Supply Chain Security Exposed @ JFrog Private Event Sydney 2022

Developer Security Tips from the JFrog Research Team

September 6, 2022

2 min read

Supply Chain Security Exposed! Developer Security Tips From the JFrog Research Team
Again and again, I am asked how one can start with the topic of security in an agile project environment. What are the essential first steps, and what should you focus on at the beginning? Of course, this raises the question of suitable methodologies and tools. At the same time, the company’s strategic orientation must be included in this security strategy. We have also learned in the recent past that attacks like the “Solarwinds hack” are becoming more and more sophisticated and that the attackers now focus on the entire value chain. What tools are there, and where should they be used? How can I start tomorrow to prepare myself for the future against the challenges of cyber attacks? And that’s precisely what you will get an answer to here.

Baruch Sadogursky
Principal Developer Advocate, JFrog

Baruch Sadogursky (@jbaruch) did Java before it had generics, DevOps before there was Docker, and DevRel before it had a name. He started DevRel at JFrog when it was ten people and took it all the way to a successful $6B IPO by helping engineers solve problems. Now Baruch keeps helping engineers solve problems but also helps companies help engineers solve problems. He is a co-author of the “Liquid Software” and “DevOps Tools for Java Developers” books, serves on multiple conference program committees, and regularly speaks at numerous most prestigious industry conferences, including Kubecon, JavaOne (RIP), Devoxx, QCon, DevRelCon, DevOpsDays (all over), DevOops (not a typo) and others.

View Slides Here

Speakers

Baruch Sadogursky

Developer Advocate @JFrog

Baruch Sadogursky (a.k.a JBaruch) is the Head of Developer Relations and a Developer Advocate at JFrog. His passion is speaking about technology. Well, speaking in general, but doing it about technology makes him look smart, and 18 years of hi-tech experience sure helps. When he’s not on stage (or on a plane to get there), he learns about technology, people and how they work, or more precisely, don’t work together. He is a CNCF ambassador, Developer Champion, and a professional conference speaker on DevOps, DevSecOps, Go, Java and many other topics, and is a regular at the industry’s most prestigious events including DockerCon, GopherCon, Devoxx, DevOps Days, OSCON, Qcon, JavaOne and many others. You can see some of his talks at jfrog.com/shownotes

Video Transcript

okay so let’s try and do that and so you probably also the agenda of tonight

and it has nothing to do with what’s going to happen that was the right we

lure you it’s called bait and switch but in bacon switch when we bait you and

then switch it’s usually switched to something that is worse than the original this is a very sick baking

switch it actually shifts for the weather right um

what I want to talk to you about is supply chain security

and after I will share with you some insight from the amazing job that our

security team does in jfrog maharashi is going to show you what we

can do about all the problems that we are going to talk to you about now the thing is

the first talk was supposed to be like the state of software delivery something something

and I can do this talk in one sentence the state of software delivery in 2022

is that’s the end of first off now let’s get to the next one and that’s a little

bit details about why so you can see here Google thread of a

Google trend of the interest in software supply chain it goes like there are no one cares

