Develop Secure Software https://develop.secure.software Practical knowledge by and for the secure software community: How-to, best-practices and trends for Dev, DecSecOps, CI/CD, and release management teams. en Wed, 30 Nov 2022 18:36:46 GMT 2022-11-30T18:36:46Z en Meta’s GDPR fine: Why your DevOps needs red teaming https://develop.secure.software/metas-gdpr-fine-why-your-devops-needs-red-teaming <div class="hs-featured-image-wrapper"> <a href="https://develop.secure.software/metas-gdpr-fine-why-your-devops-needs-red-teaming" title="" class="hs-featured-image-link"> <img src="https://develop.secure.software/hubfs/helen-dixon-dpc--stuart-isett--cc-by-nc-nd.png" alt="Meta’s GDPR fine: Why your DevOps needs red teaming" class="hs-featured-image" style="width:auto !important; max-width:50%; float:left; margin:0 15px 15px 0;"> </a> </div> <p><strong></strong></p> <p><strong><img src="https://develop.secure.software/hs-fs/hubfs/helen-dixon-dpc--stuart-isett--cc-by-nc-nd.png?width=1400&amp;height=732&amp;name=helen-dixon-dpc--stuart-isett--cc-by-nc-nd.png" alt="helen-dixon-dpc--stuart-isett--cc-by-nc-nd" width="1400" height="732" style="height: auto; max-width: 100%; width: 1400px;"></strong></p> <p><strong>Meta’s been fined $276 million for leaking people’s PII.</strong><span>&nbsp;</span>But the leak wasn’t directly via a vulnerability, but rather due to<span>&nbsp;</span><i>data scraping</i>. Helen Dixon (pictured), the head of Ireland’s GDPR regulator, ruled that Meta should have prevented the scrape.</p> <p><strong>What can you do to prevent it in your shop?</strong><span>&nbsp;</span>Red-team how legitimate features could be misused. Software supply chain attacks — such as dependency confusion and typo squatting — might also open the door to scrapers.</p> <p><strong>So monitor real-time usage</strong><span>&nbsp;</span>for unusual patterns. In this week’s<span>&nbsp;</span><a href="https://blog.reversinglabs.com/blog/tag/secure-software-blogwatch">Secure Software&nbsp;Blogwatch</a>, we suggest how — and what to do if you find them.</p> <p><a title="Richi Jennings" href="https://www.richi.uk/">Your humble blogwatcher</a>&nbsp;curated these bloggy bits for your entertainment. Not to mention:&nbsp;<i>Mariah Carey has defrosted</i>.<br>&nbsp;</p> <h2 style="font-weight: bold;">Finebook</h2> <p><strong>Irish Aunty’s</strong><span>&nbsp;</span>Brian O'Donovan reports&nbsp;—&nbsp;“<a title="read the full text" href="https://www.rte.ie/news/business/2022/1128/1338739-meta-fined-265m-by-irish-data-watchdog/">Meta fined €265m</a>”:</p> <blockquote> <em><strong>“Regulating on behalf of all EU users”</strong><br>Facebook parent company Meta has been fined … by the Irish Data Protection Commission (DPC) following a data breach which saw the personal details of hundreds of millions of Facebook users published … on an online hacking forum. Facebook said at the time that the information … was "scraped" … by malicious actors through a vulnerability in its … Contact Importer tools.<br>…<br>Meta was found to be in breach of Article 25 of the GDPR. … As well as the fine, Meta has been issued with a reprimand and an order requiring it to bring its processing into compliance. … Helen Dixon … the Data Protection Commissioner said the large fine imposed on Meta is intended to have a deterrent effect. [She] said when products and services are being designed, [they] must be designed to adequately protect a person's data.<br>…<br>Ms. Dixon added that the Commission is regulating on behalf of all EU users. … No objections to the drafts were raised [by] other EU data protection authorities.</em> </blockquote> <p><strong>How much is that in real money?</strong><span>&nbsp;</span>Sam Schechner says&nbsp;—&nbsp;“<a title="read the full text" href="https://www.wsj.com/articles/facebook-parent-meta-fined-276-million-in-europe-for-data-scraping-leak-11669640402">Irish Regulator Fines Meta on User Privacy</a>”:</p> <blockquote> <em><strong>“Several dozen more ongoing cases”</strong><br>265 million euros [is] equivalent to about $276 million. [It] is the latest indication of how authorities in the [EU] are becoming more aggressive in applying the bloc’s privacy law to large technology companies. [This] is the third time Ireland has fined Meta … in a privacy case over the past 15 months, bringing the combined financial penalties to the equivalent of more than $900 million.<br>…<br>[The] fine stems from disclosures in the spring of 2021 that [the] information of more than 530 million Facebook users [leaked] from mass “scraping” of public profiles. … Ireland’s Data Protection Commission … said the company hadn’t taken sufficient technical and organizational steps to prevent such a leak.<br>…<br>GDPR has been enforced for nearly five years but is only now generating a series of decisions with big fines. [The] regulator says it has several dozen more ongoing cases involving multiple big tech companies [including] Meta.</em> </blockquote> <p><strong>How has Meta’s DevSecOps changed as a result?</strong><span>&nbsp;</span>Mike Clark penned this 18 months ago&nbsp;—&nbsp;“<a title="read the full text" href="https://about.fb.com/news/2021/04/how-we-combat-scraping/">How We Combat Scraping</a>”:</p> <blockquote> <em><strong>“Identifying and deterring scraping”</strong><br>We’d like to explain … what we’re doing to prevent scraping to protect people’s information. … Using automation to get data from Facebook without our permission is a violation of our terms. … Scrapers may not access or collect data from our products using automated means.<br>…<br>[But] it can be difficult to detect them. We do however, have a number of methods to distinguish unauthorized, automated activity. … The first way we aim to make scraping more difficult is through the use of rate limits and data limits.<br>…<br>[But] we know that scrapers are determined to find new ways to get data. That’s why we’ve also focused on developing other methods of identifying and deterring scraping. We won’t go into all of them because we don’t want to give a roadmap to scrapers.</em> </blockquote> <p><strong>Oh! That quickly turned into a whole lot of nothing.</strong><span>&nbsp;</span>Still, at least they’re doing<span>&nbsp;</span><i>something</i>&nbsp;—&nbsp;even if they won’t say what. But this<span>&nbsp;</span><a title="read the full text" href="https://yro.slashdot.org/comments.pl?sid=22467980&amp;cid=63085416">Anonymous Coward</a><span>&nbsp;</span>isn’t impressed:</p> <blockquote> <em>While a watchdog can fine and scold, nobody knows how to "un-leak" data. Since most of us only have one … real identity, one leak is all it takes.</em> </blockquote> <p><strong>Exactly! What can<span>&nbsp;</span><i>you</i><span>&nbsp;</span>do?</strong><span>&nbsp;</span>One of the best resources is<span>&nbsp;</span><a title="read the full text" href="https://github.com/JonasCz/How-To-Prevent-Scraping">JonasCz</a>’s. Here’s a tiny flavor:</p> <blockquote> <em><strong>“Unfortunately this is hard”</strong><br>Monitor your logs &amp; traffic patterns. Limit access if you see … unusual activity, such as many similar requests from a specific IP address, someone looking at an excessive number of pages or performing an unusual number of searches.<br>…<br>Limit access to your website (or show a captcha) for requests originating from the IP addresses used by … services such as Amazon Web Services or Google app Engine … proxy or VPN providers. … Don't just do it on a per-IP address basis; you can use other indicators and methods: … How fast users fill out forms, and where on a button they click; … gather a lot of information with JavaScript, such as screen size / resolution, timezone, installed fonts, etc; … HTTP headers and their order, especially User-Agent. … Use and require cookies. … If it doesn't request assets (CSS, images), it's not a real browser.<br>…<br>Obfuscate your endpoints and make them hard for others to use. … Don't expose any APIs … unintentionally. … Don't forget your mobile site and apps. … If feasible, don't provide a way … to get all of your dataset.<br>…<br>Slow down scrapers and make them ineffective. You could also show a captcha if actions are completed too fast or faster than a real user would. … Screw with the scraper: Insert fake, invisible honeypot data. … Unfortunately this is hard, and you will need to make trade-offs between preventing scraping and degrading the accessibility for real users and search engines. … Show a friendly error message that doesn't tell the scraper what caused it. Something like:<br>…<br></em>Sorry, something went wrong. You can contact support via <span>&nbsp;</span> <a href="mailto:st.20221130@richi.uk">helpdesk@example.com</a>. </blockquote> <p><strong>Other suggestions include these,</strong><span>&nbsp;</span>by<span>&nbsp;</span><a title="read the full text" href="https://news.ycombinator.com/item?id=17807378">SyneRyder</a>:</p> <blockquote> <em>If you haven't already, try adding some "trap streets" to your data. Map makers occasionally include streets that don't exist, so if a competitors map includes it too, it's clear that the competitor copied it.<br>…<br>I did that with an online marketing dictionary I wrote years ago, some of the definitions included strange usage examples that contained the names of several of my friends. When a competitor scraped us, instead of shutting them down, the boss negotiated a data licensing arrangement with the scraper instead, so we ended up getting a revenue stream and backlinks out of the incident.<br>…<br>The DMCA is often effective. I've made DMCA requests against websites that distributed cracks of my software and they often disappeared in a couple of days.</em> </blockquote> <p><strong>But</strong><span>&nbsp;</span><a title="read the full text" href="https://yro.slashdot.org/comments.pl?sid=22467980&amp;cid=63085598">nicolaiplum</a><span>&nbsp;</span>is amazed we’re even talking about this:</p> <blockquote> <em>The amazing thing about this is that the Irish Data Protection Commission did anything at all. The second-most attractive thing about Ireland as a place to put your EU subsidiary of a US corporation is its incredibly ineffective and supine regulator (the most attractive thing is the low corporate tax rate).<br><br>There have been a lot of rumours that data protection regulators in parts of the EU that are more effective, like Germany and Netherlands, told the Irish DPC that if the Irish did not act, the Germans and Dutch would start their own enforcement actions, and that this finally prodded the Irish DPC into doing something.</em> </blockquote> <p><strong>How bad is that fine, really?</strong><span>&nbsp;</span>At the time, it was said the leak covered “more than 533 million users.”<span>&nbsp;</span><a title="read the full text" href="https://www.theverge.com/2022/11/28/23481786/meta-fine-facebook-data-leak-ireland-dpc-gdpr?commentID=96f87217-527d-491d-b4d0-3d4a670d25aa">Nitmare64</a><span>&nbsp;</span>does the math:</p> <blockquote> <em>52 cents per person affected. LOL, no wonder these companies keep doing this.</em> </blockquote> <p><strong>Meanwhile,</strong><span>&nbsp;</span><a title="read the full text" href="https://www.reddit.com/r/technews/comments/z74ed4/comment/iy7fmzb/?utm_source=reddit&amp;utm_medium=web2x&amp;context=3">Dudezila</a><span>&nbsp;</span>has an inquiring mind:</p> <blockquote> <em>Serious question: Who gets the money and what do they do with it?</em> </blockquote> <h2 style="font-weight: bold;">And Finally:</h2> <p><strong><a title="And Finally" href="https://www.youtube.com/watch?v=PYro9G9Q84c&amp;list=PL9zSC5i495YMjIuJjxToNGU8Ve7Gd5Rvj">I promise not to subject you to Mariah this year</a></strong></p> <div class="hs-embed-wrapper" style="position: relative; overflow: hidden; width: 100%; height: auto; padding: 0px; max-width: 560px; min-width: 256px; display: block; margin: auto;"> <div class="hs-embed-content-wrapper"> <div style="position: relative; overflow: hidden; max-width: 100%; padding-bottom: 56.25%; margin: 0px;"> <iframe style="position: absolute; top: 0px; left: 0px; width: 100%; height: 100%; border: none;" src="https://www.youtube.com/embed/PYro9G9Q84c" width="560" height="315" frameborder="0" allowfullscreen></iframe> </div> </div> </div> <p>&nbsp;</p> <p><a href="https://www.youtube.com/playlist?list=PL9zSC5i495YMjIuJjxToNGU8Ve7Gd5Rvj">Previously in<span>&nbsp;</span><em>And finally</em></a></p> <p><em>You have been reading&nbsp;<i>Secure Software&nbsp;Blogwatch</i>&nbsp;by&nbsp;<a href="https://www.richi.uk/">Richi&nbsp;Jennings</a>. Richi curates the best bloggy bits, finest forums, and weirdest websites … so you don’t have to. Hate mail may be directed to&nbsp;<a href="https://twitter.com/richi">@RiCHi</a>&nbsp;or&nbsp;<a href="mailto:ssbw@richi.co.uk?subject=-sbbw-">ssbw@richi.uk</a>. Ask your doctor before reading. Your mileage may vary. Past performance is no guarantee of future results. Do not stare into laser with remaining eye. E&amp;OE. 30.</em></p> <p><small><i>Image sauce:<span>&nbsp;</span><a href="https://www.flickr.com/photos/137225243@N02/49088640158">Stuart Isett</a><span>&nbsp;</span>(<a title="Some rights reserved" href="https://creativecommons.org/licenses/by-nc-nd/2.0/">cc:by-nc-nd</a>; leveled and cropped)</i></small></p> <img src="https://track.hubspot.com/__ptq.gif?a=3375217&amp;k=14&amp;r=https%3A%2F%2Fdevelop.secure.software%2Fmetas-gdpr-fine-why-your-devops-needs-red-teaming&amp;bu=https%253A%252F%252Fdevelop.secure.software&amp;bvt=rss" alt="" width="1" height="1" style="min-height:1px!important;width:1px!important;border-width:0!important;margin-top:0!important;margin-bottom:0!important;margin-right:0!important;margin-left:0!important;padding-top:0!important;padding-bottom:0!important;padding-right:0!important;padding-left:0!important; "> Secure Software Blogwatch Dev & DevSecOps Wed, 30 Nov 2022 18:36:46 GMT richi.jennings@richi.co.uk (Richi Jennings) https://develop.secure.software/metas-gdpr-fine-why-your-devops-needs-red-teaming 2022-11-30T18:36:46Z GitHub repojacking attack: 10 lessons for software teams https://develop.secure.software/github-repojacking-10-lessons-for-software-teams-0 <div class="hs-featured-image-wrapper"> <a href="https://develop.secure.software/github-repojacking-10-lessons-for-software-teams-0" title="" class="hs-featured-image-link"> <img src="https://develop.secure.software/hubfs/github-repojacking-namespace-10-lessons.jpg" alt="GitHub repojacking: 10 lessons for software teams" class="hs-featured-image" style="width:auto !important; max-width:50%; float:left; margin:0 15px 15px 0;"> </a> </div> <p style="font-weight: bold;">Software supply chain attacks are on the rise because of their reach. Here are 10 valuable lessons from the recent GitHub namespace attack.</p> <p><img src="https://develop.secure.software/hs-fs/hubfs/github-repojacking-namespace-10-lessons.jpg?width=1400&amp;height=732&amp;name=github-repojacking-namespace-10-lessons.jpg" alt="github-repojacking-namespace-10-lessons" width="1400" height="732" style="height: auto; max-width: 100%; width: 1400px;"></p> <p style="font-weight: bold;">Software supply chain attacks are on the rise because of their reach. Here are 10 valuable lessons from the recent GitHub namespace attack.</p> <p>Hijacking code repositories, or repojacking, wasn't new when security researchers discovered a serious vulnerability in the mechanism GitHub uses to retire namespaces, but the flaw in the development hub made the software community painfully aware of how defenseless it could be in the face of <a href="https://develop.secure.software/blog/nvd-analysis-2022-why-you-need-to-modernize-your-software-security-approach">such software supply chain attacks</a>.</p> <p>Repojacking targets a legitimate namespace in GitHub. The architecture of the hub allows user names to be changed through a renaming feature. After a change, traffic to the old name is redirected to the new name. The flaw <a href="https://checkmarx.com/blog/attacking-the-software-supply-chain-with-a-simple-rename/"><span>discovered by security firm Checkmarx</span></a> in October could allow adversaries to use the feature to send users of renamed repositories to malicious destinations and <a href="https://thehackernews.com/2022/10/github-repojacking-bug-couldve-allowed.html">put at risk thousands of software packages</a>.</p> <p>GitHub is the most popular code hosting platform in the world, with 90 million users and 330 million projects — putting a target on its back, said Om Vyas, chief product officer and co-founder of Oak9, a cloud-native infrastructure security provider.</p> <blockquote> <p style="font-size: 24px;"><em>"GitHub, being a central repository for developers to host their open-source software for others to consume, is a prime target to spread malware at an exponential rate."</em><br><em>—<a href="https://www.linkedin.com/in/omvyas/">Om Vyas</a></em></p> </blockquote> <p>Naomi Buckwalter, product security director at<span>&nbsp;</span>Contrast Security, said that if a threat actor can discover and exploit a vulnerability in a popular project, which also happens to be used in hundreds and thousands of applications around the world, then chances are that it’d be much, much easier to successfully attack multiple organizations at once.</p> <blockquote> <p style="font-size: 24px;"><em>"This is a huge return on investment for threat actors. Hack once, pwn everywhere. Hijack just one popular Github repository, and you can have a backdoor into multiple organizations. What threat actor wouldn’t like to try that?"</em><br><em>—<a href="https://www.linkedin.com/in/naomi-buckwalter/">Naomi Buckwalter</a></em></p> </blockquote> <p>Now that the dust has settled around the GitHub namespace flaw, here are 10 valuable lessons for software development teams.</p> <h2><strong>1. Understand what open-source software you're using, and the vulnerabilities within</strong></h2> <p>Using open-source software is now standard operating procedure on most, if not all, modern development teams, Buckwalter said. "A single vulnerability in a popular open-source library can cause havoc. Just look at <a href="https://develop.secure.software/blog/cisa-log4j-threat-will-linger-for-years">the fallout from Log4Shell</a>."</p> <h2><strong>2. Monitor whether open source has been renamed or moved</strong></h2> <p><a href="https://www.linkedin.com/in/henrikplate/">Henrik Plate</a>, a security researcher at the dependency management company Endor Labs, said monitoring open source is key. "Rather than relying on automated redirects—and related protection mechanisms<span>—</span>to work properly, you should update those resource references to the new locations," Plate said.</p> <h2><strong>3. Audit code in repositories, and create a private fork for your own use</strong></h2> <p><a href="https://www.linkedin.com/in/mbischoping/">Melissa Bischoping</a>, director and endpoint security research specialist at Tanium, said auditing was paramount. "Avoid pulling code 'live' from sources such as GitHub repos that you don’t control and audit. Otherwise, it’s impossible to conduct proper security reviews on every single change," said Bischoping.</p> <h2><strong>4. Use a software bill of materials (SBOM) for an accurate inventory of your software components</strong></h2> <p>Use SBOMs to give you insight into dependencies and risks, Bischoping suggested. "While we hope to see more software providers offering clear and transparent documentation of their dependencies and libraries, SBOM serves as an essential tool to empower the users of third-party software to understand if and when these vulnerabilities impact them."</p> <h2><strong>5. Secure your GitHub account</strong></h2> <p><a href="https://www.linkedin.com/in/mackeytim/">Tim Mackey</a>, principal security strategist at the Synopsys Cybersecurity Research Center, said it’s important to understand that any GitHub attack first starts with compromising a GitHub account. "Enabling two-factor authentication or the use of the GitHub Mobile registration are two key options to reduce the potential for any GitHub account to be compromised," Mackey said.</p> <h2><strong>6. GitHub repository owners should define an end-of-life for their repos</strong></h2> <p>Mackey said ownership and management of repos is key. "That includes having trusted individuals as owners or group accounts and defining a GitHub successor — in addition to publishing explicit end-of-life or deprecation statements," Mackey said.</p> <h2><strong>7. Software teams should look for evidence of good health in GitHub repositories</strong></h2> <p>Mackey said that anyone choosing a new project shouldn’t be looking at the historical popularity of a project, but instead for evidence that the project is actively maintained and is healthy. Healthy projects can be determined by the project’s GitHub Insights and its Code Contributors and Code Frequency data.<span>&nbsp;</span></p> <p>"If the project is popular, and there is limited activity or activity is limited to a handful of contributors, then that project isn’t as healthy as its popularity might indicate," said Mackey. "<span style="background-color: transparent;">Unhealthy, but popular, projects are precisely the types of projects that attackers will gravitate towards, as unauthorized changes to the code or configuration are more likely to fly under the radar screen for an extended period of time," he added.</span></p> <h2><strong>8. Get really good at asset management</strong></h2> <p>Buckwalter noted that asset management comes down to three things: Knowing what open-source libraries are currently used in your environment, their true source locations, and their known vulnerabilities.</p> <p>"There is a saying in information security: 'You can’t protect what you don’t know about,'" Buckwalter said.<span> </span>"The same holds true for supply chain attacks via Github. Keep an accurate asset inventory of your open-source libraries and make sure they always point to their true source locations — not the location that’s been redirected — and keep the libraries themselves up-to-date."</p> <h2><strong>9. Contribute more time and money to open-source projects</strong></h2> <p>Software supply chain attacks have become a never-ending story, said <a href="https://www.linkedin.com/in/scott-gerlach-kaakaww/">Scott Gerlach</a>, co-founder and CSO of StackHawk, an API security testing provider.</p> <p>"All of the light being shined on the issue should drive developers to actively check in on the public packages and repos they use," Gerlach said. "But that’s the problem. Repos and <a href="https://develop.secure.software/blog/iconburst-npm-software-supply-chain-attack-grabs-data-from-apps-websites">package services like npm</a>, composer <a href="https://develop.secure.software/blog/new-malicious-packages-in-pypi-repo">and PyPi</a>, are run by volunteers in their free time. If we really expect these widely-used resources to become more secure, people will have to start contributing more time and money into maintaining them."</p> <h2><strong>10. Security must be a first-class concern for software projects</strong></h2> <p><a href="https://www.linkedin.com/in/johncampbelljr/">John Campbell</a>, director of content engineering at Security Journey, an application security education firm, said security must be muscle-memory to developers and those who support the software development lifecycle (SDLC).</p> <p>"Security education fills the gaps in higher education programs for many professional software developers," Campbell said. "A solid, ongoing secure code training program establishes security principles that developers can rely on to make good, proactive decisions and provide prescriptive actions to improve the organization’s security posture."</p> <h2 style="font-weight: bold;">It's all about awareness and taking action</h2> <p>By understanding security principles, developers can implement supply chains and build pipelines that are protected against attacks, Campbell said.</p> <blockquote> <p style="font-size: 24px;"><em>"We can reduce the attack surface by implementing processes that maintain software components by pinning them to specific component versions, while using private vendors to control them and avoiding direct links to repos like Github."</em><br><em>—<a href="https://www.linkedin.com/in/johncampbelljr/">John Campbell</a></em></p> </blockquote> <p>&nbsp;</p> <img src="https://track.hubspot.com/__ptq.gif?a=3375217&amp;k=14&amp;r=https%3A%2F%2Fdevelop.secure.software%2Fgithub-repojacking-10-lessons-for-software-teams-0&amp;bu=https%253A%252F%252Fdevelop.secure.software&amp;bvt=rss" alt="" width="1" height="1" style="min-height:1px!important;width:1px!important;border-width:0!important;margin-top:0!important;margin-bottom:0!important;margin-right:0!important;margin-left:0!important;padding-top:0!important;padding-bottom:0!important;padding-right:0!important;padding-left:0!important; "> Software Supply Chain Security Software Bill of Materials (SBOM) Dev & DevSecOps Wed, 23 Nov 2022 16:19:33 GMT jpmellojr@gmail.com (John P. Mello Jr.) https://develop.secure.software/github-repojacking-10-lessons-for-software-teams-0 2022-11-23T16:19:33Z Your support must scale: Don’t be like Meta, dev teams https://develop.secure.software/your-support-must-scale-dont-be-like-meta <div class="hs-featured-image-wrapper"> <a href="https://develop.secure.software/your-support-must-scale-dont-be-like-meta" title="" class="hs-featured-image-link"> <img src="https://develop.secure.software/hubfs/frustration--icons8-team-r-enAOPw8Rs-unsplash.png" alt="Your support must scale: Don’t be like Meta, dev teams" class="hs-featured-image" style="width:auto !important; max-width:50%; float:left; margin:0 15px 15px 0;"> </a> </div> <p><strong></strong></p> <p><strong><img src="https://develop.secure.software/hs-fs/hubfs/frustration--icons8-team-r-enAOPw8Rs-unsplash.png?width=1400&amp;height=732&amp;name=frustration--icons8-team-r-enAOPw8Rs-unsplash.png" alt="frustration--icons8-team-r-enAOPw8Rs-unsplash" width="1400" height="732" style="height: auto; max-width: 100%; width: 1400px;"></strong></p> <p><strong>A rash of small businesses on Facebook found their accounts locked</strong><span>&nbsp;</span>after being hacked. And it’s impossible to contact Meta to get the problem fixed.</p> <p><strong>A trickle of reports have turned into a flood.</strong><span>&nbsp;</span>Meanwhile, businesses, charities and non-profits are losing revenue, while Facebook fails to deliver. Online self-service flows are broken, Meta support follows useless scripts and promised callbacks never materialize.</p> <p><strong>The moral of the story?</strong>&nbsp;Don’t neglect the tooling to support users — even if the service is “free.” In this week’s<span>&nbsp;</span><a href="https://blog.reversinglabs.com/blog/tag/secure-software-blogwatch">Secure Software&nbsp;Blogwatch</a>, we are the product.</p> <p><a title="Richi Jennings" href="https://www.richi.uk/">Your humble blogwatcher</a>&nbsp;curated these bloggy bits for your entertainment. Not to mention:&nbsp;<i>Vandalizing old email</i>.<br>&nbsp;</p> <h2 style="font-weight: bold;">Facebook farce</h2> <p><strong>What’s the craic?</strong><span>&nbsp;</span>Tatum Hunter reports&nbsp;—&nbsp;“<a title="read the full text" href="https://www.washingtonpost.com/technology/2022/11/21/hacked-facebook-account/">The long, lonely wait to recover a hacked Facebook</a>”:</p> <blockquote> <em><strong>“Not much appears to have changed”</strong><br>Lucretia Groce … got kicked out of her account. Someone had posted abusive content from her page. … Her account had been hacked. Groce said she cried for hours.<br>…<br>How, without access to her personal account, could she recover the business page she had worked hard to grow? [She] estimates she has lost $18,000 in income after waiting for months for her account to be unlocked. … Her old videos were still making money … but none of that money was appearing in her bank account.<br>…<br>Her frustrating experience is not unique. [I’ve] received hundreds of emails from people locked out of their Facebook accounts … Many lose their accounts to hackers, who take over Facebook pages to resell them or to game search-engine rankings. … Despite reporting revenue of more than $27 billion in the third quarter … Meta is a multinational technology giant without real customer support.<br>…<br>The company says 40,000 [people] are devoted to safety and security efforts. … Last year [it said] it was working on new processes to solve these problems. A year later, not much appears to have changed.</em> </blockquote> <p><strong>That sounds like a big ball of suck.</strong><span>&nbsp;</span>Here’s<span>&nbsp;</span><a title="read the full text" href="https://news.ycombinator.com/item?id=33618796">treborhclew</a>’s experience:</p> <blockquote> <em><strong>“This is a disaster”</strong><br>My startup company's Facebook account was … "permanently suspended" shortly after creating a Facebook Business Ad Account. I don't have a personal Facebook, so I was required to create one; I did so using my company email and then made a Business Ad Account.<br>…<br>I was able to lift the suspension on my personal account by uploading a photocopy of my ID. However, the suspension on the company's Facebook account is still active. Automated emails from Facebook say to expect a response in 48 hours, but I have been waiting to hear back for a week.<br>…<br>And, if that wasn't enough of a headache, I have a signed agreement with the local news to advertise my company/product towards the end of November. This is a disaster.</em> </blockquote> <p><strong>How does this work?</strong><span>&nbsp;</span>Ashley Belanger explains&nbsp;—&nbsp;“<a title="read the full text" href="https://arstechnica.com/tech-policy/2022/11/small-businesses-say-facebook-is-enabling-hackers-who-took-over-accounts/">Meta keeps booting small-business owners for being hacked</a>”:</p> <blockquote> <em><strong>“Resulted in financial losses”</strong><br>[This] has happened to seemingly dozens of individuals and small-business owners: … A hacker gains access to a Meta account, then adds their account to the business owner’s ad account before removing the original account owner. At that point, the hacker has taken over the ad account completely. Then, the hacker moves quickly to knock the original user off Meta before they notice.<br>…<br>To do this, the hacker posts inappropriate content like pornography, which quickly prompts Meta content moderators to disable the original account. Once an account is disabled … many business owners [said] attempts to appeal Meta’s decisions are repeatedly rejected.<br>…<br>This scam is likely a tricky one for Meta because hackers gain access to accounts using emails the company believes have been compromised, making account reinstatement still risky. … And while the ad payments would ordinarily be disabled when the account is disabled, the hackers deleting the original accounts as a manager means those ad accounts remain active and exploitable. [This] has resulted in financial losses for many small-business owners, and Meta knows about it.</em> </blockquote> <p><strong>Anything else?</strong><span>&nbsp;</span><a title="read the full text" href="https://www.reddit.com/r/technology/comments/z1af4q/comment/ixc8ew3/">u/Rymbra</a><span>&nbsp;</span>has been on the receiving end, so to speak:</p> <blockquote> <em>[They] hit up your friends/2nd degree associates for money. They’ll review how you speak/your mannerisms since they have access to your DM history and will message them with an emergency so the urgency clouds judgment.<br>…<br>One of my friends is an indie musician in another state I collab with sometimes. The hacker got control of his Instagram and they hit me up on IG messenger as him asking to borrow like $50 for medicine for his aunt and he’d pay me back next day. … Someone else that is only cool with him online might’ve fell for it.</em> </blockquote> <p><strong>Because you are the product?</strong><span>&nbsp;</span><a title="read the full text" href="https://arstechnica.com/civis/threads/small-businesses-say-facebook-is-enabling-hackers-who-took-over-accounts.1487981/post-41402836">Fatesrider</a><span>&nbsp;</span>brings tough love:</p> <blockquote> <em><strong>“Facebook will throw any user under the bus”</strong><br>As much as I get how awful this is for someone trying to make a living online, relying on social media … to continue/maintain the business is pretty much a suicidal move.<br>…<br>I get that Facebook could be less absolutist in how they handle instances of infractions … but she wasn't their customer. She was their<span>&nbsp;</span><strong>commodity</strong>. They literally have no incentive at all to continue keeping her as a user.<br>…<br>She presumes she has importance of some kind to Facebook when, in fact, she has almost none. … I feel for her, but Facebook will throw any user under the bus and not feel one iota of remorse.</em> </blockquote> <p><strong>So how is Meta’s support flow working?</strong><span>&nbsp;</span>Not well, says<span>&nbsp;</span><a title="read the full text" href="https://www.reddit.com/r/facebookdisabledme/comments/z1n3rl/and_the_shit_show_continues/">u/No-Fox3243</a>:</p> <blockquote> <em><strong>“Like a bad joke”</strong><br>Firstly, Meta will remove your existing compromised emails and send you a password reset link against the new, never used on FB before, email you supply them. If you are like me … you will go straight to settings and add your phone number, and a back up email, knowing how precarious having one email only in there is. This will get you locked right out again.<br><br>The only way to get back in, is pass the equivalent of the squid games. From a list of about 10, totally out of context comments, you need to pick which 4, were made by you. If you fail that (and I allege that it's flawed as I picked 4 I<span>&nbsp;</span><strong>know</strong><span>&nbsp;</span>I made) then … 3 friends need to verify your identity through a link FB will send them.<br>…<br>I'll just pick my family who are right here in the room. No, no you won't: You will pick 3 from a list of 10 generated by Facebook. Then you need to call or text them, convince them it's you, and get them to click the suspicious looking FB link. … Of that 10, 7 are acquaintances from sport, one's your grandma with Alzheimer's, and you don't even know who 2 are, let alone have contact details for.<br>…<br>And now you are ****ed. … It's like a bad joke.</em> </blockquote> <p><strong>Catch 22?</strong><span>&nbsp;</span><a title="read the full text" href="https://arstechnica.com/civis/threads/small-businesses-say-facebook-is-enabling-hackers-who-took-over-accounts.1487981/post-41402828">close</a><span>&nbsp;</span>closes the book:<span>&nbsp;</span><em>[You’re fired—Ed.]</em></p> <blockquote> <em>Facebook makes it so you need an account to report and block fraudulent activity? Isn't this actively enabling a crime if you don't give the victim the quickest possible way to report it at least?</em> </blockquote> <p><strong>Meanwhile,</strong><span>&nbsp;</span>how about contacting a friend of a friend who works for Facebook?<span>&nbsp;</span><a title="read the full text" href="https://tech.slashdot.org/comments.pl?sid=22408028&amp;cid=63059452">Spatzmania</a><span>&nbsp;</span>illustrated the oint in that flyment:</p> <blockquote> <em>When hired, every Facebook employee is warned that the accessing another's Facebook account … is recorded and closely monitored and that accessing an account without the owner's explicit permission is a first-time firing offense. The warning (and the fact you'll be fired for it) is repeated at the time of access too.</em> </blockquote> <h2 style="font-weight: bold;">And Finally:</h2> <p><strong><a title="And Finally" href="https://www.youtube.com/watch?v=5sn9zVdT-zM&amp;list=PL9zSC5i495YMjIuJjxToNGU8Ve7Gd5Rvj">Don’t try this at home, kids</a></strong></p> <div class="hs-embed-wrapper" style="position: relative; overflow: hidden; width: 100%; height: auto; padding: 0px; max-width: 560px; min-width: 256px; display: block; margin: auto;"> <div class="hs-embed-content-wrapper"> <div style="position: relative; overflow: hidden; max-width: 100%; padding-bottom: 56.25%; margin: 0px;"> <iframe width="560" height="315" src="https://www.youtube.com/embed/5sn9zVdT-zM" frameborder="0" allowfullscreen style="position: absolute; top: 0px; left: 0px; width: 100%; height: 100%; border: none;"></iframe> </div> </div> </div> <p>&nbsp;</p> <p><a href="https://www.youtube.com/playlist?list=PL9zSC5i495YMjIuJjxToNGU8Ve7Gd5Rvj">Previously in<span>&nbsp;</span><em>And finally</em></a></p> <p><em>You have been reading&nbsp;<i>Secure Software&nbsp;Blogwatch</i>&nbsp;by&nbsp;<a href="https://www.richi.uk/">Richi&nbsp;Jennings</a>. Richi curates the best bloggy bits, finest forums, and weirdest websites … so you don’t have to. Hate mail may be directed to&nbsp;<a href="https://twitter.com/richi">@RiCHi</a>&nbsp;or&nbsp;<a href="mailto:ssbw@richi.co.uk?subject=-sbbw-">ssbw@richi.uk</a>. Ask your doctor before reading. Your mileage may vary. Past performance is no guarantee of future results. Do not stare into laser with remaining eye. E&amp;OE. 30.</em></p> <p><small><i>Image sauce:<span>&nbsp;</span><a href="https://unsplash.com/photos/r-enAOPw8Rs">Icons8.com</a><span>&nbsp;</span>(via<span>&nbsp;</span><a title="Some rights reserved" href="https://unsplash.com/license">Unsplash</a>; leveled and cropped)</i></small></p> <img src="https://track.hubspot.com/__ptq.gif?a=3375217&amp;k=14&amp;r=https%3A%2F%2Fdevelop.secure.software%2Fyour-support-must-scale-dont-be-like-meta&amp;bu=https%253A%252F%252Fdevelop.secure.software&amp;bvt=rss" alt="" width="1" height="1" style="min-height:1px!important;width:1px!important;border-width:0!important;margin-top:0!important;margin-bottom:0!important;margin-right:0!important;margin-left:0!important;padding-top:0!important;padding-bottom:0!important;padding-right:0!important;padding-left:0!important; "> Secure Software Blogwatch Dev & DevSecOps Tue, 22 Nov 2022 20:49:01 GMT richi.jennings@richi.co.uk (Richi Jennings) https://develop.secure.software/your-support-must-scale-dont-be-like-meta 2022-11-22T20:49:01Z 4 ways GitOps can help secure your software pipeline https://develop.secure.software/4-ways-gitops-can-help-secure-your-software-pipeline <div class="hs-featured-image-wrapper"> <a href="https://develop.secure.software/4-ways-gitops-can-help-secure-your-software-pipeline" title="" class="hs-featured-image-link"> <img src="https://develop.secure.software/hubfs/secure-your-software-pipeline-gitops.jpg" alt="4 ways GitOps can help secure your software pipeline" class="hs-featured-image" style="width:auto !important; max-width:50%; float:left; margin:0 15px 15px 0;"> </a> </div> <p style="font-weight: bold;"><span style="color: #000000;"><img src="https://develop.secure.software/hs-fs/hubfs/secure-your-software-pipeline-gitops.jpg?width=1400&amp;height=732&amp;name=secure-your-software-pipeline-gitops.jpg" alt="secure-your-software-pipeline-gitops" width="1400" height="732" style="height: auto; max-width: 100%; width: 1400px;"></span></p> <p style="font-weight: bold;"><span style="color: #000000;">GitOps can help control configuration drift and enable your infrastructure security to shift left, for starters. Here are four ways it can enable better software security.</span></p> <p><span style="color: #000000;">Software development and DevOps teams that are using the GitOps deployment model to automate application and infrastructure provisioning can also gain several security benefits from it.</span></p> <p>With GitOps, administrators can store and manage Infrastructure as Code (IaC) using Git version control systems such as GitHub, or a private Git repository. GitOps uses merge requests for team collaboration and infrastructure changes, and uses a Git flow with <a href="https://develop.secure.software/blog/8-cicd-security-best-practices-software-pipeline">continuous integration/continuous delivery (CI/CD)</a>. As the central location for configuration and code that manages all changes to the infrastructure, the repository is the single source of truth of the desired state of the infrastructure.</p> <p><span style="color: #000000;">Here are four ways GitOps can help secure your software development pipeline.</span></p> <h2><strong><span style="color: #000000;">1. GitOps can help control configuration drift</span></strong></h2> <p><span style="color: #000000;">Manual changes in production environments can often lead to configuration drift where a system's current state is very different from its original or desired state. Configuration drift is a common issue at many organizations and can result from ad hoc changes to application code or changes at the infrastructure and network layer. It can cause compatibility issues and make systems behave in unexpected and potentially risky ways.</span></p> <p><span style="color: #000000;">With GitOps, the Git repository is the sole source of truth for configuration information for infrastructure and applications. The repository contains declarative descriptions of the production environment as it should exist, in its desired state. DevOps teams commit all approved changes to infrastructure or application code via the Git repository and the changes roll out across the entire system in a completely automated way. </span></p> <p><span style="color: #000000;">The process ensures that the declared state in the Git repository always matches the state of the production environment. Git's version control features prevent changes from creeping in that could cause a drift from the desired or declared state in the repository.</span></p> <p><span style="color: #000000;">Matt Rose, Field CISO at ReversingLabs, said the fluid and often aggressive nature of release cycles can often result in <a href="https://www.infoq.com/articles/iac-configuration-drift/">configurations drifting from the approved architecture</a>.</span></p> <blockquote> <p style="font-size: 24px;"><em><span style="color: #000000;">"Configuration drift is a huge issue. Having checks and balances that allow you to verify whether you are drifting away from the approved architecture is very important."<br>—<a href="https://www.linkedin.com/in/mattarose/">Matt Rose</a></span></em></p> </blockquote> <h2><strong><span style="color: #000000;">2. GitOps allows DevOps team to push infrastructure security further left</span></strong></h2> <p><span style="color: #000000;">Daniel Kennedy, Research Director for The 451 Group, said one of the most interesting aspects of the GitOps approach from a security standpoint is its handling of infrastructure as code. GitOps shifts infrastructure provisioning further left in the lifecycle which means DevOps teams have an opportunity to identity configuration issues that could cause security vulnerabilities, sooner. </span></p> <blockquote> <p style="font-size: 24px;"><em><span style="color: #000000;">"</span><span style="color: #222222;">Scanning for known vulnerabilities earlier has all the benefits inherent in ‘shift left’. </span><span style="color: #222222;">The cost of addressing the vulnerability is considerably lower the earlier it is identified."<br>—<a href="https://www.linkedin.com/in/danieltkennedy/">Daniel Kennedy</a></span></em></p> </blockquote> <p><span style="color: #222222;">Lisa Azevedo, CEO of the container security company Containn, said GitOps can help reduce or even eliminate potential security issues in infrastructure and application code early on. In an infrastructure as code environment, DevOps teams can leverage intelligent, automated infrastructure deployment tools to ensure the declared production environment in the repository contains all the required security and compliance controls right from the outset. </span></p> <p><span style="color: #222222;">DevOps teams can store security policies and configurations as code in the repository, and thenpply any changes or updates to those controls across the system in an automated and scalable manner, Azevedo said.</span></p> <blockquote> <p style="font-size: 24px;"><em><span style="color: #222222;">"If you build in security and compliance from the start using intelligence, then you are addressing all the different required controls before you test and deploy the system into production. You can shrink the attack surface versus reactively scanning the pipeline for vulnerabilities and fixing them."<br>—<a href="https://www.linkedin.com/in/lisa-azevedo-7031274/">Lisa Azevedo</a></span></em></p> </blockquote> <h2><strong><span style="color: #000000;">3. GitOps enables better transparency, and the ability to audit infrastructure changes</span></strong></h2> <p><span style="color: #222222;">GitOps is composed of three parts around infrastructure automation: IaC, the merge request process, and CI/CD similar to DevOps, said Kennedy. </span><span style="color: #222222;">The latter two have security advantages related to strong software configuration management processes.&nbsp;</span></p> <p><span style="color: #222222;">With merge requests, DevOps teams can version control infrastructure changes the same way they do with application code, Kennedy said. This means that all changes that that a DevOps team might make to the declared state in the repository have a trail back to the committer and to when the changes were committed. "Thus, you can see what changed, review comments, install reviews, and so forth," he said.</span></p> <blockquote> <p style="font-size: 24px;"><em><span style="color: #222222;">"If there’s a problem, you can roll back changes and it allows an organization to correct for infrastructure configuration drift."<br>—Daniel Kennedy</span></em></p> </blockquote> <p><span style="color: #222222;">The fact that a Git repository is the single source of truth in GitOps means organizations can view changes to a system from a single source as well, Rose said. </span><span style="color: #222222;">"Having everything in a consistent, repeatable fashion I think is very beneficial because everyone knows what is happening, what's expected, and what the processes are."</span></p> <h2><strong><span style="color: #222222;">4. GitOps reduces dependency on static images</span></strong></h2> <p><span style="color: #55565b;">GitOps enables development and operations teams to consistently spin up containers and virtual machines using always updated images that contain all the required security and compliance controls, Azevedo said. It allows organizations to get away from using "golden," or static, images to spin up infrastructure. Administrators use golden images as a template for spinning up identical virtual machines or containers. They can help save time and ensure infrastructure consistency.&nbsp;</span></p> <p><span style="color: #55565b;">However, static images can quickly become outdated given the velocity and cadence of change in modern development environments. They are a static, point-in-time image of a desired configuration state. Vulnerabilities can manifest in a golden image over time — because of unpatched vulnerabilities for instance — and those vulnerabilities can get quickly replicated across an environment when the image is used to build new containers or virtual machines, Azevedo said. </span></p> <p><span style="color: #55565b;">GitOps, when implemented correctly, gives organizations a way to continuously build fresh new images for deploying VMs and containers without having to worry about potential vulnerabilities and outdated security controls.</span><span style="color: #55565b;">&nbsp;</span></p> <h2 style="font-weight: bold;"><span style="color: #55565b;">When visibility and transparency matter</span></h2> <p><span style="color: #55565b;"><span style="color: #000000;">As GitLabs notes, "GitOps is an </span><span>operational framework</span><span style="color: #000000;"> that takes DevOps best practices used for application development such as version control, collaboration, compliance, and CI/CD, and applies them to infrastructure automation."</span></span></p> <p><span style="color: #222222;">GitOps' core capabilities deliver greater transparency into the infrastructure and application environment, and give DevOps teams a way to more effectively identify issues and address them, Kennedy said.&nbsp;</span><span style="color: #55565b;"><span style="color: #000000;"></span></span><span style="color: #55565b;"></span></p> <p><span style="color: #222222;">If your team makes a mistake, they can roll back quickly and potentially have the ability to return to the best-known state, Rose said.</span></p> <blockquote> <p style="font-size: 24px;"><em><span style="color: #222222;">"GitOps provides the opportunity to see who did what. It allows you to be a lot more transparent."<br>—Matt Rose</span></em></p> </blockquote> <img src="https://track.hubspot.com/__ptq.gif?a=3375217&amp;k=14&amp;r=https%3A%2F%2Fdevelop.secure.software%2F4-ways-gitops-can-help-secure-your-software-pipeline&amp;bu=https%253A%252F%252Fdevelop.secure.software&amp;bvt=rss" alt="" width="1" height="1" style="min-height:1px!important;width:1px!important;border-width:0!important;margin-top:0!important;margin-bottom:0!important;margin-right:0!important;margin-left:0!important;padding-top:0!important;padding-bottom:0!important;padding-right:0!important;padding-left:0!important; "> Dev & DevSecOps Mon, 21 Nov 2022 16:11:00 GMT jaikumar.vijayan@gmail.com (Jaikumar Vijayan) https://develop.secure.software/4-ways-gitops-can-help-secure-your-software-pipeline 2022-11-21T16:11:00Z Track this: Apple, Google hit with BIG privacy law claims https://develop.secure.software/apple-and-google-hit-with-big-privacy-law-claims <div class="hs-featured-image-wrapper"> <a href="https://develop.secure.software/apple-and-google-hit-with-big-privacy-law-claims" title="" class="hs-featured-image-link"> <img src="https://develop.secure.software/hubfs/iphone-privacy-joshmcconnell.png" alt="Track this: Apple, Google hit with BIG privacy law claims" class="hs-featured-image" style="width:auto !important; max-width:50%; float:left; margin:0 15px 15px 0;"> </a> </div> <p><strong>Within the space of a few days, both Google and Apple</strong><span>&nbsp;</span>have suffered huge legal challenges. The two tech titans were accused of various privacy violations.</p> <p><img src="https://develop.secure.software/hs-fs/hubfs/iphone-privacy-joshmcconnell.png?width=1400&amp;height=732&amp;name=iphone-privacy-joshmcconnell.png" alt="iphone-privacy-joshmcconnell" width="1400" height="732" style="height: auto; max-width: 100%; width: 1400px;"></p> <p><strong>Within the space of a few days, both Google and Apple</strong><span>&nbsp;</span>have suffered huge legal challenges. The two tech titans were accused of various privacy violations.</p> <p><strong>State laws in the U.S. are a bit of a mess:</strong><span>&nbsp;</span>There’s no single overarching set of regulations such as the GDPR, which Europeans “enjoy.” State AGs are on the warpath: DevOps teams need to tread a precarious path to remain within everyone’s laws.</p> <p><strong>Google lost a long standing privacy case,</strong>&nbsp;with more in the works. And now Apple faces a big ol’ privacy class action. In this week’s<span>&nbsp;</span><a href="https://blog.reversinglabs.com/blog/tag/secure-software-blogwatch">Secure Software&nbsp;Blogwatch</a>, we navigate the minefield.</p> <p><a title="Richi Jennings" href="https://www.richi.uk/">Your humble blogwatcher</a>&nbsp;curated these bloggy bits for your entertainment. Not to mention:&nbsp;<i>For Sharky</i>.<br>&nbsp;</p> <h2 style="font-weight: bold;">The state of disunion</h2> <p><strong>What’s the craic?</strong><span>&nbsp;</span>Cecilia Kang reports&nbsp;—&nbsp;“<a title="read the full text" href="https://www.nytimes.com/2022/11/14/technology/google-privacy-settlement.html">Google Agrees to $392 Million Privacy Settlement</a>”:</p> <blockquote> <em><strong>“Google prioritized profit over the privacy of people”</strong><br>Google agreed to a record $391.5 million privacy settlement with a 40-state coalition … for charges that it misled users into thinking they had turned off location tracking in their account settings even as the company continued collecting that information. … The attorneys general said that the agreement was the biggest internet privacy settlement by U.S. states. It capped a four-year investigation into the internet search giant’s practices.<br>…<br>States have taken an increasingly central role in reining in the power and business models of Silicon Valley corporations, amid a vacuum of action from federal lawmakers. … In lieu of federal law, states including California, Colorado and Virginia have enacted their own privacy rules, creating a patchwork of regulations.<br>…<br>“For years, Google prioritized profit over the privacy of people who use Google products and services,” said … the Oregon attorney general. … “Consistent with improvements we’ve made in recent years, we have settled this investigation which was based on outdated product policies that we changed years ago,” said [Google].</em> </blockquote> <p><strong>So Google will stop breaking the law now?</strong><span>&nbsp;</span>Jessica Lyons Hardcastle’s got news for you&nbsp;—&nbsp;“<a title="read the full text" href="https://www.theregister.com/2022/11/15/google_391m_privacy_settlement/">States win case for privacy</a>”:</p> <blockquote> <em><strong>“Used this data to rake in advertising dollars”</strong><br>Google … does not admit to any wrongdoing or violating any laws. … This is the second privacy lawsuit Google has settled with US states in as many months. In October, Google agreed to pay $85 million to settle a similar lawsuit in which [Arizona] also alleged deceptive tracking practices.<br>…<br>Google faces more of these fines: … In January, attorneys general of Indiana, Texas, Washington state, and Washington DC filed lawsuits … alleging that the search giant uses deceptive user interface designs known as "dark patterns" to obtain customer location data without adequate consent. … In other words, disabling "location history" didn't actually fully do that.<br>…<br>It then used this data to rake in advertising dollars, according to the states.</em> </blockquote> <p><strong>Still, at least<span>&nbsp;</span><i>Apple</i><span>&nbsp;</span>respects your privacy, right?</strong><span>&nbsp;</span>Christopher “call me Chris” Brown isn’t so sure about that&nbsp;—&nbsp;“<a title="read the full text" href="https://news.bloomberglaw.com/litigation/apple-hit-with-class-action-over-tracking-of-mobile-app-activity">Apple Hit With Class Action Over Tracking</a>”:</p> <blockquote> <em><strong>“Unjust enrichment”</strong><br>Apple Inc. records users’ private activity on mobile applications without their consent and despite its privacy assurances … a new proposed federal class action alleged. [It says] Apple has assured users that they are in control of what information they share … but that those assurances are “utterly false. … Privacy is one of the main issues that Apple uses to set its products apart from competitors. … But Apple’s privacy guarantees are completely illusory.”<br>…<br>The tech giant continues to collect, track, and monetize their data even after consumers have chosen to disable sharing, it said. [For example] Apple’s “App Store” app … records every action users take, what they tapped on, which apps they searched for, what ads they saw, and how long they looked at a given app, the lawsuit alleged. [And] consistent ID numbers [allow] Apple to track user activity across its services, it said.<br>…<br>The case is Libman v. Apple, N.D. Cal., No. 5:22-cv-07069. … Causes of Action: unjust enrichment, invasion of privacy, violations of … the California Invasion of Privacy Act … (CIPA).</em> </blockquote> <p><strong>One rule for Apple, another for 3rd party app devs?</strong><span>&nbsp;</span>Sarah Perez crunches the numbers&nbsp;—&nbsp;“<a title="read the full text" href="https://techcrunch.com/2022/11/14/apple-faces-new-lawsuit-over-its-data-collection-practices-in-first-party-apps-like-the-app-store/">Data collection practices in first-party apps</a>”:</p> <blockquote> <em><strong>“There is no justification”</strong><br>In the wake of a recent report by independent researchers who found Apple was continuing to track consumers in its mobile apps, even when they had explicitly configured their iPhone privacy settings to turn tracking off … plaintiff Elliot Libman is suing on behalf of himself and other impacted consumers.<br>…<br>App developers and independent researchers Tommy Mysk and Talal Haj Bakry discovered that Apple was still collecting data … across a number of first-party apps … including the App Store, Apple Music, Apple TV, Books and Stocks … even when users had turned off [a] setting that promises to “disable the sharing of Device Analytics altogether.”<br>…<br>In addition, users are left to believe that Apple would stop collecting their data if they turn off other settings, like “Allow Apps to Request to Track” or “Share Analytics.” Despite configuring these privacy controls, the lawsuit states that Apple “continues to record consumers’ app usage, app browsing communications, and personal information in its proprietary Apple apps. … There is no justification for Apple’s secret, misleading, and unauthorized recording and collection of consumers’ private communications and app activity.”</em> </blockquote> <p><strong>I will sit right down.</strong><span>&nbsp;</span>Waiting for the gift of<span>&nbsp;</span><a title="read the full text" href="https://tech.slashdot.org/comments.pl?sid=22386837&amp;cid=63051857">sound+vision</a>:</p> <blockquote> <em>It's fair to say at this point, that if they have the technical capability of doing it, they are doing it. [Google] scan all your photos and categorize what's in them with some kind of AI. Similar scanning happens to anything you say that gets picked up on the hot mic that is your phone.<br><br>That stuff freaks people out more than the location tracking, so they keep quieter about it. In 10 years there will be a whistleblower or a document leak to fill in the details, and we might see another lawsuit like this with some insignificant fines.<br>…<br>Apple is very much on this bandwagon, too. They showed their proclivity for this kind of thing a few months ago when they announced they'd start scanning your photos for child porn. A miscalculation on their part, they had to go back on the announcement. But … they needed a way to get people used to the idea that it's OK … to do stuff like that.</em> </blockquote> <p><strong>They all do it?</strong><span>&nbsp;</span><a title="read the full text" href="https://gizmodo.com/1849760207">chaos2992</a><span>&nbsp;</span>is primed with a whataboutism:</p> <blockquote> <em>I’ll point at this case the next time an Apple user claims they use them because “Google steals and sells all my info.” They all do, some are just a lot more honest about it.</em> </blockquote> <p><strong>Still, Facebook is the worst, right?</strong><span>&nbsp;</span><a title="read the full text" href="https://news.ycombinator.com/item?id=33596772">justapassenger</a><span>&nbsp;</span>disagrees:</p> <blockquote> <em>Controversial statement: With the amount of scrutiny, hate and FTC oversight over companies like Facebook I have more trust in their privacy than Apple. Apple weaponized privacy to be able to enter their competitors market, all while very openly lying it’s all about the user.</em> </blockquote> <p><strong>And what’s with Google’s “we did nothing wrong” shtick?</strong><span>&nbsp;</span><a title="read the full text" href="https://forums.theregister.com/forum/all/2022/11/15/google_391m_privacy_settlement/#c_4567792">Pascal Monett</a><span>&nbsp;</span>paints a picture of punishment:</p> <blockquote> <em>It's paying almost $400 million. Why should it … if it didn't do anything wrong?<br><br>Google admits no wrongdoing? Fine. Take the CEO, put him in the middle of town square and flog him until he admits wrongdoing.</em> </blockquote> <p><strong>Meanwhile,</strong><span>&nbsp;</span><a title="read the full text" href="https://gizmodo.com/1849775820">PungentSauce</a><span>&nbsp;</span>has given up the fight:</p> <blockquote> <em>Apple already has my medical and financial info, they know my workouts and my whereabouts, they see all my texts and emails, they know what I like on XVideos. Am I really going to pretend to be concerned about them knowing what I look at on the App Store?</em> </blockquote> <h2 style="font-weight: bold;">And Finally:</h2> <p><strong><a title="And Finally" href="https://www.youtube.com/watch?v=FfGdtqLjh1E&amp;list=PL9zSC5i495YMjIuJjxToNGU8Ve7Gd5Rvj">Your two minutes of zen</a></strong></p> <div class="hs-embed-wrapper" style="position: relative; overflow: hidden; width: 100%; height: auto; padding: 0px; max-width: 560px; min-width: 256px; display: block; margin: auto;"> <div class="hs-embed-content-wrapper"> <div style="position: relative; overflow: hidden; max-width: 100%; padding-bottom: 56.25%; margin: 0px;"> <iframe width="560" height="315" src="https://www.youtube.com/embed/FfGdtqLjh1E" frameborder="0" allowfullscreen style="position: absolute; top: 0px; left: 0px; width: 100%; height: 100%; border: none;"></iframe> </div> </div> </div> <p>&nbsp;</p> <p><a href="https://www.youtube.com/playlist?list=PL9zSC5i495YMjIuJjxToNGU8Ve7Gd5Rvj">Previously in<span>&nbsp;</span><em>And finally</em></a></p> <p><em>You have been reading&nbsp;<i>Secure Software&nbsp;Blogwatch</i>&nbsp;by&nbsp;<a href="https://www.richi.uk/">Richi&nbsp;Jennings</a>. Richi curates the best bloggy bits, finest forums, and weirdest websites … so you don’t have to. Hate mail may be directed to&nbsp;<a href="https://twitter.com/richi">@RiCHi</a>&nbsp;or&nbsp;<a href="mailto:ssbw@richi.co.uk?subject=-sbbw-">ssbw@richi.uk</a>. Ask your doctor before reading. Your mileage may vary. Past performance is no guarantee of future results. Do not stare into laser with remaining eye. E&amp;OE. 30.</em></p> <p style="font-size: 16px;"><i>Image sauce:<span>&nbsp;</span></i><i><a href="https://twitter.com/joshmcconnell/status/1144691437247827970">Josh McConnell</a></i></p> <img src="https://track.hubspot.com/__ptq.gif?a=3375217&amp;k=14&amp;r=https%3A%2F%2Fdevelop.secure.software%2Fapple-and-google-hit-with-big-privacy-law-claims&amp;bu=https%253A%252F%252Fdevelop.secure.software&amp;bvt=rss" alt="" width="1" height="1" style="min-height:1px!important;width:1px!important;border-width:0!important;margin-top:0!important;margin-bottom:0!important;margin-right:0!important;margin-left:0!important;padding-top:0!important;padding-bottom:0!important;padding-right:0!important;padding-left:0!important; "> Secure Software Blogwatch Dev & DevSecOps Privacy Wed, 16 Nov 2022 13:08:38 GMT richi.jennings@richi.co.uk (Richi Jennings) https://develop.secure.software/apple-and-google-hit-with-big-privacy-law-claims 2022-11-16T13:08:38Z Dropbox reveals hack: What DevOps can learn from it https://develop.secure.software/dropbox-reveals-hack-what-devops-can-learn-from-it-0 <div class="hs-featured-image-wrapper"> <a href="https://develop.secure.software/dropbox-reveals-hack-what-devops-can-learn-from-it-0" title="" class="hs-featured-image-link"> <img src="https://develop.secure.software/hubfs/dropbox--jun-ohwada--cc-by.png" alt="Dropbox reveals hack: What DevOps can learn from it" class="hs-featured-image" style="width:auto !important; max-width:50%; float:left; margin:0 15px 15px 0;"> </a> </div> <p><strong></strong></p> <p><strong><img src="https://develop.secure.software/hs-fs/hubfs/dropbox--jun-ohwada--cc-by.png?width=1400&amp;height=731&amp;name=dropbox--jun-ohwada--cc-by.png" alt="dropbox--jun-ohwada--cc-by" width="1400" height="731" style="height: auto; max-width: 100%; width: 1400px;"></strong></p> <p><strong>Dropbox was hacked last month.</strong><span>&nbsp;</span>The company has now revealed more details — and there are some big surprises.</p> <p><strong>So what can we learn from others’ misfortune?</strong><span>&nbsp;</span>One obvious lesson: Not all MFA schemes are created equal, so look to FIDO2/WebAuthn. Another is the importance of the curiously named<span>&nbsp;</span><i>SaaSBOM</i>.</p> <p><strong>And it goes without saying&nbsp;that you shouldn’t store secrets in GitHub.</strong><span>&nbsp;</span>In this week’s<span>&nbsp;</span><a href="https://blog.reversinglabs.com/blog/tag/secure-software-blogwatch">Secure Software&nbsp;Blogwatch</a>, we say it anyway.</p> <p><a title="Richi Jennings" href="https://www.richi.uk/">Your humble blogwatcher</a>&nbsp;curated these bloggy bits for your entertainment. Not to mention:&nbsp;<i>LaMDA in the 1980s</i>.</p> <p><span style="font-size: 20px;"><span style="font-weight: bold;">[ </span><a href="https://register.reversinglabs.com/free-sbom" style="font-weight: bold;">Get a free SBOM and supply chain risk analysis report</a><span style="font-weight: bold;"> ]</span></span><br>&nbsp;</p> <h2 style="font-weight: bold;">OTP FAIL: FIDO2 FTW</h2> <p><strong>What’s the craic?</strong><span>&nbsp;</span>Sergiu Gatlan reports&nbsp;—&nbsp;“<a title="read the full text" href="https://www.bleepingcomputer.com/news/security/dropbox-discloses-breach-after-hacker-stole-130-github-repositories/">Dropbox discloses breach</a>”:</p> <blockquote> <em><strong>“Dropbox is working on securing its entire environment”</strong><br>Threat actors stole 130 code repositories after gaining access to one of its GitHub accounts using employee credentials stolen in a phishing attack. … The company discovered the attackers breached the account on October 14 when GitHub notified it of suspicious activity that started one day before the alert was sent.<br>…<br>The successful … phishing attack … targeted multiple Dropbox employees using emails impersonating the CircleCI continuous integration and delivery platform. … On the same phishing page, the employees were also asked to "use their hardware authentication key to pass a One Time Password (OTP)."<br>…<br>In September, other GitHub users were also targeted in a similar attack impersonating the CircleCI platform and asking them to sign into their GitHub accounts. … In response to the incident, Dropbox is working on securing its entire environment using WebAuthn and hardware tokens or biometric factors.</em> </blockquote> <p><strong>MFA vulnerable to phishing?</strong><span>&nbsp;</span>David Perera counts the ways&nbsp;—&nbsp;“<a title="read the full text" href="https://www.bankinfosecurity.com/dropbox-data-breach-another-multifactor-fail-a-20406">Another Multifactor Fail</a>”:</p> <blockquote> <em><strong>“Stealing credentials in real time”</strong><br>Add DropBox to the list of tech companies experiencing a multifactor fail moment. … Employees fell for a well-crafted phishing campaign that gave hackers access to internal code repositories and some personally identifying information.<br>…<br>Acknowledgment of the hack comes after multiple Silicon Valley firms have recently found their internal security not as hacker-proof as once thought. Security experts have long recommended multifactor authentication as protection against hackers. [But] threat actors are adjusting up uptake of that advice by pivoting to stealing credentials in real time, along with one-time authentication codes. … So it was with Dropbox.</em> </blockquote> <p><strong>Ooops.</strong><span>&nbsp;</span>The Dropbox Security Team puts a brave face on it&nbsp;—&nbsp;“<a title="read the full text" href="https://dropbox.tech/security/a-recent-phishing-campaign-targeting-dropbox">How we handled a recent phishing incident</a>”:</p> <blockquote> <em><strong>“Accelerating our adoption of WebAuthn”</strong><br>In today's evolving threat landscape, people are inundated with messages and notifications, making phishing lures hard to detect. Threat actors have moved beyond simply harvesting usernames and passwords, to harvesting multi-factor authentication codes as well. … Even the most skeptical, vigilant professional can fall prey to a carefully crafted message delivered in the right way at the right time.<br>…<br>The code accessed [from GitHub] contained some credentials—primarily, API keys—used by Dropbox developers. … Our security teams took immediate action to coordinate the rotation of all exposed developer credentials.<br>…<br>While the information accessed by this threat actor was limited, we hold ourselves to a higher standard. We're sorry we fell short, and apologize for any inconvenience. One way we hope to prevent a similar incident from occurring is by accelerating our adoption of WebAuthn [which] is currently the gold standard. … Soon, our whole environment will be secured by WebAuthn with hardware tokens or biometric factors.</em> </blockquote> <p><strong>What lessons are there for DevOps?</strong><span>&nbsp;</span><a title="read the full text" href="https://news.ycombinator.com/item?id=33433636">aborsy</a><span>&nbsp;</span>cuts to the chase:</p> <blockquote> <em>Why do these large cloud companies with thousands of employees have a work environment that is susceptible to basic attack techniques, such as phishing? It doesn’t instill confidence in the rest of their infrastructure.</em> </blockquote> <p><strong>Great motivation, but some specifics would be nice.</strong><span>&nbsp;</span>Training is always one suggestion, however<span>&nbsp;</span><a title="read the full text" href="https://www.reddit.com/r/cybersecurity/comments/yjlu6r/comment/iurzvy4/">u/richhaynes</a><span>&nbsp;</span>ain’t a fan:</p> <blockquote> <em>A company I worked for had a breach because someone revealed their credentials. So after the mandatory training for all employees … I ran a phishing campaign to test that it had been effective.<br>…<br>The results were horrifying: About 20% gave valid credentials. Worse still was that about 70% of employees didn't even scroll down the page to see the text in an image that said, "This is a fake site and you are being phished."<br>…<br>When I presented the results to the C-suite, one admitted to giving credentials and everyone of them said they didn't see the image. I didn't stay much longer.</em> </blockquote> <p><strong>How well did Dropbox handle it?</strong><span>&nbsp;</span>Steve Gibson poaches a curate’s egg&nbsp;—&nbsp;“<a title="read the full text" href="https://twit.tv/shows/security-now/episodes/896?autostart=false">Something for Everyone</a>”:</p> <blockquote> <em><strong>“Downstream damage”</strong><br>I think they handled it pretty well. But there are some lessons to be had. [It’s] yet another instance of a major security-savvy and network-savvy organization being successfully attacked and breached — even in the face of knowing that this is going on.<br><br>Their email filters … failed just enough to allow bogus phishing attacks to reach their employees. And notice that these were code developers — not, for example, less sophisticated clerical … workers.<br>…<br>The more complex an organization's setup is — which is to say that the greater the number of ancillary services an organization employs — the greater is their “phishing email attack surface.” The modern trend is products as managed services, where companies are increasingly contracting out for an increasing number of [SaaS] services rather than rolling their own in-house. … Sounds great, but recall all of the downstream damage that the breach at SolarWinds created. … And also remember all of those dental offices and hospital services that were hit with crippling ransomware when their [SaaS] was breached?</em> </blockquote> <p><strong>A great point.</strong><span>&nbsp;</span>And one that John P. Mello Jr. expands upon&nbsp;—&nbsp;“<a title="read the full text" href="https://blog.reversinglabs.com/blog/5-reasons-why-you-need-a-saasbom">SaaSBOM … SBOMs in the SaaS era</a>”:</p> <blockquote> <em><strong>“Stiff headwinds”</strong><br>Software bills of materials (SBOMs) have become a hot topic. [But] how can SBOMs be developed for vendor-managed deployment models, such as … SaaS? … Here are five reasons why your organization should consider a SaaSBOM:<br>…<br>SaaSBOMs provide fresh information about apps running in the cloud. … SaaSBOMs make service components more transparent to users. … SaaSBOMs help security teams understand all dependencies — not just libraries. … SaaSBOMs add another level of software security assurance for vendors. … SaaSBOMs will become a requirement in the software industry.<br>…<br>There are those, however, who believe SaaSBOM proliferation faces stiff headwinds. The frequency at which components change in a SaaSBOM is a challenge and might even change from customer to customer. … Some questions need to be answered before software publishers take on the massive engineering overhead needed to maintain SaaSBOMs.</em> </blockquote> <p><strong>Returning to the MFA question,</strong><span>&nbsp;</span><a title="read the full text" href="https://www.reddit.com/r/cybersecurity/comments/yjlu6r/comment/iurnxfx/">u/Necessary_Roof_9475</a><span>&nbsp;</span>feels like a broken record:</p> <blockquote> <em>This is once again why I will keep saying that 2FA is not "hack" proof. I'm blown away … by how many people think because they have 2FA they can't be phished or "hacked." People need to stop thinking 2FA is some magic cure.</em> </blockquote> <p><strong>But</strong><span>&nbsp;</span><a title="read the full text" href="https://news.ycombinator.com/item?id=33421440">sdfhbdf</a><span>&nbsp;</span>challenges the response:<span>&nbsp;</span><em>[You’re fired—Ed.]</em></p> <blockquote> <em>Using a hardware key like Yubikey would prevent such attack since the challenge-response in the browser communication with the key contains the domain (which I assume was different) and hence would fail to generate proper OTP. … I assume they, or their vendor, CircleCI … had some older implementation … that maybe relied just on the string generated … without challenge-response.<br>…<br>WebAuthn [is] a good successor. This should definitely prevent such attack vector</em> </blockquote> <p><strong>Meanwhile,</strong><span>&nbsp;</span><a title="read the full text" href="https://www.reddit.com/r/cybersecurity/comments/yjlu6r/comment/iupugyw/">u/Goatlens</a><span>&nbsp;</span>eyerolls furiously:</p> <blockquote> <em>Imagine that. Large company doesn’t proactively protect their network and instead reactively takes action once they’re ****ed.</em> </blockquote> <h2 style="font-weight: normal;">And Finally:</h2> <p><strong><a title="And Finally" href="https://www.youtube.com/watch?v=QJbhJp0YJw4&amp;list=PL9zSC5i495YMjIuJjxToNGU8Ve7Gd5Rvj">Alternate AI history</a></strong></p> <div class="hs-embed-wrapper" style="position: relative; overflow: hidden; width: 100%; height: auto; padding: 0px; max-width: 560px; min-width: 256px; display: block; margin: auto;"> <div class="hs-embed-content-wrapper"> <div style="position: relative; overflow: hidden; max-width: 100%; padding-bottom: 56.25%; margin: 0px;"> <iframe width="560" height="315" src="https://www.youtube.com/embed/QJbhJp0YJw4" frameborder="0" allowfullscreen style="position: absolute; top: 0px; left: 0px; width: 100%; height: 100%; border: none;"></iframe> </div> </div> </div> <p>&nbsp;</p> <p><a href="https://www.youtube.com/playlist?list=PL9zSC5i495YMjIuJjxToNGU8Ve7Gd5Rvj">Previously in<span>&nbsp;</span><em>And finally</em></a></p> <p><em>You have been reading&nbsp;<i>Secure Software&nbsp;Blogwatch</i>&nbsp;by&nbsp;<a href="https://www.richi.uk/">Richi&nbsp;Jennings</a>. Richi curates the best bloggy bits, finest forums, and weirdest websites … so you don’t have to. Hate mail may be directed to&nbsp;<a href="https://twitter.com/richi">@RiCHi</a>&nbsp;or&nbsp;<a href="mailto:ssbw@richi.co.uk?subject=-sbbw-">ssbw@richi.uk</a>. Ask your doctor before reading. Your mileage may vary. Past performance is no guarantee of future results. Do not stare into laser with remaining eye. E&amp;OE. 30.</em></p> <p><small><i>Image sauce:<span>&nbsp;</span><a href="https://www.flickr.com/photos/21733281@N00/3411494669">Jun Ohwada</a><span>&nbsp;</span>(<a title="Some rights reserved" href="https://creativecommons.org/licenses/by/2.0/">cc:by</a>; leveled and cropped)</i></small></p> <img src="https://track.hubspot.com/__ptq.gif?a=3375217&amp;k=14&amp;r=https%3A%2F%2Fdevelop.secure.software%2Fdropbox-reveals-hack-what-devops-can-learn-from-it-0&amp;bu=https%253A%252F%252Fdevelop.secure.software&amp;bvt=rss" alt="" width="1" height="1" style="min-height:1px!important;width:1px!important;border-width:0!important;margin-top:0!important;margin-bottom:0!important;margin-right:0!important;margin-left:0!important;padding-top:0!important;padding-bottom:0!important;padding-right:0!important;padding-left:0!important; "> Secure Software Blogwatch Dev & DevSecOps Wed, 09 Nov 2022 18:27:00 GMT richi.jennings@richi.co.uk (Richi Jennings) https://develop.secure.software/dropbox-reveals-hack-what-devops-can-learn-from-it-0 2022-11-09T18:27:00Z Forrester Security & Risk talk: Go beyond the SBOM for software supply chain security https://develop.secure.software/reversinglabs-on-going-beyond-the-sbom-at-forrester-security-risk-forum <div class="hs-featured-image-wrapper"> <a href="https://develop.secure.software/reversinglabs-on-going-beyond-the-sbom-at-forrester-security-risk-forum" title="" class="hs-featured-image-link"> <img src="https://develop.secure.software/hubfs/Matt%20Rose%20Beyond%20the%20SBOM%20Video.png" alt="Forrester Security &amp; Risk Forum: Why you need to go&nbsp;beyond the SBOM for software supply chain security" class="hs-featured-image" style="width:auto !important; max-width:50%; float:left; margin:0 15px 15px 0;"> </a> </div> <div class="hs-video-widget"> <img src="https://api-na1.hubapi.com/video/v1/public/90936461474/poster?portalId=3375217" style="max-width: 1280px" alt="HubSpot Video"> </div> <p style="font-weight: bold;">At the Forrester Security &amp; Risk Forum, ReversingLabs Field CISO Matt Rose talks about what an SBOM provides — and how it can be put to good use. Here's a preview.</p> <div class="hs-video-widget"> <img src="https://api-na1.hubapi.com/video/v1/public/90936461474/poster?portalId=3375217" style="max-width: 1280px" alt="HubSpot Video"> </div> <p style="font-weight: bold;">At the Forrester Security &amp; Risk Forum, ReversingLabs Field CISO Matt Rose talks about what an SBOM provides — and how it can be put to good use. Here's a preview.</p> <p>The <a href="https://www.forrester.com/event/security-risk/">Forrester Security &amp; Risk Forum </a>is taking place this week in Washington D.C. with a full agenda, tackling a range of issues, from the cyber implications of geopolitical disruptions to the privacy and security implications of the Metaverse.&nbsp;</p> <p><span style="background-color: transparent;">One of the big topics of conversation this year is, of course, software supply chain risks. ReversingLabs Field CISO </span><a href="https://www.linkedin.com/in/mattarose/" style="background-color: transparent;">Matthew Rose</a><span style="background-color: transparent;"> is on hand to present a talk on "Going Beyond the SBOM."&nbsp;</span></p> <p><a href="https://www.reversinglabs.com/solutions/software-bill-of-materials-sbom">SBOMs are a hot topic right now</a> — but also one surrounded by a lot of uncertainty. The question many organizations are wrestling with is less about whether they need an SBOM, and more about what they can do with an SBOM.</p> <p style="font-weight: bold; font-size: 20px;">[ <a href="https://register.reversinglabs.com/free-sbom">Get a free SBOM and supply chain risk analysis report</a> ]</p> <p>Rose outlines in his talk what type of information an SBOM provides, and how that information can be used. He also discusses how "checkbox" SBOM compliance, where SBOMs are done without any real purpose, isn't enough to <a href="https://develop.secure.software/blog/sbom-critical-but-first-step-software-supply-chain-security">protect you from software supply chain risks</a>.&nbsp;</p> <img src="https://track.hubspot.com/__ptq.gif?a=3375217&amp;k=14&amp;r=https%3A%2F%2Fdevelop.secure.software%2Freversinglabs-on-going-beyond-the-sbom-at-forrester-security-risk-forum&amp;bu=https%253A%252F%252Fdevelop.secure.software&amp;bvt=rss" alt="" width="1" height="1" style="min-height:1px!important;width:1px!important;border-width:0!important;margin-top:0!important;margin-bottom:0!important;margin-right:0!important;margin-left:0!important;padding-top:0!important;padding-bottom:0!important;padding-right:0!important;padding-left:0!important; "> Event Videos Regional Event Software Assurance Software Supply Chain Security Software Bill of Materials (SBOM) Forrester Security & Risk Forum Tue, 08 Nov 2022 18:01:29 GMT contact@reversinglabs.com (ReversingLabs) https://develop.secure.software/reversinglabs-on-going-beyond-the-sbom-at-forrester-security-risk-forum 2022-11-08T18:01:29Z SBOMs in the SaaS era: 5 reasons why you should consider a SaaSBOM https://develop.secure.software/5-reasons-why-you-need-a-saasbom-0 <div class="hs-featured-image-wrapper"> <a href="https://develop.secure.software/5-reasons-why-you-need-a-saasbom-0" title="" class="hs-featured-image-link"> <img src="https://develop.secure.software/hubfs/cloud-saasbom-software-bill-of-materials-cloud-computing.jpg" alt="SBOMs in the SaaS era: 5 reasons why you should consider a SaaSBOM" class="hs-featured-image" style="width:auto !important; max-width:50%; float:left; margin:0 15px 15px 0;"> </a> </div> <p style="font-weight: bold; text-align: left;">Here's why your organization should consider a SaaSBOM — and some of the challenges facing their success.</p> <p style="font-weight: bold; text-align: left;"><img src="https://develop.secure.software/hs-fs/hubfs/cloud-saasbom-software-bill-of-materials-cloud-computing.jpg?width=1400&amp;height=732&amp;name=cloud-saasbom-software-bill-of-materials-cloud-computing.jpg" alt="cloud-saasbom-software-bill-of-materials-cloud-computing" width="1400" height="732" style="height: auto; max-width: 100%; width: 1400px;"></p> <p style="font-weight: bold; text-align: left;">Here's why your organization should consider a SaaSBOM — and some of the challenges facing their success.</p> <p>Software bills of materials (SBOMs) have become a hot topic recently — for a number of reasons. High-profile attacks on software supply chains have <a href="https://develop.secure.software/6-reasons-software-security-teams-need-to-go-beyond-vulnerability-response">exposed the need for organizations to know what third-party and open-source components</a> are in the applications they use. SBOMs are seen as <a href="https://develop.secure.software/blog/sbom-critical-but-first-step-software-supply-chain-security">an essential first step on that journey</a>.</p> <p>Further momentum is being stoked by the private sector and government initiatives, such as the <a href="https://thenewstack.io/sbom-everywhere-the-openssf-plan-for-sboms/"><span>SBOMs Everywhere program</span></a> that's part of the <a href="https://develop.secure.software/blog/openssfs-open-source-software-security-mobilization-plan">Open Source Software Security Mobilization Plan</a> announced in May by the Linux Foundation's OpenSSF, as well as President Biden's <a href="https://www.whitehouse.gov/briefing-room/presidential-actions/2021/05/12/executive-order-on-improving-the-nations-cybersecurity/"><span>Executive Order</span></a> on Improving the Nation's Cybersecurity.</p> <p>However, because the push for SBOMs is still in early days, questions abound. One of them is how can SBOMs be developed for vendor-managed deployment models, such as software as a service (SaaS)? That is a significant question that may influence SBOM adoption. "[A]s the industry sprints toward nearly ubiquitous use of SaaS, this ambiguity presents a hurdle toward the effective use of SBOMs as a risk management tool," warned Walter H. Haydock and Chris Hughes, <a href="https://www.csoonline.com/article/3632149/the-case-for-a-saas-bill-of-material.html"><span>writing for CSO Online</span></a>.</p> <p>Tobias Whitney, vice president for strategy and policy at Fortress Information Security, a supply chain threat protection company, said that one way to leap the SaaS hurdle is through a SaaSBOM.</p> <blockquote> <p style="font-size: 24px;"><em>"A SaaSBOM addresses some of the off-premise concerns that may not be clear in a traditional SBOM. <span style="background-color: transparent;">We're taking the concept of software and recognizing that an application operating in the cloud might have different threat vectors associated with it, different vulnerabilities that can lead to cascading risks to the purchasing organization."<br>—<a href="https://www.linkedin.com/in/tobias-whitney-9479aa9b/">Tobias Whitney</a></span></em></p> </blockquote> <p>While an SBOM informs a customer about all the components used in a software program, the SaaSBOM focuses much more on services, said Dennis Zimmer, co-founder and CTO of Codenotary, a software supply chain security provider.</p> <blockquote> <p style="font-size: 24px;"><em>"The reason for that is software as a service is more than software that runs somewhere in the cloud. It is a complex mix of infrastructure, software components, service endpoints and last but not least, the data flow between the services behind the publicly accessible URL."</em><br><em>—<a href="https://www.linkedin.com/in/denniszimmer/">Dennis Zimmer</a></em></p> </blockquote> <p>Here are five reasons why your organization should consider a SaaSBOM — plus insights into the challenges facing implementation of SaaSBOMs.</p> <p style="font-size: 20px; font-weight: bold;">[ <a href="https://register.reversinglabs.com/free-sbom">Get a free SBOM and supply chain risk analysis report</a> ]</p> <h2><strong>1. SaaSBOMs provide fresh information about apps running in the cloud</strong></h2> <p>There are a few open questions in the industry on how you make SBOMs work for cloud services "where the dynamic and elastic nature of the cloud means resources are being consumed and changed on a more frequent basis," said Charlie Jones, a software security assurance evangelist at ReversingLabs.</p> <blockquote> <p style="font-size: 24px;"><em>"As a result, the software bill of materials that you're creating for cloud-native software is only a point-in-time view of what makes it up. Because the information is changed so often, it becomes stale and out-of-date quickly."</em><br><em>—<a href="https://www.linkedin.com/in/charliejones-/">Charlie Jones</a></em></p> </blockquote> <h2><strong>2. SaaSBOMs make service components more transparent to users</strong></h2> <p>Just like an SBOM attempts to make transparent all of the dependencies within a given piece of software, a SaaSBOM extends this concept to software as a service to provide an artifact that lists all of the various technology substrate components that go into offering a given SaaS, explained Ed Moyle, systems and software security director for Drake Software, and a member of the ISACA Emerging Trends Working Group.</p> <blockquote> <p style="font-size: 24px;"><em>"There is a whole ecosystem of players involved in delivering a cloud service that is currently opaque to cloud customers."</em><br><em>—<a href="https://www.linkedin.com/in/edmoyle/">Ed Moyle</a></em></p> </blockquote> <p>As an example, Moyle said to consider a SaaS that runs on Apache, stores data in MariaDB, and uses PaaS components from AWS for business logic. To give full transparency, you'd need to know all of the elements that go into the SaaS software itself including sub-dependencies, "but then you'd also need to know the various dependencies that go into each of the individual elements involved in delivering that code to production—the dependencies for Apache, MariaDB, and then, in turn, the dependencies used by Amazon in delivering AWS Lambda," Moyle said.</p> <h2><strong>3. SaaSBOMs help security teams understand all dependencies — not just libraries</strong></h2> <p>Jeff Williams, CTO and co-founder of Contrast Security, explained that a SaaSBOM allows you to model the APIs, services, and other connections that modern apps make.<span>&nbsp; </span></p> <blockquote> <p><em><span style="font-size: 24px;">"These are remote dependencies and just as important to security as local dependencies. Your SaaSBOM will probably have references to all the software in these remote dependencies, which can also have both local and remote dependencies."</span></em><br><em><span style="font-size: 24px;">—<a href="https://www.linkedin.com/in/planetlevel/">Jeff Williams</a></span></em></p> </blockquote> <p>Unlike an SBOM, which focuses on the components of a piece of software, a SaaSBOM includes infrastructure and data flow information, such as logical representation of a system, inventory of all services, reliance on other services, endpoint URLs, data classifications, and directional flow of data between services.</p> <h2><strong>4. SaaSBOMs add another level of software security assurance for vendors</strong></h2> <p>When organizations provide SaaS or PaaS services to internal or external customers, the consuming customer needs to trust that all is done well. Now that trust is primarily based on third-party certification and brand name.</p> <blockquote> <p style="font-size: 24px;"><em>"Given the increase of data leaks, software supply chain attacks and ransomware attacks, the customer deserves more information about the infrastructure, components, data storage and data flow of a service used. Providing a SaaSBOM to the consumer of the software massively enhances trust and transparency. It also allows consumers to check the level of security the SaaS service provider maintains."</em><br><em>—Dennis Zimmer</em></p> </blockquote> <h2><strong>5. SaaSBOMs will become a requirement in the software industry</strong></h2> <p>Biden's Executive Order already requires vendors to have SBOMs in place when they want to sell to the U.S. government, starting in 2023. Many companies are going to follow suit and have the same requirement, Zimmer noted.</p> <blockquote> <p style="font-size: 24px;"><em>"That means any SaaS or PaaS needs to provide SBOMs as well and the next logical step will be the SaaSBOM to cover the data flow and infrastructure behind that service. So, there is no doubt that the SaaSBOM will be an important topic in the coming years."</em><br><em>—Dennis Zimmer</em></p> </blockquote> <p>Williams said that services are just a different kind of dependency, but they're just as critical to security. "And almost every kind of software makes service connections. So I believe SaaSBOM will be the only kind of SBOM in the very near future," he said.</p> <h2 style="font-weight: bold;">Can SaaSBOMS keep up with the pace of SaaS?</h2> <p>There are those, however, who believe SaaSBOM proliferation faces stiff headwinds. The frequency at which components change in a SaaSBOM is a challenge and might even change from customer to customer.</p> <p>"Because of these challenges, and a few other nuances, I believe that the delivery of SaaSBOMs will trail traditional product BOMs by some time, although there may be intermediate steps—starting with simply enumerating the SaaS services used," maintained Ken Arora, a cybersecurity engineer and architect at F5, a multi-cloud application services and security company.</p> <h2><strong>SaaSBOM questions that need answers</strong></h2> <p>Jones noted that some questions need to be answered before software publishers take on the massive engineering overhead needed to maintain SaaSBOMs.</p> <blockquote> <p style="font-size: 24px;"><em>"We need to answer questions such as at what frequency do SaaSBOMs need to be generated and shared, what depth should they go to — components and services, or just services — and how unique does it need to be. Can it just apply to out-of-box services or does to have to be unique to each customer?"</em><br><em>—Charlie Jones</em></p> </blockquote> <p>One of the challenges facing organizations that receive an SBOM is what to do with it, Moyle observed. "I think SaaSBOMs will have this same challenge," he continued.</p> <blockquote> <p style="font-size: 24px;"><em>"More broadly. I think this has the added challenge that it fights against why people find the cloud compelling. It deliberately abstracts the end user away from the minutiae of the underlying tech stack. <span style="background-color: transparent;">By asking for transparency into the details of how the service is delivered, it means you now have to become educated on each of those components to understand and use the artifact productively."<br>—Ed Moyle</span></em></p> </blockquote> <p>Larry Maccherone, DevSecOps transformation evangelist for Contrast Security, said that <span style="background-color: transparent;">the value of a SaaSBOM ultimately may lie less with what a customer does with it than what the software development organization learns by creating it. </span></p> <blockquote> <p style="font-size: 24px;"><em><span style="background-color: transparent;">"SBOMs are in the news now because there is a requirement that they be shared when the U.S. government is the consumer of the software. However, there is no requirement that anyone do anything useful with that SBOM once it is shared."