Polyglot Apps Lead to Polyglot Security Holes. It’s Time to Fight Back! @ CD Foundation Webinar – 2021

March 13, 2021

Polyglot Apps Lead to Polyglot Security Holes. It’s Time to Fight Back!
Convenience on the developer side, built on dependencies, abstraction layers and the composition of technologies, speeds up our production pipeline. But at the same time it opens Pandora's box in terms of security. How can you close this gap and eliminate the weaknesses? I'll show you how to start with free tools to protect your stack against known security vulnerabilities, how to increase productivity while working fast, efficiently and comfortably, and why quality based on excellent test coverage will be your safety belt.

What we will cover: The evolution from "Dev and Ops" via "DevOps" to "DevSecOps."

View Slides Here

Speakers

Sven Ruppert

    Developer Advocate

    Sven works as Developer Advocate for JFrog and has been coding Java in industrial projects since 1996. He worked for over 15 years as a consultant worldwide, in industries such as automotive, space, insurance and banking, and for the UN and the World Bank. He regularly speaks at conferences and meetups worldwide and contributes to IT periodicals as well as tech portals. In addition to his main topic, DevSecOps, he works on mutation testing of web apps and distributed unit testing, besides his evergreen topics Core Java and Kotlin.

    Video Transcript

    Great, let's get started today. Thank you everyone for joining us. I am very much looking forward to introducing Sven Ruppert from JFrog. He is joining us today to talk about "Polyglot Apps Lead to Polyglot Security Holes and It's Time to Fight Back". All right, Sven, I will let you have the floor.
    Okay, hello, hello from my side as well, here from cold Germany. So I was reading already a few from Greece and Mexico, and hi, it's definitely warmer and better weather than here. So what we are talking about today is a little bit about polyglot security holes, and during this talk, if you have any questions, feel free to use the chat, feel free to use this Q&A window from Zoom. I will try to have an eye on this one, so if there is anything I see, at the right time I will give an answer; otherwise I will do this Q&A at the end of this session. But if there's anything, just, yeah, feel free to ask via the chat, and then I try to give an answer during the talk, or immediately in time if I see it.

    So now one of the most critical things: I will start sharing my screen. Let's see if this is working. So hopefully, can everybody hear me? Just a sign, hello. I hope so. Okay, where is my PowerPoint? Okay, so now I have to grab my chat window. This is something weird in Zoom, that they are always catching this chat window. So let me see, I have my chat back, and now I'm ready to go. So if there's any question, let me know; if you have any comments, feel free. And now we will start.

    So polyglot. Polyglot is a complicated word, but what we want to talk about, say first of all, my name is Sven. If you want to reach me over the internet, take Twitter, take LinkedIn, you can see me on YouTube. By the way, this background you see here from me, while also screen sharing, is just taken from one of my outdoor trips. I'm recording IT-related stuff in the woods, so if you're interested in this one, have a look at my YouTube channel. I'm there in German and in English, feel free.

    So, and JFrog, what we are doing is straightforward: we are talking about DevOps, and explicitly about DevSecOps, and this is what I'm doing as Developer Advocate at JFrog. Say I'm focusing on the security part, and this is where we want to go today. So by the way, slides and all this stuff and the raffle: if you want to win something here, it's an Amazon Echo Show 5, go to this bitly link and then you have the chance to win one. I don't know, I think two business days, three business days, something like this, and we will announce a winner. So feel free, if you want to have this later on, just let me know, I will copy-paste it in the Slack later, in the chat here.
    So okay, cloud native, the big word, huh, and I don't want to go into all these details, but cloud native is perfect to show a few things. But even if you're working with monoliths or serverless or whatever, more or less the principles I'm talking about are the same. So this is, yeah, this is one thing that you should have in mind: don't fix too much on this cloud native stack here, it's just one thing. But we have this service oriented and API communication, these are quite generic things, and so if you're thinking about splitting up, for example, some services to microservices, then a machine is not really good in helping you if you want to decide this is a use case for this microservice, this is a use case for another microservice. So here the human has to decide and has to split up and all this stuff. The same with the API communication: you have to decide what's going over the wire, but the tools are starting to help a little bit more with how to encode this stuff, how to serialize and deserialize and so on and so on. But on the other side you have these generic things that are in these layers, and if you are going to this container-based infrastructure, to this DevSecOps part, then you see that more and more the tools can help you with certain things.

    And here, what we wanted to reach with splitting up into microservices: sure, we want to have these short release cycles, we want to rewrite instead of maintaining old stuff, and this is fine, it's nice. We as developers, we like it, we often want to play around with new stuff. But on the other side, I'm coding Java now since, I don't know, 1996, and if I would start coding Go tomorrow, I wouldn't be a senior anymore. So it would be nice, I would learn it, maybe fast or not, but I would do all the mistakes that a junior would do, more or less in the same way, maybe in a shorter time, but I'm not a senior anymore. And this is something that is tricky. So new technologies, they are fancy, you like it, but on the other side you have to make sure that these new technologies are not bringing huge stuff in. So you have new tools, you have new best practices with the language and so on and so on.

    And by default, if you are talking about cloud native, or in general about that microservices zoo or serverless or whatever, if you're splitting up then we are more or less just increasing the amount of technologies, and per definition we are talking about polyglot systems. So different technologies in one thing, and the amount of different technologies is increasing. And well, this is something you should have in mind.

    But splitting all this stuff away, so just focusing on one single application, call it one, or let's call it a microservice, call it serverless, I just, okay, we have more or less always the same stack here. And here again we have two dimensions I want to look at. So first of all we are writing an application, and this application is what we're coding, and we have some use cases and we are doing all this stuff. After this we're introducing the next layer, it's the operating system layer, for example Linux, and then we are wrapping it in Docker, we are composing it in the Kubernetes universe. So all this stuff is more or less layer by layer by layer, we are increasing the complexity somehow, because we're adding new technologies and they all have to fit together. But one thing is for sure: if you're adding some vulnerabilities in the first layer, for example inside the application layer, then it will be existing over all other layers. And the same with compliance issues. So if I have the wrong license at the right place inside the project, I will have a challenge, because it can just kill my business.

    So what we are thinking about this one, what we have to do here? But there's one thing: even here we have some parts, we have in all layers a more technical part and we have this more domain specific part. So inside the domain specific part, talking about security is more or less talking about the semantics, talking about the processes, or security per concept and all this stuff. But if you are talking about the technical things, and here is where the tools are way better than in the domain specific area, is that they can help you scanning for vulnerabilities and all this stuff. So here again, on all layers we are adding technologies, but we have a pure technical side, we have a domain specific side, and what most people forget in all of this is we are talking about the whole tool chain as well. So inside this DevSecOps, the interesting thing in cloud native is that we are talking especially about DevSecOps, not DevOps anymore, means that we have the whole tooling, this is part of the whole production line as well, and here we have to think about the term security.

    But I want to talk about some polyglot stuff. So what I'm explicitly excluding here, this part, is the concept phase. So I'm not talking about how to make a strong concept in terms of use cases and all this stuff. So I'm just focusing right now on the technical part. And, yeah, that is one thing that you should have in mind: security starts early in the concept phase, not just during the coding phase. So even in the concept phase you have to think about the term security, but I'm excluding it here because this is a too broad scope for now.
    So let's see. One thing I am often hearing, and it took some time to remember something, is for example shift left. If you want to learn more about this topic, search for the term shift left. And what shift left means is: if you're just rotating this picture by 90 degrees and you're starting from left and reading to right, then the earliest point is writing an application, before you're wrapping it in the operating system, before you're using Docker and so on. So shift left means dealing with the security term as early as possible. And for this talk we are stopping with the left concept at the application; we are not going to the concept phase, but even this would be more left. So what does it mean? Shift left means that we have to think about all these vulnerability and compliance issues as early as possible, and there is no dedicated phase where we have now security scans and then everything is done.

    But well, I want to show an example about this polyglot world, and one example is if you are a server-side developer, for example in Java, and you have to write at least a graphical user interface, or you have to create a web app. It could be an internal one for administrative stuff, it could be a customer application, whatever. Let's think about how to write this web UI. And if you're a cool Java developer, then all this web UI stuff is far away. So you want to have Java, and this is where you are, and then you have the different technologies, for example here HTML5, CSS and JavaScript, because we are talking about, for example, web components on the graphical user interface or on the website. And these are two different things. But what will happen here as a Java developer, if you're familiar with this technology, you have two choices: you can learn HTML5, CSS, JavaScript, so much if you want, if you can, if you have the time, if you like, whatever. Well, the other thing is you're searching for something that is wrapping this technology for you in a way that you don't have to deal with this. Let's have this one. So we have these web components on one side, we have the Java side where we want to be, so where we are normally in, and then we have this kind of communication in between. For communication you will find, for example, Java as well, so you know you're happy with this one. But how to deal with this now?
    So here's an example just to show how technology is hidden. I'm using Vaadin. Vaadin is an open source framework, you can use it to build on the server side, with "new Button", a button on the screen, and it's based on web components. So have a look at this one, but it will show you quite easily how we are mixing up different technologies, and I want to show you what happens if you want to play around and what this convenience is bringing you. At this part, if you're digging a little bit in this API, you would see something. I don't want to go into all details here about this one, because we want to focus on the security, but if you're checking what they have done is, for example, they started mapping these different technologies together, because they want to have this convenience as a Java developer, and will give you some other technology, some other layers somewhere.

    And here, for example, if you're dealing with a pure npm stack you would have three things. You have this npm install to grab web components, so that you have it in your local repository. Okay, it's in the package manager and you're declaring something like "take these components with this version", and then it's grabbing from an external repository, storing on your local hard disk in a temporary folder or something like .m2, like it's done with Maven. And if you want to make this one on the Java side, for example with this Vaadin framework, you would have something like an annotation, and for you as a Java developer this is convenient: you have just an annotation, @NpmPackage, on the class and you have this value. It's exactly what you would use with the npm section, so these coordinates of these components, and you have the version. So this is fine.

    On the other side you would need now something like an import statement. It's the same like in Java, so you have an import statement of a class so that you can use it, and in HTML5 it really is the same: you have an import and then you are explicitly addressing one class of one component. And you would find, hey, I have a Java annotation here and it's exactly the same. So if I want to have a badge, then I'm just taking this annotation and writing the coordinates of this web component in, and then it's somewhere here how to use this one, how to map it to the JavaScript. If you are inside the web application you would take this tag, for example ui5-badge, and to map it to the Java side you would have a tag like ui5-badge. Everything together is more or less a mapping between different technologies. At this annotation level you are purely on the Java side, and if one of your colleagues would do this one, would say, okay, we have to code now all these web UIs but we want to have it as a Java developer, one of your colleagues would exactly do this one with the web components you need. And this is another thing: you can do it with every web component if you're using this Vaadin stack.

    So this is an example how I map the UI5 components, for example. Then it would have a class extends Component, okay, and then you have these three annotations. What have you done now? We mapped not only technologies in different binaries, we mapped already life cycles. So with these three annotations at this Java class, if I'm somehow creating this instance, I would have an npm install, I would have an import, and I'm declaring a tag. So I have a quite complex thing here already done, and if one of your colleagues will use exactly this component, I'm not sure if he's really aware of all these different stacks and what is behind this. And there are several other things that are not so nice, and they are somehow critical.
    Let's see. You want to start building some attributes here, it's quite easy, you can map it on the Java side as well, so with elements and properties, and you're setting some stuff. So even this, if you're a Java developer, you can do this one quite easily. Have you understood the whole npm stack so far? No, I'm not sure. You're just reading some documentation and see, okay, there's an attribute called color scheme, and then you're reading in the API documentation, okay, you have something like getElement, setProperty, okay, this matches, and then you start mapping all this stuff. I mean, this is great, it's very, very convenient. And if you think about how to get something out, the next thing is, okay, I'm not only able to set an attribute, I can grab stuff out. What happens now? From the browser, something will be encoded, will be sent over the wire into your system, will be converted somehow to some Java representative thing, instance, whatever it is, and you're accessing it. Wow, this is fine, this is really good. So the convenience factor is enormous, because you can just start coding Java.

    Even if you start thinking about, okay, I don't want to have attributes, I want to have a tree, because I'm in Java, but now you start thinking about how to map all this stuff, and then you think, okay, if I have a component and there's a complex child in that, I'm doing it exactly with the child as well. So here you see, okay, there's a UI5 icon, and then you start again: yes, this is your icon class, extends Component, you're adding just these three annotations, and you would see, okay, reading a bit of documentation, you can connect both. This setter is now something like getElement, and child, and this one. So we are now able to code on the JavaScript side a quite complex thing, and you'll have different components, you have a huge amount of communication, you have a huge amount of technology stacks in. And in the end, if you're mapping this one, one person in your team will make a jar out of it and will give it to you, and you as a developer would just see new UI5Badge, setIcon, setText and addActionListener, whatever, and you would get something rendered on the screen.

    Say, what happened here? It's easy to map this technology. You have a huge life cycle in the background, and if you're checking here the dependency tree, it's a nightmare. You have not only one technology, you have now two technologies, you have two package managers in the background. You're dealing here, even if you're not seeing it, with different technologies, at a level that is well, well hidden. So you have to search for all these traps, where you are just combining technologies like this. On the other side, I'm assuming that this trend will be coming more and more, because if you want to have more complex things, if you want to have more generic things on the inside but easier ways to formulate your use cases and all this stuff, you need this convenience to have the right speed, to have this use case fast enough on the market. So we are talking about time to market, and so there's a requirement: it must be pushed to production as soon as possible. So we will have this one, and this is just a layer inside the application. You will have the same on the operating system, or inside Docker, inside Kubernetes, and this is something that is more and more coming, and this means we need more awareness of it and we need tools that help me to identify what's going on here.

    By the way, if you want to have a look at this, you're a Java developer, you have to do web components, you want to try it out: I have this one on GitHub and then you can just try it out. It's a good running proof of concept, I use it for some small projects. It's open source, Apache license, grab it, try it, and if you have some feedback let me know, I'm more than happy to see it.

    What we have now, we have now the following: we have now an application, and instead of playing with one package manager we are playing indirectly with two package managers, with all the life cycles, with all the dependencies, we are all grabbing these binaries. And now we need something that will help us to identify the whole stack, not only the Java side. It would be a disaster if you're just checking vulnerabilities on the Java side; we have to check it on the npm side now as well, and this as early as possible. I have on YouTube a few examples, so how to do this one I'm explaining here in a few words, but if you want to have the long version, go to YouTube and check it out, for example how to harden this Vaadin framework with the stuff I'm showing here right now.
    So next is thinking about this convenience part, and thinking about that we are just using, what means "just", we are using open source. I really love open source, because we have the possibility to check, we have the possibility to analyze, to fix bugs and all this stuff. But if you're looking how much of this open source stuff we have in, it's quite a huge thing. So half, maybe 60, maybe 40, I don't want to be so strict with a percentage, but it will be a bigger part, and that means we are grabbing something because we don't want to reinvent the wheel. On the other side, we have to trust something that's coming from outside. So we have to check against vulnerabilities and we have to check against compliance issues, and this for all transitive dependencies. If you're just adding a few dependencies, just for fun, generate the whole dependency tree of your application and check how many dependencies you have, and just assume how much time you would need to scan all of this.

    But we have two different things. I mentioned compliance issues and I mentioned vulnerabilities, and one thing is, even in the polyglot system you have this indirection to other technologies, means you have to have an eye on compliance as well, of the whole stack. But the good thing with compliance issues is, in the beginning you need a lawyer that's defining this is a good license for your project and this is a bad license for your project, whatever. If this is done once, then the machine can do it constantly, and if you have a compliance issue somewhere, then it's just this tiny thing: so you have this library, you have to grab it out and you have to find a semantically equal solution running under a different license. So the process is quite clear. The machine must be initialized with the information what's a good license, what's a bad license, but if there's something found, the process is clear: you have to remove it, that's it.

    With vulnerabilities it's a different piece. If you have vulnerabilities in different parts of your application over the whole stack, then maybe the single vulnerability is not really bad or high risk or whatever, but all these vulnerabilities can be combined to different attack vectors, and that means you're not only talking about the single vulnerability here, you're talking about the whole composition of vulnerabilities, and this of all dependencies and this over all technology layers. And this is why you need something that will give you the full impact graph. So it makes no sense just to focus on one layer or one technology; you need the whole tech stack, everything from the application up to a Helm chart, everything, even the tooling itself. But what is the lifetime of a vulnerability, and what's a critical part, and where can we jump in with this?
    If there is a vulnerability, and it's created by accident or someone wants to have this vulnerability in somewhere, we have no way to influence this one. So someone will create some vulnerability, some vulnerability will be somewhere, and then we have this time until this is found. Do we have any chance to influence this one, or to make this faster, shorter, whatever? Yeah, if you're a security researcher we can work on this topic, but I assume that most of us are not security researchers, so we have to just wait. Then there is this information found, so this vulnerability is found, someone found it. Now we have two ways, a good one and a bad one. The bad one is just selling it on the darknet, and the good one is going to the company that is the provider of this binary, or this group or whatever project, and will give this information to them, and sometimes they decide, okay, we'll wait until two weeks before we are making this public, so that you can create a patch and all this stuff. And can we influence this time frame? Now if you're not directly affected, because we are the person that's contacted, we have no choice or no possibility to make this shorter.

    Then there is this information available. Do we have access to it? Well, mostly not directly. So we have different, we have these free vulnerability databases, we have commercial vulnerability databases, and there's a big gap between the commercial and the free ones. If you like it or not, whatever, I don't want to say it's good, it's bad, it's whatever, I'm just mentioning that mostly the commercial vulnerability databases are faster and have more information than the free ones. Maybe the free one will have the same, but maybe later. So what can we do here? We can wait until this information is consumable for us. If you're spending money for a service or if you're just waiting, whatever you're choosing, at some point this information will be available for you, so it's now consumable. You're not even, you just don't know it, it's not consumable until this time that this information is consumable for you. The timer is starting, so now that the clock is running, you would say, now you must be fast. So if you have a good CI environment, everything is automated, perfect, now you can start thinking about, okay, I know there is a vulnerability, I have to change somewhere in my stack, and it must run in production. So time to market: we are talking about exactly the same, time to market. So there is a need and we have to push it as fast as possible to production. And this is the only time we completely have under control, and mostly this is a quite long time. So for a lot of projects, even this, from there is a vulnerability until it's running in production, we are talking sometimes about weeks or months or even longer. So it's a disaster.

    We're now checking the whole system, the application layer for example, and the difference between make and buy. Make is you're writing it by yourself, buy is you're adding a dependency. You will see that inside the application you will have at least some part of make, because this is the biggest part mostly, because you're writing all this stuff. But even the buy part, so "I have a lot of dependencies", is a quite big one. If you are going to the operating system, mostly I'm just adding some configuration, and the rest of this operating system is a dependency. And the same with Docker: the first statement is FROM, so it's just a dependency, and then we're adding some stuff. And the same with Kubernetes and so on and so on. And the whole tool stack, for example if you're compiling with your JVM and all this stuff, it's a dependency model. So we are grabbing a huge portion into our tech stack, and this is a binary that's coming from outside.

    And this is why I'm saying: mostly, if you want to start with the security part, focus on the binaries, the external dependencies, because this is the biggest part in your whole tech stack, whatever tech stack you're looking at. Mostly this is the biggest part. So if you're focusing on scanning this one and making it clean against known vulnerabilities and compliance issues, you have the low-hanging fruit, the quick wins done. Then you can start analyzing your code with AI or whatever, but having the dependencies under control is a key point if you want to start with security.
    what is helping you you have this
    vulnerability and compliance issues and
    those
    will push you to some change in your
    code
    and if you’re changing something well
    the best you could have is
    a perfect test coverage so if you have a
    really strong test coverage
    then you can start shifting versions
    around
    that’s a test suite run and be sure that
    you can push it to production because
    you have the same behavior of your
    application
    and i personally i’m a fan of mutation
    testing
    because it’s way stronger than pure line
    coverage
    whatever fits to your needs and decide
    what is the strongest line coverage you
    have or how to make this test coverage
    as strong as possible because this is
    your safety belt
    because the first line or the first
    thing
    working against vulnerabilities means
    you need a very
    efficient dependency management because
    a very efficient dependency management
    will have the biggest impact or the
    fastest impact
    of the biggest part of your project so
    tdd
    is just working hand in hand with
    security that means
    quality and security they’re just going
    in the same direction and this is
    perfect so they are not running in
    different directions
    If you’re now thinking about, OK, we have different dependencies, we have different technologies, and even inside the application I have different technologies, because we are talking inside an application about polyglot systems. But even if I have different microservices, this polyglot system is even bigger; even more components and technologies are running around. It would be perfect if you would have something that is able to handle all these dependencies, all these different dependency managers, to aggregate all binaries in one logical point. Why is this important? Because if you have all binaries at this logical point where everything is running together, you have the perfect place for scanning the dependencies, so scanning against compliance and vulnerability issues. And this is what we are delivering here with Artifactory and with Xray. So with Artifactory here there’s dependency management inside, so a binary repository, and you can have your Maven repository, your Debian repository and everything together. And if you have this, your Artifactory instance, as a gateway, then you can go with Xray as a binary scanner that you can connect and analyze against compliance and vulnerabilities.
    If you want to try it out, we have a free tier here; I will share the URL at the end, so that you can just try it in the cloud. But it’s on hybrid environments too, means half cloud, half on-prem, or completely on-prem, so it doesn’t depend. But you need this, you need this single point where you can just analyze all binaries of all technologies. And most people, and this is one thing most people are forgetting, just the tool stack itself. So they have all dependencies of the application, but they are not scanning the binaries they are using inside the production line. And even this, it’s just a dependency: you’re declaring it, you need a place to store it. Take a generic repository, put your compiler in, put your whatever, just push all this stuff in, to make sure that it’s immutable, so that you can reproduce the state every time to analyze it, and on the other side that you can just scan your binaries. That’s it. And even a compiler can have a wrong license.
    OK, we have different ways to formulate it. So if you have an auditing system, or you have some compliance rules or some documentation that’s describing all the stuff, you need some way to describe what’s written down somewhere, and on the other side you need something that is mapping this to the technology. And here we have this concept of rules, policies and watches. I’m not explaining everything in detail, but the main thing is: you have this rule, that is an independent, stateless definition. If I find something with CVSS 7.3 or higher, then break the build, send a webhook, send a mail, whatever. So there are different things you can do, and that is independent from the technology; you are just describing what should happen if I found something. Then you have these policies, and a policy is a composition of these rules under a logical name. And it would be: if you have a document, an auditing document, a security description somewhere, you would have the single actions, what should happen, inside these rules, and then every chapter would be a policy. And then you can even have a one-to-one mapping between your documentation and requirements and what’s running inside Xray. And then you want to have this technology-independent description of what should happen, and you map it against repositories. It’s called watches. So then you’re combining these policies with watches, with Maven repositories, Docker, whatever. So it’s free, free to combine. And this is what we have: watches, policies and rules.
    If you want to know this in detail, I made these how-tos, and then you can really see how to create it, what you are doing, all this stuff. Or just check them out on our site, and then you can get this one. But in the beginning, during the beginning, we spoke about shift left. What does it mean? What does shift left mean? Shift left means that you want to start as early as possible. Assume the following: you’re starting a proof of concept. You’re happy: damn, yeah, finally I can start coding something from scratch, I can choose some technologies, whatever, or just play around with some stuff. And then you start aggregating technologies. You’re writing your proof of concept, and after the first day you’re committing the first things and you’re pushing it, and oh, you have to create this pipeline. And then you are creating the pipeline inside your CI environment. The CI environment will start working, and then at some point it will say: oh, that’s the dependency you’re using, sorry, but too many vulnerabilities in, or wrong license, there’s a transitive dependency and this is just not possible here in this project. The maintainer of this project was not good enough in checking if there’s one, or maintaining such a one. What have you done? You just wasted a huge amount of time, and this is a huge amount of money, and we don’t like to waste money because we have to explain it somehow. So we have to remove this time, or we have to shorten this time as much as possible. So having all this stuff inside the CI environment, it’s perfect, but it’s not the earliest point. You need this information earlier, and one early stage is
    having this information inside your IDE. And that means, if you’re working with Java, for example, and you’re dealing with this dependency management system, the first thing before you’re doing something is: firstly, you are declaring some kind of dependency. Oh, I want to have JUnit 5, or I want to have this library, this PDF library or this algorithm, whatever. So you’re declaring this one inside the pom.xml, or Gradle, or whatever you use, and immediately at this point you’re declaring the coordinates of the binary and the version. And at this point the IDE plugin that we are offering for Xray will grab this version information, these coordinates, and also check the vulnerability database if there’s anything that we should know, any vulnerability or any compliance issue. And this for all transitive dependencies as well. So if you’re adding a dependency, not only this one is the important one, but you need all transitive dependencies, and this is what the IDE plugin is doing. So you can just install this IDE plugin; it’s open source, it’s free, so even with the free tier you can connect with the IDE plugin to your free tier, and in the free tier you have a slightly limited version of Xray that you can use to scan against known vulnerabilities. So inside here we have it for IntelliJ, VS Code, Eclipse, whatever, but feel free, so try it, and then you will get this information immediately. And here’s a screenshot, it’s just showing a little bit: there’s a tree, you will get this tree of all the dependencies, so you see the whole hierarchy, and then you can start searching for stuff you don’t want to have, and then you start replacing these dependencies. And again, if you have good test coverage, it’s exactly what you need. So, and how to do this one: I have there this whole process, how to exclude it, how to add a new dependency, and do this until everything is fine. I have a YouTube video on this where I’m explicitly showing this process and how to install the plugin, but mostly it’s searching for the plugin in the store. So this is one thing: inside the IDE you will have the whole information about the tech stack.
    Back to the polyglot topic. If we have now this dependency, my colleague mapped all this stuff against npm. I’m just adding a dependency, I’m not aware of this one, I’m grabbing this dependency, but the lifecycle mapping will include all those technologies. You will see there in this tree: you have a tree for Java, Maven, and you will have a tree for the web components, for the npm stack. So first of all you see that there is some other technology in the background; second, you see even for this hidden technology that there is a vulnerability, and you can start working against it, even if you’re just declaring a component. And that’s what is really saving time and money and is reducing risk. So focus on something that will give you this information as early as possible. Later on, if you are inside the web UI, you can have the full impact graph. And there is a command line interface, so that you can completely provision all this stuff via command line interface if you want, or via REST.
    What can you do with this? If you’re talking about this scanning against vulnerabilities, you need some process for how to handle this one. Sure, you can break a build, this is one thing; you can notify via email, OK. But the really cool thing is that you have two things: the REST API to interact with the machine, and the second one is a webhook, because with this one you can start integrating third-party components and you can build semi-dynamic workflows. There is a vulnerability in this Docker image; I start now a process, it will make a dedicated quarantine repository, I’m pushing my stuff in, I’m automatically doing all these updates in this Docker layer, for example, and then I’m scanning it again, or whatever. So you can start working with semi-dynamic workflows, and this will give you the possibility to feed reporting like compliance tools, you can pre-harden images if it’s just an update of the versions, and so on and so on. So that’s one thing.
    And yeah, if you want to try it, feel free, grab this one, the jfrog.co 3t devops underscore cdf link, and then it will come to the point where you can start a free tier. And if you want to see how to do it, some how-tos: how to start the free tier, and a platform overview, if you want to have a short guideline. Otherwise check out the documentation, or just ask me, and then you can start this one. And what should you do? You start a free tier, it will take five minutes or so. You’re just creating the repositories you need, for example your Maven repository. You’re changing inside your pom in a way that you’re using exactly this Maven repository, and then mvn clean verify. That’s it. And then you have all information, all earlier with the IDE plugin: just connect to your instance and let the dependency scan run. That’s it. So how much time do you need to start with DevSecOps? Below two hours, if you’re doing everything slow and reading and all this stuff. But then you can start even in your project, just with scanning all this stuff: I want to have the full impact graph at least once of the Docker layer and so on, and I want to see what’s going on. So I think two hours is not so much time if you’re doing it really for the whole stack and all that stuff. So I think it is first time for the summary, and second, yeah, if you have any questions, feel free to ask. I don’t know if it’s allowed to activate your microphone, I don’t know, but otherwise just ask or write it in the chat.

    I will allow everybody to talk now. So, oh, everybody at the same time. OK, so if you have a question you are more than welcome to come off mute and ask, or if you’re feeling shy you can always enter it in the Q&A section.
    Yes, so until I am hearing the first question, I’m just summarizing. Be aware of these polyglot environments; check for all technologies that are involved. Don’t forget your tool stack, check this one as well. So if you are using Git, then check your Jenkins, why not. And you can do it in different ways, so you can have different single tools, but I really will give you the advice that you have a tool that’s getting the whole tech layer, so that you have a combined picture and the full impact graph. Shift left as much as possible, so even inside your IDE, so that you have all information as soon as possible. And, by the way, if you want to know how to do it with the Vaadin stack, just check out this repository, or if you really want to try how to map the components to the JavaScript. So, any questions? Let’s see. Oh, no question so far.
    OK, just for folks’ reference, I dropped in the chat the YouTube playlist where this will get updated to. So I’ll clean it up after we’re done and then I’ll post it on this playlist, so if you want to refer to it or share this with other people, this is where this will get populated. And if we don’t have any questions, I will not take any more time from Sven and the attendees, and we can wrap up.

    So, last words: otherwise, yeah, otherwise connect via Twitter, connect via LinkedIn. So if you have any question tomorrow, just feel free to ping me.

    OK, well, thank you so much then, it was a great presentation, and we hope to see you again.

    OK, thank you very much, and bye-bye.

    Bye.
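The rules, policies and watches model Sven describes in the talk (a stateless rule such as "CVSS 7.3 or higher: break the build, send a webhook", a policy that groups rules under one name, and a watch that binds policies to concrete repositories) can be provisioned through the REST API he mentions instead of the web UI. The block below is an added example and is not code from the talk or from JFrog: it builds the policy and watch documents, shows the inclusive CVSS boundary locally, and posts both to Xray. The endpoint paths `/xray/api/v2/policies` and `/xray/api/v2/watches` and the field names follow the Xray REST API v2 as documented; verify them against the documentation for your Xray version. The base URL, the token, the webhook name and the repository keys `maven-remote` and `docker-local` are assumptions of this example.

```python
"""Provision an Xray rule/policy/watch triple over the REST API.

Added example, not code from the talk or from JFrog. Endpoint paths and
JSON field names follow the Xray REST API v2 as documented; verify them
against your Xray version before relying on them.
"""
import json
import urllib.request

XRAY_BASE_URL = "https://example.jfrog.io"   # assumption: your platform URL
XRAY_TOKEN = "REPLACE_WITH_ACCESS_TOKEN"     # assumption: an access token


def make_rule(name, min_cvss=7.3, fail_build=True, webhooks=(), mails=()):
    """One stateless rule: what to do when a finding meets the CVSS threshold.

    The rule knows nothing about repositories or package types; it only
    describes the trigger (an inclusive cvss_range) and the actions.
    """
    return {
        "name": name,
        "priority": 1,
        "criteria": {"cvss_range": {"from": float(min_cvss), "to": 10.0}},
        "actions": {
            "fail_build": fail_build,
            "block_download": {"active": False, "unscanned": False},
            "webhooks": list(webhooks),
            "mails": list(mails),
            "notify_watch_recipients": bool(mails),
        },
    }


def make_policy(name, rules, description=""):
    """A policy is a named composition of rules (one 'chapter' of the audit document)."""
    return {
        "name": name,
        "type": "security",
        "description": description,
        "rules": list(rules),
    }


def make_watch(name, policy_names, repositories):
    """A watch binds technology-independent policies to concrete repositories.

    Every repository entry carries the Artifactory instance id ("default"
    for the built-in binding) and the repository key, whatever the package type.
    """
    return {
        "general_data": {"name": name, "active": True},
        "project_resources": {
            "resources": [
                {"type": "repository", "bin_mgr_id": "default", "name": repo}
                for repo in repositories
            ]
        },
        "assigned_policies": [
            {"name": policy, "type": "security"} for policy in policy_names
        ],
    }


def rule_fires(rule, cvss_score):
    """Local check of the rule's trigger: is the score inside cvss_range?

    Xray evaluates this server-side; the helper only makes the inclusive
    boundary explicit (7.3 fires, 7.2 does not, with the default threshold).
    """
    rng = rule["criteria"]["cvss_range"]
    return rng["from"] <= cvss_score <= rng["to"]


def _post(path, payload):
    """POST a JSON document to Xray with a bearer token; returns (status, body)."""
    req = urllib.request.Request(
        XRAY_BASE_URL + path,
        data=json.dumps(payload).encode(),
        headers={
            "Content-Type": "application/json",
            "Authorization": f"Bearer {XRAY_TOKEN}",
        },
        method="POST",
    )
    with urllib.request.urlopen(req, timeout=30) as resp:
        return resp.status, resp.read().decode()


def provision(policy, watch):
    """Create the policy first, then the watch that references it by name."""
    results = [_post("/xray/api/v2/policies", policy)]
    results.append(_post("/xray/api/v2/watches", watch))
    return results


if __name__ == "__main__":
    # "quarantine-hook" is an assumption: a webhook you configured in Xray.
    rule = make_rule("cvss-7.3-break-build", webhooks=["quarantine-hook"])
    policy = make_policy("cdf-security", [rule], "Chapter 3 of the audit document")
    # Repository keys are assumptions: one Maven remote and one Docker local repo.
    watch = make_watch("cdf-watch", ["cdf-security"], ["maven-remote", "docker-local"])
    print(json.dumps({"policy": policy, "watch": watch}, indent=2))
    # provision(policy, watch)  # uncomment once XRAY_BASE_URL and XRAY_TOKEN are set
```

Run it as-is to print the two JSON documents for review; it only contacts Xray once you uncomment `provision(...)` and set the base URL and token. The policy has to exist before the watch is created, because the watch references the policy by name, which is why `provision` posts them in that order.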