Software supply chain attacks, which target vulnerabilities in the components and dependencies of applications, have emerged as a significant threat. Even Java, a widely used programming language known for its robustness and versatility, is not exempt from these attacks. In this interview, Delan Elliott, a Java engineer at Mergebase, shares his views on protecting the Java ecosystem against software supply chain attacks.
Explore the power of Mergebase and fortify your Java ecosystem
Safeguarding the Java Ecosystem - Interview Transcription
Oscar: Hi everyone, this is a Mergebase interview about the Java ecosystem and how to protect it against software supply chain attacks. Just a little spoiler: Mergebase is the best tool to protect your Java code from software supply chain attacks. There are a few reasons for that.
We have Dynamic Application Surveillance and Hardening, which shrinks the attack surface. This means that not only are you better protected, but Java engineers have less work to do. We have the lowest false positives in the industry, which makes sure that engineers are not wasting their time.
In addition, we support everything in Java, so we support all the build tools like Maven, Gradle, and Ant. We support Uber JARs, and copy-and-paste detection in Java. Even if you took a piece of a library and put it somewhere else, we can detect that. So we have a number of unique features that really help Java engineers secure their applications better and quicker.
OK, let's get into the conversation. I have Delan Elliott with me, who's a Java engineer at Mergebase and who speaks from experience. Let's get started.
Delan, first question, why is software composition analysis so important for Java engineers?
Delan: Hi, thank you for having me, Oscar. There are a few reasons why Java focuses on SCA so much. Java has more critical vulnerabilities than all other languages. Some of the reasons for that are that Java gets targeted more because it has a very large open-source ecosystem. Java has historically been used in environments where security is important, like banking, government, and highly regulated industries. All of these have used Java historically over the last 20 years.
So that means widespread usage of the same libraries. The same open-source libraries are used in multiple places, which means more attack vectors. And it also means that those targets are high-value. Attackers want to do the least amount of work and get the most profit. So Java has been a profitable place for attackers to look for vulnerabilities.
Oscar: Talking about profitable places for vulnerabilities, can you give some examples of Java vulnerabilities that hurt organizations?
Delan: Sure, I'll talk about two of the most famous ones. The first is the Struts vulnerability, which was found in 2017. About six months after the vulnerability had been published, a branch of Equifax had not upgraded their version of Struts, which left a few servers vulnerable. Once you leave one server open to one of these critical vulnerabilities, it can leave you open to a widespread attack. In this case, we are talking about $1.3 billion in damages from one single attack.
Oscar: Yeah, one thing I find puzzling about Java: Java was considered a very safe language. It's very strongly typed, it has managed memory allocation, no pointers, and things like that.
So how is it possible that it has more critical vulnerabilities than a lot of programming languages combined? You mentioned a little bit about this already, but could you build on that?
Delan: The biggest thing is that Java relies almost entirely on open-source development. Even the largest organizations are not writing all of their own code. So what that means is that you're going to have different levels of security research, as well as different levels of ability for those developers to fully test their code for every type of vulnerability.
Generally speaking, the commonly used libraries by Apache and other companies are very hardened. But there are always security researchers, and attackers incentivized by being able to steal things from companies, who are motivated to find even the smallest library that might be used by many companies.
You're always going to have attackers that are focusing on these products, so these attackers probably have more time to research the vulnerabilities than the developers. So in that environment, you're going to see more vulnerabilities pop up.
Oscar: Yeah, so you're saying it's a function of effort and focus on Java compared to other languages, like Linux, where we see maybe 5 vulnerabilities.
Oscar: What are some of the issues to consider when you work with a SCA tool?
Delan: There are issues you want to avoid and mitigate. You want to make sure that your SCA product has high accuracy. There are a couple of different types of accuracy. There's accuracy in terms of finding all of the correct components in a product, and then there's accuracy in terms of the data associated with those components.
So does it have low false positives? Every result is not always going to be accurate; sometimes there are going to be some erroneous results. Even in the most accurate tools on the market, there are some false results. So you're trying to look for the tool that has the most accurate results and the lowest false positives, especially because for every false positive that's found, your security team needs to go verify, triage, and then mark that result as false.
At Mergebase we pride ourselves on having low false positive rates because we want to save security researchers and developers time, so that's one of the main things we're looking for. For Java specifically, you want to make sure it supports your dependency manager, or however you manage your dependencies internally. For Java there are three main tools that are still used, which are Maven, Gradle, and Ant. Mergebase supports all those tools, including Ant, which is unique in the industry.
Most SCA tools are not able to support binaries built with Ant, but we have advanced binary scanning capabilities. These are some of the things you're going to be looking for. Make sure that your dependency manager is supported by your SCA tools.
Oscar: OK, so I am hearing that it is important that your tools are supported and have high accuracy. I am also hearing a lot about SBOMs, Software Bills of Materials.
I see them increasingly prevalent in the industry. How does that relate to SCA? How does that fit into the picture?
Delan: Yeah, so most SCA products index all the components that your product contains and give you the vulnerability information related to those components. A software bill of materials is, at the basic level, an index of all those components and their versions. So at that stage, most SCA products are going to provide you some level of support for SBOMs generally, though not all of them.
There's a growing need for companies to generate SBOMs. There are a few reasons for that. If you are a software vendor, your clients may want an SBOM for your products. If you're a software consumer, you may want to get an SBOM from your vendor because you want to manage the vulnerabilities that are in this product and keep your vendor honest about how often they update their components. And regulators are also demanding this for some industries.
Especially in healthcare recently, as well as embedded products, U.S. government regulators in particular are asking software developers and engineers to provide SBOMs for all their software.
Oscar: Yeah, so the regulators are leading the charge here, and that makes SBOMs a critical component of your strategy to defend against software supply chain attacks.
Oscar: When I am a Java engineer using SCA, what are some of the capabilities that make my life easier?
Delan: So essentially what you're doing with SCA is trying to find the current state of your product, as well as what changes need to be made to make the software secure if it is not. Some things that help with that are what you might call Developer Guidance, which shows you exactly which versions of the software you're currently using, as well as which version you should be using to make your software secure.
So that guidance, the suggestion of a non-vulnerable version, is important, as well as either automatically or manually generating code snippets that you can put into your dependency management files.
So you get some XML, or just a nice little tag that you can paste into your code, things like that. Another thing is that with SCA you also want to know whether you have a direct or transitive dependency on vulnerable components.
With Java especially, you're going to have many transitive dependencies in your products if you're using Maven. Lots of things get pulled in that you might not have added anywhere in your software, but they actually get pulled in by other pieces of software depending on them. So insight into where the root cause of this dependency is in your project is important. Then also, providing insight into your code coverage.
Knowing whether you're using this vulnerable library many times throughout the project is also very helpful. As well, when you're doing active development on your projects, you want to be able to use an SCA tool in your CI/CD pipeline, but you don't want it to block the pipeline permanently.
Having something like what we call our suppression management in Mergebase, to manage the risks on a security dashboard without blocking your build pipelines, is something that's very important: interacting between your security officers and your developers and making sure that your developers can continue to work while still improving the security of your product.
Oscar: You mentioned developer guidance, things like transitive dependencies, to make life easier for developers, and not blocking your build pipeline. Talking a little bit more about the build pipeline, so CI/CD tools:
What tools does Mergebase support for Java developers?
Delan: Yeah, so we support all the major build pipeline tools, and we have plugins for some of them. For Jenkins, Azure DevOps, and Bamboo, we have built-in plugins with one click to integrate with MergeBase. We have scripts as well as example files for getting it working in many other environments like GitLab CI and GitHub Actions. I think those are probably all the main ones; TeamCity too. Basically every pipeline MergeBase will work with.
It's about 3 lines in your script in order to add MergeBase into your CI/CD pipeline. We have many options that make it possible to block or not block, depending on the results. We give you lots of flexibility on how to use MergeBase in the CI/CD environment.
Oscar: Can you mention some additional benefits that Mergebase has for Java?
Delan: So there are three things I want to talk about. The first is that Mergebase protects all of your IP. We actually don't upload any code; no code files are uploaded to Mergebase servers. This is very important for some organizations that want to maintain code integrity. The only thing that we touch is dependency management files.
So basically the things that we need in order to index the exact versions of the open-source components that you use, those are the only things that we upload. We don't upload any code. We also have the ability to intercept supply chain attacks. This is because we basically have a fingerprint, a binary fingerprint, of every single component in the Maven ecosystem.
If you’re using something like Artifactory or some other internal repository tool, we are able to make sure that that isn’t being compromised by an external actor because we have a verification process for all of these. For all these binary artifacts.
If you’re doing a binary scan of any of your jar files, we can find attacks. Another feature that we have specifically for Java is Dynamic Application Hardening, and this is a unique feature to MergeBase that no other SCA offers, which allows us to shrink the application’s attack surface by monitoring what parts of the library are used and being able to shut off all the parts that aren’t used during the normal operation of a product. By being able to do that, we reduce attack vectors for malicious actors as well as provide Peace of Mind when using open-source components.
Oscar: That last point, Dynamic Application Surveillance and Hardening, where you shrink your attack surface. I always get the question: well, how does that work? How is that possible?
Delan: Well, we don't want to get too technical, but essentially Mergebase has a patented technology where we're able to do a very small rewrite to the content of your Java files, which allows us to monitor the usage of all the methods within your application.
We analyze which methods are used in attack vectors for vulnerabilities. So for critical vulnerabilities we're able to monitor the method usage and then ensure that those critical vulnerability methods aren't being used or are part of the default pattern. So the first thing people usually ask about this is: what's the performance impact of this?
MergeBase's Dynamic Application Surveillance and Hardening has a very low performance impact. It's about 1%, generally speaking. It's not the same as running something like a runtime agent where you're doing live intercepts of all calls, or memory interception, things like that, which can have a 5-10% performance impact, even more in some cases. MergeBase has a very low footprint for Dynamic Application Surveillance and Hardening.
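The "root cause" question Delan raises above (which direct dependency pulls a vulnerable transitive artifact into a Maven build, and what to paste into the POM to fix it) can be answered from the plain-text output of `mvn dependency:tree`. The script below is an added illustration written for this page; it is not Mergebase's code and says nothing about how Mergebase fingerprints or resolves components. The dependency tree it parses is constructed sample output (the artifact `com.example:legacy-logging-shim` is hypothetical), and the single advisory it matches against is the real one for log4j-core versions below 2.15.0 (CVE-2021-44228); a real tool would pull advisory data from a vulnerability database. The version ordering is a simplified numeric comparison, not Maven's full `ComparableVersion` rules.

```python
"""Find the root cause of a vulnerable transitive Maven dependency.

Parses the default text output of `mvn dependency:tree`, matches artifacts
against an advisory list, and for each hit reports whether the artifact is a
direct dependency or which direct dependency drags it in, plus a POM snippet.
"""
from dataclasses import dataclass, field
import re

# Constructed sample output of `mvn dependency:tree` (not from a real project).
# "com.example:legacy-logging-shim" is a hypothetical library that depends on log4j.
SAMPLE_TREE = r"""
[INFO] --- maven-dependency-plugin:3.3.0:tree (default-cli) @ app ---
[INFO] com.example:app:jar:1.0.0
[INFO] +- org.springframework.boot:spring-boot-starter-web:jar:2.5.0:compile
[INFO] |  +- org.springframework.boot:spring-boot-starter-json:jar:2.5.0:compile
[INFO] |  |  \- com.fasterxml.jackson.core:jackson-databind:jar:2.12.3:compile
[INFO] |  \- org.springframework:spring-webmvc:jar:5.3.7:compile
[INFO] +- com.example:legacy-logging-shim:jar:0.9.1:compile
[INFO] |  \- org.apache.logging.log4j:log4j-core:jar:2.14.1:compile
[INFO] |     \- org.apache.logging.log4j:log4j-api:jar:2.14.1:compile
[INFO] \- junit:junit:jar:4.13.2:test
[INFO]    \- org.hamcrest:hamcrest-core:jar:1.3:test
"""

# "group:artifact" -> [(advisory id, first fixed version)]. CVE-2021-44228 is real
# (log4j-core < 2.15.0); a production tool would load this from a vulnerability feed.
ADVISORIES = {
    "org.apache.logging.log4j:log4j-core": [("CVE-2021-44228", "2.15.0")],
}

# Each nesting level in the tree output is exactly one of these 3-character units.
TREE_UNITS = ("|  ", "   ", "+- ", "\\- ")


@dataclass
class Node:
    group: str
    artifact: str
    version: str
    scope: str
    parent: "Node | None" = None
    children: list = field(default_factory=list)

    @property
    def ga(self) -> str:
        return f"{self.group}:{self.artifact}"

    @classmethod
    def from_coordinate(cls, coord: str):
        """Accepts g:a:type:version, g:a:type:version:scope, g:a:type:classifier:version:scope."""
        parts = coord.split(":")
        if len(parts) == 4:
            g, a, _t, v = parts
            scope = "compile"
        elif len(parts) == 5:
            g, a, _t, v, scope = parts
        elif len(parts) == 6:
            g, a, _t, _c, v, scope = parts
        else:
            return None
        return cls(g, a, v, scope)


def parse_tree(text: str) -> Node:
    """Rebuild the dependency tree; depth is the number of leading 3-char units."""
    root, stack = None, []          # stack[d] = most recent node seen at depth d
    for raw in text.splitlines():
        if not raw.startswith("[INFO] "):
            continue
        line = raw[len("[INFO] "):]
        if not line or line.startswith("---"):
            continue                # plugin banner / blank lines
        depth = 0
        while line[:3] in TREE_UNITS:
            line, depth = line[3:], depth + 1
        node = Node.from_coordinate(line)
        if node is None:
            continue
        if depth == 0:
            root, stack = node, [node]
        else:
            node.parent = stack[depth - 1]
            node.parent.children.append(node)
            del stack[depth:]
            stack.append(node)
    return root


def version_key(v: str) -> list:
    """Simplified ordering for x.y.z versions (assumption: Maven qualifier rules not reproduced)."""
    return [(0, int(p)) if p.isdigit() else (1, p) for p in re.split(r"[.\-]", v)]


@dataclass
class Finding:
    cve: str
    coordinate: str        # group:artifact:version of the vulnerable node
    scope: str
    direct: bool           # True if declared in the project's own <dependencies>
    introduced_by: str     # the direct dependency that brings it in
    path: list             # direct dependency -> ... -> vulnerable artifact
    fixed_in: str


def walk(node: Node):
    yield node
    for child in node.children:
        yield from walk(child)


def find_vulnerable(root: Node, advisories=ADVISORIES) -> list:
    findings = []
    for node in walk(root):
        for cve, fixed_in in advisories.get(node.ga, []):
            if version_key(node.version) < version_key(fixed_in):
                chain = []                              # [root, direct, ..., node]
                n = node
                while n is not None:
                    chain.insert(0, n)
                    n = n.parent
                direct = chain[1]
                findings.append(Finding(
                    cve=cve, coordinate=f"{node.ga}:{node.version}", scope=node.scope,
                    direct=direct is node, introduced_by=f"{direct.ga}:{direct.version}",
                    path=[f"{c.ga}:{c.version}" for c in chain[1:]], fixed_in=fixed_in))
    return findings


def remediation_snippet(f: Finding) -> str:
    """For a transitive hit, a <dependencyManagement> entry pins the resolved version."""
    g, a, _v = f.coordinate.split(":")
    if f.direct:
        return f"Bump {g}:{a} to {f.fixed_in} in <dependencies>."
    return ("<!-- add under <dependencyManagement><dependencies> to override the transitive version -->\n"
            f"<dependency>\n  <groupId>{g}</groupId>\n  <artifactId>{a}</artifactId>\n"
            f"  <version>{f.fixed_in}</version>\n</dependency>")


if __name__ == "__main__":
    for f in find_vulnerable(parse_tree(SAMPLE_TREE)):
        kind = "direct" if f.direct else "transitive"
        print(f"{f.cve}: {f.coordinate} ({kind}, scope={f.scope})")
        print("  path: " + " -> ".join(f.path))
        print("  fix : " + remediation_snippet(f).replace("\n", "\n        "))
```

Run it against real output with `mvn dependency:tree > tree.txt` and `parse_tree(open("tree.txt").read())`. Because Maven's nearest-wins resolution prints each artifact once, the path shown is the one that actually won; if you need every path that requests the artifact, generate the tree with `-Dverbose` and extend the parser to keep the "omitted for conflict" lines as well.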
Empowering Java Engineers with SCA in the Java Ecosystem
Explore the power of Mergebase and fortify your Java ecosystem against software supply chain attacks. With Dynamic Application Surveillance and Hardening, precise vulnerability detection, seamless CI/CD integration, and high accuracy, Mergebase helps you build secure and resilient Java applications. Take the first step towards enhanced Java security today.