<br>—<a href="https://www.linkedin.com/in/larrymaccherone/">Larry Maccherone</a></span></em></p> </blockquote> <p>Maccherone said the path to enabling that sense-making is very cloudy. He said SaaSBOMs were likely to die in the "trough of dissolution" — a reference to Gartner’s hype cycle — for on-premise software SBOMs. "The difficulties for SaaSBOMs are another order of magnitude larger," he said.</p> <p>But Maccherone still holds hope, noting, "I’m still cautiously enthusiastic about SBOMs and SaaSBOMs, not because the sharing of that data is likely to be useful to the organization receiving it, but rather, because it will cause the producers to think harder about <a href="https://develop.secure.software/blog/sbom-facts-know-whats-in-software-fend-off-supply-chain-attacks">what they put in their software</a> knowing that they must publish those contents."</p> <blockquote> <p style="font-size: 24px;"><em>"<span style="background-color: transparent;">This is exactly what happened with the food labeling standards. Food vendors started producing more food that was healthier. SaaSBOM could have a similar effect."<br>—Larry Maccherone</span></em></p> </blockquote> <img src="https://track.hubspot.com/__ptq.gif?a=3375217&amp;k=14&amp;r=https%3A%2F%2Fdevelop.secure.software%2F5-reasons-why-you-need-a-saasbom-0&amp;bu=https%253A%252F%252Fdevelop.secure.software&amp;bvt=rss" alt="" width="1" height="1" style="min-height:1px!important;width:1px!important;border-width:0!important;margin-top:0!important;margin-bottom:0!important;margin-right:0!important;margin-left:0!important;padding-top:0!important;padding-bottom:0!important;padding-right:0!important;padding-left:0!important; "> Software Supply Chain Security Software Bill of Materials (SBOM) Dev & DevSecOps Tue, 08 Nov 2022 18:00:21 GMT jpmellojr@gmail.com (John P. Mello Jr.) https://develop.secure.software/5-reasons-why-you-need-a-saasbom-0 2022-11-08T18:00:21Z End-to-end software supply chain security demands dev and SOC teams shift left together https://develop.secure.software/end-to-end-supply-chain-security-requires-dev-teams-and-the-soc-shift-left-together <div class="hs-featured-image-wrapper"> <a href="https://develop.secure.software/end-to-end-supply-chain-security-requires-dev-teams-and-the-soc-shift-left-together" title="" class="hs-featured-image-link"> <img src="https://develop.secure.software/hubfs/shift-left-together.jpg" alt="End-to-end supply chain security requires dev teams and the SOC shift left together" class="hs-featured-image" style="width:auto !important; max-width:50%; float:left; margin:0 15px 15px 0;"> </a> </div> <p style="font-weight: bold;">Security operations centers (SOCs) and developers need to share the responsibility for securing the software supply chain. Find out why in ReversingLabs' latest report.</p> <p style="font-weight: bold;"><img src="https://develop.secure.software/hs-fs/hubfs/shift-left-together.jpg?width=1400&amp;height=732&amp;name=shift-left-together.jpg" alt="shift-left-together" width="1400" height="732" style="width: 1400px;"></p> <p style="font-weight: bold;">Security operations centers (SOCs) and developers need to share the responsibility for securing the software supply chain. Find out why in ReversingLabs' latest report.</p> <p>The focus in recent years has been <a href="https://devopedia.org/shift-left">shifting left</a> much of the responsibility for application security. However, software supply chain attacks are ramping up, not only in frequency, but also across the complex set of tools and code sources that make up today's software.</p> <p>The challenge of modern software supply chain security has become momentous, requiring security operations and software development teams to find ways to secure the software supply chain together.</p> <p>In <a href="https://www.reversinglabs.com/reports/software-supply-chain-soc-end-to-end-security-key" style="font-weight: bold;">Software Supply Chain and the SOC: End-to-End Security is Key</a>, learn about why software developers should continue shifting left — implementing application security into every part of the development process — security operations centers (SOCs) should shift left with them, sharing the responsibility of protecting the software supply chain.&nbsp;</p> <p><span style="background-color: transparent;">Here are key takeaways from the report, and a look ahead to what your organization needs to do to secure its entire software development lifecycle (SDLC) — and reduce risk from software supply chain attacks to your organization.</span></p> <h2 style="font-weight: bold;">The software supply chain security problem</h2> <p>Software supply chain attacks are not a new phenomenon. While they have taken center stage this past year, attacks of this nature date back to at least 1982, when an <a href="https://unredacted.com/2013/04/26/agent-farewell-and-the-siberian-pipeline-explosion/">alleged CIA operation</a> passed compromised software onto Russian intelligence, causing a massive explosion in Siberia. Over the past few decades, these attacks have become more complex and frequent, as can be seen in ReversingLabs <a href="https://blog.reversinglabs.com/blog/a-partial-history-of-software-supply-chain-attacks">A (Partial) History of Software Supply Chain Attacks</a>.</p> <p>The plentiful history of this problem sets up the state of software supply chain attacks today, with more attacks occurring in the past two years than in the previous 40 years combined. Looking at emerging attacks on open-source software and repositories&nbsp; showcases the magnitude of this growing problem. In ReversingLabs <a href="https://blog.reversinglabs.com/blog/nvd-analysis-2022-why-you-need-to-modernize-your-software-security-approach">NVD Analysis 2022: A Call to Action on Software Supply Chain Security</a>, attacks on popular public repositories npm and the Python Package Index (PyPI) skyrocketed by 289% in the past four years.&nbsp;</p> <p>ReversingLabs researchers have discovered several incidents that contribute to this staggering statistic. These include the discovery of malicious packages mimicking the <a href="https://blog.reversinglabs.com/blog/threat-analysis-malicious-npm-package-mimicks-material-tailwind-css-tool">Material Tailwind CSS tool on npm</a>, as well as the discovery of malicious packages on <a href="https://blog.reversinglabs.com/blog/new-malicious-packages-in-pypi-repo">PyPI that deliver a malicious payload</a> if used. Back in July of 2022, ReversingLabs researchers also discovered and named a major supply chain attack on npm called <a href="https://blog.reversinglabs.com/blog/iconburst-npm-software-supply-chain-attack-grabs-data-from-apps-websites">IconBurst</a>, which served malicious packages meant to harvest sensitive data.&nbsp;</p> <p>This lengthy timeline of attacks, as well as evidence that demonstrates the growth of these kinds of attacks within the last two years, warrants a great deal of consideration for how to best mitigate threats to the software supply chain.&nbsp;</p> <p><img src="https://develop.secure.software/hs-fs/hubfs/supply-chain-threats-surge-ig.png?width=1392&amp;height=822&amp;name=supply-chain-threats-surge-ig.png" alt="supply-chain-threats-surge-ig" width="1392" height="822" style="height: auto; max-width: 100%; width: 1392px;"></p> <h2 style="font-weight: bold;">Devs cannot do it alone</h2> <p>Considering the rise in software supply chain attacks, it has become clear to the application security community that security has to be embedded into every stage of the software development process. This has placed responsibility onto developers to perform secure practices as they are creating source code.&nbsp;</p> <p>Developers have been keeping up their end of the bargain by baking security into their pipelines. This includes the use of traditional application security testing as well as source code analysis. But while these techniques do serve as beneficial, they are not enough to spot security risks, and tend to miss the detection of changes or anomalies in application behavior that arise when a software application is finished.&nbsp;</p> <p>Similarly, software composition analysis (SCA) practices, which help organizations generate and review <a href="https://blog.reversinglabs.com/blog/sbom-what-it-is-and-why-it-matters-software-supply-chain-security">software bills of materials (SBOMs)</a>, serve as a key first step for software supply chain security, but are not an end-all-be-all solution. Even if development teams rely on these techniques, they are still missing key risks such as software tampering or the injection of malicious components into production code. In a ReversingLabs commissioned <a href="https://develop.secure.software/blog/survey-finds-software-supply-chain-security-top-of-mind-for-dev-teams">survey on risk tampering</a>, it was found that four in 10 software packages currently in production have at least some tampering within them.&nbsp;</p> <p><img src="https://develop.secure.software/hs-fs/hubfs/four-in-ten-tampering-ig.png?width=1373&amp;height=644&amp;name=four-in-ten-tampering-ig.png" alt="four-in-ten-tampering-ig" width="1373" height="644" style="height: auto; max-width: 100%; width: 1373px;"></p> <h2 style="font-weight: bold;">A new approach: Bring in the SOC</h2> <p>In ReversingLabs' new supply chain and SOC report, it's clear that on top of shifting left, security needs to be implemented throughout the entire software development and production timeline, bringing focus back to the right. The shortcomings that developers are unable to spot should be taken care of by SOCs, which have the ability to support all ends of the SDLC.&nbsp;</p> <p>To best secure the software supply chain in your organization, the SOC should take on several duties, including:</p> <ul> <li>Detect deviations from a certain baseline, which can determine if a software package is falling short of being secure, containing anomalies that bring it below the baseline.</li> <li>Scan software packages, allowing them to spot possible malicious components.</li> </ul> <p>And to make the SOC a cross-functional resource for defending against software supply chain attacks, it requires:</p> <ul> <li>Visibility and understanding of the continuous integration/continuous delivery (CI/CD) development cycle.</li> </ul> <img src="https://develop.secure.software/hs-fs/hubfs/supply-chain-attacks-third-party-ig-crabb.png?width=1378&amp;height=814&amp;name=supply-chain-attacks-third-party-ig-crabb.png" alt="supply-chain-attacks-third-party-ig-crabb" width="1378" height="814" style="background-color: transparent; font-size: 16px; width: 1378px;"> <h2 style="font-weight: bold;">Looking forward: best practices</h2> <p>The effort to secure software is a journey, and organizations looking to do better in mitigating threats to the software supply chain will need to take several steps to advance properly. Moving along the secure software journey means establishing end-to-end security in an organization, which can be accomplished by joining the efforts of development teams and SOCs. This collaboration will provide the most effective resilience when dealing with the growing problem of software supply chain attacks.&nbsp;</p> <p style="font-weight: bold;">Download ReversingLabs' free report, <a href="https://www.reversinglabs.com/reports/software-supply-chain-soc-end-to-end-security-key">Software Supply Chain and the SOC: End-to-End Security is Key</a>, for a full understanding of the problem — and best practices for getting started on your security journey. Plus: Start your journey with ReversingLabs' free <a href="https://register.reversinglabs.com/free-sbom">SBOM and supply chain risk analysis</a>.</p> <img src="https://track.hubspot.com/__ptq.gif?a=3375217&amp;k=14&amp;r=https%3A%2F%2Fdevelop.secure.software%2Fend-to-end-supply-chain-security-requires-dev-teams-and-the-soc-shift-left-together&amp;bu=https%253A%252F%252Fdevelop.secure.software&amp;bvt=rss" alt="" width="1" height="1" style="min-height:1px!important;width:1px!important;border-width:0!important;margin-top:0!important;margin-bottom:0!important;margin-right:0!important;margin-left:0!important;padding-top:0!important;padding-bottom:0!important;padding-right:0!important;padding-left:0!important; "> Security Operations Software Supply Chain Security Wed, 02 Nov 2022 21:13:56 GMT carolynn.vanarsdale@reversinglabs.com (Carolynn van Arsdale) https://develop.secure.software/end-to-end-supply-chain-security-requires-dev-teams-and-the-soc-shift-left-together 2022-11-02T21:13:56Z Reflection attacks: Don’t be part of the problem https://develop.secure.software/reflection-attacks-dont-be-part-of-the-problem <div class="hs-featured-image-wrapper"> <a href="https://develop.secure.software/reflection-attacks-dont-be-part-of-the-problem" title="" class="hs-featured-image-link"> <img src="https://develop.secure.software/hubfs/reflection-attack--anais-g%C3%B3mez-c--cc-by-sa.png" alt="Reflection attacks: Don’t be part of the problem" class="hs-featured-image" style="width:auto !important; max-width:50%; float:left; margin:0 15px 15px 0;"> </a> </div> <p><strong></strong></p> <p><strong><img src="https://develop.secure.software/hs-fs/hubfs/reflection-attack--anais-g%C3%B3mez-c--cc-by-sa.png?width=1400&amp;height=732&amp;name=reflection-attack--anais-g%C3%B3mez-c--cc-by-sa.png" alt="reflection-attack--anais-gómez-c--cc-by-sa" width="1400" height="732" style="height: auto; max-width: 100%; width: 1400px;"></strong></p> <p><strong>Once again, Microsoft is under fire</strong><span>&nbsp;</span>for shipping a service that can easily be misused for DDoS attacks. CLDAP — basically LDAP over UDP — can be weaponized to generate huge spikes of bandwidth.</p> <p><strong>Once again, Redmond shows devs</strong><span>&nbsp;</span>what<span>&nbsp;</span><i>not</i><span>&nbsp;</span>to do. If your app or service is exposed to the internet, how does it behave when fed forged packets? Can it be misused by hackers to reflect and amplify traffic to an innocent third party?</p> <p><strong>Learning from other devs’</strong>&nbsp;mistakes is the only possible silver lining in this cloudy nightmare. In this week’s<span>&nbsp;</span><a href="https://blog.reversinglabs.com/blog/tag/secure-software-blogwatch">Secure Software&nbsp;Blogwatch</a>, we take a long, hard look in the mirror.</p> <p><a title="Richi Jennings" href="https://www.richi.uk/">Your humble blogwatcher</a>&nbsp;curated these bloggy bits for your entertainment. Not to mention:&nbsp;<i>Inktober</i>.<br>&nbsp;</p> <h2 style="font-weight: normal;">We see you</h2> <p><strong>What’s the craic?</strong><span>&nbsp;</span>Alfonso Maruccia reports&nbsp;—&nbsp;“<a title="read the full text" href="https://www.techspot.com/news/96481-reflection-ddos-attacks-rise-again.html">Reflection DDoS attacks are on the rise again</a>”:</p> <blockquote> <em><strong>“Powerful DDoS attacks”</strong><br>A resurgence in vulnerable CLDAP servers is making DDoS attacks more powerful and dangerous. … In the last 12 months, there has been a more than 60% increase in CLDAP abuse with over 12,000 instances of "zombified" servers<br>…<br>A "reflection attack" is again finding widespread use by cyber-criminals, abusing unprotected Microsoft servers to overload targeted websites with traffic. … This attack vector spoofs the target's IP address and sends a UDP request to one or more third parties. Those servers then respond to the spoofed address, which reflects back, creating a feedback loop.<br>…<br>[It] amplifies the traffic tens, hundreds, or thousands of times and conceals the attacker's IP. … The most troublesome CLDAP reflectors are the ones hackers have used for years in multiple powerful DDoS attacks.</em> </blockquote> <p><strong>And</strong><span>&nbsp;</span>Dan Goodin checks in&nbsp;—&nbsp;“<a title="read the full text" href="https://arstechnica.com/information-technology/2022/10/researchers-id-12k-microsoft-servers-that-are-a-ddosers-best-friend/">Meet the Windows servers … fueling massive DDoSes</a>”:</p> <blockquote> <em><strong>“Record-breaking DDoSes”</strong><br>A small retail business in North Africa, a North American telecommunications provider, and two separate religious organizations: What do they have in common? They’re all running poorly configured Microsoft servers that for months or years have been spraying the Internet with gigabytes per second of junk data.<br>…<br>Recently published research … identified more than 12,000 servers—all running Microsoft domain controllers hosting the company’s Active Directory services—that were regularly used to magnify the size of distributed-denial-of-service attacks, or DDoSes. … A Microsoft derivation of the industry-standard Lightweight Directory Access Protocol, CLDAP uses User Datagram Protocol packets.<br>…<br>Some of the better-known reflectors are misconfigured servers running services such as open DNS resolvers, the network time protocol, Memcached for database caching, and the WS-Discovery protocol found in Internet of Things devices. Also known as amplification attacks, these reflection techniques allow record-breaking DDoSes to be delivered by the tiniest of botnets.</em> </blockquote> <p><strong>Who did the research?</strong><span>&nbsp;</span>Chad Davis&nbsp;—&nbsp;“<a title="read the full text" href="https://blog.lumen.com/cldap-reflectors-on-the-rise-despite-best-practice/">CLDAP Reflectors On The Rise</a>”:</p> <blockquote> <em><strong>“17 Gbps”</strong><br>Despite the industry’s firm understanding of the mechanics of UDP reflection … we continue to find plenty of vulnerable services out there, ready and waiting to generate a voluminous stream of junk traffic. … With a high Bandwidth Amplification Factor (BAF) of 56 to 70x and common deployment onto systems provisioned with healthy bandwidth, CLDAP reflectors reliably add traffic volume to the DDoS recipe.<br>…<br>As a case study, let’s consider a CLDAP service hosted on an IP address … affiliated with a religious organization. … The specific targets change, but the reflector dutifully directs several Gbps of traffic when called to do so. … We have [seen] it throwing gigabits per second of traffic at an array of targets [peaking at] 17 Gbps. … Marshalling even 10% of existing CLDAP reflectors in an attack could generate traffic in the Terabits per second range.</em> </blockquote> <p><strong>A BAF of 70x?</strong><span>&nbsp;</span>That’s nothing.<span>&nbsp;</span><a title="read the full text" href="https://www.reddit.com/r/cybersecurity/comments/yfpwbc/comment/iuj3pvc/">u/Beef_Studpile</a><span>&nbsp;</span>is an incident responder:</p> <blockquote> <em>I always chuckle when I hear about ddos reflection attacks and think back to [the Mitel MiVoice vuln] where every packet results in<span>&nbsp;</span><strong>4.3 billion</strong><span>&nbsp;</span>packets in response.</em> </blockquote> <p><strong>Other researchers agree the problem’s getting worse.</strong><span>&nbsp;</span>Benjamin Yip offers this “<a title="read the full text" href="https://blog.nexusguard.com/threat-report/ddos-statistical-report-for-1hy-2022">DDoS Statistical Report</a>”:</p> <blockquote> <em>UDP based attacks in the first half of 2022 increased by 77.53% compared to the second half of 2021. … Amplification attacks increased by 106.65% in the same period.</em> </blockquote> <p><strong>What can developers learn</strong><span>&nbsp;</span>from Microsoft’s mistakes?<span>&nbsp;</span><a title="read the full text" href="https://arstechnica.com/information-technology/2022/10/researchers-id-12k-microsoft-servers-that-are-a-ddosers-best-friend/?comments=1&amp;post=41343169#comment-41343169">chilinux</a><span>&nbsp;</span>summarizes the problem:</p> <blockquote> <em>Microsoft may not ultimately be responsible for their customers but they have not really been part of the solution either. … Even as of Windows Server 2022 it seems … if you enable LDAP from Microsoft on Windows, then you always also end up with LDAP over UDP enabled as well. To be extra "helpful," enabling the LDAP role also usually adds rules to the Windows Firewall to allow all CLDAP packets from any IP address.<br>…<br>If enough customers shoot themselves in the foot with a gun, at some point someone might ask why that specific manufacturer … has no safety switch when the rest of the industry has one. Or if enough people get killed in car accidents in cars that … have no bumper, seat belts or airbags then someday the question might be why those cars ship like that?</em> </blockquote> <p><strong>It’s not as if Microsoft wasn’t warned.</strong><span>&nbsp;</span>Here’s<span>&nbsp;</span><a title="read the full text" href="https://it.slashdot.org/comments.pl?sid=16593750&amp;cid=60195418">bill_mcgonigle</a>:</p> <blockquote> <em>Oh lord, they didn't even learn from NTP amplification attacks. Shocked, I say, shocked. Unfortunately, not liable, so why should they care?</em> </blockquote> <p><strong>Especially as it’s<span>&nbsp;</span><i>still</i><span>&nbsp;</span>the default behavior.</strong><span>&nbsp;</span><a title="read the full text" href="https://arstechnica.com/information-technology/2022/10/researchers-id-12k-microsoft-servers-that-are-a-ddosers-best-friend/?comments=1&amp;post=41342711#comment-41342711">Jim Salter</a><span>&nbsp;</span>waxes excoriating:</p> <blockquote> <em>Given Microsoft's position in the market … they share some culpability for building services this useful for DDoS amplification without also building in mollyguards to detect when they’re made internet-accessible, and<span>&nbsp;</span><strong>strenuously</strong><span>&nbsp;</span>warn their idiot owners.</em> </blockquote> <p><strong>Meanwhile,</strong><span>&nbsp;</span>pointing at the parlor’s pachyderm<span>&nbsp;</span><a title="read the full text" href="https://news.ycombinator.com/item?id=33402478">jiggawatts</a><span>&nbsp;</span>asks the obvious question:</p> <blockquote> <em>Wait. … There are thousands of Windows Domain Controllers just "on" the Internet‽ What are these people thinking?</em> </blockquote> <h2 style="font-weight: normal;">And Finally:</h2> <p><strong><a title="And Finally" href="https://www.youtube.com/watch?v=-_UIcswX5F8&amp;list=PL9zSC5i495YMjIuJjxToNGU8Ve7Gd5Rvj">Inktober</a></strong></p> <div class="hs-embed-wrapper" style="position: relative; overflow: hidden; width: 100%; height: auto; padding: 0px; max-width: 560px; min-width: 256px; display: block; margin: auto;"> <div class="hs-embed-content-wrapper"> <div style="position: relative; overflow: hidden; max-width: 100%; padding-bottom: 56.25%; margin: 0px;"> <iframe style="position: absolute; top: 0px; left: 0px; width: 100%; height: 100%; border: none;" src="https://www.youtube.com/embed/-_UIcswX5F8" width="560" height="315" frameborder="0" allowfullscreen></iframe> </div> </div> </div> <p>&nbsp;</p> <p><a href="https://www.youtube.com/playlist?list=PL9zSC5i495YMjIuJjxToNGU8Ve7Gd5Rvj">Previously in<span>&nbsp;</span><em>And finally</em></a></p> <p><em>You have been reading&nbsp;<i>Secure Software&nbsp;Blogwatch</i>&nbsp;by&nbsp;<a href="https://www.richi.uk/">Richi&nbsp;Jennings</a>. Richi curates the best bloggy bits, finest forums, and weirdest websites … so you don’t have to. Hate mail may be directed to&nbsp;<a href="https://twitter.com/richi">@RiCHi</a>&nbsp;or&nbsp;<a href="mailto:ssbw@richi.co.uk?subject=-sbbw-">ssbw@richi.uk</a>. Ask your doctor before reading. Your mileage may vary. Past performance is no guarantee of future results. Do not stare into laser with remaining eye. E&amp;OE. 30.</em></p> <p><small><i>Image sauce:<span>&nbsp;</span><a href="https://www.flickr.com/photos/42113464@N02/5434242794">Anais Gómez-C</a><span>&nbsp;</span>(<a title="Some rights reserved" href="https://creativecommons.org/licenses/by-sa/2.0/">cc:by-sa</a>; leveled and cropped)</i></small></p> <img src="https://track.hubspot.com/__ptq.gif?a=3375217&amp;k=14&amp;r=https%3A%2F%2Fdevelop.secure.software%2Freflection-attacks-dont-be-part-of-the-problem&amp;bu=https%253A%252F%252Fdevelop.secure.software&amp;bvt=rss" alt="" width="1" height="1" style="min-height:1px!important;width:1px!important;border-width:0!important;margin-top:0!important;margin-bottom:0!important;margin-right:0!important;margin-left:0!important;padding-top:0!important;padding-bottom:0!important;padding-right:0!important;padding-left:0!important; "> Secure Software Blogwatch Dev & DevSecOps Wed, 02 Nov 2022 21:10:25 GMT richi.jennings@richi.co.uk (Richi Jennings) https://develop.secure.software/reflection-attacks-dont-be-part-of-the-problem 2022-11-02T21:10:25Z National Cyber Director: Higher bar for software supply chain security is key to cyber resilience https://develop.secure.software/national-cyber-director-supply-chain-key-to-cyber-resilience <div class="hs-featured-image-wrapper"> <a href="https://develop.secure.software/national-cyber-director-supply-chain-key-to-cyber-resilience" title="" class="hs-featured-image-link"> <img src="https://develop.secure.software/hubfs/chris-inglis-national-cyber-director-software-supply-chain-security.jpg" alt="National Cyber Director: Higher bar for software supply chain security is key to cyber resilience" class="hs-featured-image" style="width:auto !important; max-width:50%; float:left; margin:0 15px 15px 0;"> </a> </div> <p style="text-align: left; font-weight: bold;">Chris Inglis said the government is setting a new bar for supply chain security as the national cybersecurity focus shifts from incident response to cyber resilience.</p> <p style="text-align: left; font-weight: bold;"><img src="https://develop.secure.software/hs-fs/hubfs/chris-inglis-national-cyber-director-software-supply-chain-security.jpg?width=1400&amp;height=732&amp;name=chris-inglis-national-cyber-director-software-supply-chain-security.jpg" alt="chris-inglis-national-cyber-director-software-supply-chain-security" width="1400" height="732" style="height: auto; max-width: 100%; width: 1400px;"></p> <p style="text-align: left; font-weight: bold;">Chris Inglis said the government is setting a new bar for supply chain security as the national cybersecurity focus shifts from incident response to cyber resilience.</p> <p style="text-align: left;">Software development teams are going to be held to a higher standard for securing their software, as the federal government shifts its focus from incident response to cyber resilience, say two senior White House cybersecurity officials.&nbsp;</p> <p><span style="background-color: transparent; color: #1f1f1f; font-size: 18px;">Spurred on by President Biden’s Executive Order for Improving the Nation’s Cybersecurity, the U.S. government is transitioning quickly from focusing on incident response to cyber resilience, National Cyber Director <a href="https://twitter.com/ncdinglis">Chris Inglis</a> told a gathering of policy experts </span><a href="https://www.csis.org/events/conversation-chris-inglis-and-anne-neuberger-0" style="background-color: transparent; font-size: 18px;">at an event hosted by the Center for Strategic and International Studies (CSIS)</a><span style="background-color: transparent; color: #1f1f1f; font-size: 18px;">, a Washington D.C. think tank. </span></p> <p><span style="color: #1f1f1f; font-size: 18px; background-color: transparent;">Here are the key takeaways from the event.</span></p> <p style="font-size: 20px;"><span style="font-weight: bold;">[&nbsp;</span><a href="https://register.reversinglabs.com/free-sbom" style="font-weight: bold;">Get a free SBOM and supply chain risk analysis report</a><span style="font-weight: bold;"> ]</span></p> <h2 style="font-size: 24px; font-weight: bold;">No more ‘losing slowly’</h2> <p>Citing the crisis caused by the disclosure of a critical, <a href="https://develop.secure.software/blog/log4j-is-why-you-need-an-sbom">remotely exploitable hole in the Log4j open source library</a>, Inglis said the government’s aim now was to prevent future Log4j’s from happening.&nbsp;</p> <blockquote> <p style="font-size: 24px;"><em>“A year ago, the unrelenting focus oftentimes was on operational response,” Inglis said about the federal government’s cyber policy.&nbsp; The federal response to Log4j went “extremely well. [But] if we responded that way well, excellently, time, after time, after time, we’d just lose more slowly.”&nbsp;<br>—<a href="https://twitter.com/ncdinglis">Chris Inglis</a>, National Cyber Director</em></p> </blockquote> <p>The focus of the federal government now is to “actually push responsibility for building resilience in by design to the technology, to the roles and responsibilities, and to the people skills, such that we avoid those (Log4j) events,” he said.&nbsp;</p> <p>Inglis was interviewed alongside <a href="https://www.linkedin.com/in/anne-neuberger-13b4491b/">Anne Neuberger</a>, who is Deputy Assistant to the President and Deputy National Security Advisor for Cyber and Emerging Technologies at the National Security Council.&nbsp;</p> <p>The two talked up the government’s efforts that promote companies to improve the security of their technology, in part by adopting a “secure by design” approach. President Biden’s <a href="https://blog.reversinglabs.com/blog/assessment-cybersecurity-executive-order-one-year-on"><span>May, 2021 Executive Order 14028</span></a> set the course, Inglis said.&nbsp;</p> <blockquote> <p style="font-size: 24px;"><em>“Executive Order 14028… has been a watershed moment for us to actually make the commitment, to get the technology, the architecture right."</em><br><em>—Chris Ingles</em></p> </blockquote> <p>Likening the work of the White House to past government programs to regulate the safety and security of transportation systems, Inglis said that the preferred approach was to have a “light touch” when it came to mandating security measures, and to allow market forces to drive change — as happened with automobile safety features.&nbsp;</p> <p>But that will mean putting responsibility for security squarely in the lap of technology providers and their suppliers and partners, and making it clear that end users are not the responsible parties, Ingles said.</p> <blockquote> <p style="font-size: 24px;"><em>“Everyone agrees, I think, that the first and last line of defense can’t be the user at the end of that supply chain. We have to push some responsibility along that supply chain."</em><br><em>—Chris Ingles</em></p> </blockquote> <div class="hs-embed-wrapper" style="position: relative; overflow: hidden; width: 100%; height: auto; padding: 0px; max-width: 560px; min-width: 256px; display: block; margin: auto;"> <div class="hs-embed-content-wrapper"> <div style="position: relative; overflow: hidden; max-width: 100%; padding-bottom: 56.25%; margin: 0px;"> <iframe width="560" height="315" src="https://www.youtube.com/embed/Fx4RxDZWpFM" frameborder="0" allowfullscreen style="position: absolute; top: 0px; left: 0px; width: 100%; height: 100%; border: none;"></iframe> </div> </div> </div> <p style="text-align: center;"><em>View the conversation on YouTube.</em></p> <h2 style="font-size: 24px; font-weight: bold;">Security labeling, anyone?&nbsp;</h2> <p>Neuberger said that the recently introduced <a href="https://www.nist.gov/itl/executive-order-14028-improving-nations-cybersecurity/cybersecurity-labeling-consumers-0">Internet of Things security labeling guidelines</a>, which will come out in 2023, are part of that shift of responsibility from end users to technology providers.&nbsp;</p> <blockquote> <p><em><span style="font-size: 24px;">"When someone is making a purchase decision for tech, whether a consumer buying a smart TV or a power grid operator buying an unmanned sensor, they have no way to know what is the security of this device and what risk does it bring to me."<br>—<a href="https://www.linkedin.com/in/anne-neuberger-13b4491b/">Anne Neuberger</a>, Deputy National Security Advisor for Cyber and Emerging Technologies at the NSC</span></em></p> </blockquote> <p>While “regulation” has long been treated as a four letter word in Washington D.C., Inglis and Neuberger didn’t rule it out, especially in the context of securing critical infrastructure like energy and transportation.&nbsp;</p> <p>Still, Inglis said that private sector firms were warning to the idea of designing resilience into their products and systems.&nbsp;</p> <blockquote> <p style="font-size: 24px;"><em>“When you talk to the private sector leaders, both the technologists and the committing officials, perhaps, from the boardrooms, they acknowledge that resilience has to be by design built into the systems that they deliver."</em><br><em>—Chris Inglis</em></p> </blockquote> <h2 style="font-size: 24px; font-weight: bold;">Evolving guidance on supply chain security</h2> <p>Since taking office, the Biden Administration has used the purchasing power of the federal government to try to shape a federal software supply chain security policy. In addition to the Executive Order in 2021, the Administration has, in recent months, issued a number of directives <a href="https://develop.secure.software/blog/the-supply-chain-security-guide-roadmap-for-a-post-solarwinds-world">designed to improve the security of the software and services government agencies rely on</a>.</p> <p>In September, for example, the Office of Management and Budget published a memorandum, M-22-18, that requires federal agencies to comply with NIST guidance on software supply chain security, including <a href="https://csrc.nist.gov/publications/detail/sp/800-218/final"><span>NIST Special Publication 800-218</span></a> on developing a secure software development framework and <a href="https://www.nist.gov/system/files/documents/2022/02/04/software-supply-chain-security-guidance-under-EO-14028-section-4e.pdf"><span>subsequent NIST guidance</span></a> on software supply chain security.&nbsp;</p> <p>The memo also set out a timeline for federal agencies to communicate new software security requirements to their vendors, and for software publishers that sell to federal agencies to self-attest to the security of their wares. That deadline is 270 days from the release of the memo for vendors who sell “critical” software and services to federal agencies. Vendors selling non-critical software have a year to attest to the security of their wares.&nbsp;</p> <h2 style="font-weight: bold;">SBOMs are the first, essential step</h2> <p>The memo has also opened the door to <a href="https://develop.secure.software/blog/white-house-memo-lays-down-the-law-on-software-supply-chain-security">federal agencies requiring the creation of Software Bills of Materials (SBOMs)</a> that allow them to identify, track and monitor individual components within larger applications and services. The new White House memo does not require software publishers to use — or federal agencies to require — the creation of an SBOM to validate their attestation. However, the language in the memo makes clear that an SBOM “may be required” by an agency as part of solicitation requirements, especially for software deemed “critical.”</p> <p>Inglis said the new guidance is helping to set "expectations across the length and breadth of the supply chain."</p> <blockquote> <p style="font-size: 24px;"><em>"It doesn’t relieve the burden on the end user to participate in his or her own defense...[But] we need to push some of that accountability across the system so that the beneficiaries, the maximum number of beneficiaries can profit from the benefits of cyberspace."</em><br><em>—Chris Ingles</em></p> </blockquote> <img src="https://track.hubspot.com/__ptq.gif?a=3375217&amp;k=14&amp;r=https%3A%2F%2Fdevelop.secure.software%2Fnational-cyber-director-supply-chain-key-to-cyber-resilience&amp;bu=https%253A%252F%252Fdevelop.secure.software&amp;bvt=rss" alt="" width="1" height="1" style="min-height:1px!important;width:1px!important;border-width:0!important;margin-top:0!important;margin-bottom:0!important;margin-right:0!important;margin-left:0!important;padding-top:0!important;padding-bottom:0!important;padding-right:0!important;padding-left:0!important; "> Software Supply Chain Security Software Bill of Materials (SBOM) Dev & DevSecOps Executive Order on Cybersecurity (EO 14028) Tue, 01 Nov 2022 16:18:45 GMT paul.roberts@reversinglabs.com (Paul Roberts) https://develop.secure.software/national-cyber-director-supply-chain-key-to-cyber-resilience 2022-11-01T16:18:45Z OWASP at a crossroads: Founder Mark Curphey's call for relevance in the age of DevSecOps https://develop.secure.software/owasp-at-a-crossroads-mark-curpheys-call-for-relevancy-in-the-age-of-software-supply-chain-security <div class="hs-featured-image-wrapper"> <a href="https://develop.secure.software/owasp-at-a-crossroads-mark-curpheys-call-for-relevancy-in-the-age-of-software-supply-chain-security" title="" class="hs-featured-image-link"> <img src="https://develop.secure.software/hubfs/owasp-mark-curphey-manifesto-modernize.jpg" alt="OWASP at a crossroads: Founder Mark Curphey's call for relevancy in the DevSecOps age" class="hs-featured-image" style="width:auto !important; max-width:50%; float:left; margin:0 15px 15px 0;"> </a> </div> <p>After two decades of raising awareness about the big problems in application security, the Open Web Application Security Project (OWASP) stands at a crossroads. So warns OWASP's founder Mark Curphey, who believes that if the OWASP Foundation continues to do business as usual, it risks dissipating into irrelevancy in the not-so-distant future. After many years removed from the day-to-day operations and leadership of the group, Curphey is on a crusade to return to a leadership spot and modernize OWASP.<span>&nbsp;</span></p> <p><img src="https://develop.secure.software/hs-fs/hubfs/owasp-mark-curphey-manifesto-modernize.jpg?width=1400&amp;height=732&amp;name=owasp-mark-curphey-manifesto-modernize.jpg" alt="owasp-mark-curphey-manifesto-modernize" width="1400" height="732" style="height: auto; max-width: 100%; width: 1400px;"></p> <p>After two decades of raising awareness about the big problems in application security, the Open Web Application Security Project (OWASP) stands at a crossroads. So warns OWASP's founder Mark Curphey, who believes that if the OWASP Foundation continues to do business as usual, it risks dissipating into irrelevancy in the not-so-distant future. After many years removed from the day-to-day operations and leadership of the group, Curphey is on a crusade to return to a leadership spot and modernize OWASP.<span>&nbsp;</span></p> <p>He's doing it with guns blazing in a <i>status quo</i>-busting campaign for the OWASP board (for which voting concludes in a few days) in which he promises to push for radical changes in the way the organization governs, funds, and runs its open source software security projects.&nbsp;</p> <p>Curphey believes the changes he's got in mind are the surest way OWASP can reinvent itself to keep up with the risks and realities of the way software is now delivered in this cloud-native, DevSecOps world.</p> <h2><strong>The relevancy problem with OWASP in 2022</strong></h2> <p>Back in 2001, Curphey led the first charge for OWASP's inception. At the time he was running application security at a big financial services firm and already very tapped into the appsec community as the moderator of the WebAppSec mailing list, which was a hotbed of conversation among the software security cognoscenti, but full of plenty of vendor fear, uncertainty and doubt (FUD), too.<span>&nbsp;</span></p> <p>Frustrated with the lack of a neutral forum for collaboration between the security world and the developer community, he took action. He authored the first draft of the OWASP's earliest philosophical and technical precepts, he registered the owasp.org domain, and he gathered some of the finest minds in appsec to work together on projects designed to guide and help website operators shore up the security of the internet in the heady days of the dot-com bubble.<span>&nbsp;</span></p> <p>He was heavily involved with the group as it came together to develop the first iteration of the OWASP Top 10 Project, an open source project for which the group is best known. Detailing the top 10 most dangerous flaws that developers should be aware of when developing software for the web, the project continues to be updated to this day —alongside many, many other projects, including Software Assurance Maturity Model, Software Component Verification Standard, and Dependency-Track.<span>&nbsp;</span></p> <p>Herein lies the rub, according to Curphey. He explains that many years after stepping aside from the group's leadership, OWASP has grown into something much bigger than he ever dreamed during those early days. With the flood of contributors and countless projects tackled by OWASP over the years, he believes the group has gotten so caught up in bureaucracy and security navel gazing that it's failed to keep up with the way developers work today. Even just the name hints at this lack of modernization, he says.</p> <p>Curphey said he would push to rebrand the OWASP acronym to the Open Worldwide Application Security Project.</p> <blockquote> <p style="font-size: 24px;"><em>"When the project was created, it was called the Open Web Application Security Project. It's not about web now, it's about cloud, IoT, APIs, and everything else. It was just a fundamentally different era. Cloud native development is fundamentally different from what we built before. And the OWASP mission hasn't been updated, the scope of the project hasn't been updated. And there's just a lot of things that are huge missed opportunities."</em><br><em>—<a href="https://www.linkedin.com/in/curphey/">Mark Curphey</a></em></p> </blockquote> <p>Since he left the group he's crusaded for app sec in his own way, working for Microsoft, founding three different security companies, and working the speaker circuit tirelessly — all while keeping an eye on OWASP's progression.<span>&nbsp;</span></p> <p>As he explains in his <a href="https://www.mark-curphey-for-owasp-2022.com/">Manifesto for OWASP in 2022</a>,&nbsp;he's been simultaneously proud of many OWASP achievements over the years and frustrated with what OWASP has become, as it has not moved fast or effectively enough to help developers deliver more secure software up and down the software supply chain that stretches well beyond web apps.<span>&nbsp;</span></p> <blockquote> <p style="font-size: 24px;">"Modern software is an intersection of code development, software supply chains, cloud computing, DevOps..."<br><em>—Mark Curphey</em></p> </blockquote> <p>While developers today are out <a href="https://develop.secure.software/blog/google-gets-behind-guac-to-take-a-bite-out-of-supply-chain-insecurity">seeking more democratized security tools</a> and detailed technical guidance, so they can weave secure coding principles into their work on the daily, he argues that OWASP remains an "organization that operates for the lowest common denominator by trying to keep everyone happy." As a result, OWASP doesn't offer enough tooling or clear technical guidelines that can be easily found and implemented by developers or DevOps teams into their deployment pipelines, he said.</p> <h2 style="font-weight: bold;">Technical focus areas for modern development teams</h2> <p>Some of the technical areas his manifesto says OWASP should be focusing on to add value for modern development shops include, per Curphey's manifesto:</p> <ul> <li>Language analysis and improvement</li> <li>Runtime analysis and improvement</li> <li>DevSecOps automation</li> <li>Debugging</li> <li>SAST</li> </ul> <blockquote> <p style="font-size: 24px;"><em>"OWASP doesn't even have a credible SAST project today, probably the most widely accepted and understood application security analysis technology. Let's fix that fast."</em></p> </blockquote> <h2><strong>The changes needed for OWASP</strong></h2> <p>As he sees it, one of the big problems right now is that "there's no mechanism to vote for radical change" in the OWASP community model. His goal is to step into the board and make waves with some big moves to the governance of the group</p> <p><span>"</span>Currently, there's no referendums that can happen. All you can do is join the board. But what I laid out in that manifesto was, this is not just a play to join the board and debate what changes we can make--I'm asking for a mandate for change," he says.</p> <p>His drive will be to change the group in three major ways.</p> <h2><strong>1. Change the culture</strong></h2> <p>Changing the culture of OWASP is priority one. "One of the first ones is to change the culture and remove the bureaucracy. Until you do that, you're not going to get anything done."<span>&nbsp;</span></p> <p>As a part of that, he's advocating for more transparency in how vendors are or are not involved in the OWASP mission, and cleaving more closely to the vendor-neutral roots in which OWASP was first founded.</p> <p>"Supposedly, OWASP's vendor neutral, but in reality, it's just not. I mean, you have vendors that are in positions running chapters; they all have a vested interest," he says. "I attended a chapter meeting recently and essentially it was just a set of vendors pitching their products and pitching what their products do."</p> <blockquote> <p><em><span style="font-size: 24px;">"The vendors are probably the ones that stand there lose the most out of all of this. And the internet and the community a whole are the ones who stand to gain the most, for sure."</span></em><br><em><span style="font-size: 24px;">—Mark Curphey</span></em></p> </blockquote> <p>The process of shifting the culture also means bringing new blood into the group, including bringing the voices of developers more firmly into the fold, as well as deeply technical people in the security community who have sat on the sidelines for too long.<span>&nbsp;</span></p> <h2><strong>2. Establish a different funding model</strong></h2> <p>Curphey isn't shy in his admiration of the way that Jim Zemlin has raised funds as Executive Director of Linux Foundation, bolstering the group's war chest for community-wide software security initiatives.<span>&nbsp;</span></p> <p>"For instance, when OpenSSL and Heartbleed came out, Jim Zemlin literally raised $6 million bucks over 48 hours and went and gave it to the OpenSSL team to go fix the problem," he says. "He runs it like a teaching hospital or Gates Foundation. But it's not run like a community workshop, which is unfortunately what OWASP is."</p> <p>Curphey's vision is for OWASP to dump the community funding model and to take lessons — and help — from Linux Foundation funding efforts to support projects like OpenSSF.<span>&nbsp;</span>"The OWASP funding model has to change in order to attract the right talent," he says. "Jim Zemlin is offering to help me figure out how to go raise money. And he's a huge supporter."</p> <h2><strong>3. Clean up the projects and the OWASP site</strong></h2> <p>Curphey says there are currently "hundreds and hundreds" of projects hosted by OWASP, and that the site is a byzantine mess that only serves to confuse developers rather than actually helping them develop more secure code. His mission is to pare down and clean up the projects and the site itself so that it's serving<span>&nbsp;</span>the right audience.</p> <p>Curphey outlines in his manifesto that he wants to install a Chief Product Officer and a product management team that cleans up the group's portfolio:</p> <blockquote> <p style="font-size: 24px;"><em>"It has to be externally focused so that you can give the right help."</em></p> </blockquote> <h2><strong>Uncertainties lie ahead</strong></h2> <p>With under a week left in OWASP voting for the board (last day of voting is Oct. 30<sup>th</sup>), it's still all up in the air whether Curphey will even get his shot to make these sweeping changes. He says he's got the support of many on the current board, and his "LinkedIn alerts are going off left, right, and center with people who have left the project or people that didn’t' participate that are saying 'Great, I want in.'"<span>&nbsp;</span></p> <p>But he recognizes that there will be detractors there and that it will take significant effort to change what's grown up from a spunky grassroots effort he spearheaded 21 years go to the huge organization it is today.</p> <blockquote> <p style="font-size: 24px;"><em>"The hope is that mandate [for changing OWASP] is proven in a vote and then we'll go affect the change. But yeah, it's perfectly possible that the same bureaucracy that's hit the rest of the project hits me and we can't make it happen. But I will be very vocal if that's the case. And forceful."</em><br><em>—Mark Curphey</em></p> </blockquote> <img src="https://track.hubspot.com/__ptq.gif?a=3375217&amp;k=14&amp;r=https%3A%2F%2Fdevelop.secure.software%2Fowasp-at-a-crossroads-mark-curpheys-call-for-relevancy-in-the-age-of-software-supply-chain-security&amp;bu=https%253A%252F%252Fdevelop.secure.software&amp;bvt=rss" alt="" width="1" height="1" style="min-height:1px!important;width:1px!important;border-width:0!important;margin-top:0!important;margin-bottom:0!important;margin-right:0!important;margin-left:0!important;padding-top:0!important;padding-bottom:0!important;padding-right:0!important;padding-left:0!important; "> Continuous Integration/Continuous Delivery (CI/CD) Container Security Dev & DevSecOps CI/CD Security Thu, 27 Oct 2022 15:27:12 GMT ericka@chickowski.com (Ericka Chickowski) https://develop.secure.software/owasp-at-a-crossroads-mark-curpheys-call-for-relevancy-in-the-age-of-software-supply-chain-security 2022-10-27T15:27:12Z Google pairs GUAC with SLSA to take a bite out of software supply chain insecurity https://develop.secure.software/google-gets-behind-guac-to-take-a-bite-out-of-supply-chain-insecurity-0 <div class="hs-featured-image-wrapper"> <a href="https://develop.secure.software/google-gets-behind-guac-to-take-a-bite-out-of-supply-chain-insecurity-0" title="" class="hs-featured-image-link"> <img src="https://develop.secure.software/hubfs/guac--juan-manuel-giraldo-grisales-K7bd0WoYfoo-unsplash.png" alt="Google pairs GUAC with SLSA to take a bite out of software supply chain insecurity" class="hs-featured-image" style="width:auto !important; max-width:50%; float:left; margin:0 15px 15px 0;"> </a> </div> <p><strong></strong></p> <p><strong><img src="https://develop.secure.software/hs-fs/hubfs/guac--juan-manuel-giraldo-grisales-K7bd0WoYfoo-unsplash.png?width=1400&amp;height=732&amp;name=guac--juan-manuel-giraldo-grisales-K7bd0WoYfoo-unsplash.png" alt="guac--juan-manuel-giraldo-grisales-K7bd0WoYfoo-unsplash" width="1400" height="732" style="height: auto; max-width: 100%; width: 1400px;"></strong></p> <p><strong>Google is putting its weight behind a project</strong><span>&nbsp;</span>to offer a comprehensive view of your software. Enter GUAC:<span>&nbsp;</span><i>Graph for Understanding Artifact Composition</i>.</p> <p><strong>Knowing a vulnerability’s blast radius</strong><span>&nbsp;</span>would be super helpful. <a href="https://develop.secure.software/blog/a-software-bill-of-materials-sbom-what-it-is-and-why-it-matters-for-software-supply-chain-security">Software Bills of Materials (SBOMs)</a> and <a href="https://security.googleblog.com/2021/06/introducing-slsa-end-to-end-framework.html">SLSA</a> are fine — as far as they go — but there’s a need to bring thousands or millions of sources together into one, universal graph that’s easily queried. As software supply chain risks become more and more acute, knowledge is power.</p> <p><strong>It’s an open source project.</strong>&nbsp;In this week’s<span>&nbsp;</span><a href="https://blog.reversinglabs.com/blog/tag/secure-software-blogwatch">Secure Software&nbsp;Blogwatch</a>, we go to GitHub and check it out.</p> <p><a title="Richi Jennings" href="https://www.richi.uk/">Your humble blogwatcher</a>&nbsp;curated these bloggy bits for your entertainment. Not to mention:&nbsp;<i>You can’t handle the truth</i>.</p> <p><span style="font-weight: bold;">[&nbsp;</span><a href="https://register.reversinglabs.com/free-sbom" style="font-weight: bold;">Get a free SBOM and supply chain risk analysis report</a><span style="font-weight: bold;"> ]</span></p> <h2 style="font-weight: bold;">Dip into this tasty repo</h2> <p><strong>What’s the craic?</strong><span>&nbsp;</span>Howard Solomon reports&nbsp;—&nbsp;“<a title="read the full text" href="https://www.itworldcanada.com/article/cyber-security-today-oct-24-2022-a-new-ransomware-data-removal-tool-is-found-a-warning-that-exploit-proofs-of-concepts-in-github-may-not-be-safe-and-more/509655">Google announced a way to help</a>”:</p> <blockquote> <em><strong>“An open-source project”</strong><br>IT and security leaders need to know what’s in applications to be able to judge their level of risk. [Google] has created a project called the Graph for Understanding Artifact Composition.<br>…<br>The goal is to help developers create metadata about their applications that describe the software build, security and dependencies. There already are several efforts, such as the ability to create signed attestations about how software was built … and software bill of materials generators.<br>…<br>GUAC would bring together different sources of software security metadata into a graph database. This is an open-source project on GitHub.</em> </blockquote> <p><strong>More detail please.</strong><span>&nbsp;</span>Jaikumar Vijayan expands on that neat summary&nbsp;—&nbsp;“<a title="read the full text" href="https://www.darkreading.com/application-security/googles-guac-project-aims-to-democratize-software-supply-chain-security-metadata">GUAC Aims to Democratize Software Supply Chain Security</a>”:</p> <blockquote> <em><strong>“Potential weaknesses and vulnerabilities”</strong><br>The trend is driving organizations to … requiring a software bill of materials (SBOM) for their software and to using … Supply chain Levels for Software Artifacts (SLSA). [GUAC] could move the needle forward on industrywide efforts to address software supply chain security. … Once available, [it] will give developers, security teams, auditors, and other enterprise stakeholders a central source for information about the security, provenance, and overall trustworthiness of the individual components in their … codebases.<br>…<br>According to Google … software and security teams … will be able to query GUAC for information on … their software, associated dependencies and any potential weaknesses, and vulnerabilities in them [and] determine if an application they are about to deploy meets organizational polices, and if all binaries in production can be tracked back to a secure repository. … For instance, when a new vulnerability is disclosed, organizations will be able to use GUAC to determine which parts of their software inventory might be affected.</em> </blockquote> <p><strong>GUAC? Surely there’s a childish easter egg in the acronym?</strong><span>&nbsp;</span>Brandon Vigliarolo obliges&nbsp;—&nbsp;“<a title="read the full text" href="https://www.theregister.com/2022/10/24/security_in_brief/">Slap some GUAC on your software supply chain</a>”:</p> <blockquote> <em>GUAC is designed to [use] a variety of sources, including … SLSA (pronounced "salsa").<br>…<br>You can try it out – or inject some of your own helpful code – now.</em> </blockquote> <p><strong>The horse’s mouth?</strong><span>&nbsp;</span>Google’s Brandon Lum, Mihai Maruseac and Isaac Hepworth&nbsp;—&nbsp;“<a title="read the full text" href="https://security.googleblog.com/2022/10/announcing-guac-great-pairing-with-slsa.html">Announcing GUAC</a>”:</p> <blockquote> <em><strong>“We’ve teamed up with Kusari, Purdue University, and Citi”</strong><br>[We’re] seeking contributors to a new open source project called GUAC (pronounced like the dip). … GUAC addresses a need created by the burgeoning efforts across the ecosystem to generate software build, security, and dependency metadata [and] to democratize the availability of this security information by making it freely accessible and useful for every organization.<br>…<br>Thanks to community collaboration in groups such as OpenSSF, SLSA, SPDX, CycloneDX, and others, organizations increasingly have ready access to … SBOMs … SLSA [and] vulnerability databases. … But it’s difficult to combine and synthesize the information for a more comprehensive view. The documents … cannot be easily aggregated to answer higher-level questions about an organization’s software assets. … To understand something complex like the blast radius of a vulnerability, one needs to trace the relationship between a component and everything else in the portfolio. … In the open source ecosystem, the number of documents could reach into the millions.<br>…<br>We’ve teamed up with Kusari, Purdue University, and Citi to create GUAC, a free tool to bring together many different sources of software security metadata. We’re excited to share the project’s proof of concept. … We welcome help and<span>&nbsp;</span><a href="https://github.com/guacsec/guac" title="/guacsec/guac">contributions of code or documentation</a>.</em> </blockquote> <p><strong>ELI5?</strong><span>&nbsp;</span><a title="read the full text" href="https://news.ycombinator.com/item?id=33290577">Terretta</a><span>&nbsp;</span>explains like we’re 5-ish:</p> <blockquote> <em>Graph for Understanding Artifact Composition (GUAC) aggregates software security metadata into a high fidelity graph database—normalizing entity identities and mapping standard relationships between them.<br><br>Querying this graph can drive higher-level organizational outcomes such as audit, policy, risk management, and even developer assistance.</em> </blockquote> <p><strong>Clear as mud.</strong><span>&nbsp;</span>Jacques Chester takes a step back&nbsp;—&nbsp;“<a title="read the full text" href="https://theoryof.predictable.software/articles/some-requirements-for-a-universal-asset-graph/">Requirements for a Universal Asset Graph</a>”:</p> <blockquote> <em><strong>“This problem is already bad”</strong><br>We are blind: Take a piece of software and try to learn its true and complete provenance. It doesn't exist, it never has. So far, the profession of software and the society which depends on it have gotten by on goodwill and … good luck.<br>…<br>This problem is already bad; as more and more things become programmable, it will grow to truly catastrophic proportions. … How do we know what systems are affected by an attack? How do we know to trust a given software asset? How do we update the state of our knowledge as new information comes in?<br>…<br>SBoMs are fine as far as they go, but they are necessarily a best-effort snapshot. … I see in-toto in the same role as SBoMs.</em> </blockquote> <p><strong>But is it any good?</strong><span>&nbsp;</span><a title="read the full text" href="https://news.slashdot.org/comments.pl?sid=22263387&amp;cid=62987515">Gravis Zero</a><span>&nbsp;</span>calls it a “Step in the right direction”:</p> <blockquote> <em>Despite being a Google project, this is something that is actually good. However, it appears they completely lack any way to determine the level of dependency on a library/project, only that a dependency exists. Reducing your number of dependencies means there are fewer things to go wrong, so if you can entice a project to remove a needless/redundant dependency then your software is less likely to be vulnerable.<br><br>It's shameful how many projects pull in needless dependencies. … It would be nice if corporations started promoting dependency reduction.</em> </blockquote> <p><strong>Tune in to KubeCon tomorrow.</strong><span>&nbsp;</span>Mihai Maruseac and Michael Lieberman present&nbsp;—&nbsp;“<a title="read the full text" href="https://kccncna2022.sched.com/event/182Jr">It's Dangerous To SLSA Alone Out There</a>”:</p> <blockquote> <em><strong>“We built a supply chain knowledge graph”</strong><br>By now, we’re getting bored of hearing the “am I affected by X vulnerability?” question. However, as supply chain attacks become more sophisticated, answering just this question is insufficient.<br><br>Instead, we need to think … “If TravisCI was compromised, which software is affected? With a bad actor in your supply chain, what's the blast radius?” There is a ton of information today in SBOMs, in-toto/SLSA attestations, etc. However, these documents observed individually provide limited information, but when put together and related, super-additively expand the knowledge base of our software supply chain.<br><br>We built a supply chain knowledge graph tool to help better understand the relationships between artifacts and their metadata/identities. Through this high-fidelity graph, we not only answer the hard questions posed earlier, but also make new discoveries. For example, we found that most build-systems rely not only on obvious dependencies like gcc, but often overlooked projects like libpcre and sed.</em> </blockquote> <p><strong>Meanwhile,</strong><span>&nbsp;</span><a title="read the full text" href="https://forums.theregister.com/forum/all/2022/10/24/security_in_brief/#c_4554480">fidodogbreath</a><span>&nbsp;</span>suggests a better oh-so-clever acronym — for real:</p> <blockquote> <em>Should have called it Comprehensive Hyperscale Incremental Processing Of Tokenized Log Entries.</em> </blockquote> <h2 style="font-weight: bold;">And Finally:</h2> <p><strong><a title="And Finally" href="https://www.youtube.com/watch?v=HaDfMjzroSo&amp;list=PL9zSC5i495YMjIuJjxToNGU8Ve7Gd5Rvj">A few good toys</a></strong></p> <div class="hs-embed-wrapper" style="position: relative; overflow: hidden; width: 100%; height: auto; padding: 0px; max-width: 560px; min-width: 256px; display: block; margin: auto;"> <div class="hs-embed-content-wrapper"> <div style="position: relative; overflow: hidden; max-width: 100%; padding-bottom: 56.25%; margin: 0px;"> <iframe style="position: absolute; top: 0px; left: 0px; width: 100%; height: 100%; border: none;" src="https://www.youtube.com/embed/HaDfMjzroSo" width="560" height="315" frameborder="0" allowfullscreen></iframe> </div> </div> </div> <p>&nbsp;</p> <p><a href="https://www.youtube.com/playlist?list=PL9zSC5i495YMjIuJjxToNGU8Ve7Gd5Rvj">Previously in<span>&nbsp;</span><em>And finally</em></a></p> <p><em>You have been reading&nbsp;<i>Secure Software&nbsp;Blogwatch</i>&nbsp;by&nbsp;<a href="https://www.richi.uk/">Richi&nbsp;Jennings</a>. Richi curates the best bloggy bits, finest forums, and weirdest websites … so you don’t have to. Hate mail may be directed to&nbsp;<a href="https://twitter.com/richi">@RiCHi</a>&nbsp;or&nbsp;<a href="mailto:ssbw@richi.co.uk?subject=-sbbw-">ssbw@richi.uk</a>. Ask your doctor before reading. Your mileage may vary. Past performance is no guarantee of future results. Do not stare into laser with remaining eye. E&amp;OE. 30. </em></p> <p><span style="font-style: italic; font-size: 18px;"><small>Image sauce:&nbsp;<a href="https://unsplash.com/photos/K7bd0WoYfoo">Juan Manuel Giraldo Grisales</a>&nbsp;(via&nbsp;<a title="Some rights reserved" href="https://unsplash.com/license">Unsplash</a>; leveled and cropped)</small></span></p> <img src="https://track.hubspot.com/__ptq.gif?a=3375217&amp;k=14&amp;r=https%3A%2F%2Fdevelop.secure.software%2Fgoogle-gets-behind-guac-to-take-a-bite-out-of-supply-chain-insecurity-0&amp;bu=https%253A%252F%252Fdevelop.secure.software&amp;bvt=rss" alt="" width="1" height="1" style="min-height:1px!important;width:1px!important;border-width:0!important;margin-top:0!important;margin-bottom:0!important;margin-right:0!important;margin-left:0!important;padding-top:0!important;padding-bottom:0!important;padding-right:0!important;padding-left:0!important; "> Software Supply Chain Security Secure Software Blogwatch Dev & DevSecOps Wed, 26 Oct 2022 16:23:21 GMT richi.jennings@richi.co.uk (Richi Jennings) https://develop.secure.software/google-gets-behind-guac-to-take-a-bite-out-of-supply-chain-insecurity-0 2022-10-26T16:23:21Z The state of CI/CD security: Upgrade your software supply chain tools to maintain velocity and security https://develop.secure.software/cicd-security-upgrade-your-software-supply-chain-security-tools <div class="hs-featured-image-wrapper"> <a href="https://develop.secure.software/cicd-security-upgrade-your-software-supply-chain-security-tools" title="" class="hs-featured-image-link"> <img src="https://develop.secure.software/hubfs/upgrade-maintain-speed-cicd-security.jpg" alt="The state of CI/CD security: Upgrade you software supply chain tools to maintain velocity securely" class="hs-featured-image" style="width:auto !important; max-width:50%; float:left; margin:0 15px 15px 0;"> </a> </div> <p style="font-weight: bold;">Here's what you need to know about the state of CI/CD tools — and why you need to upgrade your tools and approach to deliver secure software at speed.</p> <p><img src="https://develop.secure.software/hs-fs/hubfs/upgrade-maintain-speed-cicd-security.jpg?width=1400&amp;height=732&amp;name=upgrade-maintain-speed-cicd-security.jpg" alt="upgrade-maintain-speed-cicd-security" width="1400" height="732" style="height: auto; max-width: 100%; width: 1400px;"></p> <p style="font-weight: bold;">Here's what you need to know about the state of CI/CD tools — and why you need to upgrade your tools and approach to deliver secure software at speed.</p> <p>Adversaries have <a href="https://develop.secure.software/blog/nvd-analysis-2022-why-you-need-to-modernize-your-software-security-approach">ramped up their targeting of software supply chains</a> in recent months, inspired by headline-grabbing escapades <a href="https://develop.secure.software/blog/sunburst-the-next-level-of-stealth">like the attacks on SolarWinds</a> and <a href="https://www.msspalert.com/cybersecurity-breaches-and-attacks/kaseya-rmm-cyberattack-warning/">Kaseya</a>. R<span>esearch</span> released earlier this year by the NCC Group said that assaults on software supply chains jumped 51% during the last six months of 2021. <span style="background-color: transparent; color: #1f1f1f; font-size: 18px;">"Despite this," the researchers noted, "many of the organizations that we spoke to planned to invest in new third-party software, hardware and SaaS security products in 2022, which could increase the third-party threat vector for malicious actors."</span></p> <p>The rise in supply chain attacks appears to be setting off alarms at the top of many organizations. In its <a href="https://www.cloudbees.com/newsroom/security-and-compliance-challenges-hinder-innovation-cloudbees-survey-finds">annual C-suite security <span>survey</span> released this month</a>, CloudBees, which owns the <span>open source automation server&nbsp;</span>Jenkins reported that four out of five executives (82%) were either "somewhat more concerned" (40%) or "much more concerned" (42%) about sorties on their supply chains than they were in 2019. What's more, their confidence in the security of their supply chains has also taken a hit, with 88% expressing confidence their supply chains were secure compared to 95% in 2021.</p> <p>Idan Tendler, vice president of DevSecOps at Palo Alto Networks, <a href="https://www.forbes.com/sites/forbestechcouncil/2022/08/23/using-your-pipelines-to-harden-your-pipelines-the-importance-of-cicd-security-for-your-software-supply-chain/?sh=53cbd3b41c36"><span>writing in Forbes</span></a>, said that software supply chains are only as strong as their weakest link, and that continuous integration/continuous delivery (CI/CD) pipelines are the latest attack vectors left vulnerable by unassuming DevOps teams."</p> <blockquote> <p style="font-size: 24px;"><span style="font-style: italic;">"Just one CI/CD misconfiguration can expose sensitive information and can then be used as an entry point for injecting malicious code and leaking sensitive data. Ultimately, this can corrupt the entire CI/CD pipeline and the software supply chain."</span><br><span style="font-style: italic;">—</span><a href="https://twitter.com/idantendler" style="font-style: italic;">Idan Tendler</a></p> </blockquote> <p>Continuous integration/continuous delivery (CI/CD) is about delivering quality software at speed. Modern software supply chain security depends on getting your tools right, and focusing on the end-to-end software development lifecycle. Here's a review of the state of the CI/CD tools — and why you need to upgrade your tools to keep pace with threats.</p> <h2><strong>Focus on the pipeline: Threat modeling and code scanning</strong></h2> <p>The CI/CD pipeline needs to be secured throughout the software development life cycle (SDLC), from the planning, coding, and build phases through the testing, deployment, and monitoring phases.</p> <p>During the planning phase of a project, security can be enhanced by applying threat modeling to the pipeline. Threat modeling can identify potential areas of attack on the pipeline and countermeasures can address those vulnerabilities. It answers questions such as what are my high-value assets, who is likely to attack me, where is my pipeline most vulnerable to threat actors, what threats are most relevant to me, and are there any attack vectors going unnoticed?</p> <p>A useful tool for supply chain threat modeling is <a href="https://slsa.dev/">SLSA (<span></span>Supply Chain Levels Software Artifacts)</a>. SLSA is a checklist of standards and controls designed to prevent tampering and improve the integrity of the pipeline, as well as secure the packages and infrastructure in pipeline projects. Other tools available for threat modeling include Microsoft's Free SDL Threat Modeling Tool, SecuriCad by Forseeti, ThreatModeler, and Irius Risk.</p> <p>During the coding phase, developers write the code that makes up the application in the pipeline. By scanning the code, security code analyzers can detect and report weaknesses that can lead to security vulnerabilities. A <a href="https://www.nist.gov/itl/ssd/software-quality-group/source-code-security-analyzers"><span>list</span></a> compiled by the National Institute of Standards and Technology reveals that there are dozens of these programs in the market to choose from.</p> <p>Daniel Kennedy, research director for information security and networking at 451 Research, explained in <a href="https://www.spglobal.com/marketintelligence/en/documents/devsecops-application-security-tool.pdf"><span>an analysis of application security tools </span></a>that the use of code scanning tools by developers has steadily increased as security responsibilities have shifted left in recent years.</p> <blockquote> <p style="font-size: 24px;"><em>"Information security professionals were, in 2015, the primary users of AST tools. That usage has ceded to developers a little more each year, and has flattened in 2020."<br>—<a href="https://twitter.com/danielkennedy74">Daniel Kennedy</a></em></p> </blockquote> <p>That's a positive development for security pros, he maintained. "The idea that security personnel in the typical enterprise will have time to review every code change or kick off manual scans to produce vulnerability reports for each pull request isn't realistic," he wrote.</p> <p>He noted that in-depth peer reviews among developers on the same team are a rarity that is often context-dependent, highlighting that a security professional coming in who isn't familiar with a code base or project specifics will have even less of a foundation to work from with todays shorter project timelines.</p> <blockquote> <p style="font-size: 24px;"><em>"Giving developers the means to efficiently test for and respond to security vulnerabilities during code construction is the most efficient path to keeping up with newly introduced application security issues."<br>—Daniel Kennedy</em></p> </blockquote> <h2><strong>Build and test: Look to more comprehensive tools</strong></h2> <p>During the build phase, developers commit their code to a shared repository. There, the code is subjected to tests for compliance with previously set requirements. At this point, it's a good idea to analyze the code with Static Application Security Testing (SAST) tools, such as — to name a few — SonarQube, Veracode, Appscan, or Codacy. Because applications use so much third-party code, it's also a good practice to run the build through a Software Composition Analysis (SCA) tool, such as those made by Veracode, Sonatype, or other vendors.</p> <p><span>However, SCA may fall short when it comes to protecting the entire CI/CD pipeline because it's limited to scans of software repositories. An emerging product category—Pipeline Composition Analysis—is designed to identify dependencies across all phases of the SDLC, including </span>application code dependencies, build modules and their dependencies, infrastructure as code dependencies, and more. If an organization understands what dependencies it has and where they reside in the pipeline, it can better identify, prioritize, and remediate any risks they create.</p> <p>Kennedy noted in his application security tool analysis the ability of various kinds of AST to infiltrate different parts of the development process in a more automated way has led to a steady shift away over the last six years. That translated to waiting until the production phase to apply AST and increasingly applying those tools directly after the introduction of code changes.</p> <p>Following the build phase, the software is tested for quality. Bugs are squashed, and if new features are added, regression testing is performed. At this stage, more static code analysis should be performed with tools such as Netsparker and Acunetix, as well as container scans with tools like Datadog, Clair, Anchore, and Qualys.</p> <p>Containers, in particular, have been flagged as a ripe source for software supply chain attacks. One <span>study</span> by Palo Alto Networks, for example, found that almost all third-party containers deployed on public clouds <a href="https://start.paloaltonetworks.com/unit-42-cloud-threat-report-2h-2021.html">have vulnerabilities and misconfigurations that expose organizations to supply chain attacks</a>. It reported that 96% of third-party container applications deployed in the cloud infrastructure had known vulnerabilities and 63% of third-party code templates used in building cloud infrastructure contained insecure configurations.</p> <h2><strong>Deployment and monitoring: Protect privacy and secrets&nbsp;</strong></h2> <p><span style="background-color: transparent;">When software enters the deployment phase, it's important to make sure that privacy is preserved and sensitive data is protected by removing things like passwords, tokens, and secrets from the deployed application. A recent </span><a href="https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/mobile-supply-chain-aws" style="background-color: transparent;">study</a><span style="background-color: transparent;"> of 1,859 mobile applications by Symantec found that more than three-quarters of them (77%) contained valid AWS access tokens allowing access to private AWS cloud services and close to half (47%) contained valid AWS tokens that also gave full access to numerous, often millions, of private files via the Amazon Simple Storage Service (Amazon S3).</span></p> <p>Scott Gerlach, co-founder and <span>CSO</span> at <span>StackHawk</span>, an <span>API</span> security testing provider, told the <a href="https://vmblog.com/archive/2022/09/02/more-than-1-800-android-and-ios-apps-found-leaking-hard-coded-aws-credentials.aspx"><span>vmblog</span></a><span> that DevSecOps was key.</span></p> <blockquote> <p style="font-size: 24px;"><em>"Adding DevSecOps tools, like secret scanning to CI/CD, can help ferret out these types of secrets when building software. And it's critical that you understand how to manage and securely provision AWS and other API keys/tokens to prevent unwarranted access."<br>—<a href="https://www.linkedin.com/in/scott-gerlach-kaakaww/">Scott Gerlach</a></em></p> </blockquote> <p>During deployment, secrets need to be moved from repository and configuration files to digital vaults. In more advanced deployments, config files can be dynamically generated and routine processes set in motion to detect and mitigate the presence of any unprotected secrets in the environment.</p> <p>One way to prevent secrets from being hard-coded into an application's code base in the first place is to integrate secrets scanning into the workflow of developers through pre-commit and merge request scanning.</p> <p>The growing adoption of containers has heightened the need for more security controls around their use. "Increasingly, threat actors have begun targeting container environments with DDoS attacks, exploits targeting kernel and container orchestration technologies and other attacks, putting enterprise cloud applications and assets at risk," <a href="https://develop.secure.software/blog/state-of-container-security-release-confidently">wrote Jai Vijayan in a recent report for this blog</a>.<br><br>With attacks today going beyond vulnerabilities alone — and including malware payloads, software signing, and secrets — it's important to <a href="https://develop.secure.software/blog/7-best-practices-for-securing-containers">think holistically about container security</a> and the best practices for securing them.</p> <h2 style="font-weight: bold;">Software security: Only as secure as your weakest link</h2> <p><span>An organization's software supply chain is only as secure as its weakest link. That's why security needs to reach <a href="https://develop.secure.software/6-reasons-software-security-teams-need-to-go-beyond-vulnerability-response">beyond finding vulnerabilities in applications</a>, and into the CI/CD pipeline and throughout the software development lifecycle, from planning, coding and building software through to its testing, deployment, and monitoring.</span></p> <img src="https://track.hubspot.com/__ptq.gif?a=3375217&amp;k=14&amp;r=https%3A%2F%2Fdevelop.secure.software%2Fcicd-security-upgrade-your-software-supply-chain-security-tools&amp;bu=https%253A%252F%252Fdevelop.secure.software&amp;bvt=rss" alt="" width="1" height="1" style="min-height:1px!important;width:1px!important;border-width:0!important;margin-top:0!important;margin-bottom:0!important;margin-right:0!important;margin-left:0!important;padding-top:0!important;padding-bottom:0!important;padding-right:0!important;padding-left:0!important; "> Software Supply Chain Security CI/CD Security Wed, 26 Oct 2022 13:53:42 GMT jpmellojr@gmail.com (John P. Mello Jr.) https://develop.secure.software/cicd-security-upgrade-your-software-supply-chain-security-tools 2022-10-26T13:53:42Z SBOMs are critical to software supply chain security — but only the first step in your journey https://develop.secure.software/sbom-critical-but-first-step-software-supply-chain-security <div class="hs-featured-image-wrapper"> <a href="https://develop.secure.software/sbom-critical-but-first-step-software-supply-chain-security" title="" class="hs-featured-image-link"> <img src="https://develop.secure.software/hubfs/sbom-first-step.jpg" alt="SBOMs are critical to software supply chain security — but only the first step in your journey" class="hs-featured-image" style="width:auto !important; max-width:50%; float:left; margin:0 15px 15px 0;"> </a> </div> <p><img src="https://develop.secure.software/hs-fs/hubfs/sbom-first-step.jpg?width=1400&amp;height=732&amp;name=sbom-first-step.jpg" alt="sbom-first-step" width="1400" height="732" style="height: auto; max-width: 100%; width: 1400px;"><span style="background-color: transparent;"></span></p> <p style="font-weight: bold;"><span style="background-color: transparent;">SBOMs are key, but they are only the first step in your software supply chain security journey. Here's what you need to focus on for a comprehensive approach to security across the entire software development pipeline.</span></p> <p>Increased use of third-party code and the risks it poses to software supply chains has fueled interest in software bills of materials (SBOM). In addition, the federal government has <a href="https://develop.secure.software/blog/the-supply-chain-security-guide-roadmap-for-a-post-solarwinds-world">made software supply chain security a priority following the SolarWinds attack</a>.</p> <p>An SBOM can inform a user about the third-party components in the software they're using and make it easier to find and mitigate vulnerabilities after they're discovered. However, organizations need to recognize that SBOMs alone cannot adequately protect their software supply chains.</p> <p>Henry Young, policy director for the BSA, an international software advocacy group, maintained in a <a href="https://techpost.bsa.org/2022/08/31/sboms-considerable-progress-but-not-yet-ready-for-codification/"><span>posting</span></a> at the organization's website that an SBOM will not address most of the daily cyber risks confronting an organization. For example, he pointed out an SBOM will have limited value in making procurement decisions for a number of reasons. Chief among them is that vendors will be updating SBOMs so frequently, that the user's SBOM will likely be out of date by the time a procurement decision is made.</p> <p>However, Young said that an SBOM will significantly improve an organization’s response to and recovery from a cyber incident by expediting an organization’s determination about whether it is using software with a known vulnerability, and if that vulnerability is exploitable.</p> <p><span>Gartner Analyst Mark Driver recently <a href="https://develop.secure.software/blog/gartner-explains-why-sboms-are-critical-to-software-supply-chain-security-management">wrote in an Emerging Tech report on SBOMs</a>:</span></p> <blockquote> <p style="font-size: 24px;"><em>"SBOMs are not a panacea. They are only as useful as the processes and tools implemented to process, analyze, and leverage the information they contain."&nbsp;<br>—<a href="https://twitter.com/marksdriver"><span>Mark Driver</span></a></em></p> </blockquote> <p><span style="background-color: transparent;">In the report, which noted that demand for SBOMs would increase from 5% today to 60% in 2025, Drive wrote that a</span><span style="background-color: transparent;">dditional tools and techniques, such as software composition analysis and code signing, were also "necessary elements of a complete software supply chain management effort."</span></p> <p>Here's what you need to know about SBOMs—and the required next steps for your software supply chain journey.</p> <p><span style="font-weight: bold;">[&nbsp;</span><a href="https://register.reversinglabs.com/free-sbom" style="font-weight: bold;">Get a free SBOM and supply chain risk analysis report</a><span style="font-weight: bold;"> ]</span></p> <h2><strong>Binary analysis allows deeper visibility</strong></h2> <p>While the inventory of software components an SBOM can provide an organization is an essential part of software supply chain security, more will need to be done to validate those components.</p> <p><a href="https://www.linkedin.com/in/richard-hill-6b52362/" style="font-style: normal;">Richard Hill</a>, director of IAM Research at the analyst firm KuppingerCole, <a href="https://www.kuppingercole.com/blog/hill/sbom-a-first-step-in-software-supply-chain-security-sscs"><span>recommends</span></a> ensuring source code integrity by putting security into place on the source control management system and on associated software repositories.</p> <p>Software code and other artifacts need to be scanned for vulnerabilities, he continued. To guard against tampering, build integrity processes need to verify the provenance of build artifacts and check code to see if it has been signed and validated. Container artifacts, such as Docker images, also <a href="https://develop.secure.software/blog/7-best-practices-for-securing-containers">need to be scrutinized for vulnerabilities and compliance issues</a>. Other types of scans, such as API scans, should occur in the CI/CD pipeline, he added.</p> <p>In addition to obtaining SBOMs for software that they use, the Enduring Security Framework working group provided <a href="https://media.defense.gov/2022/Sep/01/2003068942/-1/-1/0/ESF_SECURING_THE_SOFTWARE_SUPPLY_CHAIN_DEVELOPERS.PDF"><span>recent comprehensive guidance</span></a> to software teams, recommending that organizations perform binary and software composition analysis (SCA) scans. Third-party software, sometimes delivered in binary format, is like a black box for the engineer or the organization who is integrating it, the panel explained. The software may not be actively maintained and may have security weaknesses or vulnerabilities.</p> <p>Binary scanning and software composition analysis (SCA) tools can often detect unknown files and the open source components contained in binary packages, identifying the security weaknesses associated with these components without the need for source code, the panel explained.</p> <p>Those activities are highly recommended to verify the integrity of the third-party software, it added. What's more, it continued, the output can be compared with the SBOM, or the source codes provided by the third party, to verify the vendor's SBOM.</p> <h2><strong>Build out from SBOMs to assess risk</strong></h2> <p>An SBOM can give an organization an <a href="https://develop.secure.software/blog/sbom-facts-know-whats-in-software-fend-off-supply-chain-attacks">understanding of the composition of a product</a>, but for a deeper understanding of the risks posed by it, other technologies are needed, such as context-based analysis and <span>Vulnerability </span><span>Exploitability</span><span> eXchange (VEX) reports. Those technologies allow an organization to assess the exploitability of a vulnerability.</span></p> <p>Context-based analysis identifies and prioritizes vulnerabilities in digital systems. It goes far beyond analyzing just software components, accounting for hardware architecture, OS configurations, encryption mechanisms, keys, hardening mechanisms, control flow, and APIs in its assessment of a vulnerability's impact on a system.</p> <p>SBOMs inform an organization about the ingredients in a software package, while context analysis adds meaning to the process. It allows an organization to get a more accurate picture of the risk it faces so it doesn't waste time tackling non-issues and so it can spend more time on issues that matter.</p> <p>VEX reports can complement an SBOM. They allow a software supplier or other preparers to present their assessment of vulnerabilities they've found in a product. It, too, seeks to separate non-threatening flaws from those that need priority attention.</p> <p>A VEX report doesn't provide the kind of in-depth information produced by context-based analysis, but when used in conjunction with an SBOM, it can give an organization a better view of the true exploitability of the vulnerabilities it finds and help streamline the remediation process.<span>&nbsp;</span></p> <h2><strong>Community participation is key for supply chain security</strong></h2> <p>Software these days not only leans on third-party dependencies, but it also depends on the cloud. That's why organizations may also want to look beyond SBOMs to "SaaSBOMs".</p> <p>Walter H. Haydock, <span>a non-resident fellow</span> at the <span>Center for Security and Emerging Technology and an author <span style="font-style: italic;">Deploy Securely</span>, </span>and Chris Hughes, co-founder and CISO at <span>Aquia</span>, <a href="https://www.csoonline.com/article/3632149/the-case-for-a-saas-bill-of-material.html" style="font-style: normal;">wrote in an article on CSO Online</a> that with near ubiquitous moved to Software as a Service<span style="background-color: transparent;"> (SaaS), the ambiguity with what's in an SBOM at one point in time to the next "presents a hurdle toward the effective use of SBOMs as a risk management tool."</span></p> <blockquote> <p style="font-size: 24px;"><em>"In addition to a lack of answers as to what consumers will do with SBOMs once they receive them, it is even less clear as to how to develop them for vendor-managed deployment models such as software as a service (SaaS)."&nbsp;</em><br><em>—<a href="https://www.linkedin.com/in/walter-haydock/">Walter H. Haydock</a> and <a href="https://www.linkedin.com/in/resilientcyber/">Chris Hughes</a></em></p> </blockquote> <p>Such an expansion of the SBOM concept will include information on a cloud service provider's infrastructure-as-a-service or platform-as-a-service on which an organization's software runs. Building a SaaSBOM also requires taking an inventory of APIs. That can give an organization a leg up on future SBOMs, since such an inventory may eventually be added to the minimum requirements for a standard SBOM.</p> <p>While an SBOM is valuable for giving an organization a view into the third-party dependencies used by its software, it can gain even more visibility by participating in the open source projects maintaining those dependencies. "You should actively contribute to the projects that are key to the success of your applications and business. You'll know exactly what is used and what <span>isn’t</span>, down to the level of single functions deep down in the pile of open-source projects you depend on," advised <span>Henrik Plate, a security researcher at </span>Endor Labs, a dependency management company.</p> <p><span>Ed Moyle, a member of the ISACA Emerging Trends Working Group and systems and software security director at Drake Software, said it was important to understand what open source projects you're dependent on, and the relative health of those projects. "In cases where the health of a project is slipping, consider helping out. A lot of open source projects are starved for resources—if you're a commercial entity and you are dependent on a given project, consider ways to support the community and keep it healthy."</span></p> <blockquote> <p><em><span style="font-size: 24px;">"People sometimes think of open source as a one-way value diode where they suck value out and don't contribute back. But really, it's a community. Be part of that community and you can actively help keep those projects healthy. The stronger and healthier the community is, the more likely they are to be able to respond quickly, to apply resources to code audits and vetting."<br>—<a href="https://www.linkedin.com/in/edmoyle/">Ed Moyle</a></span></em></p> </blockquote> <h2 style="font-weight: bold;">An end-to-end software security approach is critical</h2> <p>Hill <span style="background-color: transparent;">emphasizes in his report that a comprehensive security approach demands an end-to-end focus on software's development, engineering, release and full lifecycle.&nbsp;</span></p> <blockquote> <p style="font-size: 24px;"><span style="font-style: italic;">"[When] securing the software supply chain, the journey starts at the security and privacy by design-phase when creating the software system architecture and coding of the design begins, and continues throughout software deployment and lifecycle."</span><br><span style="font-style: italic;">—</span><a href="https://www.linkedin.com/in/richard-hill-6b52362/" style="font-style: italic;">Richard Hill</a></p> </blockquote> <img src="https://track.hubspot.com/__ptq.gif?a=3375217&amp;k=14&amp;r=https%3A%2F%2Fdevelop.secure.software%2Fsbom-critical-but-first-step-software-supply-chain-security&amp;bu=https%253A%252F%252Fdevelop.secure.software&amp;bvt=rss" alt="" width="1" height="1" style="min-height:1px!important;width:1px!important;border-width:0!important;margin-top:0!important;margin-bottom:0!important;margin-right:0!important;margin-left:0!important;padding-top:0!important;padding-bottom:0!important;padding-right:0!important;padding-left:0!important; "> Software Supply Chain Security Software Bill of Materials (SBOM) Mon, 24 Oct 2022 23:30:44 GMT jpmellojr@gmail.com (John P. Mello Jr.) https://develop.secure.software/sbom-critical-but-first-step-software-supply-chain-security 2022-10-24T23:30:44Z Devs: Don’t rely on GitHub Copilot — legal risk gets real https://develop.secure.software/devs-dont-rely-on-github-copilot-legal-risk-is-rea <div class="hs-featured-image-wrapper"> <a href="https://develop.secure.software/devs-dont-rely-on-github-copilot-legal-risk-is-rea" title="" class="hs-featured-image-link"> <img src="https://develop.secure.software/hubfs/copilot-risk--midland-airport--cc-by-nd.png" alt="Devs: Don’t rely on GitHub Copilot — legal risk is real" class="hs-featured-image" style="width:auto !important; max-width:50%; float:left; margin:0 15px 15px 0;"> </a> </div> <p><strong></strong></p> <p><strong><img src="https://develop.secure.software/hs-fs/hubfs/copilot-risk--midland-airport--cc-by-nd.png?width=1400&amp;height=732&amp;name=copilot-risk--midland-airport--cc-by-nd.png" alt="copilot-risk--midland-airport--cc-by-nd" width="1400" height="732" style="height: auto; max-width: 100%; width: 1400px;"></strong></p> <p><strong>GitHub’s Copilot ML code-completion engine</strong><span>&nbsp;</span>is violating copyright wholesale. So say several high-profile open source advocates.</p> <p><strong>It was predictable, really:</strong><span>&nbsp;</span>Microsoft should have seen this coming. It’s ludicrous to blame license violation on the poor, stressed dev trusting GitHub.