Quick Wins and Low Hanging Fruit @ DevOps Türkiye (Istanbul) Community Meetup

July 7, 2020

< 1 min read

DevSecOps: Quick Wins and Low Hanging Fruit
These days Software Development is reliant on multiple dependencies (ie… Kubernetes, Operating System Layer, Java App etc..) Building one logical point for all dependency vulnerability scanning is something you can easily institute.
In this lightning talk we will:
• Show you a tool you can freely access to create a single point for dependency scanning before you build your proof of concept.
• show you how to access free vulnerability scanning access using X-Ray for fast, easy, and accurate results

View Slides Here

Speakers

Sven Ruppert

    Sven Ruppert

    Developer Advocate

    Sven is working as Developer Advocate for Jfrog and coding Java since 1996 in industrial projects. He was working over 15 years as a consultant worldwide in industries like Automotive, Space, Insurance, Banking, UN and WorldBank. He is regularly speaking at Conferences and Meetups worldwide and contributes to IT periodicals, as well as tech portals. Additional to his main topic DevSecOps he is working on Mutation Testing of Web apps and Distributed UnitTesting besides his evergreen topics Core Java and Kotlin.

    Video Transcript

    hi everyone
    good evening
    let us wait for a couple of
    seconds
    so i think we can start um hybrid
    everybody um sorry for delay by the way
    because there was a problem on the uh
    leaf uh the arranging the exact time so
    uh sven here uh with us and he is
    developer advocate from jfrog company
    you know it is very famous uh company
    uh known by the developers and he will
    talk about their second topics so
    sven it’s yours
    okay so hello from germany i hope you
    all are doing well
    um i assume you can hear me if you can
    see my slides
    i haven’t checked them on youtube at the
    same time so i don’t know but if you
    have any questions i will try to have an
    eye on the chat so if you have any
    questions with that i may
    try to answer this one otherwise there
    are several things or ways to reach me
    so
    let’s
    talk a little bit about the topic we are
    talking about the low-hanging fruits
    here the low-hanging fruits of the
    sagubs and um yeah assuming the audience
    has a lot of knowledge about devops i’m
    not sure who have you already played
    around with the security topic so
    the questions i want to answer through
    today is what are the low hanging fruit
    so what’s a quick wins means you’re
    having devops environment and you’re
    going to start with the security topic
    so what are the possibilities what is
    the best way to start with is what are
    the quick wins means the easiest way to
    start with most impact and this is
    addressing everybody who wants to start
    with the security part and
    um yeah we’ll find a way to
    get first
    things up and running so
    okay then
    my name is van robert i’m the developer
    advocate for jfrog and i’m based in
    germany and since covert i’m mostly
    running
    in the woods round and instead of going
    to conferences i’m just
    recording a lot of stuff and pushing it
    to youtube and if you like to see job
    related stuff or
    security related stuff devops
    or dev segments related stuff have a
    look at my youtube channels i have to
    i’ve
    won the german one for sure i’m a german
    native speaker so that’s one thing but i
    have an english one as well so just
    search for my name in english or just my
    name then you will find it and i really
    would like to have you as my new
    subscriber so if you like the outdoor
    style perfect and if you just want to
    see watch crafting so nothing about
    technology check out my private channel
    about auto skills okay so
    you can win the jay frog shirts
    if you are
    live attendee here at this um streaming
    and if you are one of the first 15 so
    go to jfrog.com show notes they will
    find corresponding to this event
    the possibility to run roughly here to
    jetroc.com istanbul t-shirt and the
    first 15 will win should so
    try to grab one of them
    so
    what we’re talking about
    security for sure and i’m using cloud
    native as an excuse but everything what
    i’m saying is not only bound to cloud
    native cloud native is just one way to
    look at an architecture and it shows or
    highlights a few things that are coming
    out more and more but
    if you’re in a traditional organization
    with monolith or whatever you can adopt
    all this stuff what i’m saying in the
    same way don’t worry
    if you’re looking at this cloud native
    or if you’re looking at the general
    topic of of these applications we have
    different layers and you have different
    possibilities that
    source code or that and then
    program can help you so and
    we we have to think a little bit more
    about what what are the different
    players where is the best place to start
    for example if you have this micro
    service or service oriented architecture
    or whatever then
    if you want to map a bunch of use cases
    for example to a bunch of microservice
    there is no tool that will say oh use
    case a and b fits perfectly to this
    micro service and this use case is a
    separate use case microservice and so on
    or function or whatever
    so if you want to divide your use cases
    in several parts
    there’s a machine that will do the job
    for you you have to do it as a human so
    you as a human has to decide okay i want
    to distribute use cases and this is a
    good way thinking about security
    yeah what is the best
    composition of use cases in terms of
    business security or making the
    information
    central at one place or sharing
    information this is something the
    machine is not able to help you so you
    really have to think about
    the service oriented architecture for
    example here
    and what is holding which part
    if you’re going a little bit more to the
    communication itself so you have now two
    services and you decided what is going
    on the wire the machine is not good in
    telling you oh it makes sense to use
    this three bits of information to send
    it over the wire and then your business
    is safe and the security is not or the
    tools is not able to to
    help you to make a business case secure
    in terms of it couldn’t be misused or it
    couldn’t be compromised on the
    business level so
    the communication between two services
    this is a different thing and here’s a
    computer author the program can help you
    more the i.t
    because the tools can start encrypting
    channels can deal with different keys
    and all that stuff so it’s a
    not the content but the way how to
    exchange communication is something you
    can um yes secure on a technical layer a
    little bit more what you’re learning
    from this one is
    if you’re talking about security you
    have to divide it in different parts
    concepts and all this stuff and
    technical or technically related stuff
