Hi, I'm Ciara Carey, and this is Cloudsmith's webinar on all things supply chain security and artifact management. Cloudsmith is a cloud native universal artifact management platform for securing, for securely developing and distributing software. With cyber threats on the rise, effective vulnerability management is more important than ever.

Today's topic is on Practical Vulnerability Management Workflows with Cloudsmith. I'm going to start with an overview of vulnerability management, bring in how Cloudsmith can help, and then I'm going to bring on our VP of product, **Alison Sickelka**, who can talk about who has molded some of these features, and can talk about how Cloudsmith, as your single source of truth, is a great tool to enhance your vulnerability management workflows.

And then I'm going to finish with a little demo. Okay, so let's start at the start. What's a vulnerability? A vulnerability is a flaw in your organization's software and it leaves your [00:01:00] software open to attack. It's a potential gateway for attackers to exploit, leading to severe consequences for your organization.

Examples of critical vulnerabilities are log4shell, Heartbleed and Shellshock the infamous slug for Shell two years ago now, it was capable of facilitating remote code execution. It's a nightmare scenario for any system. So there's a lot of vulnerability terminology. I'm going to. I'll touch on a few of the things I'm going to talk about later.

So CVEs are common vulnerabilities and exposures. It's a program that serves to standard, it's a standardized framework for identifying a cataloging security vulnerabilities. There'll be one CVE ID per vulnerability, and each record will have assigned an ID number and a brief description. It's a standardized way to track and record your vulnerabilities.

And it's kind of, it's the, it's the thing that's used in the [00:02:00] industry. But has CVE on it's known, it's not enough. You need to have a score to help you prioritize it. And the Common Vulnerability Scoring System, or CVES, is a framework for rating the severity of your vulnerabilities. It's based on the ease and impact of a scale impact of a vulnerability on a scale from 1 to least severe, to 10 to most severe.

These scores can be translated to CVE, Ratings for easier understanding. So 10 is critical and we have high, medium, and low as well. The log4shell vulnerability was an easy to exploit remote code execution vulnerability with enormous reach. And it was assigned a CVES severity of 10 or critical in the CVE rating system.

So we've talked about vulnerabilities, but. Have we talked about vulnerability management? Vulnerability management is the process of identifying, [00:03:00] assessing, prioritizing, and mitigating security vulnerabilities within your software organization. This is a really hard problem. And the biggest problem is scale.

The sheer volume of software and dependencies used in modern applications. It makes it really difficult to track and to monitor. The dynamic nature of vulnerabilities, with new threats emerging daily, requiring constant vigilance. The need to prioritize vulnerabilities based on severity and potential impact, with limited resources.

And often, the sort of, the lack of communication between development and security teams can lead to delays and remediation efforts. So what does a successful vulnerability program look like? You probably have dedicated teams overseeing vulnerability management efforts. You have visibility in all, on all your artifacts, including your dependencies.[00:04:00]

You have policies for when developers are ingesting dependencies so that you're not consuming vulnerable packages from the get go. You have good collaboration between security and dev teams and you have a way of tracking CVEs and prioritizing updates. And you can you have adopted streamline vulnerability identification assessment and mitigation processes.

Okay, well, how can Cloudsmith help? Well, Cloudsmith serves as your centralized platform for managing software artifacts, offering comprehensive visibility into dependencies and vulnerabilities across your organization's software supply chain. By integrating scanning policy enforcement and automation capabilities, Cloudsmith empowers organizations to proactively identify, assess, and mitigate vulnerabilities, mitigating risks effectively.

One of the best places to [00:05:00] stop vulnerabilities is that ingestion and Cloudsmith recommends that you consume all your open source using package managers, Maven, NuGet, Docket, NPM, PIP, and so that you have a consistent way of consuming your open source dependencies. Cloudsmith enables you to use all this native tooling for the package managers to to help you consume open source dependencies securely.

We also recommend that you proxy and cache your, your public registries through Cloudsmith's upstreams. This gives you control of all your dependencies, all your software, where you can apply policies policies to your software to deal with vulnerabilities. Cloudsmith also offers a tool called Navigator, which gives you insights into the quality of open source packages that you might consume.

So before you introduce new dependencies into your system, check it with Navigator to make sure it's of good [00:06:00] quality.

Cloudsmith also empowers you to enforce rules with Cloudsmith's policy management tools. You can stop vulnerabilities in packages above a certain level from being deployed or downloaded. For particularly difficult vulnerabilities, you can actually have deny list rules to stop packages with.

