@Jamie_Lee_C
Jamie Lee Coleman
Using Static Analysis Tools to Become a Superhero Programmer
Introduction
About me
Name: Jamie Lee Coleman
Current Role: Developer Advocate @ Sonatype
Past experience: Developer in Mainframe Software (CICS), WebSphere & OpenJ9 @ IBM
Twitter: @Jamie_Lee_C
Linked-In: https://www.linkedin.com/in/jamie-coleman/
Not just the Maven Central people
What will I talk about today?
Part 1
1. What is Static Analysis
   1. Source code analysis
   2. Byte code analysis
2. Things to consider with Static Analysis
3. What about other analysis terms?
4. Static Analysis tools
5. Static Analysis tool demo
Part 2
1. What about Software Composition Analysis?
2. Why software analysis is important!
3. SCA tools
4. SBOMs
5. BOM Dr demo
6. Conclusion of software analysis
Part 1 – Static Analysis
What Static Analysis should do
● Find programming errors
● Enforce coding standards (“best practices”)
● Find syntax violations
● Find security vulnerabilities
What can they do as a consequence?
● Help create more efficient applications
● Improve developers’ coding skills
● Make your application code easier to read
● Shorten the time from development to production
● Make you and your team programming heroes!
Small mistakes can have big consequences!
The Software Supply Chain (diagram: Source Code Analysis, Byte Code Analysis)
Byte Code/Compiled Analysis
Byte code analysis generates a map of the data flows through an application. It builds this map by reading the bytecode, or by emulating compilation for C/C++. The map is then analysed to find entry points (sources) and exit points (sinks) that are outside the control of the code.
The analysis generates a finding for every source from which a pathway to a sink exists and on which no routine that cleanses the data (a sanitiser) is found.
Advantages & Disadvantages over Source Code Analysis
Advantages:
● Higher accuracy
● Custom rules to reduce false negatives*
● Define sanitisers/validators to reduce false positives
● Data traces from sink to source
Disadvantages:
● Very slow compared to source code analysis
● Code must be in byte code format (compiled)
● Resource heavy!
Things to consider with Static Analysis
Things to consider when using Static Analysis
● What data backs up the analysis!
● Who decides what is “best practice” anyway?
● False positives/negatives.
● Customisation (per team basis, policies etc).
Other Static Analysis terms
Control/Data-flow Analysis
Control-flow Analysis
The purpose of control-flow analysis is to obtain information about which functions can be called at various points during the execution of a program. The collected information is represented by a control-flow graph (CFG) where the nodes are instructions of the program and the edges represent the flow of control.
Data-flow Analysis
Data-flow analysis is a technique designed to gather information about the values at each point of the program and how they change over time. This technique is often used by compilers to optimize the code.
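The source-to-sink tracing described on the byte code analysis slide and the CFG plus data-flow analysis described here, as an added example that is not part of the original deck: a toy forward may-taint analysis over a constructed three-address-code program. The instruction format, the program and the read_param / escape / exec_query vocabulary are all made up for illustration and are not the format of any real byte code analyser.

```python
"""Toy forward may-taint analysis over a tiny three-address-code program.

Constructed example: the instruction format, the program and the lists of
sources, sinks and sanitisers are made up for illustration.
"""
from collections import deque

SOURCES = {"read_param"}   # entry points: data arriving from outside the code's control
SANITIZERS = {"escape"}    # routines that cleanse the data
SINKS = {"exec_query"}     # exit points where tainted data does damage

# Instruction forms (constructed):
#   ("call", dst, fn, [args])   dst is None when the result is unused
#   ("copy", dst, src)
#   ("branch", cond, target)    goto target if cond is true, else fall through
#   ("jump", target)
#   ("ret",)


def successors(prog, i):
    """Control-flow edges: the instructions that can execute right after i."""
    ins = prog[i]
    if ins[0] == "ret":
        return []
    if ins[0] == "jump":
        return [ins[1]]
    if ins[0] == "branch":
        return [i + 1, ins[2]]
    return [i + 1]


def merge(a, b):
    """Join at a CFG merge point: a variable is tainted if it is tainted on any path."""
    out = dict(a)
    for var, origins in b.items():
        out[var] = out.get(var, frozenset()) | origins
    return out


def transfer(prog, i, state):
    """Taint state after instruction i. state maps var -> frozenset of source indices."""
    ins = prog[i]
    out = dict(state)
    if ins[0] == "copy":
        _, dst, src = ins
        if src in state:
            out[dst] = state[src]
        else:
            out.pop(dst, None)
    elif ins[0] == "call":
        _, dst, fn, args = ins
        if dst is None:
            return out
        if fn in SANITIZERS:
            out.pop(dst, None)               # cleansing kills the taint
        elif fn in SOURCES:
            out[dst] = frozenset({i})        # remember where the taint came from
        else:
            origins = [state[a] for a in args if a in state]
            if origins:
                out[dst] = frozenset().union(*origins)   # unknown call propagates taint
            else:
                out.pop(dst, None)
    return out


def analyse(prog):
    """Fixpoint over the CFG, then report sinks reached by unsanitised source data."""
    in_state = [dict() for _ in prog]
    worklist, visited = deque([0]), {0}
    while worklist:
        i = worklist.popleft()
        out = transfer(prog, i, in_state[i])
        for s in successors(prog, i):
            merged = merge(in_state[s], out)
            if s not in visited or merged != in_state[s]:
                in_state[s] = merged
                visited.add(s)
                worklist.append(s)
    findings = []
    for i, ins in enumerate(prog):
        if ins[0] == "call" and ins[2] in SINKS:
            traces = {a: sorted(in_state[i][a]) for a in ins[3] if a in in_state[i]}
            if traces:  # the data trace names the source instruction(s) feeding the sink
                findings.append({"sink": i, "fn": ins[2], "tainted_args": traces})
    return findings


# Constructed program: one branch copies the raw input and skips the sanitiser.
VULNERABLE = [
    ("call", "name", "read_param", ["user_field"]),    # 0: source
    ("call", "legacy", "read_param", ["mode_field"]),  # 1: source, used only as a condition
    ("branch", "legacy", 5),                           # 2: legacy mode skips the sanitiser
    ("call", "clean", "escape", ["name"]),             # 3: sanitiser
    ("jump", 6),                                       # 4
    ("copy", "clean", "name"),                         # 5: raw copy on the legacy path
    ("call", "q", "concat", ["prefix", "clean"]),      # 6: taint flows through concat
    ("call", None, "exec_query", ["q"]),               # 7: sink
    ("ret",),                                          # 8
]
FIXED = list(VULNERABLE)
FIXED[5] = ("call", "clean", "escape", ["name"])       # sanitise on both paths

if __name__ == "__main__":
    print("vulnerable:", analyse(VULNERABLE))
    print("fixed:", analyse(FIXED))
```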
Dynamic Analysis terms
Testing, monitoring and program slicing
Testing
…..
Monitoring
Program monitoring records and logs different kinds of information about the program, such as resource usage, events, and interactions, so that it can be reviewed to find or pinpoint causes of abnormal behaviour.
Program Slicing
For a given subset of a program’s behaviour, program slicing consists of reducing the program to the minimum form that still produces the selected behaviour.
Static Analysis Tools
What is a Static Analysis Tool?
SA tools examine your application’s source code for:
• Coding standard violations
• Insecure code patterns
• Test coverage
• Control flow, nesting and data flow
• Documentation and requirements docs
Examples of available tools:
SonarQube
A continuous inspection engine that finds vulnerabilities, bugs and code smells.
SemGrep
A static analysis tool that helps express code standards and surface bugs early.
OpenRewrite
Enables large-scale distributed source code refactoring for framework migrations, vulnerability patches, and API migrations, with an early focus on the Java language.
The Software Supply Chain (diagram: Sonatype Lift)
Demo Time
https://lift.sonatype.com/
Part 2 – Software Analysis in General
The Software Supply Chain (diagram: Source Code Analysis, Software Composition Analysis, Byte Code Analysis)
What is Software Composition Analysis?
https://foojay.io/today/sboms-and-software-composition-analysis/
Open Source is amazing!
Benefits of FOSS
• Personal control and customizability (the 4 main FOSS freedoms): Study, Copy, Modify, Redistribute
• Privacy and Security*: Use the community to find bugs quickly
• Low or no costs: Software is free with optional licencing
• Quality, collaboration and efficiency: Many people and organizations working together; performance can be much better due to the amount of people contributing; project development can become more agile and efficient
Sharing = better!
90% of the applications we create are shared dependencies!
Supply chain problems!
Dependency Management
150 dependencies (avg Java project) x 10 releases per year (avg per dependency) = 1500 updates to consider 😱
https://xkcd.com/2347/
Direct vs Transitive Dependency
Example: org.springframework.boot:spring-boot-starter-web
SCA Tools
Basic tools will provide:
• List of declared dependencies
• Basic information such as the latest version available
More advanced tools will provide:
• Transitive dependencies
• Vulnerability & licence data
• Project scoring
• Visualisations
• Produce SBOM
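An added example (not from the deck, the CycloneDX Maven plugin or any Sonatype tool) of what the direct vs transitive slide and the SCA tools slide describe: walking a CycloneDX JSON SBOM to separate direct from transitive dependencies, explaining why a component pulled in through spring-boot-starter-web is present, and matching components against advisory data. The SBOM, the org.example coordinates and the advisory id are constructed placeholders.

```python
"""Walk a CycloneDX JSON SBOM: direct vs transitive dependencies, dependency
paths ('why is this here?') and a match against advisory data.

Constructed example: the SBOM and the advisory table below are hand-written
placeholders, not the output of any SBOM generator or vulnerability database.
"""
import json
from collections import deque

ROOT = "pkg:maven/com.example/demo-app@1.0.0"
WEB = "pkg:maven/org.springframework.boot/spring-boot-starter-web@2.7.0"
UTIL = "pkg:maven/org.example/util@3.1.0"
CORE = "pkg:maven/org.example/web-core@1.4.2"
JSONLIB = "pkg:maven/org.example/json@2.0.0"
LOGGING = "pkg:maven/org.example/logging@1.0.5"

# Constructed CycloneDX 1.4-style document: metadata.component is the application,
# components lists everything shipped, dependencies is the declared graph.
SBOM_JSON = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.4",
    "metadata": {"component": {"bom-ref": ROOT, "name": "demo-app", "version": "1.0.0"}},
    "components": [
        {"bom-ref": ref, "name": ref.split("/")[-1].split("@")[0], "version": ref.split("@")[-1]}
        for ref in (WEB, UTIL, CORE, JSONLIB, LOGGING)
    ],
    "dependencies": [
        {"ref": ROOT, "dependsOn": [WEB, UTIL]},
        {"ref": WEB, "dependsOn": [CORE, JSONLIB]},
        {"ref": CORE, "dependsOn": [JSONLIB, LOGGING]},
        {"ref": UTIL, "dependsOn": []},
        {"ref": JSONLIB, "dependsOn": []},
        {"ref": LOGGING, "dependsOn": []},
    ],
})

# Constructed advisory data; a real SCA tool fetches this from a vulnerability database.
ADVISORIES = {LOGGING: "EXAMPLE-ADV-0001 (placeholder id)"}


def load_bom(text):
    bom = json.loads(text)
    if bom.get("bomFormat") != "CycloneDX":
        raise ValueError("not a CycloneDX document")
    return bom


def root_ref(bom):
    return bom["metadata"]["component"]["bom-ref"]


def dependency_graph(bom):
    """bom-ref -> list of bom-refs it depends on, exactly as declared in the SBOM."""
    return {d["ref"]: list(d.get("dependsOn", [])) for d in bom.get("dependencies", [])}


def direct_dependencies(bom):
    return sorted(dependency_graph(bom).get(root_ref(bom), []))


def reachable(bom):
    """Every component reachable from the root, in breadth-first order."""
    graph = dependency_graph(bom)
    seen, order, queue = {root_ref(bom)}, [], deque([root_ref(bom)])
    while queue:
        for dep in graph.get(queue.popleft(), []):
            if dep not in seen:
                seen.add(dep)
                order.append(dep)
                queue.append(dep)
    return order


def transitive_dependencies(bom):
    direct = set(direct_dependencies(bom))
    return sorted(r for r in reachable(bom) if r not in direct)


def paths_to(bom, target):
    """All dependency paths root -> ... -> target: the answer to 'why is this here?'."""
    graph, paths = dependency_graph(bom), []

    def walk(ref, path):
        if ref == target:
            paths.append(path)
            return
        for dep in graph.get(ref, []):
            if dep not in path:      # a cycle in the declared graph must not recurse forever
                walk(dep, path + [dep])

    walk(root_ref(bom), [root_ref(bom)])
    return paths


def undeclared_refs(bom):
    """Refs used in the dependency graph that no component entry describes (malformed SBOM)."""
    declared = {c["bom-ref"] for c in bom.get("components", [])} | {root_ref(bom)}
    graph = dependency_graph(bom)
    used = set(graph) | {d for deps in graph.values() for d in deps}
    return sorted(used - declared)


def vulnerable_components(bom, advisories):
    """Match reachable components against advisory data; report the shortest path to each hit."""
    hits = []
    for ref in reachable(bom):
        if ref in advisories:
            shortest = min(paths_to(bom, ref), key=len)
            hits.append({"ref": ref, "advisory": advisories[ref], "path": shortest,
                         "kind": "direct" if len(shortest) == 2 else "transitive"})
    return hits
```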
Why software analysis matters!
Cyber Crime Facts
In 2016 cybercrime surpassed the drug trade!
$450 billion a year
$14,000 a second
Equivalent to 50 US Nimitz class aircraft carriers
What about 2022?
Cyber Crime Facts
In 2022!
$6 trillion a year!
$200,000 a second
Equivalent to 620 US Nimitz class aircraft carriers!
If cybercrime was a country by GDP in 2022
United States: $20.89 trillion
China: $14.72 trillion
Cyber Crime: $6 trillion
Japan: $5.06 trillion
Germany: $3.85 trillion
India: $2.65 trillion
United Kingdom: $2.63 trillion
France: $2.58 trillion
Today’s Pablo Escobar uses a laptop
Devices allowed to contain OS code:
IEC 62304
Legislation!
Be Proactive rather than Reactive
“If no other manufacturing industry is permitted to ship known vulnerable or defective parts in their products, why should software manufacturers be any different?” – Brian Fox, CTO/Founder of Sonatype
US - National Cyber Security Strategy
In another historic move, the US government is calling for generational investments to:
• Renew infrastructure.
• Secure software and semiconductor supply chains.
• Modernize cryptographic technologies.
In a nutshell, the themes for this new strategy are as follows:
• Software providers and data owners held responsible under cybersecurity liability
• Realigned long-term investment in cybersecurity will have a focus on the future
• A drive to invest in security resilience starts with every digital ecosystem
• Coordinated vulnerability disclosures and SBOMs are still a best practice. Get your SBOM below.
EU - Cyber Resilience Act
Main points of this legislation:
• Essential cybersecurity requirements
  • Requirements for any digital product on the market, including good practices, for example: “products must protect the availability of essential functions, including the resilience against and mitigation of denial of service attacks”
• Vulnerability handling requirements
  • Requirements for how to handle vulnerabilities, with the use of policies, for example: “once a security update has been made available, manufacturers must publicly disclose information about fixed vulnerabilities and have a policy in place on coordinated vulnerability disclosure”
• Extra requirements for critical products
  • There are two classes of critical products. Class 1 includes things like password management, traffic and identity systems. Class 2 includes operating systems for servers, desktops and mobile devices.
• Conformity of products and information and instructions to users
  • Requirement for software to conform to certain requirements, such as technical documentation that is available before release and is updated throughout the software lifecycle, including a security risk assessment and reports of tests related to vulnerabilities. It also needs to be clear and understandable to the user and include things like a point of contact for reporting vulnerabilities.
• Reporting obligations
  • The requirement here is to notify ENISA within 24h of becoming aware of an actively exploited vulnerability contained in the product. Users should also be notified without undue delay and, if possible, provided with information about fixes to said vulnerabilities.
• Obligations on the rest of the supply chain
  • Requirements for importers of software to ensure that what they have imported has abided by the obligations in the CRA.
UK – PSTI
The Product Security and Telecommunications Infrastructure (PSTI) Bill:
• Require manufacturers, importers and distributors to ensure that minimum security requirements are met in relation to consumer connectable products that are available to consumers.
• Provide a robust regulatory framework that can adapt and remain effective in the face of rapid technological advancement, the evolving techniques employed by malicious actors, and the broader international regulatory landscape.
Main points of this bill
• Ban default passwords.
  • Products that come with default passwords are an easy target for cyber criminals.
• Require products to have a vulnerability disclosure policy.
  • Security researchers regularly identify security flaws in products, but need a way to give notice to manufacturers of the risk they have identified, so that they can enable the manufacturer to act before criminals can take advantage. The Bill will provide measures to help ensure any vulnerabilities in a product are identified and flagged.
• Require transparency about the length of time for which the product will receive important security updates.
  • Consumers should know if their product will be supported with security updates, and if so, what the minimum length of time is that they can expect that support to continue.
SBOM To The Rescue?
SBOM
“It is great to have a software bill of materials, but the important part is what you do with it.” - Me
Easy ways to generate an SBOM
1. CycloneDX Maven Plugin
2. Kubernetes bom
3. Microsoft’s SBOM Tool
4. SPDX SBOM Generator
5. Syft
6. Sonatype Lift
Even our SBOMs are not safe!
Security Posture
Simple ways of identifying vulnerable projects
The small things make big differences
Easy ways to Improve Security
• Code review
• Binaries outside of projects
• Dependencies pinned to a specific version
• Secure branches
Time to visit the BOM Dr
https://bomdoctor.sonatype.com/
Summary
Small mistakes can have big consequences!
Static Analysis can help developers in many ways
● Find programming errors
● Enforce coding standards (“best practices”)
● Find syntax violations
● Find security vulnerabilities
And as a consequence can:
● Help create more efficient applications
● Improve developers’ coding skills
● Make your application code easier to read
● Shorten the time from development to production
● Make you and your team programming heroes!
All software analysis is important!
The Software Supply Chain (diagram: Source Code Analysis, Software Composition Analysis, Byte Code Analysis)
One day your luck will run out!
Snapshot taken over 1 year later…
Useful Links
Open Source in Medical Devices
https://starfishmedical.com/blog/open-source-software-medical-devices/
Source vs Byte code analysis
https://blog.hcltechsw.com/appscan/bytecode-compiled-vs-source-code-scanning/
History of software supply chain attacks
https://www.sonatype.com/resources/vulnerability-timeline
State of the software supply chain report:
https://www.sonatype.com/state-of-the-software-supply-chain/
LOG4J download data:
https://www.sonatype.com/resources/log4j-vulnerability-resource-center
White House supply chain blog:
https://blog.sonatype.com/white-house-national-cybersecurity-strategy-landmark-action-for-a-critical-threat
Get in touch
Website:
https://www.sonatype.com
Twitter: @sonatype
LinkedIn: /company/sonatype/
Cool stuff to check out!
New Maven Central
https://central.sonatype.com/
BOM Dr
https://bomdoctor.sonatype.com/
DevZone
https://dev.sonatype.com/
Foojay Series
• https://foojay.io/today/sboms-first-steps-in-a-new-journey-for-developers/
• https://foojay.io/today/sboms-and-software-composition-analysis/
• https://foojay.io/today/making-sboms-threats-and-modelling-them-a-piece-of-cake/
Malware Monthly
https://blog.sonatype.com/malware-monthly-march-2023
Don’t forget to scan your applications with the Dr
https://bomdoctor.sonatype.com/
Más contenido relacionado

Similar a Using Static Analysis Tools to Become a Superhero Programmer.pptx

Analysis concepts and principles
Analysis concepts and principlesAnalysis concepts and principles
Analysis concepts and principles
saurabhshertukde
 
To Open Banking and Beyond: Developing APIs that are Resilient to every new I...
To Open Banking and Beyond: Developing APIs that are Resilient to every new I...To Open Banking and Beyond: Developing APIs that are Resilient to every new I...
To Open Banking and Beyond: Developing APIs that are Resilient to every new I...
Curiosity Software Ireland
 

Similar a Using Static Analysis Tools to Become a Superhero Programmer.pptx (20)

Zero-bug Software, Mathematically Guaranteed
Zero-bug Software, Mathematically GuaranteedZero-bug Software, Mathematically Guaranteed
Zero-bug Software, Mathematically Guaranteed
 
5 Ways to Accelerate Standards Compliance with Static Code Analysis
5 Ways to Accelerate Standards Compliance with Static Code Analysis 5 Ways to Accelerate Standards Compliance with Static Code Analysis
5 Ways to Accelerate Standards Compliance with Static Code Analysis
 
How to Test Security and Vulnerability of Your Android and iOS Apps
How to Test Security and Vulnerability of Your Android and iOS AppsHow to Test Security and Vulnerability of Your Android and iOS Apps
How to Test Security and Vulnerability of Your Android and iOS Apps
 
Analysis concepts and principles
Analysis concepts and principlesAnalysis concepts and principles
Analysis concepts and principles
 
Spm unit1
Spm unit1Spm unit1
Spm unit1
 
To Open Banking and Beyond: Developing APIs that are Resilient to every new I...
To Open Banking and Beyond: Developing APIs that are Resilient to every new I...To Open Banking and Beyond: Developing APIs that are Resilient to every new I...
To Open Banking and Beyond: Developing APIs that are Resilient to every new I...
 
Cyber security series Application Security
Cyber security series   Application SecurityCyber security series   Application Security
Cyber security series Application Security
 
Soirée du Test Logiciel - Présentation de Kiuwan (Jack ABDO)
Soirée du Test Logiciel - Présentation de Kiuwan (Jack ABDO)Soirée du Test Logiciel - Présentation de Kiuwan (Jack ABDO)
Soirée du Test Logiciel - Présentation de Kiuwan (Jack ABDO)
 
Week1.pptx
Week1.pptxWeek1.pptx
Week1.pptx
 
Software engineering study materials
Software engineering study materialsSoftware engineering study materials
Software engineering study materials
 
Basic of Software Testing.pptx
Basic of Software Testing.pptxBasic of Software Testing.pptx
Basic of Software Testing.pptx
 
Mingle box - Online Job seeking System
Mingle box - Online Job seeking SystemMingle box - Online Job seeking System
Mingle box - Online Job seeking System
 
Application security meetup k8_s security with zero trust_29072021
Application security meetup k8_s security with zero trust_29072021Application security meetup k8_s security with zero trust_29072021
Application security meetup k8_s security with zero trust_29072021
 
An update to software testing trends
An update to software testing trendsAn update to software testing trends
An update to software testing trends
 
SOFWARE QUALITY, INTRODUCTION
SOFWARE QUALITY, INTRODUCTIONSOFWARE QUALITY, INTRODUCTION
SOFWARE QUALITY, INTRODUCTION
 
Introduction To Software Engineering
 Introduction To Software Engineering Introduction To Software Engineering
Introduction To Software Engineering
 
How To Improve Quality With Static Code Analysis
How To Improve Quality With Static Code Analysis How To Improve Quality With Static Code Analysis
How To Improve Quality With Static Code Analysis
 
SRS.pdf
SRS.pdfSRS.pdf
SRS.pdf
 
Lecture 1 se
Lecture 1 seLecture 1 se
Lecture 1 se
 
Innovate 2013 session 1243 mobile testing.v3
Innovate 2013   session 1243 mobile testing.v3Innovate 2013   session 1243 mobile testing.v3
Innovate 2013 session 1243 mobile testing.v3
 

Más de Jamie Coleman

Más de Jamie Coleman (19)

Open Source Licence to Kill in Software Development
Open Source Licence to Kill in Software DevelopmentOpen Source Licence to Kill in Software Development
Open Source Licence to Kill in Software Development
 
The Secret Life of Maven Central - LJC 2022.pptx
The Secret Life of Maven Central - LJC 2022.pptxThe Secret Life of Maven Central - LJC 2022.pptx
The Secret Life of Maven Central - LJC 2022.pptx
 
Code to Cloud Workshop, Shifting Security to the Left
Code to Cloud Workshop, Shifting Security to the LeftCode to Cloud Workshop, Shifting Security to the Left
Code to Cloud Workshop, Shifting Security to the Left
 
Code to Cloud Workshop.pptx
Code to Cloud Workshop.pptxCode to Cloud Workshop.pptx
Code to Cloud Workshop.pptx
 
Magic of Automation and Everyday Chores.pptx
Magic of Automation and Everyday Chores.pptxMagic of Automation and Everyday Chores.pptx
Magic of Automation and Everyday Chores.pptx
 
Code to Cloud Workshop
Code to Cloud WorkshopCode to Cloud Workshop
Code to Cloud Workshop
 
Deploy and Update Jakarta EE & MicroProfile applications with Paketo.pptx
Deploy and Update Jakarta EE & MicroProfile applications with Paketo.pptxDeploy and Update Jakarta EE & MicroProfile applications with Paketo.pptx
Deploy and Update Jakarta EE & MicroProfile applications with Paketo.pptx
 
Microservices made easy JavaCro 2021
Microservices made easy JavaCro 2021Microservices made easy JavaCro 2021
Microservices made easy JavaCro 2021
 
Replicating production on your laptop using the magic of containers v2
Replicating production on your laptop using the magic of containers v2Replicating production on your laptop using the magic of containers v2
Replicating production on your laptop using the magic of containers v2
 
Simple tweaks to get the most out of your JVM
Simple tweaks to get the most out of your JVMSimple tweaks to get the most out of your JVM
Simple tweaks to get the most out of your JVM
 
Open Source In The World Of Java
Open Source In The World Of JavaOpen Source In The World Of Java
Open Source In The World Of Java
 
Replicating production on your laptop using the magic of containers
Replicating production on your laptop using the magic of containersReplicating production on your laptop using the magic of containers
Replicating production on your laptop using the magic of containers
 
Simple tweaks to get the most out of your jvm
Simple tweaks to get the most out of your jvmSimple tweaks to get the most out of your jvm
Simple tweaks to get the most out of your jvm
 
Codecamp 2020 microservices made easy workshop
Codecamp 2020 microservices made easy workshopCodecamp 2020 microservices made easy workshop
Codecamp 2020 microservices made easy workshop
 
Cloud native java workshop
Cloud native java workshopCloud native java workshop
Cloud native java workshop
 
Seriously Open Cloud Native Java Microservices
Seriously Open Cloud Native Java MicroservicesSeriously Open Cloud Native Java Microservices
Seriously Open Cloud Native Java Microservices
 
The new java developers kit bag
The new java developers kit bagThe new java developers kit bag
The new java developers kit bag
 
Hands-on cloud-native Java with MicroProfile, Kubernetes and Istio at Javantura
Hands-on cloud-native Java with MicroProfile, Kubernetes and Istio at JavanturaHands-on cloud-native Java with MicroProfile, Kubernetes and Istio at Javantura
Hands-on cloud-native Java with MicroProfile, Kubernetes and Istio at Javantura
 
Are you ready for cloud-native java JavaCro2019
Are you ready for cloud-native java JavaCro2019Are you ready for cloud-native java JavaCro2019
Are you ready for cloud-native java JavaCro2019
 

Último

+971565801893>>SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHAB...
+971565801893>>SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHAB...+971565801893>>SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHAB...
+971565801893>>SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHAB...
Health
 
CHEAP Call Girls in Pushp Vihar (-DELHI )🔝 9953056974🔝(=)/CALL GIRLS SERVICE
CHEAP Call Girls in Pushp Vihar (-DELHI )🔝 9953056974🔝(=)/CALL GIRLS SERVICECHEAP Call Girls in Pushp Vihar (-DELHI )🔝 9953056974🔝(=)/CALL GIRLS SERVICE
CHEAP Call Girls in Pushp Vihar (-DELHI )🔝 9953056974🔝(=)/CALL GIRLS SERVICE
9953056974 Low Rate Call Girls In Saket, Delhi NCR
 

Último (20)

call girls in Vaishali (Ghaziabad) 🔝 >༒8448380779 🔝 genuine Escort Service 🔝✔️✔️
call girls in Vaishali (Ghaziabad) 🔝 >༒8448380779 🔝 genuine Escort Service 🔝✔️✔️call girls in Vaishali (Ghaziabad) 🔝 >༒8448380779 🔝 genuine Escort Service 🔝✔️✔️
call girls in Vaishali (Ghaziabad) 🔝 >༒8448380779 🔝 genuine Escort Service 🔝✔️✔️
 
How To Troubleshoot Collaboration Apps for the Modern Connected Worker
How To Troubleshoot Collaboration Apps for the Modern Connected WorkerHow To Troubleshoot Collaboration Apps for the Modern Connected Worker
How To Troubleshoot Collaboration Apps for the Modern Connected Worker
 
Define the academic and professional writing..pdf
Define the academic and professional writing..pdfDefine the academic and professional writing..pdf
Define the academic and professional writing..pdf
 
Unveiling the Tech Salsa of LAMs with Janus in Real-Time Applications
Unveiling the Tech Salsa of LAMs with Janus in Real-Time ApplicationsUnveiling the Tech Salsa of LAMs with Janus in Real-Time Applications
Unveiling the Tech Salsa of LAMs with Janus in Real-Time Applications
 
+971565801893>>SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHAB...
+971565801893>>SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHAB...+971565801893>>SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHAB...
+971565801893>>SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHAB...
 
Vip Call Girls Noida ➡️ Delhi ➡️ 9999965857 No Advance 24HRS Live
Vip Call Girls Noida ➡️ Delhi ➡️ 9999965857 No Advance 24HRS LiveVip Call Girls Noida ➡️ Delhi ➡️ 9999965857 No Advance 24HRS Live
Vip Call Girls Noida ➡️ Delhi ➡️ 9999965857 No Advance 24HRS Live
 
CHEAP Call Girls in Pushp Vihar (-DELHI )🔝 9953056974🔝(=)/CALL GIRLS SERVICE
CHEAP Call Girls in Pushp Vihar (-DELHI )🔝 9953056974🔝(=)/CALL GIRLS SERVICECHEAP Call Girls in Pushp Vihar (-DELHI )🔝 9953056974🔝(=)/CALL GIRLS SERVICE
CHEAP Call Girls in Pushp Vihar (-DELHI )🔝 9953056974🔝(=)/CALL GIRLS SERVICE
 
Introducing Microsoft’s new Enterprise Work Management (EWM) Solution
Introducing Microsoft’s new Enterprise Work Management (EWM) SolutionIntroducing Microsoft’s new Enterprise Work Management (EWM) Solution
Introducing Microsoft’s new Enterprise Work Management (EWM) Solution
 
Exploring the Best Video Editing App.pdf
Exploring the Best Video Editing App.pdfExploring the Best Video Editing App.pdf
Exploring the Best Video Editing App.pdf
 
The Real-World Challenges of Medical Device Cybersecurity- Mitigating Vulnera...
The Real-World Challenges of Medical Device Cybersecurity- Mitigating Vulnera...The Real-World Challenges of Medical Device Cybersecurity- Mitigating Vulnera...
The Real-World Challenges of Medical Device Cybersecurity- Mitigating Vulnera...
 
Software Quality Assurance Interview Questions
Software Quality Assurance Interview QuestionsSoftware Quality Assurance Interview Questions
Software Quality Assurance Interview Questions
 
Direct Style Effect Systems - The Print[A] Example - A Comprehension Aid
Direct Style Effect Systems -The Print[A] Example- A Comprehension AidDirect Style Effect Systems -The Print[A] Example- A Comprehension Aid
Direct Style Effect Systems - The Print[A] Example - A Comprehension Aid
 
VTU technical seminar 8Th Sem on Scikit-learn
VTU technical seminar 8Th Sem on Scikit-learnVTU technical seminar 8Th Sem on Scikit-learn
VTU technical seminar 8Th Sem on Scikit-learn
 
call girls in Vaishali (Ghaziabad) 🔝 >༒8448380779 🔝 genuine Escort Service 🔝✔️✔️
call girls in Vaishali (Ghaziabad) 🔝 >༒8448380779 🔝 genuine Escort Service 🔝✔️✔️call girls in Vaishali (Ghaziabad) 🔝 >༒8448380779 🔝 genuine Escort Service 🔝✔️✔️
call girls in Vaishali (Ghaziabad) 🔝 >༒8448380779 🔝 genuine Escort Service 🔝✔️✔️
 
HR Software Buyers Guide in 2024 - HRSoftware.com
HR Software Buyers Guide in 2024 - HRSoftware.comHR Software Buyers Guide in 2024 - HRSoftware.com
HR Software Buyers Guide in 2024 - HRSoftware.com
 
Shapes for Sharing between Graph Data Spaces - and Epistemic Querying of RDF-...
Shapes for Sharing between Graph Data Spaces - and Epistemic Querying of RDF-...Shapes for Sharing between Graph Data Spaces - and Epistemic Querying of RDF-...
Shapes for Sharing between Graph Data Spaces - and Epistemic Querying of RDF-...
 
Diamond Application Development Crafting Solutions with Precision
Diamond Application Development Crafting Solutions with PrecisionDiamond Application Development Crafting Solutions with Precision
Diamond Application Development Crafting Solutions with Precision
 
The Ultimate Test Automation Guide_ Best Practices and Tips.pdf
The Ultimate Test Automation Guide_ Best Practices and Tips.pdfThe Ultimate Test Automation Guide_ Best Practices and Tips.pdf
The Ultimate Test Automation Guide_ Best Practices and Tips.pdf
 
Right Money Management App For Your Financial Goals
Right Money Management App For Your Financial GoalsRight Money Management App For Your Financial Goals
Right Money Management App For Your Financial Goals
 
8257 interfacing 2 in microprocessor for btech students
8257 interfacing 2 in microprocessor for btech students8257 interfacing 2 in microprocessor for btech students
8257 interfacing 2 in microprocessor for btech students
 

Using Static Analysis Tools to Become a Superhero Programmer.pptx

  • 1. @Jamie_Lee_C Jamie Lee Coleman Using Static Analysis Tools to Become a Superhero Programmer
  • 2. @Jamie_Lee_C Introduction About me Name: Jamie Lee Coleman Current Role: Developer Advocate @ Sonatype Past experience: Developer in Mainframe Software (CICS), WebSphere & OpenJ9 @ IBM Twitter: @Jamie_Lee_C Linked-In: https://www.linkedin.com/in/jamie-coleman/
  • 4. @Jamie_Lee_C Not just the Maven Central people
  • 6. @Jamie_Lee_C What will I talk about today? 1. What is Static Analysis 1. Source code Analysis 2. Byte code Analysis 2. Things to consider with Static Analysis 3. What about other Analysis terms? 4. Static Analysis tools 5. Static Analysis Tool Demo 1. What about Software Composition Analysis? 2. Why software analysis important! 3. SCA Tools 4. SBOM’s 5. Bom Dr Demo 6. Conclusion of software analysis Part 1 Part 2
  • 7. @Jamie_Lee_C Part 1 – Static Analysis
  • 8. @Jamie_Lee_C What Static Analysis should do ● Find Programming errors ● Enforce coding standards “Best practices” ● Find Syntax violations ● Find security vulnerabilities
  • 9. @Jamie_Lee_C What can they do as a consequence? ● Help create more efficient applications ● Improve developers coding skills ● Make your application code easier to read ● Shorten the time from development to production ● Make you and your team programming hero’s!
  • 10. @Jamie_Lee_C Small mistake can have big consequences!
  • 11. @Jamie_Lee_C The Software Supply Chain Source Code Analysis Byte Code Analysis
  • 12. @Jamie_Lee_C Byte Code/Compiled Analysis Byte code analysis generates a map of the data flows through an application. This builds a map by reading the bytecode and by emulating compilation in CC++. The map is then analysed to find entry (sources) and exit (sinks) points out of control of the code. The analysis will generate a finding for sources that are found where the pathway to a sink exists and a routine which cleanses the data is not found.
  • 13. @Jamie_Lee_C Advantages & Disadvantages over Source Code Analysis Advantages: ● Higher accuracy ● Custom rules to reduce false negatives* ● Define sanitisers/validators to reduce false positives ● Data traces from sink to source Disadvantages: ● Very Slow compared to source code Analysis ● Code must be in byte code format (Compiled) ● Resource heavy!
  • 14. @Jamie_Lee_C Things to consider with Static Analysis
  • 15. @Jamie_Lee_C ● What data backs up the analysis! ● Who decides what is “Best practice” anyway? ● False positives/negatives. ● Customisation (per team basis, policies etc). Things to consider when using Static Analysis
  • 17. @Jamie_Lee_C Control/Data-flow Analysis Control-flow Analysis The purpose of control-flow analysis is to obtain information about which functions can be called at various points during the execution of a program. The collected information is represented by a control-flow graph (CFG) where the nodes are instructions of the program and the edges represent the flow of control. Data-flow Analysis Data-flow analysis is a technique designed to gather information about the values at each point of the program and how they change over time. This technique is often used by compilers to optimize the code.
  • 19. @Jamie_Lee_C Testing, monitoring and program slicing Testing ….. Monitoring Program monitoring records and logs different kinds of information about the program such as resource usage, events, and interactions, so that it can be reviewed to find or pinpoint causes of abnormal behaviour. Program Slicing For a given subset of a program’s behaviour, program slicing consists of reducing the program to the minimum form that still produces the selected behaviour.
  • 21. @Jamie_Lee_C What is a Static Analysis Tool? SA tools examine your applications source code for: • Enforce Coding standards • Insecure code patterns • Measure test coverage • Control flow, nesting and data flow • Documentation and requirements docs
  • 22. @Jamie_Lee_C Examples of available tools: SonarQube A continuous inspection engine that finds vulnerabilities, bugs and code smells. SemGrep A static analysis tool that helps expressing code standards and surfacing bugs early. OpenRewrite Enables large-scale distributed source code refactoring for framework migrations, vulnerability patches, and API migrations with an early focus on the Java language.
  • 23. @Jamie_Lee_C The Software Supply Chain Sonatype Lift
  • 25. @Jamie_Lee_C Part 2 – Software Analysis in General
  • 26. @Jamie_Lee_C The Software Supply Chain Source Code Analysis Software Composition Analysis Byte Code Analysis
  • 27. @Jamie_Lee_C What is Software Composition Analysis? https://foojay.io/today/sboms-and-software-composition-analysis/
  • 29. @Jamie_Lee_C Benefits of FOSS Personal control and customizability (4 main FOSS freedoms) Study Copy Modify Redistribute Privacy and Security* Use community to find bugs quickly Low or no costs Software is free with optional licencing Quality, collaboration and efficiency Many people and organizations working together Performance can be much better due to the amount of people contributing Project development can become more agile and efficient
  • 30. @Jamie_Lee_C Sharing = better! 90% of the applications we create are shared dependencies!
  • 32. @Jamie_Lee_C Dependency Management 150 Dependencies (avg Java project) x 10 Releases Per Year (avg per dependency) = 1500 Updates To Consider 😱
  • 34. @Jamie_Lee_C Direct vs Transitive Dependency Example: org.springframework.boot:spring-boot-starter-web
  • 35. @Jamie_Lee_C SCA Tools Basic tools will provide: • List of declared dependencies • Basic information such as latest version available More advanced tools will provide: • Transitive dependencies • Vulnerability & Licence data • Project scoring • Visualisations • Produce SBOM
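As an added example (not code from the talk or from any SCA product), the following script shows what the "more advanced" column of that slide boils down to: walking from the direct dependencies of the previous slide's kind to their transitive dependencies, flagging declarations that are not pinned to a specific version, and emitting a minimal CycloneDX JSON SBOM with the resolved dependency graph. The artifact coordinates, versions and the dictionary that stands in for a repository index are all constructed.

```python
import json
import re
from collections import deque

# Constructed inputs for the example (made-up coordinates, not real artifacts).
DECLARED = {                           # the project's direct dependencies
    "org.example:web-starter": "3.1.0",
    "org.example:json": "[2.0,)",      # a version range: not pinned
}
INDEX = {  # stand-in for the repository: artifact -> version -> its declared deps
    "org.example:web-starter": {"3.1.0": {"org.example:http-server": "10.1.8",
                                          "org.example:json": "2.15.2"}},
    "org.example:http-server": {"10.1.8": {"org.example:logging": "2.0.7"}},
    "org.example:logging": {"2.0.7": {}},
    "org.example:json": {"2.15.2": {}, "2.16.0": {}},
}

def is_pinned(version):
    """True only for an exact dotted version such as 2.15.2; ranges are not pinned."""
    return re.fullmatch(r"\d+(\.\d+)*", version) is not None

def resolve(declared, index):
    """Breadth-first walk, direct deps first (first seen wins, roughly nearest-wins).
    Returns {artifact: (version, is_direct)} and the unpinned declarations."""
    resolved, unpinned = {}, []
    work = deque((art, ver, True) for art, ver in declared.items())
    while work:
        art, ver, direct = work.popleft()
        if not is_pinned(ver):
            unpinned.append((art, ver))
            # a range resolves to whatever is newest today: not reproducible
            ver = max(index[art], key=lambda v: tuple(map(int, v.split("."))))
        if art in resolved:
            continue
        resolved[art] = (ver, direct)
        work.extend((d, dv, False) for d, dv in index[art][ver].items())
    return resolved, unpinned

def purl(art, ver):
    group, name = art.split(":")
    return f"pkg:maven/{group}/{name}@{ver}"

def to_cyclonedx(resolved, index):
    """Minimal CycloneDX 1.4 JSON: components plus a graph over the *resolved* versions."""
    comps = [{"type": "library", "group": a.split(":")[0], "name": a.split(":")[1],
              "version": v, "purl": purl(a, v)} for a, (v, _) in sorted(resolved.items())]
    deps = [{"ref": purl(a, v), "dependsOn": [purl(d, resolved[d][0]) for d in index[a][v]]}
            for a, (v, _) in sorted(resolved.items())]
    return {"bomFormat": "CycloneDX", "specVersion": "1.4", "version": 1,
            "components": comps, "dependencies": deps}
```

Note that `web-starter` declared `json` 2.15.2 but the SBOM edge points at the 2.16.0 that the range actually resolved to, which is why the generated SBOM (and the build itself) can differ from one day to the next until the version is pinned.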
  • 37. @Jamie_Lee_C In 2016 Cybercrime surpassed the drug trade! $450 Billion a year $14,000 a second Equivalent to 50 US Nimitz Class Aircraft carriers Cyber Crime Facts
  • 39. @Jamie_Lee_C In 2022! $6 Trillion a year! $200,000 a second Equivalent to 620 US Nimitz Class Aircraft carriers! Cyber Crime Facts
  • 40. @Jamie_Lee_C United States: $20.89 trillion China: $14.72 trillion Cyber Crime: $6 trillion Japan: $5.06 trillion Germany: $3.85 trillion India: $2.65 trillion United Kingdom: $2.63 trillion France: $2.58 trillion If cybercrime were a country by GDP in 2022
  • 43. @Jamie_Lee_C Devices allowed to contain OS code: IEC 62304
  • 45. @Jamie_Lee_C Be Proactive rather than Reactive “If no other manufacturing industry is permitted to ship known vulnerable or defective parts in their products, why should software manufacturers be any different?” – Brian Fox CTO/Founder of Sonatype
  • 46. @Jamie_Lee_C In another historic move, the US government is calling for generational investments to: • Renew infrastructure. • Secure software and semiconductor supply chains. • Modernize cryptographic technologies. In a nutshell the themes for this new strategy are as follows: • Software providers and data owners held responsible under cybersecurity liability • Realigned long-term investment in cybersecurity will have a focus on the future • A drive to invest in security resilience starts with every digital ecosystem • Coordinated vulnerability disclosures and SBOMs are still a best practice. Get your SBOM below. US - National Cyber Security Strategy
  • 47. @Jamie_Lee_C Main points of this legislation: • Essential cybersecurity requirements • Requirement for any digital products on the market, including good practices, for example: "products must protect the availability of essential functions, including the resilience against and mitigation of denial of service attacks" • Vulnerability handling requirements • Requirement for how to handle vulnerabilities with the use of policies, for example: "once a security update has been made available, manufacturers must publicly disclose information about fixed vulnerabilities and have a policy in place on coordinated vulnerability disclosure" • Extra requirements for Critical products • There are two classes of critical products. Class 1 includes things like password management, traffic and identity systems. Class 2 includes operating systems for servers, desktops and mobile devices. • Conformity of products and information and instructions to users • Requirement for software to conform to certain requirements such as technical documentation that is available before release and is updated throughout the software lifecycle, including a security risk assessment and reports of tests related to vulnerabilities. It also needs to be clear and understandable to the user and include things like a point of contact for reporting vulnerabilities. • Reporting obligations • The requirement here is to notify ENISA within 24h of becoming aware of an actively exploited vulnerability contained in the product. Users should also be notified without undue delay and, if possible, provided with information about fixes to said vulnerabilities. • Obligations on the rest of the supply chain • Requirements for importers of software to ensure that what they have imported has abided by the obligations in the CRA. EU - Cyber Resilience Act
  • 48. @Jamie_Lee_C The Product Security and Telecommunications Infrastructure (PSTI) Bill: • Require manufacturers, importers and distributors to ensure that minimum security requirements are met in relation to consumer connectable products that are available to consumers. • Provide a robust regulatory framework that can adapt and remain effective in the face of rapid technological advancement, the evolving techniques employed by malicious actors, and the broader international regulatory landscape. Main points of this bill • Ban default passwords. • Products that come with default passwords are an easy target for cyber criminals. • Require products to have a vulnerability disclosure policy. • Security researchers regularly identify security flaws in products, but need a way to give notice to manufacturers of the risk they have identified, so that they can enable the manufacturer to act before criminals can take advantage. The Bill will provide measures to help ensure any vulnerabilities in a product are identified and flagged. • Require transparency about the length of time for which the product will receive important security updates. • Consumers should know if their product will be supported with security updates, and if so, what the minimum length of time is that they can expect that support to continue. UK – PSTI
  • 50. @Jamie_Lee_C SBOM “It is great to have a software bill of materials, but the important part is what you do with it.” - Me
  • 51. @Jamie_Lee_C Easy ways to generate an SBOM 1. CycloneDX Maven Plugin 2. Kubernetes bom 3. Microsoft’s SBOM Tool 4. SPDX SBOM Generator 5. Syft 6. Sonatype Lift
  • 55. @Jamie_Lee_C Simple ways for Identifying vulnerable projects
  • 56. @Jamie_Lee_C The small things make big differences
  • 57. @Jamie_Lee_C Easy ways to Improve Security • Code Review • Binaries outside of projects • Dependencies pinned to a specific version • Secure Branches
  • 58. @Jamie_Lee_C Time to visit the BOM Dr https://bomdoctor.sonatype.com/
  • 60. @Jamie_Lee_C Small mistake can have big consequences!
  • 61. @Jamie_Lee_C Static Analysis can help developers in many ways ● Find programming errors ● Enforce coding standards "Best practices" ● Find syntax violations ● Find security vulnerabilities And as a consequence can: ● Help create more efficient applications ● Improve developers' coding skills ● Make your application code easier to read ● Shorten the time from development to production ● Make you and your team programming heroes!
  • 63. @Jamie_Lee_C The Software Supply Chain Source Code Analysis Software Composition Analysis Byte Code Analysis
  • 64. @Jamie_Lee_C One day your luck will run out! Snapshot taken over 1 year later…
  • 65. @Jamie_Lee_C Open Source in Medical Devices https://starfishmedical.com/blog/open-source-software-medical-devices/ Source vs Byte code analysis https://blog.hcltechsw.com/appscan/bytecode-compiled-vs-source-code-scanning/ History of software supply chain attacks https://www.sonatype.com/resources/vulnerability-timeline State of the software supply chain report: https://www.sonatype.com/state-of-the-software-supply-chain/ LOG4J download data: https://www.sonatype.com/resources/log4j-vulnerability-resource-center White House supply chain blog: https://blog.sonatype.com/white-house-national-cybersecurity-strategy-landmark-action-for-a-critical-threat Useful Links
  • 67. @Jamie_Lee_C Cool stuff to checkout! New Maven Central https://central.sonatype.com/ BOM Dr https://bomdoctor.sonatype.com/ DevZone https://dev.sonatype.com/ Foojay Series • https://foojay.io/today/sboms-first-steps-in-a-new-journey-for-developers/ • https://foojay.io/today/sboms-and-software-composition-analysis/ • https://foojay.io/today/making-sboms-threats-and-modelling-them-a-piece-of-cake/ Malware Monthly https://blog.sonatype.com/malware-monthly-march-2023
  • 68. @Jamie_Lee_C Don’t forget to scan your applications with the Dr https://bomdoctor.sonatype.com/

Editor's notes

  1. Talk about origins of Sonatype
  2. What is the difference between these two lines of code? *pause* One is a vulnerability and one is not. These aren't big changes; anyone can make this type of mistake. CVE-2022-3602: An off-by-one error in the punycode decoder allowed for a single unsigned int overwrite of a buffer, which could cause a crash and possible code execution. A vulnerability might be described as CRITICAL if "remote code execution is considered likely in common situations". This was not the case for this CVE, as it was unlikely in common system configurations. Secondly, many modern platforms implement stack overflow protections which would mitigate against the risk of remote code execution and usually lead to a crash instead. Examples of protection from following best practices. Source: https://www.openssl.org/blog/blog/2022/11/01/email-address-overflows/ https://github.com/openssl/openssl/commit/3b421ebc64c7b52f1b9feb3812bdc7781c784332
  3. Talk about the advantages of having a web-based tool, such as greater analytical capabilities compared to an IDE plugin. The disadvantage is that speed to develop might be slower. Having checks at both points in the development lifecycle is the ideal situation!
  4. This picture you see on the screen might be familiar. It is from a web comic, and the reason it is so popular is because of how accurate it is. This is your modern digital infrastructure. It is irrelevant which industry you are looking at because it applies almost everywhere. Everything is sitting on that one component that is being maintained by someone in Nebraska (or anywhere in the world) in their bedroom or garage, and if that component suddenly disappears there will be chaos. Our experience has shown that around 90% of applications out there are using open source components. And it does make sense. Developers don't want to re-invent the wheel every time they work on a project. They can re-use parts they used in a different project OR (and most importantly) go and find an open source project which does what they need and integrate it into their code. Then they will package the application and release it to the market (or sell it to the consumer). Open source helps deliver features faster, so it allows the company to increase its profits and accelerate its go to market.
  5. The Product Security and Telecommunications Infrastructure (PSTI) Bill 
  6. Talk about SBOM tools being hacked