    and if you are going to this technical
    layer more and more you will see that
    the programs in the tools and all that
    stuff is more powerful to support you
    going down to the container-based
    infrastructure
    dealing with resilience and and
    against in our service attacks and and
    breaking through this architecture in
    terms of getting user access in the
    operating system all that stuff it’s way
    stronger the tools because they are
    just technical things and not this
    business related stuff i think you got
    the point but security is really really
    strong inside the devs segues
    environment and this is where jfrog is
    focusing on the dev sega
    part and the on the container-based
    infrastructure so delivering to a
    container-based infrastructure or
    delivering to production systems but if
    you want to start with security um
    the really easiest part is if you’re
    starting inside your development
    environment or during the time you are
    creating your binaries so this um what
    what is a good and the bad part for this
    microsoft stuff so for all
    uh we have with microsoft shorter
    uh life cycles
    or release cycles means that
    you’re writing something you can put it
    to production okay this microsoft is not
    nice it is something bad and then you
    can just throw it away and rewrite it
    it’s good in terms of getting rid of old
    technology but it’s bad in the same way
    because if you’re changing technology
    maybe you are not sustainer anymore but
    who you are in the other one so for
    example for me
    i’m since ages in java since really ages
    in general i never learned go means if
    i’m
    if i’m now writing a microservice in go
    it’s fun for me for sure i will learn a
    lot of stuff but i’m a junior again so
    not in terms of the language this is not
    exactly what i’m meaning but it’s a
    whole ecosystem so what are the best
    tracks with compiler what are the good
    libraries who’s what’s the trustable
    community inside the go community what
    are the good reference and so on and so
    on so you have to learn all this stuff
    again even if you’re a really
    old senior in one language you will
    learn very fast but you will do a lot of
    this beginner mistakes anyway so
    it means that um
    having the possibility to
    go was the time to to fast adapt to new
    technologies in the same way it’s
    dangerous because you have to re-learn a
    lot of stuff in this field
    [Music]
    thinking about micro services functions
    cloud native whatever
    what you can see in the composition of
    use cases is that we are going more more
    to polyglot environments but polyglot
    environments leading to polyglot attack
    vectors means that if you have different
    technologies and you are connecting
    different technologies you have
    different ways to attack your system and
    not only based on one technology but on
    multiple technologies and the attack
    vector could be
    quite um complex and this is not easy to
    understand so you need tools that are
    able to deal with a whole package not
    only one stack not only one micro
    service now the whole impact graph of
    the whole architecture so and political
    environment sometimes even inside and
    micro service itself and so thinking
    about for example this open source tool
    vadim budin is from finnish company and
    they build this you’re writing a java
    your code and it’s
    translating it to honor translating it’s
    building a
    web app based on web components
    but you have written it down in java so
    it’s not transparent it’s just
    connecting two things it’s connecting
    java with the npm stack and then you
    have html5 you have javascript and the
    npm sake and all this stuff so the
    developer will quit in java but in the
    end you have a stack that relies on the
    live cycle java on the live cycle npm
    the whole dependency management there
    the whole um vulnerability and
    compliance issues that you can have here
    and so on and so on so polyglot
    environments are sometimes even inside
    one micro source
    but
    throwing everything away what you see
    around this different microservice model
    is whatever focus on one single part so
    we’re focusing now on one single
    application if you’re focusing on one
    single application
    with every abstraction layer you’re
    adding you’re adding more complexity
    different technologies and so on
    so if you have the application and there
    are vulnerabilities in and you let it
    run inside linux or an operating system
    before you
    use a virtualization technique like
    docker or whatever means that with every
    layer you’re wrapping around the
    vulnerabilities in the previous layer is
    still there
    and
    it could be used
    direct or indirectly but the
    vulnerabilities are there so it means
    with every new layer you’re just adding
    vulnerabilities even if you’re adding
    zero vulnerabilities but you’re never
    removing vulnerabilities and this is one
    thing that you should be aware always
    that with every new wrapper around
    you’re just adding vulnerabilities per
    definition and the same with compliance
    issues so talking about security means
    that we are not only talking about
    vulnerabilities and how to hack your
    system and all that stuff it’s fancy
    sure but on the other side the
    compliance part is important as well
    because the wrong license or the right
    license it’s wrong place in your
    whole production line can be a huge
    damage to your whole organization or can
    kill the project or even the company so
    security means security in terms of
    being
    yeah able to
    defend against and attacks in the same
    way as make your business secure in
    terms of compliance issues
    and here again you have two layers you
    have the domain specific part so tools
    are not good in making your domain
    specific thing secure so can i misuse
    this text rule to do something weird but
    on the other side it’s a technical thing
    can i prevent against or can i defend
    against sql injections
    this is something that technology
    is good so even here you have two
    dimensional thing it means one thing is
    a domain specific thing this must be
    done by humans for sure there is no
    really good tool
    on the other side the technical thing
    tools can support you
    enormously so
    but the most the most project people
    developer whatever you want to say
    they’re forgetting one thing and this is
    a whole devops
    tool stack
    um for this just a short side note
    you all heard more or less about the
    solo insect
    what happened here um the company
    solarwinds they have 300 000 customers
    and they have a product and this product
    is managing networks okay so
    um this means the software orion
    platform is the name um will be
    installed somewhere in the network and
    is able to do a lot of stuff with admin
    rights monitor
