With new software supply chain attacks reaching the spotlight at an accelerating pace, security research uncovering novel attack methods, and new mandates and guidelines starting to come into effect — it can be hard to stay on top of the latest developments and their implications.
Catch this session to see a break down the recent news related to software supply chain security and what you can do to meet new requirements and protect your software from such attacks.
Get a technical deep-dive on:
- Recent software supply chain attacks and the attack methods behind them (eg: namesquatting and placement of malicious libraries in commonly used repositories)
- Progress in standards and guidelines such as the White House Executive Order on Improving the Nation’s Cybersecurity and what action they will require
- Best practices when incorporating a shift-left security strategy into your SDLC to effectively manage software supply chain risks
- Software bill of materials (SBOM) – what you should track and how to manage it as an integrated part of your SDL
Plus, additional Assets to check out:
- Talk Slides
- It’s Time to Get Hip to the SBOM
- A Year of Supply Chain Attacks: How to Protect Your SDLC
- US Executive Order on Cybersecurity: What it Means for DevOps
- JFrog Detects Malicious PyPI Packages Stealing Credit Cards and Injecting Code
- Critical Vulnerability in HAProxy (CVE-2021-40346): Integer Overflow Enables HTTP Smuggling
Transcription:
Assaf and I are really excited to be here today and today of course we’ll be talking about the fun and exciting world of software supply chain! So without further ado, since we do have a long period of time ahead of us, we have an hour and a half, and thank you guys everyone for joining us! We’re trying to make this as fun and comprehensive as possible so let’s just get off and start going into it so, let’s uh get going. What’s up? So yeah, so thank you very much for attending.
We have, I would say, a packed agenda. When we tried to split the different topics into different areas so pretty much the agenda is to start with the attacker point of view about the mices of the attacker why wouldn’t pecker utilize such supply chain attack uh uh how what are the common attacks the recent ones that we see recently about implementing such an attack and how much does it cost and then we’re going to look at the defense point of view what are what are say the uh recent regulations also recent approaches for defense uh against such type of attacks and then we’re gonna uh after the break gonna look at the practical points on how can you implement security in order to make sure that you have uh secure builds and essentially protect protect yourself against those type of attacks
and as stated i’m bill manning i’m one of the solution architects here but with jfrog just a little just about five years now i watched the company grow from uh being a small little scrappy got a bunch of guys all the way up to what we are now a public company and you know very recently we had our acquisition of video and we have the wonderful wonderful stuff here with miss and uh very happy to have him be part of the company and i’m honored to have him here just talking today and this up you want to introduce yourself sure sure so uh um my name is asaf cohen i’ve been in the security industry for the past uh 20 years uh doing mostly i would say both offensive and defense like offensive simulations uh such as penetration testing and ethical hacking as well as uh doing defense work in order to protect uh organizations against those type of attacks so uh always a white hacker by the way uh and uh i’m part of uh i’m part of now jfrog but beforehand i’ve been at vidu uh so uh we video established uh security product to do automatic security testing of binaries and now with the uh acquisition as part of jfrog we uh in the process of integrating the product in to be part of the platform so uh stay tuned for uh uh more things in the j4 platform um so let’s start with i was gonna show myself a gray hacker myself by the way just so you know so
all right um if you can go to the next slide i think we we would like to start with the security orientation or the security mindset about how does attacks uh uh occurred what is the i would say small history about it what is the essence of essentially having software supply chain attacks and just as a disclaimer uh the type of attacks that you that you see here are essentially software supply chain attacks there are also powder based attacks which are out of the scope of this session but when it comes to software supply chain attacks when you look at the essence of those supply chain decks essentially uh a way for an attacker to slip malicious code into the uh into the target software it can be either a malicious component or it can be altering the the the software would somehow uh abuse the way that the software is being built along the way and so it will con it will the outcome would be that you eventually have a malicious piece of software integrated into a trusted software so you see that the history of supply chain attacks is even though it’s this topic is relatively i would say new to the community we see attacks that were conducted many years before such as the stuxnet and target and other things i think the most common ones or i would say the one that got the most publicity is the solarwinds attack that that was conducted last year uh that really uh was uh unique in its uh noble way and the amount of uh target networks that it affected but essentially if you look at the origin of all the things that is common to all of this type of uh attacks you would eventually get to the fact that someone uh along the way was able to compromise or inject malicious code in a way that it would uh be at the end at the end build and someone would eventually they can see the consumer of the software would trust this piece of software that was contained with malicious code without knowing that it has been malicious
bill maybe you can go to the next slide and i can explain about the essence about why you see this uh this type of attack getting more and more interest from the attacker point of view and now i would like to get you into the mindset of the attacker if you would have to for instance if i would take like one of the giant uh top five companies in in the world you can you can imagine like a few and i would say uh try to get and compromise like gain access to one of those networks one of those organization um so from an attacker point of view you have the target company that you wish to to compromise or you wish to get an initial foothold in and you can do it with say uh the the the i would say the most um interesting way or the quickest way would have been if you could just you know from the network trigger and exploit gain access to the to the servers in the dmz and then exploit more and more until you get to the to the where the data is reside and where is the i would say uh uh the secrets of that company so that’s one approach and uh it’s pretty much costs a lot and you can see here a screenshot from uh zirodium which is a website that that does uh like associated with uh with zero days you can see the cost of having like windows zero click uh exploit and you see the price tag of this is like one million dollars it’s cost a lot so obviously this is the most intuitive way another approach would be to do like uh phishing campaign and we see that there are a lot of awareness about don’t open emails that don’t uh open attachments that are might be malicious or unfamiliar and this is also something that that cost from an attacker point of view uh a lot in a sense that they would need to uh find a good that would say uh context where the emails being stand find the people deliver it so a lot a lot of work needs to be done and that’s all in all in order to compromise one company one person at one place and i would say that the the thing about software supply chain attacks is that you can have a very good uh return of investment from an attacking point of view if you would find a way to do those manipulations that will allow you that would allow the attacker to inject militia’s code it’s pretty much i would say a low effort because you do need to to you don’t need to do some work it’s not like anyone can do it but it’s not you can see later on when we will describe the different attacks you would see that it’s not that hard it’s something that you have development background or some uh uh devops background you see it’s not that hard and you and you can pretty much with low effort execute the attack uh and what would happen is that if you were able to compromise one of the major or main libraries you would you would immediately get a wide spread of the malware so at one shot or i would say at one effort you can essentially compromise many many companies so if i again go to the top five companies or top 10 so it seems that instead of chasing one after the other with supply chain attack you can amplify the attack in the sense that if you get a software component that is malicious being installed on many organizations you can within one attack vector compromise hundreds of companies at one shot and what actually makes this attack uh uh go go back one slide because i wanted i want to touch the last
uh people trust the software i mean if you look at your windows workstation you trust microsoft if you use google chrome you trust google if you so all of this translation and the fact that within the supply chain attack you can inject the code that will eventually become a legit piece of software from a known brand that might even use digital signatures to sign this and binary eventually this will be delivered and by having this it actually pretty much can abuse uh the translation between different companies so that’s that’s why this attack is so uh um interesting and so uh appealing i would say for attackers we see more and more from that on the next slide you can see that that what are the options for an attacker so essentially from the attacking mindset there are two things or two type of payloads that can be integrated as part of the malicious code one could be uh to set up a backdoor if me as an attacker would have been able to compromise and change some code at the component i can i can essentially uh set up a backdoor that can eventually be used and if you think about the whole security method of identifying cvs and mitigating risk and so so if you can think about it a cve is a known vulnerability but but the world today have more than the number of cvs the the number of vulnerabilities is much larger than the number of cvs that exist today in the world so there are a lot of vulnerabilities out there that have not been yet discovered and don’t have an official cve number so an attacker can can set up a backdoor that would seem like like a vulnerability that would eventually be registered as a cv but just think about the potential of having this silent mode of just putting a vector and then exploiting this later on another approach is to set up malicious code what if i can not set up as a backdoor but have this malicious code embedded uh into the software component that upon a build process it will eventually execute this malicious code on the target companies and we’ll see later on that for instance solarwinds uh was kind of this approach by having a very sophisticated malicious code that was that that was very silent