about it no one really cares about it then boom people start carrying off

what happened why why would people suddenly be interested

in an obscure topic of software Supply engine

because hacking is is expensive what why what it has to do anything

there is a company which is called the rhodium.com those guys pay money

for uh exploit

if you find the next point you can use it for doing something bad

you can try and back companies who are in charge of those exploit to give you

money for exposure or you can go to those stocks and sell the exploit to

them they will negotiate with whoever can do something about it and will

probably make a lot of money of being a middleman but what’s interesting is how

much they make now zero click

root cause root escalation what does it mean it means it’s a hack that you get a

root privileges on desktopen server or on mobile

how much can you get for such an export well a

million dollar for a desktop and two and a half million dollar on a mobile

what does it tell you it’s hard it’s almost impossible

today finding this instrument and all of them are three million

extremely hard like Chrome root installation how familiar

right iOS 2 million dollars what’s up a million and a half

today’s cutting is very very hard because it’s been a while people know

what they’re doing their software isn’t it but you know what you don’t need to

anymore turns out that most of the software that most of the people use in with

everything right it’s not theirs right 17 of code in coin basis is open source

in 2020 80 of the company you have in your application is not even yours

and that means that you don’t know the quality

and if you don’t know the quality it means that this can be a very very easy

Target to hack comparing to traditional hacking that is now very hard

and this is great for hunters because it means that they can achieve the same

well not not exactly the same I’m going to talk to you about it in a second but

pretty much the same in much less effort by hacking the supply chain instead of

trying and hug your operating system your um or or you also

so yeah um as Nara was already introduced me my

name is this is my official business card one of the perks of being very early employee I

can name myself um as a cheat figure officer we have speakers we have stickers

we might have stickers that’s a good answer we might have stickers so if we don’t that’s um me to blame if we do

that things don’t like that um because it’s my responsibility is cheap security officer also I’m a

principal developer Advocate Jeffrey is Jeff Rock and on this uh part of my job I’m going to tell you

stories about how or some other people in jail for God and then this particular

moment our researching is that they are the most important part on this slide is

except of the awesome sticker of course on the bed frog is my Twitter handle this is the the simplest way to get them

right and couple of things to know Jay about computer or you mentioned Jeff

from x-ray that will be kind of the hashtag if you want to share something about today and then if you go to J

Baruch show notes you can find the slides already there the video hopefully

I didn’t anything up so we will have the recording maybe swearing is not okay never mind too late and because

that means that you shouldn’t really like take any pictures or write anything down because this is how it will appear

on each and every slide of this stuff so you can always go there and see what you want to see so anyway

I am I’m going to go here as I mentioned most of the knowledge here is not mine

so it’s all written down here I’m going to sneak peek in order to know what I’m

talking about right so um supply chain friends there are three types of supply

and chain threads two of them based on software renewabilities

it means something did something wrong within an existing particular software

intended or unintended and the third is purely malicious it means that this

software came to be in order to do something nasty right so

bugs those are the unintentional vulnerability and people may mistake

another software is vulnerable this particular version of the software

today’s version yesterday was fine tomorrow they’re going to fix it it will be fine as well today there is a box the

other one is Bad Girls also backdoor is a maneuverability either someone did it

on purpose inside this one so turns out this package or maybe someone managed to

hack it and insert the back door for this particular version of totally

innocent software as it was yesterday and it will be tomorrow

for those types of vulnerabilities we have the cve

identifiers which identify this particular version of software as a

vulnerable log4j version X has this bus version

doesn’t have this bug anymore we have a cve that points to version X

the third one is the most interesting and those are malicious packages they

don’t have vulnerability identifiers because it’s none of them vulnerable for

something no they behave as expected by doing something bad

and those are the most dangerous ones because from a traditional view of

software security industry there is nothing wrong with them there is no bug no one attacked them nobody exploited

them they actually do what they’re supposed to do and that being bad

so this is interesting and we’re going to talk about all three of them today

right so um local J is the example as I already mentioned on the first type

there was a button now it’s even more interesting it’s not even a bad how

familiar are you with what happened to this look for Jane uh yeah all right I’ll explain it’s very simple locality

is a login library that allows you to look what happens in the system now it’s

very flexible you can control what is being printed how it’s been printed and

where and and what it uses to be printed one of the clever things that the

authors did is the ability to load additional functionality of logging on

the Fly by using Java’s hot class loading functionality

it’s a format that we can say hey I’m going to bring more classes to my system in order to print to do logging more

successfully turns out that bringing classes and loading them on the Fly some

very secure idea who can imagine and indeed no one could imagine for years

this functionality is being in love for Jay for years nobody thought to explore

to to uh X

oh come on what is this word explode thank you to exploit it until someone actually had and there’s all the

internet God like exploded about it but it was a feature

it was by Design nevertheless it was considered a vulnerability a bug it was

fixed in the names version and this is why that’s the first time that’s the first time that’s the security bar solar