    things reconfigure things and so on
    and
    if you have 300 000 customers
    most likely the most customers are
    customers with huge networks not just
    tiny networks because then you’re not
    buying this management software right so
    what what happened
    there was a hacker group
    they broke in through into the system
    from solarwinds and the target was not
    to compromise binary or to steal data or
    to
    destroy something so no this was not the
    type what they have in mind is or what
    they had in mind is that they
    broke into the ci environment of this
    company
    and they insert the ci environment they
    manipulated the ci environment so that
    with every release built
    they start building compromised binaries
    by themselves so they just provided
    internally and it was a little bit
    hidden there’s boundaries they wanted to
    add inside the ci environment one of the
    last steps was just grabbing this binary
    and adding it to the program
    okay and then they had an automatic
    update so they built a huge release it
    was already compromised binary then they
    offered it via an automatic update to
    all of their 300 000 customers and in a
    few days they infected over 15 or 20 000
    networks
    not servers networks because
    huge companies with huge networks are
    using this
    software
    and this was more or less a disaster so
    the attack was not against the final
    target the attack was against the supply
    chain this is something we should be
    aware as a developer so we are now the
    targets and with this we have two
    dimensions now we have two dimensions
    and this means uh the first one is that
    um i need
    or i have to make sure that i’m not
    compromising
    uh i’m not using compromise stuff
    on the other side
    i have to make sure that i’m not pushing
    compromise stuff out so that i’m not a
    multiplicator so we have now two attack
    vectors against ourselves a pro um
    protecting ourselves and protecting our
    customers or consumers of all software
    even if it is inside the company no it’s
    the next department
    so uh yeah so uh the first question to
    you is any one of you ever checked uh
    for example the
    jenkins against non-vulnerabilities
    who have you protected your compiler and
    all this stuff so you have to make sure
    that the whole supply chain you have
    must be
    secured
    and this against non-vulnerabilities and
    compliance issues but
    non-vulnerabilities is here it’s a big
    part
    there’s a term
    called shift left shift left is you
    should start as early as possible with
    the security stuff
    it makes no sense to do it in the end
    and for me to remind what shift left
    means is i’m just rotating this picture
    of application line and soccer and so on
    and shift left means
    going to the left and the third thing
    what we are doing is we are writing
    application we are creating source code
    so that’s the earlier thing and we
    really have to start there during the
    time we are writing software not if
    everything is done and it’s running no
    that’s too late we have to start as
    early as possible
    what i’m excluding here is the concept
    phase
    because this is something we have to do
    um on a human level inside the
    organization but we are focusing here on
    the technical thing so having now in
    mind that
    we have all these different layers and
    we have all these different uh attack
    vectors inside every text layer we have
    to think about um what what is a
    composition per layer
    so
    as the first thing is
    if i’m writing a java application i have
    something that is managing my
    dependencies because i’m writing some
    piece of code and the other thing is i’m
    using some dependencies i will cover
    this in a few minutes
    but
    what is sure is per layer we have
    corresponding dependency managers
    because we are not reinventing the wheel
    we are working with dependencies we are
    grabbing stuff from outside and this is
    for every
    tech layer so the application may be in
    maven linux is a debian layer maybe or
    dockers the docker repositories
    kubernetes and so on but again the most
    people are forgetting if they are
    starting with security the whole text
    stack so all binaries inside this text
    stack should be
    available in an immutable
    way or repository as well to make sure
    that there is no compromisation so okay
    but if you are thinking about this
    single point that will try to help you
    to understand
    the whole tech layer
    you need something that’s able to
    understand every text layer and then you
    need something that’s able to work with
    this metadata we at jfrog we have
    artifactory that’s a binary manager or a
    manager for dependency managers we have
    a different kind of repositories where
    all this meta-information and binaries
    are stored and then we have x-ray that
    is connecting through it and working
    with binaries and the meta information
    to get the full impact graph i will
    cover the full impact graph in a few
    minutes again but um have in mind that
    these are the essential tools to deal
    with the whole meta information built
    info and all the stuff and binaries and
    on the other side where it’s a
    possibility to have access to all layers
    and don’t forget your tool stick this is
    really really important so don’t forget
    your toolset scan your jenkins check
    your compiler check whatever
    we have different terms and
    if you start with security
    there’s mostly a challenge with
    different parts of the company so how to
    implement security what the best way and
    one thing i always see is that there is
    a lack of
    wording
    so a lot of companies are
    using more or less are describing the
    same mechanism using different words
    and so on and here are two things that
    are highly recommended to think about
    and talk with management for example
    about it if you want to start
    implementing security
    the first thing is time to market
    if you’re talking to a management layer
    time to market is very common for them
    what they understood or what they’re
    meaning with this is you have this use
    case
    we have this description then we have
    this time of creating this stuff and
    then it must be as fast as possible
    delivered to the customer so that they
    can use it the company can charge it
    okay so if i want to get money for it
    means i have to clearly a vision what i
    need
    and then i have this production phase
    and this must be as short as possible
    and as cheap as possible and then i need
    the possibility to use it
    why why i never understood it why not
    thinking with security in the same way
    so what is security security is a
    requirement like a use case there is a
    vulnerability for example
    then you have exactly the same behavior
    it must be delivered as fast as possible
    to production
    not the vulnerability but the back fix
