Black Hat is best known for its traditional hardware and software exploits, but this year it features more software supply chain security issues, marking the shift in the threat landscape.
Black Hat, the annual gathering of hackers and information security professionals in Las Vegas, kicks off next week – the 25th such gathering. This comes after two years of COVID-inspired cancellations and delays. Over the years, Black Hat and its sister conference, DEF CON, have made headlines by showcasing high-level hardware and software exploits – from Cisco routers and ATMs to enterprise platforms such as Oracle, SQL Server and Active Directory.
You can also find many of these conferences this year. But they will share the stage with a growing body of discussion about cyber threats, vulnerabilities, and potential attacks on developers, open source modules, and the underlying infrastructure supporting modern DevOps organizations. Together, the talks mark a shift in the threat landscape and the growing importance of security threats to the software supply chain.
Here are the discussions related to software development and supply chain risk, as well as some of the themes that emerged.
Development teams in the crosshairs
The security of the tools and platforms used by DevOps organizations is a clear theme in this year’s Black Hat Briefings, with a number of discussions addressing specific threats to source code management systems for open source and closed source software. .
On Wednesday, for example, NCC Group researchers Iain Smart and Viktor Gazdag will present their talk, RCE-as-a-Service: Lessons Learned from 5 Years of Real-World CI/CD Pipeline Compromises. In the talk, the two years of leverage work tests the security of development groups within a range of organizations — from small businesses to Fortune 500 companies.
Describing CI/CD pipelines as “the most dangerous potential attack surface in your software supply chain”, the duo will argue that these development platforms are the crown jewel of any company’s IT infrastructure, providing attackers a way to transform tools intended to accelerate software. development into a malicious “Remote Code Execution-as-a-Service” platform. The pair will also talk about the best approach to defend CI/CD pipelines against attacks and compromises.
Also picking up on the theme of “threats to DevOps environments,” Thursday’s presentation by IBM X-Force researcher Brett Hawkins. Brett will explore the different ways source code management systems (SCM) such as GitHub Enterprise, GitLab Enterprise, and Bitbucket could be attacked and compromised.
Hawkins’ talk, Controlling the Source: Abusing Source Code Management Systems, presents research that has uncovered a variety of attack scenarios that can allow malicious actors to gain access to SCM systems. It will also release open source tools to facilitate SCM attacks, including reconnaissance, user role manipulation, repository takeovers, and spoofing. Hawkins will also provide guidance on how to defend SCM systems from attack.
Open source: risky business
Given the software industry‘s heavy reliance on open source software to facilitate development and the growing prevalence of threats and attacks via open source platforms and code, it is not surprising that open source cyber risk is another central theme of this year’s Black Hat Briefings. Data compiled by the firm Synopsys, for example, revealed that the average software application in 2021 depended on more than 500 open source libraries and components, up 77% in two years. Attackers have taken note. As noted, there have been numerous software supply chain attacks that have caused developers (and development teams) to rely heavily on open source repositories such as PyPi and npm.
The Black Hat Agenda picks up on this trend, with discussions that explore the risks posed by open source code and offer remedies.
For example, researchers Jonathan Leitschuh, Patrick Way, and Shyam Mehta use their discourse to tackle a key problem in open source security: how to adapt the security response to meet the challenge of massive open source platforms like GitHub. While modern tools could allow us to automate the analysis and identification of vulnerabilities, the outcome of these efforts often overwhelms simple homo sapiens tasked with assessing, triaging, and responding to the flood of identified flaws.
Leitschuh, Way and Mehta offer a solution: the automated generation of bulk pull requests, as well as tools such as OpenRewrite, developed by Netflix, which can help security teams adapt their security response. Check out their talk, Scaling the Security Researcher to Eliminate OSS Vulnerabilities Once and For All, Thursday at 3:20 p.m.
And, as companies unleash AI on the vast repository of open source code in hopes of developing coding bots that could one day replace developers, the presentation In Need of ‘Pair’ Review: Vulnerable Code Contributions by GitHub Copilot deserves your attention. The work of a group of researchers from NYU and the University of Calgary, the conference analyzes the results of “Copilot”, an “AI-based pair programmer” published by GitHub in 2021.
Copilot leverages a deep learning model trained on open source GitHub code. But, as the researchers note, much of that code “isn’t great.” And, as Microsoft learned with its AI-powered chatbot for Twitter, artificial intelligence is great at absorbing input and unraveling patterns, but terrible at assessing the underlying quality of information fed to it.
An analysis of the Copilot code revealed a high preponderance of common flaws, including SQL injection, buffer overflow, and use-after-free vulnerabilities. In fact, out of 1,689 suggestions generated in 89 different scenarios using the AI Copilot, the researchers found around 40% to be vulnerable.
The discussion has implications for development organizations looking to offload low-level coding work onto bots, of course. But the high density of flaws in the GitHub repositories is also a red flag for organizations that further scrutiny is needed to assess the quality and stability of open source components before dependencies are created, rather than after.
Developers: The Elephant in the Security Lounge
The elephant in the DevOps security room is, of course, the developer itself. While source code analysis tools can improve security assessments of proprietary and open source code, and vulnerability scans can identify flaws and weaknesses in developed code, the best security “patch” comes in the form of better-written, high-quality code.
This is the subject that researcher Adam Shostack addresses in his conference A Fully Trained Jedi, You Are Not, on Wednesday August 10 at 11:20 a.m. Shostack, an expert in threat modeling, secure development, and DevOps, talks about the “boil the ocean” problem that many organizations face when trying to train developers in the intricacies of secure development without sacrificing other priorities, such as developing usable code on time. and on the budget.
In this talk, Shostack explains how organizations can operationalize security training for developers. The goal is not to produce a team of “Jedi-grade” secure developers, but to improve the security awareness and skills of the broad population of developers, with the goal of reducing common security issues. but still prevalent that affect developed applications.
“A rebellion doesn’t work on a single Jedi,” Shostack notes. To this end, it will outline a “knowledge scaffolding and tiered approach to learning” that is scalable across development organizations.
*** This is a Security Bloggers Network syndicated blog from the ReversingLabs blog written by Paul Roberts. Read the original post at: https://blog.reversinglabs.com/blog/software-supply-chain-security-takes-center-stage-at-black-hat-2022