Known bad vulnerabilities like log4shell from entering your bill system. You can also manage licenses using our policy management system.

Cloudsmith scans every package and dependency on upload for malware and also scans it for CVEs. You can also re scan vulnerabilities using our API. And you can quarantine if vulnerabilities are found above a certain level.

Cloudsmith is a great tool for auditing all your software in your organization. We also calculate a signature for every file that is uploaded, and you can verify [00:07:00] this.

If you're a third party distributor of software, Cloudsmith lets you know who has who has consumed your, who has consumed your software, who has downloaded your software using entitlement tokens. This is important to do with vulnerability management when you find a vulnerability above a certain threshold that you want to contact your customers.

And automation, our APIs and our webhooks facilitate integrations, empowering you to harness security tools beyond Cloudsmith. So now

I'm going to introduce you to **Alison Sickelka**, VP of Product. Hi, Alison. Hi. Hey, so do you want to tell us about your role in Cloudsmith? Yeah,

like Ciara said, I'm **Alison Sickelka** and I head up product at Cloudsmith. So I help us figure out. what we need to build to make sure we're delivering value to our customers.

I've been with Cloudsmith for just over two [00:08:00] years and it's been really exciting to watch the evolution around artifact management and software supply chain during my time here.

And why is like artifact management important to organizations? Yeah,

ultimately, artifact management is at the core of software supply chain security.

So what used to be a nice to have a central store of all of your artifacts is becoming critical to be able to respond to remediate and ensure the security of your software supply chain. You know, that that central store of truth lets you easily understand what's in your supply chain. It lets you make sure you have the right controls in place on what sort of artifacts can get into your supply chain from the start, and it helps you quickly understand if you're impacted when an incident does occur, you can quickly come into Cloudsmith and understand where you're impacted.

And start your remediation efforts from

there. Yeah, I remember [00:09:00] when Log4Shell came about about two years ago, and our CTO, Lee Skillen, he wrote an article about how to help our users deal with this really difficult vulnerability and let them know if they're vulnerable to it by searching Cloudsmiths searching your organization and your repositories, and he also brought in some features that For log4shell specifically, and I think that's kind of berthed other features in Cloudsmith.

That wasn't so much a question, but is that where you see, is that where you saw a changing point in Cloudsmith? Yeah, so

log4shell happened. I want to say maybe a month after I started here. And it was really great to see how we could help customers who are using us as a single source of truth.

And sort of the power that came with having that central store of all artifacts for some of our customers. You essentially, you know, when, when an incident like that happens, You don't want to have to be [00:10:00] wondering about the impact and chasing down and spending time, even just knowing whether you're impacted.

You want to immediately be able to start remediation and so seeing that happen, seeing Lee jump in and help customers understand how they could start to understand impact and begin remediation. It was really great to see that.

Yeah, so how does, like, artifact management and vulnerability management, how do they relate to each other?

Yeah, so, so,

ultimately, artifact management gives you the central source of truth for everything, for every artifact that's used in your system. As you mentioned at the start, Ciara, we recommend that customers are proxying and caching even open source dependencies through us. There's been an explosion in the use of open source software over the past 10 years, and having that central store for all of that data makes it much easier to be able to manage manage and [00:11:00] respond to incidents that happen.

So, step one is having that central source of truth. From there, you need to be able to have insights and information about those packages. So what are the CVEs? What's the license information? What's the quality of this package? And be able to have that insight. And then Cloudsmith provides that control plane through policy management.

So you can say, Based on what I know about this package, do I want to let my end users, my customers access this package or not? And you can programmatically set up those policies and be able to have that control plane over what's happening in your software supply

chain. Cool. And I know what, before package, before policy management, we had We scanned packages and images, did is, was it from customers that were asking scanning alone isn't enough.

We need, we need a manager to put rules on that. How did that come about?

Yeah, so it was always somewhere we wanted to get. [00:12:00] That that control plane, that idea of being able to have control has always been important to us from the beginning, and part of that is just that we have a lot of empathy for our customers who are delivering software at scale.

And so we have some really large organizations who are using our tools, and so they don't have time to. Go in and evaluate each CVE that's coming up and decide whether they should or shouldn't let it be part of their software supply chain. They need automation and they need policies around that so that they can, they can manage that quality at scale.

And so you know, I think what we, what we really saw it after log4shell and just generally the past few years. In the artifact management space is an expectation of having this level of control and automation around policies and around CV ease. So. Yes, I think we saw a shift in what our customers were asking for as they understood more the value that can come from having that central source of truth and then just [00:13:00] being able to level up from knowing CVEs to having policies to having automation around those policies to be able to begin remediation.