winds solar winds is an example of the second of a bad door right so it’s an

international body huge right so it was attacked and then a back door was

injected in it and again we had a version of

software that was attacked see it this is an example of third one

this is just a package that was created two still credit cards

this is what it did they obviously didn’t declare it they pretended it’s something

else but the horse the whole purpose of this package was

stealing credit cards and it didn’t even get cve because it’s not a vulnerability

really right so

let’s talk about injection methods how

vulnerabilities are injected to your supply chain

the first one is called type of squatting or there are different

types of scoring type of squatting means we create a package

and we hope that people will confuse it

because the name sounds a lot like other packages next

here is an example animal plot Club

with an O really looks a lot like

with an a that’s

the malicious right so if you typed

web install and plug lab and plot lab instead of in plug lock

you got a malicious packages another one very similar cold masquerade

masquerading is actually a little bit more advanced it not only hopes that you

will make a typo after you make this cycle it actually convinces you that you

found the right package here is an example of

Mark Js this is how Mark js3 looks like

this is how the Masquerade in package looks like it’s exactly the same rhythmi it’s

exactly the same it actually points to the same

GitHub repository as the original right all the metadata

is exactly the same the name is the same

so who can tell me how do you see what’s wrong what’s what’s not what’s not the

same so here are things that’s the read That’s the Masquerade one and that’s the

original one what’s the difference that it’s very very empty and installed

like the install can that’s different oh obviously the install command has to be different because they want you to

install the red one but how do you know which one is better exactly right the weekly downloads is

completely different how hard it is to actually think weekly

downloads what it is for that like a script

that hits it and now they didn’t even bother

this brings me to an interesting golf topic they didn’t bother because they

are not really sophisticated one of the interesting aspects that we see in those supply chain attacks that

their attacks are very much made the only reason that they are so

successful is because those are early things even distributive things like this one

actually work so you don’t have to spend time

equivalent to a million dollar in order to hug someone and this is why

they don’t now it also means that today the attack

go for breath instead of death right you can do the stupidest thing and

still get 10 people with downloading it and you know what if your package does

something which all it requires it’s a lot of people to download it like

stealing credit cards or we’ll we’ll see what that might be enough

isn’t enough can you stage this kind of attack

to attack a specific individual or a specific organization or a fish for a

very specific type of data that you need probably not right for that you need a completely

indirect different set of skills that those forms thankfully still don’t have

but they are usually enough to get enough

for them to give up okay so yeah that’s by the way the

malicious package that the mark JS compared to like a regular one they

actually obviously took all the code because it should work and then there is

one function with the obfuscated JavaScript that does what it does we’re going to talk about obfuscation a little

bit later another injection to give is tutorial

page and this is

fully functional and useful Library that also does something better

these core utilities they do it’s useful or let’s say it’s

working set of Discord utilities which by the way also steals Discord topics

right so again there are like there is stuff which is

completely fine whether it was also some stuff that sends

the the Discord token of the current user to

the owner of this Library another technique is called shadowing

namespace shadow now you might heard this one by the name dependency

confusion I find this name very confusing because

everything can be confusion names for shadowing actually describes

it a little bit better um here’s how it works

first of all you have to have a package manager oh yeah sorry at a dependency manager

like or

Factory or any other Nexus anyone you take actually they all

behave the same in order to execute because this attack actually uses a very

important feature of what we call a virtual repository or in the case of

Nexus it’s called the proxy repository of the different names in order to work

the way it works is that if you have virtual Repository

that actually unifies or combines

a set of local and remote repositories into a single URL that then

that then you use this is where you can fly and attack

so let’s say you have a library that has a version 1.6 out there

and you have a bunch of different versions 1.6 1.4 1.1 1.2 1.3 and

whatever and then your tool asks for the latest version

what are the factors will do it will check for the higher version of in all

the local repositories and then it will go and check the central repository for maybe there is a

newer version it will find it and then this is the version that will be served

now is there something wrong with this Logic

No this is how it should work that’s exactly how it could work how it

can be used to for and for an attack if the

effect managed to put here A version Which is higher than what you have than this

version will be downloaded now there are obviously a lot of techniques how to

protect and I will show you one of them in a second but you can see or identify

this package by a ridiculous High version but it has a ridiculously five different