    of the security fix okay
    so you have that requirement there is a
    vulnerability must be fixed then you
    have the possibility to fix it then it
    must be as fast as possible delivered to
    production so that it couldn’t damage
    not get more money but not losing more
    money okay it’s the same it’s just the
    opposite of it
    right
    i see so often that
    process of there is a use case and then
    do it and push it to production and then
    we will test it this is optimized yeah
    and then you can just do it
    but for security issues they have
    different processes
    and then they have this
    this guy must say yes the next one must
    prove it the next one has to do
    something and then they have a really
    slow process of fixing vulnerabilities
    and this is just a nightmare so if you
    have the knowledge about vulnerabilities
    then it’s a requirement handle it like a
    refinement optimize a whole production
    line to get rid of this stuff as fast as
    possible and make sure that you have the
    same lean processes to push stuff to
    production
    and as i mentioned i see so many
    environments where the use case is fast
    on a fast track and security fix are on
    the slow track that makes no sense so
    talk about time to market with your
    management with your lead or whatever to
    get that thing done make this process
    lean fast easy and fully automated the
    next step is make or buy
    the most people know okay we don’t have
    this knowledge and then we can hire an
    external and he will do everything great
    because he had so many experience and he
    saw it in so many different companies
    and
    then i’m just paying money and stuff is
    done okay let’s make a buy on the
    economic pattern and i think we all had
    our experience with this
    the pros and cons
    but
    we as a developer we’re doing exactly
    the same and we have exactly the same
    issues we are not hiring external but we
    are using externals in terms of we are
    adding dependencies and here again it’s
    the same mechanism and the same way of
    talking about the risk the investment
    and all this stuff
    should i learn this stuff by myself
    should i know enough about this
    technology that i
    um that i’m able to identify if my
    depends here if this external guy is
    doing the right thing
    how to make sure that i have a good
    amount of quality in my external
    dependencies
    and i don’t
    or i shouldn’t reinvent the wheel by
    myself so if the if i have no clue about
    how to create a pdf
    then it makes mostly no sense to learn
    all the pdf specs writing a pdf
    generator and then doing this one
    because i know more about pdf after this
    for sure i have a lot of security issues
    for sure and then i have to maintain
    that stuff no time for this on the other
    side if i’m adding a pdf library i must
    be able to understand what is a bad
    thing in pdf oh yeah you can add
    javascript and then it could be executed
    okay so you need to learn a little bit
    about pdf then you must be able to test
    and verify the functionality then you
    have to decide what’s enough and what’s
    a good dependency so what is external
    you can trust
    okay i think this is more or less clear
    so we have to deal with dependencies and
    we should treat it in the same way so
    don’t add just dependency because yeah
    it looks nice and then do it you
    wouldn’t do it with next certain
    consultant
    okay you wouldn’t just say hey yeah
    looks cool just do it and forget and
    then firing the next one don’t do the
    same stuff with your dependencies okay
    we have different approaches inside the
    security area and there are two main
    parts one is a developer centric part
    it’s zust static application security
    testing the next one is the ops part
    more or less a dynamic application
    security testing and then we have a few
    combinations and rasp as a
    runtime protection
    okay so uh what’s this
    with zest we mean
    that we are able to scan all static
    parts of an application
    and searching for known vulnerabilities
    okay what what mean non-vulnerabilities
    non-vulnerabilities are identified
    vulnerabilities with knowledge how to
    get rid of them or there’s a patch
    already and whatever so it’s maybe not a
    patch already but we know this
    vulnerability what’s going on so uh
    these are non-vulnerabilities then there
    is a certain amount of unknown
    vulnerabilities and the unknown
    vulnerabilities is everything we don’t
    know and then we have to think a little
    bit about the balance between
    non-vulnerabilities and unknown
    vulnerabilities
    if i can trust different
    reports i was i had the chance to read
    or different other companies
    that are doing way better research than
    me because i’m not a security researcher
    in detail and i don’t have too many
    statistical material but
    what they are saying is that the whole
    amount of non-vulnerability is just
    constantly growing okay except because
    the non-vulnerability is never removed
    you have something against it that’s a
    vulnerability there
    okay so this amount is constantly
    growing and then the amount of unknown
    vulnerability is smaller than the amount
    of known vulnerability first of all the
    non-vulnerability amount is constantly
    growing since a long time and
    the amount of unknown vulnerability is
    limited by the people that are able to
    create no
    new vulnerabilities and this is
    this is not a group that is
    exponentially growing this amount of
    humans that are creating vulnerabilities
    so the assumption is that the amount of
    known vulnerabilities is in some range
    but more or less constant
    but from this
    step-by-step vulnerabilities are
    converted to known vulnerabilities and
    this amount is constantly growing
    okay having this in mind means that
    fighting against known vulnerabilities
    has the fastest and biggest impact and
    this is something you need to do because
    this is growing anyway
    okay so and this is where static
    application security testing is focusing
    on so static application security
    testing is losing the dynamic context of
    an application but it can search for
    already known vulnerabilities and here
    you can scan hundred percent of the
    whole test tastic okay
    the opposite is dynamic application
    security testing for this one you need
    an already running system
    just you can do immediately with the
    first code of line of code you’re
    writing you can start with scanning what
    you have on the other side with dust you
    need something that’s running and then
    it must run in the same context of the
    operation system you want to protect so
    it makes no sense to have a dust
    application where you’re testing stuff
    and in the end you’re using a completely
    different environment to run it so you
    would lose a lot of the power of dust
    tools
    these test tools they have this hack