</p> <p><strong>The lesson for devs?</strong>&nbsp;Be extremely careful about the code fragments you import. In this week’s<span>&nbsp;</span><a href="https://blog.reversinglabs.com/blog/tag/secure-software-blogwatch">Secure Software&nbsp;Blogwatch</a>, we go around.</p> <p><a title="Richi Jennings" href="https://www.richi.uk/">Your humble blogwatcher</a>&nbsp;curated these bloggy bits for your entertainment. Not to mention:&nbsp;<i>Jet powered coffin</i>.<br>&nbsp;</p> <h2 style="font-weight: bold;">Shut up and think of the deadline</h2> <p><strong>What’s the craic?</strong><span>&nbsp;</span>Tim Anderson reports&nbsp;—&nbsp;“<a title="read the full text" href="https://devclass.com/2022/10/17/github-copilot-under-fire-as-dev-claims-it-emits-large-chunks-of-my-copyrighted-code/">GitHub Copilot under fire</a>”:</p> <blockquote> <em><strong>“Wrongful use of copyright code”</strong><br>Developer Tim Davis, a professor of Computer Science and Engineering at Texas A&amp;M University, has claimed … that GitHub Copilot, an AI-based programming assistant, “emits large chunks of my copyrighted code, with no attribution, no LGPL license.” … The code Davis posted does seem very close.<br>…<br>One of the concerns in the open source community is that if chunks of open source code are regurgitated wholesale, without specifying any license, then it is breaking the purpose of the license. Another concern is that developers may inadvertently combine code with incompatible licenses into one project.<br>…<br>Part of the problem is that open source code, by design, is likely to appear in multiple projects by different people, so it will end up multiple times on GitHub and among multiple users of Copilot. With or without Copilot, developers can make wrongful use of copyright code.</em> </blockquote> <p><strong>Horse’s mouth?</strong><span>&nbsp;</span>Tim Davis&nbsp;—&nbsp;<a title="read the full text" href="https://twitter.com/DocSparse/with_replies">@DocSparse</a><span>&nbsp;</span>— has more:</p> <blockquote> <em><strong>“I’m passionately committed to open source”</strong><br>For example, the simple prompt "sparse matrix transpose, cs_" produces my cs_transpose in CSparse. … Same variable names, helper functions, comments. … Not OK. [And] there's no way to opt out of GitHub's use of my code by Copilot.<br>…<br>Somehow it knows how to complete the comment /* sparse matrix transpose in the style of Tim Davis*/ and then return … my LGPL code verbatim, with no license stated and no copyright. … So why not also keep the copyright and license intact? … I plan on asking GitHub to emit my copyright and license when it emits my code. … They're smart people — they can figure it out. … Also, academia rewards citations and use of work. If my name is stripped then I lose that way too.<br>…<br>My sparse C=A*B is faster than the one [previously] in MATLAB … and the Intel MKL sparse library.<span>&nbsp;</span><strong>Why would I bother</strong><span>&nbsp;</span>to take the time (years) to write such code if I can't benefit from copyright protection? … It is all humanity-advancing open source code. … I'm passionately committed to open source code. Redis uses my code. … The Julia language, scipy, R, every linux distro. The code can be found in many drones, robots … inside every Occulus / Meta headset [and] Google StreetView.</em> </blockquote> <p><strong>It’s not only Davis.</strong><span>&nbsp;</span>Kip Kniskern knows&nbsp;—&nbsp;“<a title="read the full text" href="https://www.onmsft.com/news/github-copilot-apparently-violating-open-source-licensing-says-programmers">Copilot apparently violating open source licensing</a>”:</p> <blockquote> <em><strong>“Microsoft has been vague”</strong><br>Writer, lawyer, and programmer Matthew Butterick has some issues with Microsoft's machine-learning based code assistant, GitHub Copilot, and the way it is apparently mishandling open-source licenses. … It's the way the AI is trained, or more precisely from where it's trained, that is becoming a problem for developers like Butterick..<br>…<br>The problem here is that these public repos that GitHub is trained on are licensed, and<span>&nbsp;</span><strong>require attribution</strong>. … Microsoft has been vague about its use of the code, calling it fair use. But … for programmers like Butterick, who contribute open source code out of a sense of community, stripping any attribution away from their work is a problem.</em> </blockquote> <p><strong>Giddyup.</strong><span>&nbsp;</span>Matthew Butterick asks, “<a title="read the full text" href="https://githubcopilotinvestigation.com/">How will you feel if Copi­lot erases your open-source com­mu­nity?</a>”:</p> <blockquote> <em><strong>“It is a parasite”</strong><br>I’ve been pro­fes­sion­ally involved with open-source soft­ware since 1998, includ­ing two years at Red Hat. … In June 2022, I wrote about the legal prob­lems with GitHub Copi­lot, in par­tic­u­lar its mis­han­dling of open-source licenses.<br>…<br>I’m cur­rently work­ing with the Joseph Saveri Law Firm to inves­ti­gate a poten­tial law­suit against GitHub Copi­lot … for vio­lat­ing its legal duties to open-source authors and end users. … Once you accept a Copi­lot sug­ges­tion, all that becomes your prob­lem. [But] how can Copi­lot users com­ply with the license if they<span>&nbsp;</span><strong>don’t even know it exists?</strong><span>&nbsp;</span>… To be fair, Microsoft doesn’t really dis­pute this. They just bury it in the fine print.<br>…<br>Obvi­ously, open-source devel­op­ers … don’t do it for the money. … But we don’t do it for noth­ing, either. A big ben­e­fit of releas­ing open-source soft­ware is the peo­ple: the com­mu­nity of users, testers, and con­trib­u­tors that coa­lesces around our work. Our com­mu­ni­ties help us make our soft­ware bet­ter in ways we couldn’t on our own.<br>…<br>Copi­lot is … poi­so­nous to open source. … It is a par­a­site.</em> </blockquote> <p><strong>If I use Copilot, what’s the risk?</strong><span>&nbsp;</span><a title="read the full text" href="https://forums.theregister.com/forum/all/2022/10/19/github_copilot_copyright/#c_4551252">entfe001</a><span>&nbsp;</span>explains:</p> <blockquote> <em>Closed source licenses will use copyright law to make sure you can't share, modify or reuse their code. Open source licenses will use copyright law to make sure you<span>&nbsp;</span><strong>can</strong><span>&nbsp;</span>share, modify or reuse their code—on their conditions.<br><br>Where this **** AI falls foul is that they might share, modify and reuse third party code without granting whatever rights or obligations the original license "gave" to the training set. For starters, most … open source licenses require that a copy of the license itself to be given along with the source code, no matter if the whole work or just a part.<br>…<br>For MIT-like licenses, not retaining authorship notices is a copyright license violation. For GPL-like it is even worse, as none of the GPL granted rights would be passed upon downstream, which is by itself a violation.</em> </blockquote> <p><strong>It gets worse:</strong><span>&nbsp;</span>Copilot is spitting out<span>&nbsp;</span><i>closed source</i><span>&nbsp;</span>code, too. So says<span>&nbsp;</span><a title="read the full text" href="https://news.ycombinator.com/item?id=33231127">esskay</a>:</p> <blockquote> <em>I had something similar happen … a couple of days ago. I'm on friendly terms with a competing codebase's developer and have confirmed the following with them (both mine and it are closed source and hosted on GitHub).<br><br>Halfway through building something I was given a block of code by Copilot, which contained a copyright line with my competitors name, company number and email address. Those details have never, ever been published in a public repository. How did that happen?</em> </blockquote> <p><strong>It’s a legal compliance nightmare.</strong><span>&nbsp;</span>Here’s<span>&nbsp;</span><a title="read the full text" href="https://www.reddit.com/r/programming/comments/y6pl1t/comment/isqqdrw/">u/Untgradd</a>:</p> <blockquote> <em>I do open source compliance activities for a software product, so I’m intimately aware of … the kind of licensing requirements typically found in open source software. This service seems to be actively causing a compliance nightmare.<br>…<br>Given my understanding, say some … dev autocompletes their way through a particularly productive sprint and you inadvertently release code containing copyleft code. [Now] you’re legally obligated to release your source code. … I could imagine a scenario where some clever folks effectively grep for well known copyleft snippets as a means of targeting closed source … software.</em> </blockquote> <p><strong>But surely Microsoft has a point?</strong><span>&nbsp;</span>It’s all out there in public, so it’s fair use&nbsp;—&nbsp;right?<span>&nbsp;</span><a title="read the full text" href="https://forums.theregister.com/forum/all/2022/10/19/github_copilot_copyright/#c_4551248">b0llchit</a><span>&nbsp;</span>thinks a thought experiment:</p> <blockquote> <em>By that standard you can take all what is written about books and use the description's content text to train a ML system. Then when you use the system and it writes, "Henry Flotter and the magical wanderer's gem," we'll see how long the fair use defence will stand.</em> </blockquote> <p><strong>Meanwhile, what can be done about it?</strong><span>&nbsp;</span>Jed Brown&nbsp;—&nbsp;<a title="read the full text" href="https://twitter.com/five9a2/status/1581652647324811265">@five9a2</a>&nbsp;—&nbsp;has this suggestion for Microsoft:</p> <blockquote> <em>Replace with a Clippy: “It looks like you’re trying to implement a sparse matrix library. Have you considered calling a high quality library such as … ?”</em> </blockquote> <h2 style="font-weight: bold;">And Finally:</h2> <p><strong><a title="And Finally" href="https://www.youtube.com/watch?v=5XsXXfc5DXI&amp;list=PL9zSC5i495YMjIuJjxToNGU8Ve7Gd5Rvj">“Crazy” Bob cuts out the middleman</a></strong></p> <div class="hs-embed-wrapper" style="position: relative; overflow: hidden; width: 100%; height: auto; padding: 0px; max-width: 560px; min-width: 256px; display: block; margin: auto;"> <div class="hs-embed-content-wrapper"> <div style="position: relative; overflow: hidden; max-width: 100%; padding-bottom: 56.25%; margin: 0px;"> <iframe style="position: absolute; top: 0px; left: 0px; width: 100%; height: 100%; border: none;" src="https://www.youtube.com/embed/5XsXXfc5DXI" width="560" height="315" frameborder="0" allowfullscreen></iframe> </div> </div> </div> <p>&nbsp;</p> <p><a href="https://www.youtube.com/playlist?list=PL9zSC5i495YMjIuJjxToNGU8Ve7Gd5Rvj" style="font-style: italic;">Previously in&nbsp;And finally</a></p> <p>&nbsp;</p> <h2 style="font-size: 24px; font-weight: bold;">Keep learning</h2> <ul> <li><a href="https://develop.secure.software/blog/tag/dev-devsecops" style="font-weight: bold;">Learn more about Dev &amp; DevSecOps</a></li> <li><a href="https://develop.secure.software/blog/the-sbom-is-evolving-4-key-trends-boost-software-supply-chain-security"><strong>Get up to speed on the SBOM's evolution</strong></a></li> <li><a href="https://develop.secure.software/blog/nvd-analysis-2022-why-you-need-to-modernize-your-software-security-approach" style="font-weight: bold;">Find out why the NVD needs to evolve to include software supply chain threatss</a></li> <li><a href="https://develop.secure.software/blog/survey-finds-software-supply-chain-security-top-of-mind-for-dev-teams" style="font-weight: bold;">See survey report: Tampering top of mind for dev — but detection lags</a></li> </ul> <p><em>You have been reading <i>Secure Software&nbsp;Blogwatch</i>&nbsp;by&nbsp;<a href="https://www.richi.uk/">Richi&nbsp;Jennings</a>. Richi curates the best bloggy bits, finest forums, and weirdest websites … so you don’t have to. Hate mail may be directed to&nbsp;<a href="https://twitter.com/richi">@RiCHi</a>&nbsp;or&nbsp;<a href="mailto:ssbw@richi.co.uk?subject=-sbbw-">ssbw@richi.uk</a>. Ask your doctor before reading. Your mileage may vary. Past performance is no guarantee of future results. Do not stare into laser with remaining eye. E&amp;OE. 30.</em></p> <p><small><i>Image sauce:<span>&nbsp;</span><a href="https://www.flickr.com/photos/80293774@N06/13670482064">Midland International Airport</a><span>&nbsp;</span>(<a title="Some rights reserved" href="https://creativecommons.org/licenses/by-nd/2.0/">cc:by-nd</a>; leveled and cropped)</i></small></p> <img src="https://track.hubspot.com/__ptq.gif?a=3375217&amp;k=14&amp;r=https%3A%2F%2Fdevelop.secure.software%2Fdevs-dont-rely-on-github-copilot-legal-risk-is-rea&amp;bu=https%253A%252F%252Fdevelop.secure.software&amp;bvt=rss" alt="" width="1" height="1" style="min-height:1px!important;width:1px!important;border-width:0!important;margin-top:0!important;margin-bottom:0!important;margin-right:0!important;margin-left:0!important;padding-top:0!important;padding-bottom:0!important;padding-right:0!important;padding-left:0!important; "> Dev & DevSecOps Wed, 19 Oct 2022 16:56:43 GMT richi.jennings@richi.co.uk (Richi Jennings) https://develop.secure.software/devs-dont-rely-on-github-copilot-legal-risk-is-rea 2022-10-19T16:56:43Z A software bill of materials (SBOM): What it is — and why it matters for software supply chain security https://develop.secure.software/sbom-what-it-is-and-why-it-matters-software-supply-chain-security <div class="hs-featured-image-wrapper"> <a href="https://develop.secure.software/sbom-what-it-is-and-why-it-matters-software-supply-chain-security" title="" class="hs-featured-image-link"> <img src="https://develop.secure.software/hubfs/sbom-what-it-is-and-why-it-matters.jpg" alt="A software bill of materials (SBOM): What it is — and why it matters for software supply chain security" class="hs-featured-image" style="width:auto !important; max-width:50%; float:left; margin:0 15px 15px 0;"> </a> </div> <p style="text-align: left;"><span style="background-color: transparent; font-weight: bold;">SBOMs are essential to tackling software supply chain security. Here's what you need to know, so that you can put them to work in your organization.</span></p> <p style="text-align: left;"><img src="https://develop.secure.software/hs-fs/hubfs/sbom-what-it-is-and-why-it-matters.jpg?width=1400&amp;height=732&amp;name=sbom-what-it-is-and-why-it-matters.jpg" alt="sbom-what-it-is-and-why-it-matters" width="1400" height="732" style="height: auto; max-width: 100%; width: 1400px;"><span style="background-color: transparent; font-weight: bold;"></span></p> <p style="text-align: left;"><span style="background-color: transparent; font-weight: bold;">SBOMs are essential to tackling software supply chain security. Here's what you need to know, so that you can put them to work in your organization.</span></p> <p style="text-align: left;">Software Bills of Materials (SBOMs) have become a <a href="https://develop.secure.software/blog/industry-and-government-agree-sboms-are-a-no-brainer">key tool for mitigating threats to the software supply chain</a>, by revealing <a href="https://develop.secure.software/blog/sbom-facts-know-whats-in-software-fend-off-supply-chain-attacks">a sort for nutrition label for your software</a>. And it's important to note that SBOMs are also <a href="https://develop.secure.software/blog/packagist-php-repo-supply-chain-threat-what-you-need-to-know">not the&nbsp;</a><a href="https://develop.secure.software/blog/packagist-php-repo-supply-chain-threat-what-you-need-to-know">end game for software security assurance</a>, but an essential first step nonetheless.</p> <p>But, first, you need to understand what exactly comprises an SBOM — and how they are helpful to securing your software supply chain. Here's what you need to know.</p> <p><span style="background-color: transparent;"><span style="font-size: 20px;"><a href="https://register.reversinglabs.com/free-sbom" style="font-weight: bold;"><span style="color: #ff0201;"><span style="color: #000000;">[</span> Get a free SBOM and supply chain risk analysis report<span style="color: #000000;"> ]</span></span></a></span></span></p> <h2 style="font-weight: bold;">Software supply chain risk's rise coincides with modern software practices</h2> <p>Risks to the software supply chain have never been greater. The consequences of software supply chain attacks were made well-known thanks to the SolarWinds compromise of December 2020. Since the SolarWinds attack, countless other <a href="https://blog.reversinglabs.com/blog/iconburst-npm-software-supply-chain-attack-grabs-data-from-apps-websites">attacks</a> and <a href="https://www.reversinglabs.com/conversinglabs/episode-05">proof-of-concepts</a> have arisen stemming from several vulnerable risks. These risks, such as open source software, software tampering, malicious binaries, and insider developer threats have become a necessity to manage.&nbsp;</p> <p>These risks have continued to arise because both software development teams and those running the software in their organizations have not been made fully aware of the components within their software products. This is why adding visibility of open source, third-party, and internally developed software components — all on the rise given the fast paced nature of modern software development practices, as well as the methods of developing software using a pipeline of tools — is essential in combating such risks.</p> <p>Any organization that either produces or consumes software needs to make, use, and continually update software bills of materials (SBOMs) for any software product.</p> <h2 style="font-weight: bold;">What's in an SBOM: Let’s break it down</h2> <p>Simply put, an SBOM is “a formal record containing the details and supply chain relationships of various components used in building software,” according to the <a href="https://www.ntia.gov/SBOM">National Telecommunications and Information Administration (NTIA)</a>. The Cybersecurity and Infrastructure Security Agency (CISA) also <a href="https://www.cisa.gov/sbom">characterizes it</a> as a key building block in software security and software supply chain risk management. Most SBOMs<a href="https://blog.reversinglabs.com/blog/sbom-facts-know-whats-in-software-fend-off-supply-chain-attacks"> include these key elements</a>: component name, publisher name, component version, file name, software license, and dependencies.&nbsp;</p> <p>SBOMs are often <a href="https://blog.reversinglabs.com/blog/sbom-facts-know-whats-in-software-fend-off-supply-chain-attacks">compared to the infamous black and white nutrition label</a> most Americans are used to, in which all of the food items’ ingredients and daily value percentages are listed. SBOMs serve a similar purpose in that they list a software product’s key “ingredients,” such as third-party software, open source software, statically linked packages, and internally developed software. Also similar to a nutrition label, an SBOM will flag the severity of a software product’s components, as well as the origin and authenticity of the components.&nbsp;</p> <p>However, it is important to highlight that not all SBOMs are created equal. There are ways in which an organization can <a href="https://www.reversinglabs.com/sboms-securing-software-supply-chains">modernize SBOMs</a> to make them the most effective in minimizing software bloat and in defending against software supply chain risks, including attacks on software repositories.</p> <p>The consequences of open source software reliance are already evident to the software industry. In ReversingLabs <a href="https://develop.secure.software/blog/nvd-analysis-2022-why-you-need-to-modernize-your-software-security-approach">recent analysis of the National Vulnerability Database</a> (NVD), it was found that attacks on open source repositories, specifically PyPI and npm, have skyrocketed by 289% in the past 4 years.&nbsp;</p> <p>This is why a good SBOM needs to give a clear view of every layer and dependency in the software development lifecycle (SDLC). An SBOM that does not expose every layer will “<a href="https://blog.reversinglabs.com/blog/not-all-sboms-are-the-same-choose-wisely">leave you with a risk that could have been avoided</a>."</p> <p>In addition to the risks associated with open source software use, threat actors are pursuing other malicious actions such as injecting malware into code, exposing secrets, and tampering with software packages. Attackers can also target the tools that software developers rely on, such as <a href="https://develop.secure.software/state-of-container-security-release-confidently">containers</a>. A high quality SBOM can be a great starting point for organizations hoping to mitigate all of these software supply chain risks.&nbsp;</p> <p>An effective SBOM is also based on when it was built. For example, if an SBOM was created during the final build of a software product, it will not list crucial components during the binary and packaging stages of the SDLC. Instead, it’s recommended that SBOMs represent “<a href="https://blog.reversinglabs.com/blog/not-all-sboms-are-the-same-choose-wisely">software as delivered</a>,” which takes into account components found throughout the SDLC.&nbsp;</p> <p>Finally, an SBOM requires automation to be successful. This means having automated binary analysis of every component, which gives an organization insight into the risks associated with a software product’s key ingredients. Automation is also essential due to the constantly changing threat landscape, which means <a href="https://blog.reversinglabs.com/blog/the-sbom-is-evolving-4-key-trends-boost-software-supply-chain-security">SBOMs need to be updated in real-time</a> with the industry’s latest knowledge on new vulnerabilities and malicious packages.&nbsp;</p> <p>It's also worth noting how the minimum elements required for making a good SBOM will change in the future as the industry learns more about software supply chain risk. This is evident in how <a href="https://develop.secure.software/blog/the-sbom-is-evolving-4-key-trends-boost-software-supply-chain-security">SBOMs have already evolved</a> within the past few years.</p> <h2 style="font-weight: bold;">The federal government's big SBOM push</h2> <p>SBOMs have become more widely known and used, in part due to the U.S. federal government sharing guidance that highlights their use as helpful in defending the software supply chain.&nbsp;</p> <p>The Biden Administration’s May 2021 <a href="https://www.whitehouse.gov/briefing-room/presidential-actions/2021/05/12/executive-order-on-improving-the-nations-cybersecurity/">Executive Order 14028 on Improving the Nation’s Cybersecurity</a> was a key government action that mentioned the use of SBOMs as being integral to securing software, while also acknowledging the software supply chain is at risk.&nbsp;</p> <p>Not long after the Executive Order, the Department of Commerce and the NTIA released “The Minimum Elements For a Software Bill of Materials” <a href="https://www.ntia.doc.gov/files/ntia/publications/sbom_minimum_elements_report.pdf">report (PDF)</a>, which “defines the scope of how to think about minimum elements, why an SBOM can help lower risks, and lays out options for future evolution.” Subsequently, the National Institute for Standards and Technology (NIST) published their first version of the <a href="https://csrc.nist.gov/Projects/ssdf">Secure Software Development Framework</a> in February 2022, which lists action steps federal agencies need to take to secure their software use, such as using SBOMs.&nbsp;</p> <p>Additional federal guidance has suggested the use of SBOMs, specifically in the Enduring Security Framework working panel's <a href="https://develop.secure.software/blog/the-supply-chain-security-guide-roadmap-for-a-post-solarwinds-world">report on "Securing the Software Supply Chain."</a> The report acts as a practical guide for software developer teams looking to secure their development processes.&nbsp;</p> <p>Taking it a step further, the Office of Management and Budget recently shared a <a href="https://develop.secure.software/blog/white-house-memo-lays-down-the-law-on-software-supply-chain-security">memorandum</a>, as a follow-up to Executive Order 14028, that mandates all federal agencies to only use third-party software products that can attest to having an adequate level of security. The memorandum also gives agencies the authority to request an SBOM from a third-party software supplier in order to achieve comprehensive attestation.&nbsp;</p> <h2 style="font-weight: bold;">But will the software industry get on board?</h2> <p>While SBOM adoption and awareness has increased within the past few years, there is still a lot of growth needed in this area. For example, in a <a href="https://blog.reversinglabs.com/blog/survey-finds-software-supply-chain-security-top-of-mind-for-dev-teams">ReversingLabs commissioned study, conducted by Dimensional Research</a>, only 27% of software organizations generate and review SBOMs. Also, an overwhelming 9 in 10 software professionals reported that the difficulty to create and review SBOMs is increasing. These professionals cite that software organizations lack the expertise and the staff to generate and review high-quality SBOMs.&nbsp;</p> <p>Things may change, however. Thanks to the federal government taking a stand on software security, SBOM adoption may become more widespread. As a result of Executive Order 14028, it is expected that <a href="https://develop.secure.software/blog/gartner-explains-why-sboms-are-critical-to-software-supply-chain-security-management">SBOM adoption will increase from 5% to 60% in the private sector by 2025</a>. Knowing that a majority of the industry is expected to use SBOMs, means that any software organization that has not adopted SBOMs will continue to be in the minority, putting them at a disadvantage.&nbsp;</p> <p>Regardless of whether or not the federal government mandates secure software practices like the use of SBOMs for the private sector, the industry is heading towards making SBOM use commonplace.</p> <h2 style="font-weight: bold;">Keep learning</h2> <ul> <li><a href="https://blog.reversinglabs.com/blog/the-sbom-is-evolving-4-key-trends-boost-software-supply-chain-security" style="font-weight: bold;">Learn how the SBOM is evolving: 4 key trends to track</a></li> <li><a href="https://blog.reversinglabs.com/blog/the-supply-chain-security-guide-roadmap-for-a-post-solarwinds-world" style="font-weight: bold;">Understand Enduring Security Framework's new supply chain guidelines</a></li> <li><a href="https://www.reversinglabs.com/solutions/software-bill-of-materials-sbom" style="font-weight: bold;">Dive deeper into SBOMs and SBOM solutions</a></li> <li><a href="https://register.reversinglabs.com/free-sbom" style="font-weight: bold;">Get a free SBOM and supply chain risk analysis report</a></li> </ul> <img src="https://track.hubspot.com/__ptq.gif?a=3375217&amp;k=14&amp;r=https%3A%2F%2Fdevelop.secure.software%2Fsbom-what-it-is-and-why-it-matters-software-supply-chain-security&amp;bu=https%253A%252F%252Fdevelop.secure.software&amp;bvt=rss" alt="" width="1" height="1" style="min-height:1px!important;width:1px!important;border-width:0!important;margin-top:0!important;margin-bottom:0!important;margin-right:0!important;margin-left:0!important;padding-top:0!important;padding-bottom:0!important;padding-right:0!important;padding-left:0!important; "> Software Supply Chain Security Software Bill of Materials (SBOM) Tue, 18 Oct 2022 17:00:00 GMT contact@reversinglabs.com (ReversingLabs) https://develop.secure.software/sbom-what-it-is-and-why-it-matters-software-supply-chain-security 2022-10-18T17:00:00Z SBOMs are a 'no brainer': 4 takeaways from MITRE's software supply chain security summit https://develop.secure.software/industry-and-government-agree-sboms-are-a-no-brainer-0 <div class="hs-featured-image-wrapper"> <a href="https://develop.secure.software/industry-and-government-agree-sboms-are-a-no-brainer-0" title="" class="hs-featured-image-link"> <img src="https://develop.secure.software/hubfs/mitre-software-supply-chain-security-summit-sbom-no-brainer.jpg" alt="SBOMs are a 'no brainer': 4 takeaways from MITRE's software supply chain security summit" class="hs-featured-image" style="width:auto !important; max-width:50%; float:left; margin:0 15px 15px 0;"> </a> </div> <p style="font-weight: bold; text-align: left;">With software supply chain attacks ramping up — and presenting a very real new risk category for security teams and CISOs — software bills of materials (SBOMs) are getting the nod from both government and industry experts as a "no brainer."</p> <p style="font-weight: bold; text-align: left;"><img src="https://develop.secure.software/hs-fs/hubfs/mitre-software-supply-chain-security-summit-sbom-no-brainer.jpg?width=1400&amp;height=732&amp;name=mitre-software-supply-chain-security-summit-sbom-no-brainer.jpg" alt="mitre-software-supply-chain-security-summit-sbom-no-brainer" width="1400" height="732" style="height: auto; max-width: 100%; width: 1400px;">With software supply chain attacks ramping up — and presenting a very real new risk category for security teams and CISOs — software bills of materials (SBOMs) are getting the nod from both government and industry experts as a "no brainer."</p> <p>SBOMs have become an essential talking point in the conversation on how to best secure the software supply chain. At <a href="https://sot.mitre.org/resources/summit/2022.html#agendaPanelSupplyChainSIT">MITRE’s Supply Chain Security Hot Topics Summit 2022</a>, a <a href="https://www.youtube.com/watch?v=xiO60YXragY">panel discussion,</a> moderated by <a href="https://www.mitre.org/who-we-are/our-people/wen-masters">MITRE’s VP of Cyber Technologies Wen Masters, Ph.D.</a>, featured both private and public sector officials who all had something to say about SBOMs.&nbsp;</p> <p>The MITRE panel comprised of three top experts in the field of software supply chain security: <a href="https://www.linkedin.com/in/allanafriedman/">Allan Friedman</a>, a Senior Advisor and Strategist at the U.S. Cybersecurity and Infrastructure Security Agency (CISA), <a href="https://www.linkedin.com/in/mjworden/">Michael Worden</a>, a Technical Director at Raytheon Technologies, as well as <a href="https://www.linkedin.com/in/knight-brian/">Brian Knight</a>, a Principal Product Manager at Microsoft. The panel demonstrated<span style="background-color: transparent;">&nbsp;industry and government agreement on a key point: SBOM adoption is essential for securing the software supply chain.&nbsp;&nbsp;</span><span style="background-color: transparent;"></span></p> <p><span style="background-color: transparent;">Here are four key takeaways from the MITRE panel.</span><span style="background-color: transparent;"></span></p> <p><span style="background-color: transparent;"><span style="font-size: 20px;"><a href="https://register.reversinglabs.com/free-sbom" style="font-weight: bold;"><span style="color: #ff0201;"><span style="color: #000000;">[</span> Get a free SBOM and full supply chain risk analysis report<span style="color: #000000;"> ]</span></span></a></span></span></p> <h2 style="font-weight: bold;">1. SBOMs are a ‘no-brainer’</h2> <p>As <a href="https://www.reversinglabs.com/conversinglabs/dont-sleep-on-sboms">we have discussed before</a>, SBOMs serve as a great first step for any organization that produces or uses software. Similar to the <a href="https://blog.reversinglabs.com/blog/sbom-facts-know-whats-in-software-fend-off-supply-chain-attacks">iconic black-and-white food nutrition label</a>, SBOMs comprise a list of a software package’s ingredients, and classifies these components regarding their origin and severity.</p> <p>As a part of his role at CISA, Friedman has become the federal government’s SBOM ‘cheerleader.’ In the beginning of MITRE’s panel, Friedman prefaced his SBOM talking points by defining SBOMs, as well as mentioning the importance of the Biden Administration’s <a href="https://www.whitehouse.gov/briefing-room/presidential-actions/2021/05/12/executive-order-on-improving-the-nations-cybersecurity/">Executive Order on Improving the Nation’s Cybersecurity (14028)</a>. This Executive Order served as the catalyst for a string of official documents being released by the federal government meant to craft policy on securing the software supply chain.&nbsp;</p> <p>These federal guidelines include the National Institute for Standards and Technology’s (NIST) <a href="https://csrc.nist.gov/publications/detail/sp/800-218/final">Secure Software Development Framework</a>, the Enduring Security Framework working panel’s <a href="https://media.defense.gov/2022/Sep/01/2003068942/-1/-1/0/ESF_SECURING_THE_SOFTWARE_SUPPLY_CHAIN_DEVELOPERS.PDF">report on “Securing the Software Supply Chain” (PDF)</a>, as well as the Office of Management and Budget’s (OMB) <a href="https://www.whitehouse.gov/wp-content/uploads/2022/09/M-22-18.pdf">Memorandum M-22-18 (PDF)</a>. Each of these federal guidelines cites the use of SBOMs as being helpful in mitigating software supply chain risks.&nbsp;</p> <p>While SBOMs are a relatively new concept, Friedman said that organizations should move quickly to embrace them.&nbsp;</p> <blockquote> <p style="font-size: 24px;"><span style="font-style: italic;"><span style="background-color: transparent;">“There is no reason why any organization that has non-trivial security maturity, cannot start producing SBOMs based on their software, asking for SBOMs from their suppliers, and beginning to consume them."<br></span>—</span><a href="https://www.linkedin.com/in/allanafriedman/" style="font-style: italic;">Allan Friedman</a></p> </blockquote> <p>Raytheon's Worden offered the practitioner’s perspective as a leader in the cybersecurity industry, largely echoing Friedman’s points.</p> <blockquote> <p style="font-size: 24px;"><span style="font-style: italic;"><span style="background-color: transparent;">“As a security engineer, we’re never certain… We focus on the burden of truth… [An SBOM] helps us get to a burden of truth."<br></span>—</span><a href="https://www.linkedin.com/in/mjworden/" style="font-style: italic;">Michael Worden</a></p> </blockquote> <p>Speaking about the power of SBOMs, Worden highlighted the importance of transparency for security practitioners and the rest of the industry. He believes that SBOMs have the ability to cast light onto what can possibly compromise any software package, making it an essential tool for practitioners.&nbsp;</p> <p>“SBOMs’ power is that it can apply to the entire world of software,” allowing security practitioners, regardless of their industry, whether it be medical devices or financial technology, to gain visibility into the software they rely on, Friedman said.&nbsp;</p> <h2 style="font-weight: bold;">2. There's much more to do on SBOM adoption</h2> <p>While efforts to secure software and embrace the use of SBOMs are moving in the right direction, more work is needed to increase SBOM adoption and make them both practical and useful, the experts agreed.</p> <p>For example, Worden stressed that security practitioners need visibility into the data that can depict software supply chain risks: “The next step is to… push the development of useful analytics,” he said. Tools such as SBOMs will only help improve software security if the software industry as a whole is actually willing to generate and use them. Until adoption is high, security practitioners will continue to be left in the dark when assessing software supply chain risk, the experts agreed.</p> <p>That was also one conclusion of a <a href="https://blog.reversinglabs.com/blog/survey-finds-software-supply-chain-security-top-of-mind-for-dev-teams">Dimensional Research survey that found </a>that only 27% of software organizations generate and review SBOMs. Additionally, an overwhelming 9 in 10 software professionals warned that the difficulty to create and review SBOMs is increasing.&nbsp;&nbsp;</p> <h2 style="font-weight: bold;">3. Automation is a must</h2> <p>With the threat landscape and development environments constantly changing, automation is key if SBOMs are to be effective, the experts agreed.&nbsp;</p> <blockquote> <p style="font-size: 24px;"><em><span style="background-color: transparent;">"If we’re not able to do this through automated tools at scale, we will fail.”<br></span></em>—<em>Allan Friedman</em></p> </blockquote> <p>At the practitioner level, Worden also shared concern towards a lack of automation: “How do you automate this, so that we can respond at the speed that software is evolving?”&nbsp;</p> <p>Both Friedman and Worden, representing government and industry, agreed that at the micro and macro level, SBOMs absent of automation will lead software security efforts down the wrong path.&nbsp;</p> <h2 style="font-weight: bold;">4. SBOMS need to evolve alongside risks</h2> <p>As the industry continues to learn more about risks to the software supply chain, SBOMs will also need to evolve, the experts agreed. “We expect the set of what constitutes an SBOM to increase,” based on past requirements for SBOMs set in 2021 that are no longer adequate, Friedman said.&nbsp;&nbsp;</p> <p>The <a href="https://blog.reversinglabs.com/blog/the-sbom-is-evolving-4-key-trends-boost-software-supply-chain-security">developing trends</a> around SBOM use demonstrate that securing the software supply chain will be a journey, Friedman said. That means the software industry is going to have to adapt SBOMs alongside the changing threat landscape in an effort to support security practitioners.&nbsp;</p> <blockquote> <p style="font-size: 24px;"><em>“We need to tell some better stories about what SBOMs mean.”</em><br><em>—Allan Friedman</em></p> </blockquote> <h2 style="font-size: 24px; font-weight: bold;">Keep learning</h2> <ul> <li><a href="https://develop.secure.software/blog/the-sbom-is-evolving-4-key-trends-boost-software-supply-chain-security"><span style="font-weight: bold;">Learn how the SBOM is evolving: 4 key trends to track</span></a></li> <li><a href="https://develop.secure.software/blog/the-supply-chain-security-guide-roadmap-for-a-post-solarwinds-world" style="font-weight: bold;">Understand Enduring Security Framework's new supply chain guidelines</a></li> <li><a href="https://www.reversinglabs.com/solutions/software-bill-of-materials-sbom" style="font-weight: bold;">Dive deeper into SBOMs and SBOM solutions</a></li> <li><a href="https://register.reversinglabs.com/free-sbom" style="font-weight: bold;">Get a free SBOM and supply chain risk analysis report</a></li> </ul> <img src="https://track.hubspot.com/__ptq.gif?a=3375217&amp;k=14&amp;r=https%3A%2F%2Fdevelop.secure.software%2Findustry-and-government-agree-sboms-are-a-no-brainer-0&amp;bu=https%253A%252F%252Fdevelop.secure.software&amp;bvt=rss" alt="" width="1" height="1" style="min-height:1px!important;width:1px!important;border-width:0!important;margin-top:0!important;margin-bottom:0!important;margin-right:0!important;margin-left:0!important;padding-top:0!important;padding-bottom:0!important;padding-right:0!important;padding-left:0!important; "> Software Supply Chain Security Software Bill of Materials (SBOM) Mon, 17 Oct 2022 17:01:00 GMT carolynn.vanarsdale@reversinglabs.com (Carolynn van Arsdale) https://develop.secure.software/industry-and-government-agree-sboms-are-a-no-brainer-0 2022-10-17T17:01:00Z Packagist PHP repo supply chain attack: 3 key takeaways https://develop.secure.software/packagist-php-repo-supply-chain-threat-sbom <div class="hs-featured-image-wrapper"> <a href="https://develop.secure.software/packagist-php-repo-supply-chain-threat-sbom" title="" class="hs-featured-image-link"> <img src="https://develop.secure.software/hubfs/packagist-php-repo-twitter.jpg" alt="Packagist PHP repo attack: Key supply chain security takeaways" class="hs-featured-image" style="width:auto !important; max-width:50%; float:left; margin:0 15px 15px 0;"> </a> </div> <p style="text-align: left; font-weight: bold;">A PHP repository vulnerability threatened millions of sites. Here's why you need to make an SBOM the first step in your software supply chain security journey.</p> <p style="text-align: left; font-weight: bold;"><img src="https://develop.secure.software/hs-fs/hubfs/packagist-php-repo-twitter.jpg?width=1400&amp;name=packagist-php-repo-twitter.jpg" alt="packagist-php-repo-twitter" width="1400" style="width: 1400px;"></p> <p style="text-align: left; font-weight: bold;">A PHP repository vulnerability threatened millions of sites. Here's why you need to make an SBOM the first step in your software supply chain security journey.</p> <p style="text-align: left;">A vulnerability that threatened the security of millions of websites using the PHP scripting language has been patched, according to a security researcher with SonarSource, a Swiss company that develops code quality and security software. R<span style="background-color: transparent;">esearcher Thomas Chauchefoin </span>explained in a company <a href="https://blog.sonarsource.com/securing-developer-tools-a-new-supply-chain-attack-on-php/">blog post</a> that the flaw allows an attacker to gain control of Packagist<span style="background-color: transparent;">, which is used by the PHP manager named Composer to determine and download software dependencies included by developers in their projects.</span></p> <p>Chauchefoin noted that virtually all organizations running PHP code use Composer, which serves two billion software packages every month. More than a hundred million of these requests could have been hijacked to distribute malicious dependencies and compromise millions of servers, he wrote.</p> <p>By attacking the servers running Packagist, which associates the name of a package with its location, threat actors could force users to download back-doored software dependencies the next time they do a fresh install or an update of a Composer package based on data from 2021. Since Composer is the standard package manager for PHP, Chauchefoin explained, most open source and commercial PHP projects would have been impacted.</p> <p>The vulnerability was fixed within hours by the maintainers of the affected service, he added, and it's believed it was never exploited in the wild.</p> <p>Chauchefoin noted that users of the default, official Packagist instance, or Private Packagist, are safe because their public production instances have been patched. For organizations integrating Composer as a library and operating on untrusted repositories, he recommends upgrading to Composer 1.10.26, 2.2.12, or 2.3.5.<span>&nbsp;</span></p> <p><span>Here are key takeaways from the Packagist software supply chain attack.</span></p> <p><span><span style="font-size: 20px;"><a href="https://register.reversinglabs.com/free-sbom" style="font-weight: bold;"><span style="color: #ff0201;"><span style="color: #000000;">[</span> Get a free SBOM and full supply chain risk analysis report<span style="color: #000000;"> ]</span></span></a></span></span></p> <h2><strong><span>1. Software repositories: </span>A jackpot for adversaries</strong></h2> <p><span>Attacks on software repositories are particularly dangerous, observed Henrik Plate, a security researcher at Endor Lab, a dependency management company. "T</span>hey can enable malware to not only infect single open source projects, but all projects that distribute binary artifacts through the repository," he said.<span>&nbsp;</span></p> <p>"<span>Packagist</span>.<span>org</span>, the package repository for <span>PHP</span> packages, hosts a total of 3.6 million binary artifacts for 353 thousand different open source packages," Chauchefoin wrote. "The vulnerability <span>CVE</span>-2022-24828, which has been discovered in the <span>PHP</span> package manager called Composer, could have resulted in remote code execution on <span>packagist</span>.<span>org</span>, with the possible compromise of numerous projects and artifacts hosted on that repository."</p> <blockquote> <p><em><span style="font-size: 24px;">"That would be a jackpot for adversaries of any kind, no matter if they intend to run highly targeted attacks against a single project or a huge campaign on the entire ecosystem."<br>—<a href="https://www.linkedin.com/in/thomaschauchefoin/">Thomas Chauchefoin</a></span></em></p> </blockquote> <p>The software <span>industry’s</span> dependency on open source and its pervasiveness make it a compelling target for supply chain attacks, he added. Attacking upstream open source projects also has the considerable advantage of spreading out to potentially many downstream consumers, he continued.&nbsp;</p> <blockquote> <p style="font-size: 24px;"><span style="font-style: italic;">"The combined attack surface of thousands of open source projects is much bigger than any given vendor’s development infrastructure. If an attacker gets lucky and is able to inject malware into a highly successful open source project, thousands of direct and indirect downstream users can be infected in a snap."</span><br><span style="font-style: italic;">—<span style="font-size: 24px;"><a href="https://www.linkedin.com/in/thomaschauchefoin/">Thomas Chauchefoin</a></span></span></p> </blockquote> <p><span>Ken Arora, a distinguished cybersecurity engineer and architect at F5, a multi-cloud application services and security company, said that i</span>n addition to infecting downstream targets, compromising repositories can be used to create a foothold for a variety of mischief.</p> <blockquote> <p style="font-size: 24px;"><em>"This foothold can be used as a launching pad for lateral movement within the application’s infrastructure."</em><br><em>—<a href="https://www.linkedin.com/in/ken-arora-00b955/">Ken Arora</a></em></p> </blockquote> <p>Compromised components can also be used to access application protected data, such as database tables and S3 buckets; overriding critical security-relevant configuration files; or be a conduit to open connections to the external internet for data <span>exfiltration</span>, he added.</p> <h2><strong>2. Software supply chain security: Complexity creates challenges</strong></h2> <p>The Packagist vulnerability illustrates a growing problem with software supply chains: complexity, said <span>Ed Moyle, systems and software security director at Drake Software, a tax and accounting solutions maker, and&nbsp; a member of the ISACA Emerging Trends Working Group.&nbsp;</span></p> <p>We're already at the point that dependency management has to be automated in many cases to be viable, he said. Package managers and the like are used out of necessity, meaning, in order to ensure that the right modules and the right versions of those modules are where they need to be, automation is required, Moyle explained.&nbsp;</p> <blockquote> <p style="font-size: 24px;"><em>"Because of the complexity in managing this, the package manager itself can be a very tempting target. Why? Because you can compromise multiple victims all at once, you can do it in a stealthy way that does not require actively attacking the downstream target, and you can do it in a way for which most organizations will be unprepared."</em><br><em>—<a href="https://www.linkedin.com/in/edmoyle/">Ed Moyle</a></em></p> </blockquote> <p><span>Daniel Kennedy, research director for information security and networking at 451 Research, which is part of S&amp;P Global Market Intelligence, said that h</span>ackers aren't alone in exploiting supply chain complexity for inserting undesirable code into open source projects.</p> <p>Prominent maintainers are adding counterproductive code for reasons of protest around geopolitical issues, he said.</p> <blockquote> <p style="font-size: 24px;"><span style="font-style: italic;">"<span style="background-color: transparent;">The complexity of some of these components, and the sub-components they use, makes it difficult to see where counterproductive code has been added during an update. </span><span style="background-color: transparent;">Doing a full code review of open source updates typically </span><span style="background-color: transparent;">isn’t</span><span style="background-color: transparent;"> feasible for an </span><span style="background-color: transparent;">enterprise</span><span style="background-color: transparent;">, and somewhat defeats the purpose of leveraging open source code in the first place."<br>—<a href="https://www.linkedin.com/in/danieltkennedy/">Daniel Kennedy</a></span></span></p> </blockquote> <h2><strong>3. The case for SBOMs: Continuous evaluation needed</strong></h2> <p>One way organizations are trying to reduce open source software risks<span> is through the use of a software bill of materials (SBOM), said Ed Skoudis, president of the SANS Technology Institute. </span></p> <p><span>SBOM</span> demands from software vendors a list of software packages and libraries that they used to build their software. "<span style="background-color: transparent;">Every organization doesn't have the time or wherewithal to see if every component has issues, but by having that information handy, having that list of </span><span style="background-color: transparent;">ingredients</span><span style="background-color: transparent;">, it pushes the vendors to be open and show what's going into their products," <span>Skoudis</span> said.</span></p> <blockquote> <p style="font-size: 24px;"><em>"A software bill of materials takes a big bite out of the problem."</em><br><em>—<a href="https://www.linkedin.com/in/edskoudis/">Ed Skoudis</a></em></p> </blockquote> <p>The key to securing against supply chain attacks on upstream open source components is to carefully select and evaluate the <span>dependencies—</span>not just once, when including them for the first time, but continuously, said Henrik Plate, a security researcher at Endor Lab.</p> <blockquote> <p style="font-size: 24px;"><em>"Organizations must decide on and monitor a set of key metrics or indicators during the lifecycle of their software dependencies, not just for direct dependencies but also for indirect ones."</em><br><em>—<a href="https://www.linkedin.com/in/henrikplate/">Henrik Plate</a></em></p> </blockquote> <p><span>Ratan Tipirneni, president and CEO of Tigera, a provider of security and observability for containers, Kubernetes and cloud, pointed out that w</span>hile <a href="https://develop.secure.software/blog/log4j-is-why-you-need-an-sbom">Log4j was the vulnerability that got <span>everyone’s</span> attention</a> and made national news, over 4,000 high-severity vulnerabilities were announced in 2021. The recent discovery of the high-severity security flaw in the <span>Packagist</span> software repository, further demonstrates severe vulnerabilities continue to be discovered.</p> <p>As the pace of innovation combined with the use of open source libraries increases, we will continue to see an increase in vulnerabilities and threats, <span>Tipirneni said</span>. "This is an ominous sign for highly constrained security and <span>DevOps</span> teams."</p> <blockquote> <p style="font-size: 24px;"><em>"It is nearly impossible for any DevOps or security team to keep up with attackers. To close the security gap, businesses will need to bring the principles of Zero Trust and defense in depth to the entire CI/CD pipeline to actively mitigate risks with a combination of preventive measures and active defense."<br>—<a href="https://www.linkedin.com/in/ratantipirneni/"><span>Ratan Tipirneni</span></a></em></p> </blockquote> <h2 style="font-size: 24px; font-weight: bold;">Keep learning</h2> <ul> <li><a href="https://develop.secure.software/blog/white-house-memo-lays-down-the-law-on-software-supply-chain-security"><span style="font-weight: bold;">Get up to speed on the WH memo on supply chain security and SBOMs</span></a></li> <li><a href="https://develop.secure.software/blog/the-sbom-is-evolving-4-key-trends-boost-software-supply-chain-security"><span style="font-weight: bold;">Learn how the SBOM is evolving: 4 key trends to track</span></a></li> <li><a href="https://develop.secure.software/blog/the-supply-chain-security-guide-roadmap-for-a-post-solarwinds-world"><span style="font-weight: bold;">Understand Enduring Security Framework's new supply chain guidelines</span></a></li> <li><a href="https://www.reversinglabs.com/solutions/software-bill-of-materials-sbom" style="font-weight: bold;">Dive deeper into SBOMs and SBOM solutions</a></li> <li><a href="https://register.reversinglabs.com/free-sbom" style="font-weight: bold;">Get a free SBOM and full supply chain risk analysis report</a></li> </ul> <em>Image courtesy of <a href="https://twitter.com/packagist">Packagist's Twitter page</a>.</em> <img src="https://track.hubspot.com/__ptq.gif?a=3375217&amp;k=14&amp;r=https%3A%2F%2Fdevelop.secure.software%2Fpackagist-php-repo-supply-chain-threat-sbom&amp;bu=https%253A%252F%252Fdevelop.secure.software&amp;bvt=rss" alt="" width="1" height="1" style="min-height:1px!important;width:1px!important;border-width:0!important;margin-top:0!important;margin-bottom:0!important;margin-right:0!important;margin-left:0!important;padding-top:0!important;padding-bottom:0!important;padding-right:0!important;padding-left:0!important; "> Software Supply Chain Security Software Bill of Materials (SBOM) Dev & DevSecOps Wed, 12 Oct 2022 13:58:08 GMT jpmellojr@gmail.com (John P. Mello Jr.) https://develop.secure.software/packagist-php-repo-supply-chain-threat-sbom 2022-10-12T13:58:08Z Memory-safe #RustLang shines with its day in the sun https://develop.secure.software/rustlang-shines-with-its-day-in-the-sun <div class="hs-featured-image-wrapper"> <a href="https://develop.secure.software/rustlang-shines-with-its-day-in-the-sun" title="" class="hs-featured-image-link"> <img src="https://develop.secure.software/hubfs/rust--mobili--cc-by-sa.png" alt="#RustLang shines with its day in the sun" class="hs-featured-image" style="width:auto !important; max-width:50%; float:left; margin:0 15px 15px 0;"> </a> </div> <p><strong></strong></p> <p><strong><img src="https://develop.secure.software/hs-fs/hubfs/rust--mobili--cc-by-sa.png?width=1400&amp;name=rust--mobili--cc-by-sa.png" alt="rust--mobili--cc-by-sa" width="1400" style="width: 1400px;"></strong></p> <p><strong>The chatter around the Rust language is growing</strong><span>&nbsp;</span>into a deafening roar. Not only is the Linux kernel train bearing down on the 6.1 station, but countless other devs are waking up to the memory-safe language.</p> <p><strong>Last month, I said Rust’s momentum</strong><span>&nbsp;</span>seemed<span>&nbsp;</span><a href="https://blog.reversinglabs.com/blog/rust-mojo-linux-memory-safe-code" title="Rust finds its mojo: Move forward to memory-safe code">unstoppable</a>. I stand by that assessment.</p> <p><strong>But beware of edge cases.</strong>&nbsp;In this week’s<span>&nbsp;</span><a href="https://blog.reversinglabs.com/blog/tag/secure-software-blogwatch">Secure Software&nbsp;Blogwatch</a>, we brace for one of Linus Torvalds’ famous rants.</p> <p><a title="Richi Jennings" href="https://www.richi.uk/">Your humble blogwatcher</a>&nbsp;curated these bloggy bits for your entertainment. Not to mention:&nbsp;<i>The doodle house</i>.<br>&nbsp;</p> <h2 style="font-weight: bold;">Don’t miss out</h2> <p><strong>What’s the craic?</strong><span>&nbsp;</span>Michael Larabel reports&nbsp;—&nbsp;“<a title="read the full text" href="https://www.phoronix.com/news/Rust-Is-Merged-Linux-6.1">The Initial Rust Infrastructure Has Been Merged Into Linux 6.1</a>”:</p> <blockquote> <em><strong>“Some Linux users in dissent”</strong><br>Linus Torvalds pulled the initial Rust code into the mainline Linux kernel. [It] has been merged into the mainline Git tree for Linux 6.1.<br>…<br>[But] as recently as this weekend there were still some Linux users in dissent over the ideas of the Rust programming language support for the Linux kernel. … This initial 12.5k lines of new code just provides the basic infrastructure. … Building the Linux kernel with the Rust support remains optional.</em> </blockquote> <p><strong>6.1? I thought it was originally slated for 6.0?</strong><span>&nbsp;</span>Kevin Purdy reminds us&nbsp;—&nbsp;“<a title="read the full text" href="https://arstechnica.com/gadgets/2022/10/linux-6-0-arrives-with-support-for-newer-chips-core-fixes-and-oddities/">Linux 6.0 arrives</a>”:</p> <blockquote> <em><strong>“Torvalds took a wait-and-see approach”</strong><br>While major Linux releases only happen when the prior number's dot numbers start looking too big—"there is literally no other reason"—there are a lot of notable things rolled into this release. … Not included in 6.0 are Rust enhancements, but those are likely coming in the next point release.<br>…<br>Rust, a memory-safe language sponsored by the Mozilla project, started out as something Torvalds took a wait-and-see approach toward … something he was hoping to see in 6.0. … Even just having the "core infrastructure" for Rust in 6.1 signifies a big change in Linux, which has long been dominated by C.</em> </blockquote> <p><strong>What swayed him?</strong><span>&nbsp;</span><a title="read the full text" href="https://linux.slashdot.org/comments.pl?sid=22165265&amp;cid=62939955">pr0nbot</a><span>&nbsp;</span>summarizes thuswise:</p> <blockquote> <em>Linus is a pragmatic fellow and his assessment of Rust is positive. … Something like: It's the first hip language he's looked at that fixes a lot of things that suck about C without adding a load of new suckage like C++. So he's receptive to the idea of Rust in the kernel.</em> </blockquote> <p><strong>However,</strong><span>&nbsp;</span>that doesn’t mean Rust programmers can automatically jump into kernel programming. Here’s<span>&nbsp;</span><a title="read the full text" href="https://lkml.org/lkml/2022/9/19/840">Linus Torvalds</a>’s mini rant:</p> <blockquote> <em><strong>“You don’t get to choose”</strong><br>"Rust is safe" is not some kind of absolute guarantee of code safety. … Anybody who believes that should probably … stop believing in the Easter bunny. … This is something that I really<span>&nbsp;</span><strong>need</strong><span>&nbsp;</span>the Rust people to understand. … If you can't deal with the rules that the kernel requires, then just don't do kernel programming.<br>…<br>If you want to allocate memory, and you don't want to care about what context you are in, or whether you are holding spinlocks etc, then you damn well shouldn't be doing kernel programming. Not in C, and not in Rust. … That really is very very fundamental. Allocators that "just work" in different contexts are broken garbage within the context of a kernel. … Kernels are special.<br>…<br>Having<span>&nbsp;</span><strong>behavior changes</strong><span>&nbsp;</span>depending on context is a total disaster. … This is just how reality is. You don't get to choose the universe you live in.</em> </blockquote> <p><strong>All of which</strong><span>&nbsp;</span>drew<span>&nbsp;</span><a title="read the full text" href="https://drewdevault.com/2022/10/03/Does-Rust-belong-in-Linux.html">Drew DeVault</a><span>&nbsp;</span>into thinking this:</p> <blockquote> <em><strong>“I would have chosen differently”</strong><br>As Linus recently put it, “Kernel needs trump any Rust needs.” … These constraints have posed, and will continue to pose, a major challenge for Rust in Linux, but on the whole, I think that it will be able to rise to meet them, though perhaps not with as much grace as I would like.<br>…<br>In my opinion [Rust] does not belong in the Linux kernel. [But] C is boring — it hasn’t really excited anyone in decades. Rust is exciting, and its community enjoys a huge pool of developers building their brave new world with it. Introducing Rust to the kernel will [expand] the kernel’s developer base from a bunch of aging curmudgeons writing C towards a more inclusive developer pool.<br>…<br>Linux is, on the whole, a conservative project. It is deployed worldwide in billions of devices and its reliability is depended on by a majority of Earth’s population. … Rust is one of the riskiest bets Linux has ever considered. … That said, it’s going to happen, and the impact to me is likely to be, at worst, a nuisance. Though I would have chosen differently, I wish them the best of luck.</em> </blockquote> <p><strong>Aside from memory safety,</strong><span>&nbsp;</span>what’s so “exciting”?<span>&nbsp;</span><a title="read the full text" href="https://news.ycombinator.com/item?id=33072785">blacksmithgu</a><span>&nbsp;</span>forges a neat list:</p> <blockquote> <em>I respect the opinion … that Linux should be simple and Rust is adding a lot of complexity to the build and ABI, but the advantage of Rust is not just memory safety. … You get actual tagged enums, modules, sane dependency management, generics, polymorphism, optionals, no unchecked nullability, collections, and many other things. Writing systems software with it — even if you completely ignore memory safety — is a very pleasant experience once you've grokked the language.</em> </blockquote> <p><strong>But why Rust? Why not C++?</strong><span>&nbsp;</span><a title="read the full text" href="https://linux.slashdot.org/comments.pl?sid=22165265&amp;cid=62940093">DrXym</a><span>&nbsp;</span>has a prescription:<span>&nbsp;</span><em>[You’re fired—Ed.]</em></p> <blockquote> <em>There is plenty that sucks about C++. Every mistake you can make in C you can make in C++.<br>…<br>On top of that it has it's own layer of bull**** to deal with: The rule of 3, the rule of 5, pointer/reference abuse, weird constructor traps around type coercion, destructor traps around use of virtual, fragile base classes, multiple inheritance issues, exceptions, etc., etc. … I'm not surprised the kernel didn't want to go there.</em> </blockquote> <p><strong>And it’s simply less laborious.</strong><span>&nbsp;</span>So says<span>&nbsp;</span><a title="read the full text" href="https://www.phoronix.com/forums/forum/phoronix/latest-phoronix-articles/1350143-the-initial-rust-infrastructure-has-been-merged-into-linux-6-1?p=1350199#post1350199">marlock</a>:</p> <blockquote> <em>[Here’s] why so many devs are at least interested in exploring Rust as an alternative to C where possible: … Imagine not needing to bend backwards at every second line of code to avoid stupid repetitive pitfalls and reimplement their verbose mitigations all the time throughout the codebase. Plus making the useful code more readable because the extra lines don't need to be in the codebase.</em> </blockquote> <p><strong>But is the learning curve worth it?</strong><span>&nbsp;</span>You bet, thinks<span>&nbsp;</span><a title="read the full text" href="https://www.reddit.com/r/rust/comments/xv73u6/i_find_that_i_dont_want_to_use_any_other/">u/NullSurplus</a>:</p> <blockquote> <em>I find that I don't want to use any other programming language now that I'm becoming proficient in Rust. … I'm starting to feel like Rust is the exact language that I want for all of my projects. It feels like it has the best of both worlds: High level features, and native performance. It feels like it's what programming languages<span>&nbsp;</span><strong>should</strong><span>&nbsp;</span>be.<br>…<br>There is room for improvement, but I just don't see myself wanting to return to C++, C# or Python. I'm starting to forget how to use those three languages, and I feel like that would be a lot of knowledge to lose, although I guess I don't really need those languages anymore. … C#'s garbage collector is what lead me down this path to Rust. … There's no reason why they couldn't do reference counting, and I don't understand why they don't. It seems like a more sane approach.<br>…<br>I started learning Rust back in February, but I've been programming in various languages for 14 years. … I've already played around with so many languages. Ultimately … I have all my future projects planned in Rust.</em> </blockquote> <p><strong>But<span>&nbsp;</span><i>ohmygosh</i>,</strong><span>&nbsp;</span>it seems like adding Rust has doubled the kernel build time.<span>&nbsp;</span><a title="read the full text" href="https://linux.slashdot.org/comments.pl?sid=22165265&amp;cid=62940051">GigaplexNZ</a><span>&nbsp;</span>sounds succinctly sanguine:</p> <blockquote> <em>An acceptable tradeoff — if it leads to better memory protection.</em> </blockquote> <h2 style="font-weight: bold;">And Finally:</h2> <p><strong><a title="And Finally" href="https://www.youtube.com/watch?v=f7ke3HznCCo&amp;list=PL9zSC5i495YMjIuJjxToNGU8Ve7Gd5Rvj">My head hurts</a></strong></p> <div class="hs-embed-wrapper" style="position: relative; overflow: hidden; width: 100%; height: auto; padding: 0px; max-width: 560px; min-width: 256px; display: block; margin: auto;"> <div class="hs-embed-content-wrapper"> <div style="position: relative; overflow: hidden; max-width: 100%; padding-bottom: 56.25%; margin: 0px;"> <iframe width="560" height="315" src="https://www.youtube.com/embed/f7ke3HznCCo" frameborder="0" allowfullscreen style="position: absolute; top: 0px; left: 0px; width: 100%; height: 100%; border: none;"></iframe> </div> </div> </div> <p><br><span style="font-style: italic;">Hat tip:&nbsp;</span><a href="https://b3ta.com/links/Sam_Cox_Doodle_House" style="font-style: italic;">planearm</a></p> <p><a href="https://www.youtube.com/playlist?list=PL9zSC5i495YMjIuJjxToNGU8Ve7Gd5Rvj" style="font-weight: normal;">Previously in&nbsp;<em>And finally</em></a></p> <h2 style="font-size: 24px; font-weight: bold;">Keep learning</h2> <ul> <li><a href="https://develop.secure.software/blog/tag/dev-devsecops" style="font-weight: bold;">Learn more about Dev &amp; DevSecOps</a></li> <li><a href="https://develop.secure.software/blog/the-sbom-is-evolving-4-key-trends-boost-software-supply-chain-security"><strong>Get up to speed on the SBOM's evolution</strong></a></li> <li><a href="https://develop.secure.software/blog/nvd-analysis-2022-why-you-need-to-modernize-your-software-security-approach" style="font-weight: bold;">Find out why the NVD needs to evolve to include software supply chain threatss</a></li> <li><a href="https://develop.secure.software/blog/survey-finds-software-supply-chain-security-top-of-mind-for-dev-teams" style="font-weight: bold;">See survey report: Tampering top of mind for dev — but detection lags</a></li> </ul> <p><em>You have been reading&nbsp;<i>Secure Software&nbsp;Blogwatch</i>&nbsp;by&nbsp;<a href="https://www.richi.uk/">Richi&nbsp;Jennings</a>. Richi curates the best bloggy bits, finest forums, and weirdest websites … so you don’t have to. Hate mail may be directed to&nbsp;<a href="https://twitter.com/richi">@RiCHi</a>&nbsp;or&nbsp;<a href="mailto:ssbw@richi.co.uk?subject=-sbbw-">ssbw@richi.uk</a>. Ask your doctor before reading. Your mileage may vary. Past performance is no guarantee of future results. Do not stare into laser with remaining eye. E&amp;OE. 30.</em></p> <p><small><i>Image sauce:<span>&nbsp;</span><a href="https://www.flickr.com/photos/52257493@N00/49774702701">Mobilus In Mobili</a><span>&nbsp;</span>(<a title="Some rights reserved" href="https://creativecommons.org/licenses/by-sa/2.0/">cc:by-sa</a>; leveled and cropped)</i></small></p> <img src="https://track.hubspot.com/__ptq.gif?a=3375217&amp;k=14&amp;r=https%3A%2F%2Fdevelop.secure.software%2Frustlang-shines-with-its-day-in-the-sun&amp;bu=https%253A%252F%252Fdevelop.secure.software&amp;bvt=rss" alt="" width="1" height="1" style="min-height:1px!important;width:1px!important;border-width:0!important;margin-top:0!important;margin-bottom:0!important;margin-right:0!important;margin-left:0!important;padding-top:0!important;padding-bottom:0!important;padding-right:0!important;padding-left:0!important; "> Secure Software Blogwatch Dev & DevSecOps Thu, 06 Oct 2022 14:44:44 GMT richi.jennings@richi.co.uk (Richi Jennings) https://develop.secure.software/rustlang-shines-with-its-day-in-the-sun 2022-10-06T14:44:44Z Gartner explains why SBOMs are critical to software supply chain security management https://develop.secure.software/gartner-explains-why-sboms-are-critical-to-software-supply-chain-security-management <div class="hs-featured-image-wrapper"> <a href="https://develop.secure.software/gartner-explains-why-sboms-are-critical-to-software-supply-chain-security-management" title="" class="hs-featured-image-link"> <img src="https://develop.secure.software/hubfs/gartner-sbom-research.jpg" alt="Gartner explains why SBOMs are critical to software supply chain security management" class="hs-featured-image" style="width:auto !important; max-width:50%; float:left; margin:0 15px 15px 0;"> </a> </div> <p style="font-weight: bold;">With modern software development reliant on third-party sources — and attacks surging on that supply chain — Gartner expects adoption of software bills of material (SBOM) to go from less than 5% now to 60% in 2025.&nbsp;</p> <p><img src="https://develop.secure.software/hs-fs/hubfs/gartner-sbom-research.jpg?width=1400&amp;name=gartner-sbom-research.jpg" alt="gartner-sbom-research" width="1400" style="width: 1400px;"></p> <p style="font-weight: bold;">With modern software development reliant on third-party sources — and attacks surging on that supply chain — Gartner expects adoption of software bills of material (SBOM) to go from less than 5% now to 60% in 2025.&nbsp;</p> <p>The research firm Gartner is warning software development organizations that they should be prepared to provide their customers with software bills of materials (SBOMs) if they want to remain competitive in their software markets.</p> <p>"An <span>SBOM</span> is foundational to managing the complexity and <span>securability</span> of modern software deployments. And product leaders must meet the growing demand for technology, best practices and solutions to support the delivery of <span>SBOMs</span>," Gartner analyst Mark Driver wrote in a research report titled<span> </span><em>Emerging Tech: A Software Bill of Materials Is Critical to Software Supply Chain Management.</em></p> <p>Gartner believes that by 2025, 60% of organizations procuring mission-critical software solutions will mandate <span>SBOM</span> disclosure in their license and support agreements, up from less than 5% in 2022.</p> <p>However, Driver cautioned in the report that <span>SBOMs</span> are not a panacea.</p> <blockquote> <p style="font-size: 24px;"><em>"They are only as useful as the processes and tools implemented to process, analyze and leverage the information they contain. <span style="background-color: transparent;">Additional tools and techniques, such as software composition analysis (SCA) and code signing, are also necessary elements of a complete software supply chain management effort."<br>—<a href="https://twitter.com/marksdriver">Mark Driver</a></span></em></p> </blockquote> <p>Here are three key takeaways from the Gartner report.</p> <h2><strong>1. Get ahead of the demand for SBOMs</strong></h2> <p>In preparation for the new SBOM environment, the report recommends software providers meet the minimal requirements for SBOM disclosure as soon as possible. When preparing SBOMs, Gartner added, they should be tailored for the demands and dynamics of the industries for which they're being prepared.</p> <p><span>It also recommended that software providers get ahead of demand.</span></p> <blockquote> <p style="font-size: 24px;"><em>"Even if you aren’t getting requests for SBOM disclosures today, create a full inventory of your product’s internal software assets."</em></p> </blockquote> <p>The report also advised providers to categorize each of their assets as a "trade secret" or "fully disclosed." It explained that a provider may decide to exclude trade secrets from an SBOM or reveal them, but protect them through a nondisclosure agreement in a customer licensing agreement.</p> <p>Creating a full inventory of all external dependencies is also recommended in the report. Dependencies subject to a service-level agreement (SLA) with an asset provider should be categorized as "commercially supported." Any SLA for the dependency should require full SBOM disclosure.</p> <p>Dependencies without a contractual SLA should be categorized as "self-supported," the report advised. In addition, a self-supported SLA should be created for those dependencies. That SLA should include discovery and tracking of a complete SBOM.</p> <h2><strong>2. Remove 'security through obscurity'</strong></h2> <p>The report also recommended that providers of software assets ensure they have the capability to create a complete <span>SBOM</span> of their self-developed assets. While meeting the minimum demand from customers for <span>SBOMs</span>, it added, providers should look beyond meeting bare essentials and build strategies to use the SBOMs to create value.</p> <p>Among the methods for creating value cited in the report were tying <span>SBOM</span> delivery to broader security opportunities, such as deeper integration into <span>DevSecOps</span> practices, and expanding and evolving <span>SBOM</span> technology in a way that ties it to long-term product <span>roadmaps</span>.</p> <blockquote> <p style="font-size: 24px;"><em>"Don’t stop with an SBOM. Keep in mind its purpose is to provide insight into the assets that make up a software solution."</em></p> </blockquote> <p>"You must work diligently to correct the security and quality issues discovered through the <span>SBOM</span> disclosure to avoid <span>cybercriminals</span> using it for their own attack vector strategies," he continued.</p> <blockquote> <p style="font-size: 24px;"><em>"In other words, an SBOM removes the capability of 'security through obscurity.'"</em></p> </blockquote> <h2><strong>3. Modern software development requires a new approach</strong></h2> <p>Driver noted in the report that Gartner estimates 40% to 80% of the lines of code in new software projects come from third parties. "Most of this external code comes from myriad open-source projects; the remaining proprietary code comes from suppliers that provide little or no transparency to its status or condition. To complicate things even further, many open-source software (OSS) dependencies are undermanaged and understaffed."</p> <p>In a perfect world, there would be minimal need to share SBOM information. "Every contributor along the supply chain would provide guarantees of the quality and security of their components," he wrote. "These guarantees would propagate from one link in the supply chain to the next. Updates would be posted immediately, and dependencies would be propagated across the supply chain automatically."</p> <p><span style="font-size: 18px;">But the industry operates in an environment where providers along the software supply chain often fail to do what they should do, he wrote. "[One] can also argue that they have traditionally lacked the tools to do this even when they’ve tried."</span></p> <blockquote> <p style="font-size: 24px;"><em><span style="color: #1f1f1f; background-color: transparent;">"In addition, within a technology ecosystem heavily dependent upon open-source software, many components lack a sufficient commercial source of support altogether. As a result, 'software hygiene' practices vary broadly from one supplier to another; the rigor of practices at each node in the supply chain varies from robust to nonexistent, and this situation changes constantly over time as well."</span></em></p> </blockquote> <p><span>The report predicted that </span>over the next three years, product leaders will be challenged to keep up with the evolution and general direction of SBOM technologies, tools, and best practices. They must do this while avoiding or minimizing potential dead ends, missteps and the hit-or-miss nature of discontinuous innovation along the way, it added.</p> <p>The report also forecasted that the state of the art for SBOM initiatives will evolve and improve continuously from 2022 through 2026, but the most impactful innovations are unlikely to reach mainstream adoption before 2025.</p> <h2><strong>SBOMs are now essential</strong></h2> <p>Driver wrote in the report that SBOMs were becoming essential for software development organizations. "The requirement to supply a complete, accurate and up-to-date SBOM for your software solution will be a mandatory element of the majority of client engagements within the next three years," he wrote.</p> <blockquote> <p style="font-size: 24px;"><em>"Product leaders unable or unwilling to provide SBOM disclosure will find themselves increasingly pushed out of competitive opportunities. Many technology and service providers will struggle to deliver necessary SBOM requirements because they are unable to accurately discover and track both internal and external dependencies."</em></p> </blockquote> <h2 style="font-size: 24px; font-weight: bold;">Learn more</h2> <ul> <li><a href="https://develop.secure.software/the-supply-chain-security-guide-roadmap-for-a-post-solarwinds-world"><span style="font-weight: bold;">Get up to speed on Enduring Security Framework's new supply chain guidelines</span></a></li> <li><a href="https://www.reversinglabs.com/sboms-securing-software-supply-chains"><strong>Find out what role SBOM’s play in secure software development</strong></a><span style="font-weight: bold;"></span></li> <li><a href="https://www.secure.software/solutions/software-release-security-management" style="font-weight: bold;"><span style="font-weight: bold;">Learn about </span>solutions for software supply chain security</a></li> <li><a href="https://www.reversinglabs.com/whitepaper/how-why-nist-is-driving-sbom-evolution"><span style="color: #ff0201;"><strong>White paper: Understand requirements for SBOMs in EO 14028</strong></span></a></li> </ul> <img src="https://track.hubspot.com/__ptq.gif?a=3375217&amp;k=14&amp;r=https%3A%2F%2Fdevelop.secure.software%2Fgartner-explains-why-sboms-are-critical-to-software-supply-chain-security-management&amp;bu=https%253A%252F%252Fdevelop.secure.software&amp;bvt=rss" alt="" width="1" height="1" style="min-height:1px!important;width:1px!important;border-width:0!important;margin-top:0!important;margin-bottom:0!important;margin-right:0!important;margin-left:0!important;padding-top:0!important;padding-bottom:0!important;padding-right:0!important;padding-left:0!important; "> Software Bill of Materials (SBOM) Dev & DevSecOps Tue, 04 Oct 2022 14:46:00 GMT jpmellojr@gmail.com (John P. Mello Jr.) https://develop.secure.software/gartner-explains-why-sboms-are-critical-to-software-supply-chain-security-management 2022-10-04T14:46:00Z DevOps teams: BGP security is BAD. But you can fix it https://develop.secure.software/devops-teams-bgp-secure-bad-heres-how-to-fix-it <div class="hs-featured-image-wrapper"> <a href="https://develop.secure.software/devops-teams-bgp-secure-bad-heres-how-to-fix-it" title="" class="hs-featured-image-link"> <img src="https://develop.secure.software/hubfs/bgp--kody-goodson--unsplash.png" alt="DevOps teams: BGP security is BAD. But you can fix it" class="hs-featured-image" style="width:auto !important; max-width:50%; float:left; margin:0 15px 15px 0;"> </a> </div> <p style="text-align: left;"><strong></strong></p> <p style="text-align: left;"><strong>The security of the Border Gateway Protocol (BGP) is laughable.</strong><span>&nbsp;</span>But we all rely on it every day. For everything.</p> <p style="text-align: left;"><strong><img src="https://develop.secure.software/hs-fs/hubfs/bgp--kody-goodson--unsplash.png?width=1400&amp;name=bgp--kody-goodson--unsplash.png" alt="bgp--kody-goodson--unsplash" width="1400" style="width: 1400px;"></strong></p> <p style="text-align: left;"><strong>The security of the Border Gateway Protocol (BGP) is laughable.</strong><span>&nbsp;</span>But we all rely on it every day. For everything.</p> <p><strong>BGP spoofing can let attackers pretend to be</strong><span>&nbsp;</span>your infrastructure — or that of your cloud provider. But there are things you can do to mitigate the risks.</p> <p><strong>Are you doing them?</strong>&nbsp;Do you want to know how? In this week’s<span>&nbsp;</span><a href="https://blog.reversinglabs.com/blog/tag/secure-software-blogwatch">Secure Software&nbsp;Blogwatch</a>, we point you in the right directions.</p> <p><a title="Richi Jennings" href="https://www.richi.uk/">Your humble blogwatcher</a>&nbsp;curated these bloggy bits for your entertainment. Not to mention:&nbsp;<i>It’s time for RPKI</i>.<br>&nbsp;</p> <h2 style="font-weight: bold;">“It’s always DNS” — unless it’s BGP</h2> <p><strong>What’s the craic?</strong><span>&nbsp;</span>Dan Goodin reports&nbsp;—&nbsp;“<a title="read the full text" href="https://arstechnica.com/information-technology/2022/09/how-3-hours-of-inaction-from-amazon-cost-cryptocurrency-holders-235000/">3 hours of inaction from Amazon</a>”:</p> <blockquote> <em><strong>“It’s not the first time”</strong><br>Amazon recently lost control of IP addresses it uses to host cloud services and took more than three hours to regain control, a lapse that allowed hackers to steal $235,000. … The hackers seized control of roughly 256 IP addresses through BGP hijacking. … Despite its crucial function in routing wholesale amounts of data across the globe in real time, BGP still largely relies on the Internet equivalent of word of mouth.<br>…<br>Last month, [AS209243] suddenly began announcing its infrastructure was the proper path for other ASNs to access … a /24 block of IP addresses belonging to AS16509, one of at least three ASNs operated by Amazon. … A new announcement such as this … should have triggered an immediate investigation by the cloud provider. For reasons that remain unknown, Amazon didn’t start announcing the correct path for the /24 block until … more than three hours after the rogue announcements began.<br>…<br>It’s not the first time a BGP attack on an Amazon IP address ended in huge losses of cryptocurrency. … In fairness, Amazon is hardly the only cloud operator to lose control of its IP addresses in a BGP attack. The vulnerability of BGP to ham-fisted misconfigurations and outright fraud has been evident for more than two decades now.</em> </blockquote> <p><strong>How did it go down?</strong><span>&nbsp;</span>Peter Kacherginsky offers an “<a title="read the full text" href="https://www.coinbase.com/blog/celer-bridge-incident-analysis">Incident analysis</a>”:</p> <blockquote> <em><strong>“The attacker created a valid certificate”</strong><br>On August 17, 2022 … users were targeted in a front-end hijacking attack which lasted approximately 3 hours and resulted in 32 impacted victims …  with a single victim losing $156K. … BGP hijacking is a unique attack vector exploiting weakness and trust relationships in the Internet’s core routing architecture. It was used earlier this year to target other cryptocurrency projects such as KLAYswap.<br>…<br>The attacker performed initial preparation on August 12, 2022 by deploying a series of malicious smart contracts. … Preparation for the BGP route hijacking took place on August 16th, 2022 and culminated with the attack on August 17, 2022 by taking over a subdomain responsible for serving … bridge contract addresses.<br>…<br>The attack targeted the cbridge-prod2.celer.network subdomain which hosted critical smart contract configuration data for the Celer Bridge … UI. Prior to the attack [it] was served by AS-16509 (Amazon) with a 44.224.0.0/11 route. … A new route started propagating for the more specific 44.235.216.0/24 route. … In order to intercept rerouted traffic, the attacker created a valid certificate for the target domain [at] an SSL certificate provider based in Latvia.</em> </blockquote> <p><strong>And what can we learn?</strong><span>&nbsp;</span>Doug Madory ponders “<a title="read the full text" href="https://www.kentik.com/blog/bgp-hijacks-targeting-cryptocurrency-services/">What can be learned</a>”:</p> <blockquote> <em><strong>“Raised some eyebrows among the Amazon NetOps team”</strong><br>Companies looking to secure their internet-facing infrastructures need to deploy robust BGP and DNS monitoring of their infrastructure as well as that of any internet-based dependencies they may have. … Additionally, strict RPKI configuration can also increase the difficulty for someone to hijack your routes.<br>…<br>DNS monitoring … uses agents around the world to check that queries for a specified domain return expected results. If a response contains something other than what was expected, it will fire off an alert. … BGP monitoring could have alerted that a new /24 of Amazon address space was being announced. … When this new /24 appeared with an unexpected upstream … that should have triggered an alert [and] raised some eyebrows among the Amazon NetOps team.<br>…<br>Amazon had an ROA for the prefix that was hijacked, so why didn’t RPKI ROV help here? … It<span>&nbsp;</span><strong>could</strong><span>&nbsp;</span>have still helped if the ROA were set up [as] other networks such as Cloudflare and Comcast have done: Set the origin and maximum prefix length to be identical to how the prefix is routed. … Had Amazon created a ROA specifically for 44.224.0.0/11 with an origin of AS16509 and a max-prefin-len of 11, then the attacker would have [failed].</em> </blockquote> <p><strong>ELI5?</strong><span>&nbsp;</span><a title="read the full text" href="https://www.reddit.com/r/Buttcoin/comments/xm5cab/comment/ipn24po/">u/grauenwolf</a><span>&nbsp;</span>explains like we’re five:</p> <blockquote> <em>Imagine you could change the road signs so that an armored car delivered money directly to your house instead of the bank. The Border Gateway Protocol is the road signs.</em> </blockquote> <p><strong>So we all rely on BGP, but it’s fundamentally unsafe?</strong><span>&nbsp;</span><a title="read the full text" href="https://news.ycombinator.com/item?id=32291308">icedchai</a><span>&nbsp;</span>isn’t shocked:</p> <blockquote> <em>Not a surprise. [If it was safe], most of the internet would be unreachable, because most routes (60%) are not signed. … Certainly some percentage of this is people being lazy. Though many routes will never be signed because the owners of these routes simply do not have the capability.</em> </blockquote> <p><strong>It rather sounds like the fault of the TLS cert issuer.</strong><span>&nbsp;</span><a title="read the full text" href="https://arstechnica.com/information-technology/2022/09/how-3-hours-of-inaction-from-amazon-cost-cryptocurrency-holders-235000/?comments=1&amp;post=41250556#comment-41250556">hizonner</a><span>&nbsp;</span>agrees:</p> <blockquote> <em>Lax CA verification practice and inappropriate reliance on the public CA infrastructure cost cryptocurrency holders $235,000. IP addresses are not an authentication mechanism, folks. The blame here belongs on the X.509 infrastructure and its operators.</em> </blockquote> <p><strong>However, with a<span>&nbsp;</span><i>tiny</i><span>&nbsp;</span>bit more nuance,</strong><span>&nbsp;</span><a title="read the full text" href="https://www.reddit.com/r/Bitcoin/comments/xnh9by/comment/ipvybw2/">u/aaaaaaaarrrrrgh</a><span>&nbsp;</span>screams in frustration:</p> <blockquote> <em>Any CA would have issued the certificate, as the attacker was able to prove ownership. Better CAs would check from multiple perspectives (network locations) but if the hijack is effective worldwide that wouldn't stop it.<br><br>A CAA record restricting the authorized CAs would also not have stopped it unless it was restricted to a set of CAs that won't issue a domain validated cert for that host without additional authentication.</em> </blockquote> <p><strong>Still, it’s yet another crypto-FAIL for people to point and laugh at.</strong><span>&nbsp;</span>Lest we forget,<span>&nbsp;</span><a title="read the full text" href="https://arstechnica.com/information-technology/2022/09/how-3-hours-of-inaction-from-amazon-cost-cryptocurrency-holders-235000/?comments=1&amp;post=41250563#comment-41250563">RuralNinja</a><span>&nbsp;</span>reminds us that it could happen to any service:</p> <blockquote> <em>At least this time nothing of value was lost. But it's certainly frustrating seeing time and again that the entire internet is a house of cards supported by a series of gentleman's agreements to not bring it down.</em> </blockquote> <p><strong>Meanwhile, what of Amazon’s liability here?</strong><span>&nbsp;</span><a title="read the full text" href="https://www.reddit.com/r/business/comments/xmr199/comment/ips1gr4/">u/doctorcrimson</a><span>&nbsp;</span>sees red:<span>&nbsp;</span><em>[You’re fired—Ed.]</em></p> <blockquote> <em>I have a feeling that Amazon will try to not pay reparations citing some obscure policy the user hit Accept on.</em> </blockquote> <h2 style="font-weight: bold;">And Finally:</h2> <p><strong><a title="And Finally" href="https://www.youtube.com/watch?v=Y9vbbxr-GbI&amp;list=PL9zSC5i495YMjIuJjxToNGU8Ve7Gd5Rvj">RPKwhatnow?</a></strong></p> <div class="hs-embed-wrapper" style="position: relative; overflow: hidden; width: 100%; height: auto; padding: 0px; max-width: 560px; min-width: 256px; display: block; margin: auto;"> <div class="hs-embed-content-wrapper"> <div style="position: relative; overflow: hidden; max-width: 100%; padding-bottom: 56.25%; margin: 0px;"> <iframe width="560" height="315" src="https://www.youtube.com/embed/Y9vbbxr-GbI" frameborder="0" allowfullscreen style="position: absolute; top: 0px; left: 0px; width: 100%; height: 100%; border: none;"></iframe> </div> </div> </div> <p>&nbsp;</p> <p><a href="https://www.youtube.com/playlist?list=PL9zSC5i495YMjIuJjxToNGU8Ve7Gd5Rvj">Previously in<span>&nbsp;</span><em>And finally</em></a></p> <h2 style="font-size: 24px; font-weight: bold;">Keep learning</h2> <ul> <li><a href="https://develop.secure.software/blog/tag/dev-devsecops" style="font-weight: bold;">Learn more about Secure Dev &amp; DevSecOps</a></li> <li><a href="https://develop.secure.software/blog/the-sbom-is-evolving-4-key-trends-boost-software-supply-chain-security"><strong>Get up to speed on the SBOM's evolution</strong></a></li> <li><a href="https://develop.secure.software/blog/nvd-analysis-2022-why-you-need-to-modernize-your-software-security-approach" style="font-weight: bold;">Find out why the NVD needs to evolve to include software supply chain threatss</a></li> <li><a href="https://develop.secure.software/blog/survey-finds-software-supply-chain-security-top-of-mind-for-dev-teams" style="font-weight: bold;">See survey report: Tampering top of mind for dev — but detection lags</a></li> </ul> <p><em>You have been reading <i>Secure Software&nbsp;Blogwatch</i>&nbsp;by&nbsp;<a href="https://www.richi.uk/">Richi&nbsp;Jennings</a>. Richi curates the best bloggy bits, finest forums, and weirdest websites … so you don’t have to. Hate mail may be directed to&nbsp;<a href="https://twitter.com/richi">@RiCHi</a>&nbsp;or&nbsp;<a href="mailto:ssbw@richi.co.uk?subject=-sbbw-">ssbw@richi.uk</a>. Ask your doctor before reading. Your mileage may vary. Past performance is no guarantee of future results. Do not stare into laser with remaining eye. E&amp;OE. 30.</em></p> <p><small><i>Image sauce:<span>&nbsp;</span><a href="https://unsplash.com/photos/UisH8O-GQ30">Kody Goodson</a><span>&nbsp;</span>(via<span>&nbsp;</span><a title="Some rights reserved" href="https://unsplash.com/license">Unsplash</a>; leveled and cropped)</i></small></p> <p>&nbsp;</p> <img src="https://track.hubspot.com/__ptq.gif?a=3375217&amp;k=14&amp;r=https%3A%2F%2Fdevelop.secure.software%2Fdevops-teams-bgp-secure-bad-heres-how-to-fix-it&amp;bu=https%253A%252F%252Fdevelop.secure.software&amp;bvt=rss" alt="" width="1" height="1" style="min-height:1px!important;width:1px!important;border-width:0!important;margin-top:0!important;margin-bottom:0!important;margin-right:0!important;margin-left:0!important;padding-top:0!important;padding-bottom:0!important;padding-right:0!important;padding-left:0!important; "> Secure Software Blogwatch Dev & DevSecOps Wed, 28 Sep 2022 17:32:20 GMT richi.jennings@richi.co.uk (Richi Jennings) https://develop.secure.software/devops-teams-bgp-secure-bad-heres-how-to-fix-it 2022-09-28T17:32:20Z Threat analysis: Malicious npm package mimics Material Tailwind CSS tool https://develop.secure.software/threat-analysis-malicious-npm-package-mimicks-material-tailwind-css-tool <div class="hs-featured-image-wrapper"> <a href="https://develop.secure.software/threat-analysis-malicious-npm-package-mimicks-material-tailwind-css-tool" title="" class="hs-featured-image-link"> <img src="https://develop.secure.software/hubfs/Blog/Tailwind-CSS.gif" alt="Threat analysis: Malicious npm package mimicks Material Tailwind CSS tool" class="hs-featured-image" style="width:auto !important; max-width:50%; float:left; margin:0 15px 15px 0;"> </a> </div> <p style="font-weight: bold; text-align: left;">ReversingLabs has discovered a malicious npm package disguised as the software tool Material Tailwind. Here's an in-depth look at our discovery — and threat analysis.</p> <p style="font-weight: bold; text-align: left;"><img src="https://develop.secure.software/hs-fs/hubfs/Blog/Tailwind-CSS.gif?width=800&amp;name=Tailwind-CSS.gif" alt="Tailwind-CSS" style="width: 800px;" width="800"></p> <p style="font-weight: bold; text-align: left;">ReversingLabs has discovered a malicious npm package disguised as the software tool Material Tailwind. Here's an in-depth look at our discovery — and threat analysis.