And how do we power that automation? Yeah, so

we think it's really important to keep in mind. The end developer experience whether that's the end developer who's trying to pull that package, making sure they understand why that package is getting blocked, but also what can they do now that that package has been blocked and to help security teams understand what types of packages are.

My customers are my users trying to pull through Cloudsmith. And so we automate. Everything has been in the Tao of Cloudsmith from the beginning. It's a lofty goal. It takes work to get there. And even our customers, you know, like I said, it's a journey around their mitigation strategies. But investing in things like making sure we have APIs in place, making sure we have webhooks in place, building from there and understanding what does a notification system look like, where do our [00:14:00] customers need this information to show up in their workflows and just really working with our customers to understand end to end that experience around, Oh, I've had a policy violation.

What do I do next? And making sure that we're helping make that a great experience for them too.

Yeah. It's like the full circle to something actionable. It's not enough to know something. It's like for that to drive something else. Yeah. Yeah. So let's talk about some of the features that Cloudsmith has around vulnerability management.

I'm going to start my favorite feature. It's upstreams. Yeah.

Yeah, that's, that's so. Cloudsmith offers the ability to configure upstreams within your repositories and what that lets you do is essentially access packages from a source outside of Cloudsmith. So you're able to set up the major registries, like the popular open source registries, like NPM, PyPy, Maven Central, that you can access all of those packages through [00:15:00] Cloudsmith and cache those packages in Cloudsmith.

You know. Similar to the just the evolution of artifact management from a store to that control plane. Originally, upstreams were valuable for customers because they were able to have that copy accessible. So if something happened with the upstream, it became unavailable that they didn't lose critical software critical dependencies for their software.

But and we'll touch on this as we expand on some of the features, but that started to become. more of a software supply chain perspective of being able to make sure that those packages that you're sourcing from an upstream pass through your policy checks and are of a quality that you want in your software supply chain.

Oh, cool. I remember there was one particular type of, I'm not sure, a threat, I think it was called instead of an attack, where a package called leftpad was taken off. The NPM registry that, and so like kind of broke the internet because everybody was using this little package to, in their, in their in their projects or [00:16:00] in their, in their software.

And they couldn't build their projects because it was gone from the public registry. And if you had an upstream set up with Cloudsmith, you would have that cached already. So that's one of the, that's like a. Classic benefit. Yeah, that's right.

That's that's that's you know, it's sort of the original. What artifact management is known for is having that availability in that central store.

And so that's definitely a great benefit of having your upstreams configured through Cloudsmith.

Okay, so next next feature is scanning.

Yeah, so Once you have that central store, you want to understand more about the quality of the packages that are in your system. And so, we offer the ability to have your packages scanned to understand the CVEs that are associated with those packages.

So on that first upload, we check those packages on your behalf against our scanner, and we provide that CVE information to you in the application through APIs, things like that. [00:17:00] And help you start to build up an understanding of what, what does my exposure to CVEs look like within my supply chain?

Yeah. And you can actually you can trigger a web hook on this, on the on the scammers list as well.

That's right. So you can. As soon as the package gets scanned, you can have those results show up somewhere in your chat tool. In your email, different things like that. You can have that show up where you where your team that needs to understand and respond to that are.

You can have that show up there through our web hooks and through automation. I think it's also worth noting, you know, CVE are one piece of security and compliance that matters to our customers. Things like license, signatures some, some other package integrity pieces. We also are extracting that information and making that available both for policies and for just for the knowledge and information around those packages.

Oh, cool. And you can access that kind of information through, like, APIs and that kind [00:18:00] of thing? Yep, that's right. Cool. Okay, next feature is quarantining. Yeah, so

quarantining is is a package status, so you can apply the quarantine status to a package, and at that point, it will not be available to be downloaded, and it ultimately underpins our policy management feature that we'll talk about as well, but it's a status that you can apply to any package, anytime, through the UI, through the API based on webhooks, things like that.

You can, you can build, you can build your own Workflows to apply this quarantine status to a package, which essentially means that as soon as a package is in quarantine, no one within your organization can now download that package.

Okay, so you mentioned Policy Manager. Do you want to, do you want to talk about that?

It's kind of relatively recent and we are adding to it kind of all the time. Yeah, so like I

said at the start, you know, this idea of that control plane. Has been foundational to Cloudsmith from the start that once you have all your [00:19:00] artifacts in a central store, you have knowledge built up around those artifacts that you should be able to use that knowledge to apply controls to your software.