so speaking of that you know how do these attacks occur right so i mean the thing is is that exactly what you know assaf mentioned this is that you know by the way these are attacks on your credibility a software provider if you’re doing this which is actually in some ways more damaging than some of the initial costs that come associated with it such as you know in some cases it’s blackmailing another case it’s releasing of you know customer information or whatnot but damage reputation is much harder to actually go ahead and recover from so when we have these attacks i mean when you have your typical situation and i’m a developer and i’m on the team and i have ci processes and all these things that are involved in it and i’m building my code you know of course i depend on transit dependencies and these transitive dependencies that you depend on are susceptible right because a lot of them are public and open source and they’re they’re free on the market and you know your developers use that to accomplish the tasks that they’ve been given and when you do this you know you compile your code you put together say you know in this case like an exe or a web service or whatever you’re building it doesn’t make a difference but if your software you’re delivering to your consumers you know whether it’s downloadable or it’s something else you know the thing is that you know understanding if there’s something compromising it you know suddenly you’ve you’ve actually discredited yourself and you’ve actually corrupted the executable or the software you’re providing and when you provide this to your customer you know you’re providing it to them but it’s not only the direct dependencies and this is one of the things that comes about because a lot of focus we see on some of these attacks and what we see people talking about in the market is uh not only just directing you know dependencies but those dependencies have dependencies and those dependencies are also susceptible so when we talk about solar winds in a little bit one of these methodologies in which solarwinds was an actual component was the fact that one of the indirect dependencies to the software they were creating was actually susceptible it was introduced as part of the larger transitive dependency and once again we’re in that same construct of having this you know suddenly this nefarious component inside the software that’s sitting there in wait and when we deliver to a customer unbeknownst to them suddenly you know there is an issue and in some of these cases and like i said when we keep talking about things like solar one because it was so sophisticated i mean one of the key features of that was was the fact that it had a 14-day backdoor policy from the time it was installed the timer started and 14 days later it executed its code which compromised the system that was associated to it so just as a side thing we’re going to do a quick poll here what is the average amount of transit dependencies that is used in software today um so one thing is you know think to yourself if i’m a developer and i’m looking or you have developers on your team how much of that of that software that you’re building is comprised of dependencies
i think we’re going through a poll so we have 20 to 30 percent 30 to 40 50 to 60 70 80 or 90 plus um so go ahead and we’ll do the poll right now
see here so if you guys i think can go in and uh uh do that that’d be fantastic
well i see we’ve got a couple people uh doing it got a seven oh seven to 64.
we’ll wait for everybody to come here and uh but uh i’m really glad you’re all here today to join us on this fun exciting talk
i feel like we should be playing some music or something or actually i mean we could sing acapella stuff
can i um in the bathroom like in the shower maybe but i’m not going to go there right now i think that’d be really awkward i don’t think it’s a good idea for me to sing as well i mean i i uh
i can play guitar though i can play but cannot sing i go grab mine off the wall if you’d like and we can maybe do a little bit of a duet you know and uh figure something out
all right we’re about halfway we’re about halfway there with the voting come on people jump in i feel like i feel like we’re raising money i feel like you know dig deep give back to the community you know i feel like we’re doing like a tele like like you know we’re uh we’re raising money for something all right well we got three we got one more person come on everybody get in here donate give to somebody who needs it like us
32 all right who’s holding back here come on you got clicks you got mouses you can click on those buttons let’s do it uh i’m gonna give it another 30 seconds whoever wants to jump in oh oh we got more people attending so now the cat went up so now we’re under 50 of the people
all right oh one more all right i’m gonna give you another 10 seconds
nine eight seven six five four three two and yahtzee let’s go take a look at our poll so all right hey here we go so uh let’s see here we got uh 20 you know zero for 25th that’s a good idea 30 to 40. 50 to 60 is the highest one here huh 1780 and we have here and then 90 plus well i will tell you that right now that actually when we talk about this 85 to 95 percent and 90 of your software is somewhat else’s software um yes that’s actually a scary figure when you think about that right you are putting a majority of your software development needs into someone else’s hands somebody you don’t know right so these are people out there that are actually you know building components your software developers need something for their code this provides a function for them to do their job and the funnier part about it is or the sad part however you look at it is out of that that 99 of those 75 of them have at least one open vulnerability think about that you’re introducing the fact that you’re bringing in the software and almost most of it almost all of it has a you know three quarters of it has some sort of susceptibility to it inherently from the moment you start using it and then you know
you know what i like about the poll is that if you look at the results you see that that we got uh right now i think around like 70ish people uh in the in the audience here and almost every la everyone were 50 and above i mean it’s pretty straightforward and people now today understand that open source is an integral part and no one chose the zero to 20 percent and i think this is a very uh uh i mean for me to see like this maturity of visibility i think it’s very uh tell something about the audience yeah i was honestly kind of disappointed that we didn’t have everybody in there because i wait for that one person to say well i do all my own stuff but that’s okay um you know it’s like i wanted that one person um but at the same time the thing is about this though is is that when 49 of the code bases were analyzed out there most of them actually had at least one high risk vulnerability once again you are jeopardizing the things you’re doing by introducing these and of that the thing is is 90 of these applications right those vote you know those third-party transit dependencies are either outdated by four more years or they’re abandoned think about that somebody put it out there like um you know i mean you look at you know some of these you know tools i mean and you look and you see like if you go to their github projects you’ll see that you know hasn’t been updated in four years and here you are you’re running the newest latest most awesome application on the market and you’re using stuff that’s four years old it’s like it’s like you’re building a car and you’re like i’m not going to put a new motor in i’m going to the junkyard i’m going to go grab a junk motor and i it works but does it really work does it really fit what i’m trying to do with my new hot sports car right it’s like um you know same idea
and the thing is is that if you have all the proper information and one of the things that we’re going to talk about today is that you know we’re going to show you ways to combat this of course but one of the simplest ways you can combat this is actually just by looking at the libraries you’re using looking to see if there’s anything and we’re going to talk about remediation later on on how you can attribute to this and in this case since this is you know sponsored jfrog um you know talk we are going to show the product and i am going to show you how you can actually you know use remediation to address this so that you can lessen the ability for you know vulnerabilities and actually exposure of your company and such
so when software attacks
go ahead so if you look technically on how does how does uh those type of attacks are occurring so we’re gonna we’re gonna uh technically explain like i would say the main method that are being used recently and and were published so the first one that that we’re going to cover is i would say uh uh seems like a straightforward one but still we get this a lot uh bill we can jump to the next slide and the first one is essentially dependency type of squatting so uh if you refer to the definitions we had at start about something some some malicious code was yada yada into a trusted piece of software and the thing that we added in this slide is that which is written by humans and uh the thing that we need to remember also from security as well as like uh qa and every every star every aspect of the development of the software that people make mistakes uh uh software has bugs it’s not because people it’s not because people are bad it’s just you know things happen same for same for this thing uh the defensive type of squatting is essentially a method that that attackers use in a sense that they take uh um i would say very known components and they just create another component with a very similar name pretty much close close to the close to the to the name of the of the very known component and when developers go and just very easily do pip install or or just you know get a component from a public compulsory by accident get the wrong component which is has a similar name and so and they just do a typo and what happens is that instead of having the original library that you have you have some modified version of this and uh and this is i would say very basic and intuitive that you if you want to go to the developer and say well just don’t don’t do a typo but a title by definition is a mistake and you would think that you would never fall for that right but it turns out that a lot of people do we at uh jay fox security we have uh people that that continuously scan open repositories and try to find malicious coding so and uh on late july uh we disclosed a uh we get a scanner that will scan the repository and we disclose several malicious uh packages on pipeline that uh were found to be malicious and essentially contain a malware inside and we founded those uh uh those software components were uploaded by a single user that we don’t know who it is but a single user uploaded many many of those components that looks like the uh the original ones and 30 000 uh downloads were happening to those software components to those malicious ones we don’t know where it has been spread out and you can see the article in the hacker news and also in the jfrog security blog and it was it was published in many many other uh many many other uh um
