libraries has something nefarious inside and I compile it, unbeknownst to me,
and I send this to my customer, I’ve just sent something bad. I’ve done that whether I’m going to share my software, whether I’m launching a web service, anything like that, whatever you’re doing, whether it’s embedded software, doesn’t matter.
And the thing is, usually it’s not a first-level transitive dependency; in that case, that is an implicitly stated library I utilize to do my job.
Well, the problem is that that library depends on other libraries that depend on other libraries, and it just keeps going and going and going.
So unbeknownst to me, once again, I brought in this library that I might have found fine, but one of the dependencies it has actually will cause the same sort of systemic problem that I’m trying to avoid in the first place.
So the thing is, in 2021 there was a 650% increase in supply chain attacks.
Think about that; we were talking before about numbers like 25%, you know, 40, pretty low, very low numbers: a 650% increase in supply chain attacks.
The pandemic was terrible for boredom, and if you’re bored you might do this, right. So the thing is, with the increase in supply chain attacks, how do you defend yourself?
And there are ways; like I said, there’s plenty of tools out there, I mean,
God, if you’re just using GitHub you have Dependabot, right; I mean that’s one method you could use. Like I said, we have Xray, there’s Snyk, there’s tons of security companies, but we’re all heading towards the same goal.
And that’s software security, because the thing is, when I talk to my customers about security, and it’s a product I use, I’m like, hell yeah, I’m going to help you out because you have my data.
I’m doing it from a personal perspective, and that’s the way you almost have to approach this: when you take these kinds of inherent steps to ensure security, think about you as the customer.
Right, your customers are putting, you know, trust in you, and you can erode that trust very easily; trust me, there’s a lot of companies out there that have lost the trust and faith of their customers, of their user base, based on something like this.
So when software attacks, right, there’s the various things we have; if you’re a developer, you have things like
typosquatting. Yes, there are a group of individuals out there that have actually built nefarious libraries where “i before e” doesn’t exist, and “e before i,” I guess, right; simple things like that, you mistype something.
Most of the time you won’t get something; occasionally, if you’re not paying attention, you will, and that can be something threatening.
There’s other ones too, like dependency confusion; these are huge systemic problems. The thing is,
you know, there are companies that release software out there for people to use; I mean, think about Netflix, right, Netflix kind of defined the standards for a lot of different things. I mean, my favorite tool in the world
for a long time was Chaos Monkey; you know, I mean Chaos Monkey is just,
I just, I still love it, I think it’s a brilliant piece of software, right; I mean, it’s totally destructive in its nature, but it shows resiliency in the stuff that you build. Awesome.
You know, but these are things people put out there.
But what about something like this: you’re out there and you’re like, hey, you know what I need, I need a library to do the things that I want to do; hey look, here’s one for analytics, here’s one for authentication.
You know what, hey, it’s from PayPal; PayPal is a very secure entity, they’re a bank, when you think about what PayPal comes down to, they’re a bank.
And if you’re going to pull from somebody and you want the highest security, you’re going to assume PayPal is the best. You know what the problem is?
This is an absolute lie; this is not from PayPal.
This is actually somebody putting it out here, and then suddenly you put in your authentication and you’re passing all your information, all your identity and stuff, off to somewhere unbeknownst to you.
Who knows, but this is a very typical attack, right; that’s an assumption you’ve made. They make fake sites, they make, you know, “I’m a developer at PayPal,” things like that.
So that’s where the software bill of materials became a thing, and the reason why we hear so much about it
was these attacks, you know, they increased, and like I said, when you start messing with the US government,
yes, there are going to be repercussions, right, and other governments around the world, and the SolarWinds stuff was the fire that ignited the next phase of this. And the reason why it started off with the government and now it’s bleeding into the other sectors, banking, medical,
you name it, is now going to have the regulations around things like software bills of materials.
So actually, before they even started, by the way, just so you have a little context on how it actually started: a software bill of materials actually started initially from the
Food and Drug Administration, and then part of that is the National Telecommunications and Information Administration, NTIA.
And this was because of medical devices; that’s the reason why the FDA got involved and behind this. Think about it: you’re writing software for things that keep people alive.
These are things that can kill people. I actually gave a talk one time that was titled “Code Kill,” and I gave really horrible statistics on how many people died based on software bugs; it was a bad talk, it didn’t work out so well.
But the idea here was that the FDA came along and said, before you release any sort of medical device, or any device that’s used in human form
that could affect somebody’s life, you need to know what’s in the software.
You need to know the pieces behind it, you need to know the information, so if something does go wrong there’s liability aspects, there’s traceability aspects, a multitude of things you would come to know.
Well, in 2021, May 12 specifically, because of the actual SolarWinds attack, the Biden administration came up with the Executive Order on Improving the Nation’s Cybersecurity, and suddenly everything became a thing.
Right, now suddenly, you know, rules, regulations: if you wanted to work with the US government, you have to do it within these guidelines.
Now I’m not going to go through the whole thing; I did read the whole thing, and it took me a while, because there was a lot of sleepiness
involved, because it is a lot of legalities, but for our section we’re going to concentrate on one specific area, and that’s Section 4, Enhancing Software Supply Chain Security.
They recognize this as a potentially devastating issue that could affect America.
And in this case, like I said, this is now also around the world, so it’s not just the US; a lot of governments have actually adopted the same mentality.
Think about this, like I said: do you want, God, the Department of Defense to suddenly have an exploit in the stuff that they do, like, I don’t know,
launching nuclear weapons, right? I mean, think about this, right; these are things that are really implicit, but Section seven actually talks about that.
Any provider of, basically, software for the government needs to supply the government with a software bill of materials on the contents of the software that they are purchasing.
This was immediately adopted by the medical industry next, including hospitals and insurance.
This has been taken on by the banks and financial institutions, and now it’s growing, so a lot of companies are expecting, if you deal with them, they’re going to start asking you for a software bill of materials.
So what is it? I don’t like talking about software all the time, so basically, since it’s the FDA, it’s the same thing: what is inside that box of yummy German chocolate cake?
And the thing is, it even includes things like warnings, right, may contain wheat, and also may have, you know, the ingredients.
But the idea here is it’s letting you know what’s inside, and that’s what counts, so let’s talk about cake.
So you know, cake ingredients: I like formulating software development as cake, and yes, I do like cake.
So of course you have a bunch of ingredients that you put into this cake, right, but here’s what I mean, it’s interesting: I’m not telling you how to make it, I’m just telling you there’s this stuff that you need to put in, and by what quantity.
So really what it is, it’s just a list of ingredients that’s inside your software, right; that includes libraries, modules, you know, either free, paid, proprietary, doesn’t matter.
The things with restricted access, you name it, this stuff needs to be in here. Now the thing is, the version, and the actual library itself.
It also can include additional information that is not required: tooling, environmental information, settings, versions. Right now, these are things that you can add in just to enhance the experience; I’ll show in SPDX and CycloneDX, the examples, these are implicitly stated, just so you know.
On top of that, the thing is, what is it useful for? For accountability, of course, right; it’s used for maintenance, you know,
I have one version of the software versus another version of the software, what’s changed between them, and we’ll discuss that.
And it also allows people, when they go into negotiation, so when they’re doing any sort of software negotiation and purchasing your software or anything like that,
they usually are going to start adding this into either the contract or the evaluation for purchase; we’ve seen this already with some procurement people.
They’re actually saying now we need to have this as one of our checkbox items to deal with you as a company before we can issue a PO.
On top of that, it’s also for operators, right, so if you’re installing a piece of software, and that piece of software, if you remember, every company is a software company, no matter what they do.
Right, the idea here is that this is a way to actually mitigate any sort of inherent risk in bringing that software in, by understanding the pieces, the components, of how it was built.
And in some cases, it also lists things like licensing; anybody who’s dealt with a lot of companies or any sort of,
you know, being acquired or anything like that, there’s always a thing around licensing, making sure that the licenses that are used in the software you have are compliant
with the restrictions, right; just because it has an open source license doesn’t mean it’s a valid one, right. There’s 435 open source licenses in the world, just you know, yes, it is a really crazy number, 435.
And you know what, if it’s not one of those, you know why, and also each one of them has their own merits, their own things they do; of course, anyone who’s ever dealt with it, it’s always a pain in the butt.
Then, you know, what are the benefits, right? So first of all, identifying, mitigating and avoiding known vulnerabilities; it’s a great thing. The thing is, you can parse through this list
and take a look at the software components, and it’s pretty easy because it comes in a standardized format, especially with CycloneDX and
also SPDX formats; they’re standard formats, there’s linters out there where you can actually go through
these to see quickly whether something is there. I mean, the thing is, most of the time most software was a black box; not understanding the components in them can be terrible.
Also, being able to manage and qualify licenses, right, identify security and license-based requirements that actually come with companies.
Right, and they’ve been qualification for inherent software, and also a complete, comprehensive analysis of how it’s actually used; also maybe even lowering operating costs, but that’s a whole other discussion, I’m not going to dive into it.
But it allows you to also go in and just understand that software has a lot of stuff, right; it’s just a lot of stuff.
Well, let's go back to our cake instead, right? Because there are all different types and pieces.
So once again, let's look at this cake. This cake is a pretty cake. We know that somebody made it, we know that it was mixed somehow and baked in the oven.
Right, it's probably decorated, maybe it's not. We're hoping it's tasty. It probably is very tasty; I like chocolate cake, that works. But we know they used ingredients, right? Once again, we know they used ingredients.
So when I look at this, the thing is, once again, I know that. But you can enhance it, because you can have so much more.
You could include the environmental requirements for that, right? You need the oven to be at 350. You can
say that these components were dependent on other components to make this cake, right? The thing is, there's a lot of information that's stored inside this level of detail for each piece of software that you build.
Now, what happens if we take a look at one of the ingredients? Let's look at baking soda, right? This is one of the libraries inside of this cake that's used to make it.
And suddenly you get the next version of this, and what happens is it's baking powder. That doesn't seem right: baking soda, baking powder.
I am not a great cook, and I have actually made this mistake before. But the thing is, your results are completely different.
This is the same level of idea behind actually doing the software itself, right? Knowing what was changed between two versions at a glance.
Being able to parse out the differences between two pieces of software also helps in terms of things like remediation: if something has gone bad, something has gone wrong, it isn't performing the way it should, what's changed between them?
And as a software developer and supplier, I supply this information to the actual customers when they request it. If something goes wrong between them, they have a quick reference point in which they can say, yeah,
yeah, it's different.
Now, what's inside that counts. What I mean by this is, let's look at the software example again.
Right, so I've gone ahead, I built the software that I have, you know, I'm pulling my transitive dependencies, I built the program I'm going to do.
Now I can produce a software bill of materials. There we go. Being able to apply this to say this piece of software I have has the list of all the ingredients that I used to create it.
And then when it goes in, I now have accountability, and I can ship this to my customer and they know exactly what they bought, right? It's the same idea, like I said: you buy any food, you can look at the ingredients at any time.
Now, what if something changes between two versions? Well, I can reflect that in the software bill of materials, so I know.
What if I read the news and suddenly I find something inherently terrible? And you know, as a developer, I, or say a company, says,
hey, you know what, I read this thing, there's a CVE out there for an exploit having to do with a library that was built in Java, and I think the program we bought was based in Java. Well,
I can go ahead and review the software bill of materials and know instantly whether or not the software I have installed in my environment is infected or not with the actual potentially threatening component.
It's a quick way for remediation.
Now, like I said, there are tools out there that do that. We have ours that exposes that, lets you know how far back something has actually been used, right? One of the questions we always get is that root cause analysis on software problems with companies
can take days or weeks. With the proper tool set you can knock it down to minutes and hours, right, if you have the metadata available for you to find the information.
Through a software bill of materials you can find out if you're affected. If you're a company producing software, you can also use the same level of detail to find out rapidly how far back a possible exploit you've had.
So when you're looking at software bills of materials and you find something, and you have a software bill of materials for every single version you release, you can check those and find out how far back something has gone.
This gives you a chance to get ahead of the situation, to talk to your customers, to come out with the fix, like in this case, for one, day four.
Now, the thing is, that's just a single piece of software. What about something with a lot of layers, right? I always joke around about this part, but I say, you know what, each piece can be different.
Right, each one was baked differently.
I don't know who made each one of these layers. I'm sure it's delicious together. Some things might have baking soda, baking powder, there might be nuts in one, right? This gives me the ability to go and take a look.
When I was looking at a web service, which is made up of multiple different layers, right, you have the idea of a Helm chart, which I call the frosting.
And then you have the different layers of the cake, which can be the actual pods and the containers that are actually running the actual services below.
But what's great is that even when I look at things like a runtime, like a Docker container, right, it contains a lot of different stuff: it has an application layer, it has a runtime that runs the application, and then it has a base-level OS.
I still need to produce a software bill of materials, because once again, anybody who uses Docker, you bring in a base-level image without understanding what's inside.
You install the components to run this, and it's the same thing. Like I said, it's all a crapshoot whenever you build your software; every time you do this and you bring something in,
yeah, you might be bringing something in that could be detrimental.
But the thing is, when we start talking about web services, right, where you have Helm charts and Docker images, once again, if something's infected I want to know it, and I can have the software bill of materials for even individual components.
Now, the thing is, it can include things: if you want to include your CI tooling, if you want to say when it was built, if you want to have all your stages, like any sort of testing, you might have a few at...
to assure your customers that they went through, say, I don't know, scalability testing.
Right, what's FOSS, you know, components for you, so free and open source software. You know the old adage: free as in speech, not as in beer.
You know, also what environment was it built for, right? I mean, the thing is, it might be CentOS, it might be Debian-based, it might be Windows-based, it might be macOS.
Right, and then also, are there any security vulnerabilities that could be a potential threat?
Right, these are, once again, things that you can add in and say there's an exploit, but it's known that this exploit isn't being used in the software, because the function that's
actually in question is being used. So why should I throw the whole thing out, right? And then you can explain that to your customer so they don't go, hey, you're using this.
So some of the misconceptions that we hear a lot from people: well, number one, is this a roadmap for the attacker? No. Once again, I can give you a pile of stuff and tell you, bake me a cake. I don't tell you... if you guys have ever watched Bake Off,
you know, one of the challenges is they give no instructions, they just give a list of ingredients, and everybody tries to interpret it the best they can. Same kind of idea: you can try, but you don't have all the level of information.
No, no software disclosure: you do not need to disclose your software source code. If somebody asks you for that, unless it's illegal and you have legal documentation in place, no one should ever ask.
And then lastly, doesn't it expose intellectual property? No, it just has pieces, it has parts of stuff that you're using. It doesn't even have to include your libraries. Just so you know, it doesn't have to explain... it explains all the stuff you use to do your job.
So when we walk away from this, right: if you want to work with the US government, you need to have a software bill of materials. This has now changed, by the way; this has bled over everywhere.
The FAA is requiring this, right? A lot of government agencies, of course, but like I said, medical, financial and others are adopting the standard.
Right, it's a list of all the FOSS components, paid components, whatever that you're utilizing in what you do.
It provides an audit trail and traceability for anything potentially threatening. It also protects you as an organization, so don't,
don't forget that, right? Because it allows you to get ahead of it. It allows you to say, yes, we know there was something bad in there, but we've had it for the past six months, but we've addressed it.
And you can prove it by giving a software bill of materials to say, yeah, it's been updated, don't worry, we fixed it.
And then, at the same time, it provides easy, secure license compliance information.
So if you've ever had to work with your legal teams and try to provide them with... be like, hey, you know what, we're filing for this, we need you to supply us with a list of all the libraries you're using and all their licenses.
Right, there's usually a big groan, and I'll get to that later.
So that's all I've got, and thank you. I will share one thing, just so you guys can see: this is what a standard format looks like, really quick.
If you take a look here, you can actually see... oh sorry, I'm in the middle of doing something, so let me bring that down below. So actually, if you look here, this is an SPDX format
from a software bill of materials that I created. It gives you some basic level of information behind the software; it has the basic inherited list at the top of the modules that I'm actually utilizing.
And then below that it goes on for a while. There's a lot here.
Then it goes into the individual components, so you can actually see, like I said, every little piece of software that you produce, parsable and usable.
The other format that people are also asking about is CycloneDX, right? So these are the two formats that most people utilize. If you look here, you can see it is inherently a different level of format.
It has the version, and then it actually breaks things down into their components and interdependencies.
Just to let you know, like I said, this is all readily available, it's out there. And definitely I will take your questions in a second, but, yeah, that's all I've got today. Oh, thank you.
Man and blue.
Yeah, and no, actually.
This is that... so the question that was asked was: are there companies that take this and put it into other pieces of software, say for accountability?
Yes, I know that there are tools out there that companies are using.
They're basically cataloging systems. So now this is your software bill of materials, and there's a format now, and of course companies go, hey, it's so nice to have a catalog for this.
And so there are kind of companies that are coming out, but a lot of companies are just taking this and inherently storing it somewhere. It depends; there's no standard per se, so there's a startup idea.
Yes, Drew, so I know you by name, so I can actually harass you.
Use yours, export it. You would export and store it independently, or you can actually store it wherever you want, right? There's no regulation on where you can store it, as long as it's accessible and you can provide it.
So if you wanted to, you can always check it in, right? You can always check it into your Git if you were doing it on version control, or, like for us, if you're using something like our...
I'm going to mention my company, or my Artifactory: you can always, if you want, publish it as part of the build, you can always upload it as part of it. Yeah, that's probably the way you can do it. If you want it to be independent, it's separate.
Yes, it is. So a single SBOM for each piece of product that you produce.
Well, all right, oh, way in the back.
It depends on the size of the project, oh.
Oh, these ones here. So they're asking what is the typical size. To be honest, I'm not really sure; I'd have to go look at the actual file on disk and tell you.
But I can find that out. It's only a couple of K. It's just JSON data; if you look at it, it's basically a reformatted version of JSON data, you know what I mean? So it's not very big.
All right, oh, one more.
Well, it depends, right? So if you look here, if you take a look at this one... so this one here is the CycloneDX format, right, and this one doesn't really have... half my screen is still showing, I'm not sure.
It might help, sorry, let me go back to sharing. Where is my... it might help if I was actually showing it, right.
Yeah, so if you take a look here, you can see where there's really not any hash value, right? And if you look at... but it depends, like some do have it, right? So here's a checksum right here
for the individual components. But it's funny, though, because some of them don't. Then when you go into this side, yes, everyone has a checksum.
Well, most software calculates a checksum; some probably just show up as blank, which, if you take a look, actually shows up as blank.
One more.
So the question was, how come some of these libraries are pre-certified and other things, right? How do we qualify libraries beforehand?
And that's a good question. There are some out there that are qualified, that companies will do that, but most of them are independent developers, right?
And most independent developers are just going to produce and go.
But, like companies out there, there are, like I said, lots of tools out there that are
scanning for these vulnerabilities. Like I said, we have ours, so we can look at the potential threats and vulnerabilities on ingest,
right, to make sure that before they even get utilized, they are safe and secure before they get in. And to be honest, a lot of these exploits don't get figured out until further down the line. I mean, look at Log4j.
Right, Log4j: for how long was this out in the public? And the thing is, here's the funny part, by the way: before the actual issue happened there were lots of infos and warnings going out saying that this was under investigation, and nobody paid attention.
Oh well, oh, thank you guys. I don't know who's next.
Here he comes.
And here we've got the man of the hour, come on.
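The talk above makes two practical points about SBOMs: that diffing the bill of materials of two releases shows at a glance what changed (the baking soda versus baking powder story), and that when an advisory lands you can check every released version to see how far back the affected library goes. The Q&A adds that some components carry a checksum and some do not. The following Python is an added example, not code from the talk, from JFrog or from the CycloneDX project. It parses two constructed CycloneDX-style JSON documents (only the handful of fields it reads are included; the hashes are obvious placeholders, not real digests), diffs them, finds releases that still ship a library below a stated fixed version, and lists components with no checksum. The application name "cake-service", the library names, the versions and the "fixed in" value are all assumptions chosen for the example; version comparison assumes simple dotted numeric versions.

```python
import json
from typing import Dict, List, Tuple

# Constructed CycloneDX-style SBOMs for two releases of a hypothetical app.
# Field names (bomFormat, specVersion, metadata.component, components[],
# hashes[].alg/content) follow the CycloneDX JSON layout; values are made up.
SBOM_V1 = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.4",
    "metadata": {"component": {"name": "cake-service", "version": "1.0.0"}},
    "components": [
        {"type": "library", "name": "baking-soda", "version": "2.1.0",
         "purl": "pkg:maven/example/baking-soda@2.1.0"},
        {"type": "library", "name": "flour", "version": "1.4.2",
         "purl": "pkg:maven/example/flour@1.4.2",
         # placeholder digest, not a real hash
         "hashes": [{"alg": "SHA-256", "content": "00" * 32}]},
    ],
})

SBOM_V2 = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.4",
    "metadata": {"component": {"name": "cake-service", "version": "1.1.0"}},
    "components": [
        {"type": "library", "name": "baking-powder", "version": "3.0.1",
         "purl": "pkg:maven/example/baking-powder@3.0.1"},
        {"type": "library", "name": "flour", "version": "1.5.0",
         "purl": "pkg:maven/example/flour@1.5.0",
         "hashes": [{"alg": "SHA-256", "content": "11" * 32}]},
    ],
})


def load_components(sbom_json: str) -> Dict[str, dict]:
    """Return {component name: component dict} from a CycloneDX JSON document."""
    doc = json.loads(sbom_json)
    if doc.get("bomFormat") != "CycloneDX":
        raise ValueError("not a CycloneDX document")
    return {c["name"]: c for c in doc.get("components", [])}


def diff_sboms(old_json: str, new_json: str) -> Tuple[List[str], List[str], Dict[str, Tuple[str, str]]]:
    """Added names, removed names, and {name: (old_version, new_version)} for bumps."""
    old, new = load_components(old_json), load_components(new_json)
    added = sorted(set(new) - set(old))
    removed = sorted(set(old) - set(new))
    changed = {n: (old[n]["version"], new[n]["version"])
               for n in old if n in new and old[n]["version"] != new[n]["version"]}
    return added, removed, changed


def parse_version(v: str) -> Tuple[int, ...]:
    """Assumes plain dotted numeric versions such as 1.4.2."""
    return tuple(int(part) for part in v.split("."))


def affected_releases(sboms: Dict[str, str], library: str, fixed_in: str) -> Dict[str, str]:
    """Releases ({release: sbom_json}) that ship `library` below `fixed_in`.

    `fixed_in` stands for the version an advisory says resolves the issue;
    the check is inclusive of everything older, so it shows how far back
    the exposure reaches across the release history."""
    hits = {}
    for release, sbom in sboms.items():
        comps = load_components(sbom)
        if library in comps and parse_version(comps[library]["version"]) < parse_version(fixed_in):
            hits[release] = comps[library]["version"]
    return hits


def components_without_hashes(sbom_json: str) -> List[str]:
    """Names of components that carry no checksum at all."""
    return sorted(n for n, c in load_components(sbom_json).items() if not c.get("hashes"))


if __name__ == "__main__":
    print(diff_sboms(SBOM_V1, SBOM_V2))
    print(affected_releases({"1.0.0": SBOM_V1, "1.1.0": SBOM_V2}, "flour", "1.5.0"))
    print(components_without_hashes(SBOM_V1))
```

In practice the `sboms` mapping would be loaded from wherever the bills of materials are stored (the talk suggests checking them into version control or publishing them alongside the build), one document per released version, and the "fixed in" version would come from the advisory being triaged.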
Unknown Speaker
Thank you.

US – Frog Field
Yeah, we're ready to start, if you guys don't mind settling down again. We have our next speaker, Abhishek,
from Araali Networks.
And handing it over. Double check.
So I'll talk about resilient posture for cloud-native apps.
The theme is: how do we create self-defending apps even when they are vulnerable? How can they be defending and resilient in spite of being vulnerable?
So, my name is Abhishek Singh. I'm the founder and CEO of Araali Networks. Before Araali I was a co-founder at Tetration Analytics, acquired by Cisco Systems. I'm also a core member of the CSA Zero Trust Expert Group.
And there's my...
Zoom got disconnected, so.
Unknown Speaker
Yeah, amen.

US – Frog Field
These are the highlights from a study done by IBM, and the main thing here is that time to detect breaches is 27 days. It's expensive, obviously, and the US is the most attacked country.
But the main theme is that no one is safe. Even a person with a single server gets ransomware for 1500 bitcoins; they don't always talk about it.
But no one is safe. It's not just for big corporations, and this is a real story from a real friend in the hospitality sector: he had a hotel and he got ransomware for 1500 dollars, and he paid for it.
Mostly it goes unreported.
Zoom window again.
Zoom is connecting.
It was projecting here.
Still, still connecting.
US – Frog Field
So, in terms of resiliency, what comes to mind is zero trust. It's a very maligned term that everybody uses; every vendor uses this term, zero trust. I'm not here to sell zero trust itself, but to tell you what this is all about. Zero trust is actually pretty simple. It's about...
The President of the United States gets protected by the Secret Service, and there are three questions you need to answer: who is the President,
where is he at all times, and who has access to him.
You don't protect the President by guarding the border of the United States, right? They have very simple questions to answer. And that's again my Zoom...
This is not working out.
And I do...
Talk amongst yourselves.
Technical difficulties.
Unknown Speaker
New Center.

Unknown Speaker
It's already.

Unknown Speaker
You're once again.

Unknown Speaker
Playing with one.

US – Frog Field
Yeah, so zero trust is a strategy, and the main thing you need to answer is: what are you protecting? And define least privilege policies to protect that resource.
Zero trust can be applied to any resource. When applied to VPN it means zero trust network access. Zero trust can be applied to any resource that you're trying to protect: for VPN it's ZTNA, for cloud it's IAM.
And for apps, it's what we're going to talk about:
how do you protect apps with zero trust concepts.
This is a nice definition of zero trust, and by this definition a perimeter firewall is a valid zero trust device.
Before the firewall it's untrusted; after the firewall it's trusted. But still, a perimeter-based firewall defense is not considered zero trust.
And the reason is there's a lot of trust happening between the enforcement point and the resource.
And that's a problem: if an intruder is inside, they can access the resource and skip the check, and that's the issue with
firewalls being a zero trust device. The other part is policy: who writes the policy for the firewall to make it least privilege? So writing policy has always been the hard part when people try to practice zero trust. It's all about who gets to write the policy.
In terms of what needs to change: we have always relied on perimeter defenses, not just on-prem but even on cloud. We talk of VPC, virtual private cloud; you're relying on that being a
shell with a hard exterior and a soft interior. Inside is pretty much open. Even Kubernetes, it is hard exterior, soft interior.
That needs to change. Implied trust within the VPC has to be replaced with continuous verification, IAM-based trust. You can't authenticate once and then let it access forever, right? You have to authenticate every time.
It's a strategic reading: you have to assume breach. Zero trust
means you assume breach and still be resilient, be able to defend against that. It means that you assume that inside your VPC there is some bad element.
The speaker before me was talking about supply chain attacks and SolarWinds. You have to assume the SolarWinds is inside, and can you still be resilient with
that in mind? You have to prioritize your security inside out, every app on its own, so every app becomes self-defending, because another check has moved from the perimeter to the app itself.
So you're able to create a firewall function close to the app, and that is why it becomes self-defending. You move zero trust right at the resource.
Zero trust, again, is so popular it has been applied to multiple dimensions, and this being a
meetup, I want to highlight that app is actually the centerpiece. This is a Microsoft slide; it has seven pillars for zero trust. Identity, that's your Okta. I put a representative vendor to
make it easier to understand what each pillar means, right? So we talked about endpoint: it's about EDR, EDR, the CrowdStrike, Microsoft sit there. Apps, we have a play there. For network it's your micro-segmentation; you can use these to segment your networks, and there is some
network segmentation from a VPN point of view, as these players.
In terms of infrastructure, you can have zero trust for your VM environments or network, and VMware is a player in that infrastructure space. But again, the point is that it's not
so confusing and so complicated; it's actually much easier than that. And this is the main takeaway from this presentation: if you do end-to-end zero trust,
the rest of it dissolves; they don't matter as much. What it means is, when the Internet started,
all the layers were insecure, and then you had MACsec for layer two, IPsec for layer three, SSL for layer four. But when you have app-to-app security,
you don't need the hop-by-hop. You don't need to secure the wire, secure the electrons and protons. End to end is what matters when you have app-to-app.
It obviates the need for infrastructure, network and endpoint zero trust. When you go end to end, the guys in the middle don't matter.
If you love your data you secure apps. If you really love your data you won't put your data at your doorstep.
You encapsulate it, hide it behind an application, and that is why app is the centerpiece, not just for all the other seven layers but even for data: encapsulate it, don't expose it to the Internet.
Users are a different beast; they are authenticated very differently. You have MFA for users, but apps have no MFA, so what they use is API secrets, which are basically a euphemism for a password.
Using a secret to authenticate applications is very weak, as weak as a password.
Passwords get stolen, they get harvested, they get distributed, they get duplicated, so that's a very bad place for applications to be.
Users have upgraded, so the rest of it we can handle as app. So even the previous slide was confusing; the essence of it is captured by app, and that is why this is a good place to think about how to bring zero trust elements to application security.
So this is another slide I made, which was a Maslow's hierarchy of security needs. It's a triangle; you start with protecting your crown jewels, the President, your zero trust, your
things that matter. If you do that well, you're good; you can go to sleep, you can have a good night's sleep.
The fact is, you make mistakes. You have to have defense in depth; you have to assume things will go wrong, and that is why you go after vulnerabilities. You want to make sure that
even if I have left some door open, I'm not vulnerable. Hunting around vulnerabilities and trying to fix all of them, that's what AppSec is about: you go around finding vulnerabilities and fixing them.
The trick is you can't stop there. In spite of all that effort, it's very overwhelming to fix vulnerabilities; you still have to assume they sneak in.
So what do you do when they sneak in? Traditional controls, current controls, they're doing some machine learning to detect threats, and it's very noisy, it's very...
It's causing fatigue. In terms of vulnerabilities, that's also causing fatigue, and the reason it causes fatigue is there's so much more limited... with third-party
dependencies, first party, there's so much going on; there's too much noise there.
So what we propose is: if you do IAM for apps, least privilege, and do it well, it can actually solve all your pillars. If you do IAM for apps you're protecting your crown jewels; it's zero trust. If you do your IAM for apps,
you don't have to worry about vulnerability, and that's the main part of the presentation. If you actually do IAM for apps, it becomes resilient patching.
And what that means is your apps might be vulnerable, but it's not exploitable. You don't have to go start using... for apps you can actually...
I'm not suggesting don't patch your apps; you should absolutely patch your apps, but don't let every Log4j become a fire drill for you.
Your time, because your apps are not exploitable. That's the power of zero trust.
And if you do it well, you can't fix... because in a zero trust environment threats are locked out by design; they have no privileges.
Privileges are assigned to identities, and threats, by being foreign elements in your environment, have no privileges. So it captures all the three aspects of our security, and it's one place where you can actually get a lot of goodness all over the place.
So this is how they're consuming cloud today. It goes from IaaS to PaaS to SaaS. IaaS, obviously, you're renting the whole VM running on Kubernetes clusters.
In the PaaS case you are running Lambda functions. In the SaaS case you're consuming APIs; it could be a Salesforce thing through a browser, or it could be S3. S3 is SaaS; you're consuming APIs.
But the minimum dose is IAM. Even for SaaS, someone else is writing the application, they patch it, they maintain it, but as a consumer of cloud you still have to do IAM, and IAM has the language of zero trust. So the buck stops with IAM, even for SaaS where someone else is writing it all.
What the cloud provider has done: they've given you IAM, and IAM is protecting the cloud provider's resource. Whenever your apps access it, it will give you some
passwordless mechanisms to do that. Amazon has a way to do role-based access to their RDS, and that's a great place to be. But what if I have my own database? What if I have a third-party database?
The cloud provider does not protect you there, so you have to rely on security groups, network controls; the abstraction drops down. So IAM has a modern abstraction of zero trust; the moment you steer away from that, it drops down.
Instead, if you move the IAM functionality towards the app, then every app has its mTLS authorization engine built into it.
You get all the links; it doesn't matter if it's a cloud resource, a third-party resource, your own resource or ransomware. You can check all the links consistently. That's the power of bringing your own controls to any cloud in a consistent way; you can get application security.
So, going back to the issue of cloud, we are.
very vulnerable we are as vulnerable as ever before, because there’s so many things that can go wrong with cloud the scale and piece of cloud.
There is configuration problems that can happen with all the dependency and supply chain attacks the input resulting inside, there is no.
You can’t take solace in that your perimeter control vpc controls the guys already sitting inside and thirdly you’re vulnerable applications your web APP is vulnerable someone can attack and punishes you put their code inside launch something there and cause problems.
So the theme or the point of the presentation is that we are very vulnerable.
But the thinking needs to move beyond vulnerability exploit ability, I can be vulnerable, but let me be resilient the opposite of vulnerable is resilient if you’re.
If you’re vulnerable your week be resilient how to be resilient by making sure, even if you’re weak you don’t fall down even if you are vulnerable you don’t get exploited and that’s what zero test lets you do.
This is a framework of how you become resilient and this is also how we have managed covert as a society.
The first step is identify identify the vulnerable population, the diabetic people that.
People go vaccinate them step number to protect them vaccinate them you can’t vaccinate everyone.
Like zero trust you have to vaccinate the president of the important people you have test centers for the rest of the population, once you find them you quarantine them release them.
disappear managed Cooper and that’s what become resilient as a society, but this is how nist wants you to do cybersecurity is this cybersecurity framework.
Unfortunate truth is it doesn’t work, because we have become very reactive.
yeah very become very reactive, because this will detect respond recover is a reactive thing you’re not proactively say, if you have not put productive controls to get to zero trust.
If it takes 27 days to detect problems if you have a test 600 days to come back you’re either dead or you don’t care.
And that is why the cycle doesn’t work it’s a great resilience cycle doesn’t work.
You go back to identify and protect even that is reactive you’re catching vulnerabilities that identify is reactive when someone disposable liberty, you can patch it.
What happened between disclosure and patching the 60 days according to sneak to patch a single.
thing you might be faster 66666 minutes, what happened to six minutes was breached, or something happened so that level of continuous authorization is still missing in a reactive approach.
And this can be changed by taking a more proactive stance to application security.
What we say here is, you have a continuous authorization Indian alongside your application.
So once your Apps are protected, to identify again you can’t lock everything down, but you can have this pending authorization running in monitoring mode, but every application.
and continuously it is guarding what every APP does your proactive.
When certain events happened I didn’t have a signature for it, but not for to happen, I didn’t have a signature for it, it will still respond in real time.
Because I would see a new activity which i’ve never seen before it cuts the noise out of threats it cuts, the thing about policy and gives you a clean picture here and that’s how we become proactively resilient.
You don’t take hundred days to detect some problems it’s happening in real time and seriously every Apps every activity is being authorized.
This is how we traditionally handled application vulnerabilities and i’m calling it physical patching it takes time, you have to.
Re compile you have to retest you have to make sure, nothing is broken sometimes you can’t even patch it’s not compatible the compatible patch is not available so patching is not always an option.
So people have known about it, and they have proposed virtual patching is a solution, so the overall Foundation has a big pitch on virtual patching.
It says, this is a legitimate way, make sure you have some compensating controls for the time it takes to patch the problem with, that is, that is also very reactive nature.
The virtual patching is doing content filtering that’s a technology use, you need to get signatures from somewhere would do the portal patch so still a gap between your top and the lip.
What happened between that time you don’t know it’s blacklist base every time some bad thing happens you get a signature and that signature can have problems, the malware can.
Only do polymorphous transformations to beat her signature see are not always protected, but with iam for Apps.
Signature free it’s proactive I don’t care what the vulnerability was if it does, new activity, it goes to some foreign state, I was captured it will capture every activity for every APP I am identity based.
Access if any access is made it gets long and that logging makes a big difference it’s.
it’s not just gets logged it can be enforced, and when you enforce that it’ll never go outside it might be vulnerable some foreign nation might have planted some code in your supply chain it never bought it you get blocked because you’re proactively enforced it.
And that is why, if you’re resilient pack your stuff your Apps i’m not exploitable they won’t talk to strangers, because our firewall at the edge that evaluates every access.
It won’t talk outside it won’t have any backdoor problems because I don’t let it go outside it taught misbehave under the influence of an attacker so that’s the power of resilient patching it is proactive.
versus virtual patching which still has to wait for a signature those signatures can be changed in this case it’s proactive you’re done once you put this technology in place you’ll never miss anything forever.
So identity has been a key driver of how we have made progress, and like I said, for users we have gone past VPN; we are doing ZTNA today.
We have gone past passwords; we're doing MFA today. Unfortunately, digital identities are still living in the dark ages of passwords.
So there was an attempt made by the networking industry, with network micro-segmentation in the name of zero trust, to make least privilege, to make sure you can contain a
threat, right. It didn't work very well, because your identities were network based.
You have network-layer, not layer-seven, identities; they keep churning in cloud, they keep changing, your policy keeps changing.
And that is why you get alerts for all sorts of problems; it does not stabilize for years and is not giving you value.
What we propose in IAM for Apps is identity focus. If you give every app a continuous identity, it doesn't change, it's stable; you can discover it in dev and use it in prod.
It doesn't change on every deployment, and that solves your policy churn. That's also alert churn; our alerts are not churning, things have stabilized. And that is the power of IAM for Apps and identity focus, which is taking it away from networking and giving you IAM for applications.
So this kind of resilient patching also gives you defense in depth. Old-style web apps were monolithic; modern apps are more
microservice based, so one big fat app has become 20 microservices. If one microservice gets compromised, it doesn't put everyone else at risk.
It creates a natural defense in depth, because to hop to another microservice it will get logged; the intruder gets locked at source.
It doesn't have the ability to move beyond the first microservice. That is why it's restoring defense in depth. In today's modern Kubernetes cloud world it's a flat network.
Inside the VPC it's flat; everyone sees everyone. Inside Kubernetes every pod sees every other pod, so if one pod gets compromised every other pod is at risk.
With this style of resilient patching every app can be patched; every app becomes a boundary that needs to be crossed.
And that is bringing back defense in depth. Your data is tucked away; you still have to jump through some hoops to get your data, and that is lost in this cloud world. We used to have this three-tier architecture, old school; it's gone, it's lost now.
So we talked about resilient patching and zero trust, but it still doesn't come together as to how something like resilient patching would help make an app not exploitable. So we took a real example here; the example is of
Log4j.
So you might have heard of Log4j, but with this continuous authorization, continuous verification, you see a very different view of what Log4j looks like.
Yeah, please.
I think the audio is not coming out properly, and I'll walk you through it when it happens.
So Log4j is very scary.
Also, a dog-bone here depicting the container and the process, with the vulnerability tagged on the container; I can see the Log4j vulnerability there. Let me replay it from the beginning; if I change the view to application...
And as we started.
In the last video we saw how CVE-2021-44228, also known as Log4j, can be easily exploited to gain a foothold into any environment. Pretty scary.
Now we will take a look at how the concept of resilient patching can be applied to prevent this class of attack. So
Log4j is pretty scary: from the bottom-right machine, any machine, the curl command can hit any Java process and get a backdoor on it. The top-right thing is a Java screen.
The bottom right is the attacker machine; what we're doing here is hosting a malicious app server.
So the Java guy will go to the app server, download some bad code, establish a backdoor to the left-hand side and get a shell over there. So we showed the attack in a previous video; here we are showing the mitigation and we are showing what the attack looks like.
Now coming back to the earlier one, this is how the app looks in normal operations: ingress coming in to each of the Java and sshd processes and no egress connection.
There is also a dog-bone here depicting the container and the process, with the vulnerability tagged on the container; I can see the Log4j vulnerability there.
If this is what we're tracing in terms of identity and access without enforcing anything, it will let the attack go through, exactly how it happened.
Unknown Speaker
If I change the view to the application plane, I can get a stable view of what happened here. I see my personal laptop IP connected to the front end and then a connection going to LDAP.
Unknown Speaker
After that you can see a connection going to GitHub to download socat, which will be used to execute the reverse shell.
Unknown Speaker
Since these are unexpected behaviours for the app, they get flagged as red lines, or alerts. If I go to the alert page, I can see a list of alerts, which are sent to the SecOps team.
Unknown Speaker
Now coming to remediation: unlike other tools, Araali can immediately protect vulnerable processes with resilient patching.
US – Frog Field
I can select the right connection for the container and turn on resilient patching on the vulnerable app.
In this case, only ingress is allowed and no egress, which means that the connection to the LDAP server is effectively locked out.
Let's go back to the terminal and run the command. This time I get nothing, no response; there is not much I can do as an attacker.
With Araali you can both detect as well as remediate the Log4j class of vulnerability while your team upgrades all the impacted applications.
If this sounds interesting, go to Araali for a free... The main theme here was it was signature-less; there was no signature needed to detect Log4j.
You were still vulnerable, still vulnerable to some attack coming in through a curl command, but you're not exploitable; it could not go out to a malicious LDAP server and
create a backdoor. So, in spite of having no signatures, you were proactively protected, you're not exploitable. That was the theme of this.
And again, a lot of people do scanning and tell you you have Log4j; very few people give you mitigation against it. And zero trust has the power, it has the power to hold things to least privilege,
and without signatures prevent bad things from happening. So you're vulnerable, but it's not exploitable.
And the beauty of the platform is it's very easy to install. So once you've installed Araali on your Kubernetes cluster it automatically detects all these behaviors; it's ready to apply the patch, the patches are all pre-discovered for you.
So if you had to write this policy by hand it's hard. The benefit is zero trust is good;
no one uses it, and no one uses it because it's too hard to write these policies. The power is in the discovery: it's discovered for you, you apply a patch, you're protected for life. So whereas
there are XDR platforms to detect something and respond, this is patch once, prevent forever. Once you've patched something,
you can take your time. Again, I'm not suggesting don't patch your applications; absolutely do that, but let not every one of those things become a fire drill.
And that's what the power of resiliency is. So when people think about making their web apps or applications resilient, zero trust is a tool
that is coming from infrastructure into the hands of application developers. Now they have the power to publish
policy as code. So this is my zero trust policy, this is what my app does, and you can publish it as code, and your app and policies go together. So the app is becoming the center of activity in the world going forward, and even
SecOps is going to be an app function, even policies. Traditionally these kinds of controls have lived in infrastructure.
We are trying to make it app centric, so now AppSecOps: you're seeing what your app does, what its supply chain does, even if you have
multiple layers of supply chain. It's your responsibility; it's running in your premises, you have to know what it does. We'll give you visibility into what you have done; if someone is hiding something in your app, you will know.
You will never live in the blind; proactively, always, never miss anything. And that's the power of this style of thinking. It's a tool to start making your apps resilient and sleep well at night.
Yeah, so apologies, it was not in this presentation. Yes, we had a discussion when he started,
and I said I'm talking zero trust, and the question was, is it about apps? And there is nothing in between; it's all about apps.
So how do you incorporate zero trust principles in the way we write apps? The main theme is policy as code: you can create
zero trust policy as code for your apps. Even though your apps have transitive dependencies, you can control what they do, and you can take charge of what to do. Yes.
If you think about ransomware, malware... yeah, the question was what do we mean by apps. So when we talk about ransomware and malware, they're not users; it's malicious code sitting in your premises, it's not a user.
Well, there are two elements in this presentation, right, and zero trust is helping both of them.
It's making your app self-defending: the firewall function that used to run at the perimeter is running at your app. So if you need to talk to five other microservices, that becomes policy.
Only authorized entities can talk to your app; even if you're vulnerable, an intruder cannot talk to you. Even if you're vulnerable, no one can hear.
Legitimate apps have no incentive to exploit you, right? So it's creating that zero trust for your self-defending app, because I have a firewall function sitting next to my app, protecting my app. That's an aspect of it.
Malware is also an app in some ways: it's malicious code. Malware, ransomware is code, it's not a user, and that code also needs my permission to do anything.
And, by definition, it has zero privileges; it's an illegitimate app. If you create good governance for your citizens, it's very easy to find intruders in your environment.
It's a way. So again, the two ways to find threats: one is by looking for bad behavior. I know that a bad guy, say a black hat, ...
that's bad behavior, right. But the other way is I know my good guys, I've got a picture of them; anything that doesn't match these good guys, that's a violation, that approach is bad.
And that is why zero trust, good governance for good apps, is also letting you do
jailing of bad guys. They are jailed at birth, at source, wherever they are; they can't do anything, that contains that source.
And the policy applies to both legitimate apps and illegitimate apps; the illegitimate apps are your threats, and if all the legitimate guys do their job and do the zero trust policies, by definition, the bad guys have no privilege.
So if every developer, if every app had this protection, it locks out the bad guys.
That's a good question. So the question is, I had some mention of XDR, and
yeah, so I talked about it here; the question is, do I still need an XDR with this? What is the thing, right: the one slide I showed up front was the Maslow's hierarchy of security needs.
It starts with controls, IAM, goes to vulnerability management and finally threat management. If you do your zero trust you don't need anything, you're done, but it's not a perfect world; everyone lives in threat management, you don't want to, but well, there will be threats, manage them, right.
What is the XDR doing? XDR by some definition is EDR plus NDR: they have a lot of context from endpoint, a lot of context from network; marry them together and it becomes XDR.
What they're doing is throwing all those metrics or telemetry into a security data lake and then churning it; it would give you real-time detection, right.
What we are doing is at source: we are stitching endpoint context, identity and network context and achieving the same results.
So the reason you combine endpoint and network gives you power is because network is visible behavior; if you air-gap something it's safe, it's very safe.
If you are an intruder you're still seeing the network; the network plus endpoint context gives you that magic, and yes, you can eliminate XDR; you don't need those guys, they're reactive.
How do you deal with DDoS? So the question is how do we deal with DDoS, right. So DDoS is, if a malicious guy is putting a lot of
heavy traffic towards you, how to deal with it. In my view that protection should come from the cloud provider; when Amazon has a DDoS guard,
absolutely use it. And the reason you want to use it is if I'm providing a service, scaling up, getting Amazon for it,
Amazon is doing it for you; they will take care of it. I have not had to scale to defend against DDoS; that's a function that is not applicable to you; you have to contain it in
infrastructure at the Amazon layer, because you don't want to scale and then protect against it. Let Amazon do it; you're not charged for the scale. If I had to do it,
we're getting charged for scaling and being able to handle it, and that is why DDoS does not belong in the app tier; it's an infrastructure thing. Let them handle it; their infrastructure is what they own, Amazon, and let them handle it.
So again, great question: what is happening under the covers and what is novel about it. Let me rephrase it in a way that I will answer your question indirectly, so
the abstractions for network security have not changed. It's called an ACL in Cisco speak, it's called a firewall; the fundamentals of five-tuple, or iptables on Linux:
IP, port, IP, port, protocol. I cannot express these policies in iptables, I cannot. I would have loved to use iptables. I have built a purpose-
built firewall using eBPF; eBPF is a modern mechanism that allows you to write just-in-time kernel code,
and using that you can create fancy abstractions. So we have created a firewall-like abstraction with the grammar of zero trust, identity and privileges.
You cannot even express a DNS-based policy in a firewall, in traditional Linux iptables; you cannot say I can talk to you, you have to convert it to IP and port, five-tuple, that's all the abstraction gives you.
eBPF is giving us a much nicer abstraction, an identity abstraction, and at the eBPF layer I'm not tracking the network; I'm tracking the syscalls, who's doing connect, who's doing accept.
Under the covers, that's what I'm doing: I'm tracing who's doing connects and accepts, which identity, workload identity, which process,
and then seeing who can talk to whom. There's nothing networking about it: this process can talk to that process, whatever the network IP is.
But to get you the enforcement I do use networking, so I air-gap the bad guy, and that air-gap thing is through network controls.
I could have chosen to kill the process but I'm not doing it, because network is known to be a good way to quarantine stuff.
I'm doing a network quarantine, but my policy is identity level, not network level; I'm not doing five-tuple at all.
I'm doing which process can talk to which process; it's a totally different paradigm, it did not exist, we built it from scratch, from the ground up, every layer of it. I'm not using any iptables to implement this; in fact my policies are inexpressible in iptables.
Again, yes, I'm an agent, but my agent is a control-plane entity that installs an eBPF program.
My data plane sits in the Linux kernel; it's performance efficient; it is not bouncing a packet into a sidecar and all of that going on.
Yes, it's an agent from a programming perspective, a control perspective, but it's not an agent from a data perspective; the data path is incredibly performance-efficient, low overhead, all of that.
Hey, I personally did not want to make it an Araali pitch; it was more about trying to infuse some zero trust ideas into how we think about app development, right. So far we have
been chasing vulnerabilities; it's a never-ending battle. People think I will be resilient when I've covered my bases.
Fact is, you'll never cover your bases; you'll never become a hundred percent non-vulnerable. You have to think up front, so this whole
problem, right: if I say I will do detection when I've covered everyone, right, that's a bad practice. You need resiliency when you're most vulnerable; you need direct response when most vulnerable.
So you're seeing that I'm trying to infuse the thinking that zero trust is something to think about, and don't try to spend time chasing vulnerabilities. I did not go into my solution because that was not the object of the presentation.
Yeah, so IAM is something that the cloud providers created, and they're very forward thinking in that approach.
Amazon, by default, is deny unless you create an explicit policy. What is zero trust? Explicit policies, default deny; that's cloud,
that's how cloud operates: if you don't have a rule to come in, it's blocked out by default.
They give you IAM, but writing policy was the hard part; now you have to go and write it, it's a mess, it's a PhD to write IAM policies.
This is very different: you just install the software, it learns, it tells you this is your policy.
We accept it; you're approving policies, there is no policy to write. But still, people want their source of truth to be git, because it is a
developer favorite tool for version control, all those things, right. We allow our policies to be downloaded as YAML; you don't have to write it, we will write it for you.
Download it, put it in git, it goes through git review; immutable policy as code. So now the zero trust policies are
as code. Someone is asking how does the SBOM travel, right? This literally travels with the code; you'll get it in the code, the code gets deployed, this policy gets orchestrated.
It comes with your Kubernetes YAML; it's kind of a CRD in a lot of ways, right. The policy is downloadable; you can put it in git, it goes through git review.
The difference is in the IAM world the policy writing is still very complicated; when I come with batteries included, policies are given to you.
Yeah, beautiful question. So this is, we still have IAM to define your roles, right, and you say I created a service account and the service account allows me to access DynamoDB.
And you can use a service account from Google. The problem is a service account is nothing but a password; it gets into GitHub, it gets stolen; now you are converting an access management problem to a secrets management problem.
With Araali kind of technology, you can take your IAM to any cloud, and I will federate identity across clouds for you, because these identities
I manage independent of you. You still have to do IAM, but put your password on the Internet, because they won't matter anymore; that IAM only defines
that if my app has access to this S3, this S3 better belong to my organization; there's nothing secret about it. I'm defining a resource in my Amazon AWS or Google or
whatever they call it, and that is defining that my resource has this description, this org, this bucket.
But the policy of who gets access is passwordless, because I don't let anyone go, even if they have a password, even an intruder inside.
Let's take another example with IAM. So in IAM you have given a role to your VM, your Lambda; there is a very classic Lambda case, but fundamentally you have given the role to the VM.
Your app gets compromised, and an intruder is on the box; he gets the same role, and that's the problem with network-based control: anyone that assumes that same IP address,
whoever sits on it, gets the same privilege. Not with this technology, because you're actually authenticating app identity and then giving privileges based on that, on the Lambda.
I know some background, yes; there was a question on this, we have an answer. Also, sorry for me, so Lambda: I have a problem with Salesforce, right. So Salesforce is saying, hey...
I have a friend, he said, John, in Salesforce we have hired FBI guys, very safe, I don't worry about security.
And I said, is your app vulnerable, can it be exploited? And yes. And should it get exploited, can someone launch a process, launch a backdoor?
Or do you detect it? Don't know. What these cloud providers have made a shared responsibility: what they're indirectly telling you is your apps better be not vulnerable; if you're vulnerable, you're on your own, shared responsibility, not my problem, Salesforce doesn't care. Yeah, they're
multi-tenant, so you've got an instance compromised, and an attacker in your Lambda can do whatever they want without
you doing anything, but they've taken a foothold there, and the other tenants are not affected, Salesforce is not affected, but you as a customer are affected.
Here you're running in an untrusted environment; how do you solve that problem? So we have some ideas, but we have not solved Lambda.
It's a tricky problem, because in the name of sharing and caring, it is no man's land.
And that guy doesn't care, because it's multi-tenant; the other tenants are not affected, but you are affected. You're running code in somebody else's environment where they have not given you proper controls, and they're asking you to do shared responsibility. Perfect, good.
Thank you for coming. Sorry for the network issues; we have some work to do on our Internet. Thank you for coming and allowing us to host.