And so policy management is the backbone of that. Like you said, it's relatively new. I want to say maybe March of 2023 was the first iteration of policy management, but we let our customers build policies around things like licenses, CVEs and now we have package deny policies as well. And so we'll continue to expand and grow that policy feature set based on what is important to our customers.

And for the deny policy, it's quite a hammer policy. You can stop a package from being used within your organization.

That's right. So if you went back to that log4shell example, as soon as that happened, as soon as that was announced, you could go into Cloudsmith and you could immediately use, use that deny policy to stop any downloading of that package [00:20:00] moving forward.

And then you can begin your remediation effort once you've put that block in place.

Yeah, I can imagine like some desperate zero day vulnerability comes in and you can set up a rule straight away. So you feel a little more kind of safe. Yeah,

for that, for zero day for sure. And then, you know, for some of our larger organizations, they've built up knowledge internally about unsafe packages that they want to block as well.

And so they can use that package deny policy to be able to implement those blocks across their organization through Cloudsmith.

Yeah. One thing I heard about like vulnerability management is like, say for log4shell, the security professionals came in, they scrubbed the system of all log4shell and then it gets reintroduced somehow by developers.

So that's why we need features like this. It just like kind of sneaks its way back in unless you have like policies around ingestion. Yeah,

policies around ingestion and then [00:21:00] that central store, right? If, if you, if you as a security team don't have a place where you can apply those, that, that that policy, then anybody can be using anything within your organization.

Okay. And so I'm going to bring back in, I mentioned before about Navigator. It's this new tool that we have to help our customers decide if a dependency is, is worthy of being brought into your organization or not. How is that related to vulnerability management?

Yeah. So vulnerability management is just one piece of having a software supply chain security strategy.

You're frameworks develop in this space. Things like SLSA. And some other policies in this space. There are some other frameworks in this

space. S2, C2F is the one I really like for consuming open source securely. Yeah.

And so a lot of these new frameworks are, are responding to, or addressing the idea that at the very start of deciding what you want to include in your software [00:22:00] supply chain.

You can understand what a quality package is. You can have integrity around the packages that are being used within your organization. And so Navigator essentially brings together a view of the packages available on popular open source registries and applies a quality score, a perspective on the quality of those packages.

It takes into account different things like Is it well maintained? When was the last update? Things like that and starts to have that viewpoint on quality that you can start to use at the, at the very beginning of deciding what should be in your software supply chain. So CVE mitigation, you know, that's sort of That's sort of further down but really at the start of deciding what you want to be dependent on or what dependencies you want to use within your software supply chain.

Navigator helps you make better choices up front.

Yeah, I'm seeing a lot of talk about bringing developers into the security conversation and how they're responsible for bringing a lot of these dependencies [00:23:00] with. possible vulnerability in. And so we need tools to empower them to make good decisions.

Yeah. Ultimately you want your developers to be able to ship fast. And so you want to have a set of policies and practices in place that help them make better choices in a way that still lets them focus on the things that are critical to their job, which is delivering software for your business.

Finally how do you think our evolving vulnerability management features, how did you see vulnerability management evolving in Cloudsmith? Yeah. So, so we like

to listen to our customers and understand how they are thinking about software supply chain security. We're interested in things like the life cycle of a package and understanding what information and knowledge you can, you can gain from understanding the life cycle and the provenance of a package within your system things like that package quality that I mentioned that information [00:24:00] around our quality scores and navigator, but also things like security score cards.

There's a lot of data out there that we can feed into our system. So we want to just continually be building up the knowledge and insights we have around a package and then make sure that that knowledge and information is available to our customers to be able to build their policies and make good decisions around that.

Yeah, it's looking forward to it. Well, right now we already have a good few features around vulnerability managing to help our customers. And I'm going to do a demo now. So say a little prayer to the gods. I'm going to share my screen. Thank you so much, Alison. And let me share my screen and show some of those lovely features.

Okay.

So this is a little Python project with a an old version of requests, which has a few vulnerabilities. These vulnerabilities are moderate, so they're not that high, but I'm going to show you how to push package just to Cloudsmith, have them scan for vulnerabilities, find the vulnerabilities in question, and then [00:25:00] alert by means of Linear, using webhooks and Zapier to create a new task in Linear that shows that you need to eventually update this package because it's, has some vulnerabilities in it.

Okay, so let's run this. And this action just pushes it to Cloudsmith.