publications that we say but essentially you see the amount of like the amplification of the attack the attacker put one software component with a different name close to the main one and 30 000 downloads and what does it contain those malicious code this malicious code that we analyzed essentially was malicious code that would grab credit cards it would grab passwords it would compromise the machine so all of the things that you would say uh well seems like an attacker would go through the phishing and those i would say traditional security and traditional hacking you see this targeting towards developers and towards getting access to those companies so this is like one type of attack vector what’s funny is let me just chime in for a second because actually one of the things we’ll talk about in a minute is another type but at the same time i actually had a chance to work with one of our customers um and a very uh very exquisite customer they have a very amazing sense around security and they provided me with a list of a simple typo squatting technique that was used and it was in the spelling so the spelling of the binary actually had the ie in it so if you’re familiar with the english language you know i before e except after c and all these people did was is they found a whole bunch of libraries that had ionian part of the name descriptive name and reversed it because it’s a very natural thing for somebody to actually type it in but the ones they were bringing in in terms of typoing wise was a simple mistake of i before e and they had e and i and it caused a bunch of confusion in that respect
and the second type of effect the second type of attack is like uh not towards i would say third-party components so people get the third-party component are are risky and and you should watch an eye for those type of squatting and and you can leave your eyes but at least i know that my first party code the libraries that i create in within my company this is my code i’m safe i got nothing to be worried about but it turns out that this was a recent technique i would say earlier this year that was uh that was uh um that there is a technical article about how to implement this and you would be amazed how easy it was and how sophisticated and smart this attack is essentially dependency confusion is the fact that uh takes advantage of the of the the fact that build system would prefer public repositories over uh private repositories so that means that if you have your first party code and you would like to to uh to do linkage against one of those uh with against one of those uh i would say first party component so if the same name exists externally that would uh that would confuse the build system that would grab this malicious code and there was a security researcher that demonstrated this attack and it did it very responsibly so he did it step by step accordingly with all of those companies and so but in this in his uh concept he was able to compromise hundreds of companies and reached over 35 major companies you can see the logo in here and and was able to prove that this attacker would gain remote code execution and compromise uh computers within the target companies so this you can see again the amplification and he got 130 uh thousand dollars of bounty because of this attack a very interesting one oh and one of the other interesting bits is oh there we go so the thing is is that as part of the supply chain attack is is another thing you have to be careful of by the way is also that some of these are actually you know some of these repositories um you know they might be pulling from you know you might think they’re trusted right they’re a trusted source so you immediately jump in so the highlighted ones that i have here in the snippet i have you can see here there’s a thing for paypal now the thing is is that actually those sources right there were not paypal somebody actually went in and said hey i’m going to rename these paypal so this is one of the things is it was from a public repository instead of instead of a private repository when you’re doing this and the thing is is that you know pulling these in will cause that kind of level where you’re like oh it’s paypal it’s a trusted source but how do you know right and that’s one of one of the key differences here is the fact that we’re going to show you actually and and soft kind of alluded to it uh one of the things that we have in in the art factory product is called repo prioritization and we’ll talk about that later on as a way to combat this in addition to you know other things that we offer but you have defenses against this you have the ability that once you find a trusted source to stay with it even if in this case say that somebody does also say release a version of a binary that they have with the same name but a newer version that also could be a confusion and we’ll and we’ll definitely talk about that and of course we’ve alluded to it many times as we’ve discussed solarwinds right and and you know if you’re not familiar with it of course i’m sure everybody’s right about it everybody in this call is that you know at least you know had something or you know read about it or maybe been influenced by it or affected by it but the idea was that over 18 000 customers were affected by this and this came down to actually simply a transitive dependency that was injected into the supply chain for the actual composition of the solarwinds orion product and this simple little binary it wasn’t even that big actually it was only a couple of megabytes but the thing is though it was so went undetected but it came in as an indirect trend of dependency it was actually a very complex attack in which they did this is what they did is that one of the libraries that was used to build orion these people actually associated a new indirect dependency so that when the direct dependency was brought in to copy you know compile the product it broadened them with it and it came undetected it was very small it was innocuous nobody really thought anything about it until they started to dive into it and as i stated before what the big thing it did was is that a set of timer so it wasn’t even an immediate effect it was one of these effects that when the software went in 14 days later it started to do its magic which was to go ahead and start opening ports start opening remote calls basically saying hey world here’s everything i have jump right in and these hackers knew what to look for and they were able to go in and trace the usage because it was put into a repository that was basically public they were able to go in and say who has been downloading this and they could actually trace it down and they were able to go and attack based on the information they were getting back from the rpc calls that it was actually doing so let’s go jump to the next part and now we’re going to get into the fun stuff right the best defense is a good offense and when we start what we mean by this is that like you know first of all one of the biggest factors of actually building your software is actually understanding what your software is made from i mean i come from a development background going back uh there’s actually a guy on the call here he’s known me for about as long as i’ve been doing this um going back into the here we go ready date myself uh the le the late 90s um and you know the thing is is that you know building your software you’re always as a developer uh looking for ways to do things you need to do and do it easier and to find people who have actually taken some of the heartache out of it where it’s uh you know being able to go ahead and like change a variable type or you know variable you know value or you know present you a presentation layer in a website or whatever doesn’t make a difference whatever you’re building you have an assumption made and the thing is is that there’s a good faith aspect as a developer to think that anything that i’m using to build my code i’m putting trust in there once again i don’t know these people but i’m assuming they’re like me but they’re not you know there are people out there who definitely want to do harm in some cases there’s white hat you know hackers that are doing this to say hey look you’re exposed and then there’s others that are like we want to take all your money we want to ransom your company whatever so understanding how your software is actually being you know what’s inside that counts is really a major factor behind this and you know we mentioned solar winds and solar winds the united states actually back in may of 2021 um the binding administration enacted the executive order on improving the nation’s cyber security now it’s a very lengthy document that explains a lot of different aspects behind it but one of the key takeaways from it is is also the idea it was a answer by the to the actual solar wind attack and others because remember actually solar winds there was a lot of government agencies like the department of defense and others that were actually affected by this and so the biden administration took it upon themselves to go hey um we’re going to enact this quickly and just so you know this isn’t new this has been going on for a little while and we’ll talk about this but the major piece of it is is the fact that you’re buried in here um in in the actual full document is section four enhancing the software supply chain security and one of the major pieces of this is is that if you want to work with the united states government and if you’ve also know over time that you know these kind of of kind of mandates or these kind of things with the us government usually believed into the private sector so part of this is also