High version because it tries to be higher than every possible version that

you might have right and the way we can protect it here is and here’s an example of

um x-ray actually finding it and again like ridiculously

that when it first made Splash like more than

a year ago in February last year I blogged about it and explained how artifactory actually protect you against

it if you go ahead and do some precursions for example you mark the

your private repositories as priority resolution and then you say for whatever

comes from this repository never check for a higher version in public

repository you can also do it with exclusive patterns whatever starts with

condo jfrog in our example never check for in in public repositories this is

our internal packages even if someone tries to hurt us and publishes a package

with a higher version don’t check there it’s probably fake it’s not that much

right so there are several ways to overcome it but still great another one is hijacking

now hijacking works by hijacking the user or the

the namespace of a certain package in a central Repository right so here for

example a very popular like very popular uh JavaScript library that was hijacked

by hijacking an ambient account how can you hijack an npm account well

for example you can look for expired domains

domain expired that means that you can go ahead and register it then

connect it to your email account and ask for a password reset from npm

register you will get a link to reset the password to your email which is connected to the domain that you just

purchased you can log in and you can release a new version of the same

library with your managed code GitHub protected by forcing it using

two-factor authentication and very registry does not

completely different type of attack is protest work now produce wear is

something that we only recently kind of discovered and it comes in couple of

different ways right so the first one that you might heard

about was and colors dress colors Js

added an apologize I colorize

text in the console for nbm banks and it

added some module that just [Music] created an infinite Loop and that was a

protest of the author against not being paid for its open for for their open

source work they were upset that all the wealthy

corporations used their package with and and he and they will now never

compensate for it so it just made their package and you unuseful unusual

um right so another one is node IPC no APC

was another example of protest wear that was a political protest against uh the

war that Russia wages against Ukraine um so the author of this package checked

the IP of whoever tried to use their package and if the ID was Russian they

printed bunch of blue and yellow hearts in the console

represented like Ukrainian flag but deleted files on the local operating system

um let’s talk about payloads let’s talk

about after the package was hijacked or introduced in one way or another what do

they try to do the first one is very boring stealing

stealing credit cards right same passwords this one goes to Chrome

default and then select from Green cards off the of the database of of your of

your local Chrome browse same passwords from your Microsoft edge

browser select from logins trying to find plugins

this one this again and we already spoke about it Discord tokens

I don’t know what’s going on with you remember how we spoke about naive

type of attacks it turns out that one of the most important things that those

folks are after are Discord uh logins and and Discord

um uh like login data why there are number of reasons some of them are

spamming using other people’s accounts the other are

trying to find conversations that they can inject themselves to and this kind of stuff but

pretty neck but yeah so you can see here

a lot a lot of that um

sending the information back to uh

to the settings right so you can see here received show command string and then

sending them back to the server that was uh that was originated

another type of uh another type of payload is download and

execute and download and execute the most popular type of software that is

downloaded and executed are crypto miners uh we spoke about how they aim for

breath instead of being narrow attack you don’t care what computers of whom

are encrypting are mining the crypto for it right so that’s another part of that

and it’s as naive as opening as as like running shells that will download a

crypto Miner on your computer and just start executing it

last thing that I want to talk about is obfuscation how they try to hide what they injected

into those packages first of all at one obfuscated function or a method

inside a package is suspicious by itself all the code is open source it’s right

there for everybody to read and then boom an obfuscated method an obligated Factor

this by itself is kind of fishy and it

smells bad but still we will use it and the obfuscation methods are also pretty

much very naive this one is just encodes everything in

base64. I mean that’s not very hard confiscation

obfuscation to break but it is what it is another one a little bit more

complicated but also pretty naive is trying to confuse the flow of the system

so it will be harder to understand when you look at it not someone after their

University degree ever tries to comprehend the flow of software by just

telling it like we’ll use the ID we will follow the flow so I’m not sure how that