Great, so while it's building there, I'm going to show you Cloudsmith. This is the Cloudsmith repository that I'm going to push everything to. It's empty at the moment. I have already set up an upstream. To PyPy and I've set it to cache and proxy from PyPy. This means that all dependencies used in my Python project will be brought into Cloudsmith and it means that all the scanning and all the Policy rules that I've set up will apply to any all those packages and all those dependencies

I've also set up a webhook You can see some of the [00:26:00] packages being brought in now. I've also set up a webhook and this webhook Is triggered on the scan results So I'll just show you that now. Let's edit it.

So I'm just subscribing to package security scan completed and then it will trigger a webhook that I'm using in Zapier and then Zapier will check if a vulnerability is present and open a linear task for the right project. Okay, so let's see that running now. It should be should be nearly pulled all those packages in.

Okay, so we have our requests our requests Package has been brought in as it's detected vulnerabilities. Oh, there's another one here. Your, your lib3. And so if we go to linear, we can see that it's created two new tasks. These two packages have have a vulnerability in it of medium level. [00:27:00] So that's great.

We've set up a, Linear notification to the right team to to go about and solve those vulnerabilities.

I'd like to see how we can automatically quarantine packages of high or above, and these were just moderate. So let's just start again. Let's delete all these lads. Let's go back into my workflow in GitHub actions. Go into my Project and I'm going to yeah,

I'm going to bring in an older version of requests that has an issue

with the vulnerability higher than higher than that's higher above. So let's see, we've deleted everything from our Cloudsmith workflow.

If I commit this change, it will automatically kick off. GitHub action.

Okay, great. So while it's building there, I'm going to show you the organization's policy [00:28:00] management tool. You can see over on the left hand side here, all the sections around policy management. You can have policies around authentication, around licensing, no GPL licenses please around vulnerabilities and deny lists, that big hammer to stop a vulnerable package from getting into your organization.

We're only going to set up a vulnerability policy. I've one prepared earlier. It's the webinar demo one. We have this policy is only for the vulnerability workflow repository that I'm using. You can see here, it's actually this package query is a really powerful Boolean syntax that you can use to have fine grain logic around Your policy rules and who it applies to you can also I'm going to make sure that it's just for my repository.

You can set the level from critical high, medium, low, depending on. What rule you want to set up and [00:29:00] Allison, you can also decide not to quarantine the package, right? You can just alert people.

Yeah, that's right. If you wanted to build the workflow that Ciara shows here where you don't necessarily stop the build or block it with the package and instead you just alert on those on those violations, you can do that as well.

Cool. So I'm just going to cancel out of this here because I've already created this policy rule. And let's go back into my repo.

Oh yes, here we go. We have a bold package request that has a detected vulnerabilities and these vulnerabilities violate our new policy. This package is in violation of the following rules and it shows you the rule in question. And this is above a certain severity. So you cannot deploy or download this package and you can see here in linear, it's created a new A new task for for the [00:30:00] high level of vulnerability for this request package.

Okay, great. I'm going to finish sharing my screen.

Hey, Alison, I'll bring you back on stage. Yeah. Yeah, so you can actually create. Loads of different workflows with Cloudsmith around vulnerability management using our webhooks, our APIs. I didn't show you how we can also attach an SBOM to your images. You can you can also schedule rescans because sometimes you, you use a package, it has no vulnerabilities, but at a later stage, They are discovered, and so you may need to schedule re scans for packages.

So, Alison, we've explored the importance of vulnerability management, and how Cloudsmith provides solutions to address these challenges. Cloudsmith is a central place to control all your organization software, and of course its dependencies. We have an integrated scanner and policy management to help you control [00:31:00] artifact ingestion, and we have automation to help you build actionable workflows.

I encourage you to explore Cloudsmith further. Come to our webpage, Cloudsmith. com, open up a chat, start a free trial. It's like we want to hear more of you. We want you using these features. We want to hear your feedback. Any last words, Alison?

Yeah, no, I think you covered most of it. You know, we think that artifact management is core to software supply chain security, and we're eager to help our customers secure their software supply chain.

We have knowledge, insights and control built into our platform, and we hope that folks find that valuable and come and understand the benefits of artifact management.

Yeah, this is it. So thank you so much, Alison. And thanks everybody for joining us today. Oh, to let you know, we're going to KubeCon in Paris.

So you can talk to us there as well. For more information on Cloudsmith, start a free trial and come to our website, [00:32:00] Cloudsmith. com. Thanks again for coming today. Bye.