Black Hat 2022: Container Security and DevSecOps Take Center Stage

Written By Nidhi Sharma


Attacks that exploit software vulnerabilities continue to increase; SolarWinds and Log4j are two recent examples. There is a consensus that software supply chain security must be integrated into development as part of the CI/CD process, and this is what has led to DevSecOps. Slim.AI CEO John Amaral shares key takeaways from Black Hat 2022 and discusses the trends to watch.

Black Hat 2022 saw the rise of DevSecOps as the organizing idea behind software supply chain security. It was discussed on the keynote stage, at vendor booths, and in casual conversations. Software supply chain security, and the developer's role in it, has moved to the top of the agenda for enterprise CTOs and CISOs as they search for strategies and tools to protect the software they build and ship.

This was the first year that so many attendees held DevSecOps roles. CSOs and VPs of Security brought up DevSecOps in many of their conversations, and these C- and V-level leaders either already had DevSecOps headcount or were actively recruiting for it.

Proactive Security

Security strategy is undergoing a significant shift. Service providers and enterprises are moving security out of the realm of responding to incidents after the fact. Instead, they are integrating security into the software development process so that known vulnerabilities are found and removed before software ships.

It was interesting to see attendees conclude that automation is the only sustainable way to achieve this. Developers are increasingly asked to do things they were never trained for, and security is no exception. Shipping code that is free of known vulnerabilities means checking every build against a constantly changing list of them, and at that cadence only automation keeps up.

One session that I attended included a presentation in which researchers from New York University, the University of Calgary, and other universities examined code generated by GitHub's AI-assisted generator, Copilot. When they checked the generated snippets for vulnerabilities, they found that roughly 40% were vulnerable, with the rate depending on how the prompt was written. It is up to the developer to discover those vulnerabilities, and automation is the only way to do that at scale.

Emerging Topics to Follow

CISOs and VPs of Security were searching for ways to automate security checks across their software portfolios, particularly for applications built with containers using technologies such as Docker and Kubernetes. Many conversations focused on the twin goals of shipping software quickly and ensuring its security.

Let's take a look at some of the hot topics at Black Hat.

SBOMs

An SBOM (software bill of materials) is, in the words of the Cybersecurity and Infrastructure Security Agency (CISA), a nested inventory of the components that make up a piece of software. Executive Order 14028, signed by President Biden on May 12, 2021, directs that vendors selling software to federal agencies provide an SBOM for each product. The U.S. is not alone; governments in Europe and the Asia Pacific region are following the same path. Currently there are two widely accepted SBOM formats: CycloneDX, backed by OWASP, and SPDX, backed by the Linux Foundation and published as ISO/IEC 5962:2021. We will need convergence between them, and more tools that make SBOMs actionable rather than a point-in-time record of a container's contents.
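What "actionable" means in practice is that the SBOM gets matched against vulnerability data on every build. The following Go program is an added example, not code from the original post or from Slim.AI: it parses a small CycloneDX JSON SBOM constructed inline and matches each component's package URL and version against a constructed advisory list, reporting components older than the fixed version. The SBOM contents, the EXAMPLE-0001 advisory, and the simple dotted-version comparison are assumptions for illustration; the CVE-2021-44228 entry uses the real fixed version (log4j-core 2.15.0), and a real pipeline would pull advisories from OSV, NVD, or a vendor feed.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strconv"
	"strings"
)

// sampleSBOM is a minimal CycloneDX 1.4 JSON document constructed for this example.
const sampleSBOM = `{
  "bomFormat": "CycloneDX",
  "specVersion": "1.4",
  "components": [
    {"type": "library", "name": "log4j-core", "version": "2.14.1", "purl": "pkg:maven/org.apache.logging.log4j/log4j-core@2.14.1"},
    {"type": "library", "name": "openssl", "version": "1.1.1q", "purl": "pkg:deb/debian/openssl@1.1.1q"},
    {"type": "library", "name": "log4j-core", "version": "2.17.1", "purl": "pkg:maven/org.apache.logging.log4j/log4j-core@2.17.1"}
  ]
}`

// Component and BOM cover only the CycloneDX fields this check needs.
type Component struct {
	Name    string `json:"name"`
	Version string `json:"version"`
	PURL    string `json:"purl"`
}

type BOM struct {
	BOMFormat  string      `json:"bomFormat"`
	Components []Component `json:"components"`
}

// Advisory is a simplified vulnerability record: a package URL without its
// version, plus the first version that is no longer affected.
type Advisory struct{ ID, Package, FixedIn string }

type Finding struct{ Advisory, PURL, Version, FixedIn string }

// exampleAdvisories is a constructed feed. CVE-2021-44228 (Log4Shell) really was
// fixed in log4j-core 2.15.0; EXAMPLE-0001 is made up to show a non-matching entry.
var exampleAdvisories = []Advisory{
	{ID: "CVE-2021-44228", Package: "pkg:maven/org.apache.logging.log4j/log4j-core", FixedIn: "2.15.0"},
	{ID: "EXAMPLE-0001", Package: "pkg:deb/debian/openssl", FixedIn: "1.1.1a"},
}

// ParseSBOM decodes a CycloneDX JSON document and rejects other formats.
func ParseSBOM(data []byte) (*BOM, error) {
	var b BOM
	if err := json.Unmarshal(data, &b); err != nil {
		return nil, err
	}
	if b.BOMFormat != "CycloneDX" {
		return nil, fmt.Errorf("unsupported bomFormat %q", b.BOMFormat)
	}
	return &b, nil
}

// versionLess reports whether a sorts before b: dotted segments are compared
// numerically, missing segments count as 0, and non-numeric segments such as
// "1q" fall back to string order. Good enough here; real tools use per-ecosystem rules.
func versionLess(a, b string) bool {
	as, bs := strings.Split(a, "."), strings.Split(b, ".")
	for len(as) < len(bs) {
		as = append(as, "0")
	}
	for len(bs) < len(as) {
		bs = append(bs, "0")
	}
	for i := range as {
		xi, xerr := strconv.Atoi(as[i])
		yi, yerr := strconv.Atoi(bs[i])
		if xerr == nil && yerr == nil {
			if xi != yi {
				return xi < yi
			}
		} else if as[i] != bs[i] {
			return as[i] < bs[i]
		}
	}
	return false
}

// MatchAdvisories returns every component whose package matches an advisory
// and whose version is older than the advisory's fixed version.
func MatchAdvisories(b *BOM, advs []Advisory) []Finding {
	var out []Finding
	for _, c := range b.Components {
		pkg := c.PURL
		if i := strings.LastIndex(pkg, "@"); i >= 0 {
			pkg = pkg[:i] // strip "@version" to get the package identity
		}
		for _, a := range advs {
			if pkg == a.Package && versionLess(c.Version, a.FixedIn) {
				out = append(out, Finding{a.ID, c.PURL, c.Version, a.FixedIn})
			}
		}
	}
	return out
}

func main() {
	bom, err := ParseSBOM([]byte(sampleSBOM))
	if err != nil {
		panic(err)
	}
	for _, f := range MatchAdvisories(bom, exampleAdvisories) {
		fmt.Printf("%s: %s is affected (fixed in %s)\n", f.Advisory, f.PURL, f.FixedIn)
	}
}
```

Run against the sample, the program flags only log4j-core 2.14.1; the 2.17.1 copy of the same library and the openssl package pass. Matching on the package URL rather than on the bare name is what keeps a Maven log4j-core from colliding with a similarly named package in another ecosystem.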

Signing Code

CISOs also discussed code signing. Signing attaches to a code package a cryptographic signature bound to the author's identity, and a consumer who holds the matching public key can verify that the package has not been altered since it was signed. That gives code consumers a cryptographically verifiable record of who produced a change and when, which can be audited. The technology is not new, but the Sigstore project and Chainguard are advancing it by tying short-lived signing keys to developer identities and recording signatures in a public transparency log. Notary v2, backed by Microsoft and Docker, is an alternative that was still in the design phase at the time of the conference.
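The following Go program is an added example, not code from the original post, from Sigstore, or from Notary: it shows the core of what signing an artifact and verifying it buys you. A signer hashes the artifact, signs the digest together with the claimed identity using an Ed25519 key, and ships a detached bundle; the verifier recomputes the digest, checks the signature, and, crucially, checks the signer's key against its own registry of trusted keys rather than trusting the key carried in the bundle. The Bundle format, the signer identity dev@example.com, the Dockerfile-like artifact, and the trustedKeys map are all assumptions for illustration; Sigstore replaces the static key registry with short-lived certificates from an identity provider and a transparency log.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"encoding/json"
	"errors"
	"fmt"
)

// Bundle is a detached signature record shipped beside an artifact.
// Constructed for this example; it is not Sigstore's or Notary's on-disk format.
type Bundle struct {
	Signer    string `json:"signer"`     // identity claimed by the signer
	PublicKey string `json:"public_key"` // hex-encoded Ed25519 public key
	Digest    string `json:"digest"`     // hex SHA-256 of the artifact
	Signature string `json:"signature"`  // hex Ed25519 signature over signedPayload
}

func GenerateKey() (ed25519.PublicKey, ed25519.PrivateKey, error) {
	return ed25519.GenerateKey(rand.Reader)
}

// signedPayload binds the signer identity to the digest so that a valid
// signature cannot be re-labelled as coming from someone else.
func signedPayload(signer string, digest []byte) []byte {
	return []byte(signer + "\n" + hex.EncodeToString(digest))
}

// Sign hashes the artifact, signs identity+digest, and returns the JSON bundle.
func Sign(signer string, priv ed25519.PrivateKey, artifact []byte) ([]byte, error) {
	digest := sha256.Sum256(artifact)
	return json.Marshal(Bundle{
		Signer:    signer,
		PublicKey: hex.EncodeToString(priv.Public().(ed25519.PublicKey)),
		Digest:    hex.EncodeToString(digest[:]),
		Signature: hex.EncodeToString(ed25519.Sign(priv, signedPayload(signer, digest[:]))),
	})
}

// Verify returns the signer identity if the bundle is valid for the artifact as
// delivered. trustedKeys maps identity -> hex public key and is the verifier's own
// data: a bundle that carries its own key is self-certifying and proves nothing.
func Verify(bundleJSON, artifact []byte, trustedKeys map[string]string) (string, error) {
	var b Bundle
	if err := json.Unmarshal(bundleJSON, &b); err != nil {
		return "", err
	}
	if want, ok := trustedKeys[b.Signer]; !ok || want != b.PublicKey {
		return "", errors.New("public key is not the one on record for signer")
	}
	pub, err := hex.DecodeString(b.PublicKey)
	if err != nil || len(pub) != ed25519.PublicKeySize {
		return "", errors.New("malformed public key")
	}
	digest := sha256.Sum256(artifact) // recomputed, never taken from the bundle
	if hex.EncodeToString(digest[:]) != b.Digest {
		return "", errors.New("artifact digest does not match bundle")
	}
	sig, err := hex.DecodeString(b.Signature)
	if err != nil {
		return "", err
	}
	if !ed25519.Verify(ed25519.PublicKey(pub), signedPayload(b.Signer, digest[:]), sig) {
		return "", errors.New("signature invalid")
	}
	return b.Signer, nil
}

func main() {
	pub, priv, err := GenerateKey()
	if err != nil {
		panic(err)
	}
	artifact := []byte("FROM alpine:3.16\nRUN apk add --no-cache curl\n") // constructed artifact
	bundle, _ := Sign("dev@example.com", priv, artifact)
	trusted := map[string]string{"dev@example.com": hex.EncodeToString(pub)}

	if who, err := Verify(bundle, artifact, trusted); err == nil {
		fmt.Println("verified, signed by", who)
	}
	tampered := append([]byte{}, artifact...)
	tampered[len(tampered)-2] = '!' // one byte changed after signing
	_, err = Verify(bundle, tampered, trusted)
	fmt.Println("tampered artifact:", err)
}
```

The two failure modes worth testing are the ones an attacker actually tries: modifying the artifact after signing, and re-signing it with a key of their own while keeping the original signer's name. The first fails the digest and signature checks; the second fails the trusted-key lookup, which is why the registry must live with the verifier.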

Container Slimming

Container slimming was a newer topic discussed at Black Hat. The technique removes components that are needed during development, such as compilers, package managers, shells, and debugging tools, but serve no purpose at runtime, which reduces the attack surface of the image that reaches production. DockerSlim is an early open-source project in this space. Slimming, at its core, is about identifying and removing unnecessary items from your containers before they ship; startups like Slim.AI are building additional functionality on top of that core.

Vulnerability Information Sharing

Information sharing means finding efficient, automated ways to exchange vulnerability information about software between the people who make it and the people who consume it. Surprisingly, the tools for this are still primitive. Black Hat attendees spoke with us about the challenges they face in integrating sharing into their software delivery systems. This is a challenge that Slim.AI works on as well, and one that industry organizations such as the OpenSSF and government agencies like CISA are helping to address.

The Next Black Hat: Looking Ahead

Each of these areas will have advanced by the time we reach Black Hat 2023. Expect to see the first movers in each: open-source projects, commercial offerings built on top of them, and proprietary approaches. With any luck, the industry will have best practices and standards in place by then to guide decisions and design processes.

It is possible to see a future where developers and engineers can easily inspect the contents of their containers, where entire teams can access vulnerability scan data and route the most critical findings to the code authors who can fix them, and where these capabilities plug into existing CI/CD processes through a robust set of APIs.

All of us are aware of the importance and necessity of managing our software supply chain. Engineers are working on improving security processes, meeting with developers, and building the tools they need to reduce software vulnerabilities. They came to Black Hat looking for solutions. If Black Hat 2022 is any indication, this search for ways to reduce risk by building better software will be a major part of security events moving forward.