helps but again so instead of this code they write this and for some reason that

should be for us harder to crack uh those are interesting using the

Unicode characters that look the same but actually different right so you can

see you can see see here how they say hello is different than they say hello

because this age is actually a Russian M which looks like h

again the only people who can get confused is to just staring the code

even here you can see by sentence highlighting that this doesn’t look like

this one and obviously we can follow the flow of the system and say that it

sounds like that um this is also very interesting again

using uh Unicode symbols

it looks like this if actually is there and it’s

working but actually it’s not it’s a part of the comment the end of the

comment is moved by using a Unicode control sequences that move it to the

right because it actually instructs it to look at this code instead of left to

right from right to left

again I mean how naive is that that’s Java for you but it’s the same idea

right it looks like all this is a comment but actually this sequence ends the

comment then you have a method that does something it brings up like a cigarette

or something and then this sequence actually opens another comment and this

one ends it so yes if you paste it in your Visual

Studio code that just do syntax highlighting and doesn’t do like analysis you might miss it but

everything more complicated with that will actually see it right away and also for our tools

that try and find those vulnerabilities this looks suspicious as

anyway how do we detect those

so there are number of things that you can do in

order to be safe the first is as well software bill of materials is at least

of everything that goes into your software yes whatever 78 of the code

that is your software is not yours but it doesn’t mean that you have no idea what is there you actually know

especially if you use software like geography battery and drive for

pipelines they create this as one for you it will be called the building for

uh in in our terminology in the end of the day you know what software there is

there once you know what software there is there you can go ahead and check if

this software has vulnerabilities how can you check for example you can go

to the sample repositories and check whether they have information that those

packages are problematic now unfortunately Central repositories are not very good in providing you with this

information for example the central python repository will just delete the

malicious packages you won’t know that there is a problem you will just know that it’s not there

also removes the package with a code

that’s a security holding this package and you will get some damage package in style this is also not very helpful you

don’t know which versions actually bad you don’t know the version that you used was before this package was hacked and

maybe it’s completely safe you don’t have this information Industries are in I start but not enough

you know what is enough yeah and obviously there is another problem that

I mentioned in the beginning some malicious packages are not vulnerabilities so if you scan them to

actually find vulnerabilities they will tell you there are no vulnerabilities and they’re modded everything is great

but you actually use a malicious package it’s just not a vulnerability it was designed to be malicious and you

accidentally start using it because of masquerading because of

um type of squatting or because it was a jump none of that is malicious right

so how can it fix it actually is going to show you how we’re

going to fix it and then basically Jeff Rock and specifically General mixer

all right yeah so at jprop we always believe security has to be part of each

and every step that we have in our svlc lifetime right so what we’re seeing traditionally is okay your security team

comes in where we do a build now it’s in the qsand security testing the next

video security stance right now think of that we are working on towards like well

so we have release that is coming on Friday right and now my spirit is saying

that hey you’re not really this because it has 10 critical by medium or 20 lows

right we cannot do it so now we are going back to a development team and say hey let’s go and fix it but now what we

want to do is how I can make my developers is more efficient or empowered with the information that I’m

sharing which I’m giving them right after builds right so what we’re gonna do because see this information right

there in our Ides right so there is an IDE plugin for intelligent eclipse

you can see the same data what we are looking at a plugin called J proc it’s a

free plugin 100 developer thousand developer they all can download once we have x-ray configure against

your ID uh your instructions and this is where what I’m seeing is my package

remember you can do this oh this is very cool all right there we go all right so

what we are looking at here is for my Maven I see I have log 4G right known

one and now on the right side what I can do is look at uh click on the log

project I’m seeing all the CVS on the right I’m also seeing the likes on subscription will be okay so now if I’m

seeing GPL probably I should now switch something else because my legal thing

doesn’t like it me using GPR all right so what I’m looking is okay it has a remediation version so now if I’m a