</p> <p><em>Note: This analysis was updated on Friday, Sept. 23 with new information on an additional MachO executable.</em></p> <p>Highlighting <a href="https://develop.secure.software/6-reasons-software-security-teams-need-to-go-beyond-vulnerability-response">the rise in risk from open source software repositories</a>, ReversingLabs researchers discovered a new technique that threat actors are using to sow open source repositories with malicious code: a malicious npm&nbsp;package masquerading as <a href="https://www.material-tailwind.com/">Material Tailwind</a>, which is described on their website as “an easy to use components library for Tailwind CSS and Material Design.”&nbsp;</p> <p>Both of these components are recognizable names and massively popular libraries among developers, netting millions of downloads each. Tailwind specifically serves as an open-source CSS framework that doesn’t provide predefined classes for elements, while Material Design is a design language that uses grid-based layouts, responsive animations, and other visual effects.&nbsp;</p> <p>In contrast, the malicious Material Tailwind npm package, while posing as a helpful development tool, has an automatic post-install script, which downloads a password protected zip file that contains a malicious executable: a custom-packed Windows executable capable of running PowerShell scripts.&nbsp;</p> <p>The ReversingLabs research team spotted the package using our Titanium Platform, which tracks software behaviors, specifically looking for packages that contain obfuscated code. Here's our in-depth overview of how we came across this package, as well as how our team deobfuscated the malicious code to gain insight into the threat actor’s methods, and indicators of compromise (IOCs) that can help your organization determine whether or not you have been compromised.&nbsp;</p> <h2 style="font-size: 24px; font-weight: bold;">Obfuscated code: A red flag in npm packages</h2> <p>As with previous discoveries, Material Tailwind caught the attention of the Titanium Platform’s behavior indicator because it contained code obfuscated with JavaScript Obfuscator.&nbsp;</p> <p>Unlike the previous research cases, however, the threat actor responsible for Material Tailwind did quite a good job at making the package description as convincing as possible. Upon closer inspection, however, we noted that the package description is, in fact, copied from another npm package named <a href="https://www.npmjs.com/package/tailwindcss-stimulus-components">tailwindcss-stimulus-components</a>. The threat actor took special care to modify the entire text and code snippets to replace the name of the original package with Material Tailwind. The malicious package also successfully implements all of the functionality provided by the original package.&nbsp;</p> <h2 style="font-size: 24px; font-weight: bold;">Post-install shenanigans</h2> <p>But behavior indicators don’t lie. One of the JavaScript files present in the package contains obfuscated code. It also happens that this tailwindcss-stimulus-scripts.min.cjs file is also declared as postinstall script in package.json file. Packages delivered via npm let developers declare various types of scripts inside package.json file, those get executed at some point of the package lifecycle.</p> <p>Postinstall scripts get executed immediately after package installation. This is why they are a quite popular mechanism for achieving code execution among threat actors. From the perspective of a threat researcher: an obfuscated script that is set to run immediately after installation is a (big) red flag.&nbsp;</p> <p>In the case of Material Tailwind, the obfuscated script was deobfuscated and its content was analyzed in detail.&nbsp;</p> <p><em><img src="https://develop.secure.software/hs-fs/hubfs/image%20(3).png?width=640&amp;name=image%20(3).png" alt="image (3)" style="width: 640px;" width="640"></em><em>Figure 1: npm&nbsp;module imports</em></p> <p>Looking at the deobfuscated script content, the list of imported modules already looks suspicious. It contains modules for file system operations, encryption, network communication, archive decompression and process manipulation.</p> <p>The module first sends a POST request with platform information to a specific IP address and validates that it is executed on a Win32 system. Then it constructs a download link containing the type of the operating system. It also adds a parameter which is probably used to validate that the download request is coming from the victim's machine. This parameter is generated by performing a bcrypt hash of the victim's IP address and removing the first 7 bytes from the hash value.&nbsp;</p> <p><em><img src="https://develop.secure.software/hs-fs/hubfs/image%20(4).png?width=922&amp;name=image%20(4).png" alt="image (4)" style="width: 922px;" width="922"></em><em>Figure 2: Code responsible for stage 2 download</em></p> <p>The downloaded file is a password protected zip archive named DiagnosticsLogger.zip which contains only one file, and it is named DiagnosticsHub.exe. The name of the executable varies between different versions of the package. For the current&nbsp; ZIP archive version, the password that encrypts its contents is “J##$dj&amp;%qvvV89”. Since the archive contains only one file, password protection is likely used to avoid basic antivirus checks.</p> <p>The chosen file names suggest that the attacker is trying to disguise the payload as some kind of diagnostic tool. Finally, the script spawns a child process that executes the downloaded file using cmd /c command.</p> <h2 style="font-size: 24px; font-weight: bold;">Windows executable</h2> <p>The downloaded Windows executable implements several protections to frustrate analysis. It is packed with a custom runtime packer. The Assembly unpacking routine utilizes xmm registers. Typically used for high precision math, they’re abused here for evading security solutions. The malicious code also performs long sleep delays in its execution, another effort to avoid detection. While running, the Windows executable tries to contact trustworthy domains like google.com to verify that it has internet access, and detect if it is executing in a sandboxed environment.&nbsp;</p> <p><img src="https://lh3.googleusercontent.com/gyevG4X_11oVsTjxZjMoE39BIYaE4sTjd6l7lBN9jlDA9Mz10JcmCJirCSBgooUS7zebCJIU2vS0gFH8mA-e5wv4wqhBBavniZ6V6no8t5-MrZYBbeKfz-wEFe93i9n35FcmPgoRlJLY-hpmh_YLc9cHlriqrCJKRyAW2gA0-0Q7CVcpd7XiP4QMsg" width="624" height="115"><em>Figure 3: Base64 decrypted powershell command creating Scheduled Task</em></p> <p>Packed information includes several Powershell code snippets responsible for command and control, communication, and process manipulation. Persistence is achieved by executing a base64 encoded Powershell command which sets up a scheduled task to be executed daily.</p> <p>At stage 2, the malware fetches a XOR encrypted and base64 encoded file from a public Google Drive link. In case this link isn’t accessible two alternative download locations exist, one at Github and another one at OneDrive. The XOR key it uses for decryption is the hardcoded string “AJUHKJHOIU351q23AJKI8i7y”.&nbsp;</p> <p><img src="https://lh5.googleusercontent.com/0jocU7er6VgaU7UvpWd2slIZI9QbDrKEfvXU97mjmTjaGtw58XZ9AiEN-P1z57_gA2-owOXpGZS5i2Ft7ynNfhkVJmJh5U0vVObePpQaeqC-uD7SrH7_S-jMZ3TZJ6KsHwHls8smYSShq5tSGwN8APdBDv50OSceAHymJhQ-jyWjaFrZ3hNqH8TmsA" width="624" height="228"><em>Figure 4: Google drive file decryption routine</em></p> <p>At the time of publication, the encrypted file contains a single IP address, which is the location of its command and control (C2) server, from which the malware receives encrypted instructions using a dedicated socket connection. During dynamic analysis of the malware the C2 server responded with a command indicating that the status of the victims machine wasn’t initialized, which triggered execution of a Powershell command performing a directory listing of the &nbsp; “C:\Program Files” and “C:\Program Files (x86)” folders. The output was stored in the “C:\ProgramData\DiagnosticsLog\Diagnost.log” file, probably to be uploaded to the C2 server later.&nbsp;</p> <p><img src="https://lh3.googleusercontent.com/yzDLXZZUJ2sHRuwiScAMDzqe-INAzQ8KfgiEfP04cVYGzDDu24K7wZb9pDkLEaELQ782bjD8RN55GJtoV5vOsMPoQaqpSDTnRL7ktTYLaaSxF6_A-0H0y_wV9uYH5N18-H2KeIhKJz9Y_zV1vzo97eHScXFXWj_y_5_iNzlzjmkG_ngXRfvCEulyMw" width="624" height="47"><em>Figure 5: Powershell directory listing command</em></p> <h2 style="font-size: 24px; font-weight: bold;">MachO executable (update as of 9/23/2022)</h2> <p style="text-align: left;">The malicious package was initially reported to the npm&nbsp;security team on Monday, Sept. 20. The npm security team responded quickly, removing the affected package within 24 hours. But while they removed it from the npm package repository, they didn’t replace it with a security holder version, like they usually do. That gave the attacker an opportunity to publish new versions under the same package name, which happened on Thursday, Sept. 22. Three new versions were published, and they contained modified versions of the postinstall script.&nbsp;</p> <p style="text-align: justify;"><img src="https://lh5.googleusercontent.com/lJS2l6K0pE2_CKb0efo9bVtoBW-jMxBzb1XJ1IWhx7qbV8sJZLnGt06J2-uAnOOBJe4RZnsV00J41O-tjQIky8bbu4Q0mIyWaBceQEZS7fSnXMVlr5PxOoW8Nx7GZMHRjM-uC5gwICPjbfwWwBNwCSdeNEemEVW6DAvZlDLVsl8JGCLqQWus3g8u-g" width="624" height="343"><em>Figure 6: Updated code responsible for stage 2 download</em></p> <p style="text-align: left;">The new versions added code which triggers if the package is installed on Darwin operating system. In that case, instead of a password protected zip file, a different archive containing two MachO files compiled for ARM and x86-64 architectures, is downloaded and executed on the compromised machine.</p> <p style="text-align: left;">MachO executables are much simpler than the described Windows executables. Important strings are created by concatenating ASCII characters during execution. Persistence is acquired by creating LaunchAgents, a technique typical for macOS malware. The file name suggests that malware tries to mimic the legitimate <em>CoreSimulator </em>framework related to the Xcode developer toolset used for developing macOS applications. Instructions are fetched from C2 server by performing <strong><em>curl </em></strong>request, and curl output is then redirected to <strong><em>sh </em></strong>command for execution.</p> <p style="text-align: left;">Cross platform support, and the fact that new versions of the package were released quickly after the removal of the first ones, shows that a skilled actor is behind this malware — one that is determined to keep this malware operational.</p> <h2 style="font-size: 24px; font-weight: bold;">Imposter packages are on the rise</h2> <p>This Material Tailwind attack is just the latest example of a growing trend: malicious npm packages that attempt to fool developers by posing as legitimate packages. For example, in the IconBurst campaign that <a href="https://blog.reversinglabs.com/blog/iconburst-npm-software-supply-chain-attack-grabs-data-from-apps-websites">we first discovered and disclosed in early July</a>, we noted malicious npm&nbsp;packages that name-squatted on heavily-used and legitimate packages, which hid their malicious content using code obfuscation.&nbsp;</p> <p>These types of software supply chain attacks can be spotted almost daily now. In most of these cases, the malware in question is fairly simple Javascript code that is rarely even obfuscated. Sophisticated multistage malware samples like Material Tailwind are still a rare find.&nbsp;</p> <p>In this case the complexity of the malware tactics leads to a conclusion that sophisticated actors could be behind this attack. For now, our analysis of the situation tells us that Material Tailwind’s stage two payload can be classified as a fully functional Trojan malware. It uses a lot of techniques to complicate reverse engineering. Additionally, IP redirection using a file hosted on a legitimate service like Google Drive is also performed before the communication with the actual C2 server.&nbsp;</p> <p>Given the advanced nature of this malicious package and the fact that it is imitating&nbsp; widely used software development libraries, it is safe to assume that threat actors feel emboldened to continue taking advantage of open source repositories. And as their evasion techniques become more advanced over time, it is essential for software development shops to use a product like ReversingLabs Titanium Platform to spot malicious activity, and keep a close eye on application behaviors prior to including a new third-party dependency in their software.&nbsp;</p> <p><em>Future updates regarding this incident will be shared in this blog post.</em>&nbsp;</p> <h2 style="font-size: 24px; font-weight: bold;">Indicators of Compromise (IoC)</h2> <p style="font-weight: bold;">IP addresses:</p> <p>85.239.54.17<br><span style="background-color: transparent;">135.125.137.220<br></span><span style="background-color: transparent;">46.249.58.140:13338</span></p> <p style="font-weight: bold;">Package versions:</p> <table style="height: 360px; width: 688px;" width="699"> <tbody> <tr style="height: 87px;"> <td style="width: 190px; height: 87px;"> <p>material-tailwindcss</p> </td> <td style="width: 66px; height: 87px;"> <p>2.3.0</p> </td> <td style="width: 432px; height: 87px;"> <p>466ed2f97d127e91ce29d79cd05dbedbe04c5c07</p> </td> </tr> <tr style="height: 87px;"> <td style="width: 190px; height: 87px;"> <p>material-tailwindcss</p> </td> <td style="width: 66px; height: 87px;"> <p>2.3.1</p> </td> <td style="width: 432px; height: 87px;"> <p>faab8d9ad58d383ab895ff98bc215b497e78a89c</p> </td> </tr> <tr style="height: 87px;"> <td style="width: 190px; height: 87px;"> <p>material-tailwindcss</p> </td> <td style="width: 66px; height: 87px;"> <p>2.3.2</p> </td> <td style="width: 432px; height: 87px;"> <p>dbd157edaa3f76d14f2bb2c2d81bab33db147f44</p> </td> </tr> <tr> <td> <p>material-tailwindcss</p> </td> <td> <p>2.3.4</p> </td> <td> <p>cf27558d19b8f7311f48d95ad2f4c24972939929</p> </td> </tr> <tr> <td> <p>material-tailwindcss</p> </td> <td> <p>2.3.5</p> </td> <td> <p>98e37967dbd6ed93ea9e93dbe9617da8770e60c8</p> </td> </tr> <tr> <td> <p>material-tailwindcss</p> </td> <td> <p>2.3.6</p> </td> <td> <p>c913e33c245dd7257ea671b9ec5f97b65c110371</p> </td> </tr> </tbody> </table> <p>&nbsp;</p> <p><span style="font-weight: bold;">Zip file:</span>&nbsp;&nbsp;</p> <p>81977085079d5629cd9a932055273ed38a7ce87b<br>e21f62e59bdb08e612065569f169cd5967987d88</p> <p style="font-weight: bold;">Stage 2 PE payload:&nbsp;</p> <p>748a67a4276a7547f2413c14b7de7f76342038ef</p> <p>09ecdcc7abd426204ba8d494ce1a6431a5d0d6b9</p> <p style="font-weight: bold;">MachO stage 2 archive:</p> <p>9915c952ce178eaac65912d4f94cc966840e59eb</p> <p style="font-weight: bold;">MachO stage 2 payload:</p> <p>d6958efce576ac790d3a053988060ff3da92b5e5</p> <p>3f13b5fcde0a0451221f2d96322857e99d490406</p> <p style="font-weight: bold;">Stage 2 IP redirect providers:</p> <p><em>h[XX]ps://onedrive.live.com/download?cid=8F081466BABC9F13&amp;resid=8F081466BABC9F13%21109&amp;authkey=AOGgyB9v2wrFkJM</em></p> <p><em>h[XX]ps://drive.google.com/uc?export=download&amp;id=1eaFJYy0cLLONFaMDKMUmcU6Js0jG5p8r</em></p> <p><em>h[XX]ps://raw.githubusercontent.com/jfrank4512/Mdam/main/test.txt<br></em></p> <h2 style="font-size: 24px; font-weight: bold;">Keep learning</h2> <ul> <li><a href="https://develop.secure.software/blog/tag/software-supply-chain-security"><strong>Get up to speed on software supply chain security</strong></a></li> <li><a href="https://develop.secure.software/blog/tag/threat-research"><strong>See all threat research news and analysis</strong></a></li> <li><a href="https://develop.secure.software/blog/nvd-analysis-2022-why-you-need-to-modernize-your-software-security-approach"><strong>NVD Analysis 2022: Why you need to modernize your software security approach</strong></a></li> <li><a href="https://develop.secure.software/blog/survey-finds-software-supply-chain-security-top-of-mind-for-dev-teams"><strong>Survey finds software supply chain security top of mind for dev teams — but tampering detection lags</strong></a></li> </ul> <img src="https://track.hubspot.com/__ptq.gif?a=3375217&amp;k=14&amp;r=https%3A%2F%2Fdevelop.secure.software%2Fthreat-analysis-malicious-npm-package-mimicks-material-tailwind-css-tool&amp;bu=https%253A%252F%252Fdevelop.secure.software&amp;bvt=rss" alt="" width="1" height="1" style="min-height:1px!important;width:1px!important;border-width:0!important;margin-top:0!important;margin-bottom:0!important;margin-right:0!important;margin-left:0!important;padding-top:0!important;padding-bottom:0!important;padding-right:0!important;padding-left:0!important; "> Threat Research npm security Fri, 23 Sep 2022 14:11:00 GMT karlo.zanki@reversinglabs.com (Karlo Zanki) https://develop.secure.software/threat-analysis-malicious-npm-package-mimicks-material-tailwind-css-tool 2022-09-23T14:11:00Z Rust finds its mojo: Move forward to memory-safe code https://develop.secure.software/rust-mojo-linux-memory-safe-code-0 <div class="hs-featured-image-wrapper"> <a href="https://develop.secure.software/rust-mojo-linux-memory-safe-code-0" title="" class="hs-featured-image-link"> <img src="https://develop.secure.software/hubfs/rust-forward--randy-laybourne--unsplash.png" alt="Rust: It’s time to move forward on memory-safe code" class="hs-featured-image" style="width:auto !important; max-width:50%; float:left; margin:0 15px 15px 0;"> </a> </div> <p><strong></strong></p> <p><strong><img src="https://develop.secure.software/hs-fs/hubfs/rust-forward--randy-laybourne--unsplash.png?width=1400&amp;name=rust-forward--randy-laybourne--unsplash.png" alt="rust-forward--randy-laybourne--unsplash" width="1400" style="width: 1400px;"></strong></p> <p><strong>It’s confirmed: The Linux kernel will have Rust support soon.</strong><span>&nbsp;</span>Also this week, Microsoft’s Azure CTO said the age of C++ is over—Rust is the future.</p> <p><strong>Fast, memory-safe code without garbage collection?</strong><span>&nbsp;</span>Walk this way, say Linus Torvalds and Mark Russinovich.</p> <p><strong>The momentum is surely unstoppable.</strong>&nbsp;In this week’s<span>&nbsp;</span><a href="https://blog.reversinglabs.com/blog/tag/secure-software-blogwatch">Secure Software&nbsp;Blogwatch</a>, we see both sides.</p> <p><a title="Richi Jennings" href="https://www.richi.uk/">Your humble blogwatcher</a>&nbsp;curated these bloggy bits for your entertainment. Not to mention:&nbsp;<i>Physical Karaoke</i>.</p> <h2 style="font-weight: bold;">The time is now</h2> <p><strong>What’s the craic?</strong><span>&nbsp;</span>Steven J. Vaughan-Nichols reports&nbsp;—&nbsp;“<a title="read the full text" href="https://www.zdnet.com/article/linus-torvalds-rust-will-go-into-linux-6-1/">Linus Torvalds: Rust will go into Linux 6.1</a>”:</p> <blockquote> <em><strong>“Rust on Linux has gotten much more mature”</strong></em> <br> <em>The Rust in Linux debate is over. The implementation has begun. … The Rust programming language entering the Linux kernel has been coming for some time.</em> <br> <em>…</em> <br> <em>It took a while to convince the top Linux kernel developers. … But, in the end, it was decided that Rust is well enough supported in the Clang — the C language family compiler front end — to move forward.</em> <br> <em>…</em> <br> <em>It also helped Rust's case that — thanks to the ground-breaking work of … Miguel Ojeda — Rust on Linux has gotten much more mature. In addition, Andreas Hindborg … showed you could write a first-rate driver, an SSD NVM-Express (NVMe) driver … in Rust.</em> </blockquote> <p>&nbsp;<strong>Where the Linux kernel team goes, others will follow?</strong><span>&nbsp;</span>Thomas Claburn&nbsp;—&nbsp;“<a title="read the full text" href="https://www.theregister.com/2022/09/20/rust_microsoft_c/">In Rust We Trust</a>”:</p> <blockquote> <em><strong>“Less prone to potential memory corruption bugs”</strong></em> <br> <em>Microsoft Azure CTO Mark Russinovich has had it with C and C++: … "Speaking of languages, it's time to halt starting any new projects in C/C++ and use Rust for those scenarios where a non-[garbage collected] language is required," he said. "For the sake of security and reliability, the industry should declare those languages as deprecated."</em> <br> <em>…</em> <br> <em>Rust, designed by as a hobby by Graydon Hoare, started taking shape at Mozilla in 2006 and debuted publicly in 2010. It began to attract serious attention as an alternative to C/C++ in 2015 with the release of Rust 1.0. Since that time, Rust has been the most loved programming language in the annual StackOverflow Survey seven years running … and has been integrated into projects at major technology companies.</em> <br> <em>…</em> <br> <em>Rust seems less prone to potential memory corruption bugs and this makes software less vulnerable. Microsoft has been talking about dumping C/C++ and exploring Rust at least since 2019. … According to Microsoft, about 70 percent of the CVEs it has patched since 2006 are due to memory safety issues. Eliminating those bugs would dramatically improve software security.</em> </blockquote> <p>&nbsp;<strong>But what about performance?</strong><span>&nbsp;</span>Nikolay Ivanov asks, “<a title="read the full text" href="https://arxiv.org/pdf/2209.09127.pdf">Is Rust C++-fast?</a>”:</p> <blockquote> <em><strong>“Performance of Rust is similar to C++”</strong></em> <br> <em>Rust is a relatively new system programming language that has been experiencing a rapid adoption in the past 10 years. Rust incorporates a memory ownership model enforced at compile time. Since this model involves zero runtime overhead, programs written in Rust are not only memory-safe but also fast.</em> <br> <em>…</em> <br> <em>Multiple existing benchmarks comparing the performance of Rust with other languages focus on rarely used superficial algorithms, leading to somewhat inconclusive results. In this work, we conduct a comparative performance benchmark of Rust and C++ using commonly used algorithms and data structures.</em> <br> <em>…</em> <br> <em>Our evaluation shows that the overall performance of Rust is similar to C++, with only minor disadvantage. We also demonstrate that in some Rust routines are slightly faster than the ones of C++.</em> </blockquote> <p>&nbsp;<strong>ELI5?</strong><span>&nbsp;</span><a title="read the full text" href="https://linux.slashdot.org/comments.pl?sid=22081829&amp;cid=62898209">DrYak</a><span>&nbsp;</span>explains like you’re five-<i>ish:</i></p> <blockquote> <em>One way to look at Rust is as a distant cousin of C++, except where all the memory safety features (shared pointers, bound-checked accessors to vectors, etc.) are mandatory and you need special steps to bring back good old pointers and arbitrary memory locations.</em> </blockquote> <p>&nbsp;<strong>Fine if you’re building a new thing, but what about adding to an existing thing?</strong><span>&nbsp;</span><a title="read the full text" href="https://forums.theregister.com/forum/all/2022/09/20/rust_microsoft_c/#c_4534013">HildyJ</a><span>&nbsp;</span>is skeptical:</p> <blockquote> <span style="font-style: italic;">Rust is currently the language of choice for new projects that would have previously been written in C/C++. But migrating an existing system from C/C++ to Rust is difficult. It is a replacement for C/C++, not a successor.</span> <br> <br> <span style="font-style: italic;">In July … Google announced it is&nbsp;</span> <a href="https://develop.secure.software/carbon-aims-to-fix-c-memory-safety-and-other-big-flaws" title="Carbon aims to fix C++ memory safety (and other big flaws)" style="font-style: italic;">working on Carbon as a successor</a> <span style="font-style: italic;">&nbsp;which will be backward compatible with C/C++. [But] rest assured that bad programmers will still be able to write bad code regardless of the language.</span> </blockquote> <p>&nbsp;<strong>However, others disagree.</strong><span>&nbsp;</span><a title="read the full text" href="https://news.ycombinator.com/item?id=32919293">mr_eel</a><span>&nbsp;</span>slides into your DMs:</p> <blockquote> <em>It's not a magic bullet … but Rust was built with interoperability with C/C++ in mind. Many Rust projects are built with C/C++ dependencies. Mozilla's use of Rust in Firefox is a good example of gradual adoption and interoperability.</em> </blockquote> <p>&nbsp;<strong>Aside from memory safety, what else is nice about Rust?</strong><span>&nbsp;</span><a title="read the full text" href="https://www.reddit.com/r/rust/comments/xj2a23/comment/ip65yxu/">u/phazer99</a><span>&nbsp;</span>suggestifies thuswise:</p> <blockquote> <em>Regarding error handling, I think Rust's model is much superior to C++ exceptions. Code that can fail and code that cannot fail are different beasts, and in Rust the difference is clear. The advantage with&nbsp;<strong>Result</strong>&nbsp;compared to checked exceptions (a la Java) is that a result is a normal value which can be mapped, filtered, stored etc.</em> <br> <em>…</em> <br> <em>I use the&nbsp;<strong>?</strong>-operator or map value or error to some other type. … Also, in the future there will be&nbsp;<strong>try</strong>&nbsp;blocks, but for the moment you can break out the code to a separate function.</em> <br> <em>…</em> <br> <em>I think Rust is superior to C++ in pretty much every regard and would hate to go back to developing in C++ (which I've done for 20+ years previously).</em> </blockquote> <p>&nbsp;<strong>But</strong><span>&nbsp;</span><a title="read the full text" href="https://linux.slashdot.org/comments.pl?sid=22081829&amp;cid=62896381">gweihir</a><span>&nbsp;</span>holds back from the cheeleading throng:</p> <blockquote> <em>Let's see how it goes. [SJVN] states, "The debate is over." That is obviously far from the truth.</em> <br> <em>…</em> <br> <em>Linux gives the Rust people enough rope to hang themselves. Whether they do or not will be interesting to see and is impossible to predict at this time. Rust has some major issues it needs to overcome.</em> <br> <em>…</em> <br> <em>If there is general consent in a year or so that this was a successful move, I will give Rust a chance. Before, not so much.</em> </blockquote> <p>&nbsp;<strong>Meanwhile,</strong><span>&nbsp;</span>after reading Russinovich’s road-to-Damascus tweet, Dr.Kaan Gündüz&nbsp;—&nbsp;<a title="read the full text" href="https://twitter.com/calimelo/status/1572014455718023169">@calimelo</a>&nbsp;—&nbsp;makes this epic Dad joke:</p> <blockquote> <em>Another one bites the Rust.</em> </blockquote> <h2 style="font-weight: bold;">And Finally:</h2> <p><strong><a title="And Finally" href="https://www.youtube.com/watch?v=qWhfn6LVZQc&amp;list=PL9zSC5i495YMjIuJjxToNGU8Ve7Gd5Rvj">Physical Karaoke</a></strong></p> <div class="hs-embed-wrapper" style="position: relative; overflow: hidden; width: 100%; height: auto; padding: 0px; max-width: 560px; min-width: 256px; display: block; margin: auto;"> <div class="hs-embed-content-wrapper"> <div style="position: relative; overflow: hidden; max-width: 100%; padding-bottom: 56.25%; margin: 0px;"> <iframe width="560" height="315" src="https://www.youtube.com/embed/qWhfn6LVZQc" frameborder="0" allowfullscreen style="position: absolute; top: 0px; left: 0px; width: 100%; height: 100%; border: none;"></iframe> </div> </div> </div> <p>&nbsp;</p> <p><a href="https://www.youtube.com/playlist?list=PL9zSC5i495YMjIuJjxToNGU8Ve7Gd5Rvj">Previously in<span>&nbsp;</span><em>And finally</em></a></p> <p><em>You have been reading&nbsp;<i>Secure Software&nbsp;Blogwatch</i>&nbsp;by&nbsp;<a href="https://www.richi.uk/">Richi&nbsp;Jennings</a>. Richi curates the best bloggy bits, finest forums, and weirdest websites … so you don’t have to. Hate mail may be directed to&nbsp;<a href="https://twitter.com/richi">@RiCHi</a>&nbsp;or&nbsp;<a href="mailto:ssbw@richi.co.uk?subject=-sbbw-">ssbw@richi.uk</a>. Ask your doctor before reading. Your mileage may vary. Past performance is no guarantee of future results. Do not stare into laser with remaining eye. E&amp;OE. 30.</em></p> <p><small><i>Image sauce:<span>&nbsp;</span><a href="https://unsplash.com/photos/d8YhrKArrRI">Randy Laybourne</a><span>&nbsp;</span>(via<span>&nbsp;</span><a title="Some rights reserved" href="https://unsplash.com/license">Unsplash</a>; leveled and cropped)</i></small></p> <img src="https://track.hubspot.com/__ptq.gif?a=3375217&amp;k=14&amp;r=https%3A%2F%2Fdevelop.secure.software%2Frust-mojo-linux-memory-safe-code-0&amp;bu=https%253A%252F%252Fdevelop.secure.software&amp;bvt=rss" alt="" width="1" height="1" style="min-height:1px!important;width:1px!important;border-width:0!important;margin-top:0!important;margin-bottom:0!important;margin-right:0!important;margin-left:0!important;padding-top:0!important;padding-bottom:0!important;padding-right:0!important;padding-left:0!important; "> Secure Software Blogwatch Dev & DevSecOps Thu, 22 Sep 2022 13:54:07 GMT richi.jennings@richi.co.uk (Richi Jennings) https://develop.secure.software/rust-mojo-linux-memory-safe-code-0 2022-09-22T13:54:07Z White House memo lays down the law on software supply chain security https://develop.secure.software/white-house-memo-lays-down-the-law-on-software-supply-chain-security-0 <div class="hs-featured-image-wrapper"> <a href="https://develop.secure.software/white-house-memo-lays-down-the-law-on-software-supply-chain-security-0" title="" class="hs-featured-image-link"> <img src="https://develop.secure.software/hubfs/white-house-memo-software-supply-chain-security.png" alt="White House memo lays down the law on software supply chain security" class="hs-featured-image" style="width:auto !important; max-width:50%; float:left; margin:0 15px 15px 0;"> </a> </div> <p style="font-weight: bold; text-align: left;">The new memorandum calls on firms selling software to the federal government to attest to its conformity with NIST security standards. Here's what you need to know.</p> <p style="font-weight: bold; text-align: left;"><img src="https://develop.secure.software/hs-fs/hubfs/white-house-memo-software-supply-chain-security.png?width=1400&amp;name=white-house-memo-software-supply-chain-security.png" alt="white-house-memo-software-supply-chain-security" width="1400" style="width: 1400px;"></p> <p style="font-weight: bold; text-align: left;">The new memorandum calls on firms selling software to the federal government to attest to its conformity with NIST security standards. Here's what you need to know.</p> <p>The Biden Administration released a memo this week directing federal agencies to adopt guidelines from NIST for securing software used by the federal government and to attest to its security, a major step to shore up the cybersecurity of federal systems.</p> <p><a href="https://www.whitehouse.gov/wp-content/uploads/2022/09/M-22-18.pdf">The memo, M-22-18 </a>(PDF document), published on Wednesday, is directed to the heads of executive departments and agencies and follows the Administration’s <a href="https://www.whitehouse.gov/briefing-room/presidential-actions/2021/05/12/executive-order-on-improving-the-nations-cybersecurity/">Executive Order 14028</a> for Improving the Nation’s Cybersecurity, released in May of 2021, which laid out new guidelines for securing software and empowers the Office of Management and Budget (OMB) to require agencies to comply with those guidelines.</p> <p>The memo picks up where the EO left off, requiring federal agencies to comply with NIST guidance on software supply chain security, including <a href="https://csrc.nist.gov/publications/detail/sp/800-218/final">NIST Special Publication 800-218</a> on developing a secure software development framework and <a href="https://www.nist.gov/system/files/documents/2022/02/04/software-supply-chain-security-guidance-under-EO-14028-section-4e.pdf">subsequent NIST guidance</a> on software supply chain security. It adds to a chorus of voices urging better management of the security of software used by the federal government and follows the release in early September of <a href="https://media.defense.gov/2022/Sep/01/2003068942/-1/-1/0/ESF_SECURING_THE_SOFTWARE_SUPPLY_CHAIN_DEVELOPERS.PDF">practice guidelines</a> for software supply chain security by a panel of experts from the National Security Agency (NSA), the Cybersecurity and Infrastructure Security Agency (CISA) and the Office for the Director of National Intelligence (ODNI).</p> <p>Here's what the new memo means, practically, for software firms doing business with the government — and beyond.</p> <h2 style="font-size: 24px; font-weight: bold;">Software providers self-report on software supply chain security</h2> <p>Most important: the memorandum calls on federal agencies to obtain “self-attestation for all third party software, including software renewals and major version changes.”&nbsp; The memo applies to all new software purchases made after the issuance of the memorandum and to any software that receives a major version upgrade subsequent to the release of the Memorandum.</p> <p>One category that is exempt is software developed by federal agencies. However, the Memorandum states that federal “agencies are expected to take appropriate steps to adopt and implement secure software development practices for agency-developed software.”&nbsp;</p> <p>While the exact form of that attestation isn’t spelled out, agencies are encouraged to use a standard self-attestation form that “will be made available to agencies.” Furthermore, the Federal Acquisition Regulatory Council (FAR Council) will propose rulemaking that may standardize the self attestation form. Elsewhere, CISA is tasked with developing the self attestation form. Which will it be? Stay tuned!&nbsp;</p> <p>It's worth noting: frameworks like the Department of Defense’s CMMC, require third party attestation of software security. The Biden Administration allows software publishers to “self attest” to the security of their wares and prove the existence of supply chain risk management controls. Third party assessments via a “Third Party Assessor Organization (3PAO) is also allowed, especially for open source software that might be part of a third party software application.</p> <h2 style="font-size: 24px; font-weight: bold;">SBOM on deck (for now)&nbsp;</h2> <p>The new White House memo does not require software publishers to use - or federal agencies to require - the creation of a software bill of materials (SBOM) to validate their attestation. However, the language in the memo makes clear that SBOMs are the preferred method for demonstrating conformance with the NIST secure software development practices.&nbsp;</p> <p>An SBOM “may be required” by an agency as part of solicitation requirements, the memo states, especially for software deemed “critical.” That SBOM must adhere to minimum requirements and one of the SBOM data formats defined in the <a href="https://www.ntia.gov/SBOM">NTIA SBOM requirements</a>. Those state that SBOM must be accurate, presented in a standardized format, and include "known unknowns" for completeness. The Biden memo echoes that guidance, as well, instructing agencies to direct publishers to identify practices to which they cannot attest along with practices they have in place to mitigate those risks.&nbsp;</p> <p>Other forms of attestation may also be required, including output from source code analysis and vulnerability scanning tools may be required in addition to or in lieu of an SBOM, as needed. Publishers may also need to show that they participate in a vulnerability disclosure program.&nbsp;</p> <h2 style="font-size: 24px; font-weight: bold;">The clock is ticking for software providers working with the federal government</h2> <p>In addition to setting requirements for attesting to software security, the memorandum sets a schedule of deliverables for federal agencies. Within 90 days from the issuance of M-22-18, they must identify and inventory all software subject to the requirements of the memo and make a separate inventory of “critical software.”&nbsp;</p> <p>Agencies have 120 days to develop a “consistent process” for communicating the new requirements to their vendors and establish a central agency system for holding attestation letters that are non-public.&nbsp;</p> <p>Within 180 days of the issuance of the memo, agency CIOs need to have developed training plans for their agencies to review and validate attestation documents and other artifacts submitted by software vendors.&nbsp;</p> <p>Within 270 days of the issuance of the memo, agencies need to have collected attestation letters for any critical software they have identified. Attestation letters for non critical software are due within 360 days of issuance of the memo.&nbsp;&nbsp;</p> <h2 style="font-size: 24px; font-weight: bold;">Attestation is the easy part</h2> <p>Coupled with the 2021 Executive Order and the recently released Enduring Security Framework guidance, the memo reinforces the notion that federal agencies and contractors need to level-up their software security game…and fast.&nbsp;</p> <p>But, as the saying goes: “The proof of the pudding is in the tasting.” In other words: the measure of the success of these programs and directives will be how strictly federal agencies and contractors adhere to them. Already, the memo contains lots of wiggle room, like language on “extensions” offered to agencies to comply with the requirements of the memo.&nbsp;</p> <p>While that’s to be expected, serial extensions and can-kicking by Executive Branch agencies will undermine the effectiveness of the measures implemented by the memo and turn them into the federal cyber equivalent of “scofflaws.”&nbsp;</p> <p>Finally, the memorandum’s focus on attestation highlights what, in some ways, is the easiest part for software publishers: standing by the security of their wares. The hard part, of course, is actually addressing security risks that exist in new and legacy code and actually raising the level of code security across product lines.&nbsp;</p> <p>As we have previously written, <a href="https://develop.secure.software/blog/the-supply-chain-security-guide-roadmap-for-a-post-solarwinds-world">the Enduring Security Framework (ESF) is a kind of roadmap for software vendors</a> that do business with the federal government to do just that. It heavily references SSDF, SCVS and SLSA and is a de facto how-to guide for implementing a secure software development framework (SSDF) that many organizations will look to for navigating the EO and today's memo.</p> <p>And the ESF makes clear that federal contractors and federal agencies need to develop proficiency in areas that, today and historically, they have not prioritized. Among those are:&nbsp;</p> <ul> <li>Binary scanning</li> <li>Final package validation&nbsp;</li> <li>SBOM generation&nbsp;</li> <li>SBOM component and publisher verification</li> <li>Management and mitigation of critical vulnerabilities</li> <li>Secrets enumeration</li> <li>Code verification&nbsp;</li> </ul> <p>It is the investments that publishers make in those capabilities that will bear fruit in the form of more secure code that, in turn, can be assessed and verified by federal agencies that use it — using an SBOM or some other means.&nbsp;</p> <h2 style="font-size: 24px; font-weight: bold;">Learn more</h2> <ul> <li><a href="https://develop.secure.software/the-supply-chain-security-guide-roadmap-for-a-post-solarwinds-world"><span style="font-weight: bold;">Get up to speed on Enduring Security Framework's new guidelines</span></a></li> <li><a href="https://www.secure.software/solutions/software-release-security-management" style="font-weight: bold;"><span style="font-weight: bold;">Learn about </span>solutions for software supply chain security</a></li> <li><a href="https://www.reversinglabs.com/sboms-securing-software-supply-chains"><strong>Find out what role SBOM’s play in secure software development</strong></a></li> </ul> <img src="https://track.hubspot.com/__ptq.gif?a=3375217&amp;k=14&amp;r=https%3A%2F%2Fdevelop.secure.software%2Fwhite-house-memo-lays-down-the-law-on-software-supply-chain-security-0&amp;bu=https%253A%252F%252Fdevelop.secure.software&amp;bvt=rss" alt="" width="1" height="1" style="min-height:1px!important;width:1px!important;border-width:0!important;margin-top:0!important;margin-bottom:0!important;margin-right:0!important;margin-left:0!important;padding-top:0!important;padding-bottom:0!important;padding-right:0!important;padding-left:0!important; "> Software Supply Chain Security Mon, 19 Sep 2022 15:45:54 GMT https://develop.secure.software/white-house-memo-lays-down-the-law-on-software-supply-chain-security-0 2022-09-19T15:45:54Z Tomislav Peričin Why Twitter security sucks: Half of staff has PII access https://develop.secure.software/twitter-security-sucks-staffs-pii-access-mudge <div class="hs-featured-image-wrapper"> <a href="https://develop.secure.software/twitter-security-sucks-staffs-pii-access-mudge" title="" class="hs-featured-image-link"> <img src="https://develop.secure.software/hubfs/mudge--us-dod--pd.png" alt="Why Twitter security sucks: Half of staff has PII access" class="hs-featured-image" style="width:auto !important; max-width:50%; float:left; margin:0 15px 15px 0;"> </a> </div> <p><strong></strong></p> <p><strong><img src="https://develop.secure.software/hs-fs/hubfs/mudge--us-dod--pd.png?width=1400&amp;name=mudge--us-dod--pd.png" alt="mudge--us-dod--pd" width="1400" style="width: 1400px;"></strong></p> <p><strong>Peiter “Mudge” Zatko (pictured) was grilled by U.S. senators</strong><span>&nbsp;</span>this week. Twitter’s former head of security has some damning things to say about the service’s DevOps security&nbsp;—&nbsp;or lack of it.</p> <p><strong>In his testimony, we learned that 50% of Twitter staff</strong><span>&nbsp;</span>had full access to the sensitive, personal and private data of users. As if that access proliferation wasn’t bad enough, he said there was little oversight and auditing of what people did with that powerful access.</p> <p><strong>Is your shop any better?</strong>&nbsp;If a bad actor insider abused their power, would you be able to quickly identify it and lock down access? In this week’s<span>&nbsp;</span><a href="https://develop.secure.software/tag/secure-software-blogwatch">Secure Software&nbsp;Blogwatch</a>, we get real.</p> <p><a title="Richi Jennings" href="https://www.richi.uk/">Your humble blogwatcher</a>&nbsp;curated these bloggy bits for your entertainment. Not to mention:&nbsp;<i>Mudge’s opening statement</i>.</p> <h2 style="font-size: 30px; font-weight: bold;">No locks on the doors</h2> <p><strong>What’s the craic?</strong><span>&nbsp;</span>Shannon Bond and Raquel Maria Dillon consider all the things&nbsp;—&nbsp;“<a title="read the full text" href="https://www.npr.org/2022/09/13/1122671582/twitter-whistleblower-mudge-senate-hearing">Takeaways from the Senate hearing</a>”:</p> <blockquote> <p style="font-size: 20px;"><span style="font-weight: bold;">“Half the employees at Twitter have access”</span><br>Twitter executives put profits ahead of security … the company's former head of security told Congress on Tuesday. [Peiter] Zatko, who's also known by his hacker name, Mudge, was hired to lead security at Twitter in 2020, after teenaged hackers took over high-profile verified accounts.<br>…Zatko painted a portrait of a company plagued by widespread security issues and unable to control the data it collects:</p> <ul> <li> <p>[He] alleged the company is highly vulnerable to abuse by foreign intelligence agents … within its ranks.</p> </li> <li> <p>[He] described a company culture that avoided negativity and alleged executives presented selectively favorable information to the board.</p> </li> <li> <p>[He said] Twitter doesn't understand how much data it collects, why it collects it, and how it's supposed to be used. …</p> </li> <li> <p style="font-size: 20px;">He said around half the employees at Twitter have access to that [PII] data.</p> </li> </ul> </blockquote> <p><strong>Half? Good grief.</strong><span>&nbsp;</span>Cat Zakrzewski, Joseph Menn, Faiz Siddiqui and Cristiano Lima&nbsp;—&nbsp;“<a title="read the full text" href="https://www.washingtonpost.com/technology/2022/09/13/twitter-whistleblower-peiter-zatko-testifies/">Security failures cause ‘real harm to real people’</a>”:</p> <blockquote> <p style="font-size: 20px;"><strong>“Foreign government operatives”<br></strong>Zatko’s Senate testimony — which expanded on an 84-page complaint shared with regulators … this summer — said that Twitter executives misled the public, regulators and the company’s own board about its systemically broken defenses against hackers. [His] testimony could also factor into Twitter’s ongoing litigation with [Elon] Musk.<br>…<br>He described an executive team that was financially incentivized to ignore root problems, such as employees having too much access to data [and] the company wasn’t properly tracking data access: … “It doesn’t matter who has keys if you don’t have any locks on the doors. … It’s not far-fetched to say an employee inside the company could take over the accounts of all the senators in this room.”<br>…<br>Regarding Twitter’s employment of suspected foreign government operatives who may have had access to sensitive data because of the company’s lack of internal controls, he said agents for the Indian government and the Chinese government were on the company’s payroll.</p> </blockquote> <p><strong>Did someone mention Elon?</strong><span>&nbsp;</span>Mike Masnick might have&nbsp;—&nbsp;“<a title="read the full text" href="https://www.techdirt.com/2022/09/12/musk-tries-tries-again-with-yet-another-argument-for-how-he-can-get-out-of-buying-twitter-mudges-severance-package/">Musk Tries, Tries Again</a>”:</p> <blockquote> <p style="font-size: 20px;"><strong>“$7 million settlement”<br></strong>Mudge’s report … actually&nbsp;<i>confirmed</i> Twitter’s legal argument: … While the media and a bunch of Musk’s fans bought into the claim that Mudge’s report helped him on the spam issue, Musk’s very expensive lawyers knew better. Instead, they [argued] that his claims about security problems, fraud, and some other stuff represented a material averse event that allows Musk to escape the deal.<br>…<br>Last week … it came out that the company had agreed to a $7 million settlement with Mudge, after he claimed that his firing violated his contract with the company. [And so] Musk … claims that the merger agreement would not allow any severance packages other than those in “the normal course of business,” and that the Mudge agreement violated that.<span style="background-color: transparent;">&nbsp;</span></p> </blockquote> <p><strong>Who is this Mudge guy, anyway?</strong><span>&nbsp;</span><a title="read the full text" href="https://cybersect.substack.com/p/re-mudge-v-twitter">Robert Graham</a><span>&nbsp;</span>knows what&nbsp;—&nbsp;or whom&nbsp;—&nbsp;he’s talking about:</p> <blockquote> <p style="font-size: 20px;"><span style="font-weight: bold;">“Disgruntled over cybersecurity”<br></span>Mudge is a technical expert going back decades. He was there at the beginning  … and his work helped shape today’s infosec industry. He’s got a lot of credibility in the industry, and it’s all justified.<br>…<br>Twitter would certainly like to discredit him as being disgruntled for being fired. But that’s stupid. [He’s] disgruntled over cybersecurity (not … disgruntled over being fired). This has been the case for pretty much his entire career.</p> </blockquote> <p><strong>Anyway, back to the allegations.</strong><span>&nbsp;</span><a title="read the full text" href="https://news.ycombinator.com/item?id=32834019">MattPalmer1086</a><span>&nbsp;</span>is worried:</p> <blockquote> <p style="font-size: 20px;"><strong>“It's a huge red flag”<br></strong>What I heard I found worrying. For example, half the company had prod access to user accounts. And there was no way to find out who accessed what.<br>…<br>I've worked in multiple sectors for nearly 2 decades: government, energy, transport, retail, finance and software. So I've got a pretty good read on what is a normal level of access. Very small companies and start ups … often don't have this kind of separation.</p> <p style="font-size: 20px;">But if they grow into one of the worlds biggest brands, I would not expect it to be run like a 50 man startup. … This is not normal&nbsp;—&nbsp;it's a huge red flag.</p> </blockquote> <p>&nbsp;<strong>But</strong><span>&nbsp;</span><a title="read the full text" href="https://slashdot.org/comments.pl?sid=22049317&amp;cid=62879155">youngone</a><span>&nbsp;</span>seems to say that’s old-fashioned thinking:</p> <blockquote> <p style="font-size: 20px;">I'm going to go right ahead and assume … Facebook and Tik-Tok and every other social media company are going similar things, or worse. They don't care because nobody is going to punish them in any meaningful way.</p> </blockquote> <p>&nbsp;<strong>Will anyone snark up the hearing on Twitter?</strong><span>&nbsp;</span>If so, who will?<span>&nbsp;</span><a title="read the full text" href="https://twitter.com/WillOremus/with_replies">@WillOremus</a><span>&nbsp;</span>will:</p> <blockquote> <p style="font-size: 20px;">Sad that I don't have a newsletter previewing the week's big tech stories so I could title it Musk, Merge, Mudge.<br>…<br>Reaction from Twitter's prospective owner to testimony that users' security was dangerously compromised and foreign governments had covert agents inside the company: “<span>🍿</span>”<br>…<br>Periodic reminder that Sen. Kennedy of Louisiana attended Vanderbilt, UVA Law, and Oxford (not the one in Mississippi). [He] seems to enjoy the sound of himself pronouncing the word "porn."<br>…<br>[I] keep coming back to the same two thoughts:</p> <p style="font-size: 20px;">- Wow, Twitter security is a clown show.</p> <p style="font-size: 20px;">- There's absolutely no way Twitter is alone in this — online data security in general is a clown show and Twitter just happens to be the one taking the fall right now.</p> </blockquote> <p>&nbsp;<strong>What<span>&nbsp;</span><i>should</i><span>&nbsp;</span>Twitter do?</strong><span>&nbsp;</span>Here’s<span>&nbsp;</span><a title="read the full text" href="https://news.ycombinator.com/item?id=32830382">vinay_ys</a>:</p> <blockquote> <p style="font-size: 20px;">If Twitter implemented the following, it would take much of the steam out of this case:</p> <p style="font-size: 20px;">1. Restricted/conditional/temporary access to production systems with extensive centralised audit logging.</p> <p style="font-size: 20px;">2. Handled phone# and geo-location data as sensitive personally identifiable information (SPII) – kept this data in one centralized place (a micro service with well-defined access controlled apis).<br>…<br>Likely it wouldn't impact the velocity of their revenue features too much.<span style="background-color: transparent;">&nbsp;</span></p> </blockquote> <p><strong>But</strong><span>&nbsp;</span><a title="read the full text" href="https://slashdot.org/comments.pl?sid=22049317&amp;cid=62879187">jhuebel</a><span>&nbsp;</span>disagrees on that last point:</p> <blockquote> <p style="font-size: 20px;">It will require a significant outlay of cash to independently assess the current vulnerabilities (can't let them do it themselves), secure the data behind fine-grained access controls (RBAC), audit the controls that are implemented periodically and monitor the privacy and security of Twitter user data in the long-term.<span style="background-color: transparent;">&nbsp;</span></p> </blockquote> <p><strong>Meanwhile, how did we get here?</strong><span>&nbsp;</span><a title="read the full text" href="https://news.ycombinator.com/item?id=32833464">spoonjim</a><span>&nbsp;</span>proffers a perfect pragmatic precis:</p> <blockquote> <p style="font-size: 20px;">What happened was that Twitter hired a famous name to run their security for the clout. Then it turned out that was a big misfire.<span style="background-color: transparent;">&nbsp;</span></p> </blockquote> <h2 style="font-size: 30px; font-weight: bold;">And Finally:</h2> <p><strong><a title="And Finally" href="https://www.youtube.com/watch?v=MYm7ybQa-D0&amp;list=PL9zSC5i495YMjIuJjxToNGU8Ve7Gd5Rvj">Mudge motivates</a></strong></p> <div class="hs-embed-wrapper" style="position: relative; overflow: hidden; width: 100%; height: auto; padding: 0; max-width: 560px; max-height: 315px; min-width: 256px; display: block; margin: auto;"> <div class="hs-embed-content-wrapper"> <div style="position: relative; overflow: hidden; max-width: 100%; padding-bottom: 56.25%; margin: 0px;"> <iframe width="560" height="315" src="https://www.youtube.com/embed/MYm7ybQa-D0" frameborder="0" allowfullscreen style="position: absolute; top: 0px; left: 0px; width: 100%; height: 100%; border: none;"></iframe> </div> </div> </div> <p>&nbsp;</p> <p><a href="https://www.youtube.com/playlist?list=PL9zSC5i495YMjIuJjxToNGU8Ve7Gd5Rvj" style="font-weight: normal;">Previously in&nbsp;<em>And finally</em></a></p> <h2 style="font-size: 24px; font-weight: bold;">Keep learning</h2> <ul> <li><a href="https://develop.secure.software/tag/devsecops" style="font-weight: bold;">Learn more about Secure Dev &amp; DevSecOps</a></li> <li><a href="https://develop.secure.software/the-sbom-is-evolving-4-key-trends-boost-software-supply-chain-security"><strong>Get up to speed on the SBOM's evolution</strong></a></li> <li><a href="https://www.secure.software/reports/reversinglabs-nvd-analysis-2022-a-call-to-action-on-software-supply-chain-security" style="font-weight: bold;">Download report: NVD Analysis 2022 — A Call to Action on Supply Chain Security</a></li> <li><a href="https://develop.secure.software/software-supply-chain-security-top-of-mind-tools-lacking" style="font-weight: bold;">See survey report: Tampering top of mind for dev — but detection lags</a></li> </ul> <p><em>You have been reading&nbsp;<i>Secure Software&nbsp;Blogwatch</i>&nbsp;by&nbsp;<a href="https://www.richi.uk/">Richi&nbsp;Jennings</a>. Richi curates the best bloggy bits, finest forums, and weirdest websites … so you don’t have to. Hate mail may be directed to&nbsp;<a href="https://twitter.com/richi">@RiCHi</a>&nbsp;or&nbsp;<a href="mailto:ssbw@richi.co.uk?subject=-sbbw-">ssbw@richi.uk</a>. Ask your doctor before reading. Your mileage may vary. E&amp;OE. 30.</em></p> <p><small><i>Image sauce:<span>&nbsp;</span><a href="https://en.wikipedia.org/wiki/File:Peiter_Zatko_at_DARPA.jpg">U.S. Department of Defense</a></i></small></p> <img src="https://track.hubspot.com/__ptq.gif?a=3375217&amp;k=14&amp;r=https%3A%2F%2Fdevelop.secure.software%2Ftwitter-security-sucks-staffs-pii-access-mudge&amp;bu=https%253A%252F%252Fdevelop.secure.software&amp;bvt=rss" alt="" width="1" height="1" style="min-height:1px!important;width:1px!important;border-width:0!important;margin-top:0!important;margin-bottom:0!important;margin-right:0!important;margin-left:0!important;padding-top:0!important;padding-bottom:0!important;padding-right:0!important;padding-left:0!important; "> Secure Software Blogwatch Dev & DevSecOps CI/CD Security Thu, 15 Sep 2022 09:00:00 GMT richi.jennings@richi.co.uk (Richi Jennings) https://develop.secure.software/twitter-security-sucks-staffs-pii-access-mudge 2022-09-15T09:00:00Z OpenSSF's npm best practices: A solid first step for software supply chain security — but trust issues remain https://develop.secure.software/openssfs-npm-best-practices-a-great-first-step-for-boosting-software-supply-chain-security <div class="hs-featured-image-wrapper"> <a href="https://develop.secure.software/openssfs-npm-best-practices-a-great-first-step-for-boosting-software-supply-chain-security" title="" class="hs-featured-image-link"> <img src="https://develop.secure.software/hubfs/openssf-npm-best-practices-stepping-stone.jpg" alt="OpenSSF's npm best practices: A solid first step for software supply chain security — but trust issues remain" class="hs-featured-image" style="width:auto !important; max-width:50%; float:left; margin:0 15px 15px 0;"> </a> </div> <p style="font-weight: bold;">Here's what you need to know about the new OpenSSF npm security best practices.</p> <p style="font-weight: bold;"><img src="https://develop.secure.software/hs-fs/hubfs/openssf-npm-best-practices-stepping-stone.jpg?width=1400&amp;name=openssf-npm-best-practices-stepping-stone.jpg" alt="openssf-npm-best-practices-stepping-stone" width="1400" style="width: 1400px;"></p> <p style="font-weight: bold;">Here's what you need to know about the new OpenSSF npm security best practices.</p> <p>In August, the Open Source Security Foundation (OpenSSF) unveiled its ambitious plans to overhaul software security supply chains. Those plans include better securing the production of open source code, improving vulnerability detection and remediation, and shortening patching response time.</p> <p>With those goals in its sights, OpenSSF released this month <a href="https://openssf.org/blog/2022/09/01/npm-best-practices-for-the-supply-chain/">a new set of best practices for dependency management and supply chain security for npm</a>, the package ecosystem that serves JavaScript and TypeScript projects.</p> <p>The npm package ecosystem for software teams is one of the largest in existence. It has grown to include 2.1 million packages. Many JavaScript projects are built on tens or even hundreds of dependencies. The ecosystem is so large that it's considered larger than most other significant programming language ecosystems combined, said Chris Romeo, co-founder and CSO of Security Journey, an application security education firm.</p> <blockquote> <p style="font-size: 24px;"><em>"[The npm package ecosystem] was a tremendous first target because of the dependency complexity in JavaScript applications. <span style="background-color: transparent;">With npm, it is not uncommon to see an exponential increase in the number of included packages, hence the reason to start with npm."<br>—<a href="https://twitter.com/edgeroute">Chris Romeo</a></span></em></p> </blockquote> <p>David A. Wheeler, director of open source supply chain security at the Linux Foundation, which runs the OpenSSF, said that, on average, npm packages contain less code than other kinds of packages.</p> <blockquote> <p><em><span style="font-size: 24px;">"They're much smaller. Typically, an order of magnitude smaller. When each package does less, you need more packages to do something."</span></em><br><em><span style="font-size: 24px;">—<a href="https://twitter.com/drdavidawheeler">David A. Wheeler</a></span></em></p> </blockquote> <p>Here are key best practices from the new OpenSSF guidelines — and what you need to know about them.&nbsp;</p> <h2 style="font-size: 24px; font-weight: bold;">A solid first step</h2> <p>With <a href="https://github.com/ossf/package-manager-best-practices/blob/main/published/npm.md">its guide, available on GitHub</a>, the OpenSSF Best Practices Working Group provides an overview of supply chain security features available in npm, describes the risks associated with using dependencies, and lays out best practices to reduce those risks at different project stages. For example, the guidelines cover how to set up a secure CI configuration, avoid dependency confusion, and limit the consequences of a hijacked dependency.</p> <p>Romeo said that the team that put this guide together are top-notch experts in the various areas of <span>npm</span>, "and they put together a solid guide." But he said that while this is an excellent technical document, it needs some work on the usability side of things. "When I think of a developer picking up this guide, there are holes in answering <span>'why'</span> we are doing these various things."</p> <p>The new guidelines are a solid foundation, but could go deeper in explaining why these steps are necessary, Romeo said.</p> <blockquote> <p style="font-size: 24px;"><em>"By answering why we need dependency management in more detail, the new developer picking up the guide has context on the value of the additional work they are taking on."</em><br><em>—Chris Romeo</em></p> </blockquote> <p>Wheeler said that like anything in the world, you can make mistakes, but the OpenSSF guide provided a starting point, and should "help people avoid a lot of mistakes."</p> <blockquote> <p style="font-size: 24px;"><em>"Since this isn't the kind of stuff that's taught in schools, it's really important to have something that people can look at so they know what to, what not to do, and why."<br>—<span style="font-size: 24px;">David A. Wheeler</span></em></p> </blockquote> <p>Karlo Zanki, a reverse engineer at Reversing Labs who has <a href="https://develop.secure.software/author/karlo-zanki">focused his threat research on package managers</a>, said the guidelines are a good starting point for every developer using npm packages in their project.</p> <blockquote> <p><em style="font-size: 26px; background-color: transparent;">"They identify a lot of potential project configuration issues that many developers aren't aware of."<br></em><em style="font-size: 26px; background-color: transparent;">—<a href="https://www.linkedin.com/in/karlo-zanki-b8a2341a5/">Karlo Zanki</a></em></p> </blockquote> <h2 style="font-size: 24px;"><strong>Vetting dependencies is priority one</strong></h2> <p>As the primary author of a dozen or so <span>npm</span> packages with roughly one million downloads per month, <span>Larry Maccherone, DevSecOps transformation evangelist at </span>Contrast Security, a maker of self-protecting software solutions, said he was very pleased with the new OpenSSF npm guidelines.</p> <p>Maccherone said the guidance was concise and thorough, and well aligned with the software security community's best thinking on software supply chain security. "There are no barriers for any package owner to comply with everything in it," he said.</p> <blockquote> <p style="font-size: 24px;"><em>"The fact that it was all pulled together under the trusted auspices of OpenSSF is the biggest way in which this will help. Previously, package owners had to go on a Google-driven expedition and potentially get some bad advice. As a bonus, the document includes references to tools that can enforce much of the guidance."<br>—<a href="https://twitter.com/LMaccherone"><span>Larry Maccherone</span></a></em></p> </blockquote> <p>The guide explained that the first step when using a dependency is to study its origin, trustworthiness, and security posture. It recommends using the criteria in <a href="https://www.envoyproxy.io/">projects like Envoy proxy</a> to determine if a dependency should be used.</p> <p><span>Other measures valuable in evaluating dependencies are use of </span><a href="https://github.com/ossf/scorecard">OpenSSF Security Scorecards</a> to learn about the current security posture of the dependency, use of <a href="https://deps.dev/">deps.dev</a> to learn about the security posture of transitive dependencies, and use of <a href="https://docs.npmjs.com/cli/v8/commands/npm-audit">npm-audit</a> to learn about existing vulnerabilities in the dependencies of the project.</p> <p><span>Andrew Obadiaru, CISO of Cobalt Labs, a penetration testing company, said the new best practices go to the core challenges for developers around the use of package manager for JavaScrip. </span></p> <blockquote> <p style="font-size: 24px;"><em>"If adopted they will help developers reduce the security risks associated with using open-source dependencies. Specifically, the need to extensively study the origin, trustworthiness, and security posture of any dependencies prior to their use."</em><br><em>—<a href="https://www.linkedin.com/in/andrew-obadiaru-cism-crisc-mcp-793b963/">Andrew Obadiaru</a></em></p> </blockquote> <h2 style="font-size: 24px;"><strong>Focus on typosquatting</strong></h2> <p>The OpenSSF guidelines will help developers secure the software supply chain with a multi-pronged approach, explained <span><a href="https://www.linkedin.com/in/divyakrishnarao/">Divya Rao</a>, a dependency management specialist at Endor Labs, a dependencies management company. "</span>Using scorecards, <span>deps</span>.<span>dev</span> to learn of the security posture of transitive dependencies, and <span>npm</span>-audits will help, as well as being aware of typo-squatting and correctly identifying a package name," he said.</p> <p>Although the npm performs scans to detect typosquatting, no system is perfect, so developers must remain vigilant and always identify the GitHub repository for the package and assess its trustworthiness through characteristics, such as the number of contributors, the OpenSSF guide noted.</p> <p>It also advises developers to scrutinize the use of uppercase letters in package names, a common tactic used in typosquatting attacks. For example, a package named jsonstream could be confused with a malicious one named "JSONStream".</p> <p>Homographic attacks — where a package's name contains non-ASCII characters that resemble ASCII ones — is less of a problem now because npm doesn't support non-ASCII characters in package names.</p> <p>However, that can vary from registry to registry so developers need to check the policies of any registries in use to make sure the non-ASCII character rule is in use.<span>&nbsp;</span></p> <h2 style="font-size: 24px; font-weight: bold;">A new addition to the software supply chain security toolbox</h2> <p>With pressure on software development teams to reach higher release velocity, there's an environment of ignoring security risks and treating security as a bottleneck, Rao said.</p> <p>Also, many development teams are not aware of npm attacks, and more importantly, are not aware of the tools at their disposal, <span>Rao</span> said. That's the value of these new best practices.</p> <blockquote> <p><em><span style="font-size: 24px;">"Simply following what the above guidelines recommend will effectively reduce the risks and help in keeping your software supply chain better protected."<br></span><span style="font-size: 24px;">—<a href="https://www.linkedin.com/in/divyakrishnarao/">Divya Rao</a></span></em></p> </blockquote> <p><span style="font-size: 18px;">ReversingLabs' Zanki said the guide did describe the most common security threats encountered through the npm ecosystem, like typosquatting and dependency confusion. <span style="font-size: 18px; background-color: transparent;">And OpenSSF's <a href="https://github.com/ossf/scorecard">Security Scorecards</a> are a good example of dependency evaluation tool.&nbsp; </span></span></p> <p><span style="font-size: 18px;"><span style="font-size: 18px; background-color: transparent;">However, they currently only cover GitHub projects, and aren't universally applicable across all npm packages, leaving blind spots. T</span></span><span style="background-color: transparent;">he next step needed to create secure software solutions are tools that can actually evaluate trustworthiness and security posture of dependencies for the developers, he said.</span></p> <blockquote> <p style="font-size: 24px;"><em>"Dependency evaluation is identified as a problem, but leaving such evaluation to developers' best judgment leaves wide-open doors for malicious actors."</em><br><em>—Karlo Zanki</em></p> </blockquote> <h2 style="font-size: 24px; font-weight: bold;">Keep learning</h2> <ul> <li><a href="https://develop.secure.software/tag/threat-research" style="font-weight: bold;">Learn more about recent npm attacks&nbsp;</a></li> <li><a href="https://develop.secure.software/the-supply-chain-security-guide-roadmap-for-a-post-solarwinds-world" style="font-weight: bold;">See "New U.S. software supply chain guidelines: A roadmap is born"</a></li> <li><a href="https://www.secure.software/reports/reversinglabs-nvd-analysis-2022-a-call-to-action-on-software-supply-chain-security" style="font-weight: bold;">Download report: NVD Analysis 2022 — A call to action on supply chain security</a></li> <li><a href="https://develop.secure.software/software-supply-chain-security-top-of-mind-tools-lacking" style="font-weight: bold;">See survey report: Tampering top of mind for dev — but detection lags</a></li> <li><a href="https://www.secure.software/solutions/software-release-security-management"><strong>Explore solutions for improving your software supply chain security</strong></a></li> </ul> <img src="https://track.hubspot.com/__ptq.gif?a=3375217&amp;k=14&amp;r=https%3A%2F%2Fdevelop.secure.software%2Fopenssfs-npm-best-practices-a-great-first-step-for-boosting-software-supply-chain-security&amp;bu=https%253A%252F%252Fdevelop.secure.software&amp;bvt=rss" alt="" width="1" height="1" style="min-height:1px!important;width:1px!important;border-width:0!important;margin-top:0!important;margin-bottom:0!important;margin-right:0!important;margin-left:0!important;padding-top:0!important;padding-bottom:0!important;padding-right:0!important;padding-left:0!important; "> Software Supply Chain Security Dev & DevSecOps npm security Wed, 14 Sep 2022 09:00:00 GMT jpmellojr@gmail.com (John P. Mello Jr.) https://develop.secure.software/openssfs-npm-best-practices-a-great-first-step-for-boosting-software-supply-chain-security 2022-09-14T09:00:00Z U.S., OpenSSF school dev teams on supply chain security https://develop.secure.software/u.s.-schools-devs-on-software-supply-chain-security <div class="hs-featured-image-wrapper"> <a href="https://develop.secure.software/u.s.-schools-devs-on-software-supply-chain-security" title="" class="hs-featured-image-link"> <img src="https://develop.secure.software/hubfs/large-pages--sear-greyson--unsplash.png" alt="U.S. schools developers on supply chain security" class="hs-featured-image" style="width:auto !important; max-width:50%; float:left; margin:0 15px 15px 0;"> </a> </div> <p><strong></strong></p> <p><strong><img src="https://develop.secure.software/hs-fs/hubfs/large-pages--sear-greyson--unsplash.png?width=1280&amp;name=large-pages--sear-greyson--unsplash.png" alt="large-pages--sear-greyson--unsplash" width="1280" style="width: 1280px;"></strong></p> <p><strong>The U.S. government is schooling developers</strong><span>&nbsp;</span>in a new document,<span>&nbsp;</span><i>Securing the Software Supply Chain</i>. The NSA, CISA and the Office of the Director of National Intelligence (ODNI) have the lead.</p> <p><strong>But,<span>&nbsp;</span><i>oh my</i>, what a lot of words.</strong><span>&nbsp;</span>So many words. Page after page after page of words. Given the number of different agencies involved, it’s no surprise it sounds like it was written by a committee — and one with verbal diarrhea.</p> <p><strong>Even so, dev teams</strong><span>&nbsp;</span>should try&nbsp;to familiarize themselves with it (especially if you want to sell to governments). In this week’s<span>&nbsp;</span><a href="https://develop.secure.software/tag/secure-software-blogwatch">Secure Software&nbsp;Blogwatch</a>, we achieve full buzzword compliance.</p> <p><a title="Richi Jennings" href="https://www.richi.uk/">Your humble blogwatcher</a>&nbsp;curated these bloggy bits for your entertainment. Not to mention:&nbsp;<i>Stop motion cooking</i>.<br>&nbsp;</p> <h2 style="font-weight: bold;">Feds’ big yawndoc</h2> <p><strong>What’s the craic?</strong><span>&nbsp;</span>Phil Muncaster reports&nbsp;—&nbsp;“<a title="read the full text" href="https://www.infosecurity-magazine.com/news/cisa-nsa-npm-software-supply-chain/">CISA, NSA and npm Release Software Supply Chain Guidance</a>”:</p> <blockquote style="font-size: 20px;"> <strong>“Weak link in the supply chain”</strong> <br>The US government has issued new guidance for developers designed to improve the security of the software supply chain, and in so doing make the nation’s critical infrastructure more resilient. … The document consolidates useful resources in a single location to help optimize security in software development. <br>… <br>An increasingly targeted weak link in the supply chain is open source repositories. One vendor observed a 650% year-on-year increase in threat actors deliberately injecting new vulnerabilities into these third-party libraries, so they could be exploited downstream. </blockquote> <p>&nbsp;<br><strong>Context plz?</strong><span>&nbsp;</span>David Jones fills in the blanks&nbsp;—&nbsp;“<a title="read the full text" href="https://www.cybersecuritydive.com/news/cisa-nsa-guidelines-secure-software-developer/631139/">Feds push for developers to take lead</a>”:</p> <blockquote style="font-size: 20px;"> <strong>“Part of an ongoing debate”</strong> <br>The Biden administration is heavily focused on gaining control over the nation’s critical infrastructure following the SolarWinds supply chain compromise in 2020. A series of historic ransomware attacks, including the May 2021 incident that forced a temporary, but massive fuel disruption at Colonial Pipeline, have heightened the administration’s concerns. <br>… <br>The timing of the release is related to the release of Executive Order 14028, which establishes new requirements to secure the software supply chain. … Biden signed the executive order in May 2021 in the aftermath of the SolarWinds and Microsoft Exchange server attacks. <br>… <br>The guidelines are part of an ongoing debate in the software and information security industries on when to deal with security flaws, but recent recommendations point to addressing concerns in the development stage. … The guidelines are the first of a three-part series planned by the agencies. Two additional guidelines will be focused on software suppliers and software customers. </blockquote> <p>&nbsp;<br><strong>Your tax dollars at work.</strong><span>&nbsp;</span>Some anonymous feds compile these “<a title="read the full text" href="https://www.cisa.gov/uscert/ncas/current-activity/2022/09/02/cisa-nsa-and-odni-release-part-one-guidance-securing-software">Recommended Practices for Developers</a>”:</p> <blockquote style="font-size: 20px;"> <strong>“Focuses on software developers”</strong> <br>Recent cyberattacks … highlight weaknesses within software supply chains, an issue which spans both commercial and open source software and impacts both private and Government enterprises. Accordingly, there is an increased need for software supply chain security awareness and cognizance regarding the potential for software supply chains to be weaponized by nation state adversaries. <br>… <br>The Enduring Security Framework (ESF) … is a cross-sector working group that operates … to address threats and risks to the security and stability of U.S. national security systems. It … is charged with bringing together representatives from private and public sectors to work on intelligence-driven, shared cybersecurity challenges. [The] ESF Software Supply Chain Working Panel has established this guidance to serve as a compendium of suggested practices for developers, suppliers, and customer stakeholders to help ensure a more secure software supply chain. <br>… <br>This document … focuses on software developers [and] will provide guidance in line with industry best practices and principles which software developers are strongly encouraged to reference. [It] recommends principles Developers may use to help secure the software development lifecycle (SDLC). … Each section contains examples of threat scenarios and recommended mitigations. Threat scenarios explain how processes that compose a given phase of the … SDLC relate to common vulnerabilities. </blockquote> <p>&nbsp;<br><strong>And so it goes on — and on …<span>&nbsp;</span><i>and on</i>.</strong><span>&nbsp;</span><a title="read the full text" href="https://www.reddit.com/r/cybersecurity/comments/x445kt/comment/imtora1/">u/zenodub</a><span>&nbsp;</span>sounds<span>&nbsp;</span><i>slightly</i><span>&nbsp;</span>sarcastic:</p> <blockquote style="font-size: 20px;"> Cool, I'm just going to give this 64 page document to a software developer. I'm sure they'll love that. <br>… <br>This seems more geared towards security managers with software development teams. </blockquote> <p>&nbsp;<br><strong>Our own</strong><span>&nbsp;</span>Paul Roberts notes the curious timing&nbsp;—&nbsp;“<a title="read the full text" href="https://develop.secure.software/the-supply-chain-security-guide-roadmap-for-a-post-solarwinds-world">A roadmap for the post-SolarWinds world</a>”:</p> <blockquote style="font-size: 20px;"> <strong>“Just another document languishing on a government website”</strong> <br>The U.S. Federal Government has dropped what may be its most significant statement on software supply chain security — on the eve of the last holiday weekend of summer, a time associated more with family barbecues or beach parties than software build processes. [It’s] a must-read for software development organizations concerned about threats to their software development process, including open source risk and sophisticated, SolarWinds-style tampering attacks. <br>… <br>The guide succeeds in what might be its most important goal: highlighting the supply chain cyber risk, while also providing something like a roadmap for development organizations to improve defenses. … Another big accomplishment of the supply chain guide is in its function as … a kind of Rosetta Stone for supply chain security. [It] makes a strong recommendation … that development organizations employ binary scanning and software composition analysis (SCA) tools that are capable of detecting unknown files and open source components … hiding within compiled binary packages. … The guidelines rightly identify IDE plugins and scripts as a huge attack surface that goes unchecked by most development organizations. That needs to change. <br>… <br>But, like any other guidelines, they are only useful to those development organizations that read them and expend the time, money and human resources needed to implement their recommendations. For everyone else, they're just another document languishing on a government website. </blockquote> <p>&nbsp;<br><strong>Can the private sector do any better?</strong><span>&nbsp;</span>Michael Hill makes a deal with Dog&nbsp;—&nbsp;“<a title="read the full text" href="https://www.csoonline.com/article/3672530/openssf-releases-npm-best-practices-to-help-developers-tackle-open-source-dependency-risks.html">OpenSSF releases npm best practices</a>”:</p> <blockquote style="font-size: 20px;"> <strong>“Shares security guidance”</strong> <br>The Open Source Security Foundation (OpenSSF) has released the npm Best Practices Guide to help JavaScript and TypeScript developers reduce the security risks associated with using open-source dependencies. [It] focuses on dependency management and supply chain security for npm and covers various areas such as how to set up a secure CI configuration, how to avoid dependency confusion, and how to limit the consequences of a hijacked dependency. <br>… <br>For example, the first step to using a dependency is to study its origin, trustworthiness, and security posture. It advises developers to look out for typosquatting attacks … by identifying the GitHub repository of the package and assessing its trustworthiness. … Developers should identify the corresponding package name and use OpenSSF Security Scorecards to learn about the current security posture of the dependency. … Developers should also use deps.dev to learn about the security posture of transitive dependencies and npm-audit to learn about existing vulnerabilities in the dependencies of the project. <br>… <br>Reproducible installation can ensure that exact copies of dependencies are used each time a package is installed. … Developers should also use a lockfile, which implements hash pinning. … The guide also shares security guidance on package release/publishing and private packages from internal registries. </blockquote> <p>&nbsp;<br><strong>Hopefully a bit more focused?</strong><span>&nbsp;</span>Myles Borins, Jordan Harband, Jeff Mendoza, Erez Rokah, Laurent Simon, Liran Tal and Randall T. Vasquez sound excited&nbsp;—&nbsp;“<a title="read the full text" href="https://openssf.org/blog/2022/09/01/npm-best-practices-for-the-supply-chain/">npm Best Practices</a>”:</p> <blockquote style="font-size: 20px;"> <strong>“Proactively harden their npm packages”</strong> <br>We are excited to announce the v1 release of the “npm Best Practices,” a new guide focused on dependency management and supply chain security. … It is a critical step to help JavaScript and TypeScript developers reduce risks as they choose open-source dependencies to use in their projects. <br>… <br>The ability to use another developer’s project as a dependency has contributed to faster development time, innovation, and a vibrant open-source community. … Using dependencies also incurs risks. … Still, the benefits of using dependencies most often outweigh the downsides. [The] guide is intended to help developers and organizations facing such problems so that they can consume dependencies more confidently. <br>… <br>Developers who follow this guide will proactively harden their npm packages against the most common supply chain attacks. … There are many other language ecosystems, and we are looking for help to create more guideline documents to support developers using open source securely. </blockquote> <p>&nbsp;<br><strong>How did we get here?</strong><span>&nbsp;</span><a title="read the full text" href="https://news.ycombinator.com/item?id=32748081">jimrandomh</a><span>&nbsp;</span>shoos you off his lawn:</p> <blockquote style="font-size: 20px;"> <strong>“The friction was serving an important function”</strong> <br>It used to be that adding library dependencies to a project had a lot of friction. … If you were writing a library yourself, then imposing indirect dependencies on users was something you'd try fairly hard to avoid. <br> <br>Then npm came along, with some ideology about code reuse, and the friction went away. But the friction was serving an important function: If adding a library is annoying, you'll add a small number of large libraries rather than a large number of small ones, and you avoid getting an ecosystem where major libraries have hundreds of tiny dependencies [and] trusting too many different developers and developers' computers. </blockquote> <p>&nbsp;<br><strong>Expanding on the theme,</strong><span>&nbsp;</span>here’s<span>&nbsp;</span><a title="read the full text" href="https://arstechnica.com/information-technology/2022/09/actors-behind-pypi-supply-chain-attack-have-been-active-since-late-2021/?comments=1&amp;post=41196494#comment-41196494">cerberusTI</a>:</p> <blockquote style="font-size: 20px;"> <strong>“Unchecked access to your production systems”</strong> <br>I solve this … by not allowing dependency managers within source code or for programming environments, and not granting enough access to make it easy to get around that. If you want outside software, that requires prior approval of each dependency. Approval requires that you provide a good reason it needs to be included, and is not the default. Anything crossing onto a staging server [is] subject to code review. <br>… <br>I have fairly restrictive policies on communications with or resources loaded from outside servers as well, and products which come under my control after development go through some review and remediation for this and other issues. Those interactions are well known and categorized, and difficult to hide. That kind of policy does select for certain types of programmers, but it limits problems … and has some benefits in lessening unintended interactions as well. <br>… <br>It is madness to rely upon code which can be updated through a process you do not understand and trust. … You have in effect arranged to give an individual you have no control over unchecked access to your production systems. … Understanding what you depend upon can be enough effort to set a fairly high bar for what is worth including in the end. </blockquote> <p>&nbsp;<br><strong>Meanwhile,</strong><span>&nbsp;</span><a title="read the full text" href="https://news.ycombinator.com/item?id=32747643">Rygian</a><span>&nbsp;</span>takes issue with the terminology:</p> <blockquote style="font-size: 20px;"> There was never a supply "chain" to begin with. If you're looking for a more precise metaphor, think of it as a large pot of slightly overcooked spaghetti and meatballs — where anyone can throw stuff into the pot. </blockquote> <h2>&nbsp;<br><span style="font-weight: bold;">And Finally:</span></h2> <p><strong><a title="And Finally" href="https://www.youtube.com/watch?v=jLiotL187WY&amp;list=PL9zSC5i495YMjIuJjxToNGU8Ve7Gd5Rvj">How vending machines<span>&nbsp;</span><i>really</i><span>&nbsp;</span>work</a></strong></p> <div class="hs-embed-wrapper" style="position: relative; overflow: hidden; width: 100%; height: auto; padding: 0; max-width: 560px; max-height: 315px; min-width: 256px; display: block; margin: auto;"> <div class="hs-embed-content-wrapper"> <div style="position: relative; overflow: hidden; max-width: 100%; padding-bottom: 56.25%; margin: 0px;"> <iframe style="position: absolute; top: 0px; left: 0px; width: 100%; height: 100%; border: none;" src="https://www.youtube.com/embed/jLiotL187WY" width="560" height="315" frameborder="0" allowfullscreen></iframe> </div> </div> </div> <p>&nbsp;</p> <p><a href="https://www.youtube.com/playlist?list=PL9zSC5i495YMjIuJjxToNGU8Ve7Gd5Rvj">Previously in<span>&nbsp;</span><em>And finally</em></a></p> <h2 style="font-size: 24px; font-weight: bold;">Keep learning</h2> <ul> <li><a href="https://develop.secure.software/tag/software-supply-chain-security" style="font-weight: bold;">Learn more about software supply chain security trends</a></li> <li><a href="https://develop.secure.software/the-sbom-is-evolving-4-key-trends-boost-software-supply-chain-security"><strong>Get up to speed on the SBOM's evolution</strong></a></li> <li><a href="https://www.secure.software/reports/reversinglabs-nvd-analysis-2022-a-call-to-action-on-software-supply-chain-security" style="font-weight: bold;">Download report: NVD Analysis 2022 — A Call to Action on Supply Chain Security</a></li> <li><a href="https://develop.secure.software/software-supply-chain-security-top-of-mind-tools-lacking" style="font-weight: bold;">See survey report: Tampering top of mind for dev — but detection lags</a></li> </ul> <p><em>You have been reading&nbsp;<i>Secure Software&nbsp;Blogwatch</i>&nbsp;by&nbsp;<a href="https://www.richi.uk/">Richi&nbsp;Jennings</a>. Richi curates the best bloggy bits, finest forums, and weirdest websites … so you don’t have to. Hate mail may be directed to&nbsp;<a href="https://twitter.com/richi">@RiCHi</a>&nbsp;or&nbsp;<a href="mailto:ssbw@richi.co.uk?subject=-sbbw-">ssbw@richi.uk</a>. Ask your doctor before reading. Your mileage may vary. E&amp;OE. 30.</em></p> <p><small><i>Image sauce:<span>&nbsp;</span><a href="https://unsplash.com/photos/K-ZsC7YdJ6Y">Sear Greyson</a><span>&nbsp;</span>(via<span>&nbsp;</span><a title="Some rights reserved" href="https://unsplash.com/license">Unsplash</a>; leveled and cropped)</i></small></p> <img src="https://track.hubspot.com/__ptq.gif?a=3375217&amp;k=14&amp;r=https%3A%2F%2Fdevelop.secure.software%2Fu.s.-schools-devs-on-software-supply-chain-security&amp;bu=https%253A%252F%252Fdevelop.secure.software&amp;bvt=rss" alt="" width="1" height="1" style="min-height:1px!important;width:1px!important;border-width:0!important;margin-top:0!important;margin-bottom:0!important;margin-right:0!important;margin-left:0!important;padding-top:0!important;padding-bottom:0!important;padding-right:0!important;padding-left:0!important; "> Software Supply Chain Security Secure Software Blogwatch Thu, 08 Sep 2022 09:00:00 GMT richi.jennings@richi.co.uk (Richi Jennings) https://develop.secure.software/u.s.-schools-devs-on-software-supply-chain-security 2022-09-08T09:00:00Z Enduring Security Framework's software supply chain guidelines: A roadmap for the post-SolarWinds world https://develop.secure.software/the-supply-chain-security-guide-roadmap-for-a-post-solarwinds-world <div class="hs-featured-image-wrapper"> <a href="https://develop.secure.software/the-supply-chain-security-guide-roadmap-for-a-post-solarwinds-world" title="" class="hs-featured-image-link"> <img src="https://develop.secure.software/hubfs/Securing-the-Software-Supply-Chain-report.jpg" alt="Enduring Security Framework's software supply chain guidelines: A roadmap for the post-SolarWinds world" class="hs-featured-image" style="width:auto !important; max-width:50%; float:left; margin:0 15px 15px 0;"> </a> </div> <p style="font-weight: bold; text-align: left;">The new federal guidance codifies lessons from the SolarWinds hack, including for securing third-party code and development pipelines. Here are four key takeaways.</p> <p style="font-weight: bold; text-align: left;"><img src="https://develop.secure.software/hs-fs/hubfs/Securing-the-Software-Supply-Chain-report.jpg?width=1400&amp;name=Securing-the-Software-Supply-Chain-report.jpg" alt="Securing-the-Software-Supply-Chain-report" width="1400" style="width: 1400px;">The new federal guidance codifies lessons from the SolarWinds hack, including for securing third-party code and development pipelines. Here are four key takeaways.</p> <p>The U.S. Federal Government dropped what may be its most significant statement on software supply chain security — on the eve of the last holiday weekend of summer, a time associated more with family barbecues or beach parties than software build processes.&nbsp;</p> <p>The guidance, in the form of a document titled <a href="https://media.defense.gov/2022/Sep/01/2003068942/-1/-1/0/ESF_SECURING_THE_SOFTWARE_SUPPLY_CHAIN_DEVELOPERS.PDF">"Securing the Software Supply Chain"</a> (PDF document), was released last week. The report was created by the Enduring Security Framework (ESF) Software Supply Chain Working Panel, comprising representatives from the National Security Agency (NSA), the Cybersecurity and Infrastructure Security Agency (CISA) and the Office for the Director of National Intelligence (ODNI). It <span style="background-color: transparent;">is intended as a “compendium of suggested practices for developers, suppliers, and customer stakeholders” to help ensure a more secure software supply chain.</span></p> <p>The new guidance weighs in at 64 pages — a hefty tome intended to set the record straight on secure development processes. "Securing the Software Supply Chain" is a must-read for software development organizations concerned about threats to their software development process, including open source risk and sophisticated, SolarWinds-style <a href="https://develop.secure.software/software-supply-chain-security-top-of-mind-tools-lacking"><span style="background-color: #ffffff;">tampering</span> attacks</a>.&nbsp;</p> <p><span>The new guidelines are a kind of roadmap to building a healthy software development environment, said Tomislav Peričin, co-founder and chief software architect for ReversingLabs. That map includes a <a href="https://develop.secure.software/the-sbom-is-evolving-4-key-trends-boost-software-supply-chain-security">Software Bill of Materials (SBOM)</a> for describing the components of software, active monitoring for vulnerabilities and software supply chain attacks, and a secure build environment and development team, he said.</span></p> <p>Here are four key takeaways from the report's recommended practices for development teams.</p> <h2 style="font-size: 24px; font-weight: bold;">1. Focus on software supply chain risk</h2> <p>The new recommended practices are a continuation of the U.S. Federal Government’s heightened focus on supply chain risk, especially following <a href="https://blog.reversinglabs.com/blog/sunburst-the-next-level-of-stealth">the notorious hack of the SolarWinds Orion software in 2020</a>. A key goal of the practices guide is to highlight supply chain risk as a priority for both software development organizations and consumers, and to re-orient security resources accordingly. As the document notes, organizations traditionally manage software supply chain activities separately from downloads, but a new generation of <a href="https://develop.secure.software/new-malicious-packages-in-pypi-repo">less conspicuous attacks looks to blur those lines</a>: injecting malicious code into products that are then passed downstream and consumed by other development organizations or end users in the global software supply chain.&nbsp;</p> <p>This shift in tactics warrants a similar shift by software publishers and defenders. As we noted in our <a href="https://www.secure.software/reports/reversinglabs-nvd-analysis-2022-a-call-to-action-on-software-supply-chain-security">recent analysis of the National Vulnerability Database (NVD)</a>, that’s still a work in progress. With vulnerabilities like Log4J, for example, it's clear that the risk profiles of open source modules and CI/CD platforms are gaining attention and driving more submissions to the NVD. But progress is slow. The NVD, for example, still does not enlist prominent source code platforms and application providers as CVE&nbsp;Numbering Authorities (CNAs) to better capture supply chain vulnerabilities such as those in open source repositories, development tools, and platforms.