    approach they are looking from outside
    to an application and try to identify
    the weak points here
    the attack vectors are mostly based on
    the most common vulnerabilities most
    common vulnerabilities that are defined
    so like
    sql injection heat them
    so memory terms and all that stuff so
    you have a list of this one that are
    language neutral and mostly
    yeah mostly
    seen already
    and then the the weak point with dust
    towards is first of all you need
    something that’s already running so it’s
    very late in production it’s again shift
    left
    the next thing is a tool need
    if it is just as soft as a server thing
    you need access to your to your
    application it’s way better if you have
    it on some production like systems
    because then you have the potential to
    identify
    reconfigurations or open ports and all
    that stuff
    and
    the next thing is that most attack
    vectors are built based on this
    multicore vulnerabilities
    and um there is a tiny chance to or
    mostly no functionality to define your
    own attack vectors against the system
    and if there is a new attack vector that
    will take a bit time
    not endless but a bit time depending on
    your service you are using to adopt to
    this new
    attack vector
    okay
    and then the next approach if you have
    zest and dust the next next logical step
    was to merge both its interactive
    application security testing so you’re
    merging both approaches it’s like a
    security debugging of your system so
    you’re ramping up your application you
    have full access to all
    components of your system you’re
    checking all binaries and all
    configurations all this stuff you’re
    bringing it in in context and then
    you’re doing this dust stuff so there’s
    mercury vulnerability based attacks and
    then it is in a way that you can
    manipulate the attack in a way that you
    are identifying your individual attack
    vector against this system so and this
    is a b so
    theoretically this is a perfect thing
    okay because it’s just merging zest and
    dust
    if you start with security
    it makes no sense to start with
    interactive application security testing
    because you need the knowledge how to
    attack how to compromise your technology
    and all this stuff and most likely you
    need very highly educated people in this
    specific area to make the most usage of
    iest okay this is interactive
    application security testing
    these are the three testing things so
    more or less two exhausting dust and
    then the combination with
    your own attack vectors in iris
    then there is rasp
    runtime application security protection
    means
    that this system is
    used
    to
    identify an ongoing cyber attack means
    rasp
    is completely useless in test staging or
    even
    all the stages rasp is only useful in
    production
    most technologies are with this agent
    approach so you’re ramping up an agent
    this agent is manipulating the software
    you’re using and then they try to
    identify with machine learning and other
    techniques and patterns and all this
    stuff to identify they are
    different users or different actions
    that
    that looks like an attack and then you
    have to mode um
    you can just monitor it and alerting and
    the other thing you can proactively just
    stopping this application so this is a
    rasp so it’s really protecting the
    runtime production against ongoing
    cyberattacks
    what is the best order to start my
    personal opinion is that you should
    start with zest because this can you do
    with a
    minimum amount of knowledge about how to
    attack systems and all this stuff
    if you have this in place and this is
    running then you can start testing your
    environment with
    with the approach of most common
    vulnerabilities so dust tools and if you
    have budget left and you have the
    infrastructure and the possibility to
    use agent approaches so this agent-based
    approach then you can use rusp as well
    starting with rasp is mostly a very
    counterproductive thousand or a way
    because mostly the developers knobs
    people saying oh if i’m missing
    something rust will catch it and this is
    mostly
    not good for the quality and some other
    things and having in mind raspberries
    mostly on this agent approach means if
    the whole production line is weak
    you can get compromised agents as well
    so you have to harden your whole tech
    stick against non vulnerabilities and
    compromising binaries before you are
    introducing the next
    level of manipulating automatically with
    some external dependency my production
    line okay having this in mind so thus
    does rasp if you ever be able to use is
    interactive application security testing
    depends really on if you have the right
    skill people in your organization that
    are able to do it
    okay
    back to the application if you want to
    now to to start
    and the easiest way to start is just
    why and why this is good
    so if you’re looking at the whole tech
    layer applications
    how much lines of code or how many lines
    of codes you are writing by yourself and
    how many lines of code you’re adding as
    a dependency most likely it’s in a way
    that you have a huge amount of external
    lines of code grab fire dependency
    compared to what you’re writing itself
    so even if you’re writing a million
    lines of code your dependency in the
    most environments i saw not always but
    the most environment is just
    a huge amount of
    potential amount of of this lines
    as a dependency if you’re going towards
    the operating system it’s even worse
    you’re writing a few configurations
    you’re not writing a kernel driver
    mostly some people yes but mostly you
    are not writing kernel driver and the
    rest of the operating system is a binary
    you’re grabbing and there’s a huge
    amount of lines of codes so it means
    your configuration a few lines of codes
    again this amount
    of lines of code that you’re grabbing
    from outside docker is the same you’re
    writing a docker file maybe and the
    first statement is from so it is a
    dependency anyway
    and then
    you’re going to the kubernetes layer and
    then helm charts and all this stuff so
    looking at all this the amount of stuff
    you’re doing by yourself and the amount
    of stuff you’re grabbing as an ex
    external dependency looking at the whole
    text deck is
    the balance between in this way that the
    dependencies are the most dominant thing
    so
    make it sense to scan your own source
    code against non-vulnerabilities with
    zest to have machine learning running on
    your own source code
    no because it’s a tiny part
    and the tools that are scaling with
    machine learning and all this stuff your
    source code they’re missing a little bit
    the context
    you can have best practice and you
    should write
    code in best practice make sure that