developer I see this data I can simply go here update the version let’s go to the latest version which says 217.1

all right let’s do a safe read it locally at this time I have not pushed

my code to a Version Control yet it’s even happening prior to that as well so now if you are looking here log 4G is

green right there is no known CV I can also see if I have a dependency for example let’s say about it struck I can

click on it I can see dependence dependency whereas the one it is actually coming from so it gives me more

like a kind of a deep dive view of that open source library that I’m kind of pulling it into my first particles right

so that’s the first thing now for example let’s say you have a developer which is using at home right so atom we

don’t have plugin now they can do a scan right they can use tap CLI it’s a very simple command that they need to do as

long as they have a problem you know what we are looking is I go to my terminal I do JF audio

okay if it’s a Docker I can also do a JF Docker scan I can scan it just hit enter

you can see here it’s pretty much doing build uh it’s doing a scan as well and it’s

going to show me the exactly same data that I am seeing as part of my IDE level like the plugin levels okay

so this is something we can do from any formula window that we have now for the docker

yes they do right they do but they want to do a scan one way you can use jfox

clip the other way there is a depth or desktop application that or Docker desktop

all that we have and there is an extension for jfron so now all the docker images that I have on my local

machine I can switch I can see the scan results I can see exactly same data so

now my developer cannot say Hey you know we miss it right they have this

information they can see they can fix it at the first time all right now as they

are using Art Factory as if they are kind of resolution the costly what they can do is in x-ray as a security team I

can go and say hey if you find a critical do not resolve that request so now if developer is trying to download

off 4J 2.10 it doesn’t resolve from our battery so now we are not resolving

those requests so now they are not allowed to use right so you can do creation process in between as well all

right so this is the IDE level what’s next that’s enough for coming

okay they are not using IDE what happens right so Version Control right so

whenever you open up a full request you can figure a scanning expert so now whoever is reviewing my full request

they can see the scan results as far like here if it’s a claim it’s good if

it’s not clean they can see it’s a critical Market then it’s up to them do they want to merge it or not right most likely not

right so that’s the second hit now third gate comes as a Bill Gate right you can say hey if we found a critical order I

want to fail that though okay so you can do those kind of things as well now everything is looks good x-rays pass it

tomorrow let’s say log 4G and it’s now vulnerable we can do the same here we can block it notify someone etc those

things all configurable okay now what we want to see on today’s question is more on

how the data looks like how can get into a jfrog platform and

kind of see this information so what we are looking here is

basically a security and compliance and the scanners either macro power space being scanned

it can be in my local first particle or it can be a remote I used for downloading them and search Library I

can do a scan on to this video I can do the same thing for this so the build that I am scanning is let’s

say which is actually getting an offer image right and what we are looking here is let’s say it was the build that I

have refreshed

foreign

and kind of find a check so kind of see how it’s being used well it’s being used

right so this is where we go to a build and this is where I can see kind of where it’s too publicly right which will

happen published it if I have a assessor like let’s say this specific layer has been used by all

these five times right I can see those data right and this is where when we talk about good full audit Trail I can

see right there we’re not practicing and this is where if I go back here on the build side

x-ray is actually showing me three main things right now first what are the

quantities that I have second what are the compliance issues that I can have and the third and most important as part

of mentioned 78 open source out of that 78 most likely 55 or 60 percent is

outdated right we write a code we let it run because it’s working fine

we are never going to update right and this is where what we are looking it’s called operational press so now

start with the quantities what we are looking here is for spring framework webmdc what we are looking here is there

are a bunch of CVS and out of those series there is a pin icon next to it what it means is gfrof research team looked into those

cves and kind of provide all the information that we found now when we look at this particular series

let’s start with what it’s coming from MBD database digital monetary database what we are looking here is pretty much