an education is what is a software bill of materials because the united states government clearly states if you wish to work with this you need to go ahead and supply us with this because they want to be able to see everything from what’s inside and also things like license and governance and we’re going to go into details on this in a bit but this is a way to ensure and like i said a majority of you know different organizations when it comes to now like the industries of like med tech and fintech um and others you know that deal with sensitive data are going to adhere to this and actually probably in the future very very soon in the future a lot of companies when they go to purchase your software or go to use your software you know some companies ask for like sock2 compliance documentation and things like that soon they’re going to be asking you for as part of the delivery we have your software bill of materials because we want to know what we’re actually purchasing and knowing that because of the fact is is that if you need to know where the actual inception came from and the reason why i’m showing some delicious german chocolate delight here is the fact that the co you know the actual the portion of the actual government that enacted this idea is the fda the food and drug administration and the reason why is this was actually a call to action around software developers and companies that make software for things like medical devices you know if you’re putting software into a device that is meant to keep somebody alive and there’s malicious code in there that could potentially kill someone or say an insulin pump that’s not working correctly or a heart rate monitor that isn’t working properly things like that you want to know what’s inside so that you can address it it’s very similar to having ingredients inside anything that you’re cooked the food and drug administration says you need to tell all the consumers what they’re consuming and also give applicable warnings to say that certain people wouldn’t have any sort of allergies to these they need to be made aware to so that when they buy this they know what they’re getting and the real driver behind us too well like i said was also the national you know the ntia which is just a fun acronym to say uh but the thing is back in 2018 they work for food and drug administration to provide the software transparency project and this is like i said a way for device manufacturers for medical devices to have an accountability behind what they’re producing to make sure that if they did put something into the software that is powering the devices that they have it’s a way to inform the consumers that oh by the way here’s the list of software that i’m putting in here here’s some potential threats and also to just some common guidelines behind the software and knowing that brings you into the idea of what is a software bill of materials well it’s simply a list of ingredients of what’s inside the software is what you might think but the thing is like yes it includes libraries includes any properties uh you are using some free and paid components um you know what kind of data is restricted and accessed as part of this right so say you have a product that says uh for improvement purposes you’ve always seen the warnings would you like to notify us of any improvements that we have and would you like to supply us with the data from what you’re doing so that we can make our products better well this is actually some of the kind of access controls you need to notify your customers on but in addition to this you also want to make sure that you understand how it was constructed and we’ll discuss that and how you can get that kind of level of information uh today you know a lot of this stuff is not unattainable there’s actually ways to do this yes we will show our products substantially but at the same time this is a generalized knowledge for the better of betterment of mankind right this is not just about what we know us as jfrogs saying this we want to make the world a safer place and through software and one of the ways to do this is to understand and educate the masses on what this really means and so you know who uses this right who would be the people who would actually want to use this so it could be everything from the producers of software to keep a catalog on you know on change agents you know like how we progressed over time and how is our software product interchanged if there’s some sort of problem we can you can use this information by the way and i’ll show this later on as a way for root cause analysis so say one version three is differently than another you can actually use this information to say what changed objectively between these two versions to cause such a mess it’s also used for people who are doing procurement right so people who are choosing to buy software now giving this to them you know some companies have regulations it comes down to like you know we use zoom as our platform for our conferencing you know some companies have regulations that say you can’t use zoom it’s compromised well why is it compromised well you can always look at the software build of materials and maybe there’s components inside or maybe there’s license compliance inside that says we can’t use anything that’s gpl or you know or you know things like that they might have regulations say well this library has been unapproved by our security team due to xyz they can parse through this data and understand that and then when it comes down to people who operate software once again it’s a it’s a nice way to have asset management it’s a nice way to have a a direct correlation on how you’re actually building implementing and distributing your software itself so this is actually it’s really a multi-fold kind of thing it’s not just you it’s not just me it’s not just the companies you work with this is more of a global idea and a global presence in this way everybody knows what’s going on so there’s you know cutting down and mitigating a lot of the risks that are inherent into this kind of situation
so before we jump into once again we’re going to talk about the scope and the scale of this um you know what are the benefits once again identifying mitigating and avoiding right these are kind of the top level items that you have right away you know one of these we’ll talk about later on is remediation um another thing is your legal team will be starting you know are going to start hounding you hey guys you know what you’re making the software we need to provide to a customer uh we want to make sure that the licensing uh that the license you has adheres to our standard our legal team said these are the licenses for software components because every software component should have a license and if it doesn’t you should discard it immediately um but every licensed component that you have should have a license and those licenses some company some corporate things like medtech and fintech have very stringent policies by their security teams their infosec teams on what licensing they can use but also being able to go ahead and you know you know look and actually be able to mitigate risk over time right understanding what’s in there is an excellent way of having that high level picture of your software it’s not just what you produce but it’s everything else associated to it and in addition to that it’s just a nice way to also lower operational cost because you have a basically a catalog of information to work with it allows you to you know go through and if you do need to do root cause analysis you do need to do risk assessment you do the things that make your company more safe and secure this is just one more piece of the ammunition you need to defend yourself against potential threats by knowing everything you want about it a soft do you want to jump in and you want to add anything more so yeah so when i look from from a security standpoint the way i see if i if i would summarize where we at right now so we have we start with like the attacker mindset and the uh runtime attacks that can occur to execute a software supply chain and the defense approach that we see so far is that they say well it’s happening and the way we can we can have visibility towards those processes essentially to start to aggregate a lot of data so right now we’re in the position that s bomb some companies already collect this some companies not but if i would look five years five years from now we’re gonna have so much information that first it will have to get respectfully between parties so if i make if i create a software i can know what are in the libraries that i get for instance as well as the asset owner can know at the end product what they get and let’s assume that something occurred so we have for instance either the new solar winds or the next attack we can get for stability immediately and identifying what are the water blight spots so the defense approach is about start to collect data so we can start to manage this and handle this and before that we we were discussing about the tax at runtime how do i uh what are the attacks that that occur like how do they occur and uh later on by the way just the way i’m doing these summaries because later on we’re going to address both the aspects of how do you do runtime protections as well as how do you collect this information that we described right now