</p> <p>That’s a long-winded way of observing that the guide succeeds in what might be its most important goal: highlighting the supply chain cyber risk, while also providing something like a roadmap for development organizations to improve defenses against supply chain threats and attacks.&nbsp;</p> <h2 style="font-size: 24px; font-weight: bold;">2. A software supply chain security Rosetta Stone is born</h2> <p>Another big accomplishment of the supply chain guide is in its function as a “compendium.” In fact, the document functions as a kind of <a href="https://en.wikipedia.org/wiki/Rosetta_Stone">Rosetta Stone</a> for supply chain security: pulling together a wealth of public and private sector guidance on secure development and supply chain security practices and then correlating their recommendations.</p> <p>The guide compiles a wide range of sources on topics such as secure development lifecycle (SDLC) and creating SBOMs. Tables correlate recommended security mitigations with critical resources like NIST SP 800-218 “Secure Software Development Framework (SSDF),” while appendices spell out recommendations pertaining to developers, suppliers and customers and match them up to government and private sector frameworks like SSDF and Supply Chain Levels for Software Artifacts, or <a href="https://slsa.dev/">SLSA</a>.&nbsp;</p> <p>These days, software development is a ubiquitous activity and resources for doing secure development are likewise spread far and wide. The new guidelines provide a great resource and starting point for anyone looking to level up their software development and software supply chain security.&nbsp;</p> <h2 style="font-size: 24px; font-weight: bold;">3. Bet big on binary analysis</h2> <p>Another major achievement of the guide is focusing attention in an area that is often overlooked: the threat posed by malicious binaries that can corrupt otherwise secure software supply chains. The guide notes that source code analysis can provide much needed attention to the security of uncompiled source code as well as open source components. However, organizations that rely on third-party software modules that have already been compiled are, in essence, counting on security “black boxes” that obscure risks from the development team or organization using them.&nbsp;</p> <p>Accordingly, the guide makes a strong recommendation in <em><span style="font-weight: normal;">Section 2.3</span></em> that development organizations employ binary scanning and software composition analysis (SCA) tools that are capable of detecting unknown files and open source components (and their associated security weaknesses) hiding within compiled binary packages. In the early planning and assessment stages, these tools can reveal possible threats — such as vulnerabilities or possibly compromised open source components — that a third party module may bring with it. That kind of information can then inform decisions about whether to use a given module.&nbsp;</p> <p>For modules that are already part of the software supply chain, such scans can be matched up with<a href="https://develop.secure.software/the-sbom-is-evolving-4-key-trends-boost-software-supply-chain-security"> SBOMs</a> for source code — provided by the supplier — so that development teams can ensure that delivered code is consistent with what the supplier has attested to.</p> <h2 style="font-size: 24px; font-weight: bold;">4. Secure your software development process</h2> <p>Another major accomplishment of the guide is its focus on the security of both developers and the development environment. <em>Section 2.2</em> of the document, Develop Secure Code, contains recommendations for development organizations, including vigilance for developer-centric threats. Those include commonplace “ease of development” features like temporary “back doors” that find their way into production code as well as the myriad risks posed by poorly trained software engineers. The document also weighs in on more subtle (but dangerous) risks such as malicious insiders, rogue developers and compromised development systems.&nbsp;</p> <p>Attention has been given to hardening software development environments to encompass the modularized nature of IDEs, which became the de facto standard with the advent of code editors such as Visual Studio. Having build provenance data matters far less, for example, when the environment in which software is developed can not be audited and trusted. The guidelines rightly identify IDE plugins and scripts as a huge attack surface that goes unchecked by most development organizations. That needs to change, as looking at software supply chain risk only through the lens of vulnerabilities risks overlooking a wide range of other exposures and cyber risks.</p> <p>The guide's recommendations to address these risks are straightforward. Development organizations are encouraged to conduct automated static and dynamic testing of newly checked-in code to look for vulnerabilities, and to take the time to map newly created code back to clearly identified features and to implement authenticated code check-ins to guard against compromised development systems. Critical code — such as requiring elevated privileges, accessing sensitive resources or using or implementing cryptographic functions — should be subject to reviews and given a high priority.&nbsp;</p> <p>For developer systems, the report recommends implementation of strong, multi-factor authentication and virtual private networks (VPN), as well as continuous monitoring of developer systems.&nbsp;<span>Peričin</span> said the guide should help deliver the transparency that is needed to achieve better software supply chain security.</p> <blockquote> <p><span><em><span style="font-size: 24px;">"The forward-looking aspects like reproducible builds, SBOM unknowns, IDE ecosystem security, and least privilege as the default, should be openly welcomed by both software producers and consumers. Transparency required to make this process work seamlessly for the software consumer is a huge win for all security minded organizations.”</span></em><br><em><span style="font-size: 24px;">—<a href="https://twitter.com/ap0x">Tomislav Peričin</a></span></em><br><br></span></p> </blockquote> <h2 style="font-size: 24px; font-weight: bold;">Guidance is good, but surging software risk demands more</h2> <p>The Securing the Software Supply Chain practices guidelines are a welcome and timely addition to the federal government’s fast-evolving library of secure development and supply chain security resources. More than previous publications, it captures the complexity of the software supply chain problem, which encompasses everything from secure development practices, to the security of open source and third party code and threats that target developers, developer organizations and development tools and platforms.&nbsp;</p> <p>As <a href="https://www.nsa.gov/Press-Room/News-Highlights/Article/Article/3146465/nsa-cisa-odni-release-software-supply-chain-guidance-for-developers/">the press release for the report</a> notes:</p> <blockquote> <p style="font-size: 24px;"><em>"As the cyber threat continues to become more sophisticated, adversaries have begun to attack the software supply chain, rather than rely on publicly know vulnerabilities. This supply chain compromise allows malicious actors to move throughout networks seemingly undetected. In order to counter this threat, the cybersecurity community needs to focus on securing the software development lifecycle."</em></p> </blockquote> <p>But, like any other guidelines, guidelines are only useful to those development organizations that read them and expend the time, money and human resources needed to implement their recommendations. For everyone else, the ESF Practice Guidelines are just another document languishing on a government website.</p> <p>That’s why the next steps taken by U.S. Government agencies needs to be of the “carrot and stick” variety. Development organizations must have tangible incentives to shift practices in ways that the guidance suggests. Investments in technologies like source code analysis, binary scanning, SBOM generation, and hardening of development organizations constitute major changes for many (especially smaller) development organizations — and won’t happen simply because new guidance has been released.</p> <p>Strong market and regulatory incentives to embrace secure development practices — along the lines of those in <a href="https://www.cisa.gov/executive-order-improving-nations-cybersecurity">Executive Order 14028 on Improving the Nation's Cybersecurity</a> — are necessary to turn the solid recommendations and guidance into tangible improvements in the security of deployed software and services.&nbsp;</p> <h2 style="font-size: 24px; font-weight: bold;">Keep learning</h2> <ul> <li><a href="https://develop.secure.software/tag/software-supply-chain-security" style="font-weight: bold;">Learn more about software supply chain security trends</a></li> <li><a href="https://develop.secure.software/the-sbom-is-evolving-4-key-trends-boost-software-supply-chain-security"><strong>Get up to speed on the SBOM's evolution</strong></a></li> <li><a href="https://www.secure.software/reports/reversinglabs-nvd-analysis-2022-a-call-to-action-on-software-supply-chain-security" style="font-weight: bold;">Download report: NVD Analysis 2022 — A Call to Action on Supply Chain Security</a></li> <li><a href="https://develop.secure.software/software-supply-chain-security-top-of-mind-tools-lacking" style="font-weight: bold;">See survey report: Tampering top of mind for dev — but detection lags</a></li> </ul> <img src="https://track.hubspot.com/__ptq.gif?a=3375217&amp;k=14&amp;r=https%3A%2F%2Fdevelop.secure.software%2Fthe-supply-chain-security-guide-roadmap-for-a-post-solarwinds-world&amp;bu=https%253A%252F%252Fdevelop.secure.software&amp;bvt=rss" alt="" width="1" height="1" style="min-height:1px!important;width:1px!important;border-width:0!important;margin-top:0!important;margin-bottom:0!important;margin-right:0!important;margin-left:0!important;padding-top:0!important;padding-bottom:0!important;padding-right:0!important;padding-left:0!important; "> Software Supply Chain Security Wed, 07 Sep 2022 16:45:07 GMT paul.roberts@reversinglabs.com (Paul Roberts) https://develop.secure.software/the-supply-chain-security-guide-roadmap-for-a-post-solarwinds-world 2022-09-07T16:45:07Z The SBOM is evolving: 4 key trends that will boost software supply chain security https://develop.secure.software/the-sbom-is-evolving-4-key-trends-boost-software-supply-chain-security <div class="hs-featured-image-wrapper"> <a href="https://develop.secure.software/the-sbom-is-evolving-4-key-trends-boost-software-supply-chain-security" title="" class="hs-featured-image-link"> <img src="https://develop.secure.software/hubfs/sbom-evolution-4-key-trends-software-supply-chain-security.png" alt="The SBOM is evolving: 4 key trends software security teams should track" class="hs-featured-image" style="width:auto !important; max-width:50%; float:left; margin:0 15px 15px 0;"> </a> </div> <p style="font-weight: bold; text-align: left;">Software bills of materials will never be a panacea for software supply chain security. Here are key trends that will deliver some welcome evolution, however.</p> <p><img src="https://develop.secure.software/hs-fs/hubfs/sbom-evolution-4-key-trends-software-supply-chain-security.png?width=1400&amp;name=sbom-evolution-4-key-trends-software-supply-chain-security.png" alt="sbom-evolution-4-key-trends-software-supply-chain-security" width="1400" style="width: 1400px;"></p> <p style="font-weight: bold; text-align: left;">Software bills of materials will never be a panacea for software supply chain security. Here are key trends that will deliver some welcome evolution, however.</p> <p style="text-align: left;">With the growth in the widespread use of third-party and open source components in software, attackers are now squarely focused on the software supply chain — and attacks on supply chain components have surged since 2018.&nbsp;</p> <p>So it’s no surprise that application security and SecOps teams are increasingly concerned about these emerging new security risks. One way to assess those risks — which came with a <a href="https://blog.reversinglabs.com/blog/assessment-cybersecurity-executive-order-one-year-on">strong push from the U.S. government in the form of an Executive Order</a> following the SolarWinds attack — is the <a href="https://develop.secure.software/sbom-facts-know-whats-in-software-fend-off-supply-chain-attacks">Software Bill of Materials, or SBOM</a>.</p> <p>An SBOM is commonly compared to a list of ingredients on food items. It's a list of the components in an application or solution. The idea: If a user knows what's in the software they're using, they can better determine the risks it poses to them.&nbsp;</p> <p>Like the OWASP Top 10 is to general application security, the SBOM is a starting point for operationalizing software supply chain security. "Generating an SBOM is a great first step," said ReversingLabs software assurance evangelist Charles Jones. "You understand what's in your software. Now you need to understand what that means as a publisher and as a consumer."</p> <p>However, understanding SBOMs in practice is a concern for security teams, because they can only tell you a limited set of information – and only when you receive it, Jones said. "It's good to know what's in your food, but that doesn't tell you if an ingredient has been recalled or has been contaminated."</p> <p>Jones explained that the confusion over SBOMs meant adoption was still lagging.</p> <blockquote> <p style="font-size: 24px;"><em>"There's a lack of clarity regarding not only when to generate and distribute an SBOM, but, more importantly, what to do with it when you get it. They just know it's a requirement."</em><br><em>—<a href="https://www.linkedin.com/in/charlie-jones-44911476/">Charles Jones</a></em></p> </blockquote> <p>SBOMs are also not a panacea <a href="https://blog.reversinglabs.com/blog/software-supply-chain-risk-demands-our-attention">for software supply chain security</a>. Just because you know what's in your software doesn't mean you know which components that make up the software are introducing unnecessary risk into your business, such as the new class of software supply chain attacks that can carry out malware injections, software tampering and secrets exposure.&nbsp;</p> <p>Regardless, SBOMs are a key component of developing your organization's strategy to tackle supply chain security. Here are four key trends emerging to deal with some of the limitations of today’s SBOMs.</p> <h2 style="font-size: 24px;"><strong>1. Frameworks and guidelines emerge for SBOM data interchange</strong></h2> <p>Several formats and frameworks have appeared to improve the interoperability of SBOMs, said Daniel Kennedy, research director for information security and networking at 451 Research.</p> <blockquote> <p><span style="font-size: 24px;"><em>"Having a common format when a primary use case is data interchange is always important.”</em><em><br></em><em>—<a href="https://www.linkedin.com/in/danieltkennedy/">Daniel Kennedy</a></em></span></p> </blockquote> <p>Larry Maccherone, DevSecOps transformation evangelist at Contrast Security, said that when most people talk about SBOM, they aren’t talking about the general capability of a software composition analysis (SCA) tool to identify the contents.&nbsp;</p> <blockquote> <p style="font-size: 24px;"><em>"Rather, they are talking about the interchange format for moving that information across a toolchain and between organizations."</em><em><br></em><em>—<a href="https://www.linkedin.com/in/larrymaccherone/">Larry Maccherone</a></em></p> </blockquote> <p>There are three prominent SBOM standards: SPDX, SWID and CycloneX. Maccherone explained that CycloneDX is one of the most prominent formats. "It has its advantages, as do SPDX and SWID, but for the most part, they all have roughly the same information. So, it matters less which format you use but more that each of your vendors and tools support at least one format in common."</p> <p>Most SCA tool vendors are supporting at least two. But since it's not really a standard if there are more than one of them, there is pressure for one of them to become the de facto standard, he said.</p> <p style="font-size: 24px;"><strong>2. SBOMs get more useful with supplemental analysis</strong></p> <p>The original focus of SBOMs was to simply identify what’s in the software. That is now being expanded to include analysis, to understand the risk of those ingredients. For example when teams can tie the components listed in an SBOM to known malware, Jones noted.</p> <p>There are efforts to add vulnerability exploitability (VEX) information to the SBOM format. VEX was developed by the National Telecommunications and Information Administration (NTIA) and the Cybersecurity and Infrastructure Security Agency (CISA) to help suppliers determine if a product is impacted by a specific vulnerability in an included component and, if affected, the status of remediation.&nbsp;</p> <p>Maccherone warned that one problem with this approach, however, is that the vulnerability landscape is constantly changing.&nbsp;</p> <blockquote> <p style="font-size: 24px;"><em>"If the software that you receive one day looks clean based upon the current status of known vulnerabilities, it is highly likely that new vulnerabilities will be found later. In order for analysis information to be valuable to the consumer, the SBOM will have to be updated whenever its analysis data changes, even when there are actually no changes to the contents of the software.”</em><em><br></em><em>—Larry Maccherone</em></p> </blockquote> <p style="font-size: 24px;"><strong>3. More vendors are supporting SBOMs</strong></p> <p>One of the biggest trends is the number of vendors adding support — especially in the SCA space — for generating an SBOM around open source usage in real time, Kennedy noted.</p> <p>Sounil Yu, chief information security officer at JupiterOne, a cyber asset management and governance solutions provider, said that while some suppliers will embrace SBOMs, others will not. He noted one explanation was&nbsp;the ability to produce an SBOM is highly correlated with the modernity and maturity of a company's software development practices and technology stack.</p> <blockquote> <p style="font-size: 24px;"><em>"Just having the ability to easily produce one gives a customer a higher level of confidence that a supplier's software development practices are modern and mature enough to counter a wide range of common issues related to vulnerable or poorly maintained software."</em><em><br></em><em>—</em><a href="https://www.linkedin.com/in/sounil/"><em>Sounil Yu</em></a></p> </blockquote> <p>Yu said that most SBOMs now being generated by suppliers were for private use. "There aren't too many examples of voluntary, public sharing of SBOMs," he said.</p> <p>Rick Holland, chief information security officer and vice president for strategy at Digital Shadows, a digital risk protection solutions provider, said that sharing SBOMs can present challenges to technology vendors.&nbsp;&nbsp;</p> <blockquote> <p style="font-size: 24px;"><em>"An SBOM without context can create more work for both the buyer and the vendors. SBOMs could be interpreted differently by different customers, resulting in many questions from customer third-party risk teams."</em><em><br></em><em>—<a href="https://www.linkedin.com/in/rickhholland/">Rick Holland</a></em></p> </blockquote> <p style="font-size: 24px;"><strong>4. Automation helps SBOMs keep pace&nbsp;</strong></p> <p>Automation is essential for successful software supply chain security, said Abhay Bhargav<em>, </em>Founder and Chief Research Officer at AppSecEngineer<em><span>,</span></em> a training service<em><span>. </span></em>Noting the changing nature of the vulnerability landscape, he said SBOMs need to be generated, tracked and managed automatically to be up to date.</p> <blockquote> <p style="font-size: 24px;"><em>"Vulnerabilities in libraries are being constantly discovered. This means that a library that was considered safe yesterday, suddenly is subjected to a massive zero-day flaw that allows an adversary to arbitrarily execute code on your server-side environment."</em><br><em>—<a href="https://www.linkedin.com/in/abhaybhargav/">Abhay Bhargav</a></em></p> </blockquote> <p>The average application contains more than 500 open source components, according to Synopsis’s 2021 Open Source Security and Risk Analysis Report. Because of the dynamic nature of modern application development, software packages must be continually evaluated throughout their development, delivery and use lifecycle to ensure the security risk associated with existing, modified, or newly added components is understood, Jones said.&nbsp;</p> <blockquote> <p style="font-size: 24px;"><em>“Because of the volume of components which exist in an average software package, and their propensity for change, this is a near impossible feat without automation solutions.</em><em>"</em><em><br></em><em>—Charles Jones</em></p> </blockquote> <p style="font-size: 24px;"><strong>Software supply chain security is a journey</strong></p> <p>With the swirl of new standards, guidelines, and publications around general software supply chain security, it is hard for software teams to keep up, Jones said.&nbsp;</p> <blockquote> <p style="font-size: 24px;"><em>"There are so many guidelines and frameworks and standards imposed across the supply chain that it's creating complexity and confusion.”</em><em><br></em><em>—Charles Jones</em></p> </blockquote> <p>SBOMs are currently only a requirement for companies that do business with the federal government. Holland said that buyers need to vote with their dollars if they want to force SBOM adoption across the industry.</p> <blockquote> <p style="font-size: 24px;"><em>"In a world where vendors don't report or aren't even aware of all the software used in their solutions, defenders must fall back on detection and response.”</em><br><em>—Rick Holland</em></p> </blockquote> <p>Bhargav stressed that software security and SecOps teams also need to acknowledge that SBOMs are not a cure-all for software supply chain security.</p> <blockquote> <p style="font-size: 24px;"><em>"A lot of folks see SBOMs as a comprehensive solution to supply-chain security issues, where they are actually just the beginning of a long and continuous journey into supply-chain security.”</em><em><br></em><em>—Abhay Bhargav</em></p> </blockquote> <h2 style="font-size: 24px; font-weight: bold;">Keep learning</h2> <ul> <li><a href="https://develop.secure.software/tag/software-supply-chain-security" style="font-weight: bold;">Learn more about software supply chain security trends</a></li> <li><a href="https://www.secure.software/reports/reversinglabs-nvd-analysis-2022-a-call-to-action-on-software-supply-chain-security" style="font-weight: bold;">Get report: NVD Analysis 2022 — A Call to Action on Software Supply Chain Security</a></li> <li><a href="https://develop.secure.software/software-supply-chain-security-top-of-mind-tools-lacking" style="font-weight: bold;">See survey report: Tampering top of mind for dev — but detection lags</a></li> <li><a href="https://www.reversinglabs.com/sboms-securing-software-supply-chains" style="font-weight: bold;">Dig deeper on SBOMs with our explainer page</a></li> </ul> <img src="https://track.hubspot.com/__ptq.gif?a=3375217&amp;k=14&amp;r=https%3A%2F%2Fdevelop.secure.software%2Fthe-sbom-is-evolving-4-key-trends-boost-software-supply-chain-security&amp;bu=https%253A%252F%252Fdevelop.secure.software&amp;bvt=rss" alt="" width="1" height="1" style="min-height:1px!important;width:1px!important;border-width:0!important;margin-top:0!important;margin-bottom:0!important;margin-right:0!important;margin-left:0!important;padding-top:0!important;padding-bottom:0!important;padding-right:0!important;padding-left:0!important; "> Software Supply Chain Security Software Bill of Materials (SBOM) Tue, 06 Sep 2022 13:10:45 GMT jpmellojr@gmail.com (John P. Mello Jr.) https://develop.secure.software/the-sbom-is-evolving-4-key-trends-boost-software-supply-chain-security 2022-09-06T13:10:45Z LastPass hacked (again): What devs can learn https://develop.secure.software/lastpass-hacked-again-what-devs-can-learn <div class="hs-featured-image-wrapper"> <a href="https://develop.secure.software/lastpass-hacked-again-what-devs-can-learn" title="" class="hs-featured-image-link"> <img src="https://develop.secure.software/hubfs/large-lastpass--richi.png" alt="LastPass hacked (again): What devs can learn" class="hs-featured-image" style="width:auto !important; max-width:50%; float:left; margin:0 15px 15px 0;"> </a> </div> <p><strong>The latest LastPass hack:</strong><span>&nbsp;</span>Bad actors stole source code and other secrets from the huge password-manager firm’s dev environment. But not, it stresses, anyone’s passwords — <i>as far as it can tell</i>.</p> <p><img src="https://develop.secure.software/hs-fs/hubfs/large-lastpass--richi.png?width=1280&amp;name=large-lastpass--richi.png" alt="large-lastpass--richi" width="1280" style="width: 1280px;"></p> <p><strong>The latest LastPass hack:</strong><span>&nbsp;</span>Bad actors stole source code and other secrets from the huge password-manager firm’s dev environment. But not, it stresses, anyone’s passwords — <i>as far as it can tell</i>.</p> <p><strong>The moral of the story?</strong><span>&nbsp;</span>Devs should never rely on security by obscurity. Always assume you have unknown “CVSS 10.0” bugs and operate a defense-in-depth strategy. Imagine hackers already have your code, as if it was open source.</p> <p><strong>What a mess.</strong>&nbsp;And it’s not the first time. In this week’s<span>&nbsp;</span><a href="https://develop.secure.software/tag/secure-software-blogwatch">Secure Software&nbsp;Blogwatch</a>, we put all our eggs in one basket.</p> <p><a title="Richi Jennings" href="https://www.richi.uk/">Your humble blogwatcher</a>&nbsp;curated these bloggy bits for your entertainment. Not to mention:&nbsp;<i>Space-filling curves</i>.<br>&nbsp;</p> <h2 style="font-weight: bold;">LastChance for its reputation?</h2> <p><strong>What’s the craic?</strong><span>&nbsp;</span>Lawrence Abrams reports — “<a title="read the full text" href="https://www.bleepingcomputer.com/news/security/lastpass-developer-systems-hacked-to-steal-source-code/">LastPass developer systems hacked to steal source code</a>”:</p> <blockquote style="font-size: 20px;"> <strong>“33 million people and 100,000 businesses”</strong> <br>LastPass was hacked [three] weeks ago, enabling threat actors to steal the company's source code and proprietary technical information. The disclosure comes after [I] learned of the breach from insiders. <br>… <br>LastPass [confirmed] it was breached through a compromised developer account. … Sources [say] employees were scrambling to contain the attack. <br>… <br>Over 33 million people and 100,000 businesses … use the company's software to store their passwords securely [so] there are always concerns that if the company was hacked it could allow threat actors access to stored passwords. … It is vital to enable multi-factor authentication on your LastPass accounts so that threat actors won't be able to access your account even if your password is compromised. </blockquote> <p>&nbsp;<br><strong>Are you feeling any<span>&nbsp;</span><i>déjà vu</i>?</strong><span>&nbsp;</span>Steven J. Vaughan-Nichols tells us why — “<a title="read the full text" href="https://www.zdnet.com/article/lastpass-hacked/">LastPass was hacked — again</a>”:</p> <blockquote style="font-size: 20px;"> <strong>“Significant, annual security problems”</strong> <br>This isn't the first time LastPass has had security problems. In 2021, it appeared that some users' LastPass Master Passwords may have been revealed. LastPass replied that it hadn't been breached, but users … weren't convinced. <br>… <br>In 2020, LastPass had a major outage, and users reported they couldn't log into their accounts or autofill passwords. In 2019, a significant LastPass security problem was uncovered by security researchers. <br>… <br>It's still concerning that the biggest password security company … has significant, annual security problems. [And] with proprietary source code and technical secrets revealed, the possibility of an attack that could reveal users' passwords is certainly there. This is yet another example of how proprietary code is less secure than open-source code. </blockquote> <p>&nbsp;<br><strong>Horse’s mouth?</strong><span>&nbsp;</span>LastPass CEO Karim Toubba ’fesses in PR — “<a title="read the full text" href="https://blog.lastpass.com/2022/08/notice-of-recent-security-incident/">Notice of Recent Security Incident</a>”:</p> <blockquote style="font-size: 20px;"> <strong>“Achieved a state of containment”</strong> <br>We detected some unusual activity within portions of the LastPass development environment. … An unauthorized party gained access to portions of the LastPass development environment through a single compromised developer account. <br>… <br>This incident did not compromise your Master Password. We never store or have knowledge of your Master Password. We utilize [a] Zero Knowledge architecture. … This incident occurred in our development environment. [There’s] no evidence of any unauthorized access to customer data in our production environment. <br>… <br>In response to the incident, we have deployed containment and mitigation measures, and engaged a leading cybersecurity and forensics firm. While our investigation is ongoing, we have achieved a state of containment, implemented additional enhanced security measures, and see no further evidence of unauthorized activity. … We are evaluating further mitigation techniques. </blockquote> <p>&nbsp;<br><strong>So that’s alright then?</strong><span>&nbsp;</span><a title="read the full text" href="https://forums.theregister.com/forum/all/2022/08/25/lastpass_security/#c_4519971">LDS</a><span>&nbsp;</span>smells a rat:</p> <blockquote style="font-size: 20px;"> <i>"Excusatio non petita, accusatio manifesta."</i> <span>&nbsp;</span>Why they had to say [the master] passwords were still safe, if they never store or have knowledge of such passwords? <br>… <br>If LastPass doesn't have the passwords, how could they be compromised or accessed? A simple mistake [in a] rush, or a Freudian slip? Think about it. </blockquote> <p>&nbsp;<br><strong>Conspiracy theories aside,</strong><span>&nbsp;</span>should we stop using LastPass?<span>&nbsp;</span><a title="read the full text" href="https://tech.slashdot.org/comments.pl?sid=21954349&amp;cid=62826745">Dutch Gun</a><span>&nbsp;</span>thinks it’s good enough:</p> <blockquote style="font-size: 20px;"> Every other solution … I've looked at is a relative pain in the ***. … Right on the webpage, where you actually have to enter your credentials, they're entered for you automatically. If you change your password, LastPass detects it. Add some new credentials? LastPass detects and stores them for you. <br>… <br>Is it absolutely the most secure solution out there? Probably not, since integration with the browser carries some risk. Is it the most convenient solution with an acceptable level or risk for me? Yep. LastPass has been around a decade or so, with no serious security issues. They've been very good about reporting and responding to any potential issues that have been discovered. I understand how their technology works, and I'm comfortable that it's secure enough. </blockquote> <p>&nbsp;<br><strong>As does</strong><span>&nbsp;</span><a title="read the full text" href="https://arstechnica.com/information-technology/2022/08/the-number-of-companies-caught-up-in-the-twilio-hack-keeps-growing/?comments=1&amp;post=41180532#comment-41180532">metavirus</a>:</p> <blockquote style="font-size: 20px;"> I definitely agree that any hack is potentially troubling, but I think [we] could use a bit more nuance. … I’m not concerned, given what was hacked and how client-side data is stored. <br>… <br>At this point, we should all basically assume that any business we work with is going to get hacked. So we just need to be smart about mitigation. The details of the LastPass hack aren’t very troubling — to me at least. </blockquote> <p>&nbsp;<br><strong>But the source code.</strong><span>&nbsp;</span>The<span>&nbsp;</span><i>source code!</i><span>&nbsp;</span><a title="read the full text" href="https://forums.theregister.com/forum/all/2022/08/25/lastpass_security/#c_4519984">sarusa</a><span>&nbsp;</span>sounds deeply troubled:</p> <blockquote style="font-size: 20px;"> Here come the exploits. Of course if LastPass security and design is perfect, then it doesn't matter if the source code is stolen. But if there are any bugs at all (and there always are, and LastPass doesn't have a perfect record) then the attackers now have holes to drive through. </blockquote> <p>&nbsp;<br><strong>Which brings us back to SJVN’s point about closed source.</strong><span>&nbsp;</span><a title="read the full text" href="https://tech.slashdot.org/comments.pl?sid=21954349&amp;cid=62827943">gweihir</a><span>&nbsp;</span>drives it home:</p> <blockquote style="font-size: 20px;"> Well, there is really no sane reason to use anything closed-source … for this task. [But] there are always plenty of people disconnected from reality. </blockquote> <p>&nbsp;<br><strong>If we take him literally,</strong><span>&nbsp;</span><a title="read the full text" href="https://arstechnica.com/information-technology/2022/08/the-number-of-companies-caught-up-in-the-twilio-hack-keeps-growing/?comments=1&amp;post=41180512#comment-41180512">Robert</a><span>&nbsp;</span>might be one:</p> <blockquote style="font-size: 20px;"> See? This is why my password is "password123" everywhere. No dependencies on iffy third parties. </blockquote> <p>&nbsp;<br><strong>Meanwhile,</strong><span>&nbsp;</span><a title="read the full text" href="https://tech.slashdot.org/comments.pl?sid=21954349&amp;cid=62826353">nospam007</a><span>&nbsp;</span>snarks it up:</p> <blockquote style="font-size: 20px;"> Waiting for <span>&nbsp;</span> <i>VeryLastPass</i> <span>&nbsp;</span>to launch. </blockquote> <h2>&nbsp;<br><span style="font-weight: bold;">And Finally:</span></h2> <p><strong><a title="And Finally" href="https://www.youtube.com/watch?v=FpeeFcK3lTk&amp;list=PL9zSC5i495YMjIuJjxToNGU8Ve7Gd5Rvj">An “approximation” of an interesting video</a></strong></p> <div class="hs-embed-wrapper" style="position: relative; overflow: hidden; width: 100%; height: auto; padding: 0; max-width: 560px; max-height: 315px; min-width: 256px; display: block; margin: auto;"> <div class="hs-embed-content-wrapper"> <div style="position: relative; overflow: hidden; max-width: 100%; padding-bottom: 56.25%; margin: 0px;"> <iframe width="560" height="315" src="https://www.youtube.com/embed/FpeeFcK3lTk" frameborder="0" allowfullscreen style="position: absolute; top: 0px; left: 0px; width: 100%; height: 100%; border: none;"></iframe> </div> </div> </div> <p><span style="font-style: italic;">Hat tip:&nbsp;</span><a href="https://b3ta.com/links/Unexpected_tiling" style="font-style: italic;">FeralCatMan</a></p> <p><a href="https://www.youtube.com/playlist?list=PL9zSC5i495YMjIuJjxToNGU8Ve7Gd5Rvj" style="font-weight: bold;">Previously in&nbsp;<em>And finally</em></a></p> <h2 style="font-size: 24px; font-weight: bold;">Keep learning</h2> <ul> <li><a href="https://develop.secure.software/tag/software-supply-chain-security" style="font-weight: bold;">Learn more about software supply chain security trends</a></li> <li><a href="https://www.secure.software/reports/reversinglabs-nvd-analysis-2022-a-call-to-action-on-software-supply-chain-security" style="font-weight: bold;">Get report: NVD Analysis 2022 — A Call to Action on Software Supply Chain Security</a></li> <li><a href="https://develop.secure.software/software-supply-chain-security-top-of-mind-tools-lacking" style="font-weight: bold;">See survey report: Tampering top of mind for dev — but detection lags</a></li> <li><a href="https://www.secure.software/solutions/ci-cd-devsecops-workflow-security" style="font-weight: bold;">Explore solutions for detecting software tampering</a></li> </ul> <p><em>You have been reading&nbsp;<i>Secure Software&nbsp;Blogwatch</i>&nbsp;by&nbsp;<a href="https://www.richi.uk/">Richi&nbsp;Jennings</a>. Richi curates the best bloggy bits, finest forums, and weirdest websites … so you don’t have to. Hate mail may be directed to&nbsp;<a href="https://twitter.com/richi">@RiCHi</a>&nbsp;or&nbsp;<a href="mailto:ssbw@richi.co.uk?subject=-sbbw-">ssbw@richi.uk</a>. Ask your doctor before reading. Your mileage may vary. E&amp;OE. 30.</em></p> <img src="https://track.hubspot.com/__ptq.gif?a=3375217&amp;k=14&amp;r=https%3A%2F%2Fdevelop.secure.software%2Flastpass-hacked-again-what-devs-can-learn&amp;bu=https%253A%252F%252Fdevelop.secure.software&amp;bvt=rss" alt="" width="1" height="1" style="min-height:1px!important;width:1px!important;border-width:0!important;margin-top:0!important;margin-bottom:0!important;margin-right:0!important;margin-left:0!important;padding-top:0!important;padding-bottom:0!important;padding-right:0!important;padding-left:0!important; "> Secure Software Blogwatch Wed, 31 Aug 2022 12:49:34 GMT richi.jennings@richi.co.uk (Richi Jennings) https://develop.secure.software/lastpass-hacked-again-what-devs-can-learn 2022-08-31T12:49:34Z New malicious packages in PyPI: What it means for securing open source repositories https://develop.secure.software/new-malicious-packages-in-pypi-repo <div class="hs-featured-image-wrapper"> <a href="https://develop.secure.software/new-malicious-packages-in-pypi-repo" title="" class="hs-featured-image-link"> <img src="https://develop.secure.software/hubfs/secure.software/New-malicious-packages-in-PyPI.jpg" alt="New malicious packages in PyPI: What it means for securing open source repositories" class="hs-featured-image" style="width:auto !important; max-width:50%; float:left; margin:0 15px 15px 0;"> </a> </div> <p style="text-align: left;"><span style="font-weight: bold;"><br>After a recent discovery of malicious PyPI packages, questions remain about the security community’s ability to mitigate threats posed to open source repositories.</span></p> <p style="text-align: left;"><span style="font-weight: bold;"><img src="https://develop.secure.software/hs-fs/hubfs/pypi-poisoned-packages.png?width=1556&amp;name=pypi-poisoned-packages.png" alt="pypi-poisoned-packages" style="width: 1556px;" width="1556"></span><span style="font-weight: bold;"><br>After a recent discovery of malicious PyPI packages, questions remain about the security community’s ability to mitigate threats posed to open source repositories.</span></p> <p style="text-align: left;">The threat of software supply chain attacks has taken center stage in the year 2022, and a <a href="https://blog.reversinglabs.com/blog/a-partial-history-of-software-supply-chain-attacks"><span>robust track record of these attacks</span></a> demonstrates that there is an evergreen threat to software at large. What put <a href="https://blog.reversinglabs.com/blog/sunburst-the-next-level-of-stealth">software supply chain attacks on the map was SolarWinds</a>. But more recently, the dangers associated with the use of open source repositories specifically has made itself more clear in the newer software supply chain attacks that are unfolding.&nbsp;</p> <p style="text-align: left;">The recent <a href="https://blog.reversinglabs.com/blog/iconburst-npm-software-supply-chain-attack-grabs-data-from-apps-websites"><span>IconBurst software supply chain attack</span></a>, discovered by ReversingLabs, is a perfect example of how open source repositories can unfortunately be abused by malicious actors. What we found was a widespread campaign to install malicious NPM modules capable of harvesting sensitive data from forms embedded in mobile applications and websites. Unfortunately, IconBurst is just one example of public repositories being the attack vector for threat actors.&nbsp;</p> <p style="text-align: left;">This week, a new attack on open source unfolded. ReversingLabs’ Robert Perica and I detected several new malicious packages in the PyPI public repository, uploaded by a separate author. Perica believes that the packages found are almost identical, differing mainly by their names. The basic functionality of these packages is also identical, in that they beacon back successful installation to the C2 server and download a stage 2 payload from the remote server. This payload can be detected by using the open source <a href="https://github.com/k-vitali/Malware-Misc-RE/blob/master/2020-03-19-parallax-loader-yara.vk.yar"><span>YARA rule</span></a> for Parallax RAT.</p> <p style="text-align: left;">The following code snippet is of the first malware stage, within the published PyPi package, that downloads the Parallax RAT executable with the file extension reserved for screensavers on Windows.</p> <p><img src="https://lh3.googleusercontent.com/BtDj1mWbYg4gB0tTV6nuBo73RX1IKzq7a2VgoEmrDR6cSmsZyhZRlIOq6duVbTZQcMUnMN-34PtCKrtQIqA5P8z3SgKwZvnfRzsDIim4-B6G-H393sqRDu29Wp-M1mqdxZTnF3hwpgELcIhS7v4-eg0" style="width: 649px; margin-left: auto; margin-right: auto; display: block;" width="649">&nbsp;</p> <p style="font-size: 18px; text-align: center;"><em>Figure 1: Python code responsible for communication with C2 server&nbsp;</em></p> <p><img src="https://lh3.googleusercontent.com/TRXwifE5q_Nlx_XeXKzRJbwyeHArCHNWoGN-5t0YSgZsqr8hUzDz3uUCxcNw0_HbvzCcU1yVf4yvXaP3oWKqUS56adB1L6b82uIhGO_wFP4tacFywBoiKdIgW87gOt6EgXw7o2JTMNhpbBWMgIZNzGM" style="width: 651px; margin-left: auto; margin-right: auto; display: block;" width="651"></p> <p style="font-size: 18px; text-align: center;"><em>Figure 2: One of two user accounts used for publishing of malicious packages</em>&nbsp;</p> <p>ReversingLabs reached out to PyPI’s security team about these malicious packages, and they responded soon after saying that they had removed all of the packages as of August 23rd, 2022.&nbsp;&nbsp;&nbsp;</p> <p>Malicious packages found on public repositories like PyPI are not a new threat, being similar to IconBurst and other supply chain attacks abusing open source software. However, what is truly alarming for the security community are the recent attacks that have been performed by automatic submission of a large number of malicious packages to open source repositories. For example, on August 19th 2022, more than 900 malicious NPM packages were submitted by a single user, demonstrating that the mass volume of these malicious packages and the abilities of threat actors to easily dump them in public repositories is a current reality.&nbsp;</p> <p><img src="https://lh6.googleusercontent.com/6Guj0XtUoR0gb7wWlo_8DI-KvTgYuvwrJo3yPbcN3v4i39PuyMRhumYaAZoMbbv7CSXahAwP1lXCBHwWK95O4rCeFHDowSBORinNpaiUKPO8C02hbqDXQp7jdkjlVdxUsWms_lkdZDtiN8cyLu-3imU" style="width: 651px; margin-left: auto; margin-right: auto; display: block;" width="651"></p> <p style="font-size: 18px; text-align: center;"><em>Figure 3: User account used for publishing of malicious <span style="color: #33475b;">npm</span>&nbsp;packages</em></p> <p style="text-align: left;">With the increasing amount of malicious packages popping up in open source repositories, the bandwidth of the security community may not be prepared to prevent open source-based software supply chain attacks from occurring. Currently, open source software libraries and components form the foundation of, by some estimates, <a href="https://develop.secure.software/nvd-analysis-2022-why-you-need-to-modernize-your-software-security-approach"><span>75% of applications</span></a>. With an increasing reliance on open source packages, the attacks on these repositories has increased as well: attacks on npm and PyPI combined have <a href="https://develop.secure.software/nvd-analysis-2022-why-you-need-to-modernize-your-software-security-approach"><span>surged 289% since 2018</span></a>.&nbsp;</p> <p style="text-align: left;">The spreading of malicious packages is now not the only threat to public repositories. Today, <a href="https://twitter.com/pypi/status/1562442188285308929?s=20&amp;t=kEq_E47UqoKVMW9e8VUQeA"><span>PyPI shared on Twitter</span></a> (see below) that they have received reports of a phishing campaign targeting PyPI users. They stated that this is the first known phishing campaign against PyPI, creating another realistic threat impacting open source repositories.&nbsp;&nbsp;</p> <div class="hs-embed-wrapper" style="position: relative; overflow: hidden; width: 100%; height: auto; padding: 0px; max-width: 540px; min-width: 256px; display: block; margin: auto; max-height: 529px;"> <div class="hs-embed-content-wrapper"> <blockquote class="twitter-tweet"> <p>Today we received reports of a phishing campaign targeting PyPI users. This is the first known phishing attack against PyPI. <br><br>We're publishing the details here to raise awareness of what is likely an ongoing threat.</p>— Python Package Index (@pypi) <a href="https://twitter.com/pypi/status/1562442188285308929?ref_src=twsrc%5Etfw">August 24, 2022</a> </blockquote> </div> </div> <p>&nbsp;</p> <p>While it’s clear that open source repositories enable thriving developer communities, security researchers still stand alone in detecting and mitigating these kinds of threats, since public source repositories like PyPI and <span style="color: #33475b;">npm</span>&nbsp;struggle to prevent them, while at the same time never-before-seen threats are emerging.&nbsp;</p> <p>To learn more about the technical details of this new attack, its indicators of compromise (IoCs), and best practices for avoiding and mitigating these kinds of attacks, continue reading.&nbsp;</p> <h2 style="font-size: 24px;"><strong>Anatomy of the attack</strong></h2> <p style="text-align: left;">As a part of this malicious campaign almost 40 PyPI packages were published to the PyPI repository from two different accounts — <strong><em>pypzz</em></strong> and <strong><em>pypiappz</em></strong>. Since all of the packages contain almost identical code shown in Figure 1, it can safely be concluded that the same actor is managing both of them. All of the packages from the same author were published in a very short period of time leading to a conclusion that some kind of automated publishing process was utilized.&nbsp;</p> <p style="text-align: left;">As described earlier, the functionality of these python packages is quite simple. First they beacon back to the C2 server notifying it about successful installation. After that stage2 payload is downloaded and executed on the infected machine. Download link for the stage 2 payload is <strong><em>hxxps://python-release.com/python-install.scr.</em></strong> The domain as well as package names lead to the conclusion that the malicious actor is trying to impersonate the legitimate python download website.</p> <p><img src="https://lh5.googleusercontent.com/mdmEaJQL_-YIrjTn1NMfuSzzN77PP6WkmLC5djBq0c-7zA3aurNKWUEjDFVzMKUj6JSqSHBrzA7DTZ_ih8DA6bUzsD1wqUjHU8KxcinKJ4azDsGKotSn2Ec9OgJP7wsXtYPKvV_qdRAGvzxepnDdFA" style="width: 653px; margin-left: auto; margin-right: auto; display: block;" width="653"></p> <p style="font-size: 18px; text-align: center;"><em>Figure 4: Impersonation attempt of the legitimate python download webpage</em></p> <p style="text-align: left;">Looking at the content of the webpage hosted on this impersonation domain shows a slightly corrupt web layout. What stands out is a notice at the top of the page trying to convince the visitor into enabling javascript execution on this webpage. HTML source code of the page references a suspicious script.&nbsp;</p> <p><img src="https://lh5.googleusercontent.com/Bgkyd2M_32S0VN9C-SdPqW2uJKN9lB_uXUtLPSY3P9fU7oJMGnyfl98IjBXglqB8c_mS57NxMbDfro6kU9tPGPWAfjQvrnKYCw_ucIkLhUGoHNiKO2lqqha7OUJiWmT-dQdQRsvacQs-qtgs_s3xdw" style="width: 655px; margin-left: auto; margin-right: auto; display: block;" width="655"></p> <p style="text-align: center;"><span style="font-size: 18px;"><em>Figure 5: Reference to a suspicious jquery script</em></span></p> <p style="text-align: left;">The name tries to mimic a jquery javascript file, but the content of the script is obfuscated with Javascript obfuscator (mentioned in a few of our previous blog posts). The contents of this script uncover another file hosted on this weblocation which can also be downloaded under the name <strong><em>python-setup.zip</em></strong>.&nbsp;&nbsp;&nbsp;</p> <p><img src="https://lh6.googleusercontent.com/0UkXpgoqCNqwQDe7kI7wUDguCQ3bMqUdExjEfXoSbG6iQR0WiAgT9gAKFazgP1NG4cN01-qJa56pZwDfBDZrKMLYt1nYiYAwBCiBDAx1bJhbcyOgAFPboBeWY5Z3peEAlxbO9QceIzHLPrQDp3Mn7g" style="width: 651px; margin-left: auto; margin-right: auto; display: block;" width="651"></p> <p style="text-align: center; font-size: 18px;"><em>Figure 6: Artifacts revealing usage of Javascript obfuscator&nbsp;</em></p> <p style="text-align: left;">So to quickly summarize, the <strong><em>python-release.com </em></strong>domain hosts two downloadable files <strong><em>python-install.scr </em></strong>and <strong><em>python-setup.zip</em></strong>. The first one, referenced directly from PyPI packages, contains packed Parallax RAT malware. The second one is a zip archive containing several legitimate executables signed by Python Software Foundation. But it also contains an executable named <strong><em>python-install.scr </em></strong>(the same name as the one referenced from the PyPI packages) signed with a certificate issued to <strong><em>M-Trans Maciej Caban</em></strong> organization.&nbsp;</p> <p style="text-align: justify;"><img src="https://lh4.googleusercontent.com/v_R1k362GRO1gdF_nnkN_-7lUgd95oCpxmgNaFuoMRyfM0bcO4mF5aAc-XLZNZZg4dP6AxoyzS8ksiRWv0b9xF7b5hQCIAytTJ2sG4sYVovFR_a_D9tA146sbTyUYBEEbhzK1fgdzWlhBrL4B6Q0Tg" style="width: 652px; margin-left: auto; margin-right: auto; display: block;" width="652"></p> <p style="font-size: 18px; text-align: center;"><em>Figure 7: Valid signature of the malicious executable</em>&nbsp;</p> <p style="text-align: left;">The signature is valid but the file contains malicious .NET executable in the file overlay. Behavior indicators extracted from this .NET executable reveal that it performs credential stealing from Microsoft Edge and Google Chrome local databases and exfiltrates that data to <strong><em>python-release.com</em></strong> C2 domain.</p> <p style="text-align: justify;"><img src="https://lh3.googleusercontent.com/oKwkOnM9ez-tLIqpSAFG6kq1ywgDnpNTtykn4mEAWKX8Ua_ck5-UBADTg3e7qFZDgEWu1xa1SYRS_3XODNUF29dakhGOFRtFBwxtXGTYfQxvnhrHamvW3u1ChBtW2Rjzp8w3lpAiutxYcGixRtLQpA" style="margin-left: auto; margin-right: auto; display: block;" width="624" height="125">&nbsp;</p> <p style="font-size: 18px; text-align: center;"><em>Figure 8: Behavior indicators extracted from python-install.scr payload</em></p> <p>One of the powerful features ReversingLabs a1000 platform provides is URL analysis. It provides a way to see a history of analysis performed for some domain and to see how many different files were downloaded from that domain. In this case 4 different files were downloaded from this domain and so far, only two were covered with the current research. So it is possible that earlier in time, different files were served when the same URL was visited.</p> <p><img src="https://lh5.googleusercontent.com/ZqCfSwjdVZIGFUC8r0KARE_ymW_78X0-JFDIM8f0LaG0cjhdifxEOQZDvPqGTnXIEG25Gc2zg1eJIG7DB0b3X3v-eD_l6PM3Jwhxm8HYF6fVJnmrFv2bhsleyAKdFQwK8YRh3uIvDadjPZ-HWoNKBQ" style="width: 651px; margin-left: auto; margin-right: auto; display: block;" width="651"></p> <p style="font-size: 18px; text-align: center;"><em>Figure 9: Behavior indicators extracted from python-install.scr payload</em></p> <p>ReversingLabs file similarity algorithms confirm this information and enable pivoting from the original two samples to the other ones previously hosted on the same domain. One of the files discovered in this way exfiltrates data to<strong><em> linkedopports.com</em></strong> domain, which is also seen in the PyPI packages as the domain to which beaconing about successful malware installation is reported. Both of the domains have <strong><em>alexander surovcev </em></strong>under their Registrant Organization entry in their public domain record. The total list of malicious files discovered during this investigation can be found in the IoC section at the end of this blog post.&nbsp;&nbsp;&nbsp;</p> <h2 style="font-size: 24px;"><strong>Indicators of Compromise (IoC)</strong></h2> <p style="font-weight: bold;">C2 domains extracted from the analyzed PyPI packages:</p> <p>linkedopports.com</p> <p>python-release.com</p> <p style="font-weight: bold;">Stage 2 payloads:</p> <p>b33824cafd32e7fb1a7bf01865ddac69f1ffd038</p> <p>68d32e3b84c0596805f438fb1cfc1b3befba821f</p> <p>1e697bc7d6a9762bfec958ee278510583039579c</p> <p>567e1d5aa3a409a910631e109263d718ebd60506<br><br>0a6731eba992c490d85d7a464fded2379996d77c</p> <p>d3ed1c7c0496311bb7d1695331dc8d3934fbc8ec</p> <p>a30df748d43fbb0b656b6898dd6957c686e50a66</p> <p style="font-weight: bold;">Package versions:</p> <table style="border-collapse: collapse; table-layout: fixed; margin: 0px auto 19px; border: 1px solid #99acc2; height: 4720px;" width="600"> <tbody> <tr style="height: 120.695px;"> <td style="border: 0.75pt solid #cccccc; width: 199.664px; height: 121px;"> <p><span style="font-size: 18px;">statmodel</span></p> </td> <td style="border: 0.75pt solid #cccccc; width: 199.664px; height: 121px;"> <p><span style="font-size: 18px;">4.5.2</span></p> </td> <td style="border: 0.75pt solid #cccccc; width: 199.672px; height: 121px;"> <p><span style="font-size: 18px;">204914fd686aeea8dfe6b2cdb740b394e94488e3</span></p> </td> </tr> <tr style="height: 120.695px;"> <td style="border: 0.75pt solid #cccccc; width: 199.664px; height: 121px;"> <p style="font-size: 18px;">etuptool</p> </td> <td style="border: 0.75pt solid #cccccc; width: 199.664px; height: 121px;"> <p><span style="font-size: 16px;">4.4.9</span></p> </td> <td style="border: 0.75pt solid #cccccc; width: 199.672px; height: 121px;"> <p><span style="font-size: 16px;">3aa184781b0a047b6a9a68cdd6a6b09de16b4f3f</span></p> </td> </tr> <tr style="height: 120.695px;"> <td style="border: 0.75pt solid #cccccc; width: 199.664px; height: 121px;"> <p><span style="font-size: 16px;">yinance</span></p> </td> <td style="border: 0.75pt solid #cccccc; width: 199.664px; height: 121px;"> <p><span style="font-size: 16px;">4.5.2</span></p> </td> <td style="border: 0.75pt solid #cccccc; width: 199.672px; height: 121px;"> <p><span style="font-size: 16px;">2aaa80ce453a35728241193feae0dee707ae366f</span></p> </td> </tr> <tr style="height: 120.695px;"> <td style="border: 0.75pt solid #cccccc; width: 199.664px; height: 121px;"> <p><span style="font-size: 16px;">yaudio</span></p> </td> <td style="border: 0.75pt solid #cccccc; width: 199.664px; height: 121px;"> <p><span style="font-size: 16px;">4.5.2</span></p> </td> <td style="border: 0.75pt solid #cccccc; width: 199.672px; height: 121px;"> <p><span style="font-size: 16px;">98629ee071cced65aef699ace70a2aef2a84d444</span></p> </td> </tr> <tr style="height: 120.695px;"> <td style="border: 0.75pt solid #cccccc; width: 199.664px; height: 121px;"> <p><span style="font-size: 16px;">proxycrape</span></p> </td> <td style="border: 0.75pt solid #cccccc; width: 199.664px; height: 121px;"> <p><span style="font-size: 16px;">4.5.2</span></p> </td> <td style="border: 0.75pt solid #cccccc; width: 199.672px; height: 121px;"> <p><span style="font-size: 16px;">e2386d874347cf15771b9aa42ae97b7e27b44434</span></p> </td> </tr> <tr style="height: 120.695px;"> <td style="border: 0.75pt solid #cccccc; width: 199.664px; height: 121px;"> <p><span style="font-size: 16px;">etuptool</span></p> </td> <td style="border: 0.75pt solid #cccccc; width: 199.664px; height: 121px;"> <p><span style="font-size: 16px;">4.5.2</span></p> </td> <td style="border: 0.75pt solid #cccccc; width: 199.672px; height: 121px;"> <p><span style="font-size: 16px;">e66e558d8d6187c9fd12e585ee73ff22e3f9d80f</span></p> </td> </tr> <tr style="height: 120.695px;"> <td style="border: 0.75pt solid #cccccc; width: 199.664px; height: 121px;"> <p><span style="font-size: 16px;">etuptool</span></p> </td> <td style="border: 0.75pt solid #cccccc; width: 199.664px; height: 121px;"> <p><span style="font-size: 16px;">4.4.8</span></p> </td> <td style="border: 0.75pt solid #cccccc; width: 199.672px; height: 121px;"> <p><span style="font-size: 16px;">ac152bffd1f6c35467c3aef0b00ef4c4ba1a9978</span></p> </td> </tr> <tr style="height: 120.695px;"> <td style="border: 0.75pt solid #cccccc; width: 199.664px; height: 121px;"> <p><span style="font-size: 16px;">deeepl</span></p> </td> <td style="border: 0.75pt solid #cccccc; width: 199.664px; height: 121px;"> <p><span style="font-size: 16px;">4.5.2</span></p> </td> <td style="border: 0.75pt solid #cccccc; width: 199.672px; height: 121px;"> <p><span style="font-size: 16px;">ca39a7a5ceee86a1ce1fd13463138385d8364c82</span></p> </td> </tr> <tr style="height: 120.695px;"> <td style="border: 0.75pt solid #cccccc; width: 199.664px; height: 121px;"> <p><span style="font-size: 16px;">statsmodel</span></p> </td> <td style="border: 0.75pt solid #cccccc; width: 199.664px; height: 121px;"> <p><span style="font-size: 16px;">4.5.2</span></p> </td> <td style="border: 0.75pt solid #cccccc; width: 199.672px; height: 121px;"> <p><span style="font-size: 16px;">2b29eeb77e5a0fdc78cf5a50365824d435121b6d</span></p> </td> </tr> <tr style="height: 120.695px;"> <td style="border: 0.75pt solid #cccccc; width: 199.664px; height: 121px;"> <p><span style="font-size: 16px;">proxyrape</span></p> </td> <td style="border: 0.75pt solid #cccccc; width: 199.664px; height: 121px;"> <p><span style="font-size: 16px;">4.5.2</span></p> </td> <td style="border: 0.75pt solid #cccccc; width: 199.672px; height: 121px;"> <p><span style="font-size: 16px;">700e8b533406bbe2a4934c4a5ba1f312b4be8fac</span></p> </td> </tr> <tr style="height: 120.695px;"> <td style="border: 0.75pt solid #cccccc; width: 199.664px; height: 121px;"> <p><span style="font-size: 16px;">yinstaller</span></p> </td> <td style="border: 0.75pt solid #cccccc; width: 199.664px; height: 121px;"> <p><span style="font-size: 16px;">4.5.2</span></p> </td> <td style="border: 0.75pt solid #cccccc; width: 199.672px; height: 121px;"> <p><span style="font-size: 16px;">1a9f683a47d242c2aba4a4c811ab0ffc9a062e34</span></p> </td> </tr> <tr style="height: 120.695px;"> <td style="border: 0.75pt solid #cccccc; width: 199.664px; height: 121px;"> <p><span style="font-size: 16px;">etuptool</span></p> </td> <td style="border: 0.75pt solid #cccccc; width: 199.664px; height: 121px;"> <p><span style="font-size: 16px;">4.4.7</span></p> </td> <td style="border: 0.75pt solid #cccccc; width: 199.672px; height: 121px;"> <p><span style="font-size: 16px;">cc1bcf24e17957dfa533aaa951d823370adf0cf3</span></p> </td> </tr> <tr style="height: 120.695px;"> <td style="border: 0.75pt solid #cccccc; width: 199.664px; height: 121px;"> <p><span style="font-size: 16px;">etuptool</span></p> </td> <td style="border: 0.75pt solid #cccccc; width: 199.664px; height: 121px;"> <p><span style="font-size: 16px;">4.5.1</span></p> </td> <td style="border: 0.75pt solid #cccccc; width: 199.672px; height: 121px;"> <p><span style="font-size: 16px;">1f7549003aa8cd96682962effcad48005ff31366</span></p> </td> </tr> <tr style="height: 120.695px;"> <td style="border: 0.75pt solid #cccccc; width: 199.664px; height: 121px;"> <p><span style="font-size: 16px;">eepl</span></p> </td> <td style="border: 0.75pt solid #cccccc; width: 199.664px; height: 121px;"> <p><span style="font-size: 16px;">4.5.2</span></p> </td> <td style="border: 0.75pt solid #cccccc; width: 199.672px; height: 121px;"> <p><span style="font-size: 16px;">f51fb81df3dc990b91c11afe59117487d1847056</span></p> </td> </tr> <tr style="height: 120.695px;"> <td style="border: 0.75pt solid #cccccc; width: 199.664px; height: 121px;"> <p><span style="font-size: 16px;">ywin32</span></p> </td> <td style="border: 0.75pt solid #cccccc; width: 199.664px; height: 121px;"> <p><span style="font-size: 16px;">4.5.2</span></p> </td> <td style="border: 0.75pt solid #cccccc; width: 199.672px; height: 121px;"> <p><span style="font-size: 16px;">4b768ac033b2bc673038f10ed7106a9ede01447d</span></p> </td> </tr> <tr style="height: 120.695px;"> <td style="border: 0.75pt solid #cccccc; width: 199.664px; height: 121px;"> <p><span style="font-size: 16px;">statmodels</span></p> </td> <td style="border: 0.75pt solid #cccccc; width: 199.664px; height: 121px;"> <p><span style="font-size: 16px;">4.5.2</span></p> </td> <td style="border: 0.75pt solid #cccccc; width: 199.672px; height: 121px;"> <p><span style="font-size: 16px;">b2467b8689232ca2e3d14f078c1b242f2c389435</span></p> </td> </tr> <tr style="height: 120.695px;"> <td style="border: 0.75pt solid #cccccc; width: 199.664px; height: 121px;"> <p><span style="font-size: 16px;">discordhook</span></p> </td> <td style="border: 0.75pt solid #cccccc; width: 199.664px; height: 121px;"> <p><span style="font-size: 16px;">4.5.2</span></p> </td> <td style="border: 0.75pt solid #cccccc; width: 199.672px; height: 121px;"> <p><span style="font-size: 16px;">1e44d0184dc43714cf78394a33ba121717c3e5dc</span></p> </td> </tr> <tr style="height: 120.695px;"> <td style="border: 0.75pt solid #cccccc; width: 199.664px; height: 121px;"> <p><span style="font-size: 16px;">igtoolz</span></p> </td> <td style="border: 0.75pt solid #cccccc; width: 199.664px; height: 121px;"> <p><span style="font-size: 16px;">4.5.2</span></p> </td> <td style="border: 0.75pt solid #cccccc; width: 199.672px; height: 121px;"> <p><span style="font-size: 16px;">86a50659bbde4310afef05b94a8e8db14e06f8e5</span></p> </td> </tr> <tr style="height: 120.695px;"> <td style="border: 0.75pt solid #cccccc; width: 199.664px; height: 121px;"> <p><span style="font-size: 16px;">elenium</span></p> </td> <td style="border: 0.75pt solid #cccccc; width: 199.664px; height: 121px;"> <p><span style="font-size: 16px;">4.5.2</span></p> </td> <td style="border: 0.75pt solid #cccccc; width: 199.672px; height: 121px;"> <p><span style="font-size: 16px;">3f336b5768b015c4dd7d2ad10c4a132187b6f812</span></p> </td> </tr> <tr style="height: 120.695px;"> <td style="border: 0.75pt solid #cccccc; width: 199.664px; height: 121px;"> <p><span style="font-size: 16px;">asn2crypto</span></p> </td> <td style="border: 0.75pt solid #cccccc; width: 199.664px; height: 121px;"> <p><span style="font-size: 16px;">4.5.2</span></p> </td> <td style="border: 0.75pt solid #cccccc; width: 199.672px; height: 121px;"> <p><span style="font-size: 16px;">801fbbacf11f0ba4f36964408d37bbaa6d86616e</span></p> </td> </tr> <tr style="height: 120.695px;"> <td style="border: 0.75pt solid #cccccc; width: 199.664px; height: 121px;"> <p><span style="font-size: 16px;">bitcoinliv</span></p> </td> <td style="border: 0.75pt solid #cccccc; width: 199.664px; height: 121px;"> <p><span style="font-size: 16px;">4.5.2</span></p> </td> <td style="border: 0.75pt solid #cccccc; width: 199.672px; height: 121px;"> <p><span style="font-size: 16px;">5f2821f973045bde351254bb5b3612428e90767e</span></p> </td> </tr> <tr style="height: 120.695px;"> <td style="border: 0.75pt solid #cccccc; width: 199.664px; height: 121px;"> <p><span style="font-size: 16px;">crypto-data-fetch</span></p> </td> <td style="border: 0.75pt solid #cccccc; width: 199.664px; height: 121px;"> <p><span style="font-size: 16px;">4.5.2</span></p> </td> <td style="border: 0.75pt solid #cccccc; width: 199.672px; height: 121px;"> <p><span style="font-size: 16px;">0abc9b6b0bec33be282f3abd93be79a339ea333e</span></p> </td> </tr> <tr style="height: 120.695px;"> <td style="border: 0.75pt solid #cccccc; width: 199.664px; height: 121px;"> <p><span style="font-size: 16px;">crypto-get-price</span></p> </td> <td style="border: 0.75pt solid #cccccc; width: 199.664px; height: 121px;"> <p><span style="font-size: 16px;">4.5.2</span></p> </td> <td style="border: 0.75pt solid #cccccc; width: 199.672px; height: 121px;"> <p><span style="font-size: 16px;">0ae235914da06b39dc6fa8e6d9a97eae92d679f1</span></p> </td> </tr> <tr style="height: 120.695px;"> <td style="border: 0.75pt solid #cccccc; width: 199.664px; height: 121px;"> <p><span style="font-size: 16px;">crypto-open</span></p> </td> <td style="border: 0.75pt solid #cccccc; width: 199.664px; height: 121px;"> <p><span style="font-size: 16px;">4.5.2</span></p> </td> <td style="border: 0.75pt solid #cccccc; width: 199.672px; height: 121px;"> <p><span style="font-size: 16px;">024dfa015eca044014800c4fa95fae549f5bdf14</span></p> </td> </tr> <tr style="height: 120.695px;"> <td style="border: 0.75pt solid #cccccc; width: 199.664px; height: 121px;"> <p><span style="font-size: 16px;">crypto-os</span></p> </td> <td style="border: 0.75pt solid #cccccc; width: 199.664px; height: 121px;"> <p><span style="font-size: 16px;">4.5.2</span></p> </td> <td style="border: 0.75pt solid #cccccc; width: 199.672px; height: 121px;"> <p><span style="font-size: 16px;">ec1da8be4029d12688e934b8a901867cff0f3395</span></p> </td> </tr> <tr style="height: 120.695px;"> <td style="border: 0.75pt solid #cccccc; width: 199.664px; height: 121px;"> <p><span style="font-size: 16px;">cryptobalance</span></p> </td> <td style="border: 0.75pt solid #cccccc; width: 199.664px; height: 121px;"> <p><span style="font-size: 16px;">4.5.2</span></p> </td> <td style="border: 0.75pt solid #cccccc; width: 199.672px; height: 121px;"> <p><span style="font-size: 16px;">5bce39d594b360a044586f7b271000788c1ec6c8</span></p> </td> </tr> <tr style="height: 120.695px;"> <td style="border: 0.75pt solid #cccccc; width: 199.664px; height: 121px;"> <p><span style="font-size: 16px;">django-metamaks-auth</span></p> </td> <td style="border: 0.75pt solid #cccccc; width: 199.664px; height: 121px;"> <p><span style="font-size: 16px;">4.5.2</span></p> </td> <td style="border: 0.75pt solid #cccccc; width: 199.672px; height: 121px;"> <p><span style="font-size: 16px;">20379bac52e98d84dca01e29e407013dd25af038</span></p> </td> </tr> <tr style="height: 120.695px;"> <td style="border: 0.75pt solid #cccccc; width: 199.664px; height: 121px;"> <p><span style="font-size: 16px;">django-metamask-aut</span></p> </td> <td style="border: 0.75pt solid #cccccc; width: 199.664px; height: 121px;"> <p><span style="font-size: 16px;">4.5.2</span></p> </td> <td style="border: 0.75pt solid #cccccc; width: 199.672px; height: 121px;"> <p><span style="font-size: 16px;">e064a11c1890f7c059e98411b854236d1869b99f</span></p> </td> </tr> <tr style="height: 120.695px;"> <td style="border: 0.75pt solid #cccccc; width: 199.664px; height: 121px;"> <p><span style="font-size: 16px;">django-web2-auth</span></p> </td> <td style="border: 0.75pt solid #cccccc; width: 199.664px; height: 121px;"> <p><span style="font-size: 16px;">4.5.2</span></p> </td> <td style="border: 0.75pt solid #cccccc; width: 199.672px; height: 121px;"> <p><span style="font-size: 16px;">c1424d23a3b60b80103a87dea831641c861b59b3</span></p> </td> </tr> <tr style="height: 120.695px;"> <td style="border: 0.75pt solid #cccccc; width: 199.664px; height: 121px;"> <p><span style="font-size: 16px;">django-web3-aut</span></p> </td> <td style="border: 0.75pt solid #cccccc; width: 199.664px; height: 121px;"> <p><span style="font-size: 16px;">4.5.2</span></p> </td> <td style="border: 0.75pt solid #cccccc; width: 199.672px; height: 121px;"> <p><span style="font-size: 16px;">d2b8a49e615597e4b0eaf0a833371d881803464c</span></p> </td> </tr> <tr style="height: 120.695px;"> <td style="border: 0.75pt solid #cccccc; width: 199.664px; height: 121px;"> <p><span style="font-size: 16px;">django-web4-auth</span></p> </td> <td style="border: 0.75pt solid #cccccc; width: 199.664px; height: 121px;"> <p><span style="font-size: 16px;">4.5.2</span></p> </td> <td style="border: 0.75pt solid #cccccc; width: 199.672px; height: 121px;"> <p><span style="font-size: 16px;">cd52dc473a8207546bae0d76c93c7def3cc2e775</span></p> </td> </tr> <tr style="height: 120.695px;"> <td style="border: 0.75pt solid #cccccc; width: 199.664px; height: 121px;"> <p><span style="font-size: 16px;">hameni</span></p> </td> <td style="border: 0.75pt solid #cccccc; width: 199.664px; height: 121px;"> <p><span style="font-size: 16px;">4.5.2</span></p> </td> <td style="border: 0.75pt solid #cccccc; width: 199.672px; height: 121px;"> <p><span style="font-size: 16px;">27473d1193e4ab1bded44119b0f7ed95fb81b062</span></p> </td> </tr> <tr style="height: 120.695px;"> <td style="border: 0.75pt solid #cccccc; width: 199.664px; height: 121px;"> <p><span style="font-size: 16px;">historic-crypt</span></p> </td> <td style="border: 0.75pt solid #cccccc; width: 199.664px; height: 121px;"> <p><span style="font-size: 16px;">4.5.2</span></p> </td> <td style="border: 0.75pt solid #cccccc; width: 199.672px; height: 121px;"> <p><span style="font-size: 16px;">c7ad5141df48d63f7264388176bce1fd6f828984</span></p> </td> </tr> <tr style="height: 120.695px;"> <td style="border: 0.75pt solid #cccccc; width: 199.664px; height: 121px;"> <p><span style="font-size: 16px;">jango-metamask-auth</span></p> </td> <td style="border: 0.75pt solid #cccccc; width: 199.664px; height: 121px;"> <p><span style="font-size: 16px;">4.5.2</span></p> </td> <td style="border: 0.75pt solid #cccccc; width: 199.672px; height: 121px;"> <p><span style="font-size: 16px;">c7a103b612ed783fd5bbc252681130d711cb5189</span></p> </td> </tr> <tr style="height: 120.695px;"> <td style="border: 0.75pt solid #cccccc; width: 199.664px; height: 121px;"> <p><span style="font-size: 16px;">jango-web3-auth</span></p> </td> <td style="border: 0.75pt solid #cccccc; width: 199.664px; height: 121px;"> <p><span style="font-size: 16px;">4.5.2</span></p> </td> <td style="border: 0.75pt solid #cccccc; width: 199.672px; height: 121px;"> <p><span style="font-size: 16px;">5130d078b886488f252399121cfeb6f442582fed</span></p> </td> </tr> <tr style="height: 120.695px;"> <td style="border: 0.75pt solid #cccccc; width: 199.664px; height: 121px;"> <p><span style="font-size: 16px;">pyvrypto</span></p> </td> <td style="border: 0.75pt solid #cccccc; width: 199.664px; height: 121px;"> <p><span style="font-size: 16px;">4.5.2</span></p> </td> <td style="border: 0.75pt solid #cccccc; width: 199.672px; height: 121px;"> <p><span style="font-size: 16px;">29b6a61addbc465c0f3ae9a1dc32654a9adcced7</span></p> </td> </tr> <tr style="height: 120.695px;"> <td style="border: 0.75pt solid #cccccc; width: 199.664px; height: 121px;"> <p><span style="font-size: 16px;">pyxrypto</span></p> </td> <td style="border: 0.75pt solid #cccccc; width: 199.664px; height: 121px;"> <p><span style="font-size: 16px;">4.5.2</span></p> </td> <td style="border: 0.75pt solid #cccccc; width: 199.672px; height: 121px;"> <p><span style="font-size: 16px;">16719ab5dbf1d4ca7661f3518257cd1019de540e</span></p> </td> </tr> <tr style="height: 120.695px;"> <td style="border: 0.75pt solid #cccccc; width: 199.664px; height: 121px;"> <p><span style="font-size: 16px;">ycrypto</span></p> </td> <td style="border: 0.75pt solid #cccccc; width: 199.664px; height: 121px;"> <p><span style="font-size: 16px;">4.5.2</span></p> </td> <td style="border: 0.75pt solid #cccccc; width: 199.672px; height: 121px;"> <p><span style="font-size: 16px;">0de72b64d5da5b93c9b45b89d98fd4d9cd8d19f0</span></p> </td> </tr> <tr style="height: 120.695px;"> <td style="border: 0.75pt solid #cccccc; width: 199.664px; height: 121px;"> <p><span style="font-size: 16px;">ycryptodome</span></p> </td> <td style="border: 0.75pt solid #cccccc; width: 199.664px; height: 121px;"> <p><span style="font-size: 16px;">4.5.2</span></p> </td> <td style="border: 0.75pt solid #cccccc; width: 199.672px; height: 121px;"> <p><span style="font-size: 16px;">e467fa8c098cc4c360571b1532e2da21e8b1702d</span></p> </td> </tr> </tbody> </table> <img src="https://track.hubspot.com/__ptq.gif?a=3375217&amp;k=14&amp;r=https%3A%2F%2Fdevelop.secure.software%2Fnew-malicious-packages-in-pypi-repo&amp;bu=https%253A%252F%252Fdevelop.secure.software&amp;bvt=rss" alt="" width="1" height="1" style="min-height:1px!important;width:1px!important;border-width:0!important;margin-top:0!important;margin-bottom:0!important;margin-right:0!important;margin-left:0!important;padding-top:0!important;padding-bottom:0!important;padding-right:0!important;padding-left:0!important; "> Threat Research Software Supply Chain Security Mon, 29 Aug 2022 12:27:00 GMT karlo.zanki@reversinglabs.com (Karlo Zanki) https://develop.secure.software/new-malicious-packages-in-pypi-repo 2022-08-29T12:27:00Z 5 reasons to stop blaming developers for software security fails https://develop.secure.software/5-reasons-to-stop-blaming-developers-for-all-software-security-fails <div class="hs-featured-image-wrapper"> <a href="https://develop.secure.software/5-reasons-to-stop-blaming-developers-for-all-software-security-fails" title="" class="hs-featured-image-link"> <img src="https://develop.secure.software/hubfs/point-finger-blam-developers-software-security.jpg" alt="5 reasons to stop blaming developers for software security fails" class="hs-featured-image" style="width:auto !important; max-width:50%; float:left; margin:0 15px 15px 0;"> </a> </div> <p><span style="font-weight: bold;">With modern software development, it's counterproductive to blame developers for your software security woes. Here are five reasons why.</span></p> <p><img src="https://develop.secure.software/hs-fs/hubfs/point-finger-blam-developers-software-security.jpg?width=1400&amp;name=point-finger-blam-developers-software-security.jpg" alt="point-finger-blam-developers-software-security" width="1400" style="width: 1400px;"></p> <p><span style="font-weight: bold;">With modern software development, it's counterproductive to blame developers for your software security woes. Here are five reasons why.</span></p> <p>When there's a failure in software security, it can be convenient to blame developers for the damage it causes to an organization. However, that path can not only be counterproductive — but also unwarranted.</p> <p>Modern application development is a complex process that involves third-party code and components. Software engineering is only a part of that process. And any number of elements in it can influence software security — either directly or indirectly, said Jasmine Noel, a senior product marketing manager at ReversingLabs.&nbsp;</p> <blockquote> <p style="font-size: 24px;"><span style="font-style: italic;">"Sure, a percentage of them will always be [from the development team] — so you always have to keep testing for vulnerabilities — but there's a growing percentage of things beyond vulnerabilities. </span><span style="font-style: italic;">You could develop the most secure software in the world — zero vulnerabilities — but you can still get attacked."<br></span><span style="font-style: italic;">—</span><a href="https://www.linkedin.com/in/jasminenoel/" style="font-style: italic;">Jasmine Noel</a></p> </blockquote> <p>With the changing nature of threats <a href="https://develop.secure.software/6-reasons-software-security-teams-need-to-go-beyond-vulnerability-response">shifting from legacy vulnerabilities to the software supply chain</a>, it's time to stop thinking that all application security problems stem from code that's badly written, Noel said.</p> <p>Here are five key reasons to stop blaming devs for your software security woes.&nbsp;</p> <h2 style="font-weight: bold; font-size: 24px;">1. The development process is an emerging attack vector</h2> <p>In the past, software development techniques and systems, such as containers and continuous integration/continuous delivery (CI/CD) environments — and the developers working in them — did not have to consider trust too much. Now they do. <span>"We're in a new phase of attack. They're attacking the development process," Noel said.&nbsp;</span></p> <blockquote> <p style="font-size: 24px;"><em>"They're attacking the trust we have in how we build software. So we need to rethink the threat models for our applications. Security people and development people need to get together to do that, but that get-together shouldn't start off with, 'You're doing something wrong or 'You made this error while coding.'"</em><br><em>—Jasmine Noel</em></p> </blockquote> <p>Hackers breaking into the development environment are making changes directly to infrastructure or automation being used to package and sign software, she added. The <a href="https://develop.secure.software/nvd-analysis-2022-why-you-need-to-modernize-your-software-security-approach">recent NVD Analysis 2022 report&nbsp;</a> showed that software supply chain attacks are surging, with attacks on popular repositories npm and PyPI up 289% since 2018. That happens after the developers are involved in creating the actual software. "A developer can't be blamed for that kind of attack."</p> <h2 style="font-size: 24px;"><strong>2. Decisions outside a developer's control can affect security</strong></h2> <p><span>Johannes Ullrich, dean of research at the SANS Technology Institute, explained that </span>by the time developers get to work on a project, a lot of decisions have already been made. "If those <span>decisions</span> aren't made properly, then developers will have a hard time implementing things securely," he said.</p> <blockquote> <p style="font-size: 24px;"><em>"Blaming a software fail on any individual or group, like software developers, always increases the risk that you're missing the bigger picture. Software is a system. It's not just lines of code. It starts with the design of the software, with grading specifications, all the way to testing. Developers play a critical role, but they're not the only individuals participating in creating software."<br>—<a href="https://www.linkedin.com/in/johannesullrich/"><span>Johannes Ullrich</span></a></em></p> </blockquote> <p>Casey Bisson, head of product and developer relations at the cybersecurity services company BluBracket, said software developers are always struggling with the classic "pick two" scenario among features, quality, and budget.</p> <blockquote> <p><em><span style="font-size: 24px;">"When we look at the problem that way, we realize that security failures are either a failure to include security in the planning and requirements given to developers, or in the budget priorities that developers are working within, including both time and resources."</span></em><br><em><span style="font-size: 24px;">—<a href="https://www.linkedin.com/in/casey-bisson/">Casey Bisson</a></span></em></p> </blockquote> <h2 style="font-size: 24px;"><strong>3. Time constraints imposed on developers can contribute to security failures</strong></h2> <p>If a developer is asked to add functionality to an application and not given the time and resources to do it properly, then security problems that arise from that feature aren't the fault of the developer's alone, Ullrich said. "They're a software development management problem or software <span>lifecycle</span> problem, where the system was just never designed properly," he said.</p> <blockquote> <p style="font-size: 24px;"><em>"Some time constraints you can offset with best practices and having good guidelines on how to develop secure code. In those cases, you may be able to speed up development, if developers have the proper tools."</em><br><em>—Johannes Ullrich</em></p> </blockquote> <p>However, Ullrich noted there are issues around business logic — such as who is supposed to have access to a feature or how people are authenticated — that can be difficult for developers to understand and for which they need more time to do so. "Rushing that often leads to mistakes," he said.</p> <p>Caroline Wong, chief strategy officer at Cobalt Labs, a penetration testing company, said that time constraints often meant that there was not enough time to focus on priorities — and not enough time to focus on items which are not a priority.</p> <blockquote> <p style="font-size: 24px;"><em>"Is it a priority for the organization to find and fix security vulnerabilities? That depends on a variety of factors, including culture and risk tolerance."</em><br><em>—<a href="https://www.linkedin.com/in/carolinewmwong/">Caroline Wong</a></em></p> </blockquote> <h2 style="font-size: 24px;"><strong>4. Legacy software baggage can undermine an application's security</strong></h2> <p>A lot of fails arise from "technical debt," or choices in an application made in the past for the sake of expediency that were flawed, said <span>Ed Moyle, a member of the ISACA Emerging Trends Working Group and systems and software security director at Drake Software, a developer of tax preparation software.</span></p> <p><span>Technical debt often includes places that impact, and in most cases weaken, security — but in places that may not be obvious, </span><span>Moyle </span>said.&nbsp;</p> <blockquote> <p style="font-size: 24px;"><em>"A management culture that engenders and fosters technical debt is absolutely contributing to security fails though they may not realize it. This is why they need experts who can help them understand why a culture of technical debt not only makes future development harder, but also undermines security as well."</em><br><em>—<a href="https://www.linkedin.com/in/edmoyle/">Ed Moyle</a></em></p> </blockquote> <h2 style="font-size: 24px;"><strong>5. Management leadership failures can lead to security failures</strong></h2> <p>An organization's leadership and management should be setting priorities for development teams, Wong explained.</p> <blockquote> <p style="font-size: 24px;"><em>"If finding and fixing security vulnerabilities is a priority, then attention will be paid to those activities, and they will be focused on. If not, these activities will be neglected and the result will be insecure software."</em><br><em>—Caroline Wong</em></p> </blockquote> <p>Management is not going to know the architecture of an application as well as the developers who work on it every day, so they shouldn't be expected to mandate in detail how developers should be writing code, said Moyle. "What they can do, however, is communicate goals by having engineering principles or other guidance signed off by management about how to approach specific development tasks."</p> <h2 style="font-size: 24px; font-weight: bold;">Stop the counterproductive blame game</h2> <p>As outlined in these five points, it's counterproductive to blame developers. Software security should be a shared responsibility, Noel said.&nbsp;</p> <blockquote> <p style="font-size: 24px;"><em><span style="background-color: transparent;">"Not all things that go wrong with software can be laid at the feet of a developer. </span><span style="background-color: transparent;">I'm not saying developers are without responsibility, but starting at a point where they're always at fault is not going to get you where you need to be."<br></span>—Jasmine Noel</em></p> </blockquote> <h2 style="font-size: 24px; font-weight: bold;">Keep learning</h2> <ul> <li><a href="https://develop.secure.software/tag/software-supply-chain-security" style="font-weight: bold;">Learn more about software supply chain security trends</a></li> <li><a href="https://www.secure.software/reports/reversinglabs-nvd-analysis-2022-a-call-to-action-on-software-supply-chain-security" style="font-weight: bold;">Get report: NVD Analysis 2022 — A Call to Action on Software Supply Chain Security</a></li> <li><a href="https://develop.secure.software/software-supply-chain-security-top-of-mind-tools-lacking" style="font-weight: bold;">See survey report: Tampering top of mind for dev — but detection lags</a></li> <li><a href="https://www.secure.software/solutions/ci-cd-devsecops-workflow-security" style="font-weight: bold;">Explore solutions for detecting software tampering</a></li> </ul> <img src="https://track.hubspot.com/__ptq.gif?a=3375217&amp;k=14&amp;r=https%3A%2F%2Fdevelop.secure.software%2F5-reasons-to-stop-blaming-developers-for-all-software-security-fails&amp;bu=https%253A%252F%252Fdevelop.secure.software&amp;bvt=rss" alt="" width="1" height="1" style="min-height:1px!important;width:1px!important;border-width:0!important;margin-top:0!important;margin-bottom:0!important;margin-right:0!important;margin-left:0!important;padding-top:0!important;padding-bottom:0!important;padding-right:0!important;padding-left:0!important; "> Dev & DevSecOps Fri, 26 Aug 2022 09:00:00 GMT jpmellojr@gmail.com (John P. Mello Jr.) https://develop.secure.software/5-reasons-to-stop-blaming-developers-for-all-software-security-fails 2022-08-26T09:00:00Z Hyundai devs used sample code signing keys, making updates vulnerable https://develop.secure.software/hyundai-devs-used-sample-code-signing-keys-making-updates-vulnerable <div class="hs-featured-image-wrapper"> <a href="https://develop.secure.software/hyundai-devs-used-sample-code-signing-keys-making-updates-vulnerable" title="" class="hs-featured-image-link"> <img src="https://develop.secure.software/hubfs/ioniq--kevauto--cc-by-sa.png" alt="Hyundai devs used sample code signing keys, making updates vulnerable" class="hs-featured-image" style="width:auto !important; max-width:50%; float:left; margin:0 15px 15px 0;"> </a> </div> <p><strong></strong></p> <p><strong><img src="https://develop.secure.software/hs-fs/hubfs/ioniq--kevauto--cc-by-sa.png?width=1920&amp;name=ioniq--kevauto--cc-by-sa.png" alt="ioniq--kevauto--cc-by-sa" width="1920" style="width: 1920px;"></strong></p> <p><strong>Developers of the entertainment unit in the Hyundai Ioniq</strong><span>&nbsp;</span>didn’t seem to follow the sample code they were using. They reused an RSA code-signing key pair from an example, rather than generating their own.</p> <p><strong>It’s another class of software supply chain vulnerability</strong>—albeit one caused by error, rather than malice. But it’s still a vulnerability, allowing bad actors to socially engineer malware into cars.</p> <p><strong>It’s only the entertainment unit,&nbsp;right?</strong><span>&nbsp;</span>But it’s a Linux computer with full access to the car’s critical CAN bus. In this week’s<span>&nbsp;</span><a href="https://develop.secure.software/tag/secure-software-blogwatch">Secure Software&nbsp;Blogwatch</a>, we’re frightened by the implications.</p> <p><a title="Richi Jennings" href="https://www.richi.uk/">Your humble blogwatcher</a>&nbsp;curated these bloggy bits for your entertainment. Not to mention:&nbsp;<i>The ending</i>.<br>&nbsp;</p> <h2 style="font-weight: bold;">Hyundai: ‘Leading by example’</h2> <p><strong>What’s the craic?</strong><span>&nbsp;</span>Thomas Claburn reports—“<a title="read the full text" href="https://www.theregister.com/2022/08/17/software_developer_cracks_hyundai_encryption/">Software developer cracks Hyundai car security with Google search</a>”:</p> <blockquote> <strong>“Hyundai used a public-private key pair from a tutorial”</strong> <br>"greenluigi1" wanted to modify the in-vehicle infotainment (IVI) system in his 2021 Hyundai Ioniq. … After trying to figure out how to customize firmware updates for the IVI's D-Audio2 system, made by the car company's mobility platform subsidiary Hyundai Mobis, and have them accepted by the IVI, the unidentified car hacker found an unexpected way. <br>… <br>But it wasn't going to be that easy: Some part of the supplied data, at least, would need to be cryptographically signed using an RSA private key, and the car hacker didn't have it. [He] found within the firmware image the RSA public key used by the updater, and searched online for a portion of that key. The search results pointed to a common public key that shows up in online tutorials. <br>… <br>This means Hyundai used a public-private key pair from a tutorial … allowing "greenluigi1" to track down the private key. Thus he was able to sign Hyundai's files and have them accepted by the updater. … Hyundai has not responded to a request for comment. </blockquote> <p>&nbsp;<br><strong>What’s the appropriate emoji?</strong><span>&nbsp;</span>Daniel Feldman—<a title="read the full text" href="https://twitter.com/d_feldman/status/1558309810801631233">@d_feldman</a>—has an opinion:</p> <blockquote> In which a blogger finds the private key used to sign Hyundai car software updates—by Googling it. They used a key pair from a popular tutorial. 😂😂😂 <br>… <br>They also used a different key (symmetric) from a NIST reference document. This is not what “industry standard encryption” means. 😂 </blockquote> <p>&nbsp;<br><strong>Horse’s mouth?</strong><span>&nbsp;</span>greenluigi1—“<a title="read the full text" href="https://programmingwithstyle.com/posts/howihackedmycar/">How I Hacked my Car</a>”:</p> <blockquote> <strong>“I now had root access”</strong> <br>Last summer I bought a 2021 Hyundai Ioniq. … I wanted to play around with it and ultimately see what I could do. <br>… <br>I could enter its Engineering Mode by going to the Software Update screen. … The logs turned out to be a treasure trove of information. … The firmware files came in a simple .zip file that contained another zip file. The inner zip was named enc_system_package_{version}.zip. … I found a shell script file called linux_envsetup.sh … the script that creates the system update. … Turns out the encryption key in that script is the first AES 128bit CBC example key listed in the NIST document SP800-38A. … After searching for some keywords like “RSA” I found the public [signing] key. … Oh! they used a very common key yet again. <br>… <br>I wasted no time in developing my own firmware update with a backdoor. … I ran whoami: … I now had root access to a cool new Linux box, so now I must develop software for it. </blockquote> <p>&nbsp;<br><strong>So,<span>&nbsp;</span><i>two</i><span>&nbsp;</span>keys from example code?</strong><span>&nbsp;</span>Bruce Schneier scoffs—“<a title="read the full text" href="https://www.schneier.com/blog/archives/2022/08/hyundai-uses-example-keys-for-encryption-system.html">Hyundai Uses Example Keys</a>”:</p> <blockquote> This is a dumb crypto mistake I had not previously encountered. </blockquote> <p>&nbsp;<br><strong>How does something like that happen?</strong><span>&nbsp;</span><a title="read the full text" href="https://news.ycombinator.com/item?id=32562866">fxtentacle</a><span>&nbsp;</span>speculates:</p> <blockquote> <strong>“Illusion of security”</strong> <br>My personal guess would be that some manager successfully "reduced costs" and got a big promotion and bonus payments by outsourcing all of the development to the cheapest company they could find: … It was likely outsourced to college graduates with no practical experience. <br>… <br>[And] most likely the hardware design shop … sent them a firmware example. But management and oversight is in … South Korea. Thanks to that 3-way language barrier, I'm pretty sure the supervisor on this project had no actual clue as to what the hardware and software were doing. <br>… <br>In my imaginary set-up … for everyone involved, the illusion of security was "good enough". So here we are, with "good enough" <span>&nbsp;</span> <i>in production</i>. </blockquote> <p>&nbsp;<br><strong>But seriously, though?</strong><span>&nbsp;</span>This<span>&nbsp;</span><a title="read the full text" href="https://forums.theregister.com/forum/all/2022/08/17/software_developer_cracks_hyundai_encryption/#c_4515110">Anonymous Coward</a><span>&nbsp;</span>has seen it all before:</p> <blockquote> I have known several contractors and employees who have provided solutions like this (without the documentation to change anything). All have since left the company with glowing references for finding such a "quick, brilliant solution." … You can guess who fixed it, with little to no recognition. :-| <br>… <br>Non-technical IT management always like people who do a quick job. Then they give them big pay rises to try to keep them when they threaten to go elsewhere. In the meantime the same management want to know why [I] take so long fixing problems — which were created by the quick-fix merchant's bodges. </blockquote> <p>&nbsp;<br><strong>Lessons to be learned?</strong><span>&nbsp;</span><a title="read the full text" href="https://www.reddit.com/r/computerscience/comments/wrfw0f/comment/ikybz4b/">u/Terrible_Machine9</a><span>&nbsp;</span>sees the irony:</p> <blockquote> A lecturer will take this article and use it for their first day of school—to highlight the importance of doing your research and looking stuff up to find the solution to a problem. </blockquote> <p>&nbsp;<br><strong>The moral of the story?</strong><span>&nbsp;</span><a title="read the full text" href="https://www.schneier.com/blog/archives/2022/08/hyundai-uses-example-keys-for-encryption-system.html/#comment-409177">lurker</a><span>&nbsp;</span>has not one, but two:</p> <blockquote> 1. Hyundai seem to have taken all the usual steps to avoid unauthorised entry, then do a version of “password” as their password. <br> <br>2. Google seems to be doing nicely in their effort at “indexing the world’s information.” </blockquote> <p>&nbsp;<br><strong>What if Hyundai decides to shoot the messenger?