
All right, so we're here to talk about open source, why it's awesome, and how to secure it. I am Nicole Schwarz (circuits one), I use she/her pronouns, and I'm a senior security product manager at ActiveState. In one month I'm running BSides Edmonton; you could come visit us, it's not that bad of a drive. And what is ActiveState? We help you secure your open source, so feel free to check us out, but this is not an ad, so let's actually get to the content.

All right, what is open source? It's code that you can look at, you can modify, you can enhance, and that's really what it boils down to. It's way more complex than that, but when you go around and look at things that are like, "oh hey, this repo is available under the MIT license or the BSD license," that is generally an open source thing that you could use yourself, depending on the licensing, and you could modify it if you want to, you can contribute to their copy if you want to, all sorts of options.

Why do we care? Well, nowadays you know that constantly, every time you log into a SaaS product, things change, right? You're like, "oh, why did that move there?" "Oh, there's a new feature over here, isn't that cool?"
The reason we have such rapid development of software and such rapid innovation is because nobody has to reinvent the wheel anymore. No one has to necessarily be an expert in cryptography anymore (please don't write your own cryptography, thank you); there are people who are domain-specific experts, maybe use that. And this is all free, so you can leverage these tools that are not the thing that you're trying to differentiate on to get something to market quickly. That's amazing, that's awesome, that is what has brought us here. But all those upsides do come with some downsides.

Now, interestingly enough, when, I think it was Synopsys, I can't read the teeny little thing there, but I think it's Synopsys, reviewed a whole bunch of code, they found 77% or more of the code that they were reviewing was open source, meaning that only 30% of the code was bespoke, written, and makes the differentiation of what is this cool thing that I'm selling you or offering you a license to. And so if you think about everything that you're using on an IoT device, as a software application, in your car, it's reliant on open source, which is kind of awesome, and that comes with a catch.

Your lawyers will tell you there's a license with that. Now, not every open source package includes a license; that's a whole different thing we are not going to get into here. But if it does include a license, there's going to be specific rules there: if you use that, maybe you have to make your source available, and if this has got some business logic in there or business secrets in there, you may not want that. Those are generally called copyleft licenses, so your lawyers may be like, "please don't use a copyleft license in these software packages here, but hey, in these other packages where we don't have anything super crazy custom that somebody can't ask to review that code, go ahead and use it."

There's defects and vulnerabilities. You can't tell me that the code that you write doesn't have defects and vulnerabilities, so you're expecting the code that the internet writes, with a whole bunch of, you know, squirrels, ADHD, out there, is going to have no defects? Defects are everywhere; you can't get away from it. Now, one of the theories was like, "hey, with all these people looking at open source, we're going to find the vulnerabilities." Well, if you look at the number of known vulnerabilities versus the number of open source packages out there, we do not know about all the vulnerabilities out there. So if people look, they find them, but people don't always necessarily look. So it's going to be vulnerabilities you know and vulnerabilities you don't know. Also,

supply chain threats. We'll kind of get into this in a little more detail, but everything you introduce, as referenced earlier by TJ, introduces surface area, and so the more surface area you have, the more risk you have. And also, what happens if the community abandons that project? What are you going to do?

All right, so let's dig into these in a little bit more detail. So hiding among all of these awesome Lego pieces, which are the open source, one of them has a copyleft, oops. Do you know which one that is, and that you could remove that and replace it with something else? That is, you know, a risk: are you aware what all these
little Legos are? You need to find the one little tiny, you know, tiger in here. It's like a Where's Waldo adventure.

All right, we've all seen this before, XKCD: please don't invent your own license. There's enough license choices out there, so, like, the list of available licenses is very, very long and then people keep adding more. So make my life easier, make lawyers' lives easier, no more licenses, please and thank you. Anyway.

All right, so the defects and vulnerabilities, we talked about this. There's going to be ones that are accidental, Heartbleed; maybe don't drink and contribute open source code on New Year's Eve, not a great plan. But there's also intentional, and this was referenced earlier, the xz utils one, which was a low, slow, really patient, we're-really-lucky-it-got-caught situation. And of course there's just, like, the super wild and crazy "I'm going to introduce this malware in here to see if it gets caught" that some researchers do. Please don't introduce it into packages if you're a researcher, like, do a different package just to see if it works. Anyway.

So, turtles all the way down: your code uses open source, the open source uses open source, that open source uses open source. If you've heard the word dependency tree, this is what this is referencing. So that dependency tree means that all those things all the way down are technically your risk surface area. But this morning we did also hear about, like, threat modeling: if it's not reachable, so a lot of SCA tools, our software composition analysis tools, talk about reachability. If it's a couple layers down and it's not being called by anything, or it was only used in the build process, it's probably not something you need to worry about. So you really do need to, like, okay, yes, this is my surface area, but how much of that do I care about?

All right, so I keep blathering on, supply chain, supply chain, what am I talking about? If you've ever done code you probably know this, but we're just going to go through it, and my slides will be available on circuit.com later, so all the teeny tiny things you can read there. But you've got the source that you're writing, you're bringing in some open source, you're bringing in some other suppliers that you've made deals with, you're writing your own stuff, you're stitching that together into a build, the build becomes artifacts, the artifacts go out somewhere, maybe that's a wheel on PyPI or maybe it's SaaS or maybe it's an EXE that your customers download. At every point along here you can have risks. Now, you did this, but also every single one of the open source things that you use, those wheels, also did this and had those same risks. And, like was talked about earlier, do you know how they're practicing? Are they doing two-person review? Are they doing it on, like, the YOLO laptop that maybe also surfs, you know, sketchy websites that have pirated material, whatever? Like, you don't know. So you're not going to be able to get a security audit from an open source project. I mean, maybe you could in some circumstances, but in a lot of cases those are volunteers and they may not have the time or the expertise to give you that kind of information. So that is something you're going to have to either accept or maybe mitigate in some way.

All right, again the slide's super tiny, apologize. It's the SAP supply chain risk explorer; you look at it on a bigger screen and it goes through a bunch of things like typosquatting, which hopefully you all know is, like, where I misspell things all the time (hopefully it's not just me), but popular packages, they might just flip two of the letters or substitute one of the letters, and so you can do everything right but pull down a package that is a typosquatted version, which is a copy of that code perhaps but with a little malware sprinkled in. There's also things where they might just compromise the build environment; SolarWinds is the one we pick on for that. I feel kind of bad for them because they always get picked on for that. But there are tons of different risks with fancy names, but they all boil down to that chart earlier, where all those different risk pieces were fancy words for all the different points in there.

All right, so also, these are volunteers, and it's free like puppies, not free like beer, and so these need to be taken care of once they come into existence, otherwise, you know, they might pee on your carpet or something. And so if the community kind of doesn't keep up with it, or maybe just straight out abandons it, or nobody's really interested anymore, you're stuck with it now if you're using it and you're
relying on it. So what is your backup plan? Are you going to fork that and maintain it yourself? That is absolutely a choice you can make; depending, that may not be a very fun choice. All right, and, I'm, everyone was expecting this, right? Yeah. So the one poor little project that, you know, one person's been maintaining, you could just burn out, you know. If you're the only one and everybody else is just relying on it but not helping you, you may just be like, "I'm done."

All right, cool. So we talked about open source is awesome, it has enabled us to have all of the cool fast development that we have today, but it does increase our surface area risk. So how do I tell what I'm using? So shout out again to the earlier talks: it's the unsexy thing of inventory management. So as part of that inventory management, not just what container do I have, what open source is running on that container; not just what projects do I have, what open source is in those projects. So when we talk about inventory it's not just how many laptops are hanging out, you really have to get pretty granular with this, and that allows you to respond to issues. If I were to come to you and say, "hey, I just read a news article this morning that this package has a vulnerability, do we have this package in our environment?" and you don't have an inventory, how are you going to answer that? You're probably going to have to go around and ask everyone, you're going to have to spend a lot of time looking for that. But if you've got an inventory, I don't care if the inventory is in, like, a Google sheet or an Excel sheet, you could look through and be like, "hey, it looks like we currently don't have that, so I think we're okay." It's going to be a lot better of a conversation than, like, "hey, let me go ask everybody and get back to you."

All right, so how do you get that inventory? Because saying "have an inventory" is
pretty, you know, like "just do this," which is never "just." So you could have your own repository and ask everyone to go through that: "so please don't go through npm, we're going to go through our own copy of npm where we're actually proxying it, so I kind of know what's in use." You could have that be restricted, where until a package gets approved maybe they can't pull it in, or you could have it be unrestricted, so that any time they want to pull something from pip or whatever it'll pull it, but now you'll at least know what's being used. You could just scan the repositories. You could tell them that they need to request approval for every package they add, which apparently is what they do at Google, which shocks me and confuses me; there's, like, apparently a chat channel where every time you want to bring in a package you have to, like, have a chitchat about it. I'd love to be a fly on the wall for that. And you could just ask each team to report in. This is where SBOM, software bill of materials, which you've heard referenced, comes in, and by the way, software bills of materials should be done all the time. There are plenty of open source tools out there that will help you build those, because to have an accurate picture of the build at any point in time you need to know at that point in time what the build was. If you're not a developer and you haven't heard "well, it works on my machine," then you may not understand that, because a lot of things have a range. So, like, that TensorFlow package or that pandas package, the developer is going to say, "hey, use any version between, like, 2.1 and 2.2, any one in there," and so the solver is going to, like, go, "today, on Tuesday, I feel like 2.1.3," and "oh, tomorrow I feel like 2.1.4," and so you may not realize that, like, today's copy is not exactly the same as tomorrow's copy. So having that SBOM for every point in time is important if you want to have that accurate picture. And you could do some kind of combination of the above.

All right, I want to do a shout out: TJ mentioned third party. This is not about your commercial things; so for your commercial stuff you can say, "hey, can you give me a security assessment?" I don't think that's going to work out really well with open source. But for open source, in a lot of cases you may actually be able to get an SLSA, which attests how they did a build, and it may in the future attest other things, and you may be able to get an SBOM from them. And there's stuff like the PyPI Trusted Publisher, which, if you publish through ActiveState or GitHub, you can get a little green check mark on your PyPI package, which means you at least signed your package and, like, had a trusted situation, so maybe it's not a man-in-the-middle. We know, thanks to SolarWinds, you know, not everything's perfect, but at least it's another layer.

All right, you have an inventory, you picked some combination of those things, you're either generating the SBOMs or you've got your mirrored repository, and you at least have a pretty good guess of what's going on in your environment. All right, so I just told you there was exponential risk for every
single little piece of this chain. How do you mitigate it? Well, if you have a time machine, secure by design, or if you're starting a new project, secure by design. Security scanners, there's free ones out there; if you are aware of OWASP or the Open Source Security Foundation, they have really good lists of, like, here are free open source packages which you can use. There's the OpenSSF Scorecard, which you can run against a repository and it'll kind of give you, this is an oversimplification, I apologize, but it'll give you, like, what good practices is this repo following. It's what they chose to audit and what they could audit as far as good practices go; you can read about that for a little bit more. There's SLSA, Trusted Publishers, GUAC, attestations, we'll get into more details about these in a minute. There's the repository thing I talked about, because not only if you're auditing those, you could then scan those, you could then, you know, be doing checks against those using, like, DaggerBoard or something. Having a vulnerability triage and remediation process: don't just YOLO it, have some kind of cadence, every two weeks, every month, where you're like, "let me check and see if there's any critical things, terrible things, hiding in there that we don't want." And have some kind of target; even if you don't, like, externally publish it, just have an internal target: can we get rid of criticals in 90 days? Like, set something and then maybe you can walk it back: "okay, cool, we're hitting 90 days, can we hit 80?" And just give yourself a goal, and maybe give yourself a pizza party if you hit it. Try and keep somewhat up to date. Bleeding edge isn't always great; a lot of you probably may not buy the brand new widget when it comes out day one because you want somebody else to find the hiccups, right? You want to see where the problems are. Same kind of idea, maybe let some other people find the hiccups first, but don't let yourself get further and further back, because the community tends to update and you're going to get into a situation where maybe you're a year and some old. Now the choices of what will partner with those open source things that you're using kind of get stuck in the past and you can't use, so you're going to lose some of the advantage of open source; you can't use some of those cool new packages because they just don't support that. But also you're going to approach closer and closer to end of life, and when you hit end of life it's almost like hitting abandonment of the project, because they're like, "we are not updating that anymore, so if somebody finds a vulnerability, good luck." So you don't want to be there.

All right, and what outgoing calls are happening? There's a package that is escaping my mind right now, but think of it like a DAST scanner but for packages; anything that's running any kind of network thing can monitor for this. But do you usually have calls going out to China, to Russia, to North Korea? Are there suddenly calls going out there from your build environment? That's new, that's odd, and maybe you should look at what changed between when it wasn't and when it was. And so when I was working at GitLab they actually would do this for a bunch of the popular packages that customers were using, which was you could have your package built and run and tested to see was it making weird calls, weird unexpected calls, and then it'd flag it as, like, "hey, do you really want to use this dependency, or if you do, do you really want to deploy it to production?" Because that was, you know, maybe unexpected. Maybe you say, "you know what, that is totally expected and wanted," cool, but at least look for it. No head in the sand, no ostrich.

All right, so secure by design. I'm going to read my notes on this one because there's a lot of notes on this one. So CISA is advocating that people prioritize features, mechanisms and implementation of tools to protect
customers rather than prioritizing product features. If you work for a company you're probably laughing inside your head right now. This would be great because it means more protection for your customers, but I really don't feel that this, it's like, don't just YOLO it out to the internet, but, you know, maybe don't bother to work on it quite as much. So threat modeling is awesome, I don't care which methodology you use, but again that was that whole concept of where are the crown jewels versus not. And then defense in depth: like, do not be like, "we are going to have the perfect software composition analysis scanner and we're not going to do anything else." It's like, all right, let's scan our open source, let's scan our own code, let's scan for secrets, let's do, you know, an assortment of things so that hopefully somewhere along the way we catch something and we don't completely miss it. Because, kind of the talk right before mine, usually it's not just one thing; there's a preponderance of, usually X happens and then Y happens and then Z happens, so even if you miss that first step, if you catch it at the second step you still might be fine.

All right, and security scanners, I'm going to go kind of into detail, but I listed at least one free example for each one of these. So we've got GitHub code scanning for software composition analysis, we've got TruffleHog for secret detection, we've got Semgrep for SAST, we've got Trivy for containers, we've got ZAP for dynamic application security testing, we've got FOSSology for license scanning, and we've got OpenSSF Package Analysis for malware scanning. You can do it, little computer.

All right, so SAST. This is kind of agnostic; think of it as, like, Grammarly for your code. It's looking for certain patterns and it's like, "this is a pattern that we've identified to be problematic, maybe don't do that." So it's not perfect, but it's better than, I think, just nothing, and it will kind of at least warn you in the IDE phase, you know, maybe you need to make a different choice on here.

All right, secret detection. How many times do you hear about somebody checking something in, like an API key, to their GitHub? Yeah, and that causes problems, right? And did everybody read the thing that came out at DEF CON where basically they are like, even if you delete it off GitHub, it actually is never, ever, ever deleted, so you have to rotate your keys? Yeah. So it is really important to look for, and I know it happens on accident, accidents happen, but make sure you have a plan to rotate your keys and scan for API things. And again, you should be, if you really want to protect a particular resource, do this on the open source code and your code, and then don't just tell the maintainer like, "YOLO, you did this," maybe help them by submitting a patch. Anyway.

All right, container scanning. This is, to me, just like SCA but for containers, but they gave it a new name because we like to name everything; see the standards XKCD from earlier. Anyway, it's going to find known CVEs in your container, in the base image plus the open source that happens to be running on that particular one.

All right, then we talked earlier about how, like, some people don't like the copyleft, whatever. FOSSology, other things, will scan and be like, "hey, here's all of the licenses you have, which ones do you not like?" and maybe your lawyer team will love you for this, and then maybe the developers will not love you for this. You know, stuff happens.

All right, there's DAST. So we talked about SAST, which is kind of like the Grammarly thing; DAST is supposed to be a little smarter, it's supposed to have less false positives, because it's actually poking the system. So the system's got to be running, so you can't run this, like, in the IDE, you've actually got to run it, like, in a test environment. So this one is actually super handy, because if you remember we were talking about, like, is that open source calling, like, a weird place or whatever. So if you've got, like, DAST plus a little bit of network monitoring in your QA environment or your staging environment or whatever, this is going to kind of give you a better picture of what is actually going on when the code's running. And so combine reachability with this and you could probably just be like, "I'm going to ignore all this stuff here, because that was a runtime thing, that was an unreachable thing, like, this one's not actually being exploited because we monitor for SQL injections, so who cares." So hopefully that'll help you narrow it down to what you give a hoot about.

All right, there's malware scanning, which is the Open Source Security Foundation Package Analysis tool. Again, it's looking for, like, the MITRE framework, it's looking for, like, a behavior as opposed to just, like, a pattern, but it also does look for patterns; it's kind of like combining SAST and DAST together.

All right, American Fuzzy Lop. Has anybody used American Fuzzy Lop in, like, a CTF? You can actually use it for other purposes, and this one's kind of fun because it'll find, like, your overflows and stuff, and memory leaks, which memory leaks in production can be very annoying, as a person who used to work third shift and have to reboot a certain customer server every morning at 2:15 a.m. Anyway, so please find your memory overloads, and, you know, if the tool that you're using, that open source, has a memory leak, maybe fix that so that you don't eat up so much memory and your cloud bill doesn't go up, you know, whatever.

And we've referenced SCA a lot here. It basically looks at what are the things, the components, that you're bringing in and what is out of date, what has a vulnerability, or at least, like, generates you a list, so this is very helpful in the list-making capability.

All right, so speaking of this, SBOMs and SCA are kind of like BFFs. Kind of. Sometimes an SCA uses an SBOM, or
sometimes it'll make you an SBOM. If you work in Europe or the United States, SBOMs are becoming, like, a thing. So there are two formats of SBOM, CycloneDX and SPDX, because once again we can't agree on a standard, so OpenSSF Protobom will convert between the two. So if you generate one you can generate the other, so you can take the customers who are like, "but I want the other one," and give them the other one and get them off your back. And then if you want to take those SBOMs and load them into DaggerBoard, again, free tool, it'll tell you all the CVEs, so if you don't have an SCA tool you can kind of use DaggerBoard as your SCA tool even though it's not an SCA tool. It's all turtles all the way down here.

All right, and if you have not heard of the Vulnerability Exploitability eXchange: how many times do you have to say "this CVE doesn't affect us" to some customer? A lot, yeah. Okay, well, there's a format for that. You can formally document: this open source vulnerability, we've investigated it, and within our environment, because it's unreachable, because we are running this operating system and it affects that operating system, or because it's disputed by the maintainer, we say no. You can document that in this way and include it either as part of your SBOMs or as its own standalone thing and hand that out and just be like, "here's all the things you're about to complain at me about, have this document, come back after."

All right, and we talked about the Scorecard, and again, this you point at a repo. All right, so we talked about what are you reliant on and what's really going to hurt you if it goes away; figure out those packages you are super dependent on and consider running this against them, or, say, if somebody else has already run it and given you the scorecard. It's going to say, like, hey, is there more than one maintainer, how active is this project, how responsive are they to bugs and things, and it'll kind of give you, like, a health slash risk assessment. And so again, we talked about doing things kind of semi-frequently, not just one and done, so set a cadence, do this, and be like, "are the things that we are relying on, how risky is it, and, you know, do we need to have a backup plan?" And your backup plan could be contributing to that open source project.

All right, frameworks. I'm going to read the things because, again, there's a lot of notes on this one. Supply-chain Levels for Software Artifacts was developed by Google and then released into the Open Source Security Foundation, and it is a set of standards, or a framework, that will help you prevent tampering and improve integrity of packages which are built. It gives you a shared language and shared understanding of what these levels mean, so if I say, "hey, I'm SLSA level two," or "SLSA level three, and that's how I build my stuff," that kind of lets you know, okay, this is ephemeral and it's isolated and we don't allow somebody to just type in parameters, they are all documented, and I can reproduce this build. And so that's super handy just for having a conversation shorthand.

GUAC. Are developers really hungry when they name things? The Graph for Understanding Artifact Composition aims to fill the gap. So we talked about the dependency tree, and you've all seen them, they're, like, the sprawling things; this is trying to make it so that that's a little more useful. It's going to take an SBOM and give you metadata about your dependency tree. So just, like, for funsies, load your SBOM in there, just because it's interesting, but hopefully as it gets more and more metadata that actually becomes more and more valuable to you, see.

And then, as far as attestations go, in-toto seems to be the most popular one right now. There are other formats, you can invent your own format if you really want to, maybe just consider in-toto. Anyway, an attestation literally just means "I documented this"; ideally you also sign it. That's not perfect, but at least it adds, like, a little layer of "nobody tampered with this." And then the PyPI Trusted Publisher, which I mentioned, allows you, from, like, GitHub, GitLab and ActiveState, to say "I follow these build procedures and pushed using a key up to PyPI," and you get a little green check mark. So maybe check and see if the packages you're using have the nice little green check mark.

All right, so I had said monitor repositories. What are your choices there? Well, you can use JFrog, GitLab and ActiveState if you want to pay money; you can DIY it, like, literally you could just
mirror them if you wanted to. And so there are a lot of options there.

And for vuln triage and remediation, anyone, we were talking about the three binders earlier today: tune out the noise. Okay, how do I tune out the noise? In your SBOM or in your SCA, can you tell which things are runtime, which are two or three up the tree, which are reachable and not? Go ahead and just get rid of them first, come back to them later. If, like, you tuned it and then, boom, everything's gone: A, I want to work for your company, and B, you can then move on to level two. But for right now those are the less risky things, so start with the things where it's, you know, first or second degree of Kevin Bacon away from your source code and that is touching your critical stuff. Again, this is going to be based on your threat models: if this system is literally just, like, the static website and somebody could deface it, yes, but then you could restore from backup, like, okay, whatever; versus the system that has people's information on it; versus the system that has people's, like, private health information on it or credit card information on it. You know, like, which one are you going to do first? Let's do the credit card information.

And then, okay, great, you found it all, what's your plan to fix it? Again, this is part of that "can we update." You don't have to go to bleeding edge; sometimes, actually, to fix a problem you go down, because if you look in a vulnerability it's going to say it impacts this particular range, and that range may be pretty small. It may go back many, many years, but it may be small, and so you may be able to just roll back a couple and then you're okay. Please don't roll back, like, two years. And, you know, try to stay somewhat current, but I'm not going to tell you to be bleeding edge, like, that's a lot of work. But if you're working out that muscle and you're saying, "every two months, every month, we are doing a deployment and testing it, and I know that I can do a solve for all the open source that I'm using, and I feel confident that I could release this and test it," you're going to be in a lot better place when I come to you tomorrow and I'm like, "hey, that super package that we're using across everything in the company, major vulnerability going back three years, we need to update now." You're going to be a lot less stressed, because you're going to be like, "that's cool, we do this every month, we can totally get this done in, like, a couple days, this isn't going to be earth-shattering," whereas if you only release once a year it's going to be a little more stressful. So just get that muscle memory going, and again, have some kind of target, attach a pizza party, or if people don't like pizza, something else, maybe, like, an ice cream party, I don't know, and, like, you hit the target, everybody celebrate, and then you can bring down the target. And we just went through this, blah blah blah, I got ahead of myself.

All right, what else can you do? OWASP Dependency-Track has been around for a long time, so you want some kind of thing that's not Excel to track your dependencies, there's that, and it's free.
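Added example (the editor's, not code from the talk or from any of the tools named in it): a small Python triage helper that does in code the three things the talk has just walked through: it records a "this CVE doesn't affect us" decision as a VEX statement, drops VEX'd findings out of an SCA result list, ranks what is left by severity, shipped-versus-build-only scope and distance from your own code, and then checks the remainder against an internal remediation target like the 90-day one. Everything in it is constructed for the example: the `example-*` package purls, the `CVE-1900-*` advisory ids, the dates and the target numbers are placeholders, not real packages or advisories, and the statement field names follow the OpenVEX format as I read its spec (an assumption; check them against whatever version your SBOM tooling consumes).

```python
"""Apply VEX decisions to SCA findings, rank the rest, flag what is past the remediation target.
Added example; packages, advisory ids and dates below are constructed placeholders."""
from dataclasses import dataclass
from datetime import date

SEVERITY_RANK = {"critical": 0, "high": 1, "medium": 2, "low": 3}
# Internal target: days allowed to close a finding of each severity (hypothetical numbers).
REMEDIATION_TARGET_DAYS = {"critical": 90, "high": 120, "medium": 180, "low": 365}
TODAY = date(2024, 7, 1)  # fixed "today" so the run is reproducible

# Justifications OpenVEX allows on a not_affected statement (assumption: as I read the spec).
NOT_AFFECTED_JUSTIFICATIONS = {
    "component_not_present", "vulnerable_code_not_present",
    "vulnerable_code_not_in_execute_path",
    "vulnerable_code_cannot_be_controlled_by_adversary",
    "inline_mitigations_already_exist",
}


@dataclass(frozen=True)
class Component:
    purl: str
    depth: int    # 1 = direct dependency, 2 = a dependency's dependency, ...
    scope: str    # "runtime" (shipped) or "build" (only used to build)


@dataclass(frozen=True)
class Finding:
    vuln_id: str
    purl: str
    severity: str
    first_seen: date


# Constructed inventory and SCA output; "example-*" packages and CVE-1900-* ids are placeholders.
COMPONENTS = {c.purl: c for c in [
    Component("pkg:pypi/example-web@3.1.0", 1, "runtime"),
    Component("pkg:pypi/example-yaml@5.4.0", 2, "runtime"),
    Component("pkg:pypi/example-linter@1.0.0", 1, "build"),
    Component("pkg:pypi/example-image@2.2.0", 3, "runtime"),
]}
FINDINGS = [
    Finding("CVE-1900-0001", "pkg:pypi/example-web@3.1.0", "high", date(2024, 5, 1)),
    Finding("CVE-1900-0002", "pkg:pypi/example-yaml@5.4.0", "critical", date(2024, 1, 15)),
    Finding("CVE-1900-0003", "pkg:pypi/example-linter@1.0.0", "critical", date(2024, 6, 1)),
    Finding("CVE-1900-0004", "pkg:pypi/example-image@2.2.0", "medium", date(2024, 6, 20)),
]


def vex_statement(finding, status, justification=None, impact_statement=""):
    """One OpenVEX statement for (vulnerability, product); not_affected must carry a justification."""
    stmt = {"vulnerability": {"name": finding.vuln_id},
            "products": [{"@id": finding.purl}],
            "status": status}
    if status == "not_affected":
        if justification not in NOT_AFFECTED_JUSTIFICATIONS:
            raise ValueError(f"not_affected needs a recognised justification, got {justification!r}")
        stmt["justification"] = justification
        stmt["impact_statement"] = impact_statement
    return stmt


def vex_document(statements, author="security@example.invalid"):
    """Wrap statements in an OpenVEX document; @id, author and timestamp are placeholders."""
    return {"@context": "https://openvex.dev/ns/v0.2.0",
            "@id": "https://example.invalid/vex/build-2024-07-01",
            "author": author, "version": 1,
            "timestamp": TODAY.isoformat() + "T00:00:00Z",
            "statements": list(statements)}


def apply_vex(findings, vex_doc):
    """Drop findings that a statement closes (not_affected or fixed) for that exact product id."""
    closed = {(s["vulnerability"]["name"], p["@id"])
              for s in vex_doc["statements"] if s["status"] in ("not_affected", "fixed")
              for p in s["products"]}
    return [f for f in findings if (f.vuln_id, f.purl) not in closed]


def rank(findings, components):
    """Order the work: severity first, shipped code before build-only, then nearest to our own code."""
    def key(f):
        c = components[f.purl]
        return (SEVERITY_RANK[f.severity], 0 if c.scope == "runtime" else 1, c.depth)
    return sorted(findings, key=key)


def overdue(findings, today=TODAY):
    """Findings that have been open longer than the internal target for their severity."""
    return [f for f in findings
            if (today - f.first_seen).days > REMEDIATION_TARGET_DAYS[f.severity]]


if __name__ == "__main__":
    # The linter is a build-only tool, so its critical gets a not_affected statement instead of a patch.
    vex = vex_document([vex_statement(
        FINDINGS[2], "not_affected", "component_not_present",
        "linter runs only in CI; it is not in the shipped artifact")])
    queue = rank(apply_vex(FINDINGS, vex), COMPONENTS)
    for f in queue:
        print(f"{f.severity:8} depth={COMPONENTS[f.purl].depth} {f.vuln_id} {f.purl}")
    for f in overdue(queue):
        print("OVERDUE:", f.vuln_id, "open", (TODAY - f.first_seen).days, "days")
```

Run as is, the VEX statement removes the build-only finding, the critical in the second-level runtime dependency lands at the top of the queue ahead of the high in the direct dependency, and that same critical is the one past the 90-day target, which is exactly the "is the policy being followed" check the talk wants automated rather than eyeballed. The `justification` check is deliberate: a not_affected statement without one is the kind of VEX a customer will push back on.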
uh there's also open source management platforms like active State and others that you can pay for that do a little bit more than that but you know you could do the first one there's open policy agent so I talked about like hey setting these kind of standards and targets how do you know if you're hitting those targets do you have to like manually check that sounds super annoying right open policy agent it requires configuration so if you have somebody who likes to write like XML or whatever put them on that they'll write some XML rules they can run it against your stuff and it'll come back and be like hey this policy is not being followed so you
could just have this like automatically run once a deployment once a week you know whatever makes you happy and it'll tell you like hey this project isn't following internal policy maybe go take a look at it so that you aren't having to spend the time looking at things that don't need to be looked at necessarily also uh vulnerability disclosure programs I wasn't sure where to put this these are not bug bounties so if you're not familiar with the difference having a thing that your lawyers right that say this is where the bounds of our software are and you are allowed to responsibly disclose something please don't take down production etc etc uh there's actually widgets out there to help you
write these and help you talk to your lawyers about these and you don't have to give them anything you can just be like here's a security. text here's our policy here's the email address to send things to you could be nice and be like we will recognize you on a page we will send you some stickers or a t-shirt or whatever um but you don't have to pay them so if the company's like ah we don't have the money for that free I mean you do have to spend somebody time to look at them you will get some very entertaining things definitely done by chat GPT but you can usually figure out that was chat GPT and just ignore those
Anyway, that is awesome and you should do that. Bug bounty: you pay people money. If you have some extra money to burn, sure, do a bug bounty, everybody loves a bug bounty.

All right, but you want to go above and beyond. You don't just want to have an inventory, you don't just want to assess the risks associated with that inventory, you want to be like, this system over here needs to be secure. And maybe it's because you're following the EU's Cyber Resilience Act, maybe it's because you're following the National Institute of Standards and Technology Secure Software Development Framework, maybe you have looked at the Canadian Centre for Cyber Security ITM 1071, which is actually really interesting and short, like very readable, I recommend reading it. Anyway, go ahead, build things from source yourself. If you're like, that's impossible or silly, I will tell you there are a lot of companies out there doing that. So if you really want to know what you are using, pull down the source, scan it, run it yourself just like it's your own code, take responsibility as if it's your own code. You will not be alone, but you totally need somebody who is going to babysit this, because again, it's a puppy and it might pee on the rug. Scan the... I already said that. And then participate in the community: you find a bug, patch it upstream.

All right, how can you help? Everyone can. Don't have the time? Maybe just throw money at people. There are foundations out there, there are working groups out there, there are maintainers out there, and they could use funds. Throw money if you've got it. Join a working group; there are some at the Open Source Software Foundation, there are other ones where they are working on particular problems. So is there an area where you have expertise where you could weigh in and provide value? In some cases I don't care if you're a... in fact, if you are a technical writer with security knowledge, get on a working group and help write. You don't have to be a coder, you can totally help out by doing stuff like that. There's tons of stuff; they need people to help update the websites, they need people to do little graphics. Get involved, help out. Whenever you start a new project, do secure by design.

And also collaborative information sharing. I do not know if there's anything here, fingers crossed there is, but there's the Alberta security community of interest where people can kind of compare notes. It's public, private, all sorts of people get together. I'm not sure if there's an NDA situation, but it's like a friend-DA or beer NDA situation, and it's definitely handy to be able to share like, here's what we're seeing, are you seeing it too? Hey, cool, how did you solve
it? And find better ways to solve the problems.

All right, I am not doing a live demo; these are little pictures, because demos and live is bad. All right, so let's say you were told PyYAML can't be used unless it is the latest version because something terrible happened. I have no idea what it is, this is a made-up example, don't go home and rip out PyYAML, no. And report any use of the wheel affected by that vulnerability. All right, so if you have that inventory you can be like, hey, what containers do I have and what is on there, what are the vulnerabilities, dependencies, licenses in that container, and then search for it. I just took that scary request and I was able to answer it by searching through something, whether this is Excel, whether this is open source, whether you paid somebody for this. That's ideally where you want to be, right? Log4j: how easy would that have been if you could have just typed in log4j version whatever?

All right, this is only part of your problem though. Is everybody using the latest head commit? Can you tell what everybody's using? Depending on the tooling you have, you may absolutely be able to tell. So you're going to be able to tell like, hey, Pete, this one's from 28 days ago. Maybe Pete's on paternity leave and that's totally fine, because when he comes back he's going to update. But I should at least be able to check and be like, how out of date are the systems that I have? Because even if your latest commit for everything is golden and follows the rules, is there something hiding under a desk somewhere that isn't? So remember how I said SBOM at every point along the way: you need to know what you've got where. Because what if, and I mean it could still be valid that Pete's got the copy from 28 days ago, because somebody is running an exe from last month's release and was reporting a bug and he was trying to replicate the bug. So that's still a valid use case and he's allowed to do that, but you still want to know, where is that in my environment?

And then you want to be able to do reports. I have no idea why these images are not centered, they were centered. Anyway, ideally, people who like GraphQL, there are like a million different tools out there, but then put all that in so you can create a pretty report and hand it to people in PDF form or HTML form, because inside security we love exchanging CSVs; if you hand that to not a technology person, they're not going to be thrilled with you. So color coding. Color coding good, but also remember to include things
beyond just color, like "unauthorized" or "limited", because some people are colorblind, so do multiple things.

Anyway, so we're going to recap. Know what you have, where it is. Be aware of the different risks, and, as you said, risk: inventory, vulnerability, access, attacker, or something like that; I was taking notes on my phone. And then do a tabletop: what are we relying on, what happens if it goes away, and why are you in business? They're not going to let you do a thing if you're like, I want to take away this thing, and it's like, but that's what makes us money. So keep these in consideration. Also, TJ said third-party risk is unavoidable. I agree, you can't DIY everything. You do not have the time and money, or maybe you do, and if you do, come give me some. It is not an if but a when, you will have an issue, but the incident doesn't need to become a breach. I really liked that call-out. If you're able to find something early enough, before they get to the crown jewels, you have prevented the PII getting exposed or whatever, so plan for defense in depth. And the more suppliers you have, the larger the attack surface. I'm going to say the more open source you have, the larger the attack surface. That's not necessarily bad, it just means you have to threat model that and you have to inventory, assess, and monitor. So it's the exact same thing as your third-party suppliers, except you can't ask for a security assessment; you kind of have to do it yourself.

All right, Q&A time. There is no... questions?

How would you overlay what you've presented here with, say, the polyfill situation that happened earlier this year?

Oh God. See, here's a fun fact that I don't think you mentioned: I black out when I talk on stage. So I can do everything I rehearse, but I can't necessarily do it on the spot unless I rehearsed it, so maybe talk to me after. Anybody have a question I may have already rehearsed, since, you know, I black out while talking? All right, all right, awesome, thank you so much. [Applause]
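As an added example (not from the talk, and not ActiveState's or any vendor's tooling), here is the "search the inventory" exercise from the demo slides in Python: three constructed CycloneDX SBOMs, one per container image, a search that answers "which images carry PyYAML below the version I was told is required", a staleness check for the Pete's-copy-from-28-days-ago case, and a plain-text report that carries a status word on every row rather than relying on colour alone. The image names, versions, timestamps and the 6.0.1 threshold are all assumptions made up for the example; in practice the SBOM JSON comes from a scanner run against each image, not from inline strings.

```python
"""Search per-image CycloneDX SBOMs for a package below a required version,
and flag inventories that are too old to trust. Added example for this
talk, not from it: the three SBOMs are constructed (image names, versions,
timestamps are made up) and "PyYAML must be >= 6.0.1" is a hypothetical
policy, not a real advisory."""
import json
import re
from datetime import datetime
from typing import Dict, Iterable, List, Optional, Tuple

# Constructed inventory: minimal CycloneDX 1.5 JSON, the shape tools such as
# Syft or Trivy emit for a container image. Only the fields read below exist.
def _sbom(image: str, generated: str, comps: List[Dict[str, str]]) -> str:
    return json.dumps({
        "bomFormat": "CycloneDX", "specVersion": "1.5",
        "metadata": {"timestamp": generated,
                     "component": {"type": "container", "name": image}},
        "components": [dict(type="library", **c) for c in comps],
    })

ALL_SBOMS = [
    _sbom("api-gateway:2024.06", "2024-06-20T08:00:00+00:00", [
        {"name": "PyYAML", "version": "5.4.1", "purl": "pkg:pypi/pyyaml@5.4.1"},
        {"name": "requests", "version": "2.31.0", "purl": "pkg:pypi/requests@2.31.0"}]),
    _sbom("batch-worker:2024.06", "2024-06-25T08:00:00+00:00", [
        {"name": "pyyaml", "version": "6.0.1", "purl": "pkg:pypi/pyyaml@6.0.1"},
        {"name": "log4j-core", "version": "2.14.1",
         "purl": "pkg:maven/org.apache.logging.log4j/log4j-core@2.14.1"}]),
    # The one "hiding under a desk": old image, inventory last refreshed 28 days ago.
    _sbom("reporting-legacy:2023.11", "2024-05-29T08:00:00+00:00", [
        {"name": "PyYAML", "version": "3.13"}]),
]


def parse_version(v: str) -> Tuple[int, ...]:
    """Make '5.4.1', '2.14.1' or '6.0.1rc1' comparable. Leading dotted
    integers compare numerically (padded to four places so 5.4 == 5.4.0);
    any trailing text such as rc1 ranks below the bare release. Use
    packaging.version for full PEP 440 if you need it."""
    m = re.match(r"(\d+(?:\.\d+)*)(.*)$", v.strip())
    if not m:
        raise ValueError(f"unparseable version: {v!r}")
    numbers = tuple(int(p) for p in m.group(1).split("."))
    numbers += (0,) * (4 - len(numbers))
    return numbers + (0 if m.group(2) == "" else -1,)


def components(sbom_json: str) -> Iterable[Tuple[str, str, str]]:
    """Yield (image, package, version) per component. Names are lower-cased
    so 'PyYAML' in one scanner's output matches 'pyyaml' in another's."""
    doc = json.loads(sbom_json)
    image = doc.get("metadata", {}).get("component", {}).get("name", "<unknown>")
    for c in doc.get("components", []):
        yield image, c.get("name", "").lower(), c.get("version", "")


def search(sboms: Iterable[str], package: str,
           below: Optional[str] = None) -> List[Dict[str, str]]:
    """Every image carrying `package`; with `below`, only versions older
    than that release (the 'report any use of the affected wheel' ask)."""
    floor = parse_version(below) if below else None
    findings = []
    for sbom in sboms:
        for image, name, version in components(sbom):
            if name != package.lower():
                continue
            if floor is not None and not parse_version(version) < floor:
                continue
            findings.append({"image": image, "package": name, "version": version,
                             "status": "OUTDATED" if floor is not None else "PRESENT"})
    return findings


def stale_inventories(sboms: Iterable[str], as_of: str,
                      max_age_days: int) -> List[Tuple[str, int]]:
    """Images whose SBOM is older than max_age_days as of the ISO-8601
    timestamp `as_of`: an inventory that may not reflect what is deployed."""
    now = datetime.fromisoformat(as_of)
    stale = []
    for sbom in sboms:
        meta = json.loads(sbom)["metadata"]
        age = (now - datetime.fromisoformat(meta["timestamp"])).days
        if age > max_age_days:
            stale.append((meta["component"]["name"], age))
    return stale


def render_report(findings: List[Dict[str, str]]) -> str:
    """Text report; the STATUS column is a word, not just a colour."""
    if not findings:
        return "No affected images.\n"
    width = max(len(f["image"]) for f in findings)
    rows = [f"{'IMAGE':<{width}}  {'PACKAGE':<12} {'VERSION':<8} STATUS"]
    for f in findings:
        rows.append(f"{f['image']:<{width}}  {f['package']:<12} {f['version']:<8} {f['status']}")
    return "\n".join(rows) + "\n"


if __name__ == "__main__":
    print(render_report(search(ALL_SBOMS, "PyYAML", below="6.0.1")))
    print(render_report(search(ALL_SBOMS, "log4j-core")))
    for image, age in stale_inventories(ALL_SBOMS, "2024-06-26T12:00:00+00:00", 14):
        print(f"STALE: {image} inventory is {age} days old")
```

Run as a script it prints the two outdated PyYAML images, the single log4j-core hit, and the one image whose inventory is 28 days old. The same three functions work unchanged on real CycloneDX output because they only read `metadata.component.name`, `metadata.timestamp` and each component's `name`/`version`; swap the constructed strings for files read from disk.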