excellent thanks for so once again we’re back here again right so we have the idea of compiling your software using your transit dependencies and you know you know putting you know if you find out there’s something in your code um you know and suddenly you’re back to where you began again right you’re now delivering potentially threatening software to your you know any sort of external source then on top of that we talked about once again oh my screen would blank there we go transitive dependencies both direct and indirect and how they can do that well one of the one of the key factors here is a wait for the slide deck just catch up there we go um for some reason it’s taking a second here um it’s not liking my clicks but let’s go to the next phase which is well that’s great but one of the fact is is that you know when you have this software in these transit dependencies you know and when you’re building it one of the nice things you can do is of course have the software build the materials now with the software bill of materials one of the nice features about this is is that you know when you do find say something that’s actually nefarious in this case you now have a record of actually is there something nefarious inside or maybe there’s something that’s potentially threatening something that’s identified you know assaf talked about things that may not have a cve yet but might be on the radar such as you you know one of the things is is that with cve information you have everything from low to critical but a lot of people ignore the info and warnings because some of the info and warnings that you actually get are saying by the way that there are potential threats that are being assessed at this time right this might potentially be something and it might get upgraded to a cve and actually have one and those things is that inside you can have that in your manifest and your software build materials so that when you do identify something potentially threatening and you should you tell your customers when you supply it to them they can go in themselves and look at the software build materials and so can you to say hey by the way um you know what this has actually been affecting um you know the software we gave you and this customer was like hey we’re just gonna ring you on that and you know at least you there’s the same page and and the thing is is at least there’s awareness right awareness and a way for you to go in and actually address it but the best part too is if you start collecting your software building materials and you have say a vulnerability that’s been found at some point with the software build materials you can go ahead and say hey by the way let’s go look at the versions that we’ve released over time and you can say oh you know what between 1.1 and 1.3 we actually released this to it so once again root cause analysis remediation and action right this gives you the ability to also cut down on the amount of time it would take you to go ahead and research this you know the thing is by not having this kind of level of competency with your with your binaries i mean artifactory provides you with a level of competency is the fact that this allows you to go in and look at this information and see how far does it go i i call it last rig right because when you find something you want to know how far it goes and this will allow you to go in and trace it so that you can see what’s affected over time now the same thing goes when you have highly complex components like say docker remember people always talk about docker but remember docker is not just a place to host your application has many different components it has the app layer it has the runtime to run the application and also has the operating system and you should be able to actually produce a bill of materials for this right you need to be able to produce a build of materials that shows all the contents and i’m going to show you an example of that today actually you also when you have let’s say large-scale services you know when you start looking at things like web services which are like helm charts and say you know other you know multiple docker images you know like this can be another thing this also is another layer that you can actually have a software materials you know it’s basically you have a build materials for each component and then you can also have an overarching uh bill of materials and one of the things that we have at jfrog is this concept of release bundles and release bundles allows you to pull together various different software together into a singular release that’s digitally signed but also too it can provide you with a manifest a bill of materials for a bill of materials so you you know what the entirety of the actual service itself is so yes we’re throwing a lot at you right now and the whole life the whole thing is is that you know we understand you’re in devops or devsecops right i always say double second ops i try to avoid devops now because you know what security shouldn’t even be an afterthought it should be part of everything that you do it should be a mindset that you gain as part of the devops organization but of course you know fires are going on constantly you’re trying to keep going you know how do you keep control of this right so i’m going to talk about one thing i’m going to go through and talk about the jfrog platform for a few minutes then we’re going to take a break i’m going to give a quick demonstration of some of the pieces and we’re going to show how to defend yourself as an actual software you know company utilizing some of our components so of course we have our typical development workflow that we kind of started talking about a little bit about before i’m a developer i’ve been given a task you need to build a project i chose mpm in this case of course when i build my my project one of the things i’m going to do is define what transit of dependencies do i need to create my software as a developer what am i going to need and of course as i have a larger team and i start using ci tools we’ll talk about that in a bit but as a developer i’ve got to start somewhere so of course i just i define my package.json i put all my information in it could be it could be everything from a pom file and maven um it could be you know uh you know a go mod file fusion go it could be a docker file if you’re doing docker it doesn’t make a difference because once again i depend on third-party transit of dependencies you know if you use npm guys you’ll know the joke is is the fact that you know you you put one library and 200 000 come along with it uh because just the way inherently the way npm works but this in itself is is okay the problem is there’s no consistency there’s no accountability so now let’s go ahead and well this is our art of factory if you’re not familiar i’m assuming if you’re here you’ve heard of us you know what we do we’re universal buying a repository manager but the thing is is that what we what we do as an organization and where we supply you with the tools you need to get through this is the fact that when you implement artifactory as part of the solution you’re actually going to proxy those third-party transit requests from the source right in this case maybe mpm to its destination the developer oci tool and the way you do that in artifactory is through a thing called the remote repository a remote repository is a lazy proxy so that when requests come through artifactory to the remote source they come in and they cache inside of the remote layer later on we’re going to talk about x-ray on how you can evaluate these to stop yourself from having things nefarious but the idea of the remote repository is is the fact that if you say you have a thousand developers and you’re all working on the same project and developer zero pulls down in the binary and you’re using artifactory the the actual but you know the module the library whatever you’re using will go into the remote repository and will be delivered to the developer and then all 999 other developers will go ahead and pull that same binary by the way this does one thing that or everybody asked me to boil down what we do and i per se we provide a consistency engine you’re providing consistency of development methods for your developers and tools to create your software so you’re also going to produce software right because you’re also going to go ahead and you’re going to want to you know go ahead and build things so that’s where art factory has local repulsive points this is where you store your binaries your docker images your your maven builds or whatnot and then what you can do is in just a little side a little best practices thing here is that you can actually design your repositories to match your software development life cycle we have a promotion api that allows you to promote those builds you create through that life cycle providing accountability and we’re going to talk about accountability and we’re going to talk about sdlc as part of this because that is an essential part that you can include in your software bill of materials maybe such things and even if it’s not the full bill of materials you supply to your customer but it might be part of actually the knowledge base you have in the software you produce internally to say hey there’s a problem with the software did it pass qa and we’ll talk about that in a bit but then we also encapsulate everything for ease of use into a virtual repository which allows a single entry point into this multi-repository method and the thing is we’ve made it super easy to implement if you use our product you know we have set me up instructions on how to do this but what you’re doing is is that you’re actually going ahead and you’re you’re actually taking the stuff you’re doing pointing it to artifactory and now you’re actually going ahead and you have a place to store those transit dependencies indirect and direct you have a place to store your builds you have accountability so you can build a software bill of materials and we’ll talk about the information you gather with that but in addition once you do this there’s no change in some way to the things that you’re doing so mpm in this case still works and if you want to use our jfrog cli tool it’ll work but then you’re using artifactory to pull these in the next thing is is adding that layer of security so this is where our x-ray product comes in this allows you and we’ll show you in a bit on how you can look at the issues that you might be facing in terms of cbe we’re going to talk about license compliance and governance as part of this but this is also another way for you to go in and attack right this is your attack your attack factor on defending yourself is actually being proactive and the x-ray product allows you to be proactive we’ll talk about shift left the idea of you know the onus on the developer how to integrate into your ci process and also part of your release process but of course this is only one part of it because once you’ve actually gone ahead and built this you’ve implemented some layer of security you’re going to want to automate this and so whether you use your own ci tool or you can use our tool which is a c i d and ci orchestrator um this really gives you the ability to start automating these processes and ensuring things and we’ll talk about a ways of accountability as part of your ci process how to extend it and also to a way for you to go in and have justifiable cause on how those actual phases those steps are actually being done with digital ways of actually having accountability behind that too and then lastly it just doesn’t stop there so of course you’re going to want to extend this out and have it as part of your distribution too so we actually have an inherent distribution component called surprisingly enough distribution and one of the key components of this is being able to separate your rci from your cd so what you’re producing and manufacturing and what you’re delivering whether it’s a web service whether it’s iot devices automobiles medical devices what not but do it in such a way that is safe and secure and once again this goes back to accountability this is information you can include in your software bill of materials understanding not only its inception right from the developer but also down to its its consumption it’s distribution right it’s deployment so i always like to say when people ask us what we do and i say well our platform which includes everything here um can be everything from developer to deployment code to cloud developer to device uh with the military to compile the combat um you know whatever you want to say but this thing provides you with an end-to-end solution but not only that all the other ancillary kind of technology you can be integrated into it too and at the end of the whole cycle you can have a level of of actual uh information software build materials in this case or mike i we like to say also it could almost be an enterprise build of materials because it has everything or deployment build materials you can segment pieces of this out from the information we actually gather but this gives you a way for you to have end to end abilities here