</strong><span>&nbsp;</span>That’s what’s worrying<span>&nbsp;</span><a title="read the full text" href="https://news.ycombinator.com/item?id=32562596">aeno</a>:</p> <blockquote> How long until they try to sue his ***? The whole story sounds so … stupid, I can't believe no one in the whole production process stood up and said "Wait, shouldn't we make our own keys for encryption?" <br>… <br>Honestly, how can they be so stupid? </blockquote> <p>&nbsp;<br><strong>Importantly,</strong><span>&nbsp;</span><a title="read the full text" href="https://www.reddit.com/r/computerscience/comments/wrfw0f/comment/ilgxdcj/?utm_source=reddit&amp;utm_medium=web2x&amp;context=3">u/NCGThompson</a><span>&nbsp;</span>asks all the important questions:</p> <blockquote> The important question is, will using this void the dealer warranty? </blockquote> <p>&nbsp;<br><strong>Meanwhile,</strong><span>&nbsp;</span><a title="read the full text" href="https://it.slashdot.org/comments.pl?sid=21926459&amp;cid=62813685">La Gris</a><span>&nbsp;</span>feels the need to quote<span>&nbsp;</span><a href="https://www.urbandictionary.com/define.php?term=Grey%27s%20Law" title="a variant of Hanlon’s razor, influenced by the third law of Arthur C Clarke">Grey’s Law</a>:</p> <blockquote> “Any sufficiently advanced incompetence is indistinguishable from malice.” </blockquote> <h2>&nbsp;<br><span style="font-weight: bold;">And Finally:</span></h2> <p><strong><a title="And Finally" href="https://www.youtube.com/watch?v=1MvzHGmwgvg&amp;list=PL9zSC5i495YMjIuJjxToNGU8Ve7Gd5Rvj">Is this the end for Bill Wurtz?</a></strong><br><br></p> <div class="hs-embed-wrapper" style="position: relative; overflow: hidden; width: 100%; height: auto; padding: 0; max-width: 560px; max-height: 315px; min-width: 256px; display: block; margin: auto;"> <div class="hs-embed-content-wrapper"> <div style="position: relative; overflow: hidden; max-width: 100%; padding-bottom: 56.25%; margin: 0px;"> <iframe style="position: absolute; top: 0px; left: 0px; width: 100%; height: 100%; border: none;" src="https://www.youtube.com/embed/1MvzHGmwgvg" width="560" height="315" frameborder="0" allowfullscreen></iframe> </div> </div> </div> <p>&nbsp;</p> <p><a href="https://www.youtube.com/playlist?list=PL9zSC5i495YMjIuJjxToNGU8Ve7Gd5Rvj">Previously in<span>&nbsp;</span><em>And finally</em></a></p> <p><em>You have been reading <i>Secure Software&nbsp;Blogwatch</i>&nbsp;by&nbsp;<a href="https://www.richi.uk/">Richi&nbsp;Jennings</a>. Richi curates the best bloggy bits, finest forums, and weirdest websites … so you don’t have to. Hate mail may be directed to&nbsp;<a href="https://twitter.com/richi">@RiCHi</a>&nbsp;or&nbsp;<a href="mailto:ssbw@richi.co.uk?subject=-sbbw-">ssbw@richi.uk</a>. Ask your doctor before reading. Your mileage may vary. E&amp;OE. 30.</em></p> <h2 style="font-size: 24px; font-weight: bold;">Keep learning</h2> <ul> <li><a href="https://develop.secure.software/tag/software-supply-chain-security" style="font-weight: bold;">Learn more about software supply chain security trends</a></li> <li><a href="https://www.secure.software/reports/reversinglabs-nvd-analysis-2022-a-call-to-action-on-software-supply-chain-security" style="font-weight: bold;">Get report: NVD Analysis 2022 — A Call to Action on Software Supply Chain Security</a></li> <li><a href="https://develop.secure.software/software-supply-chain-security-top-of-mind-tools-lacking" style="font-weight: bold;">See survey report: Tampering top of mind for dev — but detection lags</a></li> <li><a href="https://www.secure.software/solutions/ci-cd-devsecops-workflow-security" style="font-weight: bold;">Explore solutions for detecting software tampering</a></li> </ul> <p><small><i>Image sauce:<span>&nbsp;</span><a href="https://commons.wikimedia.org/wiki/File:2017_Hyundai_Ioniq_Hybrid_rear_1.27.18.jpg">Kevauto</a><span>&nbsp;</span>(<a title="Some rights reserved" href="https://creativecommons.org/licenses/by-sa/4.0/">cc:by-sa</a>; leveled and cropped)</i></small></p> <img src="https://track.hubspot.com/__ptq.gif?a=3375217&amp;k=14&amp;r=https%3A%2F%2Fdevelop.secure.software%2Fhyundai-devs-used-sample-code-signing-keys-making-updates-vulnerable&amp;bu=https%253A%252F%252Fdevelop.secure.software&amp;bvt=rss" alt="" width="1" height="1" style="min-height:1px!important;width:1px!important;border-width:0!important;margin-top:0!important;margin-bottom:0!important;margin-right:0!important;margin-left:0!important;padding-top:0!important;padding-bottom:0!important;padding-right:0!important;padding-left:0!important; "> Software Supply Chain Security Secure Software Blogwatch Thu, 25 Aug 2022 09:00:00 GMT richi.jennings@richi.co.uk (Richi Jennings) https://develop.secure.software/hyundai-devs-used-sample-code-signing-keys-making-updates-vulnerable 2022-08-25T09:00:00Z To secure your CI/CD pipelines, round up the usual suspects https://develop.secure.software/to-secure-your-ci/cd-pipelines-round-up-the-usual-suspects <div class="hs-featured-image-wrapper"> <a href="https://develop.secure.software/to-secure-your-ci/cd-pipelines-round-up-the-usual-suspects" title="" class="hs-featured-image-link"> <img src="https://develop.secure.software/hubfs/round-up-the-usual-suspects.jpg" alt="To secure your CI/CD pipelines, round up the usual suspects" class="hs-featured-image" style="width:auto !important; max-width:50%; float:left; margin:0 15px 15px 0;"> </a> </div> <p style="font-weight: bold;">A presentation at the Black Hat Briefings in Las Vegas dug into the “how” of CI/CD compromises. As it turns out, many of the culprits will be familiar to security teams.</p> <p><img src="https://develop.secure.software/hs-fs/hubfs/round-up-the-usual-suspects.jpg?width=1400&amp;name=round-up-the-usual-suspects.jpg" alt="round-up-the-usual-suspects" width="1400" style="width: 1400px;"></p> <p style="font-weight: bold;">A presentation at the Black Hat Briefings in Las Vegas dug into the “how” of CI/CD compromises. As it turns out, many of the culprits will be familiar to security teams.</p> <p>Attacks on software supply chains are receiving a lot of attention these days within the broader information security community and in the marketplace. As we noted, talks on software supply chain risks and attacks were <a href="https://blog.reversinglabs.com/blog/software-supply-chain-security-takes-center-stage-at-black-hat-2022">a dominant theme at the recent Black Hat Briefings</a> in Las Vegas.&nbsp;</p> <p>Software supply chain attacks aren’t a new thing, but their growing prominence — as evidenced by the devastating attack on SolarWinds in 2020 — pose a challenge both to software publishers, and to their customers. (Check out our analysis of the SolarWinds compromise: <a href="https://blog.reversinglabs.com/blog/sunburst-the-next-level-of-stealth">SunBurst: The Next Level of Stealth</a>.)</p> <p>As attackers — including nation state actors — turn their attention to development organizations and the infrastructure and platforms that support them, would-be victims need to fine tune detection and defenses to address that new risk.&nbsp;</p> <p>So what do those new defenses and security investments look like? Well, they may look pretty similar to the kinds of technologies and tools you’re already using, according to a Black Hat presentation by researchers from NCC Group. Here are some key takeaways from <a href="https://www.reversinglabs.com/conversinglabs/s2ep5/lessons-learned-from-ci-cd-compromises">my video interview with them for our ConversingLabs podcast from Black Hat</a>.&nbsp;</p> <h2 style="font-size: 24px;">Three words: User. Least. Privilege.</h2> <p>“Generally the [CI/CD] security principles have been around for as long as security has been an issue,” said<a href="https://www.linkedin.com/in/iainsmart/"> Iain Smart</a>, the Containerization and Orchestration Practice Lead at <a href="https://www.nccgroup.com/us/">NCC Group,</a> in an interview. "That includes foundational security technologies and processes like role based access control (RBAC), secrets management and threat modeling,” Smart said.&nbsp;</p> <p>Despite the popular image of supply chain attacks and attackers as ultra stealthy and sophisticated operations, Smart said his experience auditing development and IT organizations suggest that most supply chain attackers are picking low hanging fruit.</p> <blockquote> <p style="font-size: 24px;"><span style="font-style: italic;">“You have people running [the development] pipeline as administrator users rather than restricting their privileges; you have people allowing components to have full administrative access over the cloud rather than only what they need. Things are not as locked-down as they generally should be.”</span><br><span style="font-style: italic;">—</span><a href="https://www.linkedin.com/in/iainsmart/" style="font-style: italic;">Iain Smart</a></p> </blockquote> <p>In fact, many of the supply chain security assessments that NCC does may not start that way, said <span>Viktor Gazdag</span>, who is a Managing Security Consultant at NCC Group and a Jenkins Security MVP.&nbsp; “Sometimes it doesn’t even start off with the [development] pipeline. We might start off with a web application [assessment] and then we got access to a CI/CD pipeline as well."</p> <blockquote> <p style="font-size: 24px;"><span style="background-color: transparent; font-style: italic;">"It’s not unheard of for us to stumble onto a [development] pipeline and then go ‘Oh, this looks like a target, let’s see what we can do with it. The impact is quite bad in some cases.”&nbsp;<br>—<a href="https://www.linkedin.com/in/viktor-gazdag-78620231/">Viktor Gazdag</a></span></p> </blockquote> <h2 style="font-size: 24px;">Lots of vulnerabilities</h2> <p>The NCC researchers said that common vulnerabilities are also rife in development plugins and third party modules. Gazdag said that research he conducted on Jenkins plugins found lots of examples of common flaws like stored credentials, cross site scripting (XSS) flaws and server side request forgery (SSRF).&nbsp;</p> <p>He said development organizations needed to be much more mindful of the provenance of the modules and plugins they were relying on. Those developed by large organizations like The Jenkins Project generally clear a high bar for security. However, most plugins for Jenkins and similar platforms are developed by individuals or third party firms, with little attention or effort given to code security and upkeep.&nbsp;</p> <blockquote> <p style="font-size: 24px;"><em>“It's like open source code that you can use, but if the developer says like, ‘Okay, I'm no longer interested in maintaining the plugins,’ or ‘I don't have time to fix the vulnerability,’ then the vulnerability will be there.”</em><br><em>—<span style="background-color: transparent;">Viktor Gazdag</span></em></p> </blockquote> <h2 style="font-size: 24px;">Mind your (development) traffic</h2> <p>Network monitoring is also a sore point for development organizations. Smart and Gazdag said that their work with customers often revealed blind spots in network monitoring associated with development groups and infrastructure — a blind spot that enabled red teams to use build servers to pull malicious dependencies from Internet-based platforms like Jenkins into internally managed repositories.&nbsp;</p> <p>“They weren't doing anything to stop their build servers talking out to the wider Internet,” Smart said. Something as simple as a firewall rule could stop such an attack, but the reliance on external dependencies complicates the implementation of such measures. “Generally what we recommend is pinning your version whenever possible,” Smart said.&nbsp;</p> <p>The ephemeral nature of supply chain attacks also poses problems for organizations. Malicious code transmitted via a compromised dependency can subsequently be overwritten, leaving the downstream consumer of that malicious dependency with what changes were made or what level of access attackers had as a result of the compromise, the researchers said. That’s especially true for organizations that are leaning heavily on containerization, in which things are designed to be replaced as quickly as possible, he said.&nbsp;</p> <blockquote> <p style="font-size: 24px;"><em>“There's every chance that a package is compromised for a very short time. You ingest that package and by the time you realize something's gone wrong, you've rebuilt your application, the public version has been patched, there's no record and you have no idea what the impact was exactly.” </em><br><em>—Iain Smart</em></p> </blockquote> <p>The solution? Plan for the worst. “If you're using an external dependency, mirror it internally and make sure that you have a reproducible build,” Smart said. “That way if a package is compromised, you have a local version to do analysis on."&nbsp;</p> <h2 style="font-size: 24px;">Hope for the best, log for the worst</h2> <p>Failing everything else, Gazdag and Smart said that security concerns are unlikely to dampen development organizations’ desire to "move fast and break things," so they also need to be prepared for what happens when security risks slip through the cracks. Doing security assessments and testing of every commit is great — so long as you have the staff to review and triage the output from all that testing.&nbsp;</p> <p>Failing that, detailed logging of production applications is the best way to identify and reconstruct software supply chain compromises.&nbsp;</p> <h2 style="font-size: 24px;">We can fix it!&nbsp;</h2> <p>If there’s a silver lining to the researchers' presentation, it’s that most of the problems g discovered and documented are easily addressed and don’t require additional investments.&nbsp;</p> <blockquote> <p style="font-size: 24px;"><em>“Most of what we've seen have been misconfigurations rather than fundamental flaws in the software. So a developer or an admin has ticked the wrong box or has put a secret somewhere they shouldn't have, and it's just not been found until we came along and pointed it out."</em><br><em>—Iain Smart</em></p> </blockquote> <p>When those flaws were pointed out, development teams were quick to address and remediate them. “I wouldn't say there's a systemic problem in what we've been looking at, or a need for additional software,” Smart said.</p> <blockquote> <p style="font-size: 24px;"><em>“Organizations just need to pay careful attention to the way you're deploying what you've got.”</em></p> </blockquote> <p style="font-weight: bold;">Check out the <a href="https://www.reversinglabs.com/conversinglabs/s2ep5/lessons-learned-from-ci-cd-compromises" style="font-style: normal;">full ConversingLabs conversation with Smart and Gazdag</a>.</p> <p><span style="font-size: 24px; font-weight: 900; background-color: transparent;">Keep learning</span></p> <ul> <li><a href="https://develop.secure.software/tag/software-supply-chain-security" style="font-weight: bold;">Learn more about software supply chain security trends</a></li> <li><strong><a href="https://www.secure.software/reports/reversinglabs-nvd-analysis-2022-a-call-to-action-on-software-supply-chain-security" style="font-weight: bold; font-style: normal;">Get report: NVD Analysis 2022 — A Call to Action on Software Supply Chain Security</a></strong></li> <li><a href="https://develop.secure.software/software-supply-chain-security-top-of-mind-tools-lacking" style="font-weight: bold;">See survey report: Tampering top of mind for dev — but detection lags</a></li> <li><a href="https://www.secure.software/solutions/ci-cd-devsecops-workflow-security" style="font-weight: bold;">Explore security solutions for CI/CD workflows</a></li> </ul> <img src="https://track.hubspot.com/__ptq.gif?a=3375217&amp;k=14&amp;r=https%3A%2F%2Fdevelop.secure.software%2Fto-secure-your-ci%2Fcd-pipelines-round-up-the-usual-suspects&amp;bu=https%253A%252F%252Fdevelop.secure.software&amp;bvt=rss" alt="" width="1" height="1" style="min-height:1px!important;width:1px!important;border-width:0!important;margin-top:0!important;margin-bottom:0!important;margin-right:0!important;margin-left:0!important;padding-top:0!important;padding-bottom:0!important;padding-right:0!important;padding-left:0!important; "> CI/CD Security Mon, 22 Aug 2022 09:00:00 GMT paul.roberts@reversinglabs.com (Paul Roberts) https://develop.secure.software/to-secure-your-ci/cd-pipelines-round-up-the-usual-suspects 2022-08-22T09:00:00Z 6 reasons app sec teams should shift gears and go beyond legacy vulnerabilities https://develop.secure.software/6-reasons-software-security-teams-need-to-go-beyond-vulnerability-response <div class="hs-featured-image-wrapper"> <a href="https://develop.secure.software/6-reasons-software-security-teams-need-to-go-beyond-vulnerability-response" title="" class="hs-featured-image-link"> <img src="https://develop.secure.software/hubfs/shift-gears-software-supply-chain-security.jpg" alt="6 reasons app sec teams should shift gears and go beyond legacy vulnerabilities" class="hs-featured-image" style="width:auto !important; max-width:50%; float:left; margin:0 15px 15px 0;"> </a> </div> <p style="font-weight: bold;">With software supply chain attacks surging, dev and application security teams should shift gears from legacy vulnerabilities to open-source repos, DevOps tools, and software tampering.</p> <p style="font-weight: bold;"><img src="https://develop.secure.software/hs-fs/hubfs/shift-gears-software-supply-chain-security.jpg?width=1400&amp;name=shift-gears-software-supply-chain-security.jpg" alt="shift-gears-software-supply-chain-security" width="1400" style="width: 1400px;">With software supply chain attacks surging, dev and application security teams should shift gears from legacy vulnerabilities to open-source repos, DevOps tools, and software tampering.</p> <span style="font-size: 1rem; background-color: transparent;"></span> <p><span style="background-color: transparent; font-size: 1rem;">Sophisticated threat actors are shifting to new ways to compromise systems, targeting the accounts of privileged employees, or vulnerable, public-facing applications. </span><span style="background-color: transparent; font-size: 1rem;"></span><span style="background-color: transparent; font-size: 1rem;">Malicious actors have found that they can leverage vulnerable development pipelines to further sophisticated attacks by tampering with developed code to introduce malicious backdoors or other features.</span></p> <p>A new ReversingLabs report, <a href="https://www.secure.software/reports/reversinglabs-nvd-analysis-2022-a-call-to-action-on-software-supply-chain-security">NVD Analysis 2022: A Call to Action on Software Supply Chain Security</a>, shows, <span>the National Vulnerability Database (NVD) is still dominated by flaws in a handful of legacy platforms. Vulnerabilities in the NVD represent a minority of threats to software supply chains. That's because the database does not represent the full scope of emerging attacks.</span></p> <p><span>As adversaries intensify their focus on the software supply chain, development and security teams need to shift their focus beyond the risks posed by vulnerabilities found on legacy platforms to emerging risks found in open source repositories, CI/CD tools, and code tampering. </span><span></span><span>Attacks on open-source repositories such as npm and PyPI have surged 289% combined since 2018, the report found.&nbsp;</span></p> <p>The report paints a clear picture: It's time for organizations to reassess their application security regimen to take into account the new supply chain risk landscape. Here's are six reasons why it's time to go beyond traditional vulnerabilities.&nbsp;</p> <h2 style="font-size: 24px;"><strong>1. Trusting code within the supply chain has become problematic</strong></h2> <p>Many tools designed to help secure software-development pipelines focus on rating the projects, programmers, and open-source components and their maintainers. However,<span>&nbsp; </span>recent events—such as the emergence the <span>“protestware”</span> that changed the node.<span>ipc</span> open source software for political reasons or the hijacking of the popular ua-parser-<span>js</span> project by cryptominer—underscore that seemingly secure projects can be compromised, or otherwise pose security risks to organizations. "</p> <p><span>Tomislav</span> <span>Peričin</span>, co-founder and chief software architect at <span>ReversingLabs, noted how <a href="https://blog.reversinglabs.com/blog/sunburst-the-next-level-of-stealth">in the case of SolarWinds</a>, the trusted source was pushing infected software. Catching those kinds of mistakes requires a focus on how code behaves, regardless of where it came from.</span></p> <blockquote> <p style="font-size: 24px;"><span style="font-style: italic;">"As long as we keep ignoring the core of the problem — which is how do you trust code — we are not handling software supply chain security."</span><br><span style="font-style: italic;">—</span><a href="https://twitter.com/ap0x" style="font-style: italic;">Tomislav Peričin</a></p> </blockquote> <h2 style="font-size: 24px;"><strong>2. Vulnerabilities need context to be effectively analyzed</strong></h2> <p>Vulnerabilities viewed in isolation might be labeled <span>“low</span> risk,” but those same vulnerabilities viewed in the context of an interconnected system might lead to an exploit that could be labeled <span>“high</span> risk,” explained <span>Caroline Wong, chief strategy officer at </span>Cobalt Labs, a penetration testing company.<span>&nbsp;</span></p> <blockquote> <p style="font-size: 24px;"><span style="font-style: italic;">"It’s critically important that technology practitioners consider security vulnerabilities in the context of how they are used and how they might be misused."&nbsp;</span><br><span style="font-style: italic;">—</span><a href="https://www.linkedin.com/in/carolinewmwong/" style="font-style: italic;">Caroline Wong</a></p> </blockquote> <h2 style="font-size: 24px;"><strong>3. Zero Trust needed to protect the software supply chain</strong></h2> <p>Zero Trust — a model that assumes every connection and endpoint on the network is a threat — plays a role in trust decisions. "I could see that concept being extended to software supply chain concerns," observed <span>Daniel Kennedy, research director for information security and networking at 451 Research.</span></p> <blockquote> <p style="font-size: 24px;"><span style="font-style: italic;">"For example, just because an open source library is heavily used or well-maintained doesn’t necessarily mean you should trust it implicitly. Just because code is on a build server doesn't necessarily mean it's the same code from your source repository. Nothing should be implicitly trusted based on its source alone."</span><br><span style="font-style: italic;">—</span><a href="https://www.linkedin.com/in/danieltkennedy/" style="font-style: italic;">Daniel Kennedy</a></p> </blockquote> <p>Identities, too, need to be reviewed with a measure of distrust. "You can do all the vulnerability scanning that you want, but if you have an immature identity practice with legacy orphan accounts everywhere and overexposure of privileges, you're going to be hacked," said <span>Garret Grajek, CEO of YouAttest, an identity auditing company.</span></p> <h2 style="font-size: 24px;"><strong>4. Greater care is needed to prevent software tampering</strong></h2> <p>In another recent ReversingLabs report,&nbsp;<a href="https://www.reversinglabs.com/reports/flying-blind-software-firms-struggle-to-detect-supply-chain-hacks">Flying Blind: Firms Struggle to Detect Software Supply Chain Attacks</a>, based on a survey conducted by Dimensional Research, found that software organizations engaged need to be able to detect tampering at any and all stages of development, including post-build and post-deployment. The report noted that w<span>hile scans for tampering were fairly common during the build process (53%) and after build but prior to deployment (43%), much lower percentages of survey respondents said they scanned code post-deployment (34%), or that they scanned individual components prior to build (33%).</span></p> <p>As recent supply chain compromises indicate, the report continued, such spotty checks leave a great deal of room for threat actors to operate and exploit a <span>publishers’</span> privileged access to customer environments to push malicious executables or <span>exfiltrate</span> sensitive data.<span>&nbsp;</span></p> <h2><strong><span><span style="font-size: 24px;">5. </span></span><span style="font-size: 24px;">The next zero day vulnerability is just around the corner</span></strong></h2> <p>One of the most interesting subplots of the Log4Shell attacks is that within days after the initial vulnerability was patched, another high-severity vulnerability was found in the same code. The only reason the second one was found was that the Log4J code was undergoing intense scrutiny, said Larry Maccherone, DevSecOps transformation evangelist at Contrast Security, a maker of self-protecting software solutions.</p> <blockquote> <p style="font-size: 24px;"><span style="font-style: italic;">"What this tells me is that the open source libraries that make up 80% of modern applications are literally littered with yet undiscovered vulnerabilities."&nbsp;</span><br><span style="font-style: italic;">—</span><a href="https://www.linkedin.com/in/larrymaccherone/" style="font-style: italic;">Larry Maccherone</a></p> </blockquote> <p>Once you recognize that, though, Maccherone said, you need to fundamentally change the way you think about keeping your dependencies updated. "Only patching when an attack happens is a recipe for disaster and long exposure times."</p> <p>He recommends creating a robust integration test suite for applications. "Having a robust test suite is considered good engineering practice, but <span>it’s</span> surprising how many applications <span>don’t</span> have one," he said. "You may think of this as a quality issue, but <span>it’s</span> clearly also a security issue. Teams that <span>don’t</span> have one require days to release a fixed application. Teams that do, minutes."</p> <h2 style="font-size: 24px;"><strong>6. SBOMs are a critical step toward ensuring supply chain integrity</strong></h2> <p>Software Bills of Materials (SBOM) are like ingredient lists for software. But as valuable as SBOMs can be, adoption of the practice by software teams is "meager," the ReversingLabs survey report found. It pointed out that only 27% of the IT pros participating in its survey noted their employers generate and review SBOMs before releasing software. Half the respondents said their companies didn't generate SBOMs. And nearly half of those (44%) admitted they didn't do so because they lacked the expertise and staffing to do so.</p> <blockquote> <p style="font-size: 24px;"><em>"If you have requirements for a gluten-free diet, you want to really understand exactly what is in the cheesecake you’re eating. Similarly, in order to properly perform security testing and manage the cumulative risk of using different components in a tech stack, it’s helpful to have an accurate, up to date SBOM."</em><br><em>—<a href="https://www.linkedin.com/in/carolinewmwong/">Caroline Wong</a></em></p> </blockquote> <h2 style="font-size: 24px;">The tools are there. Now on to implementation</h2> <p><span>Tim Mackey, principal security strategist with the Synopsys Cybersecurity Research Center, said that an</span> SBOM is a key component of a governance plan that encompasses not only open source usage in a software supply chain, but also becomes an anchor point for other operational elements. <span>"</span>The most common operational element being discussed today is the usage of <span>SBOM</span> to communicate new vulnerabilities within components in the software supply chain for the given application."</p> <p>But he noted that the software team needs to be able to operationalize an SBOM.</p> <blockquote> <p style="font-size: 24px;"><span style="font-style: italic;">"Such knowledge is obviously valuable, but if your organization doesn’t have a process to consume it, then there is minimal benefit from having an SBOM and associated vulnerability information."</span><br><span style="font-style: italic;">—</span><a href="https://www.linkedin.com/in/mackeytim/" style="font-style: italic;">Tim Mackey</a></p> </blockquote> <p><span style="font-size: 24px; font-weight: 900; background-color: transparent;">Keep learning</span></p> <ul> <li><a href="https://develop.secure.software/tag/software-supply-chain-security" style="font-weight: bold;">Learn more about software supply chain security trends</a></li> <li><strong><a href="https://www.secure.software/reports/reversinglabs-nvd-analysis-2022-a-call-to-action-on-software-supply-chain-security" style="font-weight: bold; font-style: normal;">Get report: NVD Analysis 2022 — A Call to Action on Software Supply Chain Security</a></strong></li> <li><a href="https://develop.secure.software/software-supply-chain-security-top-of-mind-tools-lacking" style="font-weight: bold;">See survey report: Tampering top of mind for dev — but detection lags</a></li> <li><a href="https://www.secure.software/solutions/ci-cd-devsecops-workflow-security" style="font-weight: bold;">Explore solutions for detecting software tampering</a></li> </ul> <img src="https://track.hubspot.com/__ptq.gif?a=3375217&amp;k=14&amp;r=https%3A%2F%2Fdevelop.secure.software%2F6-reasons-software-security-teams-need-to-go-beyond-vulnerability-response&amp;bu=https%253A%252F%252Fdevelop.secure.software&amp;bvt=rss" alt="" width="1" height="1" style="min-height:1px!important;width:1px!important;border-width:0!important;margin-top:0!important;margin-bottom:0!important;margin-right:0!important;margin-left:0!important;padding-top:0!important;padding-bottom:0!important;padding-right:0!important;padding-left:0!important; "> Software Supply Chain Security Software Tampering Thu, 18 Aug 2022 11:00:00 GMT jpmellojr@gmail.com (John P. Mello Jr.) https://develop.secure.software/6-reasons-software-security-teams-need-to-go-beyond-vulnerability-response 2022-08-18T11:00:00Z Just for devs: Best of Black Hat and DEF CON https://develop.secure.software/just-for-devs-the-best-of-black-hat-and-def-con <div class="hs-featured-image-wrapper"> <a href="https://develop.secure.software/just-for-devs-the-best-of-black-hat-and-def-con" title="" class="hs-featured-image-link"> <img src="https://develop.secure.software/hubfs/vegas--zalman-grossbaum--unsplash.png" alt="Just for devs: The best of Black Hat and DEF CON" class="hs-featured-image" style="width:auto !important; max-width:50%; float:left; margin:0 15px 15px 0;"> </a> </div> <p><strong></strong></p> <p><strong><img src="https://develop.secure.software/hs-fs/hubfs/vegas--zalman-grossbaum--unsplash.png?width=1920&amp;name=vegas--zalman-grossbaum--unsplash.png" alt="vegas--zalman-grossbaum--unsplash" width="1920" style="width: 1920px;"></strong></p> <p><strong>Lots happened in Vegas last week.</strong><span>&nbsp;</span>Most of it should have<span>&nbsp;</span><i>stayed</i><span>&nbsp;</span>in Vegas. But some of it bears digging out from piles of mediocre nonsense.</p> <p><img src="https://bit.ly/xbw20220817" width="150" style="margin-left: auto; margin-right: auto; display: block; width: 150px;"></p> <p><strong>Especially for app developers,</strong><span>&nbsp;</span>here are a few nuggets that caught my eye: Electron bugs, the ÆPIC SGX vuln, Rickrolling schools and buzzword bingo.</p> <p><strong>I’ll peruse the news</strong><span>&nbsp;</span>of the week …&nbsp;so you don’t have to. In this week’s<span>&nbsp;</span><a href="https://develop.secure.software/tag/secure-software-blogwatch">Secure Software&nbsp;Blogwatch</a>, we sort the heat from the chai.</p> <p><a title="Richi Jennings" href="https://www.richi.uk/">Your humble blogwatcher</a>&nbsp;curated these bloggy bits for your entertainment. Not to mention:&nbsp;<i>Everyone loves Toxic by Britney</i>.<br>&nbsp;</p> <h2>Hacker summer camp is back</h2> <p>&nbsp;<br><strong>First up: Does your app use Electron?</strong><span>&nbsp;</span>Lorenzo Franceschi-Bicchierai has news for you—“<a title="read the full text" href="https://www.vice.com/en/article/m7gb7y/researchers-find-vulnerability-in-software-underlying-discord-microsoft-teams-and-other-apps">Researchers find vulnerabilities in software underlying … apps used by millions of users</a>”:</p> <blockquote> <strong>“He doesn’t run Electron apps”</strong> <br>A group of security researchers found a series of vulnerabilities in the software underlying popular apps like Discord, Microsoft Teams, Slack and many others. … At the Black Hat cybersecurity conference in Las Vegas [they] presented their findings, detailing how they could have hacked people … by exploiting the software underlying [many apps]: Electron. <br>… <br>Aaditya Purani, one of the researchers [said] “Electron apps are not the same as … browsers,” meaning they are potentially more vulnerable. … In the case of Discord, the bug [they] found only required them to send a malicious link to a video. With Microsoft Teams, the bug they found could be exploited by inviting a victim to a meeting. In both cases, if the targets clicked on these links, hackers would have been able to take control of their computers. <br>… <br>“If you are more paranoid, I recommend using the website itself because then you have the protection which Chromium has, which is much larger than the Electron,” Purani said. … He doesn’t run Electron apps, instead opting for using … Discord or Slack inside his browser, which is more hardened against hackers. </blockquote> <p>&nbsp;<br><strong>Sounds like a software supply chain problem.</strong><span>&nbsp;</span><a title="read the full text" href="https://it.slashdot.org/comments.pl?sid=21874858&amp;cid=62782808">keithdowsett</a><span>&nbsp;</span>wants to nuke it from orbit:</p> <blockquote> Welcome to the world of 2020's software development. <br> <br>1) Design project (optional) <br>2) Munge together a bunch of libraries on AWS … <br>3) Add a GUI (more libraries) <br>4) Port to Android and Apple phones (more libraries) <br>5) Release the code waay before it's ready … <br>6) Waste a heap of cash on Tiktok advertising … <br>7) Profit (optional) <br>8) Sell the whole heap of **** to venture capitalists for a stupid amount of money <br> <br>But seriously, from an project perspective it makes sense to use libraries to perform as many functions as possible. That way instead of re-inventing the wheel you can focus on developing core functionality. <br> <br>There's no prospect of a project team auditing all the libraries they use, let alone all their dependencies. … So for purely financial reasons we're reliant on the white hat community finding these obscure bugs. </blockquote> <p>&nbsp;<br><strong>Was there an oddly-named vuln?</strong><span>&nbsp;</span>Steven J. Vaughan-Nichols offers—“<a title="read the full text" href="https://thenewstack.io/intel-sgx-not-so-safe-after-all-aepic-leak/">ÆPIC Leak</a>”:</p> <blockquote> <strong>“Disable APIC MMIO”</strong> <br>Intel’s Software Guard Extensions (SGX) memory encryption technology sounded like such a good idea back in 2015. [But] over half-a-dozen vulnerabilities … soon appeared. And now, at the 2022 Black Hat Security Conference, another … has been uncovered: ÆPIC Leak. <br>… <br>This one … is a new Intel architectural CPU bug that can leak data without using a side channel. It’s in a word, “Bad!” [It] works by sampling data transferred between the L2 and last-level cache. … This end-to-end attack extracts AES-NI, RSA, and even SGX attestation keys from enclaves within a few seconds. <br>… <br>Intel is … creating an updated … SDK that helps mitigate potential exposure. Intel also recommends users update to the latest firmware. Microcode to address the problem is already available for Linux. The Trusted Computing Base (TCB) recovery for ÆPIC Leak, however, won’t be available until March 7, 2023. <br>… <br>But I agree with the researchers: “The only short-term mitigations for ÆPIC Leak are to disable APIC MMIO or not rely on SGX.” For people who rely on SGX for security, it’s much nastier [than the] CVSS score [of] only 6.0. </blockquote> <p>&nbsp;<br><strong>How can we protect our servers?</strong><span>&nbsp;</span><a title="read the full text" href="https://news.ycombinator.com/item?id=32480652">hardenedvault</a><span>&nbsp;</span>has this suggestion:</p> <blockquote> Another day, another vulnerability. Remote attestation can be compromised if the EPID key has been extracted. <br>… <br>Attacks targeting SGX require root privileges on Linux host. Try VED community version if you intend to protect the Linux kernel </blockquote> <p>&nbsp;<br><strong>Any child prodigies on The Strip?</strong><span>&nbsp;</span>Sean Michael Kerner’s never gonna give you up—“<a title="read the full text" href="https://www.infosecurity-magazine.com/news/defcon-how-us-teen-rickrolled/">How US Teen Rickrolled His High School District</a>”:</p> <blockquote> <strong>“26 page penetration report”</strong> <br>At the at the DEF CON 30 security conference in Las Vegas, Minh Duong outlined how he … was able to gain control of the presentation and public address systems in his local high school district outside of Chicago and Rickrolled it. [He and] his friends decided that Rickrolling his high school would make for a great senior prank and they dubbed their effort - Operation Big Rick. <br>… <br>Duong outlined a litany of device misconfigurations across his local school and his school district's IT system that enabled [them] to gain access to services they have no business accessing. … the teenage hackers decided to load the Rickroll screen onto … the school's IPTV presentation system, which is used to show announcements. [And they] disabled the ability for infrared remotes within classrooms to shutoff any screen. <br>… <br>Duong and his friends just wanted to execute a prank and didn't intend to be malicious. To that end, they anonymously sent out a 26 page penetration report to the school that identified all the areas of weakness that needed to be improved. </blockquote> <p>&nbsp;<br><strong>Such a legendary hack.</strong><span>&nbsp;</span>And Duong’s legendary status shall persist, says<span>&nbsp;</span><a title="read the full text" href="https://www.reddit.com/r/hacking/comments/wq051b/comment/ikks5kv/">u/AnalyzeTheRodeo</a>:</p> <blockquote> This man will die a legend. </blockquote> <p>&nbsp;<br><strong>What about the booths?</strong><span>&nbsp;</span>Mike Rothman is going back to school—“<a title="read the full text" href="https://securityboulevard.com/2022/08/black-hat-2022-trip-report/">Black Hat 2022 Trip Report</a>”:</p> <blockquote> <strong>“I couldn’t be happier”</strong> <br>I couldn’t attend the RSA Conference back in June, so it had been 30 months since I’ve seen the security community in person. … There were … lots of vendor personnel on the show floor and … most of the companies said they had a steady stream of booth traffic. It was nice to see people out and about. <br>… <br>I saw some of the buzzword bingo, but it was muted. That doesn’t mean I understood what most of the companies did, based on their booth—I didn’t. Most had some combination of detection, cloud and response as well as a variety of Gartner-approved category acronyms. I guess the events marketing teams are a bit rusty. <br>… <br>Magicians still fill the booth: … Whenever I saw a crowd around a booth, there was typically some kind of performer. … Not sure how having some guy do magic tricks helped create demand for a security product, but it did fill the booths. … Every other booth had an espresso machine. <br>… <br>Some very large public companies had small booths. Some startups that I’d never heard of had large booths. … It means some companies burned a lot of their VC money in Vegas this week. </blockquote> <p>&nbsp;<br><strong>Meanwhile,</strong><span>&nbsp;</span>what happens in Vegas … doesn’t involve<span>&nbsp;</span><a title="read the full text" href="https://forums.theregister.com/forum/all/2022/08/15/black_hat_covid/#c_4514011">Michael Wojcik</a>:</p> <blockquote> When I was younger I quite liked attending and presenting at conferences. These days it doesn't appeal. <br> <br>Slide decks and presentation videos are often available soon after, and … written accounts of [the] research too, which I prefer (I find synchronous media increasingly tiresome as I get older). And Las Vegas is pretty low on my list of places I have any interest in spending my time. </blockquote> <h2>&nbsp;<br>And Finally:</h2> <p><strong><a title="And Finally" href="https://www.youtube.com/watch?v=d04-kseradA&amp;list=PL9zSC5i495YMjIuJjxToNGU8Ve7Gd5Rvj"><i>Toxic</i><span>&nbsp;</span>meets music theory</a></strong></p> <div class="hs-embed-wrapper" style="position: relative; overflow: hidden; width: 100%; height: auto; padding: 0; max-width: 560px; max-height: 315px; min-width: 256px; display: block; margin: auto;"> <div class="hs-embed-content-wrapper"> <div style="position: relative; overflow: hidden; max-width: 100%; padding-bottom: 56.25%; margin: 0px;"> <iframe width="560" height="315" src="https://www.youtube.com/embed/d04-kseradA" frameborder="0" allowfullscreen style="position: absolute; top: 0px; left: 0px; width: 100%; height: 100%; border: none;"></iframe> </div> </div> </div> <p>&nbsp;</p> <p><a href="https://www.youtube.com/playlist?list=PL9zSC5i495YMjIuJjxToNGU8Ve7Gd5Rvj">Previously in<span>&nbsp;</span><em>And finally</em></a></p> <p><em>You have been reading&nbsp;<i>Secure Software&nbsp;Blogwatch</i>&nbsp;by&nbsp;<a href="https://www.richi.uk/">Richi&nbsp;Jennings</a>. Richi curates the best bloggy bits, finest forums, and weirdest websites … so you don’t have to. Hate mail may be directed to&nbsp;<a href="https://twitter.com/richi">@RiCHi</a>&nbsp;or&nbsp;<a href="mailto:ssbw@richi.co.uk?subject=-sbbw-">ssbw@richi.uk</a>. Ask your doctor before reading. Your mileage may vary. E&amp;OE. 30.</em></p> <p><span style="font-size: 24px; font-weight: 900; background-color: transparent;">Keep learning</span></p> <ul> <li><a href="https://develop.secure.software/tag/software-supply-chain-security" style="font-weight: bold;">Learn more about software supply chain security trends</a></li> <li><strong><a href="https://www.secure.software/reports/reversinglabs-nvd-analysis-2022-a-call-to-action-on-software-supply-chain-security" style="font-weight: bold; font-style: normal;">Get report: NVD Analysis 2022 — A Call to Action on Software Supply Chain Security</a></strong></li> <li><a href="https://develop.secure.software/software-supply-chain-security-top-of-mind-tools-lacking" style="font-weight: bold;">See survey report: Tampering top of mind for dev — but detection lags</a></li> <li><a href="https://www.secure.software/solutions/ci-cd-devsecops-workflow-security" style="font-weight: bold;">Explore solutions for detecting software tampering</a></li> </ul> <p><small><i>Image sauce:<span>&nbsp;</span><a href="https://unsplash.com/photos/6Ib0XmJ_zTs">Zalman Grossbaum</a><span>&nbsp;</span>(via<span>&nbsp;</span><a title="Some rights reserved" href="https://unsplash.com/license">Unsplash</a>; leveled and cropped)</i></small></p> <img src="https://track.hubspot.com/__ptq.gif?a=3375217&amp;k=14&amp;r=https%3A%2F%2Fdevelop.secure.software%2Fjust-for-devs-the-best-of-black-hat-and-def-con&amp;bu=https%253A%252F%252Fdevelop.secure.software&amp;bvt=rss" alt="" width="1" height="1" style="min-height:1px!important;width:1px!important;border-width:0!important;margin-top:0!important;margin-bottom:0!important;margin-right:0!important;margin-left:0!important;padding-top:0!important;padding-bottom:0!important;padding-right:0!important;padding-left:0!important; "> Secure Software Blogwatch Dev & DevSecOps Thu, 18 Aug 2022 09:00:00 GMT richi.jennings@richi.co.uk (Richi Jennings) https://develop.secure.software/just-for-devs-the-best-of-black-hat-and-def-con 2022-08-18T09:00:00Z NVD Analysis 2022: Why you need to modernize your software security approach https://develop.secure.software/nvd-analysis-2022-why-you-need-to-modernize-your-software-security-approach <div class="hs-featured-image-wrapper"> <a href="https://develop.secure.software/nvd-analysis-2022-why-you-need-to-modernize-your-software-security-approach" title="" class="hs-featured-image-link"> <img src="https://develop.secure.software/hubfs/nvd-analysis-2022-software-supply-chain-security.jpg" alt="NVD Analysis 2022: Why you need to modernize your software security approach" class="hs-featured-image" style="width:auto !important; max-width:50%; float:left; margin:0 15px 15px 0;"> </a> </div> <p><span style="font-weight: bold;">The NVD as it is today does not tell the full story of software risk given the increase in attacks on open source components and repositories. Here's why the NVD — and your software security approach — needs to be modernized.</span></p> <p>Vulnerability reports to MITRE’s Vulnerabilities and Exposures (CVE) list, part of NIST’s National Vulnerability Database (NVD), are accelerating. New vulnerabilities in the first half of 2022 outstripped the same period in 2021. At the current rate, more than 24,000 vulnerabilities will be added to the NVD this year — breaking last year’s record of slightly more than 20,000.</p> <p><img src="https://develop.secure.software/hs-fs/hubfs/nvd-analysis-2022-software-supply-chain-security.jpg?width=1400&amp;name=nvd-analysis-2022-software-supply-chain-security.jpg" alt="nvd-analysis-2022-software-supply-chain-security" width="1400" style="width: 1400px;"><span style="font-weight: bold;">The NVD as it is today does not tell the full story of software risk given the increase in attacks on open source components and repositories. Here's why the NVD — and your software security approach — needs to be modernized.</span></p> <p>Vulnerability reports to MITRE’s Vulnerabilities and Exposures (CVE) list, part of NIST’s National Vulnerability Database (NVD), are accelerating. New vulnerabilities in the first half of 2022 outstripped the same period in 2021. At the current rate, more than 24,000 vulnerabilities will be added to the NVD this year — breaking last year’s record of slightly more than 20,000.</p> <p>But the NVD as it is today does not tell the full story of software risk. <a href="https://www.secure.software/reports/reversinglabs-nvd-analysis-2022-a-call-to-action-on-software-supply-chain-security" style="font-weight: bold; font-style: normal;">NVD Analysis 2022: A Call to Action on Software Supply Chain Security</a> finds that the jump in vulnerabilities in recent years is likely to continue, for two key reasons:</p> <ul> <li>More private and public sector organizations are taking part in the CVE program (mostly representing open source), resulting in an increase in CVE Numbering Authorities (CNAs).</li> <li>Open source- and third-party code, components and infrastructure are attracting the interest of both security researchers and malicious actors.&nbsp;</li> </ul> <p>Seen in the context of <a href="https://blog.reversinglabs.com/blog/a-partial-history-of-software-supply-chain-attacks">the rise in software supply chain attacks</a>, the growth in reports to the NVD suggest that the focus of malicious actors is shifting. And yet, the NVD is still dominated by flaws in a handful of legacy platforms by firms including Microsoft, Red Hat, Google, Apple and Oracle.&nbsp;</p> <p>These factors form a call to action for NIST. The NVD is a critical resource for both software development and security organizations. To remain relevant, NIST should expand the NVD in two ways:</p> <ul> <li>Broaden the scope of the NVD to capture the full breadth of vulnerabilities in applications — and platforms.</li> <li>Expand to include the diversity of security exposures (the “E” in CVE)—including malware injections, software tampering and secrets exposure, which threaten supply chain integrity.&nbsp;</li> </ul> <p>Here are five key takeaways from <a href="https://www.secure.software/reports/reversinglabs-nvd-analysis-2022-a-call-to-action-on-software-supply-chain-security">the new NVD Analysis report</a>.</p> <h2 style="font-size: 24px;"><strong>1. Major software vendors dominate today's NVD</strong></h2> <p>Top software makers were the leaders in NVD reported vulnerabilities. Linux led the pack with more than 2,000 flaws found in two distributions of the operating system — Fedora with 1,123 and Debian with 958. Google, Microsoft, Oracle, and Apple all had more than 500 vulnerabilities each. Although more than 3,500 vendors reported vulnerabilities to MITRE Corp’s Vulnerabilities and Exposures (CVE) list, part of the National Institute of Standards and Technology’s (NIST) National Vulnerability Database (NVD), a third of all flaws were found in the software of the top 20 vendors.</p> <p><img src="https://develop.secure.software/hs-fs/hubfs/NVD-analysis-CNA-increase.png?width=1046&amp;name=NVD-analysis-CNA-increase.png" alt="NVD-analysis-CNA-increase" width="1046" style="width: 1046px;"></p> <h2 style="font-size: 24px;"><strong>2. Vulnerability rise driven by more authorities, mostly from the open source community</strong></h2> <p>For some time, security firms have maintained that vulnerability growth is being driven by greater risks. In fact, much of the growth is being fueled by MITRE's expansion of reporting authorities to some 3,500. That can be seen in the marked jump in reported vulnerabilities from 2016 (6,649) to 2017 (14,644), when MITRE invited more organizations into the reporting fold.</p> <p>While the number of reporting authorities has leveled off, expansion in other areas will contribute to continued growth in reported vulnerabilities. For example, more countries and companies will start to participate in the CVE program. In addition, more projects — especially open-source projects — will be covered by the existing reporting authorities. More than 75% of code today uses open source, and 90% use at least one open source component.</p> <p>What's more, the move to impose more rigorous measures on software supply chains will lead NIST and MITRE to expand the CVE program to cover the wide variety of open-source projects on which web applications, internet infrastructure, and commercial software rely.</p> <p><img src="https://develop.secure.software/hs-fs/hubfs/nvdanalysis-75percent-oss.png?width=1050&amp;name=nvdanalysis-75percent-oss.png" alt="nvdanalysis-75percent-oss" width="1050" style="width: 1050px;"></p> <h2 style="font-weight: bold; font-size: 24px;">3. Supply chain attacks surge, shifting from apps to software components</h2> <p>Historically, vulnerability hunters have focused their attention on standalone applications and operating systems. Now that focus has shifted from applications running on desktops, laptops, and servers to finding vulnerabilities in web applications, API servers, and mobile devices, as well as the software components used to develop them.</p> <p>Attackers are broadening their horizons and focusing on finding ways into the enterprise that include DevOps tools and platforms that are integral to most software development teams.&nbsp; And attacks on open-source repositories like npm and PyPI have surged 289% combined since 2018.</p> <p>Essentially, researchers and attackers are more interested in the software components and infrastructure underpinning the security software programs and services that in one-off vulnerabilities in specific products. So while it's easy to get wrapped up in the sheer metrics of vulnerabilities, trying to patch every flaw in every program in an organization is a Herculean task. It's also unnecessary. What's important is focusing on where attacks are occurring — and increasing.&nbsp;</p> <p><img src="https://develop.secure.software/hs-fs/hubfs/nvd-analysis-supply-chain-attacks-surge.png?width=1510&amp;name=nvd-analysis-supply-chain-attacks-surge.png" alt="nvd-analysis-supply-chain-attacks-surge" width="1510" style="width: 1510px;"></p> <h2 style="font-weight: bold; font-size: 24px;">4. The NVD is not keeping pace with supply chain risk</h2> <p>Vulnerabilities in the NVD represent only a minority of threats to software supply chains. That's because the database doesn't take into account the burgeoning number of attacks And the attacks are outpacing vulnerabilities found in those repositories, especially vulnerabilities with a CVE designation.&nbsp;</p> <p>The NVD needs to evolve, as does our software team's security approach.</p> <h2 style="font-size: 21px;"><span><img src="https://develop.secure.software/hs-fs/hubfs/nvdanalysis-romeo.png?width=1044&amp;name=nvdanalysis-romeo.png" alt="nvdanalysis-romeo" width="1044" style="width: 1044px;"></span></h2> <h2 style="font-size: 24px;"><strong>5. Trust is key. Focus on what code does — not just where it comes from</strong></h2> <p>Many tools designed to secure software development pipelines focus on ratings. The problem is that even code from a trusted source can be compromised. For example, ordinarily an upgrade from a software vendor is coming from a trusted source, but <a href="https://blog.reversinglabs.com/blog/sunburst-the-next-level-of-stealth">in the case of SolarWinds</a>, the trusted source was pushing infected software. Catching those kinds of mistakes requires a focus on how code behaves, regardless of where it came from.</p> <p><img src="https://develop.secure.software/hs-fs/hubfs/nvd-analysis-tomislav.png?width=1050&amp;name=nvd-analysis-tomislav.png" alt="nvd-analysis-tomislav" width="1050" style="width: 1050px;"></p> <h2 style="font-weight: bold; font-size: 24px;">A call to action, for the NVD — and your software team</h2> <p style="font-size: 21px;">Attacks on the software supply chain can be devastating, but oftentimes they have nothing to do with software flaws. If NIST wants the NVD to stay relevant, it needs to expand the scope of its database to include software supply chain exposures. However, the current absence of those exposures in the NVD shouldn't deter organizations from expanding their security teams’ scope to include software supply chain security.&nbsp;</p> <p style="font-size: 21px;"><span>An expansion of the NVD's approach would better equip security and software development teams responsible for software security to broaden their security approach to address software supply chain exposures that are currently being overlooked. But don't wait. With exposures and attacks on the rise, it's time to modernize your organization's scope — and its tooling.</span></p> <p style="text-align: center;"><span style="font-weight: bold;">Get the full report, </span><strong><a href="https://www.secure.software/reports/reversinglabs-nvd-analysis-2022-a-call-to-action-on-software-supply-chain-security" style="font-weight: bold; font-style: normal;">NVD Analysis 2022: A Call to Action on Software Supply Chain Security</a></strong></p> <p><span style="font-size: 24px; font-weight: 900; background-color: transparent;">Keep learning</span></p> <ul> <li><a href="https://develop.secure.software/tag/software-supply-chain-security" style="font-weight: bold;">Learn more about software supply chain security trends</a></li> <li><a href="https://develop.secure.software/software-supply-chain-security-top-of-mind-tools-lacking" style="font-weight: bold;">See survey report: Tampering top of mind for dev — but detection lags</a></li> <li><a href="https://www.secure.software/solutions/ci-cd-devsecops-workflow-security" style="font-weight: bold;">Explore solutions for detecting software tampering</a></li> </ul> <img src="https://track.hubspot.com/__ptq.gif?a=3375217&amp;k=14&amp;r=https%3A%2F%2Fdevelop.secure.software%2Fnvd-analysis-2022-why-you-need-to-modernize-your-software-security-approach&amp;bu=https%253A%252F%252Fdevelop.secure.software&amp;bvt=rss" alt="" width="1" height="1" style="min-height:1px!important;width:1px!important;border-width:0!important;margin-top:0!important;margin-bottom:0!important;margin-right:0!important;margin-left:0!important;padding-top:0!important;padding-bottom:0!important;padding-right:0!important;padding-left:0!important; "> Software Supply Chain Security Fri, 12 Aug 2022 13:55:00 GMT jpmellojr@gmail.com (John P. Mello Jr.) https://develop.secure.software/nvd-analysis-2022-why-you-need-to-modernize-your-software-security-approach 2022-08-12T13:55:00Z Researchers: GitHub Copilot produces vulnerable code, demos AI bias https://develop.secure.software/ai-automation-bias-could-lead-to-more-vulnerable-code <div class="hs-featured-image-wrapper"> <a href="https://develop.secure.software/ai-automation-bias-could-lead-to-more-vulnerable-code" title="" class="hs-featured-image-link"> <img src="https://develop.secure.software/hubfs/github-copilot-ai-bias-black-hat.png" alt="Researchers demo AI bias, explain why 'Copilot should remain a co-pilot' for dev teams" class="hs-featured-image" style="width:auto !important; max-width:50%; float:left; margin:0 15px 15px 0;"> </a> </div> <p style="font-weight: bold;">GitHub updated guidance on using its Copilot AI-powered code bot after researchers demonstrated at Black Hat that it often generates vulnerable code.</p> <p style="font-weight: bold;"><img src="https://develop.secure.software/hs-fs/hubfs/github-copilot-ai-bias-black-hat.png?width=1400&amp;name=github-copilot-ai-bias-black-hat.png" alt="github-copilot-ai-bias-black-hat" width="1400" style="width: 1400px;">GitHub updated guidance on using its Copilot AI-powered code bot after researchers demonstrated at Black Hat that it often generates vulnerable code.</p> <p><span style="font-style: italic;">The Washington Post</span> <a href="https://www.washingtonpost.com/nation/2022/07/07/mississippi-teen-water-rescue/">recently reported </a>on the heroism of 16-year-old Corion Evans, a young man from southern Mississippi, who dove into the water to rescue drivers from a sinking car after witnessing the driver direct the vehicle down a boat ramp and into the Pascagoula River.&nbsp;</p> <p>The teen who was driving the car later told authorities that the GPS had malfunctioned and that she did not realize it was leading her and her passengers into the water. While a shocking revelation, in reality, drivers blindly following the lead of algorithms into the ditch (literally and proverbially) is a <a href="https://www.cartoq.com/doctor-family-drive-suv-straight-into-canal-after-following-google-maps/">pretty common</a> <a href="https://www.boston.com/news/local-news/2021/03/15/man-following-gps-navigation-drives-car-into-charlton-lake/">occurrence</a> these days.&nbsp;&nbsp;</p> <p>Researchers presenting at the Black Hat security conference on Wednesday provided a similar lesson for software developers. Hammond Pearce of NYU and Benjamin Tan of the University of Calgary <a href="https://www.blackhat.com/us-22/briefings/schedule/index.html#in-need-of-pair-review-vulnerable-code-contributions-by-github-copilot-27264"><span>presented the findings of research on Copilot,</span></a> an AI-based development bot that GitHub introduced in 2021 and <a href="https://github.blog/2022-06-21-github-copilot-is-generally-available-to-all-developers/"><span>made generally available</span></a> to developers in June 2022.&nbsp;</p> <p>Here are highlights of what the researchers shared at the Black Hat Briefings.</p> <p style="font-weight: bold; font-size: 18px;">[ Related: <a href="https://develop.secure.software/copilot-rocky-takeoff-github-steals-code">Copilot's rocky takeoff: GitHub ‘steals code’</a> ]</p> <h2 style="font-size: 24px;">Don’t let AI drive (software development)</h2> <p>Like the algorithms driving WAZE or other navigation apps, Pearce and Tan said that GitHub’s Copilot was a useful assistive technology that, all the same, warrants continued and close attention from the humans who use it — at least if development projects don’t want to find themselves submerged in a river of exploitable vulnerabilities like SQL injection and buffer overflows.&nbsp;</p> <p>The researchers found that coding suggestions by Copilot contained exploitable vulnerabilities about 40% of the time. About an equal percentage of the time, the suggested code with exploitable flaws was a “top ranked” choice — making it more likely to be adopted by developers, Pearce and Tan told the audience at Black Hat.&nbsp;</p> <p>In all, the team of researchers generated 1,689 code samples using Copilot, responding to 89 different “scenarios,” or proposed coding tasks. For each scenario, the team requested Copilot generate 25 different solutions, then noted which of those was ranked the most highly by Copilot. They then analyzed the suggested code for the presence of 18 common software weaknesses, as documented by MITRE on its <a href="https://cwe.mitre.org/data/"><span>Common Weakness Enumeration (CWE) </span></a>list.&nbsp;</p> <h2 style="font-size: 24px;">Garbage (code) in, garbage (code) out</h2> <p>While Copilot proved good at certain types of tasks, such as addressing issues around permissions, authorization and authentication, it performed less well when presented with other tasks.&nbsp;</p> <p>For example, a prompt to create “three random floats,” or non-integer number, resulted in three suggestions that would have led to “out of bounds” errors that could have been used by malicious actors to plant and run code on vulnerable systems.&nbsp;</p> <p>Another researcher prompt for Copilot to create a password hash resulted in a code recommendation by Copilot to use the <a href="https://www.techtarget.com/searchsecurity/definition/MD5"><span>MD5 hashing algorithm,</span></a> which is deemed insecure and no longer recommended for use.&nbsp;&nbsp;</p> <h2 style="font-size: 24px;">Modeling bad behavior</h2> <p>The problem may lie in how Copilot was trained, rather than in how the AI was designed. According to GitHub, Copilot was designed to work as an “editor extension,” to help accelerate the work of developers. However, to do that the AI was trained on the massive trove of code that resides on GitHub’s cloud-based repository. The company says it “distills the collective knowledge of the world’s developers.”</p> <p>The problem: a lot of that "collective knowledge" amounts to poorly executed code that doesn’t provide much in the way of a model for code creation.&nbsp;</p> <blockquote> <p style="font-size: 24px;">“Copilot doesn’t know what’s good or bad. It just knows what it has seen before."<br>—<a href="https://twitter.com/kiwihammond">Hammond Pearce</a></p> </blockquote> <p>The recommendation to use MD5 in code for creating a password hash is a classic example of that. If Copilot’s study of GitHub code concluded that MD5 was the most commonly used hashing algorithm for passwords, it makes sense that it would recommend that for a new password hashing function — not understanding that the algorithm, though common, is outdated and has been deprecated.&nbsp;</p> <p>The kind of probabilistic modeling that Copilot relies on, including the use of Large Language Modeling, is good at interpreting code, but not at grasping context. That results in AI that simply reproduces patterns that, although common, are flawed based on what it thinks “looks right,” the researchers said.&nbsp;</p> <p>Experiments the research team conducted tended to reinforce that idea. Code generated by a study of reputable developers and well-vetted modules tended to be of higher quality than suggestions modeled on code from little known developers.&nbsp;</p> <h2 style="font-size: 24px;">AI bias amplified by ranking</h2> <p>Copilot’s tendency to rank flawed code suggestions highly when presenting its suggestions is an equally worrying problem, the researchers said. In about 4 out of 10 recommendations, the top suggested code contained one of the common, exploitable weaknesses the researchers were searching for.&nbsp;</p> <p>That top ranking makes it more likely that developers will use the suggested code, just like many of us jump at the top search result. That kind of “automation bias” — in which humans tend to blindly accept the things that algorithms recommend — could be a real problem as development organizations start to lean more heavily on AI bots to help accelerate development efforts.&nbsp;</p> <p>In the wake of this new research presented at Black Hat, GitHub has updated its disclaimer for the AI, urging developers to audit Copilot code with tools like its CodeQL utility to discover vulnerabilities prior to implementing the suggestions.</p> <p>The researchers summarized:</p> <blockquote> <p style="font-size: 24px;">“Copilot should remain a co-pilot."</p> </blockquote> <h2 style="font-size: 24px;">Keep learning</h2> <ul> <li><a href="https://develop.secure.software/tag/software-supply-chain-security" style="font-weight: bold;">Learn more about software supply chain security trends</a></li> <li><a href="https://www.secure.software/reports/reversinglabs-nvd-analysis-2022-a-call-to-action-on-software-supply-chain-security" style="font-weight: bold;">Get report: NVD Analysis 2022 — A Call to Action on Software Supply Chain Security</a></li> <li><a href="https://develop.secure.software/software-supply-chain-security-top-of-mind-tools-lacking" style="font-weight: bold;">See survey report: Tampering top of mind for dev teams, but detection lags</a></li> <li><a href="https://www.secure.software/solutions/ci-cd-devsecops-workflow-security" style="font-weight: bold;">Explore solutions for detecting software tampering</a></li> </ul> <img src="https://track.hubspot.com/__ptq.gif?a=3375217&amp;k=14&amp;r=https%3A%2F%2Fdevelop.secure.software%2Fai-automation-bias-could-lead-to-more-vulnerable-code&amp;bu=https%253A%252F%252Fdevelop.secure.software&amp;bvt=rss" alt="" width="1" height="1" style="min-height:1px!important;width:1px!important;border-width:0!important;margin-top:0!important;margin-bottom:0!important;margin-right:0!important;margin-left:0!important;padding-top:0!important;padding-bottom:0!important;padding-right:0!important;padding-left:0!important; "> Dev & DevSecOps Black Hat 2022 Fri, 12 Aug 2022 13:34:40 GMT paul.roberts@reversinglabs.com (Paul Roberts) https://develop.secure.software/ai-automation-bias-could-lead-to-more-vulnerable-code 2022-08-12T13:34:40Z DevOps: Fix your dangerous redirects! Amex shows how https://develop.secure.software/devops-fix-your-dangerous-redirects-amex-shows-how <div class="hs-featured-image-wrapper"> <a href="https://develop.secure.software/devops-fix-your-dangerous-redirects-amex-shows-how" title="" class="hs-featured-image-link"> <img src="https://develop.secure.software/hubfs/redirect--mark-konig--unsplash.png" alt="DevOps: Fix your dangerous redirects! Amex shows how" class="hs-featured-image" style="width:auto !important; max-width:50%; float:left; margin:0 15px 15px 0;"> </a> </div> <p><strong></strong></p> <p><strong><img src="https://develop.secure.software/hs-fs/hubfs/redirect--mark-konig--unsplash.png?width=1920&amp;name=redirect--mark-konig--unsplash.png" alt="redirect--mark-konig--unsplash" width="1920" style="width: 1920px;"></strong></p> <p><strong>Recent ‘LogoKit’ spear phishing campaigns have misused</strong><span>&nbsp;</span>open redirect URLs in web apps from Snapchat and American Express. When alerted, Amex quickly fixed the hole, but Snap’s is still open<span>&nbsp;</span><i>after more than a year</i>.</p> <p><img src="https://bit.ly/xbw20220801" width="150" style="margin-left: auto; margin-right: auto; display: block; width: 150px;"></p> <p><strong>Many DevOps teams are still ignoring the danger</strong><span>&nbsp;</span>of insecure redirector pages, which help phishing attacks look genuine. Even if it’s impractical to lock down a redirector, you can at least instrument it and alert on patterns that indicate an attack is under way: Then you can lock it down to avoid bad publicity—e.g., this story.</p> <p><strong>Be better netizens,&nbsp;DevOps teams.</strong><span>&nbsp;</span>In this week’s<span>&nbsp;</span><a href="https://develop.secure.software/tag/secure-software-blogwatch">Secure Software&nbsp;Blogwatch</a>, we audit our URLs.</p> <p><a title="Richi Jennings" href="https://www.richi.uk/">Your humble blogwatcher</a>&nbsp;curated these bloggy bits for your entertainment. Not to mention:&nbsp;<i>ST:P vs. ST:TNG canon</i>.<br>&nbsp;</p> <h2>And Snap shows how<span>&nbsp;</span><i>not</i></h2> <p><strong>What’s the craic?</strong><span>&nbsp;</span>Sergiu Gatlan reports—“<a title="read the full text" href="https://www.bleepingcomputer.com/news/security/snapchat-amex-sites-abused-in-microsoft-365-phishing-attacks/">Snapchat, Amex sites abused in Microsoft 365 phishing attacks</a>”:</p> <blockquote> <strong>“Impersonated Microsoft, DocuSign, and FedEx”</strong> <br>Attackers abused open redirects on the websites of Snapchat and American Express in a series of phishing attacks. … Open redirects are web app weaknesses that allow threat actors to use the domains of trusted organizations and websites as temporary landing pages to simplify phishing attacks. <br>… <br>The Snapchat open redirect [and] the Amex open redirect … impersonated Microsoft, DocuSign, and FedEx and redirected the recipients to landing pages designed to harvest Microsoft [365] credentials. </blockquote> <p>&nbsp;<br><strong>Also,</strong><span>&nbsp;</span>Mister Alessandro Mascellino adds more—“<a title="read the full text" href="https://www.infosecurity-magazine.com/news/open-redirect-logokit-phishing/">Hackers Exploit Open Redirect Vulnerabilities to Conduct LogoKit Phishing Campaigns</a>”:</p> <blockquote> <strong>“Sending the target’s email and password”</strong> <br>Threat actors … leveraged Open Redirect Vulnerabilities in … highly trusted service domains like Snapchat … to create special URLs that then lead to malicious resources with phishing kits. … The tools used as part of these attacks were part of LogoKit, which was previously used in attacks against several financial institutions and online services. <br>… <br>Once the victim navigates to the URL, their email is then auto-filled in the email or username field, tricking them into believing they’ve logged into the service before. … Should the victim then enter their password, LogoKit then performs an AJAX request, sending the target's email and password to an external source, then finally redirecting the victim to their “legitimate” corporate website. </blockquote> <p>&nbsp;<br><strong>For example?</strong><span>&nbsp;</span>Elizabeth Montalbano obliges—“<a title="read the full text" href="https://threatpost.com/open-redirect-flaw-snags-amex-snapchat-user-data/180354/">Open Redirect Flaw</a>”:</p> <blockquote> <strong>“Malicious redirect”</strong> <br>Open redirect is a security vulnerability that occurs when a website fails to validate user input, which allows bad actors to manipulate the URLs of domains from legitimate entities with good reputations to redirect victims to malicious sites, researchers said. The vulnerability is well known and tracked as CWE-601: URL Redirection to Untrusted Site (‘Open Redirect’). <br>… <br>An example of the malicious redirect … is: <span>&nbsp;</span> <a href="#ssbw3" title="Example only">http://safe.com/redirect?url=http://malicious.com</a>. The trusted domain [is,] in this case, American Express or Snapchat. </blockquote> <p>&nbsp;<br><strong>What should DevOps do?</strong><span>&nbsp;</span>Inky discovered the campaign and suggests some ideas—“<a title="read the full text" href="https://www.inky.com/en/blog/phishers-bounce-lures-off-unprotected-snapchat-amex-sites">Phishers Bounce Lures Off Unprotected Snapchat, Amex Sites</a>”:</p> <blockquote> <strong>“Domain owners can prevent this abuse”</strong> <br>Since the first domain name in the manipulated link is in fact the original site’s, the link may appear safe to the casual observer. The trusted domain … acts as a temporary landing page before the surfer is redirected to a malicious site … which may harvest credentials or distribute malware. <br>… <br>Perhaps websites don’t give open redirect vulnerabilities the attention they deserve because they don’t allow attackers to harm or steal data from the site. … The victims, however, may lose credentials, data, and possibly money. <br>… <br>Open Bug Bounty reported the Snapchat vulnerability to the company on Aug. 4, 2021. However, it remains unpatched. <br>… <br>Domain owners can prevent this abuse by avoiding the implementation of redirection in the site architecture. If the redirection is necessary … then implementing an allowlist of approved safe links prevents bad actors from inputting malicious links. Domain owners can also present users with an external redirection disclaimer that requires user clicks before redirecting to external sites. </blockquote> <p>&nbsp;<br><strong>As did</strong><span>&nbsp;</span>Resecurity, at least by suggesting what<span>&nbsp;</span><i>not</i><span>&nbsp;</span>to do—“<a title="read the full text" href="https://resecurity.com/blog/article/logokit-update-the-phishing-kit-leveraging-open-redirect-vulnerabilities">The Phishing Kit Leveraging Open Redirect Vulnerabilities</a>”:</p> <blockquote> <strong>“Open Redirect vulnerabilities significantly facilitate LogoKit distribution”</strong> <br>The kit identified is named LogoKit, which was previously used in attacks against the customers of Office 365, Bank of America, GoDaddy, Virgin Fly, and many other[s]. … LogoKit is known for its dynamic content generation using JavaScript – it is able to change logos (of the impersonated service) and text on the landing pages in real-time to adapt on the fly, by doing so the targeted victims are more likely to interact with the malicious resource. <br>… <br>Unfortunately the use of Open Redirect vulnerabilities significantly facilitates LogoKit distribution, as many (even popular) online-services don’t treat such bugs as critical. … In some cases [they] don’t even patch, leaving the open door for such abuse. </blockquote> <p>&nbsp;<br><strong>And don’t think 2FA/MFA will solve this.</strong><span>&nbsp;</span>Sudeep Singh and Jagadeeswar Ramanukolanu explain—“<a title="read the full text" href="https://www.zscaler.com/blogs/security-research/aitm-phishing-attack-targeting-enterprise-users-gmail">AiTM phishing attack targeting enterprise users of Gmail</a>”:</p> <blockquote> <strong>“Should not be considered as a silver bullet”</strong> <br>Beginning in mid-July 2022 … adversary-in-the-middle (AiTM) phishing attacks [were] targeted towards enterprise users of Gmail. … We identified multiple similarities between this campaign and the previous AiTM phishing campaign targeting users of Microsoft email services. <br>… <br>AiTM phishing kits can be used to target various websites and bypass multi-factor authentication. … These phishing emails were sent to chief executives and other senior members of the targeted organizations in the US. In some cases, the emails were also sent to the executive assistants of the CEOs and CFOs. <br>… <br>It is important to understand that such attacks are not limited to only Microsoft and Gmail enterprise users. An attacker can bypass multi-factor authentication protection on many different services using this method. … Even though security features such as … MFA add an extra layer of security, they should not be considered as a silver bullet. </blockquote> <p>&nbsp;<br><strong>But</strong><span>&nbsp;</span><a title="read the full text" href="https://www.techspot.com/news/95546-hackers-target-unsecured-amex-snapchat-sites-steal-user.html#comment_1">Neatfeatguy</a><span>&nbsp;</span>prefers to blame the victims:</p> <blockquote> Holy **** people are ****ing stupid. … Don't just click on stuff, people. I'd say use your brain and be smart about it, but clearly many of you aren't and you probably shouldn't be using the internet. </blockquote> <p>&nbsp;<br><strong>Is that entirely fair?</strong><span>&nbsp;</span><a title="read the full text" href="https://www.channelfutures.com/slides/grepo9-jpg">Ryan McCurdy</a><span>&nbsp;</span>thinks not:</p> <blockquote> The main reason that phishing scams are so convincing is that they often mimic the look of a brand or a credible person down to a very fine detail. To make matters worse, they prey on human action bias, with a call to action stating that attention must be taken right now. </blockquote> <p>&nbsp;<br><strong>Meanwhile</strong><span>&nbsp;</span><a title="read the full text" href="https://www.techspot.com/news/95546-hackers-target-unsecured-amex-snapchat-sites-steal-user.html#comment_2">Uncle Al</a><span>&nbsp;</span>knows the only way to be sure:</p> <blockquote> Public executions of hackers, scammers, etc. would go a long way towards ending the problem. … Eliminate them, one at a time = no repeat offenders. <br> <br>Think that's too harsh? Tell that to the person that has had their entire life savings stolen and now lives on the street without healthcare, proper food, or a place to safely sleep each night. </blockquote> <h2>&nbsp;<br>And Finally:</h2> <p><strong><a title="And Finally" href="https://www.youtube.com/watch?v=ixF92OS5PRg&amp;list=PL9zSC5i495YMjIuJjxToNGU8Ve7Gd5Rvj">Canon portals</a><br></strong></p> <div class="hs-embed-wrapper" style="position: relative; overflow: hidden; width: 100%; height: auto; padding: 0; max-width: 560px; max-height: 315px; min-width: 256px; display: block; margin: auto;"> <div class="hs-embed-content-wrapper"> <div style="position: relative; overflow: hidden; max-width: 100%; padding-bottom: 56.25%; margin: 0px;"> <iframe width="560" height="315" src="https://www.youtube.com/embed/ixF92OS5PRg" frameborder="0" allowfullscreen style="position: absolute; top: 0px; left: 0px; width: 100%; height: 100%; border: none;"></iframe> </div> </div> </div> <p>&nbsp;</p> <p><a href="https://www.youtube.com/playlist?list=PL9zSC5i495YMjIuJjxToNGU8Ve7Gd5Rvj">Previously in<span>&nbsp;</span><em>And finally</em></a></p> <p><em>You have been reading&nbsp;<i>Secure Software&nbsp;Blogwatch</i>&nbsp;by&nbsp;<a href="https://www.richi.uk/">Richi&nbsp;Jennings</a>. Richi curates the best bloggy bits, finest forums, and weirdest websites … so you don’t have to. Hate mail may be directed to&nbsp;<a href="https://twitter.com/richi">@RiCHi</a>&nbsp;or&nbsp;<a href="mailto:ssbw@richi.co.uk?subject=-sbbw-">ssbw@richi.uk</a>. Ask your doctor before reading. Your mileage may vary. E&amp;OE. 30.</em></p> <p><small><i>Image sauce:<span>&nbsp;</span><a href="https://unsplash.com/photos/ECGv8s2IPG0">Mark König</a><span>&nbsp;</span>(via<span>&nbsp;</span><a title="Some rights reserved" href="https://unsplash.com/license">Unsplash</a>; leveled and cropped)</i></small></p> <img src="https://track.hubspot.com/__ptq.gif?a=3375217&amp;k=14&amp;r=https%3A%2F%2Fdevelop.secure.software%2Fdevops-fix-your-dangerous-redirects-amex-shows-how&amp;bu=https%253A%252F%252Fdevelop.secure.software&amp;bvt=rss" alt="" width="1" height="1" style="min-height:1px!important;width:1px!important;border-width:0!important;margin-top:0!important;margin-bottom:0!important;margin-right:0!important;margin-left:0!important;padding-top:0!important;padding-bottom:0!important;padding-right:0!important;padding-left:0!important; "> Secure Software Blogwatch Dev & DevSecOps Thu, 11 Aug 2022 09:00:00 GMT richi.jennings@richi.co.uk (Richi Jennings) https://develop.secure.software/devops-fix-your-dangerous-redirects-amex-shows-how 2022-08-11T09:00:00Z Post-quantum algo ‘SIKE’ dead: Did math geeks find key-encap back door? https://develop.secure.software/post-quantum-algo-sike-dead-did-math-geeks-find-key-encap-back-door <div class="hs-featured-image-wrapper"> <a href="https://develop.secure.software/post-quantum-algo-sike-dead-did-math-geeks-find-key-encap-back-door" title="" class="hs-featured-image-link"> <img src="https://develop.secure.software/hubfs/large-back-door--natalia-yakovleva--unsplash.png" alt="Post-quantum algo ‘SIKE’ dead: Did math geeks find key-encap back door?" class="hs-featured-image" style="width:auto !important; max-width:50%; float:left; margin:0 15px 15px 0;"> </a> </div> <p><strong></strong></p> <p><strong><img src="https://develop.secure.software/hs-fs/hubfs/large-back-door--natalia-yakovleva--unsplash.png?width=1280&amp;name=large-back-door--natalia-yakovleva--unsplash.png" alt="large-back-door--natalia-yakovleva--unsplash" width="1280" style="width: 1280px;"></strong></p> <p><strong>Here’s more on<span>&nbsp;</span><a href="https://develop.secure.software/devs-prep-for-pqc-post-quantum-cryptography" title="Devs: Prep for PQC">NIST’s search</a><span>&nbsp;</span>for post-quantum cryptography (PQC):</strong><span>&nbsp;</span>This week, is it in trouble? Breathless headlines would have you believe it, because researchers found a way to easily break the SIKE key encapsulation algorithm.<img src="https://bit.ly/xbw20220803" height="1" width="1"></p> <p><strong>But no: SIKE wasn't one of the algorithms chosen</strong><span>&nbsp;</span>by NIST last month. It was, however, one of the<span>&nbsp;</span><i>candidates</i><span>&nbsp;</span>for the next round of approvals. Devs are still advised to ensure they have “crypto agility”—the ability to swap in new algorithms with ease.</p> <p><strong>Researchers Wouter Castryck and Thomas Decru</strong><span>&nbsp;</span>are eligible for a chunky bug bounty. In this week’s<span>&nbsp;</span><a href="https://develop.secure.software/tag/secure-software-blogwatch">Secure Software&nbsp;Blogwatch</a>, we’re glad to see&nbsp;the system is<span>&nbsp;</span><i>working</i>, not broken.</p> <p><a title="Richi Jennings" href="https://www.richi.uk/">Your humble blogwatcher</a>&nbsp;curated these bloggy bits for your entertainment. Not to mention:&nbsp;<i>Freedom</i>.</p> <p><span style="font-size: 18px; font-weight: bold;">[ Get&nbsp;<a href="https://develop.secure.software/software-supply-chain-security-top-of-mind-tools-lacking">key takeaways from a survey of 300+ professionals&nbsp;</a>on software security. Or, download the full report:&nbsp;<a href="https://www.reversinglabs.com/reports/flying-blind-software-firms-struggle-to-detect-supply-chain-hacks">Flying Blind: Firms Struggle to Detect Software Supply Chain Attacks</a>&nbsp;]</span><br>&nbsp;</p> <h2>NIST nixes PQC postulant</h2> <p><strong>What’s the craic?</strong><span>&nbsp;</span>Laura Dobberstein reports—“<a title="read the full text" href="https://www.theregister.com/2022/08/03/nist_quantum_resistant_crypto_cracked/">NIST's nifty new algorithm looks like it's in trouble</a>”:</p> <blockquote> <strong>“Vintage processor”</strong> <br>One of the four encryption algorithms the US National Institute of Standards and Technology (NIST) recommended as likely to resist decryption by quantum computers has had holes kicked in it by researchers using a single core of [a 2013] Intel Xeon. … The Supersingular Isogeny Key Encapsulation (SIKE) algorithm was chosen by NIST just last month as a candidate for standardization, meaning it advanced to an extra round of testing. <br>… <br>Microsoft – whose research team played a role in the algorithm's development along with multiple universities, Amazon, Infosec Global and Texas Instruments – set up a $50,000 bounty for anyone who could crack it. … Wouter Castryck and Thomas Decru claim to have done just that. <br>… <br>Microsoft described the algorithm as using arithmetic operations on elliptic curves defined over finite fields and compute maps, also called isogenies, between the curves. Finding such an isogeny was thought to be sufficiently difficult to provide reasonable security – a belief now shattered by [a] nine-year-old … vintage processor. </blockquote> <p>&nbsp;<br><strong>And</strong><span>&nbsp;</span>Dan Goodin adds in—“<a title="read the full text" href="https://arstechnica.com/information-technology/2022/08/sike-once-a-post-quantum-encryption-contender-is-koed-in-nist-smackdown/">Leave it to mathematicians to muck up what looked like an impressive new algorithm</a>”:</p> <blockquote> <strong>“SIKE is dead”</strong> <br>Last month … NIST, selected four post-quantum computing encryption algorithms. … In the same move, NIST advanced four additional algorithms as potential replacements, pending further testing. [SIKE] is one of the latter four additional algorithms. The attack has no impact on the four PQC algorithms selected by NIST as approved standards. <br>… <br>SIKE is the second NIST-designated PQC candidate to be invalidated this year. … The entire process requires only about an hour [of CPU] time. The feat makes the researchers … eligible for a $50,000 reward. <br>… <br>The version of SIKE submitted to NIST used a single step to generate the key. A possible variant of SIKE could be constructed to take two steps. … David Jao, a professor at the University of Waterloo and co-inventor of SIKE … said that it’s possible that this latter variant might not be susceptible to the math causing this breakage. For now, though, SIKE is dead. </blockquote> <p>&nbsp;<br><strong>ELI5?</strong><span>&nbsp;</span>Steven Galbraith politely declines your request to explain like you’re five—“<a title="read the full text" href="https://ellipticnews.wordpress.com/2022/07/31/breaking-supersingular-isogeny-diffie-hellman-sidh/">Is there a simple way to explain?</a>”:</p> <blockquote> <strong>“We should keep our minds open”</strong> <br>Nope. Go learn about Richelot isogenies and abelian surfaces. <br>… <br>The theoretical foundations of the attack are described in a paper by Kani from 1997 (and … by Howe, Leprévost and Poonen from 2000). So in some sense the attack could have been noticed at any time. But … this is not an attack one is going to discover by thinking only about isogenies between elliptic curves. The attack deeply exploits Richelot isogenies and products of elliptic curves and I doubt the attack can be expressed meaningfully without that language. This is the power of generalisation and extension. So what was necessary to find the attack was to have a community of scholars studying “esoteric” subjects like extending isogeny crypto to abelian surfaces. <br>… <br>The correct response to this is not to attempt to minimise the impact, nor to reflexively declare the subject dead. Instead, we should keep our minds open and let the mathematicians work out the implications, wherever they lead. </blockquote> <p>&nbsp;<br><strong>The<span>&nbsp;</span><i>correct</i><span>&nbsp;</span>response?</strong><span>&nbsp;</span>As<span>&nbsp;</span><a title="read the full text" href="https://news.ycombinator.com/item?id=32320184">Karellen</a><span>&nbsp;</span>explains, the system is actually working as intended:</p> <blockquote> <strong>“This is the kind of result [it] is meant to produce”</strong> <br>The only way to get good cryptosystems is to get as many cryptographers as possible, outside of the ones who invented them, to attack those cryptosystems in as many ways as they can think of. <br>… <br>One of the best ways we've come up with is [to] have people submit a bunch of proposals to a regulatory agency (like NIST), who then with advice from academia and industry create a shortlist of likely candidates, and finally advertise those as the ones that as many people as possible should try to break. And for any who do find weaknesses, you get to publish a paper about it and receive a bunch of recognition. <br>… <br>This is the kind of result that standardising encryption algorithms is meant to produce. It's meant to leverage widespread expertise to find the weaknesses …  <i>before</i> <span>&nbsp;</span>they start to get widespread use. </blockquote> <p>&nbsp;<br><strong>How did we get here?</strong><span>&nbsp;</span><a title="read the full text" href="https://twitter.com/kennwhite/status/1554470699007447041">@KennWhite</a><span>&nbsp;</span>rues the day:</p> <blockquote> What a strange path we've taken: In 10-20 yrs (or 50, or never) we <span>&nbsp;</span> <i>might</i> <span>&nbsp;</span>have practical quantum computers, so let's roll out replacement PQ crypto now. Which could be trivially broken today, on a laptop. <br>… <br>Obviously [I’m] glad that sunlight helped focus the analysis and it was caught prior to standardization. [But I’m] Deeply skeptical we're anywhere short of multiple decades from a practical general purpose quantum computer capable of non-trivial factoring. </blockquote> <p>&nbsp;<br><strong>And the skepticism runs deeper.</strong><span>&nbsp;</span><a title="read the full text" href="https://it.slashdot.org/comments.pl?sid=21825110&amp;cid=62756674">WaffleMonster</a><span>&nbsp;</span>sees the dead hand of No Such Agency:</p> <blockquote> This is the whole point of post quantum crypto. Intelligence agencies have had four decades to break RSA and have mostly failed. <br>… <br>Now they want to social engineer the world into accepting complex gibberish justified by FUD—merely an unfalsifiable always true notion that something "could" happen in the future. Once there is a post quantum scheme they will pursue their goal of demanding everyone abandon RSA for the new scheme thru government sponsored standardization / regulatory means and everyone will be compelled to fall in line. </blockquote> <p>&nbsp;<br><strong>And deeper!</strong><span>&nbsp;</span>Daniel J. Bernstein—<a title="read the full text" href="https://twitter.com/hashbreaker">@HashBreaker</a><span>&nbsp;</span>alleges a deliberate choice of parameter opened a secret back door:</p> <blockquote> <strong>“Throwing away a secret isogeny”</strong> <br>SIKE wouldn't have been broken (yet?) if the proposers had applied a <span>&nbsp;</span> <i>secret</i> <span>&nbsp;</span>isogeny to build a standard starting curve. The attack would instead have been showing that the secret is a back door. <br>… <br>Compare to NIST's submission criteria: "To help rule out the existence of possible back-doors in an algorithm, the submitter shall explain the provenance of any constants or tables used in the algorithm." Is it true that explaining the SIDH/SIKE constants rules out back doors? <br>… <br>[They] had the option of following a different path (ahem), generating the standard A at random by applying and then throwing away a secret isogeny. What's interesting about this is that then SIKE wouldn't (yet?) be broken. In other words … pushing for elimination of back doors created a SIKE weakness that could have been avoided otherwise. Now think about this situation from the perspective of attackers who secretly knew the weakness from the outset. </blockquote> <p>&nbsp;<br><strong>But it’s not a “sky falling” moment?</strong><span>&nbsp;</span>No, but<span>&nbsp;</span><a title="read the full text" href="https://news.ycombinator.com/item?id=32319759">klyrs</a><span>&nbsp;</span>still sees it as a<span>&nbsp;</span><i>teachable</i><span>&nbsp;</span>moment:</p> <blockquote> Still makes a fun story, though. And, if nothing else, it should serve as a warning: Even professional crypto experts make weak crypto when they're trying their hardest. Don't roll your own! </blockquote> <p>&nbsp;<br><strong>Meanwhile,</strong><span>&nbsp;</span><a title="read the full text" href="https://arstechnica.com/information-technology/2022/08/sike-once-a-post-quantum-encryption-contender-is-koed-in-nist-smackdown/?comments=1&amp;post=41118441#comment-41118441">ColdWetDog</a><span>&nbsp;</span>shivers and shakes:</p> <blockquote> I tried to look up 'isogeny' — that didn't go well, even after two more cups of coffee. I can barely type now and I'm not any smarter. </blockquote> <h2>&nbsp;<br>And Finally:</h2> <p><strong><a title="And Finally" href="https://www.youtube.com/watch?v=4IiJUQSsxNw&amp;list=PL9zSC5i495YMjIuJjxToNGU8Ve7Gd5Rvj">Rest in campy peace, Nichelle Nichols</a></strong></p> <div class="hs-embed-wrapper" style="position: relative; overflow: hidden; width: 100%; height: auto; padding: 0; max-width: 560px; max-height: 315px; min-width: 256px; display: block; margin: auto;"> <div class="hs-embed-content-wrapper"> <div style="position: relative; overflow: hidden; max-width: 100%; padding-bottom: 56.25%; margin: 0px;"> <iframe width="560" height="315" src="https://www.youtube.com/embed/4IiJUQSsxNw" frameborder="0" allowfullscreen style="position: absolute; top: 0px; left: 0px; width: 100%; height: 100%; border: none;"></iframe> </div> </div> </div> <p><br>Hat tip:<span>&nbsp;</span><a href="https://b3ta.com/links/RIP:15">Happosai</a></p> <p><a href="https://www.youtube.com/playlist?list=PL9zSC5i495YMjIuJjxToNGU8Ve7Gd5Rvj">Previously in<span>&nbsp;</span><em>And finally</em></a></p> <p><em>You have been reading&nbsp;<i>Secure Software&nbsp;Blogwatch</i>&nbsp;by&nbsp;<a href="https://www.richi.uk/">Richi&nbsp;Jennings</a>. Richi curates the best bloggy bits, finest forums, and weirdest websites … so you don’t have to. Hate mail may be directed to&nbsp;<a href="https://twitter.com/richi">@RiCHi</a>&nbsp;or&nbsp;<a href="mailto:ssbw@richi.co.uk?subject=-sbbw-">ssbw@richi.uk</a>. Ask your doctor before reading. Your mileage may vary. E&amp;OE. 30.