1 of 13

jOpenSpace 2024

Miloš Havránek

Software Engineer

linkedin.com/in/miloshavranek

L. Casei Securitas

2 of 13

L. Casei Securitas - Dev to Devs

  • Use common sense
  • Trust but verify
  • Don’t overreach
  • Magic tools alone won’t save you

3 of 13

Covered intensively

Blind spots

Not covered

4 of 13

External threats vs. Internal threats

How do you discover, or implant, an exploitable weakness in a system?

Requires:

  • Access
  • Knowledge

Obtained through:

  • People
  • Source code
  • Open-source dependencies
  • Public API

5 of 13

The more dependencies, the more Adidas

6 of 13

Know your dependencies...

7 of 13

Supply chain attack, MavenGate

How:

  • Claiming packages on the official repository
  • Altering package contents

Options:

  • Use a private repository manager (DX neutral)
    • Proxy external repositories
    • Verify package signatures
    • Repository order matters!
  • Lock package signatures (DX negative)
  • SBOM + Software Composition Analysis (DX positive)
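The "lock package signatures" option above, shown as a checksum lock: an added example (not from the talk) that pins the SHA-256 of every jar in a local Maven repository and reports artifacts whose contents changed, artifacts that were never locked, and locked artifacts that are missing. The repository layout, the lock format and the three constructed jars are assumptions for the demo.

```python
import hashlib
import tempfile
from pathlib import Path


def sha256_of(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def artifact_key(repo: Path, jar: Path) -> str:
    # <repo>/<group/as/dirs>/<artifact>/<version>/<file>.jar -> group:artifact:version
    rel = jar.relative_to(repo)
    return f"{'.'.join(rel.parts[:-3])}:{rel.parts[-3]}:{rel.parts[-2]}"


def verify_lock(repo: Path, lock: dict[str, str]) -> dict[str, list[str]]:
    """Compare every jar under repo with the pinned checksums in lock."""
    report: dict[str, list[str]] = {"ok": [], "changed": [], "unlocked": [], "missing": []}
    seen = set()
    for jar in sorted(repo.rglob("*.jar")):
        key = artifact_key(repo, jar)
        seen.add(key)
        if key not in lock:
            report["unlocked"].append(key)      # new dependency, nobody reviewed it
        elif lock[key] != sha256_of(jar):
            report["changed"].append(key)       # same coordinates, different bytes
        else:
            report["ok"].append(key)
    report["missing"] = sorted(set(lock) - seen)  # locked but not resolved locally
    return report


def demo() -> dict[str, list[str]]:
    """Constructed scenario: a temporary repository with three fake jars."""
    with tempfile.TemporaryDirectory() as tmp:
        repo = Path(tmp)

        def put(rel: str, data: bytes) -> Path:
            p = repo / rel
            p.parent.mkdir(parents=True, exist_ok=True)
            p.write_bytes(data)
            return p

        good = put("org/example/lib/1.0/lib-1.0.jar", b"PK-good")
        put("org/example/tool/2.1/tool-2.1.jar", b"PK-tampered")  # altered after locking
        put("com/acme/new/0.1/new-0.1.jar", b"PK-new")            # never locked
        lock = {
            "org.example:lib:1.0": sha256_of(good),
            "org.example:tool:2.1": hashlib.sha256(b"PK-original").hexdigest(),
            "org.example:gone:3.0": "0" * 64,                      # locked, absent
        }
        return verify_lock(repo, lock)
```

Any entry in "changed" or "unlocked" should fail the build until someone compares the artifact with the upstream release and updates the lock.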

8 of 13

Public cloud - GitHub, Artifactory, ...

Allows:

  • Bypassing nearly all other company security controls
  • Unlimited access through an API token / SSH key without 2FA
  • Obtaining company assets
  • Providing access to third parties

9 of 13

GitHub Copilot - Siphoning secrets

10 of 13

Kernel level access for everything

  • XDR/EDR (Endpoint Detection and Response)
  • Anticheat
  • Antivirus

Negative Effects:

  • Slow computer (DX negative)
  • Sending your files and secrets
  • Attack vector + Rootkit
  • Single point of failure

11 of 13

What to read

12 of 13

What would a Jabba Developer look like?

Bonus 1

13 of 13

Bonus 2