Shutting the proverbial back door to your networks “cuts the risks [of attacks] down tremendously”, said application security engineer Sean Wright at Friday’s All Day DevOps.
The keynote speaker urged security teams to have “appropriate access controls in place” in order to protect themselves against a 742% rise in ‘next generation’ supply chain attacks, a threat that has mushroomed since the SolarWinds incident rocked the open source ecosystem in December 2020.
Among other techniques, attackers are leveraging typosquatting, dependency confusion, malicious code injection, vulnerabilities within packages, protestware, and takeovers of package author accounts (the latter prompting package managers to implement multi-factor authentication (MFA)).
“Make sure that your servers are really well defined [in terms of] what and who they can speak to”, said Wright, who re-recorded his virtual keynote presentation after technical hiccups cut his live appearance short.
“Your servers should never, never ever have open outbound access”, Wright advised.
Many modern supply chain attacks “leverage the fact that many organizations do filter things coming in, but they never pay any attention to what’s going out”, added Wright.
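Wright's point is that inbound filtering is routine while outbound access is left wide open. The following is an added example, not code from the article or from Wright's talk: it parses `iptables-save` style output and reports whether the OUTPUT chain amounts to "open outbound access". Both dumps are constructed for the example, not captured from a real host; the 10.0.5.20 artifact proxy and 10.0.0.53 resolver addresses are placeholders.

```python
import re

# Constructed iptables-save dump (not captured from a real host): the OUTPUT
# chain defaults to ACCEPT with no allow-list, i.e. open outbound access.
OPEN_OUTBOUND = """\
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p tcp --dport 443 -j ACCEPT
COMMIT
"""

# Constructed dump of the same host after hardening: OUTPUT defaults to DROP and
# only replies, loopback, one internal artifact proxy and one DNS resolver
# (placeholder addresses) are allowed out.
RESTRICTED_OUTBOUND = """\
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p tcp --dport 443 -j ACCEPT
-A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -d 10.0.5.20/32 -p tcp --dport 443 -j ACCEPT
-A OUTPUT -d 10.0.0.53/32 -p udp --dport 53 -j ACCEPT
COMMIT
"""

POLICY_RE = re.compile(r"^:(\w+)\s+(ACCEPT|DROP|REJECT)\b")
RULE_RE = re.compile(r"^-A\s+(\w+)\s+(.*)$")


def parse_filter_table(dump):
    """Return ({chain: policy}, [(chain, rule_body)]) for the *filter table only."""
    policies, rules = {}, []
    in_filter = False
    for line in dump.splitlines():
        line = line.strip()
        if line.startswith("*"):  # table header, e.g. *filter / *nat
            in_filter = line == "*filter"
            continue
        if not in_filter or not line or line == "COMMIT" or line.startswith("#"):
            continue
        m = POLICY_RE.match(line)
        if m:
            policies[m.group(1)] = m.group(2)
            continue
        m = RULE_RE.match(line)
        if m:
            rules.append((m.group(1), m.group(2)))
    return policies, rules


def is_broad_accept(body):
    """True if a rule accepts traffic without pinning a destination address.

    Reply traffic (conntrack ESTABLISHED,RELATED) and loopback are expected in
    any default-deny egress policy and are not counted as broad.
    """
    if "-j ACCEPT" not in body:
        return False
    if "--ctstate" in body or "-o lo" in body:
        return False
    return not (body.startswith("-d ") or " -d " in body)


def audit_egress(dump):
    """Return a list of findings; an empty list means outbound access is restricted."""
    policies, rules = parse_filter_table(dump)
    findings = []
    # Built-in chains default to ACCEPT when no policy line is present.
    if policies.get("OUTPUT", "ACCEPT") == "ACCEPT":
        findings.append("OUTPUT policy is ACCEPT: any process can reach any host")
    for chain, body in rules:
        if chain == "OUTPUT" and is_broad_accept(body):
            findings.append(f"broad OUTPUT accept rule: -A OUTPUT {body}")
    return findings


if __name__ == "__main__":
    for label, dump in (("open", OPEN_OUTBOUND), ("restricted", RESTRICTED_OUTBOUND)):
        print(label, audit_egress(dump) or ["ok"])
```

Feeding real `iptables-save` output to `audit_egress` works the same way. The check only covers the packet filter: an nftables ruleset has a different text form, and an egress proxy or DNS policy is a separate control that this script does not see.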
The dramatic increase in the size of the open source ecosystem has persuaded attackers to diversify beyond attacking applications to targeting their upstream components too, he noted. If anything, Wright was surprised they did not do this sooner and at greater scale.
When a typical app has 20-30 dependencies, which themselves will often have 5-10 dependencies with something like 10,000 lines of code each, finding vulnerabilities is not so much a ‘needle in a haystack’ problem but a “needle in an open ocean” challenge, according to Wright.
Resources such as Google’s Open Source Insights are therefore invaluable. This “awesome” tool builds dependency graphs for open source packages, and annotates them with ownership, license, popularity, and other metadata.
Wright also recommended using Dependency-Track for a centralized view of your software bills of materials (SBOMs).
Purge your build system
The former software developer warned that, while package managers are quick to remove rogue packages from public repos, cached copies can linger, so developers should “purge” their private repos and local build systems.
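The attack techniques listed earlier (typosquatting, dependency confusion), the tree sizes Wright describes, and the point about pulled packages surviving in caches can all be checked against a resolved lockfile. The following is an added example, not code from the article or from Wright's talk: the package-lock-style graph, the "popular" name list, the `@acme/` scope, the `npm.internal.example` registry and the revoked-version list are all constructed for the example. `registry.npmjs.org` is the public npm registry.

```python
from collections import deque

# Constructed, package-lock-style graph (not a real project's lockfile):
# name -> resolved version, tarball URL and direct dependencies.
LOCK = {
    "web-app": {"version": "1.0.0", "resolved": "", "deps": [
        "lodash", "expres", "@acme/auth-lib", "colorize-helper"]},
    "lodash": {"version": "4.17.21", "deps": [],
               "resolved": "https://registry.npmjs.org/lodash/-/lodash-4.17.21.tgz"},
    "expres": {"version": "4.18.2", "deps": ["accepts"],
               "resolved": "https://registry.npmjs.org/expres/-/expres-4.18.2.tgz"},
    "accepts": {"version": "1.3.8", "deps": ["mime-types"],
                "resolved": "https://registry.npmjs.org/accepts/-/accepts-1.3.8.tgz"},
    "mime-types": {"version": "2.1.35", "deps": [],
                   "resolved": "https://registry.npmjs.org/mime-types/-/mime-types-2.1.35.tgz"},
    "@acme/auth-lib": {"version": "9.9.9", "deps": [],
                       "resolved": "https://registry.npmjs.org/@acme/auth-lib/-/auth-lib-9.9.9.tgz"},
    "colorize-helper": {"version": "2.0.1", "deps": [],
                        "resolved": "https://registry.npmjs.org/colorize-helper/-/colorize-helper-2.0.1.tgz"},
}

# Constructed reference data: a short list of widely used names to compare
# against, the organisation's private scope and registry (placeholders), and
# versions the public registry has since pulled (hypothetical; a real list
# would come from an advisory feed).
POPULAR = {"express", "lodash", "react", "axios", "chalk"}
INTERNAL_SCOPE = "@acme/"
INTERNAL_REGISTRY = "https://npm.internal.example/"
REVOKED = {("colorize-helper", "2.0.1")}


def edit_distance(a, b):
    """Levenshtein distance, used as a crude typosquat heuristic."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def resolve_tree(root):
    """Breadth-first walk from `root`; returns every reachable package once, cycles included."""
    seen, order = set(), []
    queue = deque(LOCK[root]["deps"])
    while queue:
        name = queue.popleft()
        if name in seen:
            continue
        seen.add(name)
        order.append(name)
        queue.extend(LOCK[name]["deps"])
    return order


def audit_lockfile(root):
    """Size the tree and flag typosquat lookalikes, dependency confusion and revoked versions."""
    tree = resolve_tree(root)
    findings = []
    for name in tree:
        entry = LOCK[name]
        # Typosquat heuristic: an unknown name within one edit of a well-known one.
        if name not in POPULAR:
            for known in sorted(POPULAR):
                if edit_distance(name, known) <= 1:
                    findings.append(("typosquat", f"{name} is one edit away from {known}"))
        # Dependency confusion: a private-scope package served by the public registry.
        if name.startswith(INTERNAL_SCOPE) and not entry["resolved"].startswith(INTERNAL_REGISTRY):
            findings.append(("dependency-confusion", f"{name} resolved from {entry['resolved']}"))
        # Pulled upstream but still resolvable here: caches need purging, not just the lockfile.
        if (name, entry["version"]) in REVOKED:
            findings.append(("revoked", f"{name}@{entry['version']} was pulled upstream; purge proxy and local caches"))
    return {"direct": len(LOCK[root]["deps"]), "total": len(tree), "findings": findings}


if __name__ == "__main__":
    report = audit_lockfile("web-app")
    print(f"{report['direct']} direct, {report['total']} total packages")
    for kind, detail in report["findings"]:
        print(f"[{kind}] {detail}")
```

The edit-distance check is deliberately crude and will produce false positives on short names; in practice the allow-list would be the organisation's own approved packages rather than a handful of popular ones, and the revoked set would be refreshed from an advisory feed before each build.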
He praised a raft of recent initiatives around bolstering the software supply chain – SLSA, Sigstore Cosign, NIST guidance, and OSSF Security Scorecards – but despite these resources there remains much work to do.
After all, the critical Log4j bug showed that organizations had failed to heed the lesson offered by the Apache Struts bug that trashed Equifax’s reputation in 2017 – “we’re finding 33% of downloads are still the vulnerable version”, he lamented.
“You wouldn’t typically allow any random stranger to commit code to your codebase,” Wright concluded. “But when we’re pulling down packages from random developers that’s exactly what we’re doing.”
All Day DevOps is a 24-hour software developer-focused conference. Presentations are still available to view on demand.
All Day DevOps: Third of Log4j downloads continue to use insecure versions despite threat of supply chain attacks