An explosion of supply chain attacks is having potentially fatal real-world consequences

All Day DevOps 2020 - Opaque open source supply chain a matter of life and death, attendees hear

Would you eat food, board a plane, or get into a car if the origin of only 50% of its components were known to the manufacturer?

“Of course you wouldn’t,” said Brian Fox, co-founder and CTO at Sonatype, during his opening remarks at the fifth annual All Day DevOps conference today (November 12).

This is the “simply unacceptable” status quo in application development today, despite recent improvements in the visibility of software supply chains.

Held virtually – as it was even before Covid-19 struck – the 24-hour All Day DevOps conference features 80 speakers discussing topics such as CI/CD, cultural transformation, site reliability engineering, DevSecOps and, for the first time, government, to an estimated 25,000 attendees.

Speaking on the DevSecOps track, Fox said that open source now accounts for about 85% of a typical application’s codebase.

However, the ecosystem’s inherent advantage – crowdsourcing the talents of the global development community – was being exploited by cybercriminals at scale.

Swimming upstream

Security teams could no longer passively rely on firewalls and wait for vulnerabilities to surface ‘downstream’, amid a four-fold increase in ‘upstream’ attacks that poison development building blocks, for instance by planting backdoors in components, warned the former Apache Maven chair.

Thousands of new components land on the NPM repository each year, with the five most popular packages alone used in most applications.

“Figure out how to exploit one or two of those, and you have massive reach,” said Fox.

Stolen credentials for 79,000 packages – 14% of the NPM repository – have been found online, he warned.

Bad actors are also exploiting vulnerabilities faster. Attackers, for example, started probing systems for the Apache Struts vulnerability behind the high-profile 2017 Equifax breach within two days of its coordinated disclosure.

Real-world impact

The botched 2014 recall of millions of Chevrolet Cobalt cars due to malfunctioning ignition switches, which was linked to 13 deaths, offered a salutary lesson to developers.

“They had to recall all of them as they had no way of distinguishing good switches from bad switches,” said Fox.

Tackling the malicious infiltration of open source components was also a matter of life and death, the security pro argued.

In 2016, for instance, a ransomware gang exploited a vulnerability in the popular Apache Commons Collections library to cripple LA’s Hollywood Presbyterian hospital for a week; with ambulances rerouted to other hospitals, statistics suggest the outage may have driven up the fatality rate.

The automotive analogy offers a path forward too, with Fox referencing quality management pioneer W Edwards Deming’s principles for automotive supply chain management: source parts from fewer and better suppliers, use only the highest quality parts, never pass known defects downstream, and continuously track the location of every part.

Industry insight

Explaining ‘why security-aware developers are the new Security RockStars’, meanwhile, Stefania Chaplin, EMEA solution architect at Secure Code Warrior, offered All Day DevOps attendees a blueprint for fresh DevSecOps strategies.

Chaplin retraced the history of software development, from the Waterfall-based approach to the Agile and, now, DevSecOps paradigms. She explained why security is a shared responsibility and why security-aware developers are the future, and mapped a route “from Dev to DevSec”.

DevSecOps is more than just a toolset; it’s about fostering the right culture too, Chaplin argued.

With “about 100 software developers for each application security expert”, she said developers should be empowered with security knowledge, either as expert “security champions”, or at least with the foundational principles.

Still to come during this year’s All Day DevOps sessions, web application developer Brittany Belle will run at least one demo of a free and open source (FOSS) vulnerability scanning tool in a real-world project.

Belle, who is speaking from 6:30pm, will also survey the eclectic landscape of dependency scanning tools, and offer advice on choosing the right tool, running scans, and evaluating and acting on the results.

Then at 2:30am UTC, Salman Khwaja, application security manager for digital payment solution provider TPS Pakistan, will reflect on how software security is often neglected in the financial sector in favor of compliance.

Khwaja will also recount how his team implemented static and dynamic application security testing (SAST and DAST) scanning, systems hardening and security automation, and how they tackled PA-DSS audits.

Elsewhere, Chetan Conikee, who has developed mission critical software for more than two decades, will argue that many SAST tools are ineffective at identifying context-dependent vulnerabilities, such as business logic flaws, data leakage, insider threats, or hard-coded secrets.

At 8:30pm UTC, the former chief data officer of CloudPhysics will demonstrate how to find conditions leading to business logic flaws, identify sensitive data variables and map their flows across all sources and sinks, uncover hard-coded secrets and literals in source code, and incorporate security checks into pull requests or builds without slowing releases down.
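To make two of those checks concrete, here is an added example written for this article; it is not Conikee’s own tooling or any code from the conference. It is a toy intra-procedural scanner over a Python module: it flags string literals assigned to sensitive-looking names (hard-coded secrets) and tracks sensitive parameters through straight-line assignments to a sink call such as logging. The sensitive-name regex, the sink list and the sample module it scans are all assumptions constructed for the example, and the whole thing is meant to run as a build or pull-request gate that fails on any finding.

```python
"""Toy intra-procedural scanner for two of the checks described above:
hard-coded secrets and sensitive data flowing from a source to a sink."""
import ast
import re
import sys

# Assumed heuristics for this example: identifiers that mark data as sensitive,
# and call targets treated as sinks where such data must not land.
SENSITIVE_NAME = re.compile(r"password|passwd|secret|token|api_?key|ssn|card", re.I)
SINK_CALLS = {"print", "log.info", "log.debug", "logging.info", "logging.debug"}

# Constructed sample source, not code from the page or any real project.
SAMPLE_SOURCE = '''
import logging
log = logging.getLogger(__name__)

API_KEY = "AKIA1234567890EXAMPLE"        # hard-coded secret: flagged
DEBUG = "verbose"                        # plain literal, name is not sensitive

def charge(card_number, amount):
    masked = card_number[-4:]            # derived from a sensitive parameter
    payload = {"card": card_number, "amt": amount}
    log.info("charging %s", payload)     # sensitive data reaches a log sink
    print("last4", masked)               # derived value reaches a sink too
    return amount
'''


def _call_name(call):
    """Dotted name of a call target: log.info(...) -> 'log.info', print(...) -> 'print'."""
    parts, func = [], call.func
    while isinstance(func, ast.Attribute):
        parts.append(func.attr)
        func = func.value
    if isinstance(func, ast.Name):
        parts.append(func.id)
    return ".".join(reversed(parts))


def _names_in(node):
    """All plain identifiers referenced anywhere under an AST node."""
    return {n.id for n in ast.walk(node) if isinstance(n, ast.Name)}


def find_hardcoded_secrets(tree):
    """String literals assigned directly to a sensitive-looking name."""
    findings = []
    for node in ast.walk(tree):
        if not (isinstance(node, ast.Assign) and isinstance(node.value, ast.Constant)
                and isinstance(node.value.value, str)):
            continue
        for target in node.targets:
            if isinstance(target, ast.Name) and SENSITIVE_NAME.search(target.id):
                findings.append(("hardcoded_secret", target.id, node.lineno))
    return findings


def find_sensitive_flows(tree):
    """Per function: taint sensitive parameters, propagate through straight-line
    assignments, and report any tainted name that is passed to a sink call."""
    findings = []
    for func in ast.walk(tree):
        if not isinstance(func, ast.FunctionDef):
            continue
        tainted = {a.arg for a in func.args.args if SENSITIVE_NAME.search(a.arg)}
        for stmt in func.body:
            if isinstance(stmt, ast.Assign) and _names_in(stmt.value) & tainted:
                tainted |= {t.id for t in stmt.targets if isinstance(t, ast.Name)}
            for call in ast.walk(stmt):
                if isinstance(call, ast.Call) and _call_name(call) in SINK_CALLS:
                    reached = sorted(_names_in(call) & tainted)
                    if reached:
                        findings.append(("sensitive_flow", func.name, tuple(reached),
                                         _call_name(call), call.lineno))
    return findings


def scan(source):
    """Run both checks over one module's source and return the findings."""
    tree = ast.parse(source)
    return find_hardcoded_secrets(tree) + find_sensitive_flows(tree)


if __name__ == "__main__":
    # As a pull-request or build gate: any finding fails the job.
    results = scan(SAMPLE_SOURCE)
    for finding in results:
        print(*finding)
    sys.exit(1 if results else 0)
```

Run against the constructed module, the scanner reports the hard-coded `API_KEY`, the card number reaching `log.info` via the `payload` dictionary, and the derived `masked` value reaching `print`; the propagation is deliberately conservative (a slice of a sensitive value stays tainted) because a production tool would rather let a reviewer dismiss a masked value than miss a leak.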

This year’s DevSecOps track has 27 presentations and the event has 180 sessions in total, which are all available to watch online.