so i think we’re going to take a quick five minute break i believe um for me if i would like i would like just to add like a few words so uh while we have the five minutes break i hope it was interesting so far uh i do encourage you to write down uh questions in case you have you can just drop them in a chat so during the five minute break we can review those and think how can we answer those during the the time that is left
so let’s take a five minute break it goes yeah we still have a lot of fun time ahead of us and uh yeah we have another half hour so we’ll do five minutes we’ll see you guys at 1 p.m or wherever you are tell me what pm pst so um we’re going to mute ourselves for a minute and then like a set if you have any questions put them into the qa box and then we’ll go from there
come on
all right
i think we’re back everyone maybe
all right everybody um it is one o’clock and uh let’s get rocking here um and uh let’s get to the next part so the next part is of course life cycle of a binary demo um this is where i’m just going to show you a couple of things um because i just want to be able to show you how you can use um you know artifactory for a couple of things i’m only going to take about five minutes i was planning on doing a little longer demo but i want to make sure we leave enough time um at the end to discuss but let’s go take a look let me share my screen for a minute uh it’s taking a minute here hold on a sec uh come on share um all right so uh oops i’ve got the uh the for some reason it was sharing the wrong
one hold on here having a technical problem for a second um let’s see here i think this is the one let’s see share uh good enough all right so let’s take a look for a second so this is actually one of the latest versions of artifactory uh that we have out here and so i’m going to log in i want to talk about a couple of things and some of the things that we’re going to talk about today is the fact is you know understanding um you know where where binaries come from right so in other words you know really quickly um just so we just as a recap of course you know we have our third you know our repository structures we have local remote and virtual local is what matters to you remote is those um third-party transitive dependencies and the last one of course is virtual which is encapsulation uh when you define your repositories you know i talked about the fact that you can go in and define your sdlc so i’ve got like dev i’ve got qa i’ve got production i think i have a staging one here somewhere
in addition to that i depend on third-party transitives and one of the questions actually came up was i noticed somebody asked about how do i do exclusion um you know how do i ensure that those sources that i’m pulling from are are the ones that we you know we wish to use so let’s go look at something like say mpm remote for example this is actually one of the most you know notorious um you know sets of libraries out there that are are compromised in some respects so a couple ways that you could go ahead and make sure that you’re not bringing anything nefarious is a couple different ways so first of all with the x-ray product itself it gives you the ability to go in and say that you want to scan it and you could paint rules on this right to go ahead and ensure that you’re not bringing anything that varies in and i’ll talk about them in a second but what there’s two methods in here that i’m going to go into a little bit of detail on what that means and one of them is this so first of all include patterns and exclude patterns these are regular expressions if you have known ones that you do not want to do you discover over time you
you can go in here and say i want to include these but i want to exclude these you know exclude patterns and regular expressions are your friends when you index an x-ray you’re going to be able to talk about that in a second but the fact is with indexing and x-ray this is actually letting just you know our x-ray product know what but you know what libraries you wish to go in and evaluate and by the way this applies also to local repositories so do not forget that but there are advanced features one of the things that we have here is this idea of prior you know prior prior hardy resolution and the idea here is saying that if i have binaries in this repository these are the ones that i wish to use so the ones that are there these are a way for you to kind of lock into the versions that you’re utilizing so this way if there is a new one that might be susceptible you can still bring it in and you can evaluate it but when you actually actually pull from the source it will pull from the trusted sources that you have already you can designate those
i’m going to send that well you know there’s information on our website behind that and i don’t have time to go to full details but this is actually one of the ways in which you can utilize this and we start talking about you know understanding the actual how do you you know evaluate binaries how do you evaluate those binaries that are pulled in that’s where our x-ray product comes in and it’s actually being handled through things called policies and launches and these are active approaches that you can take so you create policies that are based either on security or licensing and when you have security rules you can have a series of rules and then a set of criteria so if you were to think about it programmatically the criteria is the if statement and the actions are the then and now this is where it really comes to pass on understanding what you’re bringing in so first of all you can make a determination on things that have known cve so from low to critical and i remember i mentioned info and warning things because sometimes this provides information that something is being evaluated by someone somewhere of a potential threat so you have all severities also or if you’re more you know a lot of newer devsecop shops are going more of the cbs score route right it’s a more comprehensive score uh than just low me you know load of critical it actually gives you details on why this is a potentially nefarious component and of course you set your range in which you want to have that if you’re familiar with cve a cbs score it’s based on ranges so say in this case i went from 3.2 to 6.1 what do i do so in our actions we have a course that will generate a violation associated to the binary in question you can also do things more proactively so you can actually also do things such as um you know maybe something is found we have web hooks so you can actually say notify somebody like a slack channel or create a jira ticket or you know do things like that and it’s a json post and it does instant gratification notifications on them when you apply these to either your repositories your builds or your projects inside of artifactory one of the fields that it has one of the parameters is an email list so can be you know recipient list individual or whatnot this will actually go ahead and notify that person the other thing too is you if anybody’s using the deployer mechanisms this will actually notify deployers that there’s something potentially nefarious here and provide the level of information behind why it is if say you have something that’s a little bit more on the critical side right a more critical issue uh you might want to not you notify the entire list you might want to have a separate email list and a separate email list be like red team or whatever as a way to notify them there’s something critical or a cvs a score of like 9.0 to 10. now the next features are going to actually segue into the more aggressive features and these are ones that i give a cautionary tale to most of our customers to say you know what evaluate the way you’re building your software first and then implement these afterwards when you’ve kind of gotten and adjusted to the idea of that your software is probably containing a lot of bad things and but these other ones are more of the active approach so we have block download block download we’ll stop the consumption by any person or tool uh from that moment forward if something is found that is already stored in artifactory such as the third party transit dependency but how do you ensure safety before this happens and this is comes in two-fold so you can do more active which is block unscanned artifacts meaning your developers can pull in these third-party transit dependencies they come into artifactory they’re evaluated by x-ray if they pass your criteria they’re released to the developer if they do not they are blocked and they receive an error message but we’re going to talk about that’s one way to do things and we’re going to talk about shift left in a minute but let me continue on here because the next part of this is that we also have is things like block release bundle we talked about the distribution process we talked about being able to you know take a bunch of different software together or even individual software digitally sign it and distribute it out we can actually evaluate the actual release bundle before it gets to the edge level components then of course we have our ci termination event the ci termination event we’ll just send an exit you know signal to basically a ci a cli a you know ide just saying hey fail the build if something is in process we also have the same thing around license and compliance so for this though the actual actions are just as severe as we have everything else the difference is the criteria is different we have allowed licenses we have all 435 open source licenses you can add your own licenses in here too this is where you would work with your legal team to say here’s what we what we allow and here’s what we don’t so of course we have band licenses now the dare the really scary ones are third-party direct and indirect dependencies that come in that have no license though or an unknown