Solarwinds Hack – Executive Order of Cybersecurity – and Now?

By Sven Ruppert, Developer Advocate @ JFrog

September 19, 2021

2 min read

It is essential to know that the SolarWinds company produces software that is used to manage network infrastructure. Under the name "Orion Platform", this software is meant to help manage and administer network components efficiently. If you look at the product description on the SolarWinds website, you can read that the software can monitor, analyze, and manage the network infrastructure, and that is exactly what the customers did with it. The company has around 300,000 customers worldwide, including individual companies, government organizations, and corporations from a wide variety of areas. To always stay up to date, the software platform includes an automatic update mechanism, and that was exactly what the attackers were after: they saw in the SolarWinds company a multiplier for their own activities. But how can you go about this? The attackers obtained the necessary software tools by breaking into the FireEye company and infiltrating the SolarWinds network. The goal was the software development department in which the binaries of the Orion platform are created. Here, the CI pipelines were manipulated to include compromised binaries in every build of the software. As a result, the company produced these binaries and put them into circulation through the automatic update process. In this way, around 18,000 targets could be infiltrated and compromised within a short time.

What does that mean for us now?

There are two angles here. The first is the consumer's point of view: for your own production, it must be ensured that no compromised binaries are used. That means that all, and here I mean all, binaries used must be checked. These are the dependencies of the application and the tools used in the production process, including the CI server used, e.g. Jenkins, as well as the operating system components of the infrastructure and the Docker images.

The second perspective is the point of view of a software distributor, meaning anyone who distributes binaries in any form. The recipients include customers in the classic sense and other departments that may be considered consumers of the binaries created. The associated loss of trust can cause a company severe financial damage.
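The post's point that all binaries, direct and indirect dependencies included, must be checked, and the transcript's requirement that a binary scanner works from package-manager metadata, can be illustrated with the following added example (my code, not code from the post or from JFrog). It walks a constructed dependency index, survives cycles, reports the chain through which an indirect dependency was pulled in, and flags dependencies that no metadata exists for instead of silently skipping them; every package name, version, license, advisory id and policy entry is constructed.

```python
"""Transitive dependency exposure check over package-manager metadata.
Added example, not code from this post or from JFrog; every package name,
version, license, advisory id and policy entry below is constructed."""
from collections import deque
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple

Coord = Tuple[str, str]  # (name, version), as a package manager records it


@dataclass(frozen=True)
class Package:
    name: str
    version: str
    license: str
    deps: Tuple[Coord, ...] = ()  # declared dependencies of this artifact


# Constructed index standing in for what a package manager (Maven, apt, npm,
# Docker layer metadata, ...) knows about each artifact: license and deps.
INDEX: Dict[Coord, Package] = {
    ("web-app", "1.0.0"): Package("web-app", "1.0.0", "Apache-2.0",
                                  (("http-client", "3.1.0"), ("yaml-parser", "2.0.1"))),
    ("http-client", "3.1.0"): Package("http-client", "3.1.0", "Apache-2.0",
                                      (("tls-lib", "1.4.2"), ("logging", "0.9.0"))),
    ("tls-lib", "1.4.2"): Package("tls-lib", "1.4.2", "MIT"),
    # logging depends back on http-client: a cycle the walk must survive.
    ("logging", "0.9.0"): Package("logging", "0.9.0", "MIT", (("http-client", "3.1.0"),)),
    ("yaml-parser", "2.0.1"): Package("yaml-parser", "2.0.1", "AGPL-3.0-only",
                                      (("unicode-tables", "7.0.0"),)),
    # ("unicode-tables", "7.0.0") is deliberately absent from the index.
}

# Constructed advisory feed: coordinate -> advisory id (placeholder, not a real CVE).
ADVISORIES: Dict[Coord, str] = {("tls-lib", "1.4.2"): "ADV-EXAMPLE-0001"}

# Constructed license policy for this hypothetical project.
DENIED_LICENSES: Set[str] = {"AGPL-3.0-only", "GPL-3.0-only"}


def resolve(root: Coord, index: Dict[Coord, Package]) -> Dict[Coord, List[str]]:
    """Breadth-first walk over direct and indirect dependencies.

    Returns every reachable coordinate mapped to the shortest chain of package
    names leading to it from the root. `paths` doubles as the seen set, so
    cycles terminate. A coordinate the index does not know is still returned
    with its path, so the caller can flag it rather than silently skip it.
    """
    paths: Dict[Coord, List[str]] = {root: [root[0]]}
    queue = deque([root])
    while queue:
        coord = queue.popleft()
        pkg = index.get(coord)
        if pkg is None:
            continue  # unresolved: no metadata to descend into
        for dep in pkg.deps:
            if dep not in paths:
                paths[dep] = paths[coord] + [dep[0]]
                queue.append(dep)
    return paths


def scan(root: Coord, index: Dict[Coord, Package],
         advisories: Dict[Coord, str], denied: Set[str]) -> List[dict]:
    """Report vulnerable, non-compliant and unresolvable dependencies.

    Each finding carries the dependency chain, so the reader sees which direct
    dependency pulled an indirect one in and therefore which version to change.
    """
    findings: List[dict] = []
    for coord, path in resolve(root, index).items():
        if coord == root:
            continue
        base = {"package": f"{coord[0]}@{coord[1]}",
                "scope": "direct" if len(path) == 2 else "indirect",
                "path": path}
        pkg = index.get(coord)
        if pkg is None:
            findings.append({**base, "type": "unresolved",
                             "detail": "no package-manager metadata; cannot be scanned"})
            continue
        if coord in advisories:
            findings.append({**base, "type": "vulnerability", "detail": advisories[coord]})
        if pkg.license in denied:
            findings.append({**base, "type": "license", "detail": pkg.license})
    return findings


if __name__ == "__main__":
    for f in scan(("web-app", "1.0.0"), INDEX, ADVISORIES, DENIED_LICENSES):
        print(f"{f['type']:<13} {f['scope']:<8} {f['package']:<22} "
              f"{f['detail']}  via {' -> '.join(f['path'])}")
```

Run against the constructed index, it reports one indirect vulnerable library reached through http-client, one direct dependency with a denied license, and one dependency that cannot be scanned at all because the index has no metadata for it.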

Speakers

Sven Ruppert

    Developer Advocate

    Sven is working as Developer Advocate for JFrog and has been coding Java since 1996 in industrial projects. He worked for over 15 years as a consultant worldwide in industries like automotive, space, insurance, banking, the UN and the World Bank. He regularly speaks at conferences and meetups worldwide and contributes to IT periodicals as well as tech portals. In addition to his main topic, DevSecOps, he works on mutation testing of web apps and distributed unit testing, besides his evergreen topics Core Java and Kotlin.

    Video Transcript

    Hello and welcome to this video, it's a pleasure to see you here, and I want to highlight a little bit what we are discussing about today. So first of all, how to start with security inside your DevOps world, so how to migrate from DevOps to DevSecOps. I want to highlight a little bit what tools you have, what are the low-hanging fruits, and how to start efficiently if you already have an existing CI environment. The next thing I want to highlight is what happened with the SolarWinds hack, how this changed our world, our IT world, and the reaction, the executive order from the U.S. president, Mr. Biden. What does it mean, how will this affect our IT environment, how far will this go, and is this just something for the U.S. area or will it influence the rest of the world as well? So if you're interested in all these cyber security topics, then you're exactly right here.

    By the way, my name is Sven, I'm Developer Advocate for JFrog, and as you can see I'm right here in the forest, and we will have two journeys: one is to the DevSecOps world, the other one is to some places here in the woods. So I will take you with me, and if you already saw a few of my videos, welcome back; if you are here for the first time in one of my videos, welcome from my side, it's a pleasure to see you here in this video. And well, if you want to see more about this, check out the YouTube channels, one on the JFrog side and my private one, so I have them in German as well as in English, and it would be a pleasure to get from you not only a few thumbs up on my YouTube videos, I would really appreciate to see you as my new subscriber.

    But now it's time to start. So what do we want to start with first? Let's see who SolarWinds is and why this affected our whole view on the cyber security world.
    Well, SolarWinds itself is a company in the U.S., and they have three hundred thousand customers, I'd say, and they are developing a tool that is able to manage network infrastructure. And guess what's important if you want to manage network infrastructure: well, you need very high rights, so it's exactly what you need to switch something in this configuration. And the other thing is that if you're managing this infrastructure of a company, then you're in one of these really critical infrastructure parts of the company, because all the communication, everything relies on the network infrastructure. So SolarWinds is a company that builds the Orion platform, and this Orion platform is exactly the tool to manage networks.

    So what happened during the SolarWinds hack, and how did this infect the rest of the world? So the hacker group just broke into the system of the company SolarWinds, and instead of stealing data or just compromising some stuff so that it's not working anymore, whatever, they compromised the CI environment. Yes, you heard right, they compromised the CI environment in a way that with every build, the build was not only building the binary the SolarWinds company wanted to provide, now they added compromised binaries as well. So they have infected binaries now, and having in mind that this company has 300,000 potential customers and an automatic update function, this was a huge multiplicator. So this compromised binary that was now included with every build was provided by this update functionality and then pushed to the customers. On the customer side it has done nothing, so just sleeping for one or two weeks, and then it starts loading more binaries to the site where they are active. And this means that every SolarWinds attack is completely different: so they have this main hole, this main binary that, in fact, is scanning the system; the binary starts working in terms of infecting more nodes and grabbing more binaries to have more functionalities. On the other side, you have now opened a bunch of doors, and you don't even know how many doors, what the doors are, and so on.

    So what do you have to do to get rid of SolarWinds? Well, you really have to shut down the whole infrastructure, clean it and install it from scratch. Traditional stuff like checking fingerprints from the company that's offering these binaries would not work, because the fingerprint is done over the infected binary. So even if you're checking fingerprints, it will give you nothing, so it will just, yeah, give you a wrong kind of security.
    So the next question is, what are the different sides? So what do we learn from the SolarWinds hack, what is the big difference compared to others, and the next step would be how to work against this, what can you do to be prepared against something like a SolarWinds hack or whatever attack? What are the different sides of the SolarWinds hack? So first of all, how to prevent that you are consuming infected binaries, so what's the side of the customers that are consuming stuff, and the other side is how to make sure that you are not this company that is providing infected binaries. So you have now two dimensions. And the other thing is that the attacks are not going to the final targets anymore, they are attacking the supply chain. So to compromise your system, you not only have to protect your own system, you have to protect the whole supply chain, and this is something really new. So the quality of the SolarWinds hack was really a new one, and it was something that is not so easy to detect. So what tools or what basic mechanics do you have to prepare yourself against a SolarWinds hack? First of all, not consuming infected binaries, to identify what's going on, to clean it, and on the other side, don't be the next following, so that you are not pushing compromised binaries to the world.
    What's DAST? Dynamic application security testing is the way to scan the running application. So what you try to do here is that you want to get all the most common vulnerabilities, like SQL injection or whatever, to take a running system to find out if this vulnerability is there. So dynamic application security testing is focusing on testing already running applications, and the best thing is if you're running this one against a production system. What is the opposite of DAST, dynamic application security testing? Well, the opposite is static application security testing. What is the big thing here? Say what you're doing is that you're scanning all existing components, and the system must not run. So really you're focusing on the static semantics of everything that is included in this tech stack; that can include source code, it could include binaries, configurations, everything that's available. So static application security testing is something that you can do on everything that's not running, and DAST, dynamic application security testing, is focusing on already running applications. But what are the pros and cons of both of them?
    What are the pros and cons of DAST? So dynamic application security testing implies that you already have an application that is running, so you can't start from the first line of code, you can just start if you have something that's already running. This could be just the infrastructure, up to your application, but it must run. The next thing is, dynamic application security testing is focusing on identifying the most common vulnerabilities, because the tool stack itself is mostly trained on these most common vulnerabilities like SQL injection. You have this black box testing, so you don't need information about what technology is used or what's internally used or how it's done, you're just testing the... what means, just, so you're testing the package from outside, so it's a hacker approach. And this hacker approach is mostly based on these most common vulnerabilities. By the way, I have a video about most common vulnerabilities on YouTube if you want to know a little bit more about this one. But if you want to have new attacks, then you need some other approaches, like machine learning, AI based stuff that is manipulating the attack vector a little bit, or you need some knowledge to simulate this attack, and then you need a way to train the tool to do exactly this approach or to do exactly the cyber attack. So this is not easy; so mostly you need very detailed information about the attack itself, so it's nothing that is usable by everyone. But the core idea is that you have an already existing amount of attacks that you can run against this running application. There is one pro and one con additionally. So one con is that this is very, very late in the software delivery lifecycle, so fixing vulnerabilities identified by DAST is mostly more expensive, because you have to do all this work again. The good thing is, if you're testing against a production system you are able to identify all these runtime and configuration issues as well. So if you have a bad configuration that will open additional ports or that will open some attack vectors, you are able to identify this with DAST; this is not possible with SAST, what I'm explaining next. So, yeah, this is a good approach, but have in mind: you're focusing on the most common vulnerabilities, you need something that is running, and test it against the production system, not against the test system; this makes no sense, because all these runtime environment things you can identify with DAST are only valid if you're testing production and not test systems. What's SAST, static application security testing, and the pros and cons?
    So first of all, with SAST you have this white box approach, so that you're scanning all components of your tech stack, not only from outside, you're really testing every component that's inside. The good thing is you can test 100% of your system. Directly or indirectly it's possible with DAST, but directly it's just possible if you're using SAST tools. So it means really focusing on the static semantics, which is a good and a bad thing in terms of costs and fixing vulnerabilities. First of all, you can search for vulnerabilities as well as for compliance issues; this is not possible if you're just looking from outside. But if you're looking inside, you have all components, and then you can check what license this is running under, and then you can decide if that is something that is affecting your business. You don't need a running application, so you can really start from the first minute, and if you're able to identify vulnerabilities or compliance issues, it's mostly way cheaper to fix this one, because you are way earlier inside the software delivery life cycle. On the other side, it's not possible to find zero-day attacks, because you have no information about the runtime environment, about the configuration and the behavior of the application itself, because this is all inside the dynamic context, and with SAST you're focusing 100 percent on static complexity; static application security testing means on the static semantics of these tools. What can you scan? You can scan source code, binaries, configuration, everything, but have in mind you're missing the context this application is running in. On the other side, you can scan on every developer machine; so compared to DAST, which must be tested on production, SAST can be done on every machine, because you are focusing just on the components. And this will lead you to the possibility that every developer in the team can start with static application security testing, on every machine, on every CI build machine, whatever, because the runtime is not important in this testing technique. Okay, we saw the pros and cons of DAST and SAST, and what should I focus on?
    Well, in an ideal world you will have both, because they are both working hand in hand very efficiently. But if you're just starting with security and you're looking for the biggest impact or for the low hanging fruits of security, you should focus on this part, because this is by far the broadest part, and I will explain why you should focus on this, because it will help you to fulfill a lot of other requirements that are just coming from SAST. But first of all, what should I scan, what will have the biggest impact if you start with security and you want to have the low hanging fruits? Well, static application security testing will help you, because you have access to a hundred percent and you can scan 100%, and you can scan against vulnerabilities and compliance issues. But what is the best part to start with? Should I scan my source code? Well, looking at the source code part means that, first of all, this is a very tiny part compared to all other binaries in the system, and the other thing is, what can you identify if you are scanning source code? You can identify if your source code is invoking some critical functions, okay, you can try to identify patterns that may be able to be misused. So all this "may be", and I will just say exactly what the current state of this is: so we have machine learning-based stuff, we have AI based stuff, we have pattern matching stuff, but all these tools are focusing first of all on a very small part compared to the whole system, because the biggest part are dependencies. And the other thing is that you don't have this context here, so you don't know how this will be invoked, if there's something, for example SQL injection, is there something that makes sure that there is no compromised input possible, or whatever. So this is a little bit tricky, and the existing tools here will help you identify smelling code, but it's not easy, and compared to the amount of the whole tech stack you're scanning, this is something I would not focus on first. So this is something additional that is helpful for sure, and maybe in a few years the tools that are available are way better than today, but to have really a big impact you should focus on binaries.
    Should I scan binaries? And I would say yes. Why? Binaries are by far the biggest part of your system. So if you're looking at everything in your tech stack, I don't only mean what you're creating by yourself but all other dependencies, say how many dependencies you have in your project, how many binaries you're using, the operating system, the Docker layers, the Kubernetes universe, the whole tooling part, so your CI environment, your JDK, your compiler, whatever. So if you're checking everything, if you're looking at this one, binaries are by far the biggest part in your whole tech stack, during development as well as during production, and then it makes sense to scan all binaries. Looking at the SolarWinds attack, they compromised the CI environment, and just a question to you: did you ever check your CI environment against vulnerabilities? Well, but it makes sense to check all these binaries, because they are available, they're easy to identify, they're easy to... what means easy, but they are good in terms of how to identify vulnerabilities, compliance issues, and if you have something like a package manager, you have all the metadata around, say this dependency is based on the following dependencies, directly or indirectly. So should I scan binaries? Yes, because this is the biggest beast, and you can scan against known vulnerabilities as well as compliance issues, and this is the biggest amount of weak points you will have inside your system.
    Okay, what are the requirements for a good binary scanner? So if you should focus on scanning binaries, you need a good binary scanner, and what are the requirements? The requirements are mostly based on the metadata, not on the scanner itself. So scanning one binary is one task, it's well defined: you have the input, you're scanning the binaries, you have some metadata, maybe in terms of: I can identify via a fingerprint that this is this binary and exactly this one, so you can have this blacklisting or whitelisting approach. But what's really impactful is if you have all metadata around this binary based on the package managers. So mostly all dependencies in a system, direct or indirect, are managed by package managers, and if you have the knowledge about the package manager, you know all this meta information around there, so direct and indirect dependencies; sometimes you are able to identify even the dependencies over technical borders. So what are the best requirements for a binary scanner? The knowledge about package managers, access to these package managers, being able to go over technology borders and not only focusing on one tech layer. So a binary scanner that's just focusing on Docker layers is not as good as a binary scanner that can scan the Maven dependencies, the Debian packages, the Docker layers, the Helm charts and all the stuff this tech stack is running in. So these are the requirements for a perfect binary scanner.
    So one question might be: what should I use, or what should I start with? Well, I would recommend to have a look at the free tier, because there we have Artifactory and we have Xray, and Artifactory is a package manager, so you have exactly all this meta information about the package managers itself, so direct and indirect dependencies; you have the information about the build itself if you're using build information or storing build information there as well. And on the other side, Xray is scanning over all these package managers and technologies. And the best thing inside the free tier: you can use it for your own projects, privately or commercially, for free. So you just register for the free tier, or come to one of the workshops where I will show how to deal with this one, or just try it by yourself. If you want to know how to start with this one and you are not able to wait until the next workshop will start, just go to my YouTube channel, I have a few how-tos on how to start and ramp up a basic project. And the third: what is the right time to scan binaries?
    If you're focusing on scanning binaries because this is the biggest part, does it make sense to scan them during production, like inside the production environment? Well, to say the truth, my personal opinion is that it doesn't make sense to scan binaries in production, because you have all these previous steps, and inside production you don't have more information about the static semantics, you just have additional information about the runtime environment. So a tool that is scanning for static stuff makes no sense to use in production; the only thing is monitoring and DAST tools, because they can use the environment and configuration and all this meta information that's available inside runtime systems. So scanning binaries in production, my personal view is, makes no sense. So what is a better place? Okay, if scanning binaries makes no sense to do inside the production time, because you don't have additional information that you can use for static analyzers, then what is the right time? Okay, so it means you must do it earlier. Before I'm talking about what the previous steps are, I want to highlight the term shift left, because you will find this in documentation or other videos as well. And shift left is one thing that means that, if production is on the right side and starting to write code is on the left side, and all the steps in between you have, if you are going more to the left it means you are shifting left, so you are pushing something more to the left, more to the beginning of the production. And yeah, read a little bit more about it on Wikipedia or other resources you will find on the internet. So shift left means pushing more and more to the beginning, to the root of creating or consuming or adding vulnerabilities. So the right side is production, the left side is the concept phase, and now we start shifting more and more left, because what is the best part to scan and what are the different steps you can use?
    Okay, if shift left means that we are going from production a little bit more to the creation process, to the left side, what is the next part? The next part is the CI environment, so everything that will be built automatically after you created something, everything that's preparing the binaries that are running in production. Does it make sense to scan inside the CI environment? Yes, definitely, because here you're composing all the final binaries, here you're consuming all binaries, this is a working horse, it's your environment, so it makes sense that here some kind of scanning is implemented, because everything should go through this final step, so it's the last border before you are going to production, and the machine is doing a good job, because it's doing it always with the same quality, with the same speed and with the same behavior. Yeah, scanning inside the CI environment, definitely; so shift inside your CI environment.
    What is the bad thing? The bad thing is that you already wasted some time during the coding time. So is there any previous step you can use additionally to scanning inside the pipeline? Yes, we have one step that is a bit more powerful, in the beginning of the production phase. What's more left than scanning inside the CI pipeline? Well, this is immediately inside your IDE. So shifting left inside the IDE has some pros and cons, and it's one of the earliest parts where we can start scanning against known vulnerabilities and compliance issues, and we definitely start investing time, we have not even already invested time. That means if you're scanning inside the CI pipeline, this is good because this is a final border, this is a quality gate you have to pass, there is a verification; but to find a tool to work or to fight against known vulnerabilities and compliance issues, the better place is inside your IDE, because what you're doing if you start coding: you're writing a few lines of code and then you start adding some dependencies, and this is exactly the right time to scan, because if inside your IDE you will get the information "oh, there is a vulnerability", or "this is a wrong license", or "there is an indirect dependency that doesn't fulfill our requirements", you can react immediately: you can stop using this library, you can change it, you can change the version, whatever is necessary. So inside the IDE you wasted less time, less money, you are mostly more flexible than changing during the CI phase, and that means, fighting against known vulnerabilities and compliance issues, the best place from my personal point of view is, you should start inside the IDE with it. And well, if everybody in your team is doing this, then vulnerabilities will have nearly no chance. What's the lesson learned from the SolarWinds attack?
    Well, first of all, what is new? So the new thing here, and really the big thing here, is that the attacks are not against the final targets anymore, the attacks are against multipliers, against supply chains. So it means that instead of focusing on the target they want to hack, they're going to somewhere who's delivering something, so they're going to some part in the delivery chain. And this will lead to a few questions, for example: are you part of a delivery chain, are you part of this target they want to reach? And I would say yes, definitely, we are directly or indirectly now targets, because the SolarWinds hack is not focusing on the main things they want to get, now they are focusing on everybody that is somehow related to the supply chain. So if SolarWinds is affecting the supply chain and trying to find multiplicators, is there a risk for us? Yes, definitely, because we are consuming binaries, we are consuming so many binaries. So during the time we're coding we are adding dependencies, so we are consuming binaries; we are using technologies like Docker, Kubernetes, serverless, containers, whatever, yes, this is consuming binaries; we are using operating systems, we are consuming binaries because we are not writing operating systems by ourselves. And have in mind this includes the whole tech stack for your production as well, so scan your CI environment, scan your linker, your compiler, your tooling, what you're using, because these are all binaries that can be or could be compromised. So we are consuming binaries, definitely; should we scan all of them? Definitely. But what was the other side of the SolarWinds attack? The other side of the SolarWinds attack, yeah, definitely it was distributing binaries. Are we distributing binaries? Oh yes, because I'm coding some stuff and then I'm distributing, I'm distributing to our production system, or I'm distributing something that our customers are using, I'm distributing binaries because I'm offering a free open source project, whatever. So we as developers, we have now these two angles of the SolarWinds hack: we are consuming binaries, definitely, and we are pushing binaries, we are multiplicators. So this means we should be aware of what's going on in the whole supply chain, and this is what we learned from the SolarWinds hack: scanning the whole supply chain. So we are not the only ones that learned from this SolarWinds hack. So, lesson learned:
    even the us government got a big lesson
    learned because
    governmental institutions departments
    also were infected by solarwinds hack
    and this was
    bringing a big wave inside their
    internal communication and structures
    and this was leading to the executive
    order and who gave it
    it was a mr president mr biden from us
    and he gave an executive order
    on or off cyber security so it means
    there was a statement it was related
    more or less to the solarwinds hack
    because this was definitely a new
    quality and the impact of the solarwinds
    hack was huge
because to get rid of the SolarWinds stuff you're not even removing a binary, you really have to remove the infrastructure and ramp it up from scratch. So what is it? Let's learn. So who gave this one? It was the president of the US. And why? It was a reaction on the SolarWinds hack. But me, as a non-native or non-US citizen, I never heard about this term, executive order. So what is an executive order and what does it mean? The first time I heard this term, executive order, I had no clue what it means, because I'm from Germany; I have no clue about the governmental structures and the rules and all this stuff from the US. But I started reading a little bit, and what I found out (I'm not a lawyer, so it's just a very simplified explanation): the executive order is coming from the CEO of the company USA, let's say. The president is the only one that can give executive orders, and if you look at this president like the CEO of a company, what can he do? He can influence the way this company is working. He can't change the rules outside without any rule, so he cannot just decide that we are increasing taxes or decreasing taxes or we are changing some law or whatever, but he can give this executive order, that means, how this governmental organization is operating. So, and if this executive order is against the law, the US law, then there are some other institutions that can work against it or can say this executive order is not right or whatever. So I'm not very detailed informed about this one, but the main thing is: an executive order will influence how the governmental structure will work, and the executive order of cybersecurity will make sure that everything that has something to do with software that is used or produced by the US government will be affected by this executive order.

And then the next question is: how is this legally binding? So what is it? And now the question is, why should I care about an executive order in the US if I'm in Europe or somewhere in the world? And these are two questions I want to have a short look at now. So how is an executive order from the president (and he's the only one that can give these executive orders) legally binding? So there are several rules here. The executive order can only be done for how the government works, so for internal structures, how this is operating and what are the rules. He cannot use an executive order to increase taxes or decrease taxes or change law that's affecting everybody on the street directly; for this they have other structures. But mostly it's in a way that this executive order is influencing the governmental structure, and the governmental structure and how it operates will influence directly or indirectly the economy as well. So the main question, how is this legally binding? Well, it's just an advice, or it's a construction that will change how the government internally will work, and then they will check if this is against law, yes or not.
Okay, there are a few things left. So first of all, what is the content of this executive order, so what are they defining? So the executive order is now describing SBOMs, the software bills of materials, and you need a full list or description of all sorts of components that are used directly or indirectly. Speaking in terms of Java, for example, if you have a Maven dependency it's not enough to write down "I'm consuming the dependencies A, B and C"; you need to write down what dependencies these dependencies are using, so all direct and indirect dependencies. The next thing is, it's not only for the software that is created, it's for the whole tech stack. So all software that is running must now be included in this software bill of materials, and this is a huge thing. On the other side, it's something like the complete documentation about every tiny piece that's running.

Well, does this affect us, or will it change something? First of all, it will immediately change something on the US market, so everybody who is directly or indirectly producing software for the government, or something that is used by the government, has to fulfill this requirement for sure, so they have to create this bill of materials. On the other side, will this affect parties outside of the US? For sure, we are globally connected. So if we are creating something that is used by a company that's providing something that's delivering to the US company or to the government directly, how long this tail is doesn't matter. So it's really: we are affected directly or indirectly by this executive order, because we have to fulfill this SBOM. It's more or less like the GDPR that was coming from Europe. So we defined inside Europe how we want to deal with data protection, and then the requirement was for external companies as well, like these big cloud providers or whatever, and this would be the step to push all this stuff to the US. So GDPR was coming from Europe and was swapping to the US; now the executive order is coming from the US and it will definitely swap to Europe and the rest of the world as well. So yes, we have to prepare to fulfill these requirements.

So the next thing is, before we are getting to this SBOM topic again, I want to see if we have already something that we can use to fulfill this requirement, and yes, we have something. So let's talk a little bit about the full impact graph.
If you're searching for vulnerabilities or compliance issues (compliance issues is one thing: you want to check if there's no component with the wrong license), I'm focusing here right now on vulnerabilities, because with this you need a full impact graph. Why? A full impact graph means: if you have a vulnerability inside, let's say, a JAR, a Maven dependency, and this one is wrapped inside a web archive, it's used in this web archive, this web archive is then embedded inside a Docker layer into one service container, and this Docker layer is part of a Docker image, which is part of a Helm chart, and so on. What we need is a full impact graph; we need the information that this infected binary is used in these different layers, or in different technologies as well, so directly or indirectly. And this means, yeah, this will lead us to a dependency tree, and we need knowledge about different technologies and the metadata of this dependency, so we need knowledge about dependency managers. And yeah, so the main idea here is that you don't trust your direct and your indirect dependencies, because you have to scan them to make sure there are no vulnerabilities. If you are able to do this over different technology borders, then you are able to extract this dependency, this impact graph, and I mean the full impact graph of all tech layers that are somehow used in your production system.
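To make the two ideas from the talk concrete, the SBOM that must list direct and indirect dependencies and the full impact graph that crosses technology borders, here is an added worked example in Python. It is not code from the talk, from JFrog or from Xray; it models the JAR-in-WAR-in-Docker-layer-in-image-in-Helm-chart nesting as a plain containment graph with constructed, made-up artifact names, and shows (a) which artifacts transitively contain one vulnerable component, with a containment path for each, and (b) the flattened component list with nesting depth that an SBOM needs, where transitive components show up that a "direct dependencies only" list would miss.

```python
"""Added example (not from the talk or from JFrog): full impact graph and
flattened SBOM component list over a constructed containment graph.
All artifact names and edges below are made-up sample data."""
from collections import deque

# "parent contains children" edges crossing technology borders exactly as the
# talk describes: JAR in WAR, WAR in Docker layer, layer in image, image in
# Helm chart. Constructed sample data, not real artifacts.
CONTAINS = {
    "helm:shop-chart:1.4": ["docker:shop-api:2.0", "docker:shop-web:2.0"],
    "docker:shop-api:2.0": ["layer:sha256-aaaa", "layer:sha256-base"],
    "docker:shop-web:2.0": ["layer:sha256-bbbb", "layer:sha256-base"],
    "layer:sha256-aaaa": ["war:shop-api.war"],
    "layer:sha256-bbbb": ["war:shop-web.war"],
    "layer:sha256-base": ["deb:openssl:1.1.1"],
    "war:shop-api.war": ["jar:com.example:orders:3.1",
                         "jar:org.example:json-lib:2.2"],
    "war:shop-web.war": ["jar:org.example:json-lib:2.2"],
    # a Maven dependency that itself pulls in further (indirect) dependencies
    "jar:com.example:orders:3.1": ["jar:org.example:json-lib:2.2",
                                   "jar:org.example:log-lib:1.0"],
}


def invert(contains):
    """Reverse index: component -> list of artifacts that directly contain it."""
    contained_in = {}
    for parent, children in contains.items():
        for child in children:
            contained_in.setdefault(child, []).append(parent)
    return contained_in


def full_impact_graph(contains, vulnerable):
    """Every artifact that transitively contains `vulnerable`.

    Returns {artifact: path}, where path runs top-down from the artifact to the
    vulnerable component. When several paths exist, the first one found by the
    breadth-first walk (one of the shortest) is kept; the set of affected
    artifacts is complete regardless.
    """
    contained_in = invert(contains)
    paths = {vulnerable: [vulnerable]}  # bottom-up chains, reversed on return
    queue = deque([vulnerable])
    while queue:
        node = queue.popleft()
        for parent in contained_in.get(node, []):
            if parent not in paths:
                paths[parent] = paths[node] + [parent]
                queue.append(parent)
    del paths[vulnerable]
    return {art: list(reversed(chain)) for art, chain in paths.items()}


def sbom_components(contains, root):
    """Flattened component list for `root`: every direct (depth 1) and
    transitive (depth > 1) component, each at its shallowest nesting depth.
    This is the "direct and indirect dependencies" list the talk says an SBOM
    needs; depth-1 entries alone would be the insufficient "A, B and C"."""
    depth = {}
    queue = deque([(root, 0)])
    while queue:
        node, d = queue.popleft()
        for child in contains.get(node, []):
            if child not in depth:  # BFS reaches the shallowest depth first
                depth[child] = d + 1
                queue.append((child, d + 1))
    return sorted(depth.items(), key=lambda kv: (kv[1], kv[0]))


if __name__ == "__main__":
    vuln = "jar:org.example:json-lib:2.2"
    print(f"Artifacts affected by {vuln}:")
    for artifact, path in full_impact_graph(CONTAINS, vuln).items():
        print("  ", artifact, "  via  ", " -> ".join(path))
    print("\nSBOM components of war:shop-api.war (name, depth):")
    for name, d in sbom_components(CONTAINS, "war:shop-api.war"):
        print("  ", name, d, "(direct)" if d == 1 else "(transitive)")
```

Running it shows why the direct list is not enough: `war:shop-api.war` declares two JARs, but `log-lib` arrives only through `orders`, and the one vulnerable `json-lib` JAR turns out to sit inside both WARs, both Docker images and the Helm chart, while the shared base layer and its OpenSSL package are correctly left out. In a real setup these containment and dependency edges come from the repository manager's metadata rather than a hand-written dict; the walk itself is the same.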
Okay, we need a full impact graph, but how to extract this full impact graph? For this you need one logical point where you have access to all dependency managers, because if you have access to all dependency managers that are used, you have access to all metadata. And we have this dedicated place, and that's called Artifactory. It's more or less the manager of repository managers, and if all dependencies are going through this logical point, this Artifactory, you are able to build the whole dependency tree. And the next thing, that is able to scan binaries, is Xray. Xray is connected to Artifactory, and with this we have now the possibility to have one logical point where all binaries are coming through: Maven dependencies, Docker images, Helm charts, whatever is used from your project, your build, your infrastructure, really everything. And then Xray is able to read all these definitions, so it knows what's already in the system, what is depending on what other technology or other dependency. So we need one logical point and we need someone who is able to read this meta information and has access to this logical point. I mentioned Xray in combination with Artifactory: Xray is a binary scanner, a scanner for vulnerabilities and compliance issues.

So how does this work? Xray has all the information that's inside Artifactory. It could be dependencies between technology borders, it could be build information, distribution bundles, and so on. And with this information we are able to scan these binaries and read metadata to bring this in some kind of context. And I just want to highlight how we are dealing with Xray, just in a few words. So we have one concept called watches, policies and rules. With rules we are describing in atomic steps what should happen if we are finding a vulnerability or compliance issue. Then with policies we are aggregating these rules, so that we have composites of rules, and then these policies are used inside watches, and watches are the combination between the actual repositories, the binaries, and the policies, the description of what should happen here. So I have a very detailed talk about this one, we have webinars about this, we have workshops how to use it, so if you want to try it on the free tier just register for the next workshop. But the basic thing is: we are able to describe what should happen based on CVSS scores, based on what technology we want to scan, and so on, and then we have some reactions. So Xray can start webhooks, can break builds, can send emails, can block downloads, and so on. And all functionality is available via REST API as well, for Artifactory, Xray, Distribution and so on. So with this we are able to integrate in every ecosystem that's already existing, or you can just create dynamic workflows with it: so I found the vulnerability, I'm going to this reporting system, the reporting system will call me, give me all this data to extract, and so on.

And this is the first step for two things. First is how to extract the full impact graph; there is something I will show you in a short screencast, how to extract it, maybe over the web UI. But on the other side, if we have all this information we can deliver not only the full impact graph, we can prepare the SBOM as well, and this is why I think this is a very good win-win situation, because with already fighting against vulnerabilities we have in place all the technologies we need to fulfill the executive order on cybersecurity for the US government as well, because we are not only able to extract the full impact graph, we are able to extract the full dependency tree, the SBOM, the software bill of materials, as well.
So what are the next steps? So slowly the weather is changing; the weather forecast told me that we are expecting a thunderstorm, maybe in an hour today, so it starts raining a little bit. But it's a perfect time to wrap up anyway, so it's time for the conclusion.

So what we learned so far. First of all, what we learned is what is the SolarWinds hack, so what happened here. With the SolarWinds hack we have no attacks against the final targets; we have them against the supply chain. So we are affected, or, yeah, we have to prepare ourselves: not only checking what we are using, checking what we are producing as well, so scanning our own infrastructure, not only the dependencies we are using during the coding phase. So this is one thing. We saw a little bit the difference between DAST and SAST: dynamic application security testing for testing runtime environments, good for finding bad configuration, open ports and all this stuff. On the other side we have something about SAST, the static application security testing, and this is by far the low-hanging fruit, the first thing you should focus on if you start with security, because with this we're scanning all components, all static environments or parts of that environment, so we can test a hundred percent, and we can scan for vulnerabilities as well as against compliance issues. So should you scan your source code? Well, maybe, but here we focus on binaries, and scanning binaries means that you must have a place where all binaries are coming together, so that you have some meta information about not only the binary itself but about all dependencies. For this Artifactory is a perfect place, because here you have a manager that's able to manage all the package dependency managers, and with Xray we are able to read this information: not only the binary itself, we have not only access to the binary but at the same time we have access to all the metadata, so we can extract the full impact graph.

Why do we need the full impact graph? We have two things why we need it. First of all, we need a full impact graph to start cleaning our system, so that we see where vulnerabilities are used somewhere in the system, directly or indirectly. And on the other side, if you're able to extract the full impact graph we are prepared for the executive order, and this executive order will just push the government to creating SBOMs, software bills of materials. For this we need everything that we're using, actively or otherwise, directly or indirectly, and it's just a question of time that the requirement for the government will affect the economy in the US, and it will affect the economy worldwide. So wherever you are, start preparing for this executive order, for this creating SBOMs, the software bills of materials. And with Artifactory and Xray you have all tools in your hand to do two things: fight against vulnerabilities and compliance issues, even inside your CI environment or inside your IDE (so shift left is possible straight down to the IDE), and on the other side you have all tools in your hand to start creating SBOMs.
If you want to know more about this, I will create a few more webinars on topics a little bit more specific on different parts of this. If you want to have a hands-on experience, well, just register for one of the next workshops I have; every few weeks I have the workshops for DevSecOps, and I will show you how to use Xray, how to ramp up, how to use the free tier. If you don't want to wait, just check out my YouTube channel. I have a bunch of YouTube videos explaining how to start with the free tier and how to start with Xray for free. Otherwise, well, it starts raining, it's really time to wrap up now. So you are able to reach me on Twitter, on LinkedIn, on YouTube. If you want to see way more of these outdoor style IT videos, then just check out my YouTube channel; I would really appreciate to see you there as my new subscriber. Otherwise, thank you for watching. If you have any questions or suggestions, just let me know over social media or in the Q&A phase. And that's it from my side. I have to pack up now; I have to find a dry place and wait. I think the thunderstorm there is estimated at one or two hours, and then I will start going home slowly. Okay, so thank you for attending, have a nice day, stay safe, and see you.