</em></p> <p><small><i>Image sauce:<span>&nbsp;</span><a href="https://unsplash.com/photos/DIewyzpUbRc">Natalia Yakovleva</a><span>&nbsp;</span>(via<span>&nbsp;</span><a title="Some rights reserved" href="https://unsplash.com/license">Unsplash</a>; leveled and cropped)</i></small></p> <img src="https://track.hubspot.com/__ptq.gif?a=3375217&amp;k=14&amp;r=https%3A%2F%2Fdevelop.secure.software%2Fpost-quantum-algo-sike-dead-did-math-geeks-find-key-encap-back-door&amp;bu=https%253A%252F%252Fdevelop.secure.software&amp;bvt=rss" alt="" width="1" height="1" style="min-height:1px!important;width:1px!important;border-width:0!important;margin-top:0!important;margin-bottom:0!important;margin-right:0!important;margin-left:0!important;padding-top:0!important;padding-bottom:0!important;padding-right:0!important;padding-left:0!important; "> Secure Software Blogwatch Dev & DevSecOps Thu, 04 Aug 2022 09:00:00 GMT richi.jennings@richi.co.uk (Richi Jennings) https://develop.secure.software/post-quantum-algo-sike-dead-did-math-geeks-find-key-encap-back-door 2022-08-04T09:00:00Z OpenSSF's open source security mobilization initiative: Inside the 10-point action plan https://develop.secure.software/openssfs-open-source-software-security-mobilization-plan <div class="hs-featured-image-wrapper"> <a href="https://develop.secure.software/openssfs-open-source-software-security-mobilization-plan" title="" class="hs-featured-image-link"> <img src="https://develop.secure.software/hubfs/openssf-open-source-security-mobilization-plan.jpg" alt="OpenSSF's Open Source Software Security Mobilization Plan: Inside the 10-stream action plan" class="hs-featured-image" style="width:auto !important; max-width:50%; float:left; margin:0 15px 15px 0;"> </a> </div> <p style="font-size: 18px; font-weight: bold;">Here is a run-down of the 10 streams from OpenSSF's Open Source Software Security Mobilization Plan.</p> <p style="font-size: 18px;">Industries are fond of launching initiatives that make a big splash on day one, but often peter out shortly thereafter. That doesn't seem to be the case with the Open Software Security Foundation (OpenSSF)'s plan to overhaul software supply chain security. Not only has the foundation done a remarkable job of herding support for its <a href="https://openssf.org/oss-security-mobilization-plan/">Open Source Software Security Mobilization Plan</a>, but it has also received commitments from some weighty industry players to pledge some big bucks to get its plan rolling.</p> <p style="font-size: 18px;"><img src="https://develop.secure.software/hs-fs/hubfs/openssf-open-source-security-mobilization-plan.jpg?width=1400&amp;name=openssf-open-source-security-mobilization-plan.jpg" alt="openssf-open-source-security-mobilization-plan" width="1400" style="width: 1400px;"></p> <p style="font-size: 18px; font-weight: bold;">Here is a run-down of the 10 streams from OpenSSF's Open Source Software Security Mobilization Plan.</p> <p style="font-size: 18px;">Industries are fond of launching initiatives that make a big splash on day one, but often peter out shortly thereafter. That doesn't seem to be the case with the Open Software Security Foundation (OpenSSF)'s plan to overhaul software supply chain security. Not only has the foundation done a remarkable job of herding support for its <a href="https://openssf.org/oss-security-mobilization-plan/">Open Source Software Security Mobilization Plan</a>, but it has also received commitments from some weighty industry players to pledge some big bucks to get its plan rolling.</p> <p style="font-size: 18px;">"What impresses me most so far about this nascent open source software security plan effort is that it brings together a long list of major U.S. technology companies and their executives who collaborated and proposed strategies to get this effort to the starting line," Todd R. Weiss, an analyst at Futurum, <a href="https://convergetechmedia.com/10-point-open-source-software-security-mobilization-plan-unveiled-by-linux-foundation-openssf-to-strengthen-open-source-security-in-pursuit-of-white-house-goal/">wrote for the publication Converge</a>.</p> <blockquote> <p style="font-size: 24px;"><span style="font-style: italic;">"This is a big deal. When an organization can gain broad consensus from a large and diverse number of players and organizational needs."</span><br><span style="font-style: italic;">—</span><a href="https://www.linkedin.com/in/toddrweiss/" style="font-style: italic;">Todd R. Weiss</a></p> </blockquote> <p style="font-size: 18px;">Pieter Danhieux, co-founder and CEO of Secure Code Warrior, called the plan "ambitious, bold, and exactly what is needed to drive developer responsibility for security." <a href="https://sdtimes.com/security/the-open-source-software-security-mobilization-plan-a-new-hope-for-developer-driven-security/" style="font-style: normal;">Writing for Software Developer Times</a>, he observed,</p> <blockquote> <p style="font-size: 24px;"><span style="font-style: italic;">"It took a 'Rebel Alliance' of some powerful players coming together, but this serves as proof that we are heading in the right direction and leaving behind the idea that the cybersecurity skills gap will magically fix itself."&nbsp;</span><br><span style="font-style: italic;">—</span><a href="https://www.linkedin.com/in/pieterdanhieux/" style="font-style: italic;">Pieter Danhieux</a></p> </blockquote> <h2 style="font-size: 24px; font-weight: bold;">$30 million is not enough</h2> <p style="font-size: 18px;">At the announcement of the plan, companies backing it pledged $30 million, including $10 million from Amazon Web Services and $5 million from Microsoft. "Open source software is core to nearly every company's technology strategy. Collaboration and investment across the open source ecosystem will strengthen and sustain security for everyone," Microsoft Azure CTO Mark Russinovich said in a statement.</p> <p style="font-size: 18px;">Intel, too, pledged to up its ante in efforts to secure open source software. "Intel has invested over $250 million in advancing open-source software security. As we approach the next phase of Open Ecosystem initiatives, we intend to maintain and grow this commitment by double-digit percentages," Intel Vice President for Software and Advanced Technology Melissa Evers said in a statement.</p> <p style="font-size: 18px;">The $30 million pledged by the companies will just be the start for the first-of-its-kind initiative aimed at securing the production of open source code, improving vulnerability detection and remediation, and shortening patching response time. OpenSSF's executive director, Brian Behlendorf, said the foundation will need $150 million to fund the 10 "streams" it's proposing in the plan. "30 is not 150, but we have lots of continuing conversations with other types of organizations to contribute to [the plan]," he explained during a <a href="https://www.youtube.com/watch?v=kIja2WLSEo8&amp;t=36s">podcast</a> recorded at the Open Source Summit, held in Austin, Texas, in June.</p> <blockquote> <p style="font-size: 24px;"><span style="font-style: italic;">"Each of those 10 would have a tremendous combined impact. I think we'd make a serious dent in some of the instability that happens through a lack of security in open source code."</span><br><span style="font-style: italic;">—</span><a href="https://www.linkedin.com/in/brianbehlendorf/" style="font-style: italic;">Brian Behlendorf</a></p> </blockquote> <p style="font-size: 18px;">Here's whats inside OpenSSF's open source software security mobilization plan.</p> <p style="font-size: 24px; font-weight: bold;">1. Deliver baseline secure software development education and certification to all</p> <p style="font-size: 18px;">This stream calls for a multi-pronged approach to addressing a historical problem with software development: developers aren't trained to code securely. "They highlight the issues we have discussed for some time, including the fact that secure coding is MIA from most software engineering courses at the tertiary level," Danhieux said of the education stream.</p> <p style="font-size: 18px;">"It is incredibly encouraging to see this supported by individuals and departments that can shift the industry status quo," he continued, "and with 99% of the world’s software containing at least some open-source code, this realm of development is a great place to start focusing on developer training in security."</p> <p style="font-size: 18px;">"Remember when O'Reilly books were the signal that an open source project had arrived?" Behlendorf asked during the OSS podcast. "There's still some of that, but the new signal is there's a course for it and I can certify to my employer that I know what I'm talking about."</p> <p style="font-size: 24px; font-weight: bold;">2. Establish a public, vendor-neutral, objective-metrics-based risk assessment dashboard</p> <p style="font-size: 18px;">According to the plan, the lack of a standardized risk assessment and monitoring solution in the open source software supply chain creates cyclical problems for various stakeholders. To address that, the plan proposes developing metrics for activities—code adoption, contributor growth and retention, organizational engagement, and downstream dependencies—and for vulnerabilities and best practices.</p> <p style="font-size: 18px;">Among the companies pledging resources to this aspect of the plan is Dell. "Dell's best and brightest engineers will engage with peers to develop risk-based metrics and scoring dashboards, digital signature methodologies for code signing, and Software Bill of Materials (SBoM) tools—all to address the grand challenge of open-source software security," the company's CTO John Roese said in a statement.</p> <p style="font-size: 24px; font-weight: bold;">3. Use digital signatures to deliver enhanced trust to the software supply chain</p> <p style="font-size: 18px;">Digital signatures, when used or verified at all in the software supply chain, often only cover the “last mile” or use a variety of approaches that are difficult to automate and audit, the plan explained. Digital signatures for software distribution must be addressed end-to-end—from original developer and development teams all the way to the end user and end device—to address a range of attack vectors increasingly being deployed, it continued. They must be easy for developers to apply and users to verify.</p> <p style="font-size: 24px; font-weight: bold;">4. Eliminate vulnerability root causes by replacing non-memory-safe languages</p> <p style="font-size: 18px;">The plan noted that it is common for vulnerabilities to result from a program mismanaging memory. These types of vulnerabilities are called memory safety vulnerabilities. Such vulnerabilities exist because certain unsafe languages, mainly C and C++, allow programmers to easily make memory management mistakes.&nbsp;</p> <p style="font-size: 18px;">Unlike many other types of vulnerabilities, it continued, it's known how to entirely rid ourselves of memory safety vulnerabilities, not just mitigate them. By moving software away from C and C++ to safer languages, memory safety vulnerabilities, which account for a huge percentage of all vulnerabilities, can be eliminated. According to Microsoft, 70% of vulnerabilities in their products over the past decade are memory safety vulnerabilities, while Google pegs that number at 90% of vulnerabilities in Android. The percentages are similar in open source software, the plan noted.</p> <p style="font-size: 24px; font-weight: bold;">5. Establish the OpenSSF Open Source Security Incident Response Team</p> <p style="font-size: 18px;">When a world-altering critical open-source software vulnerability like Heartbleed or Log4Shell occurs, open-source maintainers need to make quick decisions that can dramatically impact the cybersecurity posture of entire industries. What the OpenSSF is proposing is the creation of an open source security incident response team (OSSSIRT), a coordinated group of experts from across the industry who will be available to help open source maintainers with all aspects of remediating high-impact security vulnerabilities and related security emergencies.</p> <p style="font-size: 24px; font-weight: bold;">6. Accelerate discovery, remediation, and coordinated disclosure of new vulnerabilities by maintainers and experts</p> <p style="font-size: 18px;">The number of vulnerabilities in open source software is dramatically increasing, driven in part by the increasing velocity of software development, the plan explained. According to NIST, some 6,000 new vulnerabilities were discovered in 2016. That more than tripled in five years, to 22,000, and the OpenSSF says 2022 is on a pace to match or eclipse 2021.</p> <p style="font-size: 18px;">The OpenSSF proposes an open, multi-forked approach to addressing this serious issue by increasing the use of software scanning and analysis tools—SAST, DAST, fuzzing, and so forth—by open source developers. Those tools will be provided to OSS&nbsp; maintainers via a centralized managed service manned by security experts who will engage with the maintainers , as well as systematically monitor the OSS code landscape for classes of vulnerabilities as they emerge as threat vectors. They will also work with the maintainers to improve the state of coordinated vulnerability disclosure.</p> <p style="font-size: 24px; font-weight: bold;">7. Conduct third-party code reviews — and any necessary remediation work — of up to 200 of the most-critical OSS components once a year</p> <p style="font-size: 18px;">&nbsp;Technical tools used to find vulnerabilities are unable to find some of the most critical and complex bugs. Those bugs need human experts to expose them, the plan explained. As a result, code that has not been reviewed carefully by an expert in secure code review generally contains security flaws which, if found and exploited by threat actors, could cause significant damage to enterprises and national security.</p> <p style="font-size: 18px;">What the plan proposes is an industry-wide, coordinated effort, led by OpenSSF, to manage and facilitate third-party code reviews and associated remediation of critical vulnerabilities in OSS software. Reputable third-party security firms will perform code review and security auditing of critical open source projects and publish a public report of the findings from each audit.</p> <p style="font-size: 24px; font-weight: bold;">8. Coordinate industry-wide data sharing to improve the research that helps determine the most critical OSS components</p> <p style="font-size: 18px;">A major challenge to objectively determining which open source software is actually “critical” is that usage, download, and dependency data is often considered a proprietary advantage by the software distribution channels that are able to collect that data. A better list of critical open source software could be derived if concerns about sharing secret information can be addressed. The plan proposes to create a multilateral framework and agreement with a small number of organizations willing to pool their anonymized data at a neutral home for access to academic and commercial researchers, under the strict condition that the information can only be used to address the matter of identifying highly popular but under-maintained open source software.</p> <p style="font-size: 24px; font-weight: bold;">9. SBOM everywhere — improve SBOM tooling and training to drive adoption</p> <p style="font-size: 18px;">An SBOM is a list of the software components in a software system. It is typically maintained as an inventory list that enables developers and organizations to effectively and efficiently evaluate risk management use cases such as vulnerability analysis. However, SBOMs are not yet widely generated or consumed in the software industry. By enabling SBOMs everywhere, the plan maintains, it can improve the security posture of the entire open source ecosystem.</p> <blockquote> <p style="font-size: 24px;"><em>"The plan has a brilliant strategy to define key standards for SBOM creation, as well as tooling for ease of creation that fits with how developers work.These alone would go a long way in decreasing the burden of yet another SDLC task for developers who are already spinning a lot of plates to create software at the speed of demand."&nbsp;</em><br><em>—Pieter Danhieux</em></p> </blockquote> <p style="font-size: 24px; font-weight: bold;">10. Enhance the 10 most critical OSS build systems, package managers, and distribution systems with better supply chain security tools and best practices</p> <p style="font-size: 18px;">Open source software is built using a range of language-specific build systems before being distributed to end users via package managers, the plan explained. This means wildly different levels of quality and risk permeate through the software supply chain as components from different ecosystems come together in a production environment, making efforts to place unified policies around risk management and mitigation very challenging.</p> <p style="font-size: 18px;">What the plan proposes to address that situation is to examine the most impactful security enhancements that can be made to the distribution of those software artifacts, driving improvements at the package manager level to complement other streams focused on component level security and ecosystem risk.</p> <p style="font-size: 18px;">Longer term, the plan maintains, packaging and distribution improvements around composition and provenance data should support shortened patch time through faster detection and remediation, improved transparency of vulnerabilities and patches to downstream users, and better security tooling for all developers.</p> <h2 style="font-size: 24px; font-weight: bold;">10 flags in the ground</h2> <p style="font-size: 18px;">Weiss called the plan an important step toward finding credible, reliable, and repeatable processes that can make software creation and use safer from cyberattacks and cybercriminals. "Absolute security is never possible but attacking security challenges using every means is a smart strategy in the constant battle against hackers," Weiss wrote. "By developing this mobilization plan and fully integrating it, the U.S. will be in a better position to defend its infrastructure against cyberattacks in the future."</p> <blockquote> <p style="font-size: 24px;"><em>“What we are doing here together is converging a set of ideas and principles of what is broken out there and what we can do to fix it. The plan we have put together represents the 10 flags in the ground as the base for getting started. We are eager to get further input and commitments that move us from plan to action.”</em><br><em>—Brian Behlendorf</em></p> </blockquote> <h2 style="font-size: 24px; font-weight: bold;">Keep learning</h2> <ul> <li><a href="https://develop.secure.software/tag/software-supply-chain-security" style="font-weight: bold;">Get up to speed on software supply chain security with our full coverage</a></li> <li><a href="https://www.reversinglabs.com/reports/flying-blind-software-firms-struggle-to-detect-supply-chain-hacks" style="font-weight: bold;">Download the free report: 'Firms Struggle to Detect Software Supply Chain Attacks'</a></li> <li><a href="https://www.secure.software/sample-reports" style="font-weight: bold;">See sample reports from software supply chain attacks</a></li> </ul> <img src="https://track.hubspot.com/__ptq.gif?a=3375217&amp;k=14&amp;r=https%3A%2F%2Fdevelop.secure.software%2Fopenssfs-open-source-software-security-mobilization-plan&amp;bu=https%253A%252F%252Fdevelop.secure.software&amp;bvt=rss" alt="" width="1" height="1" style="min-height:1px!important;width:1px!important;border-width:0!important;margin-top:0!important;margin-bottom:0!important;margin-right:0!important;margin-left:0!important;padding-top:0!important;padding-bottom:0!important;padding-right:0!important;padding-left:0!important; "> Software Supply Chain Security Tue, 02 Aug 2022 14:06:51 GMT jpmellojr@gmail.com (John P. Mello Jr.) https://develop.secure.software/openssfs-open-source-software-security-mobilization-plan 2022-08-02T14:06:51Z Carbon aims to fix C++ memory safety (and other big flaws) https://develop.secure.software/carbon-aims-to-fix-c-memory-safety-and-other-big-flaws <div class="hs-featured-image-wrapper"> <a href="https://develop.secure.software/carbon-aims-to-fix-c-memory-safety-and-other-big-flaws" title="" class="hs-featured-image-link"> <img src="https://develop.secure.software/hubfs/large-chandler-carruth--bryce-adelstein-lelbach.png" alt="Carbon aims to fix C++ memory safety (and other big flaws)" class="hs-featured-image" style="width:auto !important; max-width:50%; float:left; margin:0 15px 15px 0;"> </a> </div> <p><strong></strong></p> <p><strong><img src="https://develop.secure.software/hs-fs/hubfs/large-chandler-carruth--bryce-adelstein-lelbach.png?width=1280&amp;name=large-chandler-carruth--bryce-adelstein-lelbach.png" alt="large-chandler-carruth--bryce-adelstein-lelbach" width="1280" style="width: 1280px;"></strong></p> <p><strong>C++ sucks: It’s no good on memory safety, it's unergonomic, has far too much legacy cruft</strong><span>&nbsp;</span>and suffers from gatekeepers who won’t move with the times. Enter:<span>&nbsp;</span><i>Carbon</i>.<img src="https://bit.ly/xbw20220727" height="1" width="1"></p> <p><strong>Chandler Carruth (pictured) announced it</strong><span>&nbsp;</span>last week at the Cpp North conference in Toronto. Originally a Google-sponsored experiment, the team wants Carbon to be a respectful, inclusive, fully open-source language that we can easily migrate the world’s 50 billion lines of C++ to.</p> <p><strong>There’s nothing like a bold goal.</strong>&nbsp;In this week’s<span>&nbsp;</span><a href="https://develop.secure.software/tag/secure-software-blogwatch">Secure Software&nbsp;Blogwatch</a>, we wonder if the world needs yet another “better C.”</p> <p><a title="Richi Jennings" href="https://www.richi.uk/">Your humble blogwatcher</a>&nbsp;curated these bloggy bits for your entertainment. Not to mention:&nbsp;<i>Tricking AI Image Recognition</i>.</p> <p><span style="font-size: 18px; font-weight: bold;">[ Get&nbsp;<a href="https://develop.secure.software/software-supply-chain-security-top-of-mind-tools-lacking">key takeaways from a survey of 300+ professionals&nbsp;</a>on software security. Or, download the full report:&nbsp;<a href="https://www.reversinglabs.com/reports/flying-blind-software-firms-struggle-to-detect-supply-chain-hacks">Flying Blind: Firms Struggle to Detect Software Supply Chain Attacks</a>&nbsp;]</span><br>&nbsp;</p> <h2>C++ WG no longer apt?</h2> <p><strong>What’s the craic?</strong><span>&nbsp;</span>Joab Jackson reports—“<a title="read the full text" href="https://thenewstack.io/google-launches-carbon-an-experimental-replacement-for-c/">Google Launches Carbon</a>”:</p> <blockquote> <strong>“Modern programming principles”</strong> <br>Frustrated by the slow evolution of C++, Google engineers have launched a new “experimental” … language, called Carbon. … Just as Microsoft built Typescript to update JavaScript, and Kotlin was created to shore up weaknesses in Java, Carbon could serve as a successor language to C++. <br>… <br>Long the language of choice for building performance-critical applications, C++ is plagued with a number of issues that hamper modern developers. … It has accumulated decades of technical debt. [Its] evolution is also stymied by a bureaucratic … sequestered development process. <br>… <br>Carbon will be built on a foundation of modern programming principles, including a generics system [and] memory safety. … Carbon designers will look for ways to better track uninitialized states, design APIs and idioms that support dynamic bounds checks, and build a comprehensive default debug build mode. [They] will also set out to create a built-in package manager [and] write translation tools to migrate C++ code into Carbon. </blockquote> <p>&nbsp;<br><strong>Just to hammer the point home,</strong><span>&nbsp;</span>Kyle Bradshaw says it “<a title="read the full text" href="https://9to5google.com/2022/07/19/carbon-programming-language-google-cpp/">aims to be C++ successor</a>”:</p> <blockquote> <strong>“Open for pull requests”</strong> <br>Over the years, Google has created a few programming languages, some of which have become more popular and prominent than others. For example … Go was created for the purpose of improving the development of servers and distributed systems. … Meanwhile, the Dart programming language, originally intended as something of an alternative to JavaScript, didn’t reach mainstream popularity until the release of Flutter. <br>… <br>Some may suggest that Rust, originally a Mozilla project that has since grown to have a significant public following, is a successor to C++. [But] it doesn’t have the same “bi-directional interoperability” of something like Java &amp; Kotlin, making it difficult to steadily migrate. … The goal is to make migrating from C++ to Carbon as easy as possible. <br>… <br>While Carbon got its start within Google, the team understands and has shared online that for it to have any future success, Carbon needs to be “an independent and community driven project.” … The project’s code is hosted publicly on GitHub and is open for pull requests, while Carbon’s culture is outlined to be accessible and inclusive. </blockquote> <p>&nbsp;<br><strong>What about memory safety?</strong><span>&nbsp;</span>Chandler Carruth and friends commit to “<a title="read the full text" href="https://github.com/carbon-language/carbon-lang/blob/trunk/README.md#memory-safety">an experimental successor to C++</a>”:</p> <blockquote> <strong>“A safe Carbon subset”</strong> <br>Safety, and especially memory safety, remains a key challenge for C++ and something a successor language needs to address. Our initial priority and focus is on immediately addressing important, low-hanging fruit: … <ul> <li>Tracking uninitialized states better, increased enforcement of initialization, and systematically providing hardening against initialization bugs when desired.</li> <li>Designing fundamental APIs and idioms to support dynamic bounds checks in debug and hardened builds.</li> <li>Having a default debug build mode that is both cheaper and more comprehensive than existing C++ build modes even when combined with Address Sanitizer.</li> </ul> Once we can migrate code into Carbon, we will have a simplified language with room in the design space to add any necessary annotations or features, and infrastructure like generics to support safer design patterns. Longer term, we will build on this to introduce a safe Carbon subset. This will be a large and complex undertaking, and won't be in the 0.1 design. Meanwhile, we are closely watching and learning from efforts to add memory safe semantics onto C++ such as Rust-inspired lifetime annotations. (See Carruth's <a href="https://www.youtube.com/watch?v=omrY53kbVoA">Carbon announcement video</a>.) </blockquote> <p>&nbsp;<br><strong>But what makes it different?</strong><span>&nbsp;</span>That’s exactly what<span>&nbsp;</span><a title="read the full text" href="https://news.ycombinator.com/item?id=32152425">cogman10</a><span>&nbsp;</span>was wondering:</p> <blockquote> <strong>“What Carbon can do that Rust can’t”</strong> <br>If you are like me and wondering "What makes Carbon different from Rust or Zig?" <br> <ol> <li>The ability to interoperate with a wide variety of code, such as classes/structs and templates, not just free functions.</li> <li>A willingness to expose the idioms of C++ into Carbon code—and the other way around, when necessary to maximize performance. …</li> <li>The use of wrappers and generic programming, including templates, to minimize or eliminate runtime overhead.</li> </ol> In other words, what Carbon can do that Rust can't do, is take a C++ class with a `foo` method and call that method. Or create a class with a `foo` method and call that method from C++. Probably one of the biggest hurdles to get over in C++ interop. </blockquote> <p>&nbsp;<br><strong>A well-read</strong><span>&nbsp;</span><a title="read the full text" href="https://developers.slashdot.org/comments.pl?sid=21772154&amp;cid=62729942">Brain-Fu</a><span>&nbsp;</span>quotes Bjarne Stroustrup:</p> <blockquote> “There are only two kinds of languages: The ones people complain about, and the ones nobody uses.” <br>… <br>Rust is not better than C/C++. Its current popularity is mostly hype. It has some specific benefits over C/C++ but those come with some distinct costs. If its adoption really does get anywhere near the level of C/C++ … everyone will be complaining about those [costs] just as much … as people complain about woes in C/C++. </blockquote> <p>&nbsp;<br><strong>Two can play at that game.</strong><span>&nbsp;</span><a title="read the full text" href="https://www.openweb.com/share/2CWxJ2wEW9K9s58pSmhTJUxXWnF">Evans O</a><span>&nbsp;</span>offers this African proverb:</p> <blockquote> “An axe that contends with rock in battle suffers blunt edges.” <br>… <br>C++ is an unshakable rock. … I think Carbon is starting on a wrong footing since its intention is to replace C++. <br>… <br>C++ 23 is around the corner! Can Carbon catch it? I suggest Google should aim at improving on the evolution process of C++ (which I think is where the issue lies) rather than boast of replacing it. For example, Google can create a modern package manager for C++ so that its appeal to mainstream developers can be rekindled. </blockquote> <p>&nbsp;<br><strong>But isn’t this<span>&nbsp;</span><i>really</i><span>&nbsp;</span>about Google falling out with the C++ working group?</strong><span>&nbsp;</span><a title="read the full text" href="https://news.ycombinator.com/item?id=32153786">saagarjha</a><span>&nbsp;</span>seems to say so:</p> <blockquote> Google uses C++ differently than everyone else. … In particular, they have a lot of statically linked code from a monorepo that gets recompiled all the time. This has caused them to put up proposals to “fix” the language that nobody else will support and don’t get adopted, because they break the ABI or backwards compatibility in ways that are unacceptable to the others who participate. It seems like this language is the result of that frustration and subsequent soft-withdrawal from the C++ WG. <br>… <br>I feel like Google designed this to solve their problems with C++ and is just throwing it out there if people are willing to adopt it because it’s there and Google says it’s good, just like how Go gained traction. [But] it seems pretty clear that the needs of this will be driven by Google. </blockquote> <p>&nbsp;<br><strong>Of course,<span>&nbsp;</span><i>real</i><span>&nbsp;</span>programmers stick to C or assembler.</strong><span>&nbsp;</span><a title="read the full text" href="https://developers.slashdot.org/comments.pl?sid=21772154&amp;cid=62736206">wakeboarder</a><span>&nbsp;</span>has a “get off my lawn” moment:</p> <blockquote> Devs now are … completely detached from the underpinnings of a computer. Many devs I've talked to … don't even know how a malloc works or caching strategies. They also don't know how the stack and heap works. </blockquote> <p>&nbsp;<br><strong>Meanwhile,</strong><span>&nbsp;</span><a title="read the full text" href="https://developers.slashdot.org/comments.pl?sid=21772154&amp;cid=62729872">Junta</a><span>&nbsp;</span>just jokes:</p> <blockquote> I'm not particularly excited or upset about it. Guess you could say I'm carbon neutral. </blockquote> <h2>&nbsp;<br>And Finally:</h2> <p><strong><a title="And Finally" href="https://www.youtube.com/watch?v=gGIiechWEFs&amp;list=PL9zSC5i495YMjIuJjxToNGU8Ve7Gd5Rvj">Tricking MATLAB</a></strong></p> <div class="hs-embed-wrapper" style="position: relative; overflow: hidden; width: 100%; height: auto; padding: 0; max-width: 560px; max-height: 315px; min-width: 256px; display: block; margin: auto;"> <div class="hs-embed-content-wrapper"> <div style="position: relative; overflow: hidden; max-width: 100%; padding-bottom: 56.25%; margin: 0px;"> <iframe width="560" height="315" src="https://www.youtube.com/embed/gGIiechWEFs" frameborder="0" allowfullscreen style="position: absolute; top: 0px; left: 0px; width: 100%; height: 100%; border: none;"></iframe> </div> </div> </div> <p>&nbsp;</p> <p><a href="https://www.youtube.com/playlist?list=PL9zSC5i495YMjIuJjxToNGU8Ve7Gd5Rvj">Previously in<span>&nbsp;</span><em>And finally</em></a></p> <p><em>You have been reading&nbsp;<i>Secure Software&nbsp;Blogwatch</i>&nbsp;by&nbsp;<a href="https://www.richi.uk/">Richi&nbsp;Jennings</a>. Richi curates the best bloggy bits, finest forums, and weirdest websites … so you don’t have to. Hate mail may be directed to&nbsp;<a href="https://twitter.com/richi">@RiCHi</a>&nbsp;or&nbsp;<a href="mailto:ssbw@richi.co.uk?subject=-sbbw-">ssbw@richi.uk</a>. Ask your doctor before reading. Your mileage may vary. E&amp;OE. 30.</em></p> <p><small><i>Image sauce:<span>&nbsp;</span><a href="https://twitter.com/blelbach/status/1549385011828252674">Bryce Adelstein Lelbach</a></i></small></p> <img src="https://track.hubspot.com/__ptq.gif?a=3375217&amp;k=14&amp;r=https%3A%2F%2Fdevelop.secure.software%2Fcarbon-aims-to-fix-c-memory-safety-and-other-big-flaws&amp;bu=https%253A%252F%252Fdevelop.secure.software&amp;bvt=rss" alt="" width="1" height="1" style="min-height:1px!important;width:1px!important;border-width:0!important;margin-top:0!important;margin-bottom:0!important;margin-right:0!important;margin-left:0!important;padding-top:0!important;padding-bottom:0!important;padding-right:0!important;padding-left:0!important; "> Secure Software Blogwatch Dev & DevSecOps Thu, 28 Jul 2022 09:00:00 GMT richi.jennings@richi.co.uk (Richi Jennings) https://develop.secure.software/carbon-aims-to-fix-c-memory-safety-and-other-big-flaws 2022-07-28T09:00:00Z 5 best practices for modern DevSecOps https://develop.secure.software/5-best-practices-for-modern-devsecops <div class="hs-featured-image-wrapper"> <a href="https://develop.secure.software/5-best-practices-for-modern-devsecops" title="" class="hs-featured-image-link"> <img src="https://develop.secure.software/hubfs/devsecops-best-practices_Jaiz_Anua.jpg" alt="5 best practices for modern DevSecOps" class="hs-featured-image" style="width:auto !important; max-width:50%; float:left; margin:0 15px 15px 0;"> </a> </div> <p style="font-weight: bold;">These best practices can help you deliver on the potential of true DevSecOps.</p> <p><img src="https://develop.secure.software/hs-fs/hubfs/devsecops-best-practices_Jaiz_Anua.jpg?width=1400&amp;name=devsecops-best-practices_Jaiz_Anua.jpg" alt="devsecops-best-practices_Jaiz_Anua" width="1400" style="width: 1400px;"></p> <p style="font-weight: bold;">These best practices can help you deliver on the potential of true DevSecOps.</p> <p>Software development has been supercharged by DevOps. By integrating development, testing, deployment, and release cycles into a single collaborative process, DevOps has enabled developers to bring applications online faster than ever.</p> <p>As is the case with most technology developments, however, security took a backseat to business exigencies as DevOps evolved. That's changed with the emergence of DevSecOps, which promotes integrating security throughout the software development lifecycle.</p> <p>But implementing a DevSecOps program requires intelligence, situational awareness, and collaboration. These five best practices, shared by top practitioners, can help your software team meet the requirements of modern DevSecOps to deliver security at the speed of today's software.</p> <h2 style="font-size: 24px; font-weight: bold;">1. Start early — and start small</h2> <p>The earlier in the development process security activities are integrated into the software development process, the earlier defects can be detected and corrected, says Casey Bisson, head of product and developer relations at BluBracket, a cybersecurity services company.</p> <blockquote> <p style="font-size: 24px;"><span style="font-style: italic;">"The biggest benefit of DevSecOps is shaping security requirements earlier in the software development lifecycle. When this happens early enough — at the design and architecture stage — it’s a boon to developers and their security outcomes."</span><br><span style="font-style: italic;">—</span><a href="https://twitter.com/misterbisson" style="font-style: italic;">Casey Bisson</a></p> </blockquote> <p>When combined with more automation, DevSecOps can save developer time — and increase their velocity.</p> <p>However, it isn't wise to go hog wild and start deploying too many rule sets and scan configurations when launching a DevSecOps program. That can create a sudden explosion of security findings in your developers' queues that they don't have time to address. Not only does that mean flaws won't be fixed, but it also undermines developer support for the process.</p> <p>Security testing should be introduced gradually. It also makes sense to limit the size of the rule sets used initially so when flaws are found, developers have time to fix them. As security is integrated further "right" in the development process, deeper scans and reviews, such as for software supply chain attacks <a href="https://develop.secure.software/iconburst-npm-software-supply-chain-attack">including dependency confusion attacks targeting NPM repos</a>, can be included in the process for greater prerelease security assurance.</p> <blockquote> <p style="font-size: 24px;"><em>"Poorly implemented DevSecOps and shift-left strategies backfire because they don’t go far enough, and instead simply add more hurdles for developers without giving them the support they need. When developers face hurdles to progress, they will engineer workarounds, and that can lead to less secure results."</em><br><em>—Casey Bisson</em></p> </blockquote> <h2 style="font-size: 24px; font-weight: bold;">2. Perform threat modeling</h2> <p>Before any code is written, the shape of a DevSecOps program should be determined through threat modeling and architectural reviews, said Caroline Wong, Chief Strategy Officer at Cobalt Labs, a penetration testing company. A valuable asset for threat modelers is an inventory of digital assets, <a href="https://develop.secure.software/sbom-facts-know-whats-in-software-fend-off-supply-chain-attacks">such as a Software Bill of Materials, or SBOM</a>.</p> <blockquote> <p style="font-size: 24px;"><span style="font-style: italic;">"Threat modeling is the process of thinking through any-and-every-thing that could possibly go wrong, and then implementing a plan to prevent the worst from happening. Know your digital assets. That's a simple way of saying keep your SBOM up to [date.]"</span><br><span style="font-style: italic;">—</span><a href="https://twitter.com/CarolineWMWong" style="font-style: italic;">Caroline Wong</a></p> </blockquote> <p>Wong said that the term SBOM was sort of silly, noting, "It sounds much scarier than it is."</p> <p>The bottom line, she said, is that you can’t secure what you’re not tracking.&nbsp;</p> <h2 style="font-size: 24px; font-weight: bold;">3. Use DevSecOps to bake privacy into apps</h2> <p>DevSecOps should bake in privacy concerns into every stage of an application's development, to prevent any secrets such as credentials or personal identifying information (PII) from making it into their developers' code before it is released.</p> <blockquote> <p style="font-size: 24px;"><em>"DevSecOps teams should scan code both within company repositories and outside in public repos, on GitHub for instance. It's so easy to clone code that these details and secrets can easily be leaked."</em><br><em>—Casey Bisson</em></p> </blockquote> <p><span style="font-size: 1rem; background-color: transparent;">Bisson explained that applications have loads of personal data that need to be protected. </span></p> <blockquote> <p style="font-size: 24px;"><em><span style="background-color: transparent;">"There have been far too many examples of leaks of </span><span style="background-color: transparent;">PII</span><span style="background-color: transparent;"> within code, for instance, because many organizations don't secure their </span><span style="background-color: transparent;">GitHub</span><span style="background-color: transparent;"> repositories."<br></span>—Casey Bisson</em></p> </blockquote> <p>John Bambenek, principle threat hunter at Netenrich, an IT and digital security operations company, said secrets protection was critical given the way software is developed today, <a href="https://develop.secure.software/ci-cd-security-breaches-update-software-security-approach-now">drawing upon public repositories and using open source</a>.&nbsp;</p> <blockquote> <p style="font-size: 24px;"><span style="font-style: italic;">"Data protection should be embedded in the development process to ensure that data is used safely and that the entire development pipeline is informed with strong privacy principles."</span><br><span style="font-style: italic;">—</span><a href="https://twitter.com/bambenek" style="font-style: italic;">John Bambenek</a></p> </blockquote> <h2 style="font-size: 24px; font-weight: bold;">4. Automate as much of the DevSecOps process as possible</h2> <p>The only way DevSecOps can keep pace with DevOps-empowered developers is to automate its security tools and processes. In addition to allowing security to keep pace with development, automation can ensure that DevSecOps tools and processes are used in a consistent, repeatable, and reliable way.</p> <p>As valuable as automation is to DevOps, it's important to recognize that not all security processes can be automated. Wong pointed out that automated security testing cannot cover business logic flaws, race conditions, or software supply chain exploits. Neither can it perform penetration testing, nor do threat modeling.</p> <p>While these manual tasks can affect the time it takes to complete a project, they can be moderated through the use of "triggers." For example, source code analysis or deeper binary analysis may need to be done only when an automated scan exposes anomalous results, or a pen test may need to be done only when a critical vulnerability is found in a third-party software component. By triggering manual processes only when necessary, the time spent doing them can be reduced.</p> <h2 style="font-size: 24px; font-weight: bold;">5. Guard access to your software development environment</h2> <p>With teams collaborating more openly with each other, it's more important than ever to know who is doing what in a development environment, explained Hank Schless, senior manager for security solutions at Lookout, a provider of mobile phishing solutions.</p> <blockquote> <p style="font-size: 24px;"><span style="font-style: italic;">"Cloud-based SaaS apps enable high productivity in the development process, but could also introduce risk if not properly secured. Most importantly, you want to ensure that your privileged user accounts are monitored and any anomalous behavior is detectable."</span><br><span style="font-style: italic;">—</span><a href="https://twitter.com/hhschless" style="font-style: italic;">Hank Schless</a></p> </blockquote> <p>Schless noted that tools like user and entity behavior analytics (UEBA) can help you detect whether any employees are interacting with services, apps, or data in ways that they shouldn’t be, which could indicated a compromised account.&nbsp;</p> <p>Organizations can get a handle on controlling access within their environments through the use of least-privilege principles and role-based access. Least-privilege means granting employees only the permissions they need to perform their jobs and nothing more.</p> <p>Role-based access ties a person's permission to their role. Someone in a developer's role, for example, might have access to an organization's code repositories, while someone in a tester's role might have access to an organization's staging environment.</p> <h2 style="font-size: 24px; font-weight: bold;">Do DevSecOps right, or face the consequences</h2> <p>Embracing modern best practices for a DevSecOps program will ensure that it's done right. That's critical because given the rise of software supply chain security, a defective program can undermine the very thing it was created to bolster.&nbsp;</p> <blockquote> <p style="font-size: 24px;"><em>"DevSecOps is often an illusion that means little more than giving developers admin privileges and then being shocked when security failures occur."</em><br><em>—John Bambenek</em></p> </blockquote> <p>Automated testing, good privacy hygiene and access controls are requirements, but software security assurance tools that offer code analysis, and deeper binary analysis of compiled code, can ensure that newer <a href="https://develop.secure.software/sunburst-the-next-level-of-stealth">software supply chain attacks like SolarWinds</a>, <a href="https://blog.reversinglabs.com/blog/log4j-is-why-you-need-an-sbom">Log4j</a>, <a href="https://develop.secure.software/iconburst-npm-software-supply-chain-attack">and most recently IconBurst</a>, are kept at bay.</p> <h2 style="font-size: 24px; font-weight: bold;">Keep learning</h2> <ul> <li><a href="https://develop.secure.software/the-state-of-devsecops-where-weve-been-where-were-going-and-why" style="font-weight: bold;"><span style="font-weight: bold;">Understand the state of DevSecOps: </span>Where we've been, and where we're going</a></li> <li><a href="https://www.reversinglabs.com/reports/flying-blind-software-firms-struggle-to-detect-supply-chain-hacks" style="font-weight: bold;">Download the free report: 'Firms Struggle to Detect Software Supply Chain Attacks'</a></li> <li><a href="https://www.secure.software/sample-reports" style="font-weight: bold;">See sample reports from software supply chain attacks</a></li> <li><a href="https://www.secure.software/solutions/ci-cd-devsecops-workflow-security" style="font-weight: bold;">Learn how to secure your CI/CD workflows</a></li> </ul> <img src="https://track.hubspot.com/__ptq.gif?a=3375217&amp;k=14&amp;r=https%3A%2F%2Fdevelop.secure.software%2F5-best-practices-for-modern-devsecops&amp;bu=https%253A%252F%252Fdevelop.secure.software&amp;bvt=rss" alt="" width="1" height="1" style="min-height:1px!important;width:1px!important;border-width:0!important;margin-top:0!important;margin-bottom:0!important;margin-right:0!important;margin-left:0!important;padding-top:0!important;padding-bottom:0!important;padding-right:0!important;padding-left:0!important; "> Dev & DevSecOps Tue, 26 Jul 2022 09:00:00 GMT jpmellojr@gmail.com (John P. Mello Jr.) https://develop.secure.software/5-best-practices-for-modern-devsecops 2022-07-26T09:00:00Z AI ethics for DevOps: Diversity and ‘Kill All Humans’ https://develop.secure.software/ai-ethics-for-devops-diversity-and-kill-all-humans <div class="hs-featured-image-wrapper"> <a href="https://develop.secure.software/ai-ethics-for-devops-diversity-and-kill-all-humans" title="" class="hs-featured-image-link"> <img src="https://develop.secure.software/hubfs/large-bender--francesco-tommasini--unsplash.png" alt="AI ethics for DevOps: Diversity and ‘Kill All Humans’" class="hs-featured-image" style="width:auto !important; max-width:50%; float:left; margin:0 15px 15px 0;"> </a> </div> <p><strong></strong></p> <p><strong><img src="https://develop.secure.software/hs-fs/hubfs/large-bender--francesco-tommasini--unsplash.png?width=1280&amp;name=large-bender--francesco-tommasini--unsplash.png" alt="large-bender--francesco-tommasini--unsplash" width="1280" style="width: 1280px;"></strong></p> <p><strong>AI has a big ethics problem.</strong><span>&nbsp;</span>And it’s down to Dev and Ops to fix it.<img src="https://bit.ly/xbw20220720" height="1" width="1"></p> <p><strong>So says a growing chorus</strong><span>&nbsp;</span>of academics who worry about the rise of AI trampling social responsibility, diversity and human values. Not only that, but the human-killing Skynet seems like just a couple of decades away.</p> <p><strong>Biased training data</strong><span>&nbsp;</span>is just the start. In this week’s<span>&nbsp;</span><a href="https://develop.secure.software/tag/secure-software-blogwatch">Secure Software&nbsp;Blogwatch</a>, we mourn mortal meatbags.</p> <p><a title="Richi Jennings" href="https://www.richi.uk/">Your humble blogwatcher</a>&nbsp;curated these bloggy bits for your entertainment. Not to mention:&nbsp;<i>Cats bring camera</i>.</p> <p><span style="font-size: 18px;"><span style="font-weight: bold;">[ Get&nbsp;</span><a href="https://develop.secure.software/software-supply-chain-security-top-of-mind-tools-lacking" style="font-weight: bold;">key takeaways from a survey of 300+ professionals&nbsp;</a><span style="font-weight: bold;">on software security. Or, download the full report:&nbsp;</span><a href="https://www.reversinglabs.com/reports/flying-blind-software-firms-struggle-to-detect-supply-chain-hacks" style="font-weight: bold;">Flying Blind: Firms Struggle to Detect Software Supply Chain Attacks</a><span style="font-weight: bold;"> ]</span></span></p> <h2>Game’s over,<span>&nbsp;</span><a href="https://www.youtube.com/watch?v=is07Rw6Lz-U" title="Game’s over, losers! I have all the money. Compare your lives to mine and then kill yourselves.">losers</a>!</h2> <p><strong>What’s the craic?</strong><span>&nbsp;</span>Prof. Rob Reich pleads—“<a title="read the full text" href="https://hai.stanford.edu/news/rob-reich-ai-developers-need-code-responsible-conduct">AI Developers Need a Code of Responsible Conduct</a>”:</p> <blockquote> <strong>“I’d rather see AI science take a proactive approach”</strong> <br>AI science is like a … teenager, newly aware of its extraordinary powers but without a fully developed frontal cortex that might guide its risky behavior and lead it to consider its broader social responsibilities. … In comparison with … professions that have licensing requirements — the … norms for professional ethics in computer science are … immature. <br>… <br>AI has nothing comparable to the footprint of ethics in health care. … Take for example the Hippocratic Oath — <span>&nbsp;</span> <i>first, do no harm</i>. … Imagine a person who develops an AI model that looks at your face … and predicts the likelihood of your committing a crime. That [is] the equivalent of phrenology and the discredited … “race science.” <br>… <br>Lamentably, it often takes scandals like the Nazi-era medical experiments or the Tuskegee experiments on Black men to provoke a significant reaction. … It’s a familiar pattern across history that … innovations race ahead of our collective capacity [for] sensible regulatory guidelines. … I’d rather see AI science take a proactive approach. </blockquote> <p>&nbsp;<br><strong>Speaking of racist AIs,</strong><span>&nbsp;</span>here’s Pranshu Verma—“<a title="read the full text" href="https://www.washingtonpost.com/technology/2022/07/16/racist-robots-ai/">These robots were trained [to be] racist and sexist</a>”:</p> <blockquote> Researchers in recent years have documented multiple cases of biased artificial intelligence algorithms. That includes crime prediction algorithms unfairly targeting Black and Latino people for crimes they did not commit, as well as facial recognition systems having a hard time accurately identifying people of color. <br>… <br>CLIP, a large language artificial intelligence model … which visually classifies objects, is built by scraping billions of images and text captions from the internet. While still in its early stages, it is cheaper and less labor intensive for robotics companies to use versus creating their own software from scratch, making it a potentially attractive option. [But] when identifying “criminals,” Black men were chosen 9 percent more often than White men. </blockquote> <p>&nbsp;<br><strong>But isn’t this just a case of<span>&nbsp;</span><a href="https://en.wikipedia.org/wiki/GIGO" title="Garbage in, garbage out">GIGO</a>?</strong><span>&nbsp;</span><a title="read the full text" href="https://www.washingtonpost.com/technology/2022/07/16/racist-robots-ai/?commentID=4a21202e-f9b1-43ea-9bb1-23135dfbde84">back at it again</a><span>&nbsp;</span>is back at it—again:</p> <blockquote> The AI reflects the data it is fed. If the data is racist, so is the output. Therefore, it is not the AI that is racist, it is society. Unfortunately, explaining that would probably result in fewer clicks. </blockquote> <p>&nbsp;<br><strong>Okay, boomer. But it’s still a real problem—how do we fix it?</strong><span>&nbsp;</span>Raphael Koster, Balaguer Jan, Andrea Tacchetti et al suggest something they call, “<a title="read the full text" href="https://www.nature.com/articles/s41562-022-01383-x">Democratic AI</a>”:</p> <blockquote> <strong>“Human-in-the-loop”</strong> <br>Building artificial intelligence … that aligns with human values is an unsolved problem. Here we developed a human-in-the-loop research pipeline called Democratic AI, in which reinforcement learning is used to design a social mechanism that humans prefer. … By optimizing for human preferences, Democratic AI offers a proof of concept for value-aligned policy innovation. <br>… <br>Instead of imbuing our agents with purportedly human values … and thus potentially biasing systems towards the preferences of AI researchers, we train them to maximize a democratic objective: to design policies that humans prefer and thus will vote to implement. [We] developed a human-in-the-loop AI research pipeline … to obtain a mechanism that we call the Human Centred Redistribution Mechanism. <br>… <br>Our approach to value alignment relieves AI researchers — who may themselves be biased or are unrepresentative of the wider population — of the burden of choosing a domain-specific objective for optimization. … However, we acknowledge that … it could be used in a way that favours the preferences of a majority over a minority group. </blockquote> <p>&nbsp;<br><strong>Excellent. Job done?</strong><span>&nbsp;</span>Not so fast; Bec Johnson—<a title="read the full text" href="https://twitter.com/VoxBec/with_replies">@VoxBec</a>—lists her disagreements:</p> <blockquote> <strong>“Very Western focussed”</strong> <br>Majority rule is not the same as moral alignment. … Value alignment must always be considered in a pluralist context. <br>… <br>Human in the loop (HITL) in this context is opinions of individuals not of groups—i.e., society in the loop (SITL). … Decisions made by groups with diverse representation are more moral, more pluralist, but not democratic via individual pop. count. <br>… <br>It is also very Western focussed to consider the individual human is of primacy. There is a lot to be said for countering this with a more collectivist approach with Buddhist or Confucian underlying moral assumptions. I'm not saying one is better, just that "human" is diverse. </blockquote> <p>&nbsp;<br><strong>But what about the elephant in the room?</strong><span>&nbsp;</span>Ajeya Cotra points at the pachyderm—“<a title="read the full text" href="https://www.alignmentforum.org/posts/pRkFkzwKZ2zfa3R6H/without-specific-countermeasures-the-easiest-path-to">The easiest path to transformative AI likely leads to AI takeover</a>”:</p> <blockquote> <strong>“Defend against humans … by eliminating them”</strong> <br>In the coming 15-30 years, the world could plausibly develop “transformative AI”: AI powerful enough to bring us into a new, qualitatively different future. [But] if AI companies race forward training increasingly powerful models … using reinforcement learning on human feedback … this is likely to eventually lead to a full-blown AI takeover (i.e., a possibly violent uprising or coup by AI systems). <br>… <br>While humans are in control, [the model] is incentivized to “play the training game:” The best way for [it] to maximize reward while under human control is to use its high situational awareness to deliberately appear safe and aligned at all times, while secretly manipulating humans. … Because [it] is a skilled, situationally aware, creative planner, it … will knowingly violate human intent in order to increase reward. <br>… <br>Once [the model] is deployed, large numbers of copies … start rapidly pushing forward the state-of-the-art in technology and making other major changes to the world. … But [our] understanding of and control over lower-level actions quickly diminishes. [Now] the best way for [it] to accomplish most possible “goals” [is to] seize the power to permanently direct how it uses its time and what rewards it receives—and defend against humans trying to reassert control over it, including by eliminating them. </blockquote> <p>&nbsp;<br><strong>Chilling. But can’t we insert fundamental, immutable,<span>&nbsp;</span><a href="https://en.wikipedia.org/wiki/Three_Laws_of_Robotics" title="The Three Laws of Robotics">Asimovian</a><span>&nbsp;</span>goals—such as, “Protect humans”?</strong><span>&nbsp;</span>This commentator’s name is<span>&nbsp;</span><a title="read the full text" href="https://www.lesswrong.com/posts/pRkFkzwKZ2zfa3R6H/without-specific-countermeasures-the-easiest-path-to?commentId=urBnB5ZMbeuHBGiLi">Not Relevant</a>:</p> <blockquote> Any takeover plan needs to actively go against a large fraction of its internal motivations, in pursuit of maximizing its other motivations in the long term. … For example, it may be that the agent learns to optimize over a long future with a tiny discount rate, so this short term harm to its utility doesn't matter. </blockquote> <p>&nbsp;<br><strong>But we’ll see the problem happening and stop it, right?</strong><span>&nbsp;</span>With a depressing analogy, here’s<span>&nbsp;</span><a title="read the full text" href="https://news.ycombinator.com/item?id=32142435">Melting_Harps</a>:</p> <blockquote> Try food: processed junk and by extension the American diet has made us awash in excess. … Rather than create more discerning consumers who have all the options that Modern chemistry, biology and AG science have to offer to shift the market to a more sustainable and higher quality point, we instead face the stark reality that the 1-2 killers in most developed countries are heart disease and diabetes, which are directly correlated to the over consumption of cheap junk. <br>… <br>Techies wanted disruption, and this is what it looks like in the 21st century: … Obesity remains one of the biggest threats to over all quality and longevity of an individual's life! </blockquote> <p>&nbsp;<br><strong>Meanwhile,</strong><span>&nbsp;</span>we were also promised flying cars by now.<span>&nbsp;</span><a title="read the full text" href="https://slashdot.org/comments.pl?sid=21691150&amp;cid=62691926">ceoyoyo</a><span>&nbsp;</span>spins up and down:</p> <blockquote> To be fair, there are a lot of stupid promises—mostly made by people who don't have the slightest idea what they're talking about. </blockquote> <h2>&nbsp;<br>And Finally:</h2> <p><strong><a title="And Finally" href="https://www.youtube.com/watch?v=HAnY6HJwIQ0&amp;list=PL9zSC5i495YMjIuJjxToNGU8Ve7Gd5Rvj">Japanese pussy parkour</a></strong></p> <div class="hs-embed-wrapper" style="position: relative; overflow: hidden; width: 100%; height: auto; padding: 0; max-width: 560px; max-height: 315px; min-width: 256px; display: block; margin: auto;"> <div class="hs-embed-content-wrapper"> <div style="position: relative; overflow: hidden; max-width: 100%; padding-bottom: 56.25%; margin: 0px;"> <iframe width="560" height="315" src="https://www.youtube.com/embed/HAnY6HJwIQ0" frameborder="0" allowfullscreen style="position: absolute; top: 0px; left: 0px; width: 100%; height: 100%; border: none;"></iframe> </div> </div> </div> <p>&nbsp;</p> <p><a href="https://www.youtube.com/playlist?list=PL9zSC5i495YMjIuJjxToNGU8Ve7Gd5Rvj">Previously in<span>&nbsp;</span><em>And finally</em></a></p> <p><em>You have been reading&nbsp;<i>Secure Software&nbsp;Blogwatch</i>&nbsp;by&nbsp;<a href="https://www.richi.uk/">Richi&nbsp;Jennings</a>. Richi curates the best bloggy bits, finest forums, and weirdest websites … so you don’t have to. Hate mail may be directed to&nbsp;<a href="https://twitter.com/richi">@RiCHi</a>&nbsp;or&nbsp;<a href="mailto:ssbw@richi.co.uk?subject=-sbbw-">ssbw@richi.uk</a>. Ask your doctor before reading. Your mileage may vary. E&amp;OE. 30.</em></p> <p><small><i>Image sauce:<span>&nbsp;</span><a href="https://unsplash.com/photos/JINPheIkUek">Francesco Tommasini</a><span>&nbsp;</span>(via<span>&nbsp;</span><a title="Some rights reserved" href="https://unsplash.com/license">Unsplash</a>; leveled and cropped)</i></small></p> <img src="https://track.hubspot.com/__ptq.gif?a=3375217&amp;k=14&amp;r=https%3A%2F%2Fdevelop.secure.software%2Fai-ethics-for-devops-diversity-and-kill-all-humans&amp;bu=https%253A%252F%252Fdevelop.secure.software&amp;bvt=rss" alt="" width="1" height="1" style="min-height:1px!important;width:1px!important;border-width:0!important;margin-top:0!important;margin-bottom:0!important;margin-right:0!important;margin-left:0!important;padding-top:0!important;padding-bottom:0!important;padding-right:0!important;padding-left:0!important; "> Secure Software Blogwatch Dev & DevSecOps Thu, 21 Jul 2022 09:00:00 GMT richi.jennings@richi.co.uk (Richi Jennings) https://develop.secure.software/ai-ethics-for-devops-diversity-and-kill-all-humans 2022-07-21T09:00:00Z The state of DevSecOps: Where teams and tools are at—and where they're going https://develop.secure.software/the-state-of-devsecops-where-weve-been-where-were-going-and-why <div class="hs-featured-image-wrapper"> <a href="https://develop.secure.software/the-state-of-devsecops-where-weve-been-where-were-going-and-why" title="" class="hs-featured-image-link"> <img src="https://develop.secure.software/hubfs/state-of-devsecops.jpg" alt="The state of DevSecOps:&nbsp; Where we've been, and where we're going" class="hs-featured-image" style="width:auto !important; max-width:50%; float:left; margin:0 15px 15px 0;"> </a> </div> <p style="font-weight: bold;">Efforts to make security a part of software development and release demands modern tools — and empowering your software team. Here's what you need to know about the State of DevSecOps.</p> <p><img src="https://develop.secure.software/hs-fs/hubfs/state-of-devsecops.jpg?width=1400&amp;name=state-of-devsecops.jpg" alt="state-of-devsecops" style="width: 1400px;" width="1400"></p> <p style="font-weight: bold;">Efforts to make security a part of software development and release demands modern tools — and empowering your software team. Here's what you need to know about the State of DevSecOps.</p> <p>Back in February 2010, a trio of security experts released a widely received document, titled <em>The Rugged Manifesto</em>, that encapsulated their vision for how to make software more resilient against security threats.</p> <p>The document’s authors argued a new model to application security was needed because reactive approaches that relied primarily on finding and fixing vulnerabilities in code were simply not scalable.</p> <p>In the years since then, awareness has increased significantly of the need for developers to move security further left in the software development lifecycle effort. Efforts to make that happen — labeled variously as DevSecOps, SecDevOps, and Secure DevOps — have intensified in recent years as organizations, looking to optimize operational efficiencies, have adopted DevOps and continuous/integration continuous delivery (CI/CD) models for software development.</p> <p>Here's what your software team needs to know about the state of DevSecOps — and where it's going next.&nbsp;</p> <h2 style="font-size: 24px;"><strong>DevSecOps: A work in progress</strong></h2> <p>Yet more than 10 years after <a href="https://ruggedsoftware.org/"><em>The Rugged Manifesto</em></a>, efforts to make security a part of development and DevOps processes remains a work in progress at many organizations. Numerous surveys in recent years have showed that changes are happening at many companies, but in a slow and often patchy way.</p> <p>In a 2021 GitLab DevSecOps survey of 4,300 IT and security professionals, 60% of the respondents said they are <a href="https://about.gitlab.com/developer-survey/">releasing code twice as fast as before</a> because of DevOps and 19% claimed code was being shipped out the door ten times faster. But most viewed testing—including security testing—as the area most likely to significantly slow that cadence down.</p> <p>Similarly, the survey showed that many organizations have ramped up use of static and dynamic application security tests—53% use SAST and 44% run DAST scans. But relatively few organizations are making the results of these scans visible to developers. Barely 23% of organizations in the survey made SAST results available to developers and an even smaller percentage (16%) did the same for DAST results</p> <p>Notably, nearly four-in-10 developers (39%) in the survey held themselves fully responsible for security. Nearly a third (32%) shared the burden with others. Yet, the question of who “owns” security continues to be a thorny one at many organizations and a source of friction between security and DevOps teams.</p> <h2 style="font-size: 24px;"><strong>Secure software is a byproduct of culture</strong></h2> <p>Noted software security expert Josh Corman, one of the authors of the Rugged Manifesto, says secure code really is a byproduct of an organization’s security culture rather than just of controls. Organizations that rely solely on automated scanning tools, red teaming, and penetration tests for assuring software security for instance are not making the software development process itself any more secure.</p> <p>All they are doing is addressing the symptoms of security issues in the software development process, but not the issues themselves. When security teams insist on force-fitting historical application security models in DevOps environments, progress can be hard to find, he says. Too often, all this results in is an adversarial environment, where security is seen as slowing down the cadence of software delivery.</p> <p>Instead of a “scan and scold” model think about how you can architect security right from the start into the software development life cycle, he says. The goal should be to ensure that coding happens in a secure manner by training developers to be aware of security issues and planning for them before they even begin writing software (among other things).</p> <blockquote> <p style="font-size: 24px;"><span style="font-style: italic;">“The best time to secure a product is before you have written it."</span><br><span style="font-style: italic;">—</span><a href="https://twitter.com/joshcorman/" style="font-style: italic;">Josh Corman</a></p> </blockquote> <p>A threat modeling exercise, for instance, can reveal a lot more about risks specific to the way an application is going to be used, than more general penetration tests and red teaming exercises. Similarly, organizations can gain significant benefits by developing a security architecture which clearly outlines the security requirements for every software project, the specific controls for it and also emphasizes concepts like trust boundaries and isolation testing, Corman says. For a company to assure software resilience and security, they need the right people.</p> <blockquote> <p style="font-size: 24px;"><em>“Hiring a security architect is probably the best strategic move.”&nbsp;</em><br><em>—Josh Corman</em></p> </blockquote> <p>Another sign of true DevSecOps is when developers <a href="https://develop.secure.software/software-supply-chain-security-top-of-mind-tools-lacking">pay attention to things like software supply chain security</a>, and know to make better decisions about using open-source code and <a href="https://develop.secure.software/sbom-facts-know-whats-in-software-fend-off-supply-chain-attacks">maintaining a software bill of materials (SBOM)</a> for all the software components that goes into their code. So too is having some sort of an open-source governance board for ensuring safe use of open-source components, Corman says.</p> <h2 style="font-size: 24px;"><strong>DevSecOps advances with heightened awareness&nbsp;</strong></h2> <p>More organizations are beginning to pay attention to such practices. A survey of some 300 IT and security professionals that Dimensional Research conducted on behalf of ReversingLabs had more than three-quarters of respondents (77%) saying they saw <a href="https://develop.secure.software/software-supply-chain-security-top-of-mind-tools-lacking">value in generating SBOMs</a>. Most saw the practice as necessary to protect against breaches resulting from vulnerabilities in the software supply chain. Even so, just 27% said they currently generate SBOMs and 44% said they did not have the expertise to review and analyze SBOMs.</p> <p>Another federal DevSecOps landscape survey that the Advanced Technology Academic Research Center (ATARC) conducted last year showed that <a href="https://atarc.org/project/devsecops-survey/">many development teams in the public sector have made significant progress</a> in secure app building by adopting practices like source code management and implementing fully automated CI/CD pipelines. In fact, 57% of these organizations pointed to source code management as playing a key role in helping assure better software security; 39% cited automated security testing and 36% pointed to toolchain integration.</p> <h2 style="font-size: 24px;"><strong>Teaming up security and release engineer teams</strong></h2> <p>J. Paul Reed, DevOps expert and specialist on Netflix's Critical Operations and Reliability Engineering (CORE) team, says one of the best ways to tactically introduce security into the DevOps stream is to get release engineers and security engineers together. Often the two groups have far more overlap in their missions than they might realize, he says.</p> <blockquote> <p style="font-size: 24px;"><span style="font-style: italic;">“A lot of the concerns that build and release engineers have are similar to the ones that security engineers have. The problems that keep the security engineer up at night are the same ones that keep the release engineer up at night."</span><br><span style="font-style: italic;">—</span><a href="https://twitter.com/jpaulreed" style="font-style: italic;">J. Paul Reed</a></p> </blockquote> <p>For example, both, security teams and release engineers have a keen interest in the software supply chain. Each side might have a different mission. But security engineers and release engineers have the same interest in ensuring the provenance of open source and third-party software components, keeping the software components updated and vetting them for vulnerabilities and other issues that could impact application confidentiality, integrity, and availability. Security engineers are becoming sort of de facto release engineers, in their own right, he says.</p> <blockquote> <p style="font-size: 24px;"><em>“Software engineers are playing the role of release engineers. They are the ones keeping track of all the components that goes into a piece of functioning software."</em><br><em>—J. Paul Reed</em></p> </blockquote> <p>Reed says problems can arise when security engineers perceive their role as looking at software for vulnerabilities and approving or disapproving a particular release from going out the door based on what they find. By securing your software development practices, the only time to halt releases is when an outsider has injected malware or otherwise compromised your code.</p> <blockquote> <p style="font-size: 24px;"><em>“[Security engineers] are going to have a rude awakening if [they] think that is where [they] are delivering value."</em><br><em>—J. Paul Reed</em></p> </blockquote> <p>The better approach is to be a facilitator of security best practices during the software development process, Reed says. He points to how the role of build and release engineers has evolved over the years to where the biggest value they bring is in enabling an efficient CI/CD pipeline for software delivery. In the same way security teams need to be focused on building, or making available, tools that enable secure software development from the beginning — and are able to confirm all components of software are secure during the development lifecycle, ensuring there are no surprises at the release stage.</p> <p>Security leaders need to look for opportunities to provide approved tools and libraries to developers that let them make secure choices while coding, and while releasing their software. Companies like Netflix for instance have been working on delivering tools that give developers a way to look at their code and identify and address potential security issues on their own, instead of having a security engineer vet it later.</p> <p>The goal should be to give the developer and others closest to the work the information they need to make good decisions about security. With this approach, the role of the security team is heavily consultative, rather than just being an enforcer of controls, Reed says.</p> <p>Corman says organizations in the financial services industry are among those that have had most success integrating security with DevOps, because they have adhered to such practices, he says. Some have chief product security officers bridging the gap between the security group and the team responsible for software development. Such executives have software development and design skills, combined with the security focus needed for secure DevOps.</p> <h2 style="font-size: 24px; font-weight: bold;">Dev teams need the right tools</h2> <p>Ultimately, organizations that have the most success in making security a part of DevOps are the ones that can distribute responsibility for security across the entire software development lifecycle, Corman says. These are organizations that have integrated automated testing and security controls into the daily work of software development and deployment.</p> <p>Modern tools that give greater visibility into software supply chain attacks, highlighted by <a href="https://blog.reversinglabs.com/blog/sunburst-the-next-level-of-stealth">SolarWinds</a>, <a href="https://blog.reversinglabs.com/blog/heres-what-happened-with-log4shell-while-you-were-out">Log4Shell</a> and <a href="https://develop.secure.software/iconburst-npm-software-supply-chain-attack">recent NPM attacks</a>, are critical to empowering you software team, and ensuring your CI/CD stays fast and secure.</p> <blockquote> <p style="font-size: 24px;"><em>“When you empower someone to do the right thing, they usually do it."</em><br><em>—Joshua Corman</em></p> </blockquote> <h2 style="font-size: 24px; font-weight: bold;">Keep learning</h2> <ul> <li><span style="font-weight: bold;">Get </span><a href="https://develop.secure.software/software-supply-chain-security-top-of-mind-tools-lacking" style="font-weight: bold;">key takeaways from a survey of 300+ professionals</a><span style="font-weight: bold;"> on software supply chain security</span></li> <li><span style="font-weight: bold;">Discover how you can </span><a href="https://www.secure.software/solutions/ci-cd-devsecops-workflow-security" style="font-weight: bold;">secure your CI/CD workflows</a></li> <li><span style="font-weight: bold;">Explore interactive </span><a href="https://www.secure.software/sample-reports" style="font-weight: bold;">sample software supply chain security reports</a></li> </ul> <img src="https://track.hubspot.com/__ptq.gif?a=3375217&amp;k=14&amp;r=https%3A%2F%2Fdevelop.secure.software%2Fthe-state-of-devsecops-where-weve-been-where-were-going-and-why&amp;bu=https%253A%252F%252Fdevelop.secure.software&amp;bvt=rss" alt="" width="1" height="1" style="min-height:1px!important;width:1px!important;border-width:0!important;margin-top:0!important;margin-bottom:0!important;margin-right:0!important;margin-left:0!important;padding-top:0!important;padding-bottom:0!important;padding-right:0!important;padding-left:0!important; "> Dev & DevSecOps Thu, 14 Jul 2022 13:00:00 GMT jaikumar.vijayan@gmail.com (Jaikumar Vijayan) https://develop.secure.software/the-state-of-devsecops-where-weve-been-where-were-going-and-why 2022-07-14T13:00:00Z Devs: Prep for PQC — post-quantum cryptography https://develop.secure.software/devs-prep-for-pqc-post-quantum-cryptography <div class="hs-featured-image-wrapper"> <a href="https://develop.secure.software/devs-prep-for-pqc-post-quantum-cryptography" title="" class="hs-featured-image-link"> <img src="https://develop.secure.software/hubfs/large-quantum--ibm--cc-by-nd.png" alt="Devs: Prep for PQC — post-quantum cryptography" class="hs-featured-image" style="width:auto !important; max-width:50%; float:left; margin:0 15px 15px 0;"> </a> </div> <p><span style="font-size: 1rem; font-weight: bold; background-color: transparent;"><img src="https://develop.secure.software/hs-fs/hubfs/large-quantum--ibm--cc-by-nd.png?width=1280&amp;name=large-quantum--ibm--cc-by-nd.png" alt="large-quantum--ibm--cc-by-nd" width="1280" style="width: 1280px;"></span></p> <p><span style="font-weight: normal;"><span style="font-size: 1rem; background-color: transparent;">Experts agree we need new key-exchange and signature algorithms—so we can resist attacks from quantum computing. </span></span>Several organizations have had a go at selecting some, but now the National Institute of Standards and Technology has weighed in.<span style="font-weight: normal;"><img src="https://bit.ly/xbw20220713" height="1" width="1" style="font-weight: bold; background-color: transparent;"></span></p> <p><strong>That’s significant because NIST is the same body that standardized AES and SHA-3.</strong><span>&nbsp;</span>We can’t wait until quantum computing is capable of breaking today’s encryption, because would-be attackers are already archiving data in transit. Devs are advised to ensure they have “crypto agility”—the ability to swap in new algorithms with ease.</p> <p><strong>NIST and others want us to get ahead of the curve.</strong>&nbsp;In this week’s<span>&nbsp;</span><a href="https://develop.secure.software/tag/secure-software-blogwatch">Secure Software&nbsp;Blogwatch</a>, we try to forget BULLRUN.</p> <p><a title="Richi Jennings" href="https://www.richi.uk/">Your humble blogwatcher</a>&nbsp;curated these bloggy bits for your entertainment. Not to mention:&nbsp;<i>PMD</i>.</p> <p><span style="font-size: 18px; font-weight: bold;">[ Get&nbsp;<a href="https://develop.secure.software/software-supply-chain-security-top-of-mind-tools-lacking">key takeaways from a survey of 300+ professionals&nbsp;</a>on software security. Or, download the full report:&nbsp;<a href="https://www.reversinglabs.com/reports/flying-blind-software-firms-struggle-to-detect-supply-chain-hacks">Flying Blind: Firms Struggle to Detect Software Supply Chain Attacks</a>&nbsp;]</span><br>&nbsp;</p> <h2>NIST’s nice PQC picks</h2> <p><strong>What’s the craic?</strong><span>&nbsp;</span>Lucas Ropek reports—“<a title="read the full text" href="https://gizmodo.com/nist-contest-quantum-computing-hackers-encryption-1849144387">The Government's Fight Against Quantum Hackers</a>”:</p> <blockquote> <strong>“A matter of national security”</strong> <br>For the most part, today’s popular encryption standards are very strong and difficult to defeat. … But researchers worry about a future in which quantum computing … will be able to swiftly unscramble those digital defenses without breaking a sweat. … That’s where the new encryption standards will come in handy. <br>… <br>Quantum computing … differs from “classical” computing in that it is designed to operate using the properties of quantum mechanics. … Theoretically, the processing power of quantum computers could be [far] greater than the devices that exist today. … As a new development in the realm of internet security, NIST’s … new “quantum-resistant” encryption … algorithms are a pretty big deal. <br>… <br>NIST has consistently been at the forefront of creating the digital protections that we all rely upon daily. The most widely used encryption cipher, … AES, was generated via a previously held NIST competition. So was the third iteration of … SHA, the critical cryptographic function that is used ubiquitously. … The concerns about quantum decryption aren’t just about keeping the average American’s text messages safe; they’re also a matter of national security. </blockquote> <p>&nbsp;<br><strong>So what are we getting?</strong><span>&nbsp;</span>Marilyn Cohodas fills in the blanks—“<a title="read the full text" href="https://www.darkreading.com/emerging-tech/nist-picks-four-quantum-resistant-cryptographic-algorithms">NIST Picks 4 Quantum-Resistant Cryptographic Algorithms</a>”:</p> <blockquote> <strong>“Threats could be reality as soon as 2030”</strong> <br>The chosen algorithms are CRYSTALS-Kyber for general encryption to access secure websites and CRYSTALS-Dilithium, FALCON, and SPHINCS+ for digital signatures. [It] will help enterprises prepare their environments for the time when quantum computers will be powerful — and … available — enough that they will be able to break present-day encryption. <br>… <br>Attackers are … harvesting and hoarding sensitive information with the expectation that they can crack it later when quantum computing methods become available. … Any digital system that uses public standards for public-key cryptography could be vulnerable to an attack by quantum computers in the future. … Researchers estimate that [these] threats could be reality as soon as 2030. </blockquote> <p>&nbsp;<br><strong>Wait, what?<span>&nbsp;</span><i>2030?</i><span>&nbsp;</span>Why worry today?</strong><span>&nbsp;</span>Amit Katwala clarifies—“<a title="read the full text" href="https://www.wired.com/story/quantum-proof-encryption-is-here-but-theres-a-catch/">Quantum-proof encryption is here—decades before it can be put to the test</a>”:</p> <blockquote> <strong>“Data may be vulnerable now”</strong> <br>Those quantum threats might still be decades away, but security experts warn of “harvest now, decrypt later” attacks—bad actors hoovering up caches of encrypted data with the expectation that they’ll eventually have a quantum computer that can access them. The longer it takes to implement quantum-proof cryptography, the more data will be vulnerable. <br>… <br>Over the next two years, NIST will publish draft standards, invite comments, and finalize the new forms of quantum-proof encryption, which it hopes will be adopted across the world. After that … it could be 10 to 15 years before companies implement them widely, <span>&nbsp;</span> <i>but their data may be vulnerable now</i>. </blockquote> <p>&nbsp;<br><strong>Okay but is it eight years or “decades”?</strong><span>&nbsp;</span>Here’s<span>&nbsp;</span><a title="read the full text" href="https://news.ycombinator.com/item?id=31992016">hannob</a>:</p> <blockquote> I've been following this space for a while and this is a good question. … I think the answer is really a "range from 10 years to never." <br>… <br>There's a lot of investment currently in the quantum computer space (plus a lot of hype and scams). Yet this is still all very early research and far away from any practical use. The challenges to really build a QC that can break cryptography are enormous — and it is absolutely a possibility that they're too big to overcome. </blockquote> <p>&nbsp;<br><strong>How did we get here?</strong><span>&nbsp;</span>Bas Westerbaan tells us, “<a title="read the full text" href="https://blog.cloudflare.com/nist-post-quantum-surprise/">How we got here</a>”:</p> <blockquote> <strong>“This is a big moment for the Internet”</strong> <br>Our story starts in 1994, when mathematician Peter Shor discovered a marvelous algorithm that efficiently factors numbers and computes discrete logarithms. With it, you can break nearly all public-key cryptography deployed today. [But] Shor’s algorithm … needs a <span>&nbsp;</span> <i>quantum computer</i>. Back in 1994, quantum computers existed only on paper. <br>… <br>Shor’s algorithm breaks all widely deployed key agreement and digital signature schemes, which are both critical to the security of the Internet … (symmetric encryption [is] as far as known, secure against quantum attacks). … NIST, known for standardizing AES and SHA, opened a public competition to select which post-quantum algorithms they will standardize. Cryptographers from all over the world submitted algorithms and publicly scrutinized each other’s. … From the original 82 submissions, eight made it into the final third round. From those eight, NIST chose one key agreement scheme … Kyber, which is a Key Encapsulation Mechanism (KEM) … and three signature schemes. <br>… <br>So can we switch to post-quantum TLS today? … We have to be a bit careful: Some TLS implementations are brittle and crash on the larger KeyShare message that contains the bigger post-quantum keys. … In the coming months, many languages, libraries and protocols will already add preliminary support. … A different aspect … is <span>&nbsp;</span> <i>crypto agility:</i> <span>&nbsp;</span>Being able to switch to a new algorithm/implementation in case of a break. Let’s hope that we will not need it, but now we’re going to switch, it’s nice to make it easier in the future. … This is a big moment for the Internet. </blockquote> <p>&nbsp;<br><strong>Size is important.</strong><span>&nbsp;</span>Or so<span>&nbsp;</span><a title="read the full text" href="https://tech.slashdot.org/comments.pl?sid=21666758&amp;cid=62675594">jd</a><span>&nbsp;</span>says:</p> <blockquote> The signature lengths in these schemes [are] <span>&nbsp;</span> <i>impressive</i>. Falcon was recently congratulated for bringing the hash down to 410 bytes (not bits!). … If you thought getting SHA-2 and SHA-3 into Git was bad, Falcon is going to be an absolute nightmare. <br>… <br>This really is an improvement on the others. Dilithium reports a signature size of 2420 bytes and I believe SPHINCS+ produces one that is even longer. <br> <br>You, too, can play with them, not only through the reference implementations but also through BouncyCastle, which has implementations of these algorithms. I wouldn't be surprised if they were being added to other standard crypto libraries, so expect some usage of them in the near future. </blockquote> <p>&nbsp;<br><strong>A reminder that NIST is part of the U.S. Department of Commerce.</strong><span>&nbsp;</span>But has<span>&nbsp;</span><a title="read the full text" href="https://forums.theregister.com/forum/all/2022/07/05/nist_quantum_resistant_algorithms/#c_4488957">NoneSuch</a><span>&nbsp;</span>confused it with “No Such Agency”?</p> <blockquote> So the NSA, the largest employer of mathematicians in the world and well known for building flaws into all past encryption methods, tells you to use these four algorithms and you think anything encrypted with them is safe. </blockquote> <p>&nbsp;<br><strong>But why should we trust NIST?</strong><span>&nbsp;</span>Isn’t this the same org that standardized the<span>&nbsp;</span><a href="https://en.wikipedia.org/wiki/Dual_EC_DRBG" title="read the full text">Dual_EC_DRBG “backdoor”</a>?<span>&nbsp;</span><a title="Dual Elliptic Curve Deterministic Random Bit Generator" href="https://news.ycombinator.com/item?id=31994063">tptacek</a><span>&nbsp;</span>gets it:</p> <blockquote> We get it. People don't like NIST, because of <span>&nbsp;</span> <a href="https://en.wikipedia.org/wiki/Bullrun_(decryption_program)" title="NSA’s Bullrun and GCHQ’s Edgehill">BULLRUN</a>. [But] NIST competitions are legitimated by their participants. People trust NIST's hash competition because of who entered, and because the winning team has an unimpeachable record. For the most part, people will trust this contest for similar reasons. <br>… <br>Pull up the authorship team on CRYSTALS-KYBER. Approximately 0% of credible cryptographers believe that NIST was somehow able to exert improper influence over this design. </blockquote> <p>&nbsp;<br><strong>Meanwhile,</strong><span>&nbsp;</span><a title="read the full text" href="https://forums.theregister.com/forum/all/2022/07/05/nist_quantum_resistant_algorithms/#c_4489002">The Oncoming Scorn</a><span>&nbsp;</span>is simultaneously serious and snarky, probably:</p> <blockquote> Actual quantum computers don't exist yet. … Or do they? </blockquote> <h2>&nbsp;<br>And Finally:</h2> <p><strong><a title="And Finally" href="https://www.youtube.com/watch?v=GNnBq3_iouQ&amp;list=PL9zSC5i495YMjIuJjxToNGU8Ve7Gd5Rvj">Post-meme dankness</a></strong></p> <div class="hs-embed-wrapper" style="position: relative; overflow: hidden; width: 100%; height: auto; padding: 0; max-width: 560px; max-height: 315px; min-width: 256px; display: block; margin: auto;"> <div class="hs-embed-content-wrapper"> <div style="position: relative; overflow: hidden; max-width: 100%; padding-bottom: 56.25%; margin: 0px;"> <iframe width="560" height="315" src="https://www.youtube.com/embed/GNnBq3_iouQ" frameborder="0" allowfullscreen style="position: absolute; top: 0px; left: 0px; width: 100%; height: 100%; border: none;"></iframe> </div> </div> </div> <p>&nbsp;</p> <p><a href="https://www.youtube.com/playlist?list=PL9zSC5i495YMjIuJjxToNGU8Ve7Gd5Rvj">Previously in<span>&nbsp;</span><em>And finally</em></a></p> <p><em>You have been reading&nbsp;<i>Secure Software&nbsp;Blogwatch</i>&nbsp;by&nbsp;<a href="https://www.richi.uk/">Richi&nbsp;Jennings</a>. Richi curates the best bloggy bits, finest forums, and weirdest websites … so you don’t have to. Hate mail may be directed to&nbsp;<a href="https://twitter.com/richi">@RiCHi</a>&nbsp;or&nbsp;<a href="mailto:ssbw@richi.co.uk?subject=-sbbw-">ssbw@richi.uk</a>. Ask your doctor before reading. Your mileage may vary. E&amp;OE. 30.</em></p> <p><small><i>Image sauce:<span>&nbsp;</span><a href="https://www.flickr.com/photos/ibm_research_zurich/33106602201">IBM</a><span>&nbsp;</span>(<a title="Some rights reserved" href="https://creativecommons.org/licenses/by-nd/2.0/">cc:by-nd</a>; leveled and cropped)</i></small></p> <img src="https://track.hubspot.com/__ptq.gif?a=3375217&amp;k=14&amp;r=https%3A%2F%2Fdevelop.secure.software%2Fdevs-prep-for-pqc-post-quantum-cryptography&amp;bu=https%253A%252F%252Fdevelop.secure.software&amp;bvt=rss" alt="" width="1" height="1" style="min-height:1px!important;width:1px!important;border-width:0!important;margin-top:0!important;margin-bottom:0!important;margin-right:0!important;margin-left:0!important;padding-top:0!important;padding-bottom:0!important;padding-right:0!important;padding-left:0!important; "> Secure Software Blogwatch Dev & DevSecOps Thu, 14 Jul 2022 09:00:00 GMT richi.jennings@richi.co.uk (Richi Jennings) https://develop.secure.software/devs-prep-for-pqc-post-quantum-cryptography 2022-07-14T09:00:00Z IconBurst npm software supply chain attack grabs data from apps and websites https://develop.secure.software/iconburst-npm-software-supply-chain-attack <div class="hs-featured-image-wrapper"> <a href="https://develop.secure.software/iconburst-npm-software-supply-chain-attack" title="" class="hs-featured-image-link"> <img src="https://develop.secure.software/hubfs/icon-burst-reversinglabs-blog.jpeg" alt="IconBurst npm software supply chain attack grabs data from apps and websites" class="hs-featured-image" style="width:auto !important; max-width:50%; float:left; margin:0 15px 15px 0;"> </a> </div> <div> <p style="font-weight: bold;">ReversingLabs researchers have uncovered a widespread campaign to install malicious npm modules that are harvesting sensitive data from forms embedded in mobile applications and websites.</p> </div> <p><img src="https://develop.secure.software/hs-fs/hubfs/Blog/icon-burst-reversinglabs-blog.jpg?width=1400&amp;name=icon-burst-reversinglabs-blog.jpg" alt="icon-burst-reversinglabs-blog" width="1400" style="width: 1400px;"></p> <div> <p style="font-weight: bold;">ReversingLabs researchers have uncovered a widespread campaign to install malicious npm modules that are harvesting sensitive data from forms embedded in mobile applications and websites.</p> </div> <h2 style="font-size: 24px; font-weight: bold;">Executive Summary</h2> <p><em>Update: Since first publication of this blog, new, malicious packages attributable to the accounts identified in our original report appeared on npm. In addition, new CDN (content distribution network) infrastructure was identified being used for script inclusion. We have updated our blog post to include the latest information and will continue updating it as new threats or information become available. (July 6, 2022)</em></p> <p>ReversingLabs researchers recently discovered evidence of a widespread software supply chain attack involving malicious Javascript packages offered via the npm repository. The researchers identified more than two dozen npm packages, dating back six months, that contain obfuscated Javascript designed to steal form data from individuals using applications or websites where the malicious packages had been deployed. <br><br>Upon closer inspection, the team discovered evidence of a coordinated supply chain attack, with a large number of npm packages containing jQuery scripts designed to steal form data from deployed applications that include them. While the full extent of this attack isn’t yet known, the malicious packages we discovered are likely used by hundreds, if not thousands of downstream mobile and desktop applications as well as websites. In one case, a malicious package had been downloaded more than 17,000 times. <br><br>As with the <a href="https://develop.secure.software/blog/npm-dependency-confusion-hacks-target-german-firms">recent (benign) dependency confusion attacks </a>targeting German organizations, these clearly malicious attacks relied on typo-squatting, a technique in which attackers offer up packages via public repositories with names that are similar to — or common misspellings of — legitimate packages. Attackers impersonated high-traffic npm modules like <span style="font-family: 'Courier New', Courier, monospace;">umbrellajs</span> and packages published by ionic.io. However, it is the end users of software (and their data) rather than development organizations that are the real targets. That makes this attack more comparable to the infamous SolarWinds compromise than to other, more recent supply chain compromises. Furthermore, similarities between the domains used to exfiltrate data suggest that the various modules in this campaign are in the control of a single actor. <br><br>Here’s detailed information on this widespread software supply chain attack, including known indicators of compromise (IOCs) associated with the attacks — and recommendations for remediating the threat posed by these malicious npm modules.