Cybercrime and the Developer
How to defend against the darker side
@spoole167
Steve Poole
• Developer Advocate
• Sonatype
Take away one thing
As a developer, security is your problem

Who uses wifi?
Ever thought about how it works?
Would you notice one of these on the wall?
With some simple h/w it’s easy to spoof the wifi
How safe is your data now?
Of course, most of us don’t know

The world runs on software
And software is under attack
5 years ago I said things like this

Organized Cybercrime is the most profitable type of crime
Cybercrime was estimated to be worth 445 Billion Dollars a Year
The United Nations Office on Drugs and Crime (UNODC) estimated the global illicit drug trade was worth 435 Billion Dollars
• Guess which one has the least risk to the criminal?
• Guess which is growing the fastest?
• Guess which one is the hardest to prosecute?
• Guess which one is predicted to reach 2100 Billion Dollars by 2019
• Guess which one is predicted to reach 6000 Billion Dollars by 2021
[Chart: Cybercrime vs Drug trade, 2013 to 2021, in billions of dollars]
What’s the status today?
It’s much worse than predicted …
As a developer your world is going to change rapidly

Weaponised Cybercrime
Nation states are preparing for the next war – and that’s all about software

Cyber Attacks are rising in number and sophistication
The aim is to infiltrate infrastructure and essential services…
So they can manipulate or disable
Cybercriminals used to search for vulnerabilities to exploit
Now they make their own

• Typosquatting: a lookalike domain or dependency with one or two wrong or different characters
• Open source repo attacks: attempts to get malware or weaknesses added into dependency source via social engineering or tools
• Build Tool attacks: attempts to get malware into the tools that are used to produce dependencies
• Dependency confusion: attempts to get a different version added into a binary repository, often “latest”
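Three of the four tricks above can be checked for mechanically before a build runs, from nothing more than the resolved lockfile. This is an added example, not from the slides or from Sonatype's tooling; the lockfile entries, the allowlist, the `acme-` internal namespace and the registry URLs are all constructed for illustration.

```python
"""Audit a constructed lockfile for typosquatted names, dependency confusion
(an internal-namespace package resolved from a public registry) and floating
"latest" versions. All package names, namespaces and URLs are made up."""
from dataclasses import dataclass

# Constructed input: what a resolved lockfile might contain.
LOCKFILE = [
    {"name": "requests",          "version": "2.31.0", "source": "https://pypi.org/simple"},
    {"name": "reqeusts",          "version": "2.31.0", "source": "https://pypi.org/simple"},
    {"name": "acme-payroll-core", "version": "1.4.2",  "source": "https://pypi.org/simple"},
    {"name": "acme-ledger",       "version": "3.0.1",  "source": "https://artifacts.acme.example/simple"},
    {"name": "colorama",          "version": "latest", "source": "https://pypi.org/simple"},
]

# Names the team has deliberately approved (assumed allowlist).
APPROVED = {"requests", "colorama", "acme-payroll-core", "acme-ledger"}
# Prefix marking packages that must only ever come from the internal registry.
INTERNAL_PREFIX = "acme-"
INTERNAL_REGISTRY = "https://artifacts.acme.example/simple"


@dataclass(frozen=True)
class Finding:
    package: str
    kind: str
    detail: str


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; used to spot one- or two-character lookalikes."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def audit(lockfile, approved=APPROVED) -> list[Finding]:
    """Return one Finding per suspicious property of each lockfile entry."""
    findings = []
    for entry in lockfile:
        name, version, source = entry["name"], entry["version"], entry["source"]
        # Typosquat: not approved, but within two edits of a name that is.
        if name not in approved:
            close = [n for n in approved if edit_distance(name, n) <= 2]
            if close:
                findings.append(Finding(name, "typosquat", f"looks like {close[0]}"))
            else:
                findings.append(Finding(name, "unapproved", "not on the allowlist"))
        # Dependency confusion: internal name served from a non-internal source.
        if name.startswith(INTERNAL_PREFIX) and source != INTERNAL_REGISTRY:
            findings.append(Finding(name, "dependency-confusion", f"resolved from {source}"))
        # Floating version: whatever is newest wins, which is what the attacker counts on.
        if version == "latest":
            findings.append(Finding(name, "floating-version", "pin an exact version"))
    return findings
```

Run `audit(LOCKFILE)` and fail the build on any non-empty result; the allowlist is the part that has to be maintained by people.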
Put differently: Payroll App V1
Most applications are 90% open source (Payroll App V1 → Dependencies)
Bad guys still look for weaknesses (Payroll App V1 → Dependencies)
But now they are adding their own: Dependencies, Tools, Runtimes, Platforms, Code generators
Many are designed to stay hidden until needed
Let me tell you a story
Got one of these?
Got one of these in it?
• $2 from China

This new phase of cyber attacks
Are state funded
Professionally developed
Regularly exercised
Very sophisticated
And extremely lucrative
2021 – 6 trillion dollars
2022 – 35 Trillion dollars?
That’s $4300 per person
What can you do?

1: Think about the supply chain

The Executive Order
Recognizes the need to form a united front against “malicious cyber actors”
Outlines a direction for closer working between all parts of the software industry
Adds new requirements on software vendors selling to the US government
Will change how we produce and consume software.
Hardening the software supply chain: every product
• has an SBOM
• uses an automatic supply chain process
• has evidence of software integrity
• has evidence of an automatic vulnerability check process
• has a vulnerability disclosure program
• has evidence on the provenance of all software used
• demonstrates strong controls over the use of internal and third-party software and services
• demonstrates regular audit processes

SBOM – the new important term on the horizon
cyclonedx.org spdx.dev
Modern Vulnerability tools scan your builds (Payroll App V1 → Dependencies)
Tracking dependencies relies on tools that analyze the end result (Payroll App V1 → Web Server 05.1.2, Acme Framework 2.1)
Which relies on transparency
Which can be problematic: Incomplete Data, Opaque Dependencies
And is always incomplete, or even faked
What’s in the runtimes? What tools were used to build?
[Diagram: Payroll App V1 built from Web Server 05.1.2 and Acme Framework, on Runtime V2, OS V3.4, Compiler V9, CI/CD V2, OS V6, Compiler: environmental information, all componentry]
SBOMs are intended to cover ‘everything’
2: Automate everything

SBOMs raise awareness of issues
[Diagram: product 1.1 with dependency refs to Foo 2.1 and Bar 3.1; each dependency has a url and a SHA1024 hash, the product has a URL and an SBOM signature]
Means more fixes to apply
[Diagram: the same SBOM extended with build inputs, Gcc 3.6, RHEL, zip, Jenkins, Github action, each with a url and a SHA]
Since SBOMs inherit from dependencies
More info is available
More updates, more often, all the time
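The inheritance described above is what makes an SBOM useful in a build: the product's SBOM carries its dependencies' entries, and each entry's URL and hash can be checked against what was actually built with. This is an added example, not the slides' or any project's code: a walker over a constructed CycloneDX 1.4-style JSON document that resolves the product's transitive dependencies, verifies the recorded SHA-256 hashes against a constructed artifact cache, and flags entries with no hash or URL (the "incomplete" and "opaque" cases from the slides).

```python
"""Walk a small CycloneDX-style SBOM and verify it against a build cache.
The SBOM content, component names and artifact bytes are constructed for this
example; the field names follow the CycloneDX JSON layout."""
import hashlib
import json

# Constructed SBOM: product 1.1 depends on foo 2.1, which depends on bar 3.1
# and on a build tool entry (gcc) that carries no hash or URL at all.
SBOM_JSON = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.4",
    "metadata": {"component": {"bom-ref": "pkg:generic/product@1.1",
                               "name": "product", "version": "1.1"}},
    "components": [
        {"bom-ref": "pkg:generic/foo@2.1", "name": "foo", "version": "2.1",
         "hashes": [{"alg": "SHA-256", "content": hashlib.sha256(b"foo-2.1-bytes").hexdigest()}],
         "externalReferences": [{"type": "distribution", "url": "https://repo.example/foo-2.1.jar"}]},
        {"bom-ref": "pkg:generic/bar@3.1", "name": "bar", "version": "3.1",
         "hashes": [{"alg": "SHA-256", "content": hashlib.sha256(b"bar-3.1-GOOD").hexdigest()}],
         "externalReferences": [{"type": "distribution", "url": "https://repo.example/bar-3.1.jar"}]},
        {"bom-ref": "pkg:generic/gcc@3.6", "name": "gcc", "version": "3.6"},
    ],
    "dependencies": [
        {"ref": "pkg:generic/product@1.1", "dependsOn": ["pkg:generic/foo@2.1"]},
        {"ref": "pkg:generic/foo@2.1", "dependsOn": ["pkg:generic/bar@3.1", "pkg:generic/gcc@3.6"]},
    ],
})

# Constructed build cache: bar's bytes differ from what the SBOM recorded.
ARTIFACTS = {
    "pkg:generic/foo@2.1": b"foo-2.1-bytes",
    "pkg:generic/bar@3.1": b"bar-3.1-TAMPERED",
}


def transitive_deps(sbom: dict, root: str) -> set[str]:
    """Every bom-ref reachable from root through the dependencies graph."""
    graph = {d["ref"]: d.get("dependsOn", []) for d in sbom.get("dependencies", [])}
    seen, stack = set(), [root]
    while stack:
        ref = stack.pop()
        for child in graph.get(ref, []):
            if child not in seen:
                seen.add(child)
                stack.append(child)
    return seen


def check_sbom(sbom_json: str, artifacts: dict) -> dict:
    """Return {bom-ref: status} for each transitive dependency of the product."""
    sbom = json.loads(sbom_json)
    root = sbom["metadata"]["component"]["bom-ref"]
    components = {c["bom-ref"]: c for c in sbom.get("components", [])}
    status = {}
    for ref in transitive_deps(sbom, root):
        comp = components.get(ref)
        if comp is None:
            status[ref] = "unknown-component"  # referenced but never described
            continue
        sha = next((h["content"] for h in comp.get("hashes", []) if h["alg"] == "SHA-256"), None)
        url = next((r["url"] for r in comp.get("externalReferences", [])
                    if r["type"] == "distribution"), None)
        if sha is None or url is None:
            status[ref] = "incomplete"         # opaque: nothing to verify against
        elif ref not in artifacts:
            status[ref] = "missing-artifact"   # SBOM lists it, the build never saw it
        elif hashlib.sha256(artifacts[ref]).hexdigest() != sha:
            status[ref] = "hash-mismatch"      # recorded hash differs from what was built with
        else:
            status[ref] = "ok"
    return status
```

Anything other than "ok" is a reason to stop the pipeline rather than a warning to log; the "incomplete" entries are exactly the opaque dependencies the slides warn about.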
Time to EXPLOIT?
[Chart: Average Days to Exploit against Year of Date Reported, 2006 to 2015, scale 0 to 50 days, with an “Average” line marked at 45 and 15. Source: Adapted from IBM X-Force / Analysis by Gartner Research (September 2016)]
2017
2 days
Oh wait that was 2016 – what’s the number now?
2 seconds
The way you build software is going to change
You can expect every government to follow suit on this sort of initiative
Even if you're not selling directly, you could be in a chain that is
The prediction is that by 2025 every software vendor, open source project etc will have to provide this proof
Manual anything is going to be problematic

You will need to be able to track back exactly how, where and with what your s/w was built.
To be able to deal with an increase in the number of reported vulnerabilities
Be able to build your s/w automatically at a moment’s notice
To provide to others your ‘SBOM’
The next wave is moving from IAC to EAC (Everything as code)
3: Lower your trust levels

The way you choose open source software is going to change
What do you do if an open-source component you rely on doesn’t comply?
How much risk are you willing to take?
Even if they say yes - how much can you trust them?
Do they have an SBOM?
What’s their ability to provide updates?
What’s their security posture?
No more: is it free and does it do what I want?

Evaluating open-source projects means more than checking their license
• License
• Vulnerability reporting process
• Development process (how do they review contributions)
• Build process – is it secure? Who can trigger it?
• General assessment of their quality (MTTU)
4: Code defensively

Exploitation often comes from simple mistakes
• Clean code
• Defensive architecture
• Comprehensive tests
• Exception path testing
• Useful error messages
• Test dependencies
• Compartmentalisation of data
• Secured pipelines
• No ‘dev mode’
• Code Reviews
• Thinking defensively
• …
And poor behavior
Ever googled for:
“very trusting trust manager”
“Getting Java to accept all certs over HTTPS”
“How to Trust Any SSL Certificate”
“Disable Certificate Validation in Java”
We’ve found 72,609 code results:
AlwaysValidTrustManager
TrustAllServersWrappingTrustManager
“A very friendly, accepting trust manager factory. Allows anything through. All kinds of certificates are accepted and trusted.”
“A very trusting trust manager that accepts anything”
// Install the all-trusting trust manager
OverTrustingTrustProvider
AllTrustingSecurityManagerPlugin.java
AcceptingTrustManagerFactory.java
AllTrustingCertHttpRequester.java

And poor behavior
curl --insecure
wget --no-check-certificate
sudo apt-get --allow-unauthenticated

And by not understanding the code and tools we use
“I thought I was using the tool correctly”
“I didn’t realize what the default setting was”
“I trusted the tool to do the right thing”
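The same searches that turn up these snippets on the web work just as well as a review gate over your own tree. This is an added example, not from the slides: a small scanner whose patterns cover the trust-all Java idiom (an empty `checkServerTrusted`, an always-true hostname verifier, the tell-tale comment) and the three shell flags above; the sample files and the `downloads.example` URLs are constructed.

```python
"""Scan source files for certificate-validation bypasses. The pattern list is
what a reviewer would grep for, not an exhaustive catalogue; the sample files
below are constructed strings standing in for a project checkout."""
import re
from dataclasses import dataclass

PATTERNS = {
    # An X509TrustManager whose checkServerTrusted body is empty accepts anything.
    "java-empty-checkServerTrusted": re.compile(
        r"checkServerTrusted\s*\([^)]*\)[^{]*\{\s*\}", re.S),
    # A HostnameVerifier that unconditionally returns true.
    "java-hostname-verifier-always-true": re.compile(
        r"HostnameVerifier[^;]*?\{\s*return\s+true\s*;", re.S),
    "java-trust-all-comment": re.compile(r"all[- ]trusting|trust[- ]all", re.I),
    "curl-insecure": re.compile(r"\bcurl\b[^\n]*(\s-k\b|--insecure\b)"),
    "wget-no-check-certificate": re.compile(r"\bwget\b[^\n]*--no-check-certificate\b"),
    "apt-allow-unauthenticated": re.compile(r"\bapt(-get)?\b[^\n]*--allow-unauthenticated\b"),
}


@dataclass(frozen=True)
class Hit:
    path: str
    line: int
    pattern: str


def scan_text(path: str, text: str) -> list[Hit]:
    """Run every pattern over one file's text; report the line of each match."""
    hits = []
    for name, rx in PATTERNS.items():
        for m in rx.finditer(text):
            line = text.count("\n", 0, m.start()) + 1
            hits.append(Hit(path, line, name))
    return sorted(hits, key=lambda h: (h.path, h.line, h.pattern))


# Constructed files: one trust-all Java class, one CI script, one clean class.
SAMPLE_FILES = {
    "src/Http.java": """\
import javax.net.ssl.*;
import java.security.cert.X509Certificate;
public class Http {
    // Install the all-trusting trust manager
    static TrustManager[] tm = new TrustManager[]{ new X509TrustManager() {
        public void checkClientTrusted(X509Certificate[] c, String a) {}
        public void checkServerTrusted(X509Certificate[] c, String a) {}
        public X509Certificate[] getAcceptedIssuers() { return null; }
    }};
}
""",
    "ci/build.sh": """\
#!/bin/sh
curl --insecure -O https://downloads.example/tool.tgz
wget --no-check-certificate https://downloads.example/sig.asc
sudo apt-get --allow-unauthenticated install -y buildtool
""",
    "src/Safe.java": """\
public class Safe {
    // Default SSLContext: platform trust store, full chain validation.
    static javax.net.ssl.SSLContext ctx = javax.net.ssl.SSLContext.getDefault();
}
""",
}


def scan_repo(files: dict) -> list[Hit]:
    """Scan every (path, text) pair; in real use, read the files from disk."""
    return [h for path, text in files.items() for h in scan_text(path, text)]
```

A hit is a review conversation, not automatically a bug (a test fixture may legitimately carry one), but every hit should have a comment next to it explaining why it is there.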
If you contribute to open source
• Take these behaviors with you
• Think about software safety
• Think defensively.

Summary
Cyber attacks have entered a new and aggressive phase
Automated, evidence-based Everything-as-code is the direction
Open Source is still the primary vector
Risk of attack is rising dramatically
BYO pipelines will get replaced by commercial ones
Consuming open source directly will reduce. You’ll pay for trusted versions
How we write code must change
How we work with other developers will change

Takeaways
• The days of just taking software off the shelf are numbered: choose software based on how it’s produced, not just what it does
• Evidence-based trust will become essential: your own supply chain – the software you use, how you develop, how you deploy – will become a certified step in someone else's evidence chain.
• A complex and challenging new world lies ahead. GDPR changed how we think about and deal with user information – supply chains are going to get the same sort of scrutiny.
• Software is critical to every facet of our lives – the world has woken up to that.

As developers, we’re on the front line

Thank you
Any questions?

 
Locking the Doors -7 Pernicious Pitfalls to avoid with Java
Locking the Doors -7 Pernicious Pitfalls to avoid with JavaLocking the Doors -7 Pernicious Pitfalls to avoid with Java
Locking the Doors -7 Pernicious Pitfalls to avoid with Java
 
Dashboards and Culture: How Openness Changes Your Behaviour
Dashboards and Culture: How Openness Changes Your BehaviourDashboards and Culture: How Openness Changes Your Behaviour
Dashboards and Culture: How Openness Changes Your Behaviour
 
QCon London - Java at Scale
QCon London - Java at ScaleQCon London - Java at Scale
QCon London - Java at Scale
 

Último

Why Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire businessWhy Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire businesspanagenda
 
Mcleodganj Call Girls 🥰 8617370543 Service Offer VIP Hot Model
Mcleodganj Call Girls 🥰 8617370543 Service Offer VIP Hot ModelMcleodganj Call Girls 🥰 8617370543 Service Offer VIP Hot Model
Mcleodganj Call Girls 🥰 8617370543 Service Offer VIP Hot ModelDeepika Singh
 
presentation ICT roal in 21st century education
presentation ICT roal in 21st century educationpresentation ICT roal in 21st century education
presentation ICT roal in 21st century educationjfdjdjcjdnsjd
 
Vector Search -An Introduction in Oracle Database 23ai.pptx
Vector Search -An Introduction in Oracle Database 23ai.pptxVector Search -An Introduction in Oracle Database 23ai.pptx
Vector Search -An Introduction in Oracle Database 23ai.pptxRemote DBA Services
 
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data DiscoveryTrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data DiscoveryTrustArc
 
Polkadot JAM Slides - Token2049 - By Dr. Gavin Wood
Polkadot JAM Slides - Token2049 - By Dr. Gavin WoodPolkadot JAM Slides - Token2049 - By Dr. Gavin Wood
Polkadot JAM Slides - Token2049 - By Dr. Gavin WoodJuan lago vázquez
 
Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024
Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024
Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024Victor Rentea
 
Elevate Developer Efficiency & build GenAI Application with Amazon Q​
Elevate Developer Efficiency & build GenAI Application with Amazon Q​Elevate Developer Efficiency & build GenAI Application with Amazon Q​
Elevate Developer Efficiency & build GenAI Application with Amazon Q​Bhuvaneswari Subramani
 
Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...
Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...
Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...Orbitshub
 
DEV meet-up UiPath Document Understanding May 7 2024 Amsterdam
DEV meet-up UiPath Document Understanding May 7 2024 AmsterdamDEV meet-up UiPath Document Understanding May 7 2024 Amsterdam
DEV meet-up UiPath Document Understanding May 7 2024 AmsterdamUiPathCommunity
 
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...Jeffrey Haguewood
 
DBX First Quarter 2024 Investor Presentation
DBX First Quarter 2024 Investor PresentationDBX First Quarter 2024 Investor Presentation
DBX First Quarter 2024 Investor PresentationDropbox
 
WSO2's API Vision: Unifying Control, Empowering Developers
WSO2's API Vision: Unifying Control, Empowering DevelopersWSO2's API Vision: Unifying Control, Empowering Developers
WSO2's API Vision: Unifying Control, Empowering DevelopersWSO2
 
Exploring Multimodal Embeddings with Milvus
Exploring Multimodal Embeddings with MilvusExploring Multimodal Embeddings with Milvus
Exploring Multimodal Embeddings with MilvusZilliz
 
Corporate and higher education May webinar.pptx
Corporate and higher education May webinar.pptxCorporate and higher education May webinar.pptx
Corporate and higher education May webinar.pptxRustici Software
 
Six Myths about Ontologies: The Basics of Formal Ontology
Six Myths about Ontologies: The Basics of Formal OntologySix Myths about Ontologies: The Basics of Formal Ontology
Six Myths about Ontologies: The Basics of Formal Ontologyjohnbeverley2021
 
ICT role in 21st century education and its challenges
ICT role in 21st century education and its challengesICT role in 21st century education and its challenges
ICT role in 21st century education and its challengesrafiqahmad00786416
 
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost SavingRepurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost SavingEdi Saputra
 
Boost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdfBoost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdfsudhanshuwaghmare1
 
Apidays New York 2024 - Passkeys: Developing APIs to enable passwordless auth...
Apidays New York 2024 - Passkeys: Developing APIs to enable passwordless auth...Apidays New York 2024 - Passkeys: Developing APIs to enable passwordless auth...
Apidays New York 2024 - Passkeys: Developing APIs to enable passwordless auth...apidays
 

Último (20)

Why Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire businessWhy Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire business
 
Mcleodganj Call Girls 🥰 8617370543 Service Offer VIP Hot Model
Mcleodganj Call Girls 🥰 8617370543 Service Offer VIP Hot ModelMcleodganj Call Girls 🥰 8617370543 Service Offer VIP Hot Model
Mcleodganj Call Girls 🥰 8617370543 Service Offer VIP Hot Model
 
presentation ICT roal in 21st century education
presentation ICT roal in 21st century educationpresentation ICT roal in 21st century education
presentation ICT roal in 21st century education
 
Vector Search -An Introduction in Oracle Database 23ai.pptx
Vector Search -An Introduction in Oracle Database 23ai.pptxVector Search -An Introduction in Oracle Database 23ai.pptx
Vector Search -An Introduction in Oracle Database 23ai.pptx
 
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data DiscoveryTrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
 
Polkadot JAM Slides - Token2049 - By Dr. Gavin Wood
Polkadot JAM Slides - Token2049 - By Dr. Gavin WoodPolkadot JAM Slides - Token2049 - By Dr. Gavin Wood
Polkadot JAM Slides - Token2049 - By Dr. Gavin Wood
 
Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024
Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024
Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024
 
Elevate Developer Efficiency & build GenAI Application with Amazon Q​
Elevate Developer Efficiency & build GenAI Application with Amazon Q​Elevate Developer Efficiency & build GenAI Application with Amazon Q​
Elevate Developer Efficiency & build GenAI Application with Amazon Q​
 
Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...
Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...
Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...
 
DEV meet-up UiPath Document Understanding May 7 2024 Amsterdam
DEV meet-up UiPath Document Understanding May 7 2024 AmsterdamDEV meet-up UiPath Document Understanding May 7 2024 Amsterdam
DEV meet-up UiPath Document Understanding May 7 2024 Amsterdam
 
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
 
DBX First Quarter 2024 Investor Presentation
DBX First Quarter 2024 Investor PresentationDBX First Quarter 2024 Investor Presentation
DBX First Quarter 2024 Investor Presentation
 
WSO2's API Vision: Unifying Control, Empowering Developers
WSO2's API Vision: Unifying Control, Empowering DevelopersWSO2's API Vision: Unifying Control, Empowering Developers
WSO2's API Vision: Unifying Control, Empowering Developers
 
Exploring Multimodal Embeddings with Milvus
Exploring Multimodal Embeddings with MilvusExploring Multimodal Embeddings with Milvus
Exploring Multimodal Embeddings with Milvus
 
Corporate and higher education May webinar.pptx
Corporate and higher education May webinar.pptxCorporate and higher education May webinar.pptx
Corporate and higher education May webinar.pptx
 
Six Myths about Ontologies: The Basics of Formal Ontology
Six Myths about Ontologies: The Basics of Formal OntologySix Myths about Ontologies: The Basics of Formal Ontology
Six Myths about Ontologies: The Basics of Formal Ontology
 
ICT role in 21st century education and its challenges
ICT role in 21st century education and its challengesICT role in 21st century education and its challenges
ICT role in 21st century education and its challenges
 
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost SavingRepurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
 
Boost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdfBoost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdf
 
Apidays New York 2024 - Passkeys: Developing APIs to enable passwordless auth...
Apidays New York 2024 - Passkeys: Developing APIs to enable passwordless auth...Apidays New York 2024 - Passkeys: Developing APIs to enable passwordless auth...
Apidays New York 2024 - Passkeys: Developing APIs to enable passwordless auth...
 

Cybercrime and the developer 2021 style

  • 1. Cybercrime and the Developer: How to defend against the darker side. @spoole167
  • 2. Steve Poole, Developer Advocate, Sonatype. @spoole167
  • 3. Take away one thing: as a developer, security is your problem. @spoole167
  • 4. Who uses wifi? Ever thought about how it works? @spoole167
  • 5. Would you notice one of these on the wall? @spoole167
  • 6. With some simple h/w it's easy to spoof the wifi. @spoole167
  • 7. How safe is your data now? @spoole167
  • 8. Of course, most of us don't know. @spoole167
  • 9. The world runs on software. @spoole167
  • 10. And software is under attack. @spoole167
  • 11. 5 years ago I said things like this: @spoole167
  • 12. Organized Cybercrime is the most profitable type of crime.
    Cybercrime was estimated to be worth 445 Billion Dollars a Year.
    The United Nations Office on Drugs and Crime (UNODC) estimated the global illicit drug trade was worth 435 Billion Dollars.
    • Guess which one has the least risk to the criminal?
    • Guess which is growing the fastest?
    • Guess which one is the hardest to prosecute?
    • Guess which one is predicted to reach 2100 Billion Dollars by 2019?
    • Guess which one is predicted to reach 6000 Billion Dollars by 2021?
    @spoole167
  • 13. (Chart: Cybercrime vs Drug trade, 2013 to 2021, 0 to 6000 Billion Dollars.)
  • 14. What's the status today? @spoole167
  • 15. It's much worse than predicted… As a developer your world is going to change rapidly. @spoole167
  • 16. Weaponised Cybercrime: Nation states are preparing for the next war – and that's all about software. @spoole167
  • 17. Cyber Attacks are rising in number and sophistication. The aim is to infiltrate infrastructure and essential services… @spoole167
  • 18. So they can manipulate or disable. @spoole167
  • 19. Cybercriminals used to search for vulnerabilities to exploit.
  • 20. Now they make their own.
    • Typosquatting: a lookalike domain or dependency with one or two wrong or different characters.
    • Open source repo attacks: attempts to get malware or weaknesses added into dependency source via social engineering or tools.
    • Build tool attacks: attempts to get malware into the tools that are used to produce dependencies.
    • Dependency confusion: attempts to get a different version added into a binary repository, often "latest".
    @spoole167
  • 22. Most applications are 90% open source. (Diagram: Payroll App V1 and its Dependencies.)
  • 23. Bad guys still look for weaknesses. (Diagram: Payroll App V1 and its Dependencies.)
  • 24. But now they are adding their own. (Diagram: Payroll App V1 with Dependencies, Tools, Runtimes, Platforms, Code generators.)
  • 25. Many are designed to stay hidden until needed. (Diagram: Payroll App V1 with Dependencies, Tools, Runtimes, Platforms, Code generators.)
  • 26. (Image only.)
  • 27. Let me tell you a story.
  • 28. Got one of these? @spoole167
  • 29. Got one of these in it? $2 from China.
  • 30. This new phase of cyber attacks is:
    • state funded
    • professionally developed
    • regularly exercised
    • very sophisticated
    • and extremely lucrative
  • 31. 2021 – 6 trillion dollars. 2022 – ? @spoole167
  • 32. 2021 – 6 trillion dollars. 2022 – 35 trillion dollars? @spoole167
  • 33. 2021 – 6 trillion dollars. 2022 – 35 trillion dollars? @spoole167
  • 35. What can you do? @spoole167
  • 36. 1: Think about the supply chain. @spoole167
  • 38. The Executive Order:
    • recognizes the need to form a united front against "malicious cyber actors"
    • outlines a direction for closer working between all parts of the software industry
    • adds new requirements on software vendors selling to the US government
    • will change how we produce and consume software
    @spoole167
  • 39. Hardening the software supply chain: every product
    • has an SBOM
    • uses an automatic supply chain process
    • has evidence of software integrity
    • has evidence of an automatic vulnerability check process
    • has a vulnerability disclosure program
    • has evidence of the provenance of all software used
    • demonstrates strong controls over the use of internal and third-party software and services
    • demonstrates regular audit processes
    @spoole167
  • 40. SBOM – the new important term on the horizon: cyclonedx.org, spdx.dev @spoole167
  • 42. Tracking dependencies relies on tools that analyze the end result. (Diagram: Payroll App V1, Web Server 05.1.2, Acme Framework 2.1.) @spoole167
  • 43. Which relies on transparency. (Diagram: Payroll App V1, Web Server 05.1.2, Acme Framework 2.1.) @spoole167
  • 44. Which can be problematic: incomplete data, opaque dependencies. (Diagram: Payroll App V1, Web Server 05.1.2, Acme Framework.) @spoole167
  • 45. And is always incomplete, or even faked. What's in the runtimes? What tools were used to build? (Diagram: Payroll App V1, Web Server 05.1.2, Acme Framework.) @spoole167
  • 46. SBOMs are intended to cover 'everything': all componentry and environmental information. (Diagram: Payroll App V1, Web Server 05.1.2, Acme Framework, Runtime V2, OS V3.4, Compiler V9, CI/CD V2, OS V6, Compiler.)
  • 48. SBOMs raise awareness of issues. (Diagram: product 3.1 with dependency refs to Foo 1.1 and Bar 2.1.) @spoole167
  • 49. SBOMs raise awareness of issues. (Diagram: the same tree, where each dependency ref now carries a url and a SHA1024 hash, the product carries a URL and a SHA1024 hash, and the SBOM carries a signature.) @spoole167
  • 50. Means more fixes to apply. (Diagram: the same tree extended with the build environment, each entry with a url and SHA: Gcc 3.6, RHEL, zip, Jenkins, Github action.)
  • 51. Since SBOMs inherit from dependencies. (Diagram: 1.1, url, SHA1024.)
  • 52. More info is available. (Diagram: 1.1, url, SHA1024.)
  • 53. More updates, more often, all the time. (Diagram: 1.1, url, SHA1024.)
  • 54. Time to EXPLOIT? (Chart: Average Days to Exploit by Year of Date Reported, 2006 to 2015 plus 2017, y-axis 0 to 50, with averages marked at 45 and 15 days. Source: adapted from IBM X-Force / analysis by Gartner Research, September 2016.) @spoole167
  • 56. 2 days. Oh wait, that was 2016 – what's the number now?
  • 59. The way you build software is going to change.
    • You can expect every government to follow suit on this sort of initiative.
    • Even if you're not selling directly, you could be in a chain that is.
    • The prediction is that by 2025 every software vendor, open source project etc. will have to provide this proof.
    • Manual anything is going to be problematic.
    @spoole167
  • 60. You will need to be able to:
    • track back exactly how, where and with what your s/w was built
    • deal with an increase in the number of reported vulnerabilities
    • build your s/w automatically at a moment's notice
    • provide your 'SBOM' to others
    The next wave is moving from IaC to EaC (Everything as Code).
  • 61. 3: Lower your trust levels. @spoole167
  • 62. The way you choose open source software is going to change.
    • What do you do if an open-source component you rely on doesn't comply?
    • How much risk are you willing to take?
    • Even if they say yes, how much can you trust them?
    • Do they have an SBOM? What's their ability to provide updates? What's their security posture?
    No more "is it free and does it do what I want?" @spoole167
  • 63. Evaluating open-source projects means more than checking their license:
    • License
    • Vulnerability reporting process
    • Development process (how do they review contributions?)
    • Build process – is it secure? Who can trigger it?
    • General assessment of their quality (MTTU)
    @spoole167
  • 65. Exploitation often comes from simple mistakes.
    • Clean code
    • Defensive architecture
    • Comprehensive tests
    • Exception path testing
    • Useful error messages
    • Test dependencies
    • Compartmentalisation of data
    • Secured pipelines
    • No 'dev mode'
    • Code reviews
    • Thinking defensively…
  • 66. And poor behavior. Ever googled for:
    • "very trusting trust manager"
    • "Getting Java to accept all certs over HTTPS"
    • "How to Trust Any SSL Certificate"
    • "Disable Certificate Validation in Java"
  • 67. We've found 72,609 code results:
    • AlwaysValidTrustManager
    • TrustAllServersWrappingTrustManager
    • "A very friendly, accepting trust manager factory. Allows anything through."
    • "all kind of certificates are accepted and trusted."
    • "A very trusting trust manager that accepts anything"
    • "// Install the all-trusting trust manager"
    • OverTrustingTrustProvider
    • AllTrustingSecurityManagerPlugin.java
    • AcceptingTrustManagerFactory.java
    • AllTrustingCertHttpRequester.java
  • 68. And poor behavior: `curl --insecure`, `wget --no-check-certificate`, `sudo apt-get --allow-unauthenticated` @spoole167
  • 69. And poor behavior: `curl --insecure`, `wget --no-check-certificate`, `sudo apt-get --allow-unauthenticated`
  • 70. And by not understanding the code and tools we use:
    • "I thought I was using the tool correctly"
    • "I didn't realize what the default setting was"
    • "I trusted the tool to do the right thing"
    @spoole167
  • 71. If you contribute to open source:
    • Take these behaviors with you
    • Think about software safety
    • Think defensively
    @spoole167
  • 72. Summary
    • Cyber attacks have entered a new and aggressive phase.
    • Automated, evidence-based, everything-as-code is the direction.
    • Open Source is still the primary vector.
    • Risk of attack is rising dramatically.
    • BYO pipelines will get replaced by commercial ones.
    • Consuming open source directly will reduce. You'll pay for trusted versions.
    • How we write code must change.
    • How we work with other developers will change.
  • 73. Takeaways
    • The days of just taking software off the shelf are numbered: choose software based on how it's produced, not just what it does.
    • Evidence-based trust will become essential: your own supply chain – the software you use, how you develop, how you deploy – will become a certified step in someone else's evidence chain.
    • A complex and challenging new world lies ahead. GDPR changed how we think about and deal with user information – supply chains are going to get the same sort of scrutiny.
    • Software is critical to every facet of our lives – the world has woken up to that.
    @spoole167
  • 74. As developers, we're on the front line. @spoole167
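The checks the deck describes on slides 20 and 44 to 52, worked through as an added example that is not part of the talk: flag dependency names one or two characters away from a known name (typosquatting), flag floating versions such as "latest" (dependency confusion), and treat an SBOM entry as incomplete unless it carries a url and a hash that matches the artifact actually fetched. The `Component` model, the `KNOWN_GOOD` allow-list, the repo.example URLs and the artifact bytes are all constructed for the example; the SBOM shape is a minimal stand-in, not CycloneDX or SPDX.

```python
# Dependency-intake checks over a minimal SBOM-style component list (constructed data).
import hashlib
from dataclasses import dataclass
from typing import Dict, List, Optional

# Hypothetical allow-list: the well-known names this team actually depends on.
KNOWN_GOOD = {"log4j-core", "spring-boot", "jackson-databind", "requests"}
# Version strings that are resolved at build time rather than pinned.
FLOATING_VERSIONS = {"latest", "LATEST", "RELEASE", "*"}

@dataclass
class Component:
    # One SBOM entry: name, version, and (ideally) where it came from and its hash.
    name: str
    version: str
    url: Optional[str] = None
    sha256: Optional[str] = None

def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance: single-character inserts, deletes and substitutions."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def lookalike_of(name: str, known=KNOWN_GOOD, max_edits: int = 2) -> Optional[str]:
    """Known name within max_edits of this one (an exact match is not a lookalike), else None."""
    if name in known:
        return None
    dist = {k: edit_distance(name.lower(), k.lower()) for k in known}
    close = [k for k, d in dist.items() if d <= max_edits]
    return min(close, key=dist.get) if close else None

def check_component(c: Component, artifact: Optional[bytes]) -> List[str]:
    """Return findings for one component; an empty list means it passed every check."""
    findings = []
    target = lookalike_of(c.name)
    if target:
        findings.append(f"possible typosquat: {c.name!r} resembles {target!r}")
    if c.version in FLOATING_VERSIONS:
        findings.append(f"floating version {c.version!r}: not pinned, whatever resolves gets used")
    if not c.url or not c.sha256:
        findings.append("incomplete SBOM entry: missing url or hash")
    elif artifact is None:
        findings.append("opaque dependency: no artifact available to verify the hash")
    elif hashlib.sha256(artifact).hexdigest() != c.sha256.lower():
        findings.append("integrity failure: artifact hash does not match SBOM")
    return findings

def check_sbom(components: List[Component], artifacts: Dict[str, bytes]) -> Dict[str, List[str]]:
    """Run the checks over a whole SBOM; artifacts maps name -> bytes fetched from its url."""
    return {c.name: check_component(c, artifacts.get(c.name)) for c in components}

# Constructed sample data: the bytes stand in for a downloaded jar.
GOOD_BYTES = b"constructed jar contents"
GOOD_SHA = hashlib.sha256(GOOD_BYTES).hexdigest()
SAMPLE_SBOM = [
    Component("jackson-databind", "2.12.3", "https://repo.example/jackson.jar", GOOD_SHA),
    Component("jackson-databnid", "2.12.3", "https://repo.example/jackson.jar", GOOD_SHA),
    Component("spring-boot", "latest"),
    Component("log4j-core", "2.14.1", "https://repo.example/log4j.jar", "0" * 64),
]
SAMPLE_ARTIFACTS = {"jackson-databind": GOOD_BYTES, "jackson-databnid": GOOD_BYTES,
                    "log4j-core": b"not what the SBOM recorded"}

if __name__ == "__main__":
    for name, findings in check_sbom(SAMPLE_SBOM, SAMPLE_ARTIFACTS).items():
        print(name, "->", findings or "clean")
```

Of the four constructed entries only `jackson-databind` comes back clean; the lookalike, the floating version with no provenance, and the tampered artifact are each reported separately so the reviewer sees which slide's failure mode applies.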