10 000 feet high level information if you share this with your developer they will say okay

what should I do am I being kind of kind of impacted like

okay I’m impacted but how can I fix it so they have no clue okay this is good for security teams to understand but for

developer it’s hard to come all right and this is where J Pro research step comes in it provides the exactly

information which methods are going to go it also tell us how can we remediate as well right so do this right so this is

where developers either do a more productive offers right so they can know what they need to fix it

okay one of the interesting part about this impact analysis right and this is where we can see exactly where it’s

coming from remember the ID that I showed you the independence is dependency this is what it is right so it’s actually part of everyone that part

that that package is part of my jar jar was part of the docker layer and the darker layer is part of the document so

you can see if it’s five layers deep or materials it doesn’t matter as long as actually know the package place it works

cancel another good example that we would like to kind of go where it’s called faster XML

okay and this is where things becomes interesting so what we are looking is through CBL through severity one

civilities given by nvd which is critical the unverse degree is given by geotherm research team it’s called media

we provide a reason why we think it’s a medium right we also tell you the remediation what to

do and all right so this is where you can see data right now everyone can understand looking at this your security

team understand how it’s being utilized or your development understand how it’s being infected itself right so that’s

not fun the second part some plans

you can discover what of the licenses are being utilized which are done loan licenses are there as well

the third operational risk and this is where you can see here but not get version that I’m using the last

commit happened in 2016. there is no active maintenance so I know there might be a security issues

performance issues but has not been registered and this is where I have this information if you have a legacy system

or assist or APF that we have written or just stand up it’s working fine we forget it that’s how we get it the

creating as computer how simple is it is writer so I can go and click here

export into spdx that will be X format and this is where I share with the the

customers that I have right and kind of they can kind of feel confidently right right so those are the things

now there are new scales I’m coming in X-ray and those scanners are

basically same same view right we are looking at the scan list right and this

is where

all right so let’s start with the container so for first container let’s say as one

generation it’s right there when I go here one pizza is is exactly

the same what we saw previously right what are my series and how it’s done right now it also offers the kind of

filter or metal UI chain what is kind of interest to you at all you can also do okay let me see this column called

contextual analysis but contextual analysis means because we know the runtime is that CV is actually

applicable to you or not right and that’s where we talk about positive right not every series is applicable to

you directly or not right and this is where you can see here bunch of series there out of that this is actually

applicable to me so you can see those level of information another it’s called malicious package in

my code do I have malicious package when you click here you can see this

equal power it allows the remote access how you can remediate it

installed you can see all this information right there in your infrastructure

you can also see there is a secret detection so for containers if you have API Keys access tokens has been exposed

it will show up here you can see which file has a where is located what does it

mean all this information is right on your fingertips

then we have services so we are using let’s say Android right and for Android

what happened is if it’s the option connection it do not verify together uh

right what does it mean right so it tells you how it’s risky right yeah how

you can fix it so basically you need to do this context true right so this is

where every connection that you have is basically being secure

then we have application scanners and this is where what we are looking is let’s say you are using node.js and in

node.js express.js is one of the Zone 1 or basically IPM package that doesn’t do

enforcement on TLS for all your web communication so how you can protect it

right so you can see here you can go to use https module to create your web

servers so this is how we can kind of see or understand what are the best practices or how we can write a code

which is more secure that malicious and this is where you can

see in your python it helps it gives access to a sensitive sensitive side

right how it’s how it’s affect us so basically there is a package called site

package and this is allows us what are the passwords that we have exposing right what what should I do exactly

right it says remove this malicious packet so things like that is there for

you to understand for example if you have misconfiguration or if you have

sensitive data kind of export you can go to this terraform and this is where we

call it or we are looking at is infrastructure as a core

scanning capabilities and this is where we can see here right so all the

authenticate authorization is not important for all your API gateways and

you can see about how you should protect them as well so it’s not just detecting issues but it also telling you the

remediation which is very super helpful for your developers to kind of go and fix it

all right questions sure

and it’s now going to be then about the intelligence so when we scan the copy that all of the

scanning is happening locally or the code that is correct so basically we need to build it downloads all the

dependencies and this is where because your remote repositories or local repositories are being scanned by x-ray

you can see those candles right there right so it’s basically doing a local

bid on your machine and it shows the results right we took that I like there

are now have like help me to transfer to your server right so there is no upload happen yeah yes

there is no offload time it’s always download happen your upload is always happening through your build title

so this is where when we talk about security we are not talking about finding CVS and all that but we are also

talking about who has the access to those patterns right because your developers might not need read and write

access to affect it they might make just wait only because who needs to write access it’s just your