    you’re not
    just using all input fields and just
    pushing it to the database sql injection
    not reading just binaries and executing
    everything and so okay that’s fine do
    this one but analyzing the source code
    with tools extensively would be the
    wrong focus focus on the dependency
    because it’s just the biggest part and
    then
    it is a part of just static application
    security testing and again what the most
    environments are for getting the dev
    segments part
    check your compiler your scripts your ci
    environment your whatever so everything
    you’re using internally is with this
    attack against supply chains
    a target so you have to harden your ci
    environment you have to scan your
    jenkins you have to scan your team city
    whatever so scan your environment
    everything
    okay
    we have two things that um
    they are all competing for um
    a condition now for
    no i mean seeing the word sorry so but
    we we have two things that are here in
    the field so it’s compliance and
    vulnerabilities and we have different um
    different
    behavior
    so compliance if you want to start with
    compliance scanning the machine is very
    good to scan all binaries into for this
    you need to understand dependencies and
    their direct and indirect dependencies
    so it makes sense to analyze analyzing
    meta information and then see okay at
    this dependency will have this
    dependency on this dependency and so on
    and then the machine can scan for uh
    license issues so for compliance that’s
    easy but the initial work here is that
    you need someone who’s able to decide
    what is a good license and a bad license
    for this part of the supply chain okay
    this is the initial thing and then you
    can feed with this machine and the
    machine can just doing this ongoing job
    in a very fast way make it sense to scan
    again and again against compliance
    yes
    looking at different projects for
    example a very prominent one is jakarta
    e so java ee was jakarta ee is now
    eclipse ee and is now i was eclipse e
    and i was jakarta i lost the overview so
    we have this one so moving big projects
    on the other side
    um there is a dependency and internally
    he is using maybe
    some collection library and then he
    decided to switch to another collection
    library because it’s cool
    then
    it’s not good to trust this developer
    that he will do the compliance work
    perfectly so you have the same
    dependency in a new version but
    indirectly you’re consuming a different
    dependency so it makes sense that you
    are scanning this stuff on a constant on
    a frequent base
    vulnerability there’s a different b so
    the initial effort is zero just say
    there are the binaries do it scan that’s
    it the machine is scanning on the other
    side you will find very often
    vulnerabilities and not so often
    compliance issues if you fix it once and
    then you have to do what’s going on
    the compliance issues here they’re
    tricky
    so you have a compliance issue and then
    it’s a single dot in your whole tech
    layer so the whole thing
    and the only thing to get rid of
    compliance issues is you’re removing
    this part and replacing it by semantic
    equal implementation with the same
    functionality here and this is sometimes
    really a piece of work yeah so that’s
    one thing but if you have done it once
    mostly it’s quite it’s not changing so
    often
    another thing is vulnerabilities
    vulnerability is to get rid of
    vulnerabilities you don’t have to change
    the implementation against a semantic
    equivalent you can just use a different
    version of this dependency
    and this means that the
    full amount of vulnerabilities or attack
    vectors are based on the whole
    composition of versions
    because the weak point with
    vulnerabilities is you have in different
    layers different vulnerabilities and
    they can combine two different attack
    vectors so it makes no sense just to
    scan one layer just docker images or
    just whatever wavelength is you need the
    full understanding okay this jar is in
    this web archive is used in this docker
    layer this is using this docker image
    and this was used by this helm chart and
    running there so you need the full
    understanding to know where all these
    weak points are and what are the
    possible attack vectors against your
    system okay
    but
    let’s talk a little bit about the
    lifetime of vulnerability to understand
    what is the best part where you could
    uh speed up the whole fight against
    vulnerabilities
    uh people are creating vulnerabilities
    accidentally on purpose can we change it
    no
    i can work on myself to
    to use best practices but it could
    happen that i’m creating a vulnerability
    okay
    so next thing is
    what is the first time we know so if
    this vulnerability is found someone
    thought oh there’s a weak point
    then the next thing is if he is a good
    one he will try to make this information
    public public available somehow if he is
    a bad one he will use it for himself
    selling on darknet using it for his own
    attack whatever so if it’s found by
    someone who is
    bad yeah so bad hacker then for me the
    lifeline is more or less invisible i
    can’t we can’t do anything against it
    because it’s it’s somewhere it’s there
    it’s found but from the wrong person
    if it is found by someone who will push
    it to a vulnerability database so that
    it could be consumed by everybody else
    and that a good way so the live line of
    this dependency is is visible for me now
    so i’m now a security researcher i found
    a very critical thing and now i try to
    sell it what is the best way or who i
    will sell it okay
    the first thing is that
    this is amount of money i can spend this
    money or i can earn money with this one
    and now i will decide who will give me
    the most money of this if this
    vulnerability database one or two
    i don’t know so sometimes i will sell it
    to a sometimes to be and i will just
    do it with
    well where i’m getting the most money so
    uh what does it mean
    if i’m focusing on one vulnerability
    database
    it’s always a subset of dependency oh no
    it depends it’s a subset of
    vulnerabilities why
    because i have no clue if it is sold to
    this one or that one
    so what whatever depends or
    vulnerability database i’m using or
    choosing is it will be the wrong one we
    had jeff rock learned it in the same way
    and we know it and so the only thing
    what what is possible to work around
    this or to to get this one you have to
    build a super set so if you are deciding
    to consume void you must decide who what
    vulnerability database you are consuming
    otherwise you don’t have the information
    you have to make sure that you’re using
    a superset to get the biggest umbrella
    you could get
    um
    so just one single vulnerability
    database is not enough you have to
