2. @Jamie_Lee_C
Introduction
About me
Name: Jamie Lee Coleman
Current Role: Developer Advocate @ Sonatype
Past experience: Developer in Mainframe Software (CICS), WebSphere & OpenJ9 @ IBM
Twitter: @Jamie_Lee_C
LinkedIn: https://www.linkedin.com/in/jamie-coleman/
6. What will I talk about today?
Part 1
1. What is Static Analysis
   1. Source code analysis
   2. Byte code analysis
2. Things to consider with Static Analysis
3. What about other analysis terms?
4. Static Analysis tools
5. Static Analysis tool demo
Part 2
1. What about Software Composition Analysis?
2. Why software analysis is important
3. SCA tools
4. SBOMs
5. Bom Dr demo
6. Conclusion of software analysis
8. What Static Analysis should do
● Find programming errors
● Enforce coding standards (“best practices”)
● Find syntax violations
● Find security vulnerabilities
9. What can they do as a consequence?
● Help create more efficient applications
● Improve developers' coding skills
● Make your application code easier to read
● Shorten the time from development to production
● Make you and your team programming heroes!
12. Byte Code/Compiled Analysis
Byte code analysis builds a map of the data flows through an application. The map is built by reading the bytecode (or, for C/C++, by emulating compilation), and is then analysed to find entry points (sources), where data outside the code's control enters, and exit points (sinks), where that data leaves the code's control.
The analysis generates a finding for every source from which a path to a sink exists and no routine that cleanses (sanitises) the data is found on that path.
13. Advantages & Disadvantages over Source Code Analysis
Advantages:
● Higher accuracy
● Custom rules to reduce false negatives*
● Define sanitisers/validators to reduce false positives
● Data traces from sink back to source
Disadvantages:
● Much slower than source code analysis
● Code must be in byte code format (compiled)
● Resource heavy!
15. Things to consider when using Static Analysis
● What data backs up the analysis?
● Who decides what is “best practice” anyway?
● False positives/negatives.
● Customisation (per team basis, policies etc.).
17. Control/Data-flow Analysis
Control-flow Analysis
The purpose of control-flow analysis is to obtain information about which functions
can be called at various points during the execution of a program. The collected
information is represented by a control-flow graph (CFG) where the nodes are
instructions of the program and the edges represent the flow of control.
Data-flow Analysis
Data-flow analysis is a technique designed to gather information about the values
at each point of the program and how they change over time. This technique is
often used by compilers to optimize the code.
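The source-to-sink search described on slide 12 and the control-flow and data-flow definitions above, as an added example that is not part of the original talk or of any tool it mentions: a toy forward taint analysis in Python over a hand-built control-flow graph. The instruction set, the opcode names and the two sample programs are made up for this illustration (real analysers work on JVM or native instructions), but the worklist iteration to a fixpoint and the union at control-flow joins are the same mechanics.

```python
"""Toy forward taint analysis over a control-flow graph (added example).

The instruction set below is made up for illustration; it is not JVM bytecode.
Each instruction is a tuple:
  ("source",   dest)          dest receives attacker-controlled input
  ("const",    dest)          dest receives a trusted constant
  ("assign",   dest, src)     dest = src
  ("concat",   dest, a, b)    dest = a + b
  ("sanitize", dest, src)     dest = cleansed(src); taint does not flow through
  ("branch",   target)        conditional jump: fall through or go to target
  ("jump",     target)        unconditional jump
  ("sink",     arg)           arg reaches a dangerous API (e.g. executeQuery)
"""
from collections import deque


def build_cfg(prog):
    """Successor list per instruction: one CFG node per instruction."""
    succ = []
    for i, ins in enumerate(prog):
        nxt = [i + 1] if i + 1 < len(prog) else []
        if ins[0] == "jump":
            nxt = [ins[1]]
        elif ins[0] == "branch":
            nxt = nxt + [ins[1]]
        succ.append(nxt)
    return succ


def transfer(i, ins, state):
    """Taint state is {var: set of source instruction ids}; apply one instruction."""
    out = {v: set(s) for v, s in state.items()}
    op = ins[0]
    if op == "source":
        out[ins[1]] = {i}
    elif op in ("const", "sanitize"):
        out[ins[1]] = set()            # trusted constant or cleansed value
    elif op == "assign":
        out[ins[1]] = set(state.get(ins[2], set()))
    elif op == "concat":
        out[ins[1]] = state.get(ins[2], set()) | state.get(ins[3], set())
    return out                         # branch/jump/sink leave the state as is


def join(a, b):
    """Merge two states at a control-flow join: union, i.e. a may-analysis."""
    out = {v: set(s) for v, s in a.items()}
    for v, s in b.items():
        out.setdefault(v, set()).update(s)
    return out


def analyse(prog):
    """Worklist iteration to a fixpoint; then report tainted values at sinks."""
    succ = build_cfg(prog)
    entry = [dict() for _ in prog]     # state on entry to each instruction
    seen = set()
    work = deque([0])
    while work:
        i = work.popleft()
        seen.add(i)
        out = transfer(i, prog[i], entry[i])
        for j in succ[i]:
            merged = join(entry[j], out)
            if j not in seen or merged != entry[j]:
                entry[j] = merged
                work.append(j)
    findings = []
    for i, ins in enumerate(prog):
        if ins[0] == "sink":
            sources = entry[i].get(ins[1], set())
            if sources:                # a path from a source with no sanitiser
                findings.append((i, sorted(sources)))
    return findings


# Constructed sample: a handler that escapes user input on one branch but
# forwards it raw on the other, the classic SQL-injection shape.
PROG_VULN = [
    ("source", "name"),                     # 0: name = request.getParameter("name")
    ("const", "prefix"),                    # 1: prefix = "SELECT ... WHERE name='"
    ("branch", 5),                          # 2: if (legacyMode) goto 5
    ("sanitize", "safe", "name"),           # 3: safe = escape(name)
    ("jump", 6),                            # 4: goto 6
    ("assign", "safe", "name"),             # 5: safe = name   <- sanitiser skipped
    ("concat", "query", "prefix", "safe"),  # 6: query = prefix + safe
    ("sink", "query"),                      # 7: stmt.executeQuery(query)
]

# Same shape with the sanitiser applied on both paths: nothing to report.
PROG_SAFE = PROG_VULN[:5] + [("sanitize", "safe", "name")] + PROG_VULN[6:]

if __name__ == "__main__":
    for label, prog in (("vulnerable", PROG_VULN), ("safe", PROG_SAFE)):
        print(label, "->", analyse(prog) or "no findings")
```

Because the join is a union, the analysis is path-insensitive: a value that is sanitised on one path and not on another is reported, which is exactly the false-positive/false-negative trade-off the slides raise, and why real tools let you declare your own sanitisers and rules.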
19. Testing, monitoring and program slicing
Testing
…..
Monitoring
Program monitoring records and logs different kinds of information about the
program such as resource usage, events, and interactions, so that it can be
reviewed to find or pinpoint causes of abnormal behaviour.
Program Slicing
For a given subset of a program’s behaviour, program slicing consists of reducing
the program to the minimum form that still produces the selected behaviour.
21. What is a Static Analysis Tool?
SA tools examine your application's source code to:
• Enforce coding standards
• Find insecure code patterns
• Measure test coverage
• Analyse control flow, nesting and data flow
• Check documentation and requirements docs
22. Examples of available tools:
SonarQube
A continuous inspection engine that finds vulnerabilities, bugs and code smells.
Semgrep
A static analysis tool that helps express code standards and surface bugs early.
OpenRewrite
Enables large-scale distributed source code refactoring for framework migrations,
vulnerability patches, and API migrations with an early focus on the Java language.
29. Benefits of FOSS
Personal control and customizability (the 4 main FOSS freedoms):
● Study
● Copy
● Modify
● Redistribute
Privacy and Security*:
● Use the community to find bugs quickly
Low or no costs:
● Software is free, with optional licencing
Quality, collaboration and efficiency:
● Many people and organizations working together
● Performance can be much better due to the number of people contributing
● Project development can become more agile and efficient
35. SCA Tools
Basic tools will provide:
• List of declared dependencies
• Basic information such as the latest version available
More advanced tools will provide:
• Transitive dependencies
• Vulnerability & licence data
• Project scoring
• Visualisations
• Produce an SBOM
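What the "more advanced" SCA features above amount to in practice, as an added example that is not from the talk or from any Sonatype tool: the script reads a constructed CycloneDX-style SBOM, walks the dependency graph from the application root to tell direct from transitive dependencies, and matches each component against a constructed advisory feed and a licence deny-list. The group, package names, versions, advisory ids and licence policy are all made up for the illustration.

```python
import json
from collections import deque

# Constructed CycloneDX-style SBOM (fake group/artifacts, not from a real build).
SBOM_JSON = r'''{
  "bomFormat": "CycloneDX", "specVersion": "1.4",
  "metadata": {"component": {"bom-ref": "app", "name": "inventory-service", "version": "1.0.0"}},
  "components": [
    {"bom-ref": "pkg:maven/org.example/web-framework@3.2.0", "name": "web-framework",
     "version": "3.2.0", "licenses": [{"license": {"id": "Apache-2.0"}}]},
    {"bom-ref": "pkg:maven/org.example/logging-core@2.14.1", "name": "logging-core",
     "version": "2.14.1", "licenses": [{"license": {"id": "Apache-2.0"}}]},
    {"bom-ref": "pkg:maven/org.example/json-parser@1.9.0", "name": "json-parser",
     "version": "1.9.0", "licenses": [{"license": {"id": "GPL-3.0-only"}}]},
    {"bom-ref": "pkg:maven/org.example/unused-lib@0.1.0", "name": "unused-lib",
     "version": "0.1.0", "licenses": []}
  ],
  "dependencies": [
    {"ref": "app", "dependsOn": ["pkg:maven/org.example/web-framework@3.2.0"]},
    {"ref": "pkg:maven/org.example/web-framework@3.2.0",
     "dependsOn": ["pkg:maven/org.example/logging-core@2.14.1",
                   "pkg:maven/org.example/json-parser@1.9.0"]},
    {"ref": "pkg:maven/org.example/logging-core@2.14.1", "dependsOn": []},
    {"ref": "pkg:maven/org.example/json-parser@1.9.0", "dependsOn": []},
    {"ref": "pkg:maven/org.example/unused-lib@0.1.0", "dependsOn": []}
  ]
}'''

# Constructed advisory feed: fake ids and ranges in the shape an SCA tool consumes
# ("introduced" is inclusive, "fixed" is exclusive).
ADVISORIES = [
    {"id": "EXAMPLE-2021-0001", "name": "logging-core", "introduced": "2.0.0",
     "fixed": "2.17.1", "severity": "critical"},
    {"id": "EXAMPLE-2022-0002", "name": "json-parser", "introduced": "1.0.0",
     "fixed": "1.8.0", "severity": "high"},
]
DENIED_LICENSES = {"GPL-3.0-only", "AGPL-3.0-only"}   # policy assumed for the example


def version_key(v):
    """Numeric dotted versions only; enough for the constructed data."""
    return tuple(int(p) for p in v.split("."))


def is_affected(adv, version):
    return version_key(adv["introduced"]) <= version_key(version) < version_key(adv["fixed"])


def reachable_depths(sbom, root):
    """BFS over the SBOM dependency graph: {bom-ref: depth from root}, depth 1 = direct."""
    graph = {d["ref"]: d.get("dependsOn", []) for d in sbom.get("dependencies", [])}
    depth = {root: 0}
    queue = deque([root])
    while queue:
        ref = queue.popleft()
        for child in graph.get(ref, []):
            if child not in depth:
                depth[child] = depth[ref] + 1
                queue.append(child)
    return depth


def scan_sbom(text, advisories, denied_licenses):
    """Return vulnerable components, denied licences and components not reachable from the root."""
    sbom = json.loads(text)
    root = sbom["metadata"]["component"]["bom-ref"]
    depth = reachable_depths(sbom, root)
    report = {"vulnerable": [], "licence": [], "unreachable": []}
    for comp in sbom["components"]:
        ref, name, version = comp["bom-ref"], comp["name"], comp["version"]
        if ref not in depth:
            report["unreachable"].append(ref)   # declared but never pulled in from the root
            continue
        kind = "direct" if depth[ref] == 1 else "transitive"
        for adv in advisories:
            if adv["name"] == name and is_affected(adv, version):
                report["vulnerable"].append((name, version, adv["id"], adv["severity"], kind))
        for lic in comp.get("licenses", []):
            lic_id = lic.get("license", {}).get("id")
            if lic_id in denied_licenses:
                report["licence"].append((name, version, lic_id, kind))
    return report


if __name__ == "__main__":
    print(json.dumps(scan_sbom(SBOM_JSON, ADVISORIES, DENIED_LICENSES), indent=2))
```

The "unreachable" bucket is worth keeping: a component that appears in the SBOM but is not on any path from the application root is either stale metadata or a sign the SBOM was generated from the wrong scope, and either way the vulnerability verdicts for it should not be trusted.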
37. Cyber Crime Facts
In 2016 cybercrime surpassed the drug trade!
$450 billion a year
$14,000 a second
Equivalent to 50 US Nimitz-class aircraft carriers
40. If cybercrime was a country by GDP in 2022
United States: $20.89 trillion
China: $14.72 trillion
Cyber Crime: $6 trillion
Japan: $5.06 trillion
Germany: $3.85 trillion
India: $2.65 trillion
United Kingdom: $2.63 trillion
France: $2.58 trillion
45. Be Proactive rather than Reactive
“If no other manufacturing industry is permitted to ship
known vulnerable or defective parts in their products,
why should software manufacturers be any different?” –
Brian Fox CTO/Founder of Sonatype
46. US - National Cyber Security Strategy
In another historic move, the US government is calling for generational investments to:
• Renew infrastructure.
• Secure software and semiconductor supply chains.
• Modernize cryptographic technologies.
In a nutshell, the themes for this new strategy are as follows:
• Software providers and data owners held responsible under cybersecurity liability
• Realigned long-term investment in cybersecurity will have a focus on the future
• A drive to invest in security resilience starts with every digital ecosystem
• Coordinated vulnerability disclosures and SBOMs are still a best practice.
47. EU - Cyber Resilience Act
Main points of this legislation:
• Essential cybersecurity requirements
  • Requirements for any digital product on the market, including good practices such as: “products must protect the availability of essential functions, including the resilience against and mitigation of denial of service attacks”
• Vulnerability handling requirements
  • Requirements for how vulnerabilities are handled, backed by policies, for example: “once a security update has been made available, manufacturers must publicly disclose information about fixed vulnerabilities and have a policy in place on coordinated vulnerability disclosure”
• Extra requirements for critical products
  • There are two classes of critical products. Class 1 includes things like password management, traffic and identity systems. Class 2 includes operating systems for servers, desktops and mobile devices.
• Conformity of products, and information and instructions to users
  • Software must conform to certain requirements, such as technical documentation that is available before release and is updated throughout the software lifecycle, including a security risk assessment and reports of tests related to vulnerabilities. The documentation also needs to be clear and understandable to the user and must include things like a point of contact for reporting vulnerabilities.
• Reporting obligations
  • Manufacturers must notify ENISA within 24h of becoming aware of an actively exploited vulnerability contained in the product. Users should also be notified without undue delay and, where possible, provided with information about fixes for the vulnerability.
• Obligations on the rest of the supply chain
  • Requirements on importers of software to verify that what they have imported abides by the obligations in the CRA.
48. UK – PSTI
The Product Security and Telecommunications Infrastructure (PSTI) Bill:
• Requires manufacturers, importers and distributors to ensure that minimum security requirements are met in relation to consumer connectable products that are available to consumers.
• Provides a robust regulatory framework that can adapt and remain effective in the face of rapid technological advancement, the evolving techniques employed by malicious actors, and the broader international regulatory landscape.
Main points of this bill:
• Ban default passwords.
  • Products that come with default passwords are an easy target for cyber criminals.
• Require products to have a vulnerability disclosure policy.
  • Security researchers regularly identify security flaws in products, but need a way to give notice to manufacturers of the risk they have identified, so that the manufacturer can act before criminals take advantage. The Bill will provide measures to help ensure any vulnerabilities in a product are identified and flagged.
• Require transparency about the length of time for which the product will receive important security updates.
  • Consumers should know if their product will be supported with security updates and, if so, the minimum length of time they can expect that support to continue.
57. Easy ways to Improve Security
• Code review
• Binaries kept outside of projects
• Dependencies pinned to a specific version
• Secure (protected) branches
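A check for the "dependencies pinned to a specific version" item above, as an added example and not code from the talk: it flags unpinned, ranged and unhashed entries in a requirements.txt, and ranged, missing or LATEST versions in a Maven POM. Both input files are constructed for the example, and the artifact names and the hash value are placeholders.

```python
import re
import xml.etree.ElementTree as ET

# Constructed requirements.txt (not from any real project): one line per case.
REQUIREMENTS = """\
requests==2.31.0 --hash=sha256:{zeros}   # exact pin plus hash: nothing to report
flask>=2.0                # lower bound only: resolves to whatever is newest
pyyaml                    # no version at all
cryptography~=41.0        # compatible-release range still floats within 41.x
urllib3==2.0.7            # pinned, but no hash to verify the downloaded artifact
-r other-requirements.txt # option lines are skipped
""".format(zeros="0" * 64)   # placeholder digest, not a real artifact hash

# Constructed pom.xml with the same kinds of mistakes (fake group and artifacts).
POM = """\
<project xmlns="http://maven.apache.org/POM/4.0.0">
  <dependencies>
    <dependency>
      <groupId>org.example</groupId><artifactId>lib-a</artifactId><version>1.4.2</version>
    </dependency>
    <dependency>
      <groupId>org.example</groupId><artifactId>lib-b</artifactId><version>[1.0,2.0)</version>
    </dependency>
    <dependency>
      <groupId>org.example</groupId><artifactId>lib-c</artifactId>
    </dependency>
    <dependency>
      <groupId>org.example</groupId><artifactId>lib-d</artifactId><version>LATEST</version>
    </dependency>
  </dependencies>
</project>
"""

# name, optional [extras], optional operator, version (PEP 508 subset).
_SPEC = re.compile(
    r"^([A-Za-z0-9][A-Za-z0-9._-]*)(?:\[[^\]]*\])?\s*(===|==|~=|>=|<=|!=|>|<)?\s*([^\s;]*)"
)


def check_requirements(text):
    """Return (name, issue) for every requirement that is not an exact, hashed pin."""
    findings = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop trailing comments
        if not line or line.startswith("-"):     # blank or pip option line
            continue
        m = _SPEC.match(line)
        if not m:
            continue
        name, op, version = m.group(1), m.group(2), m.group(3)
        if op is None:
            findings.append((name, "unpinned (no version)"))
        elif op != "==" or "*" in version:
            findings.append((name, f"version range ({op}{version})"))
        elif "--hash=" not in line:
            findings.append((name, "pinned but no --hash"))
    return findings


def _local(tag):
    return tag.rsplit("}", 1)[-1]               # strip the XML namespace prefix


def check_pom(text):
    """Return (artifactId, issue) for Maven dependencies whose version can move."""
    findings = []
    for el in ET.fromstring(text).iter():
        if _local(el.tag) != "dependency":
            continue
        fields = {_local(c.tag): (c.text or "").strip() for c in el}
        name, version = fields.get("artifactId", "?"), fields.get("version", "")
        if not version:                         # may be managed in a parent POM: verify
            findings.append((name, "unpinned (no version)"))
        elif version[0] in "[(":                # Maven range syntax
            findings.append((name, f"version range ({version})"))
        elif version.upper() in ("LATEST", "RELEASE"):
            findings.append((name, f"meta-version ({version})"))
    return findings


if __name__ == "__main__":
    for f in check_requirements(REQUIREMENTS) + check_pom(POM):
        print("%-14s %s" % f)
```

An exact pin only fixes the version label; the hash (or, for Maven, a checksum-verified build) is what ties the build to the exact artifact bytes, which is the property a supply-chain attacker who republishes the same version number would otherwise defeat.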
61. Static Analysis can help developers in many ways
● Find programming errors
● Enforce coding standards (“best practices”)
● Find syntax violations
● Find security vulnerabilities
And as a consequence can:
● Help create more efficient applications
● Improve developers' coding skills
● Make your application code easier to read
● Shorten the time from development to production
● Make you and your team programming heroes!
65. Useful Links
Open Source in Medical Devices
https://starfishmedical.com/blog/open-source-software-medical-devices/
Source vs Byte code analysis
https://blog.hcltechsw.com/appscan/bytecode-compiled-vs-source-code-scanning/
History of software supply chain attacks
https://www.sonatype.com/resources/vulnerability-timeline
State of the software supply chain report:
https://www.sonatype.com/state-of-the-software-supply-chain/
LOG4J download data:
https://www.sonatype.com/resources/log4j-vulnerability-resource-center
White House supply chain blog:
https://blog.sonatype.com/white-house-national-cybersecurity-strategy-landmark-action-for-a-critical-threat
What is the difference between these two lines of code? *pause*
One is a vulnerability and one is not. These aren’t big changes; anyone can make this type of mistake.
CVE-2022-3602
An off-by-one error in the punycode decoder allowed a single unsigned int overwrite of a buffer, which could cause a crash and possibly code execution.
A vulnerability might be described as CRITICAL if “remote code execution is considered likely in common situations”. This was not the case for this CVE, as it was unlikely in common system configurations.
Secondly, many modern platforms implement stack overflow protections which would mitigate against the risk of remote code execution and usually lead to a crash instead. This is an example of protection that comes from following best practices.
Source:
https://www.openssl.org/blog/blog/2022/11/01/email-address-overflows/
https://github.com/openssl/openssl/commit/3b421ebc64c7b52f1b9feb3812bdc7781c784332
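A model of the off-by-one behind CVE-2022-3602, added here as an example and not taken from the OpenSSL code or from the talk. The fix in the commit linked above changed the bounds check that runs before each write from `written_out > max_out` to `written_out >= max_out`. The model keeps that check shape but replaces the real punycode decoding with a plain loop, and represents memory as a Python list with one extra slot standing in for whatever sits next to the output buffer on the stack (an assumption for illustration).

```python
ADJACENT = "adjacent-stack-value"   # stands in for the neighbour of the buffer on the stack


def decode_into(values, max_out, strict):
    """Write `values` into a buffer of `max_out` slots, bounds-checking before each write.

    Memory is modelled as a list: indexes [0, max_out) are the output buffer and
    index max_out is the neighbouring stack slot. Returns (completed, memory).
    """
    memory = [None] * max_out + [ADJACENT]
    written_out = 0
    for v in values:
        # The check runs before the write at index written_out.
        if strict:
            if written_out >= max_out:   # fixed: index max_out is already out of bounds
                return False, memory
        else:
            if written_out > max_out:    # vulnerable: lets exactly one write at index max_out through
                return False, memory
        memory[written_out] = v
        written_out += 1
    return True, memory


def clobbers_neighbour(values, max_out, strict):
    """True if decoding overwrote the slot just past the buffer (the single-word overwrite)."""
    _, memory = decode_into(values, max_out, strict)
    return memory[max_out] != ADJACENT


if __name__ == "__main__":
    for strict in (False, True):
        ok, mem = decode_into(list(range(5)), 4, strict)
        print("strict" if strict else "lax   ", "completed:", ok, "memory:", mem)
```

The `>` check only fails once `written_out` is already past the end, so the input that is one element longer than the buffer gets its last element written into the neighbouring slot before the loop stops; the `>=` check refuses that write. A Python list would raise an IndexError on a second out-of-bounds write, which is why the model reserves exactly one slot: that is also the extent of the real overwrite.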
Talk about the advantages of having a web-based tool, such as greater analytical capabilities, as opposed to an IDE plugin.
The disadvantage is that the speed of development might be slower, because feedback arrives later.
Having checks at both points in the development lifecycle is the ideal situation!
The picture you see on the screen might be familiar. It is from a web comic, and the reason it is so popular is how accurate it is.
This is your modern digital infrastructure. It is irrelevant which industry you are looking at, because it applies almost everywhere. Everything is sitting on that one component that is being maintained by someone in Nebraska (or anywhere in the world) in their bedroom or garage, and if that component suddenly disappears there will be chaos.
Our experience has shown that around 90% of applications out there are using open source components. And it does make sense.
Developers don’t want to re-invent the wheel every time they work on a project. They can re-use parts they used in a different project or (most importantly) go and find an open source project which does what they need and implement it in their code. Then they will package the application and release it to the market (or sell it to the consumer). Open source helps deliver features faster, so it allows the company to increase its profits and accelerate its go-to-market.
The Product Security and Telecommunications Infrastructure (PSTI) Bill
Talk about SBOM tools being hacked