license you have the ability to stop that you have the ability to flag a binary to say we don’t know what this license is we should probably investigate it and then we have the other way too where some people will actually compromise binaries by having something like a gpl or a regularly publicly available license and then supplement it either with additional license or a custom license and this will allow you to go ahead and flag those also but once you’ve actually gone in and you’ve actually built this out and you’ve built out some rules and policies and you determine and the way byoa the way you apply these actual pieces is through things called watches where you can apply it to your projects your repositories your builds or your bundles once you’ve actually got these in place i want to show you what some of the results of this are so you have a couple of different methodologies in which you can do this first of all you have the watch violations right so this is all those watches you’ve created and this will actually return to you any of the information say around any of the binaries in totality right so you can you know search for a cve you know you can look for all the low the criticals whatever you can also go into search by specific cbe or by name or content you know it was you know when was the actual cve created and on top of that you could say i want to look at security and licensing you can produce reports you know and the reports you can produce reports on vulnerabilities license still is violation you can do it at the repository the bill the release under a project level but my favorite is is when you’re actively going in and looking at a bill and now we talk about software build materials what i’m about to show you is a good start so let’s go look at a potential build i have okay so what kind of information do i get by using a tool like artifactory i’m using artifactory because that’s us right but this can be any tool that has this kind of assessment of data but just to show you that if you are using this this is something that you can use immediately to kick start what you’re doing so first of all if you’re publishing your builds into artifactory now i’m using a jenkins server in this case i’m also using our promotion api so thus you can see that it’s released i’m using that to say here is where it is inside of the stages of my sdlc and i immediately know that there’s something critical in nature behind it but when you have this information it’s not just about what you produce but it’s how is produced and what’s contained in it so first of all here’s all our standard docker image layers right everybody knows what this looks like you do a docker poll you do a docker run and then you have it but also too i can also show you that here is my actual interface i can say hey here’s my node front end and my java backend i’m actually these are the applications i am posting inside this container and say something goes bad with the ascend suddenly build number 76 is terrible and the previous version we had of this was build number 69 well here’s instant remediation what changed what changed between these versions and i could see that my java back end and my node friendly had changed my java back and stayed the same but my node front end changed i could even select here and go look at the actual application and i’ll show you that in a bit but i also understand how it was composed i understand how this was built environmental and system information these are essential bits of information that you can compile and use what if the version of docker change what if the java chip you know version of java chains python whatever you know maybe somebody left a debug statement in as simple as that i mean a debug statement can degrade the performance of most applications then we have the x-ray analysis right this is where the nefarious components that could jeopardize your organization come in so we show you in one location the violations we show you the security threats and if i go in here say i look for a particular one maybe i look for fast.xml uh because i just happen to know that i created this by the way and my containers are terrible um and i say oh look here i have a critical security issue but here’s the component i could click on that but i also have the infected version and i also have the fixed version well let’s take a look so first of all remember we talked about that most of the issues you face can be fixed by a simple update well immediately you’re presented with the idea of remediation if i upgrade from the current version that i have to the next version this will allow me to fix it but i also want to know what it is i’m fixing so i have all the information about what this is the summary it’s a critical issue it’s found as a cvs v3 it has a cve number it has a cvss score v2 and v3 i have a bunch of reference materials that i can utilize to research this to find out hey by the way there’s a vulnerability but are we using that function or maybe it’s maybe it’s an internal function but if you look to the other side of this the important part is where x-ray excels is this we actually found a jar in a jar of a layer of an image of a build we went that deep into this and we found a potentially threatening piece of material i can also show you from the compliance aspect once again build the materials i can show you every single part of this container app os runtime and actually show you that these are all the licenses associated to it i can even export this information as a violation report a licensing report a security report as a csv adjacent or pdf so i can give it to my team so they can fix it you can even take the you can actually also get rid of the ideas of that these docker images are black boxes because once again here’s our layering but check this out here’s a layer i can see that there’s something wrong here because we’ve actually coded it i can expand it out and actually show you the contents and their individual actual components and i can view the component i can even go ahead and assign custom issues if we find it’s lower or higher due to the assessment that we’ve came about and on top of that i can have mageara issues associated to this right so i know it was fixed you know what hey customer did you guys fix this yeah we fixed this as part of this build you can see it was actually fixed as part of this jira ticket and then from a root cause analysis perspective have we been infected well you could actually go in here and not just do a diff at the app level you could actually do a diff at the artifact level the dependency level the environmental system information and on top of that we also have the release history so you can see all the information about every phase of the sdlc and on top of that you can export this all as a a json that you can ingest into various products i know somebody brought up cycle mdx and some other other standards that are out there and we when a lot of stuff talk about it later on but we will be actually supporting this towards the later part of the year and the idea is is that we’ve already built in for years a lot of the material you need to create this but it doesn’t just stop there because we also talked about remediation now we talked about remediation at the individual binary level but what happens if you want to find out how far the rabbit hole goes so let’s go pick a library i’ve got a babel core right i see there’s five versions available it’s been downloaded 247 times well let’s go look at this one that has a medium severity it’s got talent it’s been used the most and when we look at it the best part is yeah here’s the readme instructions but i can also show you every single place that this actual binary has been utilized i can show you every single build that has been compromised by the potential threat of this actual binary so i know what’s been affected so i can have attribution and remediation and also have action i have its own x-ray data if you use our distribution side you can see if it was distributed out but then this also correlates i want to show you how it’s all tied together is the fact that i can go look at this binary i can look at this whole generalized information remember we talked about direct indirect transit dependencies and one of the key pieces here is is the fact that i have all this regular information about this specific binary but in addition i also have all the other indirect dependencies are associated to it so by having this level of information and utilizing it you also can go in and not only attract it there but one more thing i want to show you is as a developer you have a responsibility to care and take part your company’s sturdy vested interest so when i show you this i could also show you that if you use our id plugins you can see that i have a software project here and if i go and i hover over it you can see i have x-ray details but the important part is is that we actually go ahead and we can show you the direct and indirect dependencies of any binary that you have at the developer level shift left where the roi is greatest i can see the version i’m running the issues i have and then we also show you the fact that there’s a critical issue here’s a link to the issue and component and but also direct remediation inside the ide having shift left having this at the developer level allows you to attack any of the potential threats to your organization where it matters most which is in the front line your developers are your resource utilize them and give them the proper tools they need to ensure your safety and security of your organization
i know there’s a lot to fit in in a short amount of time in that respect but just as a quick recap because i want you to understand these are things that you know i showed you is number one build info this is all the information you need about every piece of software that you need and the dependencies that it has here’s an example where 474 74 transit dependencies i know every piece of material directed indirect that was utilized as part of this product we also have the you know the vulnerability portion how deep does it go right you know and in our case we’re able to expose potential threats to the actual build all the way through even targey z’s zip files you know jar files whatever to find things that might be hidden deep down in the software you produce
i talked about the blast radius understanding the reach of the binaries this is another way for you to go in and say wow you know what we’ve exposed our products to this potential threat for over 30 builds we should probably do something i also mentioned the fact that we have oh i clicked it there we go repo prioritization right so this allows you to have enable safe repositories right basically the resolution order allows you to go in and instead of a virtual say a virtual repository we have the encapsulation it gives you the ability to designate certain repositories as trust right so this way when you are doing it it provides the ability for you to go in and make sure that you maybe use a current version and any new versions will be flagged so that you can go in look at them examine them before you start utilizing