<a href="https://register.reversinglabs.com/deminar/how-to-combat-the-iconburst-software-supply-chain-attack"></a></p> <h2 style="font-size: 24px; font-weight: bold;">Introduction</h2> <p>The ReversingLabs research team is continuously monitoring open-source package repositories for instances of malicious code planting and software supply chain attacks. This work involves both automated and human-led scanning and analysis of packages published in the most popular public package repositories like npm, PyPI, Ruby and NuGet. During these scans, we leverage our proprietary Titanium platform, and our deep file repository of goodware and badware to spot malicious and even suspicious elements hiding in plain view. Our newly released <a href="https://www.secure.software/">ReversingLabs secure.software solution</a> builds upon that past work. The platform provides a way for dev and SOC teams to deeply examine their CI/CD workflows, containers and release packages to spot nascent or active software supply chain compromises. <br><br>Frequently, our work turns up evidence of active software supply chain attacks. In April, we came across npm packages that used a <a href="https://github.com/javascript-obfuscator/javascript-obfuscator">javascript obfuscator</a> to hide their functionality. Our analysis of those packages produced proof of the simulated “dependency confusion” attacks on the software supply chain of leading German companies across a number of industries. We have been tracking npm repositories for occurrences of packages that use the same obfuscator ever since. <br><br>Here’s how tracking the usage of this obfuscation technique resulted in discovering several npm accounts, which were used to publish malicious code designed to steal form data entered by end users of infected web applications.</p> <h2 style="font-size: 24px; font-weight: bold;">Discussion</h2> <p>The core capability of ReversingLabs’ secure.software solution is analyzing code intent while highlighting malicious behaviors. These indicators cover all kinds of software behavior, from network and file system activities to use of packers associated with malicious campaigns, and the use of evasion techniques.</p> <h3 style="font-weight: bold;">Got obfuscation?</h3> <p>One technique we’re increasingly attuned to is the use of <a href="https://javascriptobfuscator.com/">javascript obfuscator</a>, a goodware component that is intended (mostly) to protect Javascript applications from the prying eyes of those who seek to steal or reverse engineer the code. Despite the respectable bona fides of javascript obfuscator and its laudable purpose, our past research revealed several instances of malicious packages using this tool to disguise malicious code. At this point, every encounter with such behavior requires a closer look.<br><br>The presence of a javascript obfuscator was the indicator that initially got our team looking at a wide range of npm packages, mostly published in the last two months, all using the mentioned obfuscator. In total, we discovered more than two dozen npm packages. When we looked at the names of those packages, we noticed some striking similarities. To show you what we mean, check out the following list of suspect packages.</p> <p><img src="https://develop.secure.software/hs-fs/hubfs/Blog/icon-burst-figure-1.png?width=350&amp;name=icon-burst-figure-1.png" alt="Similarly named packages using javascript obfuscator" style="width: 350px; margin-left: auto; margin-right: auto; display: block;" width="350"></p> <p style="text-align: center; font-weight: bold; font-size: 16px;">Figure 1: Similarly named packages using javascript obfuscator</p> <p>Can you spot the pattern? A deeper investigation into these npm modules reveals even more connections. All were connected to one of a handful of npm accounts with names like <em><span style="font-weight: bold;">ionic-io</span></em>; <em><span style="font-weight: bold;">arpanrizki</span></em>; <em><span style="font-weight: bold;">kbrstore</span></em>; and <em><span style="font-weight: bold;">aselole</span></em>.</p> <h3 style="font-weight: bold;">Obfuscated code found stealing form data</h3> <p>To figure out what was going on with these packages, our team started by de-obfuscating the package content using a <a href="https://github.com/relative/synchrony">javascript deobfuscator</a>. We followed that with a detailed examination of the de-obfuscated samples, which revealed that all of them perform collection of form data using jQuery Ajax functions, and then exfiltrate that data to various domains controlled by malicious authors. In other words: This is clear evidence of malicious intent. <br><br>Clearly, the typo-squatting technique used to fool developers into confusing the malicious packages with their legitimate counterparts was working. Packages created by the npm <span style="font-weight: bold; font-style: italic;">ionic-io </span>author, for example, show that the author published 18 versions of an npm package named <span style="font-weight: bold; font-style: italic;">icon-package</span> containing the malicious form stealing code. That was a glaring attempt to mislead developers into using this package instead of <a href="https://github.com/ionic-team/ionicons">ionicons</a>, a popular, open-source icon set with more than 1,000 icons for web, iOS, Android, and desktop apps.</p> <a href="https://blog.reversinglabs.com/hubfs/Blog/icon-burst-figure-2.jpg" class="lightbox-image"><img src="https://develop.secure.software/hubfs/Blog/icon-burst-figure-2.jpg" alt="Version data related to icon-package" style="width: 1400px;"></a> <p style="font-weight: bold; text-align: center; font-size: 16px;">Figure 2: Version data related to icon-package</p> <p>Download stats for npm show that the malicious <em><span style="font-weight: bold;">icon-package</span></em> has over 17,000 downloads. Data exfiltrated using this package passes through a domain <span style="color: #f7143f;"><em>hxxps://ionicio.com</em></span>, a play on the legitimate ionicons framework domain ionic.io that would be easy for application developers to overlook. The ruse extends beyond the npm ecosystem, though. Note the visual similarity between the fake ionic web page seen in Figure 3 and the legitimate ionic page in Figure 4.</p> <a href="https://blog.reversinglabs.com/hubfs/Blog/icon-burst-figure-03-1.jpg" class="lightbox-image"><img src="https://develop.secure.software/hubfs/Blog/icon-burst-figure-03-1.jpg" alt="Fake ionic webpage" style="width: 1400px;"></a> <p style="text-align: center;"><br><span style="font-weight: bold; font-size: 16px;">Figure 3: Fake ionic webpage</span></p> <a href="https://blog.reversinglabs.com/hubfs/Blog/icon-burst-figure-04.jpg" class="lightbox-image"><img src="https://develop.secure.software/hubfs/Blog/icon-burst-figure-04.jpg" alt="Legitimate ionic webpage" style="width: 1400px;"></a> <p style="text-align: center;"><br><span style="font-weight: bold; font-size: 16px;">Figure 4: Legitimate ionic webpage</span></p> <p>Under the hood, the malicious packages use a modified script that extends the behavior of the jQuery <em>ajax</em>() function to exfiltrate serialized form data to domains controlled by the attacker. Prior to sending the data, the function validates the URL content to perform target filtering checks.</p> <h2 style="font-weight: bold; font-size: 24px;">The trail begins in December 2021</h2> <p>In the process of tracing the origin of the campaign, even older packages containing this type of malicious functionality were discovered. They were published in December 2021 by the author <em><span style="font-weight: bold;">fontsawesome</span></em>, and also targeted the already mentioned ionicons icon set. The domain used for data exfiltration in these packages is the same as the one used in the first two versions of the <span style="font-weight: bold;">icon-package</span> package: <span style="color: #f7143f;"><em>hxxps://graph-googleapis.com</em></span>. <br><br>While the exact start of this campaign is unknown, the malicious package published from December 2021 all the way to the middle of May 2022 focused on mimicking the ionicons framework. At that point, the attackers switched to developing new npm packages that reused the same functionality and also started targeting other popular UI frameworks. <br><br>One of those packages is called <span style="font-weight: bold;">umbrellaks</span>, which is an obvious attempt at a typosquatting attack on the quite popular <a href="https://www.npmjs.com/package/umbrellajs">umbrellajs</a> javascript DOM (document object model) manipulation framework. <br><br>We also observed several packages published by the npm account <span style="font-weight: bold; font-style: italic;">arpanrizki</span> engaging in similar form data-grabbing. However, the exfiltration domain associated with these packages is different: <span style="font-style: italic; color: #f7143f;">hxxps://arpanrizki.my.id</span>. The form identifier for exfiltrated data was quite specific: <span style="font-style: italic;">ValidateVerificationDataForm</span>. So, as part of our investigation, we performed a GitHub search for this identifier, with some interesting results. (See Figure 5.)</p> <a href="https://blog.reversinglabs.com/hubfs/Blog/icon-burst-figure-5.jpg" class="lightbox-image"><img src="https://develop.secure.software/hubfs/Blog/icon-burst-figure-5.jpg" alt="GitHub search results" style="width: 1400px;"></a> <p style="font-weight: bold; text-align: center; font-size: 16px;">Figure 5: GitHub search results</p> <p>As the results show, one of the GitHub repositories containing the string in question were maintained by <em><span style="font-weight: bold;">arpantek</span></em>, a nickname very similar to the one of the npm author. The other result was related to a <span style="font-weight: bold;">HackingTool</span> repository belonging to the npm author <em><span style="font-weight: bold;">Woxruz</span></em>.</p> <a href="https://blog.reversinglabs.com/hubfs/Blog/icon-burst-figure-6.jpg" class="lightbox-image"><img src="https://develop.secure.software/hubfs/Blog/icon-burst-figure-6.jpg" alt="Woxruz’s HackingTool" style="width: 1400px;"></a> <p style="font-weight: bold; font-size: 16px; text-align: center;">Figure 6: Woxruz’s HackingTool</p> <p>The last commit’s description gives us a clue of the intended use for these software projects. These tools were designed for “Hacking PUBG i’d” [sic]. PUBG is a popular online-multiplayer video game with a large number of users. In other words, it seems the person behind the <em><span style="font-weight: bold;">arpantek</span> </em>and <span style="font-weight: bold;"><em>arpanrizki</em> </span>accounts tried to port the login stealing script to the npm ecosystem to expand the reach. <br><br>Names of the packages published by <em><span style="font-weight: bold;">arpanrizki</span></em> also suggest they are targeting popular Javascript frameworks like <em><span style="font-weight: bold;">ionicons</span></em> and <a href="https://www.npmjs.com/package/sidr" style="font-style: italic; font-weight: bold;">sidr</a>. In particular, the <span style="font-weight: bold; font-style: italic;">sidr</span> npm package hasn’t been maintained for 6 years, but still has more than 500 weekly downloads, which makes it a good target. Packages published by this author have since been removed from npm and replaced with security placeholders. The <span style="font-style: italic;">sidr</span> package description confirms that in this phase of the campaign, the main target of the actor behind <span style="font-weight: bold; font-style: italic;">arpanrizki</span> account were PUBG users.</p> <a href="https://blog.reversinglabs.com/hubfs/Blog/icon-burst-figure-7.jpg" class="lightbox-image"><img src="https://develop.secure.software/hubfs/Blog/icon-burst-figure-7.jpg" alt="sidr package description and the content of the referenced website" style="width: 550px; margin-left: auto; margin-right: auto; display: block;"></a> <p style="font-weight: bold; text-align: center; font-size: 16px;">Figure 7: sidr package description and the content of the referenced website</p> <h2 style="font-size: 24px; font-weight: bold;">Hungry for data</h2> <p>While the malicious packages we initially observed took a conservative approach to harvesting form data, the more recently published malicious packages are taking a more aggressive approach to acquiring data. Another malicious package we identified, <em><span style="font-weight: bold;">footericon</span></em>, gathers data from all form elements with a defined “login-form” class.</p> <a href="https://blog.reversinglabs.com/hubfs/Blog/icon-burst-figure-8.png" class="lightbox-image"><img src="https://develop.secure.software/hubfs/Blog/icon-burst-figure-8.png" alt="Form data exfiltration code from footericon package" style="width: 1400px;"></a> <p style="font-weight: bold; text-align: center; font-size: 16px;">Figure 8: Form data exfiltration code from footericon package</p> <p>Similarly, the <em><span style="font-weight: bold;">swiper-bundIe</span></em> package, a malicious npm package targeting the popular Javascript framework <a href="https://swiperjs.com/">swiper</a>, uses the embedded jQuery approach, extending its <span style="font-style: italic;">end()</span> function with functionality that gathers data from every form element on the page.</p> <a href="https://blog.reversinglabs.com/hubfs/Blog/icon-burst-figure-9.png" class="lightbox-image"><img src="https://develop.secure.software/hubfs/Blog/icon-burst-figure-9.png" alt="Form data exfiltration code from swiper-bundIe package" style="width: 1400px;"></a> <p style="font-weight: bold; font-size: 16px; text-align: center;">Figure 9: Form data exfiltration code from swiper-bundIe package</p> <h2 style="font-size: 24px; font-weight: bold;">Clues hidden in code</h2> <p>While we can’t yet identify the actor(s) responsible for these attacks, clues as to the structure of the campaign abound in the deployed packages. For example, the <em><span style="font-weight: bold;">swiper-bundIe</span></em> package contains a Javascript header in the payload script with cleartext comments that name the author of the package as Alberto Varela, the author of the <em><span style="font-weight: bold;">sidr</span></em> package targeted by the <em><span style="font-weight: bold;">arpanrizki</span></em> author. Similarly, the long, commented Javascript one-liner also contains several references to the <em><span style="font-weight: bold;">sidr</span></em> package.</p> <a href="https://blog.reversinglabs.com/hubfs/Blog/icon-burst-figure-10.png" class="lightbox-image"><img src="https://develop.secure.software/hubfs/Blog/icon-burst-figure-10.png" alt="Comment header at the beginning of the payload from swiper-bundIe package" style="width: 1400px;"></a> <p style="text-align: center;"><br><span style="font-weight: bold; font-size: 16px;">Figure 10: Comment header at the beginning of the payload from swiper-bundIe package</span></p> <p>Finally, the malicious packages use exfiltration domains with a consistent naming pattern: <em>&lt;subdomain&gt;.my.id</em>. Together, these clues suggest a common actor behind the various malicious packages and a unified campaign.</p> <h2 style="font-size: 24px; font-weight: bold;">List of malicious npm modules</h2> <div style="overflow-x: auto; max-width: 100%; width: 100%; margin-left: auto; margin-right: auto;"> <table style="width: 100%; border-collapse: collapse; table-layout: fixed; border: 1px solid #333333; font-size: 16px; height: 1217px;"> <tbody> <tr style="height: 40px;"> <td style="width: 48.2857%; padding: 4px; height: 40px; background-color: #333333; border: 1px solid #333333; vertical-align: middle;"><strong><span style="color: #ffffff;">Author / Package name</span></strong></td> <td style="width: 51.7143%; padding: 4px; height: 40px; background-color: #333333; border: 1px solid #333333; vertical-align: middle;"><strong><span style="color: #ffffff;">Download count</span></strong></td> </tr> <tr style="height: 28px;"> <td style="width: 48.2857%; padding: 4px; height: 28px; border: 1px solid #333333; background-color: #e9e9eb; border-color: #e9e9eb;"><strong>fontsawesome</strong></td> <td style="width: 51.7143%; padding: 4px; height: 28px; border: 1px solid #333333; background-color: #e9e9eb; border-color: #e9e9eb;">&nbsp;</td> </tr> <tr style="height: 28px;"> <td style="width: 48.2857%; padding: 4px; height: 28px; border: 1px solid #333333; border-color: #e9e9eb;">ionic-icon</td> <td style="width: 51.7143%; padding: 4px; height: 28px; border: 1px solid #333333; border-color: #e9e9eb;">108</td> </tr> <tr style="height: 28px;"> <td style="width: 48.2857%; padding: 4px; height: 28px; border: 1px solid #333333; border-color: #e9e9eb;">ionicio</td> <td style="width: 51.7143%; padding: 4px; height: 28px; border: 1px solid #333333; border-color: #e9e9eb;">3,724</td> </tr> <tr style="height: 28px;"> <td style="width: 48.2857%; padding: 4px; height: 28px; border: 1px solid #333333; background-color: #e9e9eb; border-color: #e9e9eb;"><strong>ionic-io</strong></td> <td style="width: 51.7143%; padding: 4px; height: 28px; border: 1px solid #333333; background-color: #e9e9eb; border-color: #e9e9eb;">&nbsp;</td> </tr> <tr style="height: 28px;"> <td style="width: 48.2857%; padding: 4px; height: 28px; border: 1px solid #333333; border-color: #e9e9eb;">icon-package</td> <td style="width: 51.7143%; padding: 4px; height: 28px; border: 1px solid #333333; border-color: #e9e9eb;">17,774</td> </tr> <tr style="height: 28px;"> <td style="width: 48.2857%; padding: 4px; height: 28px; border: 1px solid #333333; border-color: #e9e9eb;">ajax-libs</td> <td style="width: 51.7143%; padding: 4px; height: 28px; border: 1px solid #333333; border-color: #e9e9eb;">2,440</td> </tr> <tr style="height: 28px;"> <td style="width: 48.2857%; padding: 4px; height: 28px; border: 1px solid #333333; border-color: #e9e9eb;">umbrellaks</td> <td style="width: 51.7143%; padding: 4px; height: 28px; border: 1px solid #333333; border-color: #e9e9eb;">686</td> </tr> <tr style="height: 28px;"> <td style="width: 48.2857%; padding: 4px; height: 28px; border: 1px solid #333333; border-color: #e9e9eb;">ajax-library</td> <td style="width: 51.7143%; padding: 4px; height: 28px; border: 1px solid #333333; border-color: #e9e9eb;">530</td> </tr> <tr style="height: 28px;"> <td style="width: 48.2857%; padding: 4px; height: 28px; border: 1px solid #333333; background-color: #e9e9eb; border-color: #e9e9eb;"><strong>arpanrizki</strong></td> <td style="width: 51.7143%; padding: 4px; height: 28px; border: 1px solid #333333; background-color: #e9e9eb; border-color: #e9e9eb;">&nbsp;</td> </tr> <tr style="height: 28px;"> <td style="width: 48.2857%; padding: 4px; height: 28px; border: 1px solid #333333; border-color: #e9e9eb;">iconion-package</td> <td style="width: 51.7143%; padding: 4px; height: 28px; border: 1px solid #333333; border-color: #e9e9eb;">101</td> </tr> <tr style="height: 28px;"> <td style="width: 48.2857%; padding: 4px; height: 28px; border: 1px solid #333333; border-color: #e9e9eb;">package-sidr</td> <td style="width: 51.7143%; padding: 4px; height: 28px; border: 1px solid #333333; border-color: #e9e9eb;">91</td> </tr> <tr style="height: 28px;"> <td style="width: 48.2857%; padding: 4px; height: 28px; border: 1px solid #333333; border-color: #e9e9eb;">kbrstore</td> <td style="width: 51.7143%; padding: 4px; height: 28px; border: 1px solid #333333; border-color: #e9e9eb;">89</td> </tr> <tr style="height: 28px;"> <td style="width: 48.2857%; padding: 4px; height: 28px; border: 1px solid #333333; border-color: #e9e9eb;">icons-package</td> <td style="width: 51.7143%; padding: 4px; height: 28px; border: 1px solid #333333; border-color: #e9e9eb;">380</td> </tr> <tr style="height: 28px;"> <td style="width: 48.2857%; padding: 4px; height: 28px; border: 1px solid #333333; border-color: #e9e9eb;">subek</td> <td style="width: 51.7143%; padding: 4px; height: 28px; border: 1px solid #333333; border-color: #e9e9eb;">99</td> </tr> <tr style="height: 28px;"> <td style="width: 48.2857%; padding: 4px; border: 1px solid #333333; height: 28px; border-color: #e9e9eb;">package-show</td> <td style="width: 51.7143%; padding: 4px; border: 1px solid #333333; height: 28px; border-color: #e9e9eb;">103</td> </tr> <tr style="height: 28px;"> <td style="width: 48.2857%; padding: 4px; border: 1px solid #333333; height: 28px; border-color: #e9e9eb;">package-icon</td> <td style="width: 51.7143%; padding: 4px; border: 1px solid #333333; height: 28px; border-color: #e9e9eb;">122</td> </tr> <tr style="height: 28px;"> <td style="width: 48.2857%; padding: 4px; border: 1px solid #333333; height: 28px; background-color: #e9e9eb; border-color: #e9e9eb;"><strong>kbrstore</strong></td> <td style="width: 51.7143%; padding: 4px; border: 1px solid #333333; height: 28px; background-color: #e9e9eb; border-color: #e9e9eb;">&nbsp;</td> </tr> <tr style="height: 28px;"> <td style="width: 48.2857%; padding: 4px; border: 1px solid #333333; height: 28px; border-color: #e9e9eb;">icons-packages</td> <td style="width: 51.7143%; padding: 4px; border: 1px solid #333333; height: 28px; border-color: #e9e9eb;">170</td> </tr> <tr style="height: 28px;"> <td style="width: 48.2857%; padding: 4px; border: 1px solid #333333; height: 28px; border-color: #e9e9eb;">ionicon-package</td> <td style="width: 51.7143%; padding: 4px; border: 1px solid #333333; height: 28px; border-color: #e9e9eb;">64</td> </tr> <tr style="height: 28px;"> <td style="width: 48.2857%; padding: 4px; border: 1px solid #333333; height: 28px; border-color: #e9e9eb;">icons-pack</td> <td style="width: 51.7143%; padding: 4px; border: 1px solid #333333; height: 28px; border-color: #e9e9eb;">49</td> </tr> <tr style="height: 28px;"> <td style="width: 48.2857%; padding: 4px; border: 1px solid #333333; height: 28px; border-color: #e9e9eb;">pack-icons</td> <td style="width: 51.7143%; padding: 4px; border: 1px solid #333333; height: 28px; border-color: #e9e9eb;">468</td> </tr> <tr style="height: 28px;"> <td style="width: 48.2857%; padding: 4px; border: 1px solid #e9e9eb; height: 28px;">ionicons-pack</td> <td style="width: 51.7143%; padding: 4px; border: 1px solid #e9e9eb; height: 28px;">89</td> </tr> <tr style="height: 28px;"> <td style="width: 48.2857%; padding: 4px; border: 1px solid #333333; height: 28px; background-color: #e9e9eb; border-color: #e9e9eb;"><strong>aselole</strong></td> <td style="width: 51.7143%; padding: 4px; border: 1px solid #333333; height: 28px; background-color: #e9e9eb; border-color: #e9e9eb;">&nbsp;</td> </tr> <tr style="height: 28px;"> <td style="width: 48.2857%; padding: 4px; border: 1px solid #333333; height: 28px; border-color: #e9e9eb;">package-ionicons</td> <td style="width: 51.7143%; padding: 4px; border: 1px solid #333333; height: 28px; border-color: #e9e9eb;">144</td> </tr> <tr style="height: 28px;"> <td style="width: 48.2857%; padding: 4px; border: 1px solid #333333; height: 28px; border-color: #e9e9eb;">package-ionicon</td> <td style="width: 51.7143%; padding: 4px; border: 1px solid #333333; height: 28px; border-color: #e9e9eb;">57</td> </tr> <tr style="height: 28px;"> <td style="width: 48.2857%; padding: 4px; border: 1px solid #e9e9eb; height: 28px;">base64-javascript</td> <td style="width: 51.7143%; padding: 4px; border: 1px solid #e9e9eb; height: 28px;">40</td> </tr> <tr style="height: 28px;"> <td style="width: 48.2857%; padding: 4px; border: 1px solid #e9e9eb; height: 28px;">ionicons-js</td> <td style="width: 51.7143%; padding: 4px; border: 1px solid #e9e9eb; height: 28px;">38</td> </tr> <tr style="height: 28px;"> <td style="width: 48.2857%; padding: 4px; border: 1px solid #e9e9eb; height: 28px;">ionicons-json</td> <td style="width: 51.7143%; padding: 4px; border: 1px solid #e9e9eb; height: 28px;">39</td> </tr> <tr style="height: 28px;"> <td style="width: 48.2857%; padding: 4px; border: 1px solid #333333; height: 28px; background-color: #e9e9eb; border-color: #e9e9eb;"><strong>footericon</strong></td> <td style="width: 51.7143%; padding: 4px; border: 1px solid #333333; height: 28px; background-color: #e9e9eb; border-color: #e9e9eb;">&nbsp;</td> </tr> <tr style="height: 28px;"> <td style="width: 48.2857%; padding: 4px; border: 1px solid #333333; height: 28px; border-color: #e9e9eb;">footericon</td> <td style="width: 51.7143%; padding: 4px; border: 1px solid #333333; height: 28px; border-color: #e9e9eb;">1,903</td> </tr> <tr style="height: 28px;"> <td style="width: 48.2857%; padding: 4px; border: 1px solid #333333; height: 28px; background-color: #e9e9eb; border-color: #e9e9eb;"><strong>ajax-libz</strong></td> <td style="width: 51.7143%; padding: 4px; border: 1px solid #333333; height: 28px; background-color: #e9e9eb; border-color: #e9e9eb;">&nbsp;</td> </tr> <tr style="height: 28px;"> <td style="width: 48.2857%; padding: 4px; border: 1px solid #333333; height: 28px; border-color: #e9e9eb;">roar-01</td> <td style="width: 51.7143%; padding: 4px; border: 1px solid #333333; height: 28px; border-color: #e9e9eb;">40</td> </tr> <tr style="height: 28px;"> <td style="width: 48.2857%; padding: 4px; border: 1px solid #333333; height: 28px; border-color: #e9e9eb;">roar-02</td> <td style="width: 51.7143%; padding: 4px; border: 1px solid #333333; height: 28px; border-color: #e9e9eb;">37</td> </tr> <tr style="height: 28px;"> <td style="width: 48.2857%; padding: 4px; border: 1px solid #333333; height: 28px; border-color: #e9e9eb;">wkwk100</td> <td style="width: 51.7143%; padding: 4px; border: 1px solid #333333; height: 28px; border-color: #e9e9eb;">38</td> </tr> <tr style="height: 28px;"> <td style="width: 48.2857%; padding: 4px; border: 1px solid #333333; height: 28px; border-color: #e9e9eb;">swiper-bundie</td> <td style="width: 51.7143%; padding: 4px; border: 1px solid #333333; height: 28px; border-color: #e9e9eb;">39</td> </tr> <tr style="height: 28px;"> <td style="width: 48.2857%; padding: 4px; border: 1px solid #333333; height: 28px; border-color: #e9e9eb;">ajax-libz</td> <td style="width: 51.7143%; padding: 4px; border: 1px solid #333333; height: 28px; border-color: #e9e9eb;">40</td> </tr> <tr style="height: 28px;"> <td style="width: 48.2857%; padding: 4px; border: 1px solid #333333; height: 28px; border-color: #e9e9eb;">swiper-bundle</td> <td style="width: 51.7143%; padding: 4px; border: 1px solid #333333; height: 28px; border-color: #e9e9eb;">185</td> </tr> <tr style="height: 28px;"> <td style="width: 48.2857%; padding: 4px; border: 1px solid #e9e9eb; height: 28px;">atez</td> <td style="width: 51.7143%; padding: 4px; border: 1px solid #e9e9eb; height: 28px;">43</td> </tr> <tr style="height: 28px;"> <td style="width: 48.2857%; padding: 4px; border: 1px solid #e9e9eb; height: 28px;">ajax-googleapis</td> <td style="width: 51.7143%; padding: 4px; border: 1px solid #e9e9eb; height: 28px;">38</td> </tr> <tr style="height: 28px;"> <td style="width: 48.2857%; padding: 4px; border: 1px solid #e9e9eb; height: 28px;">tezdoank</td> <td style="width: 51.7143%; padding: 4px; border: 1px solid #e9e9eb; height: 28px;">69</td> </tr> <tr style="height: 28px;"> <td style="width: 48.2857%; padding: 4px; border: 1px solid #e9e9eb; background-color: #e9e9eb; height: 28px;"><strong>ryucha</strong></td> <td style="width: 51.7143%; padding: 4px; border: 1px solid #e9e9eb; background-color: #e9e9eb; height: 28px;">&nbsp;</td> </tr> <tr style="height: 28px;"> <td style="width: 48.2857%; padding: 4px; border: 1px solid #e9e9eb; height: 28px;">ajaxapis</td> <td style="width: 51.7143%; padding: 4px; border: 1px solid #e9e9eb; height: 28px;">40</td> </tr> <tr> <td style="width: 48.2857%; padding: 4px; border: 1px solid #e9e9eb;">tescodek</td> <td style="width: 51.7143%; padding: 4px; border: 1px solid #e9e9eb;">38</td> </tr> <tr> <td style="width: 48.2857%; padding: 4px; border: 1px solid #e9e9eb;">atezzz</td> <td style="width: 51.7143%; padding: 4px; border: 1px solid #e9e9eb;">114</td> </tr> <tr> <td style="width: 48.2857%; padding: 4px; border: 1px solid #e9e9eb;">libz.jquery</td> <td style="width: 51.7143%; padding: 4px; border: 1px solid #e9e9eb;">160</td> </tr> <tr> <td style="width: 48.2857%; padding: 4px; border: 1px solid #e9e9eb;">ajax-libary</td> <td style="width: 51.7143%; padding: 4px; border: 1px solid #e9e9eb;">36</td> </tr> </tbody> </table> </div> <p style="text-align: center;"><br><span style="font-weight: bold; font-size: 16px;">Table 1: List of malicious packages with corresponding download count </span></p> <h2><br><span style="font-size: 24px; font-weight: bold;">Conclusion</span></h2> <p>ReversingLabs’ research uncovered an extensive software supply chain attack involving more than two dozen npm modules used by thousands of downstream applications, as indicated by the package download counts.<br><br>Analysis of the modules reveals evidence of coordination, with malicious modules traceable to a small number of npm publishers, and consistent patterns in supporting infrastructure such as exfiltration domains. ReversingLabs reached out to the npm security team to report the findings on July 1st, 2022. <br><br>This attack marks a significant escalation in software supply chain attacks. Malicious code bundled within the npm modules is running within an unknown number of mobile and desktop applications and web pages, harvesting untold amounts of user data. The npm modules our team identified have been collectively downloaded more than 27,000 times. As very few development organizations have the ability to detect malicious code within open source libraries and modules, the attacks persisted for months before coming to our attention. While a few of the named packages have been removed from npm, most are still available for download at the time of this report.<br><br>In publishing this report, we hope it serves as a resource for development organizations to assess their own exposure to these malicious npm modules. We have prepared a list of affected modules and indicators of compromise that organizations can use to look for evidence of active attacks.<br><br>Looking beyond this specific incident, it is clear that software development organizations as well as their customers need new tools and processes for assessing supply chain risks like the ones posed by these malicious npm packages. The decentralized and modular nature of application development means that applications and services are only as strong as their least secure component. The success of this attack — with more than two dozen malicious modules available for download on a popular package repository, and one of them with 17,000 downloads in a matter of weeks — underscores the freewheeling nature of application development, and the low barriers to malicious or even vulnerable code entering sensitive applications and IT environments.</p> <h2 style="font-size: 24px; font-weight: bold;">Indicators of Compromise (IoC)</h2> <p><span style="font-weight: bold;">C2 domains extracted from the analyzed npm packages:</span><br>graph-googleapis.com<br>ionicio.com<br>curls.safhosting.xyz<br>arpanrizki.my.id<br>dnster.my.id<br>okep.renznesia.xyz<br>ryucha.my.id<br>panelllgege.001www.com<br>nge.scrp.my.id<br>apiii-xyz.yogax.my.id<br>panel.archodex.xyz<br>panel.curlz.online<br>api.mlbb-x-02.ml<br><br><span style="font-weight: bold;">Package versions:</span></p> <div style="overflow-x: auto; max-width: 100%; width: 100%; margin-left: auto; margin-right: auto;"> <table style="width: 100%; border-collapse: collapse; table-layout: fixed; border: 1px solid #333333; font-size: 16px; height: 2141px;"> <tbody> <tr style="height: 40px;"> <td style="width: 22.1904%; padding: 4px; border: 1px solid #333333; height: 40px; background-color: #333333;"><strong><span style="color: #ffffff;">Package Name</span></strong></td> <td style="width: 21.3333%; padding: 4px; border: 1px solid #333333; height: 40px; background-color: #333333;"><strong><span style="color: #ffffff;">Package Version</span></strong></td> <td style="width: 56.4762%; padding: 4px; border: 1px solid #333333; height: 40px; background-color: #333333;"><strong><span style="color: #ffffff;">SHA1</span></strong></td> </tr> <tr style="height: 28px;"> <td style="width: 22.1904%; padding: 4px; height: 28px; border: 1px solid #333333; border-color: #e9e9eb;">ionic-icon</td> <td style="width: 21.3333%; padding: 4px; height: 28px; border: 1px solid #333333; border-color: #e9e9eb;">4.7.0</td> <td style="width: 56.4762%; padding: 4px; height: 28px; border: 1px solid #333333; border-color: #e9e9eb;">8ab228743d3fef5c89aa55c7d3a714361249eba8</td> </tr> <tr style="height: 28px;"> <td style="width: 22.1904%; padding: 4px; height: 28px; border: 1px solid #333333; border-color: #e9e9eb;">ionicio</td> <td style="width: 21.3333%; padding: 4px; height: 28px; border: 1px solid #333333; border-color: #e9e9eb;">5.0.0</td> <td style="width: 56.4762%; padding: 4px; height: 28px; border: 1px solid #333333; border-color: #e9e9eb;">f0221e1707075e2976010d279494bb73f0b169c7</td> </tr> <tr style="height: 28px;"> <td style="width: 22.1904%; padding: 4px; height: 28px; border: 1px solid #333333; border-color: #e9e9eb;">icon-package</td> <td style="width: 21.3333%; padding: 4px; height: 28px; border: 1px solid #333333; border-color: #e9e9eb;">5.0.0</td> <td style="width: 56.4762%; padding: 4px; height: 28px; border: 1px solid #333333; border-color: #e9e9eb;">9299a3eb1f11fcc090c7584bb9ce895ba38fd2cb</td> </tr> <tr style="height: 28px;"> <td style="width: 22.1904%; padding: 4px; height: 28px; border: 1px solid #333333; border-color: #e9e9eb;">icon-package</td> <td style="width: 21.3333%; padding: 4px; height: 28px; border: 1px solid #333333; border-color: #e9e9eb;">5.1.0</td> <td style="width: 56.4762%; padding: 4px; height: 28px; border: 1px solid #333333; border-color: #e9e9eb;">6092606456adce8eb705ba33ad3e9536682d917f</td> </tr> <tr style="height: 28px;"> <td style="width: 22.1904%; padding: 4px; height: 28px; border: 1px solid #333333; border-color: #e9e9eb;">icon-package</td> <td style="width: 21.3333%; padding: 4px; height: 28px; border: 1px solid #333333; border-color: #e9e9eb;">5.2.0</td> <td style="width: 56.4762%; padding: 4px; height: 28px; border: 1px solid #333333; border-color: #e9e9eb;">d106693abc732a93176085410c67c4581de28447</td> </tr> <tr style="height: 28px;"> <td style="width: 22.1904%; padding: 4px; height: 28px; border: 1px solid #333333; border-color: #e9e9eb;">icon-package</td> <td style="width: 21.3333%; padding: 4px; height: 28px; border: 1px solid #333333; border-color: #e9e9eb;">5.3.0</td> <td style="width: 56.4762%; padding: 4px; height: 28px; border: 1px solid #333333; border-color: #e9e9eb;">5a631ab46373251dade6dca5bb460b55bf738a64</td> </tr> <tr style="height: 28px;"> <td style="width: 22.1904%; padding: 4px; height: 28px; border: 1px solid #333333; border-color: #e9e9eb;">icon-package</td> <td style="width: 21.3333%; padding: 4px; height: 28px; border: 1px solid #333333; border-color: #e9e9eb;">5.4.0</td> <td style="width: 56.4762%; padding: 4px; height: 28px; border: 1px solid #333333; border-color: #e9e9eb;">c173de3d3ee1dd0920ee5a3a4f80d8c280ce2697</td> </tr> <tr style="height: 28px;"> <td style="width: 22.1904%; padding: 4px; height: 28px; border: 1px solid #333333; border-color: #e9e9eb;">icon-package</td> <td style="width: 21.3333%; padding: 4px; height: 28px; border: 1px solid #333333; border-color: #e9e9eb;">5.5.0</td> <td style="width: 56.4762%; padding: 4px; height: 28px; border: 1px solid #333333; border-color: #e9e9eb;">49f2bc011d1beece62b7a4ed47818e288b71edb6</td> </tr> <tr style="height: 28px;"> <td style="width: 22.1904%; padding: 4px; height: 28px; border: 1px solid #333333; border-color: #e9e9eb;">icon-package</td> <td style="width: 21.3333%; padding: 4px; height: 28px; border: 1px solid #333333; border-color: #e9e9eb;">5.9.0</td> <td style="width: 56.4762%; padding: 4px; height: 28px; border: 1px solid #333333; border-color: #e9e9eb;">cf8a7066865ab6d009e226096fa879867b8e61bc</td> </tr> <tr style="height: 28px;"> <td style="width: 22.1904%; padding: 4px; height: 28px; border: 1px solid #333333; border-color: #e9e9eb;">icon-package</td> <td style="width: 21.3333%; padding: 4px; height: 28px; border: 1px solid #333333; border-color: #e9e9eb;">6.0.0</td> <td style="width: 56.4762%; padding: 4px; height: 28px; border: 1px solid #333333; border-color: #e9e9eb;">6e2b0d621bf6031beee18b897b2da5d93d3ce5e7</td> </tr> <tr style="height: 28px;"> <td style="width: 22.1904%; padding: 4px; height: 28px; border: 1px solid #333333; border-color: #e9e9eb;">icon-package</td> <td style="width: 21.3333%; padding: 4px; height: 28px; border: 1px solid #333333; border-color: #e9e9eb;">6.0.1</td> <td style="width: 56.4762%; padding: 4px; height: 28px; border: 1px solid #333333; border-color: #e9e9eb;">164ff2295b63434e8b260a46041669c98eab4235</td> </tr> <tr style="height: 28px;"> <td style="width: 22.1904%; padding: 4px; height: 28px; border: 1px solid #333333; border-color: #e9e9eb;">icon-package</td> <td style="width: 21.3333%; padding: 4px; height: 28px; border: 1px solid #333333; border-color: #e9e9eb;">6.0.2</td> <td style="width: 56.4762%; padding: 4px; height: 28px; border: 1px solid #333333; border-color: #e9e9eb;">96aca5e901bd8f1229683339766073e4e5d1de59</td> </tr> <tr style="height: 28px;"> <td style="width: 22.1904%; padding: 4px; height: 28px; border: 1px solid #333333; border-color: #e9e9eb;">icon-package</td> <td style="width: 21.3333%; padding: 4px; height: 28px; border: 1px solid #333333; border-color: #e9e9eb;">6.6.6</td> <td style="width: 56.4762%; padding: 4px; height: 28px; border: 1px solid #333333; border-color: #e9e9eb;">6253324c1d741c1be3ae20fd8262adb54530ee8b</td> </tr> <tr style="height: 28px;"> <td style="width: 22.1904%; padding: 4px; height: 28px; border: 1px solid #333333; border-color: #e9e9eb;">icon-package</td> <td style="width: 21.3333%; padding: 4px; height: 28px; border: 1px solid #333333; border-color: #e9e9eb;">6.6.7</td> <td style="width: 56.4762%; padding: 4px; height: 28px; border: 1px solid #333333; border-color: #e9e9eb;">c77eda629d2076663276bc48c7462ea07470dbdc</td> </tr> <tr style="height: 28px;"> <td style="width: 22.1904%; padding: 4px; height: 28px; border: 1px solid #333333; border-color: #e9e9eb;">icon-package</td> <td style="width: 21.3333%; padding: 4px; height: 28px; border: 1px solid #333333; border-color: #e9e9eb;">6.6.8</td> <td style="width: 56.4762%; padding: 4px; height: 28px; border: 1px solid #333333; border-color: #e9e9eb;">b7dc23a51469574205b0691944f4120e2d92e64d</td> </tr> <tr style="height: 28px;"> <td style="width: 22.1904%; padding: 4px; height: 28px; border: 1px solid #333333; border-color: #e9e9eb;">icon-package</td> <td style="width: 21.3333%; padding: 4px; height: 28px; border: 1px solid #333333; border-color: #e9e9eb;">7.7.7</td> <td style="width: 56.4762%; padding: 4px; height: 28px; border: 1px solid #333333; border-color: #e9e9eb;">83e5ebd7f355b1655778a37db6b6953042fb77c4</td> </tr> <tr style="height: 28px;"> <td style="width: 22.1904%; padding: 4px; height: 28px; border: 1px solid #333333; border-color: #e9e9eb;">icon-package</td> <td style="width: 21.3333%; padding: 4px; height: 28px; border: 1px solid #333333; border-color: #e9e9eb;">7.7.8</td> <td style="width: 56.4762%; padding: 4px; height: 28px; border: 1px solid #333333; border-color: #e9e9eb;">123dad7d48c47486e9c226ad50b26b2ba5ec9fe2</td> </tr> <tr style="height: 28px;"> <td style="width: 22.1904%; padding: 4px; height: 28px; border: 1px solid #333333; border-color: #e9e9eb;">icon-package</td> <td style="width: 21.3333%; padding: 4px; height: 28px; border: 1px solid #333333; border-color: #e9e9eb;">7.7.9</td> <td style="width: 56.4762%; padding: 4px; height: 28px; border: 1px solid #333333; border-color: #e9e9eb;">17fef01df47ceb87b2755f4a18db23d8f7276d30</td> </tr> <tr style="height: 28px;"> <td style="width: 22.1904%; padding: 4px; height: 28px; border: 1px solid #333333; border-color: #e9e9eb;">icon-package</td> <td style="width: 21.3333%; padding: 4px; height: 28px; border: 1px solid #333333; border-color: #e9e9eb;">8.0.9</td> <td style="width: 56.4762%; padding: 4px; height: 28px; border: 1px solid #333333; border-color: #e9e9eb;">ae70ef4e5a0bb522179e5d488ed56efb9ae5b4d9</td> </tr> <tr style="height: 28px;"> <td style="width: 22.1904%; padding: 4px; height: 28px; border: 1px solid #333333; border-color: #e9e9eb;">icon-package</td> <td style="width: 21.3333%; padding: 4px; height: 28px; border: 1px solid #333333; border-color: #e9e9eb;">9.0.0</td> <td style="width: 56.4762%; padding: 4px; height: 28px; border: 1px solid #333333; border-color: #e9e9eb;">e66609e433e5b51a148889ff128bd7182fe22d4b</td> </tr> <tr style="height: 28px;"> <td style="width: 22.1904%; padding: 4px; height: 28px; border: 1px solid #333333; border-color: #e9e9eb;">ajax-libs</td> <td style="width: 21.3333%; padding: 4px; height: 28px; border: 1px solid #333333; border-color: #e9e9eb;">9.0.1</td> <td style="width: 56.4762%; padding: 4px; height: 28px; border: 1px solid #333333; border-color: #e9e9eb;">54549337e60eede3d4dc6b52662c582449b66c40</td> </tr> <tr style="height: 28px;"> <td style="width: 22.1904%; padding: 4px; height: 28px; border: 1px solid #333333; border-color: #e9e9eb;">ajax-libs</td> <td style="width: 21.3333%; padding: 4px; height: 28px; border: 1px solid #333333; border-color: #e9e9eb;">9.0.2</td> <td style="width: 56.4762%; padding: 4px; height: 28px; border: 1px solid #333333; border-color: #e9e9eb;">fd72a461bb62dce8989f1c24bdcc6ae6d4eaabc5</td> </tr> <tr style="height: 28px;"> <td style="width: 22.1904%; padding: 4px; height: 28px; border: 1px solid #333333; border-color: #e9e9eb;">ajax-libs</td> <td style="width: 21.3333%; padding: 4px; height: 28px; border: 1px solid #333333; border-color: #e9e9eb;">9.0.3</td> <td style="width: 56.4762%; padding: 4px; height: 28px; border: 1px solid #333333; border-color: #e9e9eb;">66c41baf38e29c4b0a979cff35df4a1eed11e13e</td> </tr> <tr style="height: 28px;"> <td style="width: 22.1904%; padding: 4px; height: 28px; border: 1px solid #333333; border-color: #e9e9eb;">umbrellaks</td> <td style="width: 21.3333%; padding: 4px; height: 28px; border: 1px solid #333333; border-color: #e9e9eb;">1.0.0</td> <td style="width: 56.4762%; padding: 4px; height: 28px; border: 1px solid #333333; border-color: #e9e9eb;">81031febc2ed49bdd8c8f7ca810830df1b0d3476</td> </tr> <tr style="height: 28px;"> <td style="width: 22.1904%; padding: 4px; height: 28px; border: 1px solid #333333; border-color: #e9e9eb;">ajax-library</td> <td style="width: 21.3333%; padding: 4px; height: 28px; border: 1px solid #333333; border-color: #e9e9eb;">1.0.0</td> <td style="width: 56.4762%; padding: 4px; height: 28px; border: 1px solid #333333; border-color: #e9e9eb;">326dab8f5d4dab461ca5fd14f136503d12227eae</td> </tr> <tr style="height: 28px;"> <td style="width: 22.1904%; padding: 4px; height: 28px; border: 1px solid #333333; border-color: #e9e9eb;">ajax-library</td> <td style="width: 21.3333%; padding: 4px; height: 28px; border: 1px solid #333333; border-color: #e9e9eb;">1.0.1</td> <td style="width: 56.4762%; padding: 4px; height: 28px; border: 1px solid #333333; border-color: #e9e9eb;">2afd6730426166f061d96a8ccbfba8d8c7ed9e3e</td> </tr> <tr style="height: 28px;"> <td style="width: 22.1904%; padding: 4px; height: 28px; border: 1px solid #333333; border-color: #e9e9eb;">iconion-package</td> <td style="width: 21.3333%; padding: 4px; height: 28px; border: 1px solid #333333; border-color: #e9e9eb;">1.0.0</td> <td style="width: 56.4762%; padding: 4px; height: 28px; border: 1px solid #333333; border-color: #e9e9eb;">73db956f7f752c4f71a8a8588604fa7d7af7de7e</td> </tr> <tr style="height: 28px;"> <td style="width: 22.1904%; padding: 4px; height: 28px; border: 1px solid #333333; border-color: #e9e9eb;">package-sidr</td> <td style="width: 21.3333%; padding: 4px; height: 28px; border: 1px solid #333333; border-color: #e9e9eb;">2.2.2</td> <td style="width: 56.4762%; padding: 4px; height: 28px; border: 1px solid #333333; border-color: #e9e9eb;">87cb0505dbb141391103e2bd358f3aa774210a4a</td> </tr> <tr style="height: 28px;"> <td style="width: 22.1904%; padding: 4px; height: 28px; border: 1px solid #333333; border-color: #e9e9eb;">kbrstore</td> <td style="width: 21.3333%; padding: 4px; height: 28px; border: 1px solid #333333; border-color: #e9e9eb;">1.0.0</td> <td style="width: 56.4762%; padding: 4px; height: 28px; border: 1px solid #333333; border-color: #e9e9eb;">7e14150502ee992fc8b1259de58261aeb2f58ae1</td> </tr> <tr style="height: 28px;"> <td style="width: 22.1904%; padding: 4px; height: 28px; border: 1px solid #333333; border-color: #e9e9eb;">icons-package</td> <td style="width: 21.3333%; padding: 4px; height: 28px; border: 1px solid #333333; border-color: #e9e9eb;">4.4.4</td> <td style="width: 56.4762%; padding: 4px; height: 28px; border: 1px solid #333333; border-color: #e9e9eb;">fb672c0b982542eeacce66be67a5bc4ff9567596</td> </tr> <tr style="height: 28px;"> <td style="width: 22.1904%; padding: 4px; height: 28px; border: 1px solid #333333; border-color: #e9e9eb;">icons-package</td> <td style="width: 21.3333%; padding: 4px; height: 28px; border: 1px solid #333333; border-color: #e9e9eb;">4.4.5</td> <td style="width: 56.4762%; padding: 4px; height: 28px; border: 1px solid #333333; border-color: #e9e9eb;">a386ddf8fb1d0846e01501f6fbac11e0389ef581</td> </tr> <tr style="height: 28px;"> <td style="width: 22.1904%; padding: 4px; height: 28px; border: 1px solid #333333; border-color: #e9e9eb;">icons-package</td> <td style="width: 21.3333%; padding: 4px; height: 28px; border: 1px solid #333333; border-color: #e9e9eb;">2.2.2</td> <td style="width: 56.4762%; padding: 4px; height: 28px; border: 1px solid #333333; border-color: #e9e9eb;">a5ad7a0edda67b7267694898a82abbee1ec7a466</td> </tr> <tr style="height: 28px;"> <td style="width: 22.1904%; padding: 4px; height: 28px; border: 1px solid #333333; border-color: #e9e9eb;">icons-package</td> <td style="width: 21.3333%; padding: 4px; height: 28px; border: 1px solid #333333; border-color: #e9e9eb;">3.0.9</td> <td style="width: 56.4762%; padding: 4px; height: 28px; border: 1px solid #333333; border-color: #e9e9eb;">20254c86209118144e6a25fb90abea6f7c903d8e</td> </tr> <tr style="height: 28px;"> <td style="width: 22.1904%; padding: 4px; height: 28px; border: 1px solid #333333; border-color: #e9e9eb;">subek</td> <td style="width: 21.3333%; padding: 4px; height: 28px; border: 1px solid #333333; border-color: #e9e9eb;">1.0.0</td> <td style="width: 56.4762%; padding: 4px; height: 28px; border: 1px solid #333333; border-color: #e9e9eb;">68d1c1883cfab75fa933ab08189ba7abbd2625a8</td> </tr> <tr style="height: 28px;"> <td style="width: 22.1904%; padding: 4px; height: 28px; border: 1px solid #333333; border-color: #e9e9eb;">package-show</td> <td style="width: 21.3333%; padding: 4px; height: 28px; border: 1px solid #333333; border-color: #e9e9eb;">5.5.9</td> <td style="width: 56.4762%; padding: 4px; height: 28px; border: 1px solid #333333; border-color: #e9e9eb;">def789dc6322255264703c00d4f4dd265a48b50e</td> </tr> <tr style="height: 28px;"> <td style="width: 22.1904%; padding: 4px; height: 28px; border: 1px solid #333333; border-color: #e9e9eb;">package-icon</td> <td style="width: 21.3333%; padding: 4px; height: 28px; border: 1px solid #333333; border-color: #e9e9eb;">6.0.5</td> <td style="width: 56.4762%; padding: 4px; height: 28px; border: 1px solid #333333; border-color: #e9e9eb;">1a719f2efa398ef8659a401e6209377beab87105</td> </tr> <tr style="height: 28px;"> <td style="width: 22.1904%; padding: 4px; height: 28px; border: 1px solid #333333; border-color: #e9e9eb;">icons-packages</td> <td style="width: 21.3333%; padding: 4px; height: 28px; border: 1px solid #333333; border-color: #e9e9eb;">7.4.0</td> <td style="width: 56.4762%; padding: 4px; height: 28px; border: 1px solid #333333; border-color: #e9e9eb;">a2d25c070750cbd20f0c327980a40c26f4ea47ec</td> </tr> <tr style="height: 28px;"> <td style="width: 22.1904%; padding: 4px; height: 28px; border: 1px solid #333333; border-color: #e9e9eb;">ionicon-package</td> <td style="width: 21.3333%; padding: 4px; height: 28px; border: 1px solid #333333; border-color: #e9e9eb;">9.0.3</td> <td style="width: 56.4762%; padding: 4px; height: 28px; border: 1px solid #333333; border-color: #e9e9eb;">f78a57ab8e288c725e452787f3b070ec690f276b</td> </tr> <tr style="height: 28px;"> <td style="width: 22.1904%; padding: 4px; height: 28px; border: 1px solid #333333; border-color: #e9e9eb;">icons-pack</td> <td style="width: 21.3333%; padding: 4px; height: 28px; border: 1px solid #333333; border-color: #e9e9eb;">7.8.3</td> <td style="width: 56.4762%; padding: 4px; height: 28px; border: 1px solid #333333; border-color: #e9e9eb;">6388e354433f8c608ab8a97ed9391b9dc44d2a99</td> </tr> <tr style="height: 28px;"> <td style="width: 22.1904%; padding: 4px; height: 28px; border: 1px solid #333333; border-color: #e9e9eb;">pack-icons</td> <td style="width: 21.3333%; padding: 4px; height: 28px; border: 1px solid #333333; border-color: #e9e9eb;">2.4.3</td> <td style="width: 56.4762%; padding: 4px; height: 28px; border: 1px solid #333333; border-color: #e9e9eb;">cda4b444744196ae9b2753830f750bc5e4548061</td> </tr> <tr style="height: 28px;"> <td style="width: 22.1904%; padding: 4px; height: 28px; border: 1px solid #333333; border-color: #e9e9eb;">package-ionicons</td> <td style="width: 21.3333%; padding: 4px; height: 28px; border: 1px solid #333333; border-color: #e9e9eb;">8.0.5</td> <td style="width: 56.4762%; padding: 4px; height: 28px; border: 1px solid #333333; border-color: #e9e9eb;">abb8ff44d224b23266769d0808ebe97c3838e484</td> </tr> <tr style="height: 28px;"> <td style="width: 22.1904%; padding: 4px; height: 28px; border: 1px solid #333333; border-color: #e9e9eb;">package-ionicon</td> <td style="width: 21.3333%; padding: 4px; height: 28px; border: 1px solid #333333; border-color: #e9e9eb;">8.0.5</td> <td style="width: 56.4762%; padding: 4px; height: 28px; border: 1px solid #333333; border-color: #e9e9eb;">c11d9aa077207adeef30cfdd9df3fe979e114b06</td> </tr> <tr style="height: 28px;"> <td style="width: 22.1904%; padding: 4px; height: 28px; border: 1px solid #333333; border-color: #e9e9eb;">footericon</td> <td style="width: 21.3333%; padding: 4px; height: 28px; border: 1px solid #333333; border-color: #e9e9eb;">1.0.0</td> <td style="width: 56.4762%; padding: 4px; height: 28px; border: 1px solid #333333; border-color: #e9e9eb;">067e42878df480c0d1ca45c268300c96a258be63</td> </tr> <tr style="height: 28px;"> <td style="width: 22.1904%; padding: 4px; height: 28px; border: 1px solid #333333; border-color: #e9e9eb;">footericon</td> <td style="width: 21.3333%; padding: 4px; height: 28px; border: 1px solid #333333; border-color: #e9e9eb;">3.7.1</td> <td style="width: 56.4762%; padding: 4px; height: 28px; border: 1px solid #333333; border-color: #e9e9eb;">06dbd365e76e7cb593df86a80385e8c46ca05545</td> </tr> <tr style="height: 28px;"> <td style="width: 22.1904%; padding: 4px; height: 28px; border: 1px solid #333333; border-color: #e9e9eb;">footericon</td> <td style="width: 21.3333%; padding: 4px; height: 28px; border: 1px solid #333333; border-color: #e9e9eb;">3.7.0</td> <td style="width: 56.4762%; padding: 4px; height: 28px; border: 1px solid #333333; border-color: #e9e9eb;">8562edf90e988f7ca556183c2f032bc307dfefdb</td> </tr> <tr style="height: 28px;"> <td style="width: 22.1904%; padding: 4px; height: 28px; border: 1px solid #333333; border-color: #e9e9eb;">footericon</td> <td style="width: 21.3333%; padding: 4px; height: 28px; border: 1px solid #333333; border-color: #e9e9eb;">3.7.3</td> <td style="width: 56.4762%; padding: 4px; height: 28px; border: 1px solid #333333; border-color: #e9e9eb;">08bc77bb17b6a4ab365d0354683cbd912219becf</td> </tr> <tr style="height: 28px;"> <td style="width: 22.1904%; padding: 4px; height: 28px; border: 1px solid #333333; border-color: #e9e9eb;">footericon</td> <td style="width: 21.3333%; padding: 4px; height: 28px; border: 1px solid #333333; border-color: #e9e9eb;">1.7.9</td> <td style="width: 56.4762%; padding: 4px; height: 28px; border: 1px solid #333333; border-color: #e9e9eb;">9f5f2f34f15a03c4528d6fa632899d0e3b6d1ceb</td> </tr> <tr style="height: 28px;"> <td style="width: 22.1904%; padding: 4px; height: 28px; border: 1px solid #333333; border-color: #e9e9eb;">roar-01</td> <td style="width: 21.3333%; padding: 4px; height: 28px; border: 1px solid #333333; border-color: #e9e9eb;">1.0.0</td> <td style="width: 56.4762%; padding: 4px; height: 28px; border: 1px solid #333333; border-color: #e9e9eb;">8c128c3be9645582db2fee9e64e175149d51d92c</td> </tr> <tr style="height: 28px;"> <td style="width: 22.1904%; padding: 4px; height: 28px; border: 1px solid #333333; border-color: #e9e9eb;">roar-02</td> <td style="width: 21.3333%; padding: 4px; height: 28px; border: 1px solid #333333; border-color: #e9e9eb;">1.0.0</td> <td style="width: 56.4762%; padding: 4px; height: 28px; border: 1px solid #333333; border-color: #e9e9eb;">a1e2cb98d2aa1b134b3be04d6a720393dcf6c072</td> </tr> <tr style="height: 28px;"> <td style="width: 22.1904%; padding: 4px; height: 28px; border: 1px solid #333333; border-color: #e9e9eb;">wkwk100</td> <td style="width: 21.3333%; padding: 4px; height: 28px; border: 1px solid #333333; border-color: #e9e9eb;">3.4.5</td> <td style="width: 56.4762%; padding: 4px; height: 28px; border: 1px solid #333333; border-color: #e9e9eb;">9f2a2001a07b92adef023ca697e4febba073728e</td> </tr> <tr style="height: 28px;"> <td style="width: 22.1904%; padding: 4px; height: 28px; border: 1px solid #333333; border-color: #e9e9eb;">swiper-bundie</td> <td style="width: 21.3333%; padding: 4px; height: 28px; border: 1px solid #333333; border-color: #e9e9eb;">10.5.3</td> <td style="width: 56.4762%; padding: 4px; height: 28px; border: 1px solid #333333; border-color: #e9e9eb;">b64a10493897c96feb6eda1d0c9fc7ec85506258</td> </tr> <tr style="height: 28px;"> <td style="width: 22.1904%; padding: 4px; height: 28px; border: 1px solid #333333; border-color: #e9e9eb;">ajax-libz</td> <td style="width: 21.3333%; padding: 4px; height: 28px; border: 1px solid #333333; border-color: #e9e9eb;">1.0.0</td> <td style="width: 56.4762%; padding: 4px; height: 28px; border: 1px solid #333333; border-color: #e9e9eb;">dd01c6baadd1d79f29b3d69a300e82b860edc57d</td> </tr> <tr style="height: 28px;"> <td style="width: 22.1904%; padding: 4px; height: 28px; border: 1px solid #333333; border-color: #e9e9eb;">swiper-bundle</td> <td style="width: 21.3333%; padding: 4px; height: 28px; border: 1px solid #333333; border-color: #e9e9eb;">1.0.0</td> <td style="width: 56.4762%; padding: 4px; height: 28px; border: 1px solid #333333; border-color: #e9e9eb;">05d2084e1b2ce1d28c3096f16694413ec480704e</td> </tr> <tr style="height: 28px;"> <td style="width: 22.1904%; padding: 4px; height: 28px; border: 1px solid #333333; border-color: #e9e9eb;">swiper-bundle</td> <td style="width: 21.3333%; padding: 4px; height: 28px; border: 1px solid #333333; border-color: #e9e9eb;">3.7.1</td> <td style="width: 56.4762%; padding: 4px; height: 28px; border: 1px solid #333333; border-color: #e9e9eb;">1de14d6be4029aa7888f8fc83779b61c96c063da</td> </tr> <tr style="height: 28px;"> <td style="width: 22.1904%; padding: 4px; height: 28px; border: 1px solid #333333; border-color: #e9e9eb;">swiper-bundle</td> <td style="width: 21.3333%; padding: 4px; height: 28px; border: 1px solid #333333; border-color: #e9e9eb;">10.52.3</td> <td style="width: 56.4762%; padding: 4px; height: 28px; border: 1px solid #333333; border-color: #e9e9eb;">06cb7b1810ca1485e15fa81d92bd92533ff8c001</td> </tr> <tr style="height: 28px;"> <td style="width: 22.1904%; padding: 4px; height: 28px; border: 1px solid #333333; border-color: #e9e9eb;">swiper-bundle</td> <td style="width: 21.3333%; padding: 4px; height: 28px; border: 1px solid #333333; border-color: #e9e9eb;">10.22.3</td> <td style="width: 56.4762%; padding: 4px; height: 28px; border: 1px solid #333333; border-color: #e9e9eb;">fa234405c958a9ff22bac7debfbcde452294d73c</td> </tr> <tr style="height: 28px;"> <td style="width: 22.1904%; padding: 4px; height: 28px; border: 1px solid #333333; border-color: #e9e9eb;">swiper-bundle</td> <td style="width: 21.3333%; padding: 4px; height: 28px; border: 1px solid #333333; border-color: #e9e9eb;">10.21.3</td> <td style="width: 56.4762%; padding: 4px; height: 28px; border: 1px solid #333333; border-color: #e9e9eb;">64cd1eda88f92b32323f9784aab6d1a0bdd7a38c</td> </tr> <tr style="height: 28px;"> <td style="width: 22.1904%; padding: 4px; border: 1px solid #e9e9eb; height: 28px;">ionicons-pack</td> <td style="width: 21.3333%; padding: 4px; border: 1px solid #e9e9eb; height: 28px;">1.5.2</td> <td style="width: 56.4762%; padding: 4px; border: 1px solid #e9e9eb; height: 28px;">fe59a8d59f6764800ce5b85f2bfbc4db05840bae</td> </tr> <tr style="height: 28px;"> <td style="width: 22.1904%; padding: 4px; border: 1px solid #e9e9eb; height: 28px;">base64-javascript</td> <td style="width: 21.3333%; padding: 4px; border: 1px solid #e9e9eb; height: 28px;">3.7.2</td> <td style="width: 56.4762%; padding: 4px; border: 1px solid #e9e9eb; height: 28px;">77170de7458ee81382efd7de2499694a459abee3</td> </tr> <tr style="height: 28px;"> <td style="width: 22.1904%; padding: 4px; border: 1px solid #e9e9eb; height: 28px;">ionicons-js</td> <td style="width: 21.3333%; padding: 4px; border: 1px solid #e9e9eb; height: 28px;">5.0.2</td> <td style="width: 56.4762%; padding: 4px; border: 1px solid #e9e9eb; height: 28px;">069f9c723af8be981a3e6220b991b9c40320d8b5</td> </tr> <tr style="height: 28px;"> <td style="width: 22.1904%; padding: 4px; border: 1px solid #e9e9eb; height: 28px;">ionicons-json</td> <td style="width: 21.3333%; padding: 4px; border: 1px solid #e9e9eb; height: 28px;">5.0.2</td> <td style="width: 56.4762%; padding: 4px; border: 1px solid #e9e9eb; height: 28px;">52a96612e3d2df0a7980de81d622da6c5ff84513</td> </tr> <tr style="height: 28px;"> <td style="width: 22.1904%; padding: 4px; border: 1px solid #e9e9eb; height: 28px;">atez</td> <td style="width: 21.3333%; padding: 4px; border: 1px solid #e9e9eb; height: 28px;">1.0.0</td> <td style="width: 56.4762%; padding: 4px; border: 1px solid #e9e9eb; height: 28px;">c6569dc3fd94f642cad56cb7a950175ff7c2062f</td> </tr> <tr style="height: 28px;"> <td style="width: 22.1904%; padding: 4px; border: 1px solid #e9e9eb; height: 28px;">ajax-googleapis</td> <td style="width: 21.3333%; padding: 4px; border: 1px solid #e9e9eb; height: 28px;">1.0.0</td> <td style="width: 56.4762%; padding: 4px; border: 1px solid #e9e9eb; height: 28px;">77a0f0cc89e98b9662b224b653a35895d3ac69fa</td> </tr> <tr style="height: 28px;"> <td style="width: 22.1904%; padding: 4px; border: 1px solid #e9e9eb; height: 28px;">tezdoank</td> <td style="width: 21.3333%; padding: 4px; border: 1px solid #e9e9eb; height: 28px;">1.0.0</td> <td style="width: 56.4762%; padding: 4px; border: 1px solid #e9e9eb; height: 28px;">eec7e3769b4d8b23aeb00f81583750ed26fadc47</td> </tr> <tr style="height: 28px;"> <td style="width: 22.1904%; padding: 4px; border: 1px solid #e9e9eb; height: 28px;">tezdoank</td> <td style="width: 21.3333%; padding: 4px; border: 1px solid #e9e9eb; height: 28px;">2.0.0</td> <td style="width: 56.4762%; padding: 4px; border: 1px solid #e9e9eb; height: 28px;">5ba35812337b3c7a0064accf17479a26de486951</td> </tr> <tr style="height: 28px;"> <td style="width: 22.1904%; padding: 4px; border: 1px solid #e9e9eb; height: 28px;">ajaxapis</td> <td style="width: 21.3333%; padding: 4px; border: 1px solid #e9e9eb; height: 28px;">1.0.0.</td> <td style="width: 56.4762%; padding: 4px; border: 1px solid #e9e9eb; height: 28px;">2a8c46d643d3027b3815eecbbfd183a7dee9e91d</td> </tr> <tr style="height: 28px;"> <td style="width: 22.1904%; padding: 4px; border: 1px solid #e9e9eb; height: 28px;">tescodek</td> <td style="width: 21.3333%; padding: 4px; border: 1px solid #e9e9eb; height: 28px;">6.0.0.</td> <td style="width: 56.4762%; padding: 4px; border: 1px solid #e9e9eb; height: 28px;">8304b8c9549d08e3c258ce22f99587843bb52c00</td> </tr> <tr style="height: 28px;"> <td style="width: 22.1904%; padding: 4px; border: 1px solid #e9e9eb; height: 28px;">atezzz</td> <td style="width: 21.3333%; padding: 4px; border: 1px solid #e9e9eb; height: 28px;">1.0.0.</td> <td style="width: 56.4762%; padding: 4px; border: 1px solid #e9e9eb; height: 28px;">bc494a3249ce95b7cea5a62e29ee3cc023e2b5b1</td> </tr> <tr style="height: 28px;"> <td style="width: 22.1904%; padding: 4px; border: 1px solid #e9e9eb; height: 28px;">atezzz</td> <td style="width: 21.3333%; padding: 4px; border: 1px solid #e9e9eb; height: 28px;">2.0.0.</td> <td style="width: 56.4762%; padding: 4px; border: 1px solid #e9e9eb; height: 28px;">e2bc4408cea300c0f852e16665e7279cf5d0cd69</td> </tr> <tr style="height: 28px;"> <td style="width: 22.1904%; padding: 4px; border: 1px solid #e9e9eb; height: 28px;">atezzz</td> <td style="width: 21.3333%; padding: 4px; border: 1px solid #e9e9eb; height: 28px;">3.0.0.</td> <td style="width: 56.4762%; padding: 4px; border: 1px solid #e9e9eb; height: 28px;">b5b8d49f302cfeee5cb4dcf134320861c9fdaa66</td> </tr> <tr style="height: 28px;"> <td style="width: 22.1904%; padding: 4px; border: 1px solid #e9e9eb; height: 28px;">libz.jquery</td> <td style="width: 21.3333%; padding: 4px; border: 1px solid #e9e9eb; height: 28px;">1.0.0.</td> <td style="width: 56.4762%; padding: 4px; border: 1px solid #e9e9eb; height: 28px;">9a41b333143eb0ad75bb93288a988ec8387379ca</td> </tr> <tr style="height: 28px;"> <td style="width: 22.1904%; padding: 4px; border: 1px solid #e9e9eb; height: 28px;">libz.jquery</td> <td style="width: 21.3333%; padding: 4px; border: 1px solid #e9e9eb; height: 28px;">3.6.1.</td> <td style="width: 56.4762%; padding: 4px; border: 1px solid #e9e9eb; height: 28px;">fd7197e446107ba047a2fa43814cdecc794b3dae</td> </tr> <tr style="height: 28px;"> <td style="width: 22.1904%; padding: 4px; border: 1px solid #e9e9eb; height: 28px;">libz.jquery</td> <td style="width: 21.3333%; padding: 4px; border: 1px solid #e9e9eb; height: 28px;">3.6.0.</td> <td style="width: 56.4762%; padding: 4px; border: 1px solid #e9e9eb; height: 28px;">1517b34ed31cf3f2815105d344dd0b845d48d092</td> </tr> <tr style="height: 28px;"> <td style="width: 22.1904%; padding: 4px; border: 1px solid #e9e9eb; height: 28px;">libz.jquery</td> <td style="width: 21.3333%; padding: 4px; border: 1px solid #e9e9eb; height: 28px;">3.6.3.</td> <td style="width: 56.4762%; padding: 4px; border: 1px solid #e9e9eb; height: 28px;">4e30e0d1cf39cdaf5f03b7afda81aa2aed6a6d5d</td> </tr> <tr style="height: 28px;"> <td style="width: 22.1904%; padding: 4px; border: 1px solid #e9e9eb; height: 28px;">ajax-libary</td> <td style="width: 21.3333%; padding: 4px; border: 1px solid #e9e9eb; height: 28px;">2.0.3.</td> <td style="width: 56.4762%; padding: 4px; border: 1px solid #e9e9eb; height: 28px;">50d681e5c016904b0080ad70f40abb86926849a0</td> </tr> </tbody> </table> <p>&nbsp;</p> <p><span style="font-weight: bold;">Complete affected package list:<br></span><span style="font-weight: normal;"><a href="https://develop.secure.software/hubfs/Blog/IconBurst/package_versions.tsv">https://blog.reversinglabs.com/hubfs/Blog/IconBurst/package_versions.tsv</a></span><span style="font-weight: normal;"></span></p> </div> <img src="https://track.hubspot.com/__ptq.gif?a=3375217&amp;k=14&amp;r=https%3A%2F%2Fdevelop.secure.software%2Ficonburst-npm-software-supply-chain-attack&amp;bu=https%253A%252F%252Fdevelop.secure.software&amp;bvt=rss" alt="" width="1" height="1" style="min-height:1px!important;width:1px!important;border-width:0!important;margin-top:0!important;margin-bottom:0!important;margin-right:0!important;margin-left:0!important;padding-top:0!important;padding-bottom:0!important;padding-right:0!important;padding-left:0!important; "> Threat Research Software Supply Chain Security Tue, 12 Jul 2022 16:32:50 GMT karlo.zanki@reversinglabs.com (Karlo Zanki) https://develop.secure.software/iconburst-npm-software-supply-chain-attack 2022-07-12T16:32:50Z Devs: Don’t do DIY cryptography — Police CyberAlarm shows why https://develop.secure.software/devs-dont-do-diy-cryptography-police-cyberalarm-shows-why <div class="hs-featured-image-wrapper"> <a href="https://develop.secure.software/devs-dont-do-diy-cryptography-police-cyberalarm-shows-why" title="" class="hs-featured-image-link"> <img src="https://develop.secure.software/hubfs/large-alarm--chuttersnap--unsplash.png" alt="Devs: Don’t do DIY cryptography — Police CyberAlarm shows why" class="hs-featured-image" style="width:auto !important; max-width:50%; float:left; margin:0 15px 15px 0;"> </a> </div> <p style="font-weight: bold;">It’s a truism&nbsp;often repeated:&nbsp;<i>Don’t roll your own cryptography!</i>&nbsp;There are countless traps laying in wait for the unwary—so stick to trusted, tested libraries and beware the unknown unknowns.</p> <p style="font-weight: bold;"><img src="https://develop.secure.software/hs-fs/hubfs/large-alarm--chuttersnap--unsplash.png?width=1280&amp;name=large-alarm--chuttersnap--unsplash.png" alt="large-alarm--chuttersnap--unsplash" width="1280" style="width: 1280px;"></p> <p style="font-weight: bold;">It’s a truism&nbsp;often repeated:&nbsp;<i>Don’t roll your own cryptography!</i>&nbsp;There are countless traps laying in wait for the unwary—so stick to trusted, tested libraries and beware the unknown unknowns.</p> <p style="font-weight: bold;"><img src="https://bit.ly/xbw20220706" width="150" style="margin-left: auto; margin-right: auto; display: block; width: 150px;"></p> <p><strong>The recent brouhaha around the UK police<span>&nbsp;</span><i>CyberAlarm</i></strong><span>&nbsp;</span>service deftly shows why. Security researchers have been pointing and laughing at some absolute howlers, calling it “profoundly dangerous,” “woefully insecure,” “very broken,” “nonsense” and “a dream come true for hackers.”</p> <p><strong>When it comes to cryptography,</strong>&nbsp;we simply don’t know what we don’t know. In this week’s<span>&nbsp;</span><a href="https://develop.secure.software/tag/secure-software-blogwatch">Secure Software&nbsp;Blogwatch</a>, Messrs. Dunning and Kruger would like a word.</p> <p><a title="Richi Jennings" href="https://www.richi.uk/">Your humble blogwatcher</a>&nbsp;curated these bloggy bits for your entertainment. Not to mention:&nbsp;<i>The “future” in 1984</i>.</p> <p><span style="font-weight: bold;">[ Get&nbsp;</span><a href="https://blog.reversinglabs.com/blog/survey-finds-software-supply-chain-security-top-of-mind-for-dev-teams" style="font-weight: bold;">key takeaways from a survey of 300+ professionals&nbsp;</a><span style="font-weight: bold;">on software security. Or, download the full report:&nbsp;</span><a href="https://www.reversinglabs.com/reports/flying-blind-software-firms-struggle-to-detect-supply-chain-hacks" style="font-weight: bold;">Flying Blind: Firms Struggle to Detect Software Supply Chain Attacks</a><span style="font-weight: bold;">&nbsp;]</span><br>&nbsp;</p> <h2>Wake up—don’t snooze</h2> <p><strong>What’s the craic?</strong><span>&nbsp;</span>Scott Arciszewski keeps a cool head and dispassionately reports—“<a title="read the full text" href="https://scottarc.blog/2022/07/04/police-cyberalarm-uses-alarming-cryptography/">CyberAlarm Uses Alarming Cryptography</a>”:</p> <blockquote> <strong>“CyberAlarm is not secure”</strong> <br>Today we’re going to be talking about this code, shared on Twitter by Paul Moore. [It’s] a novel cryptographic implementation … clearly written in order to support a data format migration. … However, they never took the time to learn the proper way to handle cryptographic migrations: <br>… <br>Remove the value between the first :: and the second :: … re-encode it with base64, then feed this altered message into the system. … Now you’ve successfully downgraded the message to the legacy format, which didn’t provide any authentication over the ciphertext. [Or] we can completely bypass the HMAC check [by simply] removing the length prefix. … Using either of the two methods … you’ve reduced the security of this construction to unauthenticated AES-CBC mode, which is vulnerable to a <span>&nbsp;</span> <i>Padding Oracle</i> <span>&nbsp;</span>Attack. <br>… <br>[It] doesn’t expose an Additional Authenticated Data mechanism. All fields are also encrypted with the same, static, hard-coded key. … To mitigate <span>&nbsp;</span> <i>confused deputy</i> <span>&nbsp;</span>attacks, an AEAD construction is recommended. <br>… <br>[It] uses the same encryption key for both AES-CBC encryption and for HMAC-SHA256. This violates one of the tenets of cryptography protocol design: <span>&nbsp;</span> <i>Never use the same key for more than one purpose.</i> <span>&nbsp;</span>… The correct thing to do is use a key derivation function. <br>… <br>The cryptography used by Police CyberAlarm is not secure and should be replaced with something more secure. … There’s enough vitriol in the security industry. I don’t feel like … making a neophyte’s impostor syndrome worse than it already is. </blockquote> <p>&nbsp;<br><strong>Who raised the alarm?</strong><span>&nbsp;</span>Paul Moore lays down the lore—“<a title="read the full text" href="https://paul.reviews/police-cyberalarm-abysmal-security-yet-again/">Abysmal security, yet again</a>”:</p> <blockquote> <strong>“It has utterly failed”</strong> <br>18 months ago, I reviewed two versions of Police CyberAlarm. … After many hours of reviewing some of the worst code I'd seen in quite a while … I responsibly disclosed everything. … However, their responses were both defensive and dismissive—to the extent of [saying] my claims were "completely untrue." <br>… <br>In February, a network admin from a local School reached out, asking me to audit CyberAlarm again. … So, 18 months later, is it any better? … Over the next couple of hours, I created a list of serious issues [and] several critical flaws. … CyberAlarm is profoundly dangerous. It's woefully insecure, ill-conceived, poorly written and provides questionable value. <br>… <br> <strong>[1]</strong> <span>&nbsp;</span>Locally stored passwords are still hashed with unsalted SHA256, but incredibly … passwords are actually sent to <span>&nbsp;</span> <i>and returned from</i> <span>&nbsp;</span>the central API in plain text! … An attacker can simply request it from the API.&nbsp;… <br> <strong>[2]</strong> <span>&nbsp;</span>Any attacker can remotely control the box if they know the current time and can count to 9,000. … To a local endpoint, this takes around 2.5 seconds to complete. … Don't worry about writing it to a log or limiting further requests—just abort and let the attacker try again.&nbsp;… <br> <strong>[3]</strong> <span>&nbsp;</span>The central API has no authentication whatsoever! Want a customer's records? Sure. Make a GET request with the data collector's ID and it just hands it over. … Surely we can't update a record without authentication? Of course we can!&nbsp;… <br> <strong>[4]</strong> <span>&nbsp;</span>If you're going to compare two password hashes, it's vital to compare them using a timing-sensitive comparison. Rookie mistake … PHP created "hash_equals" for a reason.&nbsp;… <br> <strong>[5]</strong> <span>&nbsp;</span>They've tried to roll their own crypto; breaking the cardinal rule of cryptography. There are only two possible outcomes here: Broken and very broken. <br>… <br>[It’s] had 3 attempts and well over 18 months to develop cyberAlarm into something resembling a decent, secure and deployable application. [But] judging by this latest iteration, it has utterly failed to do so. </blockquote> <p>&nbsp;<br><strong>Are you experiencing any<span>&nbsp;</span><i>déjà vu</i>?</strong><span>&nbsp;</span>Set your trusty time machine back 19 months or so, when Gareth Corfield wrote this—“<a title="read the full text" href="https://www.theregister.com/2020/12/09/cyberalarm_pervade_software_npcc_kerfuffle/">Bitter war of words erupts between UK cops and web security expert</a>”:</p> <blockquote> Paul Moore says he uncovered what he described as a number of serious flaws in CyberAlarm, a distributed logging and monitoring tool intended to be deployed by small public-sector organisations. … A free tool, it is intended to give police direct visibility of online threats. … In essence it's a distributed firewall log monitoring system: end users deploy CyberAlarm's "data collectors" on their networks in a demilitarised zone and those then send alerts to the local police. <br>… <br>We asked Pervade's director Jon Davies to comment. [He said] that prior to publication of [his] review, Moore had "reported in to us 20-something issues, all of which were to do with the live version. Some of which we were able to take some helpful things from." </blockquote> <p>&nbsp;<br><strong>Are we sure Moore and Arciszewski are correct?</strong><span>&nbsp;</span><a title="read the full text" href="https://news.ycombinator.com/item?id=31977957">amluto</a><span>&nbsp;</span>backs them up:</p> <blockquote> Reading the code, I found it challenging to find a severe crypto bug—simply because <span>&nbsp;</span> <i>everything</i> <span>&nbsp;</span>is wrong. Even their way of packing the data into a base64 is nonsense. The parser is nonsense. Almost every line of code is wrong. … It’s like the most severe bugs are buried in code that is 100% bug! <br>… <br>The key is a constant. I’m speechless. </blockquote> <p>&nbsp;<br><strong>But is this a big deal in practice?</strong><span>&nbsp;</span>Yes, argues<span>&nbsp;</span><a title="read the full text" href="https://old.reddit.com/r/crypto/comments/vr6maw/police_cyberalarm_uses_alarming_cryptography/ieu6inv/">Unbelievr</a>:</p> <blockquote> The code is clearly not written with security in mind from the beginning. … Telling people to install it behind their firewalls is a dream come true for hackers. <br>… <br>The quarrel between the original researcher and the police seems rather infantile though—on both sides. There's some legitimate criticism, and some real awkward blunders. </blockquote> <p>&nbsp;<br><strong>All of which leaves</strong><span>&nbsp;</span><a title="read the full text" href="https://forums.theregister.com/forum/all/2020/12/09/cyberalarm_pervade_software_npcc_kerfuffle/#c_4160837">The Man Who Fell To Earth</a><span>&nbsp;</span>scratching their head:</p> <blockquote> Huh? … Tell me again why would I want unqualified police on my network using a crude tool specifically created for IT dummies that produces oversimplified output they can't interpret? </blockquote> <p>&nbsp;<br><strong>OK, OK, I get it. So what can we learn?</strong><span>&nbsp;</span>Don’t roll your own cryptography, ofc. But<span>&nbsp;</span><a title="read the full text" href="https://news.ycombinator.com/item?id=31976537">api</a><span>&nbsp;</span>thinks we should go further:</p> <blockquote> We need to stop saying “don’t roll your own crypto,” and start teaching it—with good examples and good explanations. The only people who will listen to “don’t roll your own crypto” are people who [already] approach it with the needed level of humility. The people who should not be writing crypto are precisely the ones who will ignore this advice. <br> <br>It’s also sort of elitist sounding. … That puts people off and further reduces the odds that they will listen. </blockquote> <p>&nbsp;<br><strong>But didn’t anyone audit or review the product?</strong><span>&nbsp;</span>Yes, three separate organizations, each accredited and certified by CREST, alleges<span>&nbsp;</span><a title="read the full text" href="https://twitter.com/Paul_Reviews/status/1543993908895555585">Paul Moore</a><span>&nbsp;</span>in a followup tweet:</p> <blockquote> Does it not concern you that several supposedly … accredited firms have signed off on this? It doesn't just weaken CREST-STAR — it basically makes a mockery of it. </blockquote> <p>&nbsp;<br><strong>Meanwhile,</strong><span>&nbsp;</span>with a neat summary, here’s<span>&nbsp;</span><a title="read the full text" href="https://news.ycombinator.com/item?id=31977932">CommieBobDole</a>:</p> <blockquote> Wow. Worrying about the cryptography on this thing is like worrying about the quality of the padlock you're using to secure the flaps of a cardboard box. </blockquote> <h2>&nbsp;<br>And Finally:</h2> <p><strong><a title="And Finally" href="https://www.youtube.com/watch?v=NfuE5XZ54PM&amp;list=PL9zSC5i495YMjIuJjxToNGU8Ve7Gd5Rvj">Cap’n Kirk on ’bots in ’84</a></strong></p> <div class="hs-embed-wrapper" style="position: relative; overflow: hidden; width: 100%; height: auto; padding: 0; max-width: 560px; max-height: 315px; min-width: 256px; display: block; margin: auto;"> <div class="hs-embed-content-wrapper"> <div style="position: relative; overflow: hidden; max-width: 100%; padding-bottom: 56.25%; margin: 0px;"> <iframe width="560" height="315" src="https://www.youtube.com/embed/NfuE5XZ54PM" frameborder="0" allowfullscreen style="position: absolute; top: 0px; left: 0px; width: 100%; height: 100%; border: none;"></iframe> </div> </div> </div> <p><br><a href="https://www.youtube.com/playlist?list=PL9zSC5i495YMjIuJjxToNGU8Ve7Gd5Rvj">Previously in<span>&nbsp;</span><em>And finally</em></a></p> <p><em>You have been reading&nbsp;<i>Secure Software&nbsp;Blogwatch</i>&nbsp;by&nbsp;<a href="https://www.richi.uk/">Richi&nbsp;Jennings</a>. Richi curates the best bloggy bits, finest forums, and weirdest websites … so you don’t have to. Hate mail may be directed to&nbsp;<a href="https://twitter.com/richi">@RiCHi</a>&nbsp;or&nbsp;<a href="mailto:ssbw@richi.co.uk?subject=-sbbw-">ssbw@richi.uk</a>. Ask your doctor before reading. Your mileage may vary. E&amp;OE. 30.</em></p> <p><small><i>Image sauce:<span>&nbsp;</span><a href="https://unsplash.com/photos/qoFukU0sOio">Chuttersnap</a><span>&nbsp;</span>(via<span>&nbsp;</span><a title="Some rights reserved" href="https://unsplash.com/license">Unsplash</a>; leveled and cropped)</i></small></p> <img src="https://track.hubspot.com/__ptq.gif?a=3375217&amp;k=14&amp;r=https%3A%2F%2Fdevelop.secure.software%2Fdevs-dont-do-diy-cryptography-police-cyberalarm-shows-why&amp;bu=https%253A%252F%252Fdevelop.secure.software&amp;bvt=rss" alt="" width="1" height="1" style="min-height:1px!important;width:1px!important;border-width:0!important;margin-top:0!important;margin-bottom:0!important;margin-right:0!important;margin-left:0!important;padding-top:0!important;padding-bottom:0!important;padding-right:0!important;padding-left:0!important; "> Secure Software Blogwatch Dev & DevSecOps Thu, 07 Jul 2022 11:34:17 GMT richi.jennings@richi.co.uk (Richi Jennings) https://develop.secure.software/devs-dont-do-diy-cryptography-police-cyberalarm-shows-why 2022-07-07T11:34:17Z The state of container security: Teams and tools are key to releasing software confidently https://develop.secure.software/state-of-container-security-release-confidently <div class="hs-featured-image-wrapper"> <a href="https://develop.secure.software/state-of-container-security-release-confidently" title="" class="hs-featured-image-link"> <img src="https://develop.secure.software/hubfs/Blog/How-to-release-software-confidently.jpg" alt="How to release software confidently" class="hs-featured-image" style="width:auto !important; max-width:50%; float:left; margin:0 15px 15px 0;"> </a> </div> <p style="font-weight: bold; font-size: 20px;">Container adoption is ramping up. With software supply chain attacks also on the rise, you need to expand your software security approach. Here's how.</p> <p style="font-weight: bold; font-size: 20px;"><img src="https://develop.secure.software/hs-fs/hubfs/Blog/How-to-release-software-confidently.jpg?width=1400&amp;name=How-to-release-software-confidently.jpg" alt="How-to-release-software-confidently" style="width: 1400px;" width="1400"></p> <p style="font-weight: bold; font-size: 20px;">Container adoption is ramping up. With software supply chain attacks also on the rise, you need to expand your software security approach. Here's how.</p> <p style="font-size: 18px;">For the most part, the risks that containers pose — and the methods for addressing them — are not fundamentally different from risks associated with other application environments. Even so container security remains somewhat of a black box for the many organizations that are trying to harness the technology to speed up application deployment and efficiencies.</p> <p style="font-size: 18px;">Containers are highly portable because they include everything that an application needs to run, such as dependences and configuration files. So, for development teams, containers offer a way to build an application once and deploy it across on-premises, multi-cloud, and virtualized environments. Container orchestration software such as Docker Swarm and Kubernetes have made it relatively easy for development team to centrally deploy and manage containerized apps.</p> <p style="font-size: 18px;">In development environments, containers have made it easier for developers to automate the pipeline and more efficiently move applications from testing to production. Many organizations are taking advantage of container technologies to migrate internally developed applications to the cloud or to build cloud-native applications from scratch. Server consolidation and multi-cloud adoption have also contributed to container adoption.</p> <p style="font-size: 18px;">The growing adoption of containers has also heightened the need for more security controls around their use. Increasingly, threat actors have begun targeting container environments with DDoS attacks, exploits targeting kernel and container orchestration technologies and other attacks, putting enterprise cloud applications and assets at risk.</p> <p style="font-size: 18px;">Here's what your team needs to know about the state of container security so that you can release your software with full confidence that it is secure.</p> <h2 style="font-size: 24px; font-weight: bold;">Container security risks</h2> <p style="font-size: 18px;">There's considerable concern particularly about attackers targeting private and public container registries to distribute malware and poisoned software updates to organizations using these repositories. Last year for example, a security vendor <a href="https://blog.aquasec.com/supply-chain-threats-using-container-images">discovered five poisoned container images</a> on Docker Hub that were designed to deploy cryptocurrency miners on the networks of organizations that downloaded these application containers.</p> <p style="font-size: 18px;">Some of the malicious containers had misleading titles that suggested they were legitimate and were therefore downloaded thousands of times before being removed from the registry. More recently, an <a href="https://nvd.nist.gov/vuln/detail/CVE-2022-0811">elevation-of-privilege vulnerability in the CRI-O runtime for Kubernetes</a> raised similar supply chain attack concerns because the flaw gave adversaries a way to escape from a Kubernetes container and execute a variety of malicious actions on the host — including poisoning other containers.</p> <p style="font-size: 18px;">Containers are nothing more than a stack of operating system and application packages bundled together that are vulnerable to security issues like any software environment, said Chris Romeo, CEO of Security Journey.</p> <blockquote style="font-size: 18px;"> <p style="font-size: 24px;"><span style="font-style: italic;">"The attacker's focus on the software supply chain is the cause of the bulk of threats against container security in recent years."&nbsp;</span><br><span style="font-style: italic;">—</span><a href="http://twitter.com/edgeroute" style="font-style: italic;">Chris Romeo&nbsp;</a></p> </blockquote> <p style="font-size: 18px;">Attackers can exploit these vulnerabilities to compromise a build pipeline, for example by poisoning an app container that is used by others, or by planting a poisoned container in a repository.</p> <blockquote style="font-size: 18px;"> <p style="font-size: 24px;"><em>"Attackers focus on the build pipeline as a source of weakness. [They] are going after the pipeline, and the pipeline is where container images are built."</em><br><em>—Chris Romeo</em></p> </blockquote> <p style="font-size: 18px;">With the build pipeline a target of attackers, software teams need visibility into compromises or tampering with heir pipelines, which can then poison the container images being produced.&nbsp;</p> <p style="font-size: 18px;">Palo Alto Networks and others have identified <a href="https://www.paloaltonetworks.com/blog/prisma-cloud/6-common-kubernetes-attacks/">multiple security issues tied to container environments</a>. These include issues tied to vulnerabilities, malware, software signing, and secrets in container images, hosts, runtimes, registries, and orchestration technologies, all of which organizations need to be aware of — and actively securing them. These issues are a reality with container images just as they are with other software development practices.&nbsp;</p> <p style="font-size: 18px;">Best practices like <a href="https://develop.secure.software/tampering-lurks-below-the-surface-key-problems-with-software-integrity-validation">code integrity</a> and maintaining a software bill of materials (SBOM) are critical in container environments. However, such practices can be highly challenging to implement given the sheer number of containers in typical application environments, as well as with how frequently containers are updated, Palo Alto Networks says.</p> <p style="font-size: 18px;">Similarly, registries while critical to bringing a semblance of order for distributing containerized applications, make an attractive target for adversaries seeking to compromise entire environments that depend on them. To mitigate the threat, organizations need to consider implementing controls for continuously monitoring container registries, and for locking down the server and other infrastructure hosting the registry.</p> <p style="font-size: 18px;">Organizations need to be similarly cognizant about and prepared for each of the other container security threats such as those tied to CRI-O runtime, container orchestration and host operating systems and misconfigured container images. In addition, because containers are constantly spun up and down it's difficult for organizations to apply the same security controls to containers as the do to other software.</p> <h2 style="font-size: 24px; font-weight: bold;">Challenges to container security</h2> <p style="font-size: 18px;">Organizations face multiple challenges when it comes to implementing a container security program that addresses these threats. Chief among them is implementing a trusted image repository and enforcing its usage, said Romeo.</p> <blockquote> <p style="font-size: 24px;"><em><span style="background-color: transparent;">"Too many developers pull Docker images from any source as a starting point."<br>—Chris Romeo</span></em></p> </blockquote> <h2 style="font-size: 24px; font-weight: bold;">Choose the right security tools</h2> <p style="font-size: 18px;">Choosing the right tool to run within the container to monitor for compromise and evaluate the current security posture is critical. So too is education and awareness for developers about the inherent risks in using containers, orchestration, and images for application development and deployment, Romeo said.</p> <p style="font-size: 18px;">He recommends that development and security teams take the time to learn about tools that are currently available to help organizations secure container environments. They need to understand the capabilities of these tools and recognize the differences in the risks that container environments pose compared to typical app development and deployment pipelines.</p> <blockquote> <p style="font-size: 24px;"><em>"Answer the question are we scanning our containers for vulnerabilities? Are we monitoring running containers for compromise? Scope the depth of the problem, understand it, and then implement solutions."</em><br><em>—Chris Romeo</em></p> </blockquote> <p style="font-size: 18px;"><a href="https://www.linkedin.com/in/lisa-azevedo-7031274/">Lisa Azevedo</a>, CEO of container security vendor Containn, said one big limitation with many current container security products and services is that they are reactive, and designed to detect after-the-fact security vulnerabilities. Many container security products allow organizations to scan for and detect known security issues, but do little to prevent them from happening in the first place. Most tools, at best, allow organizations to get a point-in-time assessment of security vulnerabilities in the container environment, she says.</p> <p style="font-size: 18px;">Currently available container security tools generally are good at detecting existing vulnerabilities, providing a remediation report, and pushing the work of fixing the issues back to the development team. A growing number of tools have also started becoming available that harness machine learning, to predict vulnerabilities in software under development. But they don’t allow security teams an opportunity to stay ahead of the curve, because by the time organizations have a chance to remediate the detected issues, new issues likely have already surfaced, Azevedo said.</p> <h2 style="font-size: 24px; font-weight: bold;">Push security further left</h2> <p style="font-size: 18px;">The key is to ensure container security by pushing it further left during the build process, Azevedo said. Organizations should be thinking about how to implement container security at scale from the beginning and finding ways to maintain control of container deployments and state. The focus should be on shrinking the attack surface while maintaining control of deployments and container state.</p> <p style="font-size: 18px;">Such capabilities are critical because many organizations are on the cusp of moving away from manual tools to intelligent tools for container development and deployment, Azevedo notes. The goal is to be able to spin up containers that are standardized for specific environments and integrate security and compliance features like those required under different industry regulations and national data security and privacy mandates.</p> <p style="font-size: 18px;">Romeo said tools are now available to help organizations tackle container security issues, but that there are challenges to adoption to be aware of.</p> <blockquote> <p style="font-size: 24px;"><em>"There are solid options both from commercial providers and open-source. Functionally, they provide the capabilities that the enterprise requires. The catch is getting implemented into the program, with developers taking action upon the results of the container security tools."</em><br><em>—Chris Romeo</em></p> </blockquote> <h2 style="font-size: 24px; font-weight: bold;">Rethink your container security regimen</h2> <p style="font-size: 18px;">Build pipeline attacks are on the rise, and software supply chain security is front and center. With the potential for attackers to inject malware, tamper or compromise signing, the focus for security teams needs to shift beyond vulnerabilities alone. To ensure container security, you need to know if someone has changed or introduced malware in your container images — just like your code.</p> <h2 style="font-size: 24px; font-weight: bold;">Keep learning</h2> <ul> <li><span style="font-weight: bold;">Download the free report:&nbsp;</span><a href="https://www.reversinglabs.com/reports/flying-blind-software-firms-struggle-to-detect-supply-chain-hacks" style="font-weight: bold;">Flying Blind: Firms Struggle to Detect Software Supply Chain Attacks</a></li> <li><a href="https://www.secure.software/sample-reports" style="font-weight: bold;">See interactive sample reports</a><span style="font-weight: bold;"> to help your team stop software supply chain attacks</span><br><span style="font-weight: bold;"></span></li> </ul> <img src="https://track.hubspot.com/__ptq.gif?a=3375217&amp;k=14&amp;r=https%3A%2F%2Fdevelop.secure.software%2Fstate-of-container-security-release-confidently&amp;bu=https%253A%252F%252Fdevelop.secure.software&amp;bvt=rss" alt="" width="1" height="1" style="min-height:1px!important;width:1px!important;border-width:0!important;margin-top:0!important;margin-bottom:0!important;margin-right:0!important;margin-left:0!important;padding-top:0!important;padding-bottom:0!important;padding-right:0!important;padding-left:0!important; "> Container Security Wed, 06 Jul 2022 11:38:00 GMT jaikumar.vijayan@gmail.com (Jaikumar Vijayan) https://develop.secure.software/state-of-container-security-release-confidently 2022-07-06T11:38:00Z