CI server and maybe your platform or SRE team maybe they are doing overrides or

something they might need right access but that’s pretty much run times customer developers they need to do

and this the second question is like um so let’s say the community said you gift shop for our record so actually I’m

applying I never got a chance to use it for before so we use sometimes scan before but not very strong so I don’t

know like whether your support have a GitHub is that how it happened So when you say

triggering a scan from Version Control so we do support from uh for GitHub diplomatically

okay go ahead other questions

sure um how is Jake from getting access to care foreign state

so yeah Yeah so basically the way it brought so

in perfectly we have right so there are two depository type

has been identified uh or kind of introducibly sending so if you are

storing something in attractive you can actually do a 12-hour scan on those data content

also like the actual modules you can use internally

you know I don’t think we have model support for now no yeah

any other questions okay so how many of you guys are

actually using artifact anymore almost everyone and whatever what I say

are you guys want to seriously understand a bit so that’s what in fact when I speak to some of our customers that’s

one thing I do guys a lot of them have access to everything but they’re just using the Audi Factory

using other tools for security right uh if there’s anything we can do to kind of

help you guys get enabled spot

in the two ways I think in benefits one is uh x-ray is the product that’s called

uh we used to be a quite a company

extremely capable so the the research team that I spoke

about are all Peter Fox and we used to

say well we will be scanning we will let other people to do the findings

oh you know this great quote from the Sixth Element if you want something to be done

do it yourself that was kind of our understanding after a while that if we want a first class

results of protecting your software we cannot say well someone else will do

their findings and we will do only discounting so now we do both and this

is why extra now today is one of the strongest security supply chain Security Solutions

on the market because we do both the findings the research and then we will

be scanning because now we own both parts of the equation the resource and

the research and we know about your s-bomb because the user’s Factory

so there’s really no reason to overlook the X-ray especially if you already have

you already paid for it just you have a question of how it should be used

because these customers they’ve been paying for it I never used it probably

because it was we didn’t find it good enough when we tried it or it’s not even a better

so I will encourage all of you I’m not sure if you’re all connected to yourself managers I have a

small link uh I’ll give you my coordinates I’m happy to support

as I said if you guys need any enablement for your teams for yourselves we can do that but I think it’s extremely capable and

that’s a lot of value to the overall investment you guys have made at the platforms

if you’re happy to support that much yeah and that’s that’s a good point right so because of video acquisition

now J Park itself is a partner in CNS CV number operating so we find cities we

let customers know as a zero day market and their later on with position to database like nvd and all that right and

this is where our j-profit search team hosts this site right and this is what you can see here one of the zero days we

found in last few days couple of days and which are the malicious packets so

you can see the primary focus for us is right now it’s on hyper and npm because that’s where we’ve seen all the cyber

attacks are happening mostly and this is where you can see these are the malicious package we’ve found we flagged

them there is a blog post on how we can protect also from this supply chain attacks or or any kind of attacks right

and this is where it tells you or pretty much everything what are the best practices as part of mentioned include

explode patterns you can filter it is my first party quote I don’t want let people reach out to a remote request

things like that right so very nice

really helpful for for customers okay so today’s uh are looking at

you know scaling your devops practice where it gets to an Enterprise class I

think your progress production because that’s all the case if it’s way smaller probably there are Alternate

Source kind of stuff but as I said if it’s Enterprise

we can really help you make make it worthwhile okay so here the

foreign

foreign are you guys

um in the demo stocks event at all

any of you no you got to get it you got it here you

don’t need to go through that to the conference

yes if we don’t give this opportunity to learn you guys personally a little more

proud