Security
New Paper in IEEE: Continuous Verification of Open Source Components in a World of Weak Links
I published a research paper[1] titled “Continuous Verification of Open Source Components in a World of Weak Links” available through IEEE.
The paper addresses security risks in open source software, noting that 99% of today’s software utilizes open source. Next-generation supply chain attacks have increased 430% in the last year. The work presents six continuous verification controls that enable organizations to make data-driven decisions and mitigate breaches. In the case studies, the controls identified high levels of risk immediately even though the package was widely used and had over 7 million downloads a week.
Abstract:
We are heading for a perfect storm, making open source software poisoning and next-generation supply chain attacks much easier to execute, which could have major implications for organizations. The widespread adoption of open source (99% of today’s software utilizes open source), the ease of today’s package managers, and the best practice of implementing continuous delivery for software projects provide an unprecedented opportunity for attack. Once an adversary compromises a project, they can deploy malicious code into production under the auspices of a software patch. Downstream projects will ingest the compromised patch, and now those projects are potentially running the malicious code. The impact could be implementing backdoors, gathering intelligence, delivering malware, or denying a service. According to Sonatype, a leading commercial software security company, these next-generation supply chain attacks have increased 430% in the last year, and there is not a good way to vet or monitor an open-source project prior to incorporating the project. In this paper, we analyzed two case studies of compromised open source components. We propose six continuous verification controls that enable organizations to make data-driven decisions and mitigate breaches, such as analyzing community metrics and project hygiene using scorecards and monitoring the boundary of the software in production. In one case study, the controls identified high levels of risk immediately even though the package is widely used and has over 7 million downloads a week. In both case studies we found that the controls could have prevented malicious actions despite the project breaches.
Dissertation Proposal Defended
Today I defended my dissertation proposal at the University of Colorado at Colorado Springs[1], where I am a Ph.D. candidate in the Computer Science Department[2]. Below is a snippet from my abstract.
We are heading for a perfect storm, making open source software poisoning and next-generation supply chain attacks much easier to execute, which could have major implications for organizational security postures. The widespread adoption of open source (99% of today’s software utilizes open source)[3], the ease of today’s package managers, and the best practice of implementing continuous delivery for software projects provide an unprecedented opportunity for attack. Once an adversary compromises a project, they can deploy malicious code into production under the auspices of a software patch. Downstream projects will ingest the compromised patch, and now those projects are potentially running the malicious code. The impact could be implementing backdoors, gathering intelligence, delivering malware, denying a service, or destroying hardware, as we witnessed with Stuxnet[4]. These types of attacks show no sign of slowing down. According to Sonatype, a leading commercial software security company, these next-generation supply chain attacks have increased 430% in the last year[5].
References
- [1] uccs.edu
- [2] uccs.edu/eas/cs
- [3] zdnet.com/article/github-all-open-source-developers-anywhere-are-welcome/
- [4] spectrum.ieee.org/telecom/security/the-real-story-of-stuxnet
- [5] web.archive.org/web/20250714145717/https://www.sonatype.com/hubfs/Corporate/Software%20Supply%20Chain/2020/SON_SSSC-Report-2020_final_aug11.pdf
To Catch a Scammer
My parents had been married for 30 years and 8 years ago my dad passed away. I encouraged my mom to get on social media so that we could keep up with each other. Before this, my mom hadn’t been interested in social media but signed up because I asked. My dad took care of the technical aspects of their lives. Growing up, my parents had always asked me not to talk to strangers, not to give out personal information in chatrooms, and never to meet anyone in person whom I had met online. I thought it sounded like good advice, and I didn’t think I’d have to give my mom the same advice almost 15 years later.
What's In Your Container?
I’m excited to be speaking at JFrog’s swampUP conference in May.
I’ll be speaking on using Xray and Artifactory to produce secure containers. Avoiding known security vulnerabilities in prod, providing the US Gov with a complete Bill of Materials, and ensuring compliance with copyright laws do not need to be scary. A brief case study in how to use JFrog products to support missions and developers around the globe.
Cost of Securing IEEE 802.11s Mesh Networks Using CJDNS
Abstract - The Internet is weak, it is broken, and we are not doing anything to fix it. The Internet can be affected by natural disasters, wars, governments, and surveillance. It is running out of address space, and the internet service providers are not incentivized to fix it. Mesh networks, using the IEEE standard 802.11s, may one day provide a more robust and resilient infrastructure. Although mesh networking is not a new idea or a new concept, wireless mesh networking is stripping previous barriers to entry. IEEE 802.11s makes mesh networks a reality for users who otherwise would never have been able to set up such a distributed network. Applications like cjdns are making it easier than ever to create secure wireless mesh networks among communities. This paper will look at the system costs associated with using cjdns. How much performance are we willing to sacrifice for ease of use and security?
Full Paper: Cost of Securing IEEE 802.11s Mesh Networks Using CJDNS[1]