By Sven Ruppert
He has been working for over 15 years as a consultant worldwide in industries such as automotive, space, insurance, banking, the UN and the World Bank. In addition to his main topic, DevSecOps, he works on mutation testing of web apps and distributed unit testing, alongside his evergreen topics Core Java and Kotlin.
Sven Ruppert, Oct 08, 2021
The Power of #JFrog Build Info (Build Metadata)
This episode is also available as a blog post: https://svenruppert.com/2021/10/08/the-power-of-jfrog-build-info-build-metadata/
This video will take a detailed look at what the term build-info is all about and why it will help us protect against attacks such as the SolarWinds hack.
What is the concept behind the term - build-info?
Let's start at the very beginning and clarify the basic principle behind the term build-info. The term build-info has been used for many years by the company JFrog, among others. It refers to a particular type of repository. This repository stores the information that describes the context that led to the creation of a binary file. With this information, you can achieve a wide variety of things.
What components does build-info consist of?
The content of a build-info is not strictly defined. Instead, the approach that applies is: the more, the better. Of course, you have to proceed with caution here too. All available parameters are collected: from the date and time, the system on which the process was run and the operating system and its patch level, to active environment variables, compiler switches and library versions. The challenge is that it is not known in advance which information will later be helpful. For this reason, more rather than less should be saved.
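To make the idea concrete, here is an added example (not code from the original post and not JFrog's build-info implementation) of what such a record can look like and what it is later used for: a build collects its context and the digest of the artifact it produced, a deployment checks a binary against that digest, and two records can be diffed to see which input changed. All field names, the sample artifact, the dependency names and the environment values are constructed for this example.

```python
import hashlib
import json
import platform
from datetime import datetime, timezone
from typing import Dict, List, Optional

# Constructed sample input: a fake artifact and the inputs of the build that produced it.
SAMPLE_ARTIFACT = b"PK\x03\x04 example-app-1.0.0.jar contents (constructed)"
SAMPLE_ENV = {"JAVA_HOME": "/opt/jdk-17", "CI": "true"}
SAMPLE_DEPS = {"example-lib": "1.0.0", "example-logging": "2.3.1"}
SAMPLE_FLAGS = ["-Xlint:all", "-Werror"]


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def collect_build_info(artifact_name: str, artifact: bytes, environment: Dict[str, str],
                       dependencies: Dict[str, str], compiler_flags: List[str],
                       build_time: Optional[str] = None) -> dict:
    """Assemble one build-info record: when and where the build ran, which inputs
    went in, and the digest of what came out. The field names are this example's own."""
    return {
        "name": artifact_name,
        "started": build_time or datetime.now(timezone.utc).isoformat(),
        "agent": {  # the machine the build ran on
            "system": platform.system(),
            "release": platform.release(),
            "python": platform.python_version(),
        },
        "environment": dict(sorted(environment.items())),
        "compiler_flags": list(compiler_flags),
        "dependencies": dict(sorted(dependencies.items())),
        "artifacts": [
            {"name": artifact_name, "size": len(artifact), "sha256": sha256_hex(artifact)}
        ],
    }


def verify_artifact(build_info: dict, artifact_name: str, artifact: bytes) -> bool:
    """True only if the artifact still matches the size and digest recorded at build time.
    A binary that was swapped or patched after the build fails this check."""
    for entry in build_info["artifacts"]:
        if entry["name"] == artifact_name:
            return entry["size"] == len(artifact) and entry["sha256"] == sha256_hex(artifact)
    return False


def diff_build_info(old: dict, new: dict) -> List[str]:
    """List every recorded input that differs between two builds, so a reviewer can see
    which dependency, flag or environment variable changed before the output changed."""
    changes = []
    for section in ("dependencies", "environment"):
        for key in sorted(set(old[section]) | set(new[section])):
            before, after = old[section].get(key), new[section].get(key)
            if before != after:
                changes.append(f"{section}.{key}: {before!r} -> {after!r}")
    if old["compiler_flags"] != new["compiler_flags"]:
        changes.append(f"compiler_flags: {old['compiler_flags']} -> {new['compiler_flags']}")
    return changes


if __name__ == "__main__":
    info = collect_build_info("example-app-1.0.0.jar", SAMPLE_ARTIFACT, SAMPLE_ENV,
                              SAMPLE_DEPS, SAMPLE_FLAGS)
    print(json.dumps(info, indent=2))
    print("artifact verifies:", verify_artifact(info, "example-app-1.0.0.jar", SAMPLE_ARTIFACT))
```

The record is only useful if it is written by the build itself and stored somewhere the build agent cannot later rewrite; the diff between the build-info of a good release and a suspicious one is exactly the kind of reconstruction the text describes.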
Why do we actually need a build-info?
The task of a build-info is to enable the observation, or rather the analysis, of a past situation. There can be a variety of reasons for this. For example, it can be used to improve quality, or it can be the basis for reconstructing a cyber attack that has taken place. And with that, we come straight to the event that got everything rolling in the recent past.
Trigger - SolarWinds Hack
One or the other will have heard or read something about it. We are talking about one of the most significant cyberattacks that have ever taken place: the SolarWinds hack. Here it was not the final target that was attacked directly, but a point in the supply chain. SolarWinds is a software company that provides a product for managing network infrastructure. With just over 300,000 customers worldwide, this software's automatic update process was the target of the attack. It was not the update process itself that was compromised, but the creation of the binaries that are distributed through this update process. The attack took place on the company's CI pipeline, so that every build immediately infected the newly created binaries. The CI pipeline was manipulated so that another component was added to the binary being generated. This component can be thought of as a kind of initial charge. As soon as it was ignited, or activated, further components were dynamically reloaded. As a result, each infection took a different form. These files were then offered to all customers by means of an automatic update. Thus, over 15,000 systems were infiltrated within a short time.
SolarWinds hack and the Executive Order from Mr Biden — And now?
In the past two years, we have had to learn a lot about cybersecurity. The new attack vectors are becoming more and more sophisticated and are directed more and more against the value chain in general. But what does that mean for us? What can be done about it, and what reactions has the state already taken?
Let's start with the story that got all of this rolling and made sure that general attention was drawn to the vulnerabilities of the available IT infrastructure. We're talking about the SolarWinds hack. What happened here, and, more importantly, what are the lessons learned from this incident?
It is essential to know that the SolarWinds company produces software that is used to manage network infrastructure. Under the name "Orion Platform", this software is meant to help manage and administer network components efficiently. If you look at the product description on the SolarWinds website, you can read that the software can monitor, analyse, and manage the network infrastructure. And that's exactly what the customers did. The company itself has around 300,000 customers worldwide, including individual companies as well as government organisations and corporations from a wide variety of areas. To always stay up to date, the software platform includes an automatic update mechanism. And that was exactly what the attackers were after. They saw in the SolarWinds company a multiplier for their own activities. But how can you go about this? The attackers obtained the necessary software tools by breaking into the FireEye company and infiltrating the SolarWinds network. The goal was the software development department in which the binaries of the Orion platform are created. Here, the CI pipelines were manipulated to include compromised binaries in every build of the software. As a result, the company produced these binaries and put them into circulation through the automatic update process. In this way, around 18,000 targets could be infiltrated and compromised within a short time.
What does that mean for us now? ...
This episode is also available as a blog post: https://svenruppert.com/2021/07/27/solarwinds-hack-and-the-executive-order-from-mr-biden-and-now/
What is the difference between SAST, DAST, IAST and RASP?
This episode is also available as a blog post: https://svenruppert.com/2021/07/19/what-is-the-difference-between-sast-dast-iast-and-rasp/
This video will explain the differences between the individual cybersecurity defence techniques #SAST #DAST #IAST and #RASP.
#SAST - Static Application Security Testing
SAST is a so-called white-box process. The code is visible and does not have to be running; that is why we speak of "static". The tests can identify three types of security threats. First, there are exploitable loopholes; for example, "tainted code" can be injected. Second, some lines can be associated with files or particular classes of objects; here, too, the focus is on the smuggling in of malware. Third, there are gaps at the application level: can the code be used to interact with third-party programs unnoticed?
#DAST - Dynamic Application Security Testing
Loosely translated, DAST means something like "dynamic security testing of applications". Specifically, a scanner connects to the application in question and simulates external attacks while it is running. This is where the term "dynamic" comes from. Since the application is attacked from the outside, DAST is a black-box process: the code itself is invisible to the testing software.
#IAST - Interactive Application Security Testing
IAST uses software tools to evaluate application behaviour and identify vulnerabilities. IAST takes an "agent-like" approach: agents and sensors run continuously to analyse application functions during automated tests, manual tests, or a mixture of both.
The process and feedback occur in real time in the IDE, the Continuous Integration (CI) environment, quality assurance, or production. The sensors have access to:
+ Complete source code
+ Data and control flow
+ System configuration data
+ Web components
+ Backend connection data
#RASP - Runtime Application Self Protection
RASP is the approach of securing the application from within. The protection takes place at runtime and generally consists of looking for suspicious commands when they are executed. With the RASP approach, you can examine the entire context of the application on the production machine and in real time. All commands that are processed are examined for possible attack patterns. This procedure therefore aims to identify known security gaps and attack patterns as well as those that are not yet known.
Have fun - Cheers Sven
The Lifeline of a Vulnerability
Again and again, we read something in the IT news about security gaps that have been found. The more severe the classification of a loophole, the more attention the information gets in the general press. Most of the time, you don't even hear or read anything about all the security holes that are not as well known as, for example, the SolarWinds hack. But what is the typical lifeline of such a security gap?...
This episode is also available as a blog post: https://svenruppert.com/2021/06/25/the-lifeline-of-a-vulnerability/
Delegation Versus Inheritance In Graphical User Interfaces
In this article, we will look at the difference between the inheritance and delegation concepts. Or, to put it better, why I prefer delegation and why I want to emphasize this rarely-used feature in Java.
The challenge we face today is quite common in the field of graphical user interfaces, whether desktop or web apps. Java is widely used as the development language for both worlds, and it does not matter whether we are in classic Swing, JavaFX, or the field of web frameworks like Vaadin. I've deliberately opted for a pseudo-class model in core Java, as I'd like to look at the design patterns here without any technical details.
The goal is to create a custom component that consists of a text input field and a button. Both elements should be displayed next to each other, i.e. in a horizontal layout. The respective components have no function in this example. Here I want to focus exclusively on the differences between inheritance and delegation.....
This episode is also available as a blog post: https://svenruppert.com/2021/02/18/delegation-versus-inheritance-in-graphical-user-interfaces/
CVSS – explained – the Basics
This episode is also available as a blog post: https://svenruppert.com/2021/04/07/cvss-explained-the-basics/
What is the Common Vulnerability Scoring System, CVSS for short, who is behind it, what do we do with it, and what does a CVSS value mean for you? I will explain how a CVSS score is calculated, what its different elements mean, and what the differences between the CVSS versions are.
The Basic Idea Of CVSS
The basic idea behind CVSS is to provide a general classification of the severity of a security vulnerability. This is about the classification and evaluation of weak points. But what does the abbreviation CVSS mean? ...
DevSecOps – Be Independent Again
What do the effects that the news of the last few months can have got to do with risk management and stockpiling, and why is that an elementary component of DevSecOps?
Again and again, changes happen that set things in motion that were considered settled. In some cases, services or products had been freely available for many years, or the type of restriction had not changed. I am taking one of the latest changes as an occasion to show the resulting behaviour and to formulate solutions that help you deal with it.
This episode is also available as a blog post: https://svenruppert.com/2021/02/12/devsecops-be-independent-again/
A Challenge of the Software Distribution
Software development is becoming more and more dependent on dependencies, and the frequency of deployments is increasing. Both trends together push each other higher. Another element that turns the delivery of software into a network bottleneck is the usage of compound artefacts. And the last trend that is working against us is the exploding number of edges, or better called edge nodes. All four trends together are a challenge for the infrastructure. But what can we do about it?
This episode is also available
- as a blog post: https://svenruppert.com/2021/02/14/a-challenge-of-the-software-distribution/
- or on youtube in English: https://youtu.be/VSLZ4Q6ELEk
- or on youtube in German: https://youtu.be/IzKc_gffiYk
The quick Wins of DevSecOps
Hello and welcome to my DevSecOps series. Here in Germany, it's winter right now, and the forests are quiet. The snow slows down everything, and it's a beautiful time to move undisturbed through the woods. Here you can pursue your thoughts, and I had to think about a subject that customers or participants at conferences ask me about repeatedly. The question is almost always: What are the quick wins or low-hanging fruit if you want to deal more with the topic of security in software development? And I want to answer this question right now!
This episode is also available as a blog post: https://svenruppert.com/2021/01/28/the-quick-wins-of-devsecops/