    combine different resources and this is
    exactly what the driftwork we are doing
    we have our own security research we
    have vulnerability database free one
    open source one commercial one and so on
    and with this one now this work will
    start the knowledge of this
    vulnerability must be
    transferred in a consumable way so it
    must be available so not only is it in
    force public failure it must be
    consumable and consumable by you and
    here is if you like it or not most
    likely mostly
    the free vulnerability databases are
    smaller and slower
    why
    yes the security researchers they want
    to earn money so they are not giving it
    for free they are mostly selling it
    means you need to spend
    if if this time is critical if you want
    to speed up the
    time from the knowledge there and you
    can consume this information if you want
    to minimize this amount of time you have
    to spend some money or to find another
    way how to get to this information but
    most likely the free ones are slower
    we can endless discuss if this is good
    or bad or whatever and that is economy
    and now the information is consumable so
    you have the whatever you’re choosing so
    free one the commercial one a or b or c
    or whatever whatever information pool
    you’re using now you have the
    information so now the time is running
    because from information is consumable
    time starts running to fix in production
    that’s exactly where you should focus in
    the beginning it must be automated in ci
    environment must be fast and all this
    stuff you need to have lean processes so
    that there is no approval process and
    all this stuff is
    blocking this one so information is
    consumable until fixed in production
    that is where you should focus first on
    so that you have the most impact on it
    okay
    now as a developer
    what is the best safety belt you have
    and this is really true so against
    vulnerabilities all compliance issues
    the best safety belt for you as a
    developer is good test coverage
    why
    if you have to replace an implementation
    within semantic equiron what’s the best
    safety build it has coverage because
    then you can change first and verify
    that it’s running in the same way if you
    have to build a new composition of the
    same dependencies to get rid of
    vulnerabilities it could be inversion
    increase or decrease
    the whole composition must be with less
    vulnerabilities or less critical
    vulnerabilities means you need to use
    test coverage
    to change the version that the test
    coverage run and just push it to
    production i personally i’m a big fan of
    mutation testing because this is a very
    strong test coverage um
    identify what’s working best for you if
    you want to check it on my youtube
    channel i have the explanation about
    mutation testing and how to run it and
    the basics and the theoretical part
    behind it
    but whatever it is the best weapon
    against non-vulnerabilities and
    compliance issues is very effective
    dependency management because this has
    the biggest impact because you are
    working with 99 percent of your taste
    segment
    and as a developer
    a good test coverage is really what you
    need
    so
    back to the previous thing what is the
    best place to
    start with this if you want to have all
    known vulnerabilities in the whole
    technique you need a single point where
    all binaries are running through and
    this single point must understand not
    only the binary it must understand the
    meta information as well so this
    dependency has an expectancy as an x and
    so on and if you have the possibility to
    read this metadata and you are
    understanding the full input graph then
    you or the full dependency graph you can
    create
    the impact graph of vulnerabilities and
    this is exactly what we are doing
    without factoring x-ray
    and if you want to try it i have three
    workshops where you can just register
    and i have it every few weeks i have
    this one and you can use a factory and
    x-ray for free in the free tier so check
    out for freight here and then register
    and use this binary storage with the
    security scanner if you want to know
    more about the product how to use this
    feel free to check on my youtube channel
    or go to one of my webinars then i’m
    explaining the tool itself and how to do
    it inside an ide for example so it was
    ide plugin so very cool stuff but the
    right place to start with security is
    where all binaries are running through
    and if you’re doing it for your
    production
    why not using it for your infrastructure
    as well so if you have a router that’s
    consuming linux linux then use
    artifactory as well to correct this
    binaries over artifactory to make sure
    that you can skim all binaries that are
    coming through and so on and so on so
    don’t focus it just on dependencies for
    your app you’re creating
    it’s all infrastructure run over it
    that’s the best way because then you
    have really it’s a full input graph of
    all components of your project
    okay so slowly we are coming to the end
    so if you want to win a jfrock t-shirts
    the first 15 will get it it’s driver.com
    is some whole t-shirt um yeah you can
    stop the video at this point to write it
    uh down or we’ll write it in the
    comments maybe so that you can do it and
    then you will find the slides and have a
    mind if you want to hear the stuff in
    german go to my german youtube channel
    or go to my english youtube channel sven
    cooper in english so i really would like
    to get you as my new subscriber if you
    have any feedback contact me by linkedin
    twitter
    don’t use email that’s just a mess but
    all the social media stuff works fine so
    if you have any questions feel free and
    connect and i really would appreciate to
    have a discussion with you about the
    pros and cons and all this stuff and
    this i can just say thank you very much
    for attending whatever time you’re
    looking at this video and watching it i
    can say enjoy the rest of the day stay
    safe and see you somewhere
    virtually or maybe real in the future
    okay
    so i think
    i’m done with my topic
    yeah thank you swan by the way uh for
    your time and it was a really cool and
    helpful session i can say that
    so
    yeah
    if you have any kind of question you can
    ask on the channel so i can reflect it
    to this screen
    so
    yep
    okay
    maybe a couple of minutes you can wait
    maybe i can also as something because
    uh especially everybody nowadays using
    the containerization technologies right
    we are using docker images everywhere
    and um in order to store our docker
    images we are using different kind of
    maybe your old site registry maybe
    software as a service
    so um
    for example i i’m using koi io let’s say
    that just an example they are doing a
    docker image scanning
