OSS Security and Compliance Monitoring and Gatekeeping @ DevOps Utah

June 8, 2022


OSS Security and Compliance monitoring and gatekeeping!
In this talk, we will discuss the approaches Developers and Build & Release Engineers can take to monitor the OSS components entering their organization. We also look at:

  • How to shift left in the DevSecOps landscape and gain visibility into OSS component consumption?
  • What are the automated gatekeeping options available?
  • The need for an SBOM and the tools available to generate one
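The automated gatekeeping the talk describes (a CVSS v3 threshold, a license allow list, and a "block unscanned" option, applied to the components listed in an SBOM) can be sketched in a few lines. The example below is added for this page; it is not JFrog's, Xray's or the speaker's code. The CycloneDX-style SBOM, the vulnerability feed entries (placeholder ids of the form EXAMPLE-000n, not real CVEs) and the policy values are all constructed for illustration.

```python
import json

# Constructed CycloneDX-style SBOM (JSON). The components, versions and licenses
# are invented for this example and do not describe any real package.
SBOM_JSON = """
{
  "bomFormat": "CycloneDX",
  "specVersion": "1.4",
  "components": [
    {"type": "library", "name": "liba", "version": "1.2.0",
     "purl": "pkg:npm/liba@1.2.0", "licenses": [{"license": {"id": "Apache-2.0"}}]},
    {"type": "library", "name": "libb", "version": "3.0.1",
     "purl": "pkg:npm/libb@3.0.1", "licenses": [{"license": {"id": "GPL-3.0-only"}}]},
    {"type": "library", "name": "libc", "version": "0.9.0",
     "purl": "pkg:npm/libc@0.9.0", "licenses": [{"license": {"id": "MIT"}}]},
    {"type": "library", "name": "libd", "version": "2.2.2",
     "purl": "pkg:npm/libd@2.2.2", "licenses": []}
  ]
}
"""

# Constructed stand-in for an SCA tool's vulnerability feed, keyed by purl.
# A purl missing from the dict has never been scanned; an empty list means
# scanned and clean. The ids are placeholders, not real CVE identifiers.
VULN_FEED = {
    "pkg:npm/liba@1.2.0": [],
    "pkg:npm/libb@3.0.1": [{"id": "EXAMPLE-0001", "cvss_v3": 9.8}],
    "pkg:npm/libc@0.9.0": [{"id": "EXAMPLE-0002", "cvss_v3": 4.3}],
}

# Hypothetical policy in the shape the talk describes: a CVSS v3 threshold,
# a license allow list, and whether unscanned / unlicensed components are blocked.
POLICY = {
    "block_at_cvss_v3": 7.0,
    "allowed_licenses": {"Apache-2.0", "MIT", "BSD-3-Clause"},
    "block_unscanned": True,
    "block_unlicensed": True,
}


def cvss_v3_severity(score):
    """Map a CVSS v3 base score (0.0-10.0) to its qualitative rating."""
    if score <= 0.0:
        return "none"
    if score < 4.0:
        return "low"
    if score < 7.0:
        return "medium"
    if score < 9.0:
        return "high"
    return "critical"


def parse_sbom(sbom_json):
    """Return (purl, [license ids]) pairs for every component in a CycloneDX JSON SBOM."""
    doc = json.loads(sbom_json)
    components = []
    for comp in doc.get("components", []):
        license_ids = [
            entry["license"]["id"]
            for entry in comp.get("licenses", [])
            if "license" in entry and "id" in entry["license"]
        ]
        components.append((comp["purl"], license_ids))
    return components


def evaluate(purl, license_ids, feed, policy):
    """Decide allow/block for one component and record every reason for a block."""
    reasons = []
    findings = feed.get(purl)
    if findings is None:
        # Never scanned: the "block unscanned artifacts" switch decides.
        if policy["block_unscanned"]:
            reasons.append("not yet scanned")
    else:
        for f in findings:
            if f["cvss_v3"] >= policy["block_at_cvss_v3"]:
                reasons.append("%s: CVSS v3 %.1f (%s)"
                               % (f["id"], f["cvss_v3"], cvss_v3_severity(f["cvss_v3"])))
    if not license_ids:
        if policy["block_unlicensed"]:
            reasons.append("no license declared")
    else:
        for lic in license_ids:
            if lic not in policy["allowed_licenses"]:
                reasons.append("license %s not on allow list" % lic)
    return {"action": "block" if reasons else "allow", "reasons": reasons}


def gatekeep(sbom_json, feed, policy):
    """Evaluate every component in the SBOM; returns {purl: decision}."""
    return {purl: evaluate(purl, lics, feed, policy)
            for purl, lics in parse_sbom(sbom_json)}


if __name__ == "__main__":
    for purl, decision in gatekeep(SBOM_JSON, VULN_FEED, POLICY).items():
        print(purl, decision["action"], "; ".join(decision["reasons"]))
```

With this policy, liba and libc are allowed, libb is blocked twice over (a critical score and a license outside the allow list), and libd is blocked because it was never scanned and declares no license. Flipping `block_unscanned` and `block_unlicensed` to `False` gives the more lenient dev-environment policy the talk contrasts with a strict CI policy: the unscanned component then passes, which is exactly the gap a "block unscanned" option closes.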

Speaker: Gowtham Neerukonda

Gowtham is a DevOps Acceleration Engineer at JFrog. A passionate engineer, he has experience working with Embedded Systems, Application Security, and DevOps automation. As a member of the DevOps Acceleration team, he enjoys learning about new advancements in the DevOps world and helping customers embrace JFrog's Universal DevOps platform. He enjoys cooking and playing board games, especially Catan. His interests also include volleyball and FIFA (PS4).




Gowtham Neerukonda

Solutions Engineer @ JFrog


Video Transcript

Ari Waller: ...now, and let's, yeah, let's go ahead. We've got people just coming in, so, yeah, go ahead. Okay, all right, cool. Hey everybody, my name is Ari Waller and I am the meetup event manager, and we're really excited to join you, Brett and team, over here at DevOps Utah. It's always been interesting going through the pandemic and coming to different meetups and just meeting a lot of new people. I'm not sure when the plans are to go back to face-to-face for you all, but we're seeing it's a good transition; I actually have a face-to-face meetup right after this tonight, so it'll be interesting to see. But anyway, for those of you who are not familiar with JFrog, we are the DevOps software company founded in 2008, and most of you may know us by our flagship product, Artifactory; sometimes the connection is not always made there between the company and the product. Many consider us to be the gold standard in managing your artifacts and dependencies. JFrog's been committed to the DevOps technology communities. We developed a free tier version of our JFrog platform specifically for the meetup community, and it's free to use for your projects or just to play around with, as long as you like, no credit card required. It's not even a trial version where it automatically starts kicking in and charging you; you can use it as long as you like. We also have free hands-on workshops if people want to try that too, so I'll drop a couple of links in the chat in just a couple of moments to see if that's something you want to look further into. With that being said, one of our core values at JFrog is community happiness; that's really important to us. JFrog started as an open source product in 2006, even before we were officially a company, so it's great to be able to come and... JFrog loves doing raffles and things at meetups, and I do have a raffle today. I'm going to share my screen, see if I can easily share my screen. You'd think, with all the experience I have with all the online meetups, this would be really, really easy, to find the share button, but you know what, sometimes it plays some tricks on you, like it is at the moment. I think we're good. Let me see here if I can easily share... this works, please work. Oh, let me try it.

Brett: Maybe you weren't like a host, you shouldn't have... trying to do it. I think we're good.

Ari: Ah, let's see. Yes, okay, cool. Can everyone see my screen okay?

Brett: No.

Ari: Awesome. So what I'm gonna do in that little predicament is go ahead and think on my feet, and I'm going to send this over to you, Brett, if you don't mind sharing this really quick.

Brett: Okay, thank you. Did you put it in the chat?

Ari: For some reason, let me see here, it says it's sharing when it's not, so I'm trying to get back there. Come on.

Brett: No pressure. Yeah, I just see you.

Ari: Yeah, no, I know, I realize what I didn't do. So I logged into the Zoom room, but I didn't take the time to actually log on to Zoom so I could share it. So that is why, and you'll see me trying to get in the waiting room.

Brett: Okay, there we go. Do you need me to... I'll make you the co-host. Turn myself on mute here. Good, so you can't hear me there. And now, am I echoing? No. But let me make you the co-host so you can share. Okay, now you should be able to share.

Ari: All right. Hopefully you can edit this part from the video.

Brett: No problem.

Ari: Okay. All this for a little bit of fun. So last time we did something a little bit more serious; I think we did an Amazon Alexa last time. This time we're doing something a little bit more fun. There's a lot of people I find in IT that enjoy Star Wars, so we're gonna give out a little bit of a Star Wars toy. And officially, here we go. So, for those who are Star Wars fans, you may have already started watching The Book of Boba Fett, and we have a Boba Fett... let me get the screen up better so you can see it.

Brett: Yeah, it looks a little truncated. I don't see it.

Ari: Yeah, let me see what the pro... it's on me, I think. Here, there we go. Is that better?

Brett: Yes.

Ari: Yeah, all right. Wow, you know what, I've done this a couple hundred times and this has been my most difficult one, so thanks for bearing with me, everybody. So in this, everyone has a chance to enter a raffle to win a Star Wars LEGO helmet set, for those who are present today. A winner is going to be selected within three business days after the meetup and contacted by email so you can formally claim the prize and we can send it out to you, because for compliance purposes I'm not able to do the live drawing, which I would love to do over the web. But that being said, it's just the way JFrog likes to share a little bit of community happiness with everyone else. So what I'll do is I'll share this; I'll drop the links in the chat too if it's easier than the QR code. I have built this set before; I have about 50 different Star Wars LEGO sets at home, and this is definitely one of my favorites. Boba Fett's obviously a pretty important character in the whole series. I'll go ahead and drop that along with the free software links in the chat in just a few moments, and again, thanks for having Gowtham and me here in your community; we really appreciate it. So I'm going to turn it back over to you, Brett.

Brett: Thanks, Ari, I appreciate that. Yeah, if you share that... I also took a screenshot of it.

Ari: Sure, I'll actually get that over to you in just a couple of minutes in the direct messaging.

Brett: Okay, all right, thank you. Great, yeah, we appreciate everyone attending, and JFrog for presenting today. Gowtham's going to present on open source security and compliance monitoring and gatekeeping, and, you know, as more and more of us use open source software all the time and are always getting those updates on vulnerabilities, we know this is just a really key subject, because I think some people think, "Oh look, I've got this free software and everything's great," not understanding that they're actually introducing some vulnerabilities. So with that, Gowtham, let's turn the time over to you to present, and we'll go until about 6:50, with questions and answers at the end, or however you want to do it. Do you mind having questions during your presentation? Andrea and Tiffany and I can kind of field questions as they come up. Is that okay?

Gowtham: Yeah, please feel free to put them in the chat, because right now it is very noisy here. I might not be able to catch all of them, but I will pause every 7 to 15 minutes to see if there are any questions in the chat and answer them, so that I can stay on track for the time that is allotted.

Brett: Okay, yeah, that sounds great, and as they come up we'll... don't worry about reading the chats, we'll read them and then feed the questions to you.

Gowtham: Oh, okay, perfect.

Brett: We'll multitask there. So go ahead, thank you.

Gowtham: Okay, thank you.
Gowtham: So first of all, thank you for providing me this opportunity to present some of the ideas that I have and the findings that I have in the field about OSS security and compliance monitoring. Just a quick background: my name is Gowtham Neerukonda, and I work as a solutions engineer at JFrog. Basically, I'm a very passionate engineer and always wanted to learn about the stuff around me, how the technology works, and at the same time I did have a lot of pleasure in sharing my knowledge with others as well, and that's how I ended up in the sales team at JFrog. Today I would like to present you with some of the common patterns that organizations employ in order to monitor the open source components as well as their software supply chain, and see how they can enforce certain gatekeeping capabilities around these OSS components. I'll keep it very basic and introduce you to some of the terminology aspects as well, and then we'll move on to the ways in which organizations are trying to protect their software supply chain.

Coming to open source components: as you might be aware, nowadays any organization that is developing software, to stay competitive or to make sure that they release faster to the market, relies on 85 to 90 percent open source components, on top of which they build their business logic. More recently, with SolarWinds and the recent [inaudible], there's a lot of emphasis on these software supply chain attacks and on monitoring the open source components entering a given organization. And of course, if you look at DevOps, it's all about detecting the feedback at every stage and automating the process of collecting the feedback, deploying the software and developing the software that your end consumer can seamlessly access. As a part of this process, it's also an integral part of DevOps to maintain the security aspect of it, to make sure it is safe and reliable for the public to consume the software and access your application that serves your business logic. So we see that a lot of the industry shift is also moving towards DevSecOps, which treats security as an integral part of this process. Again, as a part of this talk, I want to make sure that you are empowered with some of these basics and that you get to apply these in your day-to-day DevOps workflows as well, on how to monitor these OSS components.

Now coming to the problem statement. The basic way in which any organization consumes an open source component is from a public registry like GitHub, or npm central, sorry, the npm registry, Maven Central, JCenter, GoCenter; there are a lot of public registries, Docker Hub, that serve these open source dependencies. Increasingly, attackers are seeing that there's a good way to collect the list of these dependencies and the risks that are being introduced into these components, and there are some loopholes in terms of how these open source registries host a given package. They're also trying to leverage these sorts of basics of how these public registries are serving these open source components to introduce malicious code or malicious intent, or to find out a vulnerability in an existing open source component to compromise the enterprise's applications.

So mainly, when it comes to an open source component, when you look at it, these are the four main risks that are associated with them. The first one is security risk: it can be a vulnerability, it can be some sort of an issue in the way in which the package has been designed that offers a door for the given attacker to compromise the system. When it comes to licensing risks, there might be a certain clause in a licensing certificate associated with the open source component that doesn't allow you to reuse the given component in a certain specific way, and this is something that the legal compliance teams are really worried about, and they constantly want to generate license reports around the OSS components that you consume. Also, when it comes to these open source components, a lot of emphasis is placed on the operational risk aspect of it: whether the given open source component is being constantly updated and patched, whether it is using the latest set of libraries or further downstream dependencies on top of which it is built. This is also really important and is going to pose a lot of risk to your application when it comes to consuming this. At the same time, the software quality emphasis is also really important. The same way you do a lot of static analysis to figure out whether the code that you have built is really robust or not, it goes through multiple layers of testing in order to qualify it and vet it before it gets deployed into production, whereas these open source dependencies hosted by various public registries might not be performing the same set of validation and security checks on these components. So that's the problem statement that we are looking at: how an organization can safely and securely consume these open source components and make sure that their software supply chain is secure.

Now, one of the main solutions that you can employ, which we are going to talk about today, is called software composition analysis, or SCA. At a basic level, what a software composition analysis tool does is it basically inspects the package. Depending on the type of packaging technology, whether it is Docker, npm, Maven, NuGet, PyPI, each of the packaging technologies has its own set of standards for maintaining the list of dependencies and providing that as a resource, or generating the SBOM out of it, which is completely different in each of these packaging technologies. A software composition analysis tool can solve this problem by detecting the package type and also detecting the type of open source components that are present in the metadata. Once the software bill of materials is available to a software composition analysis tool, it validates this list of components against a publicly known, trusted vulnerability intelligence platform or a vulnerability database that constantly gets updates from security researchers across the globe on what new set of packages has been detected with any new set of vulnerabilities or new licensing issues, or any operational risks. So these publicly available vulnerability databases have this information. So at the base level, the software composition analysis tool is trying to list out these open source components and check if there is any vulnerability associated.
Let's proceed. Please feel free to pause me for any questions, as well as post them in the chat; I'll be happy to help you with this by providing the responses inline.

Now coming to vulnerability intelligence feeds. There are multiple nuances here, but at a base level I would like you to be aware of the NVD database. This is a common central DB; it is an open source DB, publicly available, open to anyone to access. It's called the National Vulnerability Database. This is constantly being monitored, maintained and updated by the community across the globe. There's also something you might be commonly hearing about called CVE and CWE. This is a designation that a certain vulnerability will be assigned when it is found in a given open source component, which also has some additional details. Keep in mind that not all vulnerabilities will have a CVE number associated with them; that might be a recently discovered vulnerability that is yet to be designated under a certain CVE identity as well.

So why are we talking about vulnerability databases and their importance here? The quality of an alert that is generated by an SCA tool mainly relies on the quality of the DB feed that it is integrated with. Let's take an example: if you rely on an open source database like NVD, the vulnerability might be published, or it might be known to a certain group of security researchers, which they first publish in their internal DB feed or their internal security team's DB feed, but ultimately it goes through a lot of iterations and a review process before it makes its way into the NVD database. So really, a powerful vulnerability intelligence DB will give you quicker alerts and more comprehensive information about the given vulnerability in a holistic manner, whereas a public open source DB might be slightly delayed and might not have comprehensive information. So it's really important to pick a good SCA tool with a strong vulnerability DB.

Now let's move ahead. So now we came to know how organizations are relying on open source components and how an SCA tool can help them identify the open source components and the vulnerabilities associated with them. Now, what are the approaches using which you can introduce these SCA tools into your organization? It varies between multiple organizations, and the way in which you introduce the tool also mainly depends on your security emphasis: where it is starting in your DevOps workflow, whether it is starting in prod and shifting left, or whether it is starting on the left, at the dev environment, and shifting right towards your production. So I have collected various information points based on my conversations with customers, prospects, and DevOps practitioners and security practitioners, and boiled it down to these three approaches that we see here.

The first one is the main entry point for any dependency to enter your organization, which is the dev environment, primarily. Coming to the workflow here, we'll be seeing that the developer relies on certain IDE environments or a local build environment; they compose the code, and this code will be pulling in a lot of dependencies from the internet or from the public registries. So usually these calls will happen from the local build environment to the public registry, and once these dependencies are resolved, the developer performs certain quick tests locally before they commit the changes into the version control system. In this case, this is a very good place to start monitoring and enforcing an SCA tool, in the development environment, because shifting left will save you a lot of money and time. If you imagine a situation wherein a given build or a software package is ready to be shipped to production in the next few minutes and you find out that there's a critical vulnerability that is highly going to impact your application, it's really going to cost you a lot: the release will be delayed, your customers will be impacted, your business will be impacted, there might be a revenue loss as well. But imagine a situation wherein the same vulnerability is found in the first place, when the developer declared it the first time in their local build environment; it consumes very little time and very little effort to address it. So in this case, these are the benefits that you're going to get, as I mentioned, and this is also a good visibility point as well.

Some of the sample tools that are available in the market for you to empower your developers with a feedback loop on what sort of dependencies they're consuming, and the vulnerabilities and licensing issues associated with them, are IDE plugins. They have certain CLI-based tools that can provide a quick report on what sort of OSS components are present. Some of the tools can also integrate with the source code repositories and can scan the source code to list out the dependencies, as well as create pull requests with the fixed versions of dependencies that are found available in the public registries, so that you can quickly merge it and address the given security vulnerabilities. So these are some of the tools that are available.

One quick advancement that you can also make in this case, to better monitor the dependencies, is by employing a binary repository manager like JFrog Artifactory. Here, by having a binary repository manager, you are not only just scanning these artifacts and providing the feedback to the developer, but every call that you are making to the public registry is now proxied through the Artifactory remote repositories. So this is a unique capability that any binary repository manager can have: basically they perform on-demand proxy caching of this public registry. So now any call that the developer tries to make for a given dependency will be going through the given binary repository manager, and the binary repository manager checks the cache in the first place; if the given dependency is not available, it will pull it from the internet. So in this way, the security administrators, DevSecOps engineers or DevOps engineers can quickly examine this cache to get a quick heads-up or early warning on what sort of dependencies are being consumed in the dev environment. The other advantage is you can also create security, licensing and operational policies, which is a common way in which an SCA tool offers you to do automated DevSecOps gatekeeping, and some of the powerful actions that you can perform at this stage are sending email notifications to the developer, to the security administrator, to the policy editor that is responsible for the given policy, like an auditor. You can also block the download or consumption of a given artifact, so that the consumption is stopped and it cannot enter your organization. You can also create Jira tickets so that you can have an automated curation workflow: a security administrator will examine the dependency, see if there are any available alternatives, recommend the developer switch to a different version. There are lots of ways in which these kinds of events are triaged. Again, this is completely specific to each organization, so that's why I'm not saying any specific best practice over here, but enforcing the policies and having a binary repository manager caching these dependencies will greatly help you. Again, a quick heads-up: the JFrog platform does offer Artifactory as a binary repository manager, and Xray is an SCA tool; this is something that we also support.

Brett: Okay, Gowtham, I just had a question over there.
So does it do that in real time? So if you had, like, JFrog or a Nexus or some repository as a cache mechanism, and let's say a developer is adding something, doing a Maven build, adding it to their POM file, and we use that as a proxy, so it goes to the repo first, it doesn't find any cache, so then it goes to maybe a public repo. When it brings it in, will it scan it there in real time, or will it have a catalog of vulnerabilities, or is that something after the fact? Would the developer get it right then, and then somewhere later, after some scans, you'd be notified of, "hey, there's a vulnerability in this new dependency you just added"?

Gowtham: So it can scan in real time. Of course, you need to make sure that Xray has that bandwidth; for example, the SCA tool that is performing the analysis should have that bandwidth, and ideally I would recommend having a dedicated SCA tool for the dev environment, because your CI/CD transactions are another big behemoth that you need to be dealing with. So if you really don't want to halt the developer from consuming the given dependency and still want to intercept the call in real time, you have to employ the SCA tool inline, and it can perform the scan in real time. So, for example, in our case we have two options: block download, and at the same time there's a sub-menu called block unscanned artifacts as well. So to your question, block download can only be enforced on existing artifacts that are already scanned and are already available in the cache. Keep in mind that if a given developer pulls [unclear] 2.0, it will be available in the cache; now a separate team, in a separate view, requests the same dependency. That specific dependency is already available in the cache, which will be readily served, and the specific Xray scan is already done, and you can quickly leverage or reuse the same scan result. Of course, I see that this is also something that security practitioners greatly love, because if you just give a one-time exception, there is a good chance that the same dependency will appear again in the CI or testing phase, and as I said, as you move towards the right, it's a much more time-consuming and painful process to address the given vulnerability. So I have seen a lot of practitioners supporting this option as well, and this is where I would say the industry is also moving towards.

Brett: Okay, okay, great, thank you.
Gowtham: Now let's go to the basics of what a security policy and a licensing policy might look like. So to your question, like, "hey, does it already know the vulnerability signatures, or does it already know what type of action it needs to perform?" As I mentioned, the SCA tool will have information from the vulnerability DB sources, and mainly when it comes to security policies that you can define, which are the rules that dictate what type of action and what type of alerting needs to take place when a given vulnerability is detected, they use these two yardsticks to determine the criticality of it. The first one is a standard called CVSS score v3; this is the newer standard. In this case, it will give you the criticality level of a given vulnerability from one to ten, one being a very low impact and ten being the most impactful for your organization. Same way, if you prefer to have a different sort of mechanism or selection criteria to define a given policy in an SCA tool, you can go with no severity, medium severity, high severity or critical severity. Again, these policies can be global, which is one policy that can be applied for all the teams, or in some cases it can be a team-specific or repo-specific or application-specific policy as well.

Same way, when it comes to the licensing side of things, you will have a similar set of criteria. In this case, basically the SCA tool will be presenting you with a list of allowed licenses or a list of banned licenses that you don't want to use in your organization. These two aspects are completely dictated by the legal compliance teams; generally speaking, the SCA tools do not have any specific recommendation here, because in some organizations certain licenses are deemed to be permitted, whereas the same license clauses might not be liked by the legal compliance teams elsewhere. That's why this is something that the legal team should be closely watching and dictating in your organization. Same way, here we have global and team-specific policies. When it comes to the automated actions, you might say that, "hey, if the given component is found with a BSD license, I want to block it; if a given component is found with an Apache license, I am good with it and it can be allowed in the organization," for example. So you can define these policies and make sure that the SCA tool can enforce them and make sure that your supply chain is safe.

Now let's take a look at the second approach. Once the given dependency, sorry, once the local build is successful, the developer might push the changes into the version control system. Now you have your CI tool or an automation build tool that gets triggered nightly, hourly, or based on a commit webhook. It will utilize the internal build tools specific to the CI tool, and it tries to pull these dependencies from the remote repositories. In these cases, you can employ a command-line-based SCA analysis as a part of your pipeline and get the scan results within the pipeline itself. This is something that is also gaining a lot of traction with the Biden mandate, Joe Biden's executive cybersecurity order last year: it requires all the organizations working with the federal government to produce a software bill of materials, which is like a list of all the software constituents with which the given software package has been built. This will make sure that the software consumer utilizing the software is well aware of the constituents, and that they can also leverage some sort of an automation tool downstream to know about the vulnerability, licensing and operational risks associated with the given software package that has been delivered. We see that this will have a ripple effect on the entire DevOps industry as well; no matter which vertical you are in, fintech, healthcare, automotive industries, what not, everyone will start implementing this SBOM publication method.

Here, in this case, one more good approach would be integrating your binary repository manager with your CI tool. There are so many benefits associated with that, the first one being that the remote repository cache is already populated with all the dependencies that you have used in step one, during the development phase, or in the first approach, in the development phase. Having the CI tool resolve the dependencies from a binary repository manager can also make sure that there are faster and more stable builds, because even if the public registry is down or the dependency that you are relying on is removed from the public registry, you are still continuing your development activity. Now, one of the security best practices that I would recommend in this case is: you can have a policy for your dev cache or your dev environment, and after you closely monitor and enforce a policy on this set of cached dependencies, you can also make sure that there's a whitelisted or approved set of artifact dependencies that your organization can consume. So now your CI tool should only point to the whitelisted libraries or curated libraries, so that, starting from here, this is the main entry point through which these software components or OSS components can make their way into your organization, into your proprietary software. So this is the first and a good place to enforce that whitelisting and curate the dependencies that you are consuming. Same way, you can have a more lenient policy on the dev environment, because you might not want to block every developer from consuming a certain dependency; at the same time, between the time that they first perform the local build and the time that they publish the version control changes, they have to make sure that the given dependency is now part of the whitelisted entry, either by complying with the policies, which will automatically qualify the given dependency to make its way into the whitelisted repo, or by requesting a temporary exception from the security admin that this dependency has no alternatives, or this is the best possible version that is available out there, for example. So there can be multiple conditions which will require a manual approval. Okay, so this is how you are also securing the set of dependencies your CI tool can consume and also making sure that it is faster and more reliable.

One other advantage here is that some of the CI tools, as well as binary repository managers, will give you an option to enhance the SBOM by collecting the system environment variables or the tool set that you have used to create the given build, because the same source code might not produce the same artifact if you build it again, due to varying build conditions or due to varying transitive dependencies. So you should always enhance the SBOM by working with the CI tool as well as the binary repository manager, to make sure even the transitive dependencies are collected during this process. For example, in the case of the JFrog platform, we give you a CLI tool to collect this information, but I have seen that a lot of other CI tools as well have some kind of an integration or a plug-in that can perform this enhancement.
So, Gowtham, yeah, can I jump in? Sorry, I was waiting for it. So I have kind of a question here. We talk about throwing this into the CI build, and that's great. In my experience working with GitHub and stuff, a lot of the CVEs that are issued for dependencies are not particularly relevant. Is there a good way, is there a good tool, maybe JFrog does this, maybe the OWASP SBOM tool does it, to debounce those? That's the first question, right: how do we manage this number of requests when most of them are entirely frivolous? And secondly, what kind of process do you recommend? In your example there you highlighted asking the security officer for an exception, but that seems kind of weird, because the security officer is usually an IT guy who doesn't necessarily know the code or the project, and whether you're even using the method that is part of the CVE, right?
Yeah, so to your first question: yes, that's the biggest challenge that the industry is facing. A lot of SCA alerts that are coming out of a tool might not be relevant for your organization, and this is where a lot of vendors out there are trying to deliver something called contextual analysis, by going one level deeper into the binary, or by utilizing some sort of source code available for it in certain packaging technologies, to find out whether the vulnerable function within the impacted library is being invoked or not. That's one way to decouple those irrelevant alerts and only address the ones that are most relevant for your organization. I've also seen in some cases that this context can come from the packaging layer that is encompassing the application: for example, your Docker container might not be exposing the service port associated with the vulnerable library, so in that case you are not going to be impacted by the given CVE. So this is something that some intelligent or smart SCA tools are aiming to implement in the solution, so that you can reduce the noise of alerts coming out of your SCA tool.

To your second question: yes, it's not a common scenario where an IT administrator will have that kind of due diligence to certify or allow a temporary exception. As I mentioned, these are some of the scenarios that I've seen. Of course, the specific example that I'm talking about here has a dedicated security team or analysts who constantly stay in touch with the development team, and they're at a stage where they want to do this enforcement in a very strict way, and the developer is also aware of the workflow that they need to go through, or the burden that they need to go through, to get an exception, right? In a way, it is making it hard for the developer to consume a given dependency, but at the same time some sort of event might have triggered the organization to take this strict approach: they might have been impacted by a recent OSS component that has caused them a lot of reputation loss or revenue loss, or, because of the vendors that they are working with or the customers that they're working with, they have to make sure that everything is safe and secure. So I see that that is an approach, but again, as I mentioned, for each of these best practices you should always take a phased approach to onboard it. The first step would be getting the visibility: at least you know what is coming in from the internet, right? Rather than allowing the developer to consume anything from anywhere, now you know what sources they're relying on, what dependencies they're relying on, right? That's a good first step. The second step is to go with a lenient policy, saying, hey, I'll send you an email alert, try to address them, at least try to address the critical severity issues. And then in phase two you give them a mandate, saying that security is something that is picking up a lot of importance and there's an ordinance from the CSO, for example. I'm just talking about some of the scenarios that can happen for an organization to move to the fully restrictive approach, right? Do you agree with that?

Yeah.
Okay, so let's go with the third approach now. As you might be aware, the entire DevSecOps or DevOps implementation contains multiple stages, and at each stage the given software package or application goes through a certain set of tests, or vetting, or qualification, that makes it eligible to move to the next stage in the DevOps lifecycle. And DevOps is all about feedback, as we talked about. In the same way, security, or a software composition analysis scan, cannot be a snapshot, a one-time scan that allows a given component to be utilized in your organization. We have seen just now how to secure the dev environment and how to secure the CI environment, but you need to make sure that there are security checks, or license compliance and vulnerability checks, being performed in all the other stages as well: in the test, release, deploy, and operate stages. Because today you might... look at the Log4j library. With the recent discovery of the vulnerability in Log4j, all the organizations that are impacted by it are not the ones that consumed it after the vulnerability was discovered. It was supposed to be secure, or assumed to be secure, two years ago, five years ago, ten years ago, and people started consuming it, and at some point in the software supply chain one of the contributors, by mistake, directly or indirectly, introduced a vulnerability in it, and it started ringing the chaos bells everywhere, bringing every organization down to come back and look into the security practices that they have in the organization. So today you might certify a given library or artifact as qualified to be utilized in the dev environment and the CI environment, but there's no guarantee that down the line, by the time it is getting released or running in production, it will stay secure the same way. So you should enforce these SCA scans across all the DevOps lifecycle stages; that is something that I highly recommend to organizations. At the same time, as you move towards the right in the SDLC stages, you need to make sure that you control the alerts and address the ones that are most relevant for your organization. For example, a critical severity found in prod is going to have the highest impact, whereas a critical severity found in the dev environment is not going to really impact your operation, because maybe it might not make its way all the way through and ultimately get into production. So as you move towards the right, the number of binaries or software artifacts will decrease, but at the same time their criticality level will increase. So at each stage you need to make sure that there are lenient-to-stringent policies applied, and at the same time you need to carefully manage the violations and the noise of alerts that you're going to get.
So I will move to the conclusion slide; I see that we are at the top of the hour. So today we have learned how security can be an integral part of the DevOps implementation, and some of the approaches that organizations can take to monitor the OSS components entering the organization. And we have learned some basics of what an SCA tool is, what a vulnerability intelligence DB is, some of the terminology associated with it, how security and licensing policies look, and what the best practices are in implementing these tools in your organization.
Thank you. So I will switch to the chat to see if you have any questions, and Brett, let me know if you want me to take these questions offline or whether we can spend a few minutes answering the questions in the chat.
No, we've got... if people have questions, we've got some time. Appreciate the presentation. I did put the NVD and CVE URLs in the chat; are those the correct URLs you're talking about for those databases, for those vulnerabilities?
So I would also love to hear your... the presentation, and what techniques or tools you're trying to implement in your organization; I would love to chat about it. Let me just go with the questions in the chat. The first one is: how do you recommend that engineers consume these databases? So, generally speaking, these databases are publicly available, and you can search quickly on a given dependency and see if there is any matching string or matching CVE associated with your dependency. Some of them are open databases, some of them are private databases. NVD is open to the public; some of the databases don't offer browsing capabilities, for example. Although the best way in which developers can consume these databases is through an SCA tool or through IDE plugins, which can do the heavy lifting of fetching the list of packages that they have declared in their project, comparing it with the database, and producing the results within the IDE itself or within their command line itself, so that they can quickly work on the feedback. These databases, and the browsing capabilities that they offer, are mainly focused towards security analysts and security engineers who are more interested in digging deep into the vulnerability and remediation techniques. Okay.

For instance, are GitHub and Dependabot the gold standard in the space?

So there is no gold standard as such. Every organization is taking a different approach; they have their private databases and their public databases that they rely on. Same with JFrog Xray as well. So right now, big companies like Google, and some of the foundations, the cloud-native foundations, are looking to build a standard around this: standardize the way in which developers can consume a package, and standardize the way in which these vulnerability databases are maintained. One of the popular ones is the SLSA ("salsa") standard that is proposed by Google. Take a look at it; you will find a lot of resources. But it takes some time for the industry to adopt any change, and the problem is really fresh, I would say, because it's still... in the last two years the industry has shifted a lot of its focus towards this OSS supply chain and monitoring. So it takes some time to go to a standard and adopt it. Okay.
I think that's the only question, but I see Tyler... Yeah, sorry about that, I'm notorious for questions. Okay, good. Mark, yeah, Mark, do you have a question? Yeah. For those of us who don't know, Mark and I work at the same organization; that's why I'm picking on him. Oh, okay, okay.
I had a couple of questions, Gowtham. You mentioned shifting left and scanning at the developer workstation, and I definitely see the benefit of it. Often, when we do that, developers complain about performance on their workstation if it's constantly scanning. From your feedback working with other development teams, have you found that it's worth enforcing that, catching it early, or do you get inconsistent results and it's better to do it at the repository level or at a pull request type of event?
I would say definitely it is worth enabling that feedback, because at the end of the day, at some point or the other, you will start doing the enforcement. Every organization that is building software will start to do this enforcement; as I see it, it is imminent, right? Log4j is not like a one-time event that happened last year and will go silent in the next few years. So as a good harbinger towards that direction, and a good practice towards that direction, I think the feedback wouldn't hurt. Definitely there are tools that impose less burden on the developer's workstation and can offload it to a certain intelligence platform, for example. So you should definitely explore the tools and see what works best for them. For example, to me, some of the developers like IDE feedback tools; some developers said that, hey, having a good report sent to me every night on the nightly build will help me, because I can just examine the report and see if there's any way in which I can implement at least 10 percent of the feedback that is available in the report, for example. Yeah.

Okay, and another question. Tyler
kind of brought this up, but I know a lot of the services like GitHub and Bitbucket offer security scanning, and there's Dependabot, which is free. But then they have their advanced security, which for a large organization can be quite a bit more expensive. From your experience, with that advanced security scanning, like maybe what JFrog offers in Artifactory, and what GitHub and Amazon offer, do you get a lot bigger benefit from that? And if so, how do you convince management that it's worth paying for that service versus the free service?

Yeah, I would
definitely say it's a tricky question, being a sales engineer working for a company that is producing SCA tools. So what I see as a common trend as well is that people are also looking at remediation as important information that they need as part of the SCA alerts that they receive. So I see that a lot of times these premium capabilities, like examining all the other upstream and downstream GitHub projects and finding the best version of a given dependency that you will need to move to, this is something that usually...

Thank you for joining us.

Sorry about that. Yeah, so usually there are some benefits with it, and at some point or the other you will see that the premiums that these providers give you might not be fitting your organization's needs. For example, the first question that the developer asks is, hey, I fixed it in this specific sub-project, but that is breaking the entire build at an org level or at the framework level, so how do I make sure that this helps? And then you examine the GitHub page or the JFrog page and see that, hey, okay, this requires me to pay some extra bucks to get this capability. But again, I would say that the freemiums are still a good entry point, because it is better to have something than nothing; it is better to be security aware than completely blindsided by it. And then see what needs your developers have, what initiatives or directions your organization is heading towards, and see what toolset or what feature capabilities are matching your needs, and only buy them and incrementally adopt them, right? That will be a good path for your organization.

That's good. I can maybe add to that from
the developer side. I think it's really common that each language, each ecosystem, tends to have its own sort of SAST tools, so the static analysis tools that you can run essentially as a linter at the IDE stage and also in your CI at the workflow stage. And, I don't know, maybe I'm not as sophisticated as Gowtham here, but our combination, we typically use a SAST tool at that level and then also the OSS scanning in terms of the Dependabot alerts, or npm has one that's really big, and that's sort of the two primary components. And I don't know if we necessarily need, for an organization our size at PDQ, those big premium services, but maybe if you're working at a big, big company, maybe.

Absolutely,
it varies from org to org, and it can be very specific as well. Some startups just work with federal customers and they want to certify it. So again, it really depends on your use case.
Yeah, and usually there's a complementary solution to an SCA tool, which is the SAST tool, that analyzes the custom code vulnerabilities: whatever vulnerabilities are present in your own code, it can detect them and showcase them. Whatever vulnerabilities are coming in from the open source dependencies that you are using is something that the SCA tool, or software composition analysis tool, can flag. And you need both, right? You need to make sure your proprietary code is safe and your open source dependencies are safe, which will make your software safe.

Great.
Okay, are there any other questions from the group? If not, we're out of time, but Gowtham, we sure appreciate you taking time out of your conference to speak to us tonight. And I appreciate... everyone, get the link to enter that raffle for the LEGO helmet, and you have a good chance of getting that. And then, as I just announced again, we're going to do these every month. We're planning on a conference a year from now, in 2023; I think we're shooting for May of 2023, but we're going to keep doing these each month. If there's anyone, if you know someone that would like to present, we always like to get local presenters too. If there's a tool you're using or a process you're following, or you just want to show something you're working on, this is a great, great, great audience to present to, and we have a pretty large mailing list that we can use to remind people to attend. So we just encourage you to be a presenter; let us know. And thanks again to everyone for coming today, and thanks again JFrog, and we'll see everyone next month. Thank you, thank you everyone.

Thanks everyone.