then last thing i have here oops is the other part the information what was part of the ci tooling you know when was the software built did it go through the software development life cycles how much of that was foss you know what environments were used you know where those settings of those environments and also too with their security vulnerabilities and also compliance so having all this additional information allows you to have a comprehensive analysis we also have additional features things you can do such as approval processes if you use our pipeline product where you can extend your current ci have it come into our factory you could do things like approvals did this pass our muster have a manual approval process you can have that as part of the bill of materials yeah bob signed off on it you know i i want to know if it was actually signed by somebody did it go through the phases that needed to be and you know what we released this does somebody approve it also too signed pipelines this is huge this allows you to have immutable build cycles so that when it builds completes or a process or a portion of a process completes you have an immutable digital signature representing the fact that this was a trusted now this is where it comes on like zero trust right this was a trusted process that you utilized and having a signed pipeline allows you have attribution to things that you’ve done and do it in a way that is indisputable
then the last part of this we want to leave some time is the fact that all that metadata is exposed as part of the process itself so you know when you go in that you can see if it’s been has gone through these cycles and then lastly i think it’s one of the last things i have is the release bundle and the release bundle is the end of this right that we’re actually we’ll be making more announcements about release bundle over the coming months so stay tuned but the idea of it is is a way for you to encapsulate your software have a bill of materials for all that level of information how to be able to distribute the doubt and have it in the way we have air gapping right so we have an air gap distribution this is used for a lot of secure companies we deal with where they want to package their software up digitally sign it bring it to another location and ensure its credibility by using these signatures in addition it can encapsulate the r back behind it you can also have our expert product stop it before it even goes out the door and then lastly you can even integrate it as a native step as part of our solution to ensure this and then the last part of what i was going to say is having this also being able to track as an extension is going far beyond the reach of actually production but deployment and utilization so having all that level of detail of information and the software and things you produce is a huge thing and then lastly oh well we have one question do we have a question what uh where is that yeah we have a lot of questions but i think it uh oh we’re right we’re close to the end but i think it makes sense to like maybe uh jump in and answer like some of the questions here sure all right so uh let’s see here let’s go to the bottom i see that um do you have a way yes uh so i saw that there was do you have a way to export s-bomb information so and if so do you support cycle in the s standard yes you can actually pull together information we’re working on a better process of this and the software is it towards the end of this year is that we’re talking about uh for like uh exporting the software build materials so right now in the demo you’ve seen that we have several ways to export the information from the uh from the artifactory and also from x-ray so uh we do have the possibility to export it right now to json pdf and like you saw the nissan in demo with regards to the uh cyclone dx and also spdx those are formats that are in the roadway planning we plan to store it like uh the end of q4 maybe q1 but it is in the immediate planning and people start to work on uh enabling those features and those things are in the immediate planning i would say so uh we do have a way to export right now and we do have we will have some more uh standards um later so stay tuned but this is like immediate and this comes down to the other side of this too is is that one of the question was is that when you see the metadata being stored that can be used to enforce automated devsex governance by pipeline phase does this does this go into the s-pop you can have this go into the s-bomb or you can publish it to another system it’s simple json and that can be actually utilized now i see there’s one that says can patterns be shared across repositories well we’ve just introduced federator repositories and i’ll have to double check i know that i’m not sure is this release but i think we’re working on having it so that you know you can already do properties and stuff in our federated repos please just do a jfrog federico search it’s a much easier way to do replication we already have replication by the way um across multiple instances and sites this is just an easier way to do this um but also too but the export patterns are specific by the way encode and export patterns are specific to the actual repositories themselves because you want to be able to give granulated control and usage and it says i see one here oops where did it just go i see how does artifactory know what is contained with an artifact and container images ah so we actually so we actually store our binaries as a checksum based storage that means that when you upload a binary it’s artifactory it’s a docker image jar file war file whatever you do we tear it apart we catalog that as metadata and then we store the binary as a sha-256 and then the binary data is actually represented as part of the actual object itself in the database which means we never duplicate binaries number one number two um you also know the scope right so you know the reach of these binaries and then on top of that you can add additional metadata so all those pieces and components we extract it out with our algorithm and then we store it appropriately in the metadata and as a whole and it says does x-ray support native production uh for dependency confusion prevent attacks from remote repositories if they match patrick you uh a package url or something uploaded you can write rules using the include patterns exclude patterns to do that um there’s all that materials actually there’s a lot there’s a blog on it online um and it says build info from tc jfrogtc i’m assuming team city does doesn’t give us detailed information as in shown in the demo that sounds like it might be an implementation problem um please set up you know contact your sales rep um and have it set up with one of our awesome engineers um like myself and my team and we’ll go ahead and we’ll show you how and then i see here that um it says are there plans to support package url specification i know art factory currently uses package url format um we’ll have to look into i don’t have a direct answer to that right now um so i mentioned like this and fbx are in the planning yeah so it is in the romance right now we have uh people that are examining those formats and see how can they how can this be integrated into the platform it was the best way so uh uh stay tuned and uh we’re gonna we’re gonna be able to project more uh solid information on the feature once it’s gonna be ready um so i know i know i don’t give like the immediate answer right now but i do give you uh uh i i do can tell you that i have active discussions internally about how to enable this in the platform and how it letters this excellent so i’m gonna skip the misconceptions but basically all the questions here are our answers here are no right you know they won’t be able to get your roadmap we don’t you you don’t have to disclose your source code um and even you know even if you disclose the list of components that’s the thing is is that it won’t expose your intellectual property because most of the time they’re compiled sources and things like that in addition to that it’s like getting a list of ingredients without the instructions on how to use it then lastly you know software building materials needs to work with government it’s a list of their fast libraries that you can use in the software you produce it lets you know how you know how what and when it was made it gives you audibility and traceability and potential threat metrics and on top of that the big thing is security and compliance right are the big components behind this and then i’ll let uh assaf take us out so we learned something didn’t we i hope we did um i hope you guys enjoyed this but it’s off take us out buddy
sure sure so uh uh i wanna thank you again for for being in the session and i think it was very uh uh um i hope it was interesting for all of you so uh we got we got a chance to learn about the attacks we got a chance to learn about what are the threats uh and essentially we hope right now that you have enough knowledge to to protect yourself and your company and doubles hope because that it is a winnable uh battle that you can win so as mentioned you can have you can implement uh uh runtime protection i would say against those uh typos quoting and dependency confusion attacks and you can use uh x-ray as well to generate so now you know exactly what is s-bomb what is the benefits of ask bomb and also don’t forget about the best practices and how to have signed pipelines and have the zero trust approach of building secured batteries because eventually you have the responsibility of delivering your software and you want to make sure that that this software is secured sealed and have the best practices in place um so we hope it was interesting for you and if there are any follow-up questions feel free to to email to your jeffrey representative or to us we’ll be more than happy to support and help you and uh i want to thank everyone again
excellent well thank you everybody asap absolute pleasure our first time doing this together i am super excited um thank you for all your effort on this and the time and and you know what guys thank you so much for taking time out of your day to attend this i hope this has been fruitful for you uh and look forward to seeing you in the verse have a wonderful day be safe everybody and protect your company
All right, thank you all, thank you Bill! Thank you. I think we have to wait…