    and then let’s say that i am using jfrog
    for my artifactory and i can also store
    that part
    so
    you mentioned the diagram about this
    devsecops and it is kinda compatible
    with helm
    maven different kind of artifactory
    tooling so
    can we say that for example on the
    document generation site i am already
    scanned my image on the koi io i how can
    we just
    ignore i eliminated duplications i mean
    my image already scanned on the some
    kind of third party service and i don’t
    want to make it run on the jfrobside for
    example
    do you have this kind of integration so
    instead of
    let
    jfrog scan my image
    just provide the
    integration let’s say that
    it can be feeded by some third-party
    service
    so first of all all servers we have
    they’re available via command line
    interface and rest interface okay
    and the all components have web hooks so
    you can start external processing to do
    something and with rest interface and
    web books you have the possibility to
    create dynamic workflows whatever this
    workflow is we have a ton of integration
    to different third parties i don’t have
    all of them in mind so i really have to
    check somewhere and list what’s
    available but
    if you want to scan just maven and
    debian then for this repository you can
    activate x-ray and if you don’t want to
    scan docker images then don’t
    activate x-ray photographer images or
    docker repositories so you can very
    fine-grain decide what should happen and
    on the other side if you have the third
    party tool and that’s scanning something
    the cost of scanning inside artifactory
    the docker image itself again
    is not really huge yeah so
    it’s a traitor of what what you want
    and
    you have different ways to scan so first
    of all you have this classical thing
    that you have this policies and rules
    where defining what what is necessary so
    if i have something with a cvss value a
    or b
    break a build uh send an email
    blocks the download whatever so
    different things you can start
    and on the other side you can
    use this information inside your ide as
    well so with this ide plugin
    intellij and his code and eclipse and
    whatever and then
    you have this information about
    vulnerabilities already inside your ide
    so you’re adding inside your pom file a
    dependency jakarta comments whatever and
    immediately you will get the information
    okay in this version and all
    dependencies from this dependency you
    are adding you have the folder following
    vulnerabilities and then you have it in
    your ide already so
    way earlier before you are creating a
    docker image anyway and this is
    something i really would
    recommend that for the technologies
    you’re using
    try to identify it as early as possible
    so often i see
    that they are working
    two or three days creating a docker
    image and then they see there’s a
    vulnerability inside the
    i don’t know java layer for example
    and this is just a waste of time because
    you spend already so much time to create
    it to identify there’s a vulnerability
    and then you have to remove it
    so with all the security stuff you’re
    doing whatever you’re using try to do it
    as early as possible and the best way
    for me as a developer is
    i need this information straight away
    inside my ide directly if i’m adding a
    dependency and if i say okay version two
    has this vulnerability i have to go back
    to version one i’m doing it immediately
    including against this one
    okay
    so that’s that’s something it’s it’s
    mindset how how to deal with security
    and it’s it’s a functionality
    everybody in the devops team has a
    dedicated part where he
    can efficiently work against security
    issues with like quality
    if you are doing crap in the beginning
    it’s hard to do it later
    so it makes really sense to do it as
    early as possible and everybody the
    developer is managing dependencies he
    hopes people are running scanning
    configurations and the operating system
    and so on and so on i see there is a
    question or what about the vulnerability
    is discovered after the application is
    published
    in public
    public available did you cover any such
    scenario in real life
    i think runtime
    scanning or something like that so you
    have different approaches to this one so
    first of all this solarwinds hack was
    something like this and what they
    introduced with the executive order of
    cyber security from mr pardon is that
    the us government now wants to have
    nasbom it means a full list of all
    ingredients of software that is consumed
    or run by the government why they want
    to have it because they want to have
    this dynamic information like okay there
    is a vulnerability and then they want to
    identify what part is infected somewhere
    okay
    and we have this since a long long time
    it’s called build info and this is a
    combination between static immutable
    data and
    active data warm data the vulnerability
    databases
    so
    if you have an image and this is pushed
    already
    to scan production against
    vulnerabilities is
    semi-optimal because you have the
    knowledge of
    what are the ingredients
    and what is a place
    to let this image run so there is no
    need to scan
    production this would be a performance
    issue it would be a weak hole where you
    can sneak in and so on so i would prefer
    something like i know exactly where my
    images are running
    and i have this information
    immediately after an update of
    vulnerability database and then i have
    to fix it anyway
    until this time i can decide i have to
    shut down production or
    i let it run and i have to prepare or to
    provide and fix as soon as possible
    i’m not sure if i really covered your
    question here just let me know if if
    this was um
    another tool to what you um ask here
    so
    okay any any i don’t know how how much
    is the delay from streaming out to
    youtubers but i think just a few seconds
    so
    if there is anybody with more questions
    just write it in the comments i will see
    it here
    quite soon i hope
    okay
    yep
    i think there is no other question so
    maybe we can finish
    yeah so otherwise
    i’m
    available social media internet
    everything don’t try email please don’t
    use email that’s very important it’s a
    mess
    but everything else is fine so connect
    via twitter or
    on youtube that would be perfect then
    you can ask anyway even if you see this
    video in two weeks or three weeks
    feel free to contact me
    so
    okay
    any questions from your side
    or we are
    more or less yeah we are done yeah yes
    thank you sven again for your time and
    for your valuable information about on
    this domain so
    thank you everybody and have a nice
    evening have a nice day
    see you in the next event
    okay bye
    you

    Start Free