@RealGeneKim
CONTINUOUS
ACCELERATION
with a Software Supply
Chain Approach
Gene Kim & Josh Corman
Ask questions on Twitter during the webinar using #sonatype
Josh Corman, Sonatype (@joshcorman): Sonatype CTO; co-founder of Rugged Software and I Am The Cavalry
Gene Kim, IT Revolution Press (@RealGeneKim): CTO, researcher and author of 'The Phoenix Project' and 'Visible Ops'
Source: 2014 Sonatype Open Source and Application Security Survey
Session ID: CLD-106
Session Classification: Intermediate
Josh Corman, Gene Kim
VERY ROUGH 1ST Draft
Security is Dead. Long Live Rugged DevOps: IT at Ludicrous Speed…
#RSAC
Rugged DevOps: Going Even Faster With Software Supply Chains
Joshua Corman, CTO, Sonatype (@joshcorman)
Gene Kim, Researcher and Author, IT Revolution Press (@RealGeneKim)
10/23/2013
~ Marc Andreessen, 2011
Trade Offs: Costs & Benefits
Beyond Heartbleed: OpenSSL in 2014 (31 in NIST's NVD through December)

CVE            Published   CVSS  Severity  Note
CVE-2014-3470  6/5/2014    4.3   MEDIUM    SIEMENS *
CVE-2014-0224  6/5/2014    6.8   MEDIUM    SIEMENS *
CVE-2014-0221  6/5/2014    4.3   MEDIUM
CVE-2014-0195  6/5/2014    6.8   MEDIUM
CVE-2014-0198  5/6/2014    4.3   MEDIUM    SIEMENS *
CVE-2013-7373  4/29/2014   7.5   HIGH
CVE-2014-2734  4/24/2014   5.8   MEDIUM    ** DISPUTED **
CVE-2014-0139  4/15/2014   5.8   MEDIUM
CVE-2010-5298  4/14/2014   4.0   MEDIUM
CVE-2014-0160  4/7/2014    5.0   MEDIUM    Heartbleed
CVE-2014-0076  3/25/2014   4.3   MEDIUM
CVE-2014-0016  3/24/2014   4.3   MEDIUM
CVE-2014-0017  3/14/2014   1.9   LOW
CVE-2014-2234  3/5/2014    6.4   MEDIUM
CVE-2013-7295  1/17/2014   4.0   MEDIUM
CVE-2013-4353  1/8/2014    4.3   MEDIUM
CVE-2013-6450  1/1/2014    5.8   MEDIUM
…

As of today, internet scans by MassScan reveal that 300,000 of the original 600,000 hosts remain unpatched or unpatchable.
Heartbleed + (Unpatchable) Internet of Things == ___ ?
In Our Bodies, In Our Homes, In Our Infrastructure, In Our Cars
Sarcasm: I'm shocked!
The Cavalry isn't coming… It falls to us
Problem Statement: Our society is adopting connected technology faster than we are able to secure it.
Mission Statement: To ensure connected technologies with the potential to impact public safety and human life are worthy of our trust.
• Collecting existing research, researchers, and resources
• Connecting researchers with each other, industry, media, policy, and legal
• Collaborating across a broad range of backgrounds, interests, and skillsets
• Catalyzing positive action sooner than it would have happened on its own
Why: Trust, public safety, human life
How: Education, outreach, research
Who: Infosec research community; a global, grass-roots initiative
What: Long-term vision for cyber safety
Focus areas: Medical, Automotive, Connected Home, Public Infrastructure
I Am The Cavalry
Our Goals
• Play Mad Chemists
• The Best & Brightest of DevOps
• The Best & Brightest of Security
• Cause High Value / High Connection
• Merge our Tribes for Mutual Awesomeness
• Catalyze New Patterns and Solutions
#RSAC
Where We've Been
The Downward Spiral…
IT Ops And Dev At War
10 deploys per day
Dev & ops cooperation at Flickr
John Allspaw & Paul Hammond
Velocity 2009
Source: John Allspaw (@allspaw) and Paul Hammond (@ph)
Dev and Ops
Source: John Allspaw (@allspaw) and Paul Hammond (@ph)
DevOps is incomplete, is interpreted wrong, and is too isolated
Source: Theo Schlossnagle (@postwait)
.*Ops
Source: Theo Schlossnagle (@postwait)
^(?<dept>.+)Ops$
Source: Theo Schlossnagle (@postwait)
Justin Collins, Neil Matatall & Alex Smolen from Twitter
High Performers Are More Agile: 30x more frequent deployments and 8,000x faster lead times than their peers
Source: Puppet Labs 2013 State Of DevOps: http://puppetlabs.com/2013-state-of-devops-infographic
High Performers Are More Reliable: 2x the change success rate and 12x faster mean time to recover (MTTR)
Source: Puppet Labs 2013 State Of DevOps: http://puppetlabs.com/2013-state-of-devops-infographic
High Performers Win In The Marketplace: 2x more likely to exceed profitability, market share & productivity goals; 50% higher market capitalization growth over 3 years*
Source: Puppet Labs 2014 State Of DevOps
The Three Ways
#RSAC
Why It's "Go Time"
New engineer to John Allspaw:
“Is it okay for me to make this change?”
John Allspaw:
“I don’t know. Is it?”
One Of The Highest Predictors Of
Performance
Source: Typology Of Organizational Culture (Westrum, 2004)
DevOps Enterprise: Lessons Learned
• On Oct 21-23, we held the DevOps Enterprise Summit, a conference for horses, by horses
• Speakers included fifty leaders from: Macy's, Disney, Target, GE Capital, Blackboard, Nordstrom, Telstra, US Department of Homeland Security, CSG, Raytheon, IBM, Ticketmaster, MITRE, Marks and Spencer, Barclays Capital, Microsoft, Nationwide Insurance, Capital One, Gov.UK, Fidelity, Rally Software, Neustar, Walmart, PNC, ADP, …
The most popular and talked-about presentation at DevOps Enterprise 2014? Mark Schwartz, CIO, US Citizenship and Immigration Services, Department of Homeland Security
Observations
• They were using the same technical practices and getting the same sort of metrics as the unicorns
• Target: 10+ deploys per day, < 10 incidents per month
• Capital One: 100s of deploys per day, lead time of minutes
• Macy's: 1,500 manual tests every 10 days, now 100Ks of automated tests run daily
• Nationwide Insurance: Retirement Plans app (COBOL on mainframe)
• Raytheon: testing and certification from months to a day
• US CIS: security and compliance testing run on every code commit
Observations
• The transformation stories are among the most courageous I've ever heard
• Often the transformation leader was putting themselves in personal jeopardy
• Why? Absolute clarity and conviction that it was the right thing for the organization
Capital One: DevOpsSec
Source: Tapabrata Pal, Capital One
Heather Mickman, Target, Inc.
• Abolished the TEP-LARB process
• As a result, she won the Lifetime Achievement Award from her grateful team
What About Infosec?
• Ed Bellis
• Former CISO of Orbitz
• VP Information Security at Bank of America
• Currently CEO of Risk I/O
Risk I/O DevOps By the Numbers
Small & Frequent Commits
• Average between 75 & 125 commits to Master/week
• Simplicity is your friend
Security Automation at Risk I/O
• Chef All the Things!
• Test All the Things! (including security)
• Static + Dynamic Throughout
• Continuous Integration via CircleCI
• Open-Sourced Cookbooks
Safety-equipment analogy: ModSecurity (airbag), Nessus (airbag control), Nmap (brakes), SSH, iptables (shoulder belt), encrypted volumes, Duo 2FA, OpenVPN
ChatOps = Slack + graphite + logstash + sensu + pagerduty
The DevOps Audit Defense Toolkit
http://bit.ly/DevOpsAudit
James DeLuccia IV
Jeff Gallimore
Gene Kim
Byron Miller
“deploys / day”
“deploys / day / dev”
#RSAC
Where We Want To Go
Innovate! (chart: productivity over time)
2/1/2016
COMMERCIAL RESPONSES TO OPENSSL
X Axis: Time (days) following initial Heartbleed disclosure and patch availability
Y Axis: Number of products included in the vendor vulnerability disclosure
Z Axis (circle size): Exposure as measured by the CVE CVSS score
https://www.usenix.org/system/files/login/articles/15_geer_0.pdf
For the 41%: 390 days. For CVSS 10s: 224 days.
True Costs & Least Cost Avoiders
ACME → Enterprise, Bank, Retail, Manufacturing, BioPharma, Education, High Tech (the same downstream set, repeated across the diagram)
ON TIME. ON BUDGET. ACCEPTABLE QUALITY/RISK.
ON TIME.
Faster builds.
Fewer interruptions.
More innovation.
ON BUDGET.
More efficient.
More profitable.
More competitive.
ACCEPTABLE QUALITY/RISK.
Easier compliance.
Higher quality.
Built-in audit protection.
The same ON TIME / ON BUDGET / ACCEPTABLE QUALITY/RISK benefits stack, layer by layer:
Agile / CI
DevOps / CD
SW Supply Chains
Comparing the Prius and the Volt

                      Toyota Advantage   Toyota Prius   Chevy Volt
Unit Cost             61%                $24,200        $39,900
Units Sold            13x                23,294         1,788
In-House Production   50%                27%            54%
Plant Suppliers       16% (10x per)      125            800
Firm-Wide Suppliers   4%                 224            5,500
H.R. 5793 "Cyber Supply Chain Management and Transparency Act of 2014"
• Elegant Procurement Trio
1) Ingredients: Anything sold to $PROCURING_ENTITY must provide a Bill of Materials of 3rd Party and Open Source Components (along with their Versions)
2) Hygiene & Avoidable Risk: …and cannot use known vulnerable components for which a less vulnerable component is available (without a written and compelling justification accepted by $PROCURING_ENTITY)
3) Remediation: …and must be patchable/updateable, as new vulnerabilities will inevitably be revealed
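The procurement trio above maps naturally onto an automated check a procuring entity (or a vendor preparing a submission) can run against a bill of materials. The following is an added example, not code from the slides or from Sonatype: it parses a minimal plain-text BOM (a format assumed here), flags components that are known vulnerable when a less vulnerable version exists and no accepted justification is on file, treats vulnerable components with no fix available as informational rather than blocking, and fails any component that cannot be patched once fielded. All component names, versions, CVSS scores and advisories are constructed sample data, not real products or CVEs.

```python
"""Policy check modelled on the three H.R. 5793 procurement requirements:
(1) a bill of materials with component versions, (2) no known-vulnerable
component where a less vulnerable one is available, absent an accepted written
justification, (3) components must be patchable/updatable once fielded.
Added example; every name, version and advisory below is constructed."""
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Optional


@dataclass(frozen=True)
class Component:
    """One ingredient of the bill of materials (requirement 1)."""
    name: str
    version: str
    updatable: bool  # requirement 3: can it be patched once fielded?


@dataclass(frozen=True)
class Advisory:
    """A known vulnerability; fixed_in is the less vulnerable version, if any."""
    component: str
    affected_versions: FrozenSet[str]
    cvss: float
    fixed_in: Optional[str]


@dataclass(frozen=True)
class Finding:
    component: str
    version: str
    requirement: int   # 2 = hygiene & avoidable risk, 3 = remediation
    blocking: bool     # True if this finding alone should fail procurement
    detail: str


def parse_bom(text: str) -> List[Component]:
    """Parse an assumed minimal BOM format: one 'name version yes|no' line per
    component; the last field says whether it is updatable. '#' starts a comment."""
    components = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        name, version, flag = line.split()
        components.append(Component(name, version, flag.lower() == "yes"))
    return components


def check_bom(bom: List[Component], advisories: List[Advisory],
              justified: Optional[Dict[str, str]] = None) -> List[Finding]:
    """Evaluate each BOM entry against requirements 2 and 3. `justified` maps a
    component name to a justification the procuring entity has accepted; such a
    component is still reported, but is not blocking."""
    justified = justified or {}
    by_name: Dict[str, List[Advisory]] = {}
    for adv in advisories:
        by_name.setdefault(adv.component, []).append(adv)

    findings: List[Finding] = []
    for comp in bom:
        for adv in by_name.get(comp.name, []):
            if comp.version not in adv.affected_versions:
                continue
            if adv.fixed_in is None:
                # Vulnerable but no less vulnerable version exists: the risk is
                # not avoidable, so report it without blocking.
                findings.append(Finding(comp.name, comp.version, 2, False,
                    f"known vulnerable (CVSS {adv.cvss}); no fixed version available"))
            elif comp.name in justified:
                findings.append(Finding(comp.name, comp.version, 2, False,
                    f"known vulnerable (CVSS {adv.cvss}); {adv.fixed_in} available; "
                    f"accepted justification: {justified[comp.name]}"))
            else:
                findings.append(Finding(comp.name, comp.version, 2, True,
                    f"known vulnerable (CVSS {adv.cvss}); less vulnerable version "
                    f"{adv.fixed_in} available and no accepted justification"))
        if not comp.updatable:
            findings.append(Finding(comp.name, comp.version, 3, True,
                "component cannot be patched or updated once fielded"))
    return findings


def passes_policy(bom: List[Component], advisories: List[Advisory],
                  justified: Optional[Dict[str, str]] = None) -> bool:
    """True when no finding is blocking."""
    return not any(f.blocking for f in check_bom(bom, advisories, justified))


# Constructed sample data: hypothetical component names and advisories.
SAMPLE_BOM_TEXT = """\
acme-ssl        1.2.0  yes
acme-xmlparser  3.1.4  no    # baked into firmware, no update path
acme-logger     0.9.0  yes
acme-json       2.0.0  yes
"""

SAMPLE_ADVISORIES: List[Advisory] = [
    Advisory("acme-ssl", frozenset({"1.1.0", "1.2.0"}), cvss=7.5, fixed_in="1.2.1"),
    Advisory("acme-xmlparser", frozenset({"3.1.4"}), cvss=5.0, fixed_in=None),
    Advisory("acme-logger", frozenset({"0.8.0"}), cvss=4.3, fixed_in="0.9.0"),
]

if __name__ == "__main__":
    bom = parse_bom(SAMPLE_BOM_TEXT)
    for f in check_bom(bom, SAMPLE_ADVISORIES):
        status = "FAIL" if f.blocking else "note"
        print(f"[{status}] req {f.requirement}: {f.component} {f.version}: {f.detail}")
    print("passes policy:", passes_policy(bom, SAMPLE_ADVISORIES))
```

On the sample data the check produces three findings: acme-ssl 1.2.0 blocks under requirement 2 because 1.2.1 exists and nothing justifies staying behind; acme-xmlparser 3.1.4 is noted but not blocked under requirement 2 (no fix exists) and then blocks under requirement 3 because it cannot be updated in the field; the other two components are clean. Supplying an accepted justification for acme-ssl leaves only the unpatchable-firmware failure, which is the point of requirement 3: a justification can excuse a known issue, but not the inability to ever fix the next one.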
#RSAC
Go Forth… and be Rugged
@RuggedSoftware
SW Supply Chain Intelligence Goes Here
ACCORDING TO ADOBE
ACCORDING TO IBM
ACCORDING TO DOCKER
ACCORDING TO CISCO
Current approaches AREN'T WORKING
Pipeline stages: Component Selection → Development → Build and Deploy → Production
• 75% lack meaningful controls over components in apps
• 27 different versions of the same component downloaded
• 95% inefficient sourcing: components are not downloaded to caching repositories
• 63% don't track components used in production
• 24 critical or severe vulnerabilities per app
• 4 strong copyleft licensed components per app (average)
Pipeline stages: Component Selection → Development → Build and Deploy → Production
Public Repositories → Nexus Lifecycle
• Precisely identify components & risks
• Remediate early in development
• Automate policy across the SDLC
• Manage risk with a consolidated dashboard
• Continuously monitor apps for new risks
Full day of videos
Assessments Available
http://www.sonatype.org/nexus/
Continuous Acceleration with a Software Supply Chain Approach
Gene Kim (@RealGeneKim), Josh Corman (@joshcorman)
Source: 2014 Sonatype Open Source and Application Security Survey
 
Architecture decision records - How not to get lost in the past
Architecture decision records - How not to get lost in the pastArchitecture decision records - How not to get lost in the past
Architecture decision records - How not to get lost in the past
 
AI & Machine Learning Presentation Template
AI & Machine Learning Presentation TemplateAI & Machine Learning Presentation Template
AI & Machine Learning Presentation Template
 
%+27788225528 love spells in Atlanta Psychic Readings, Attraction spells,Brin...
%+27788225528 love spells in Atlanta Psychic Readings, Attraction spells,Brin...%+27788225528 love spells in Atlanta Psychic Readings, Attraction spells,Brin...
%+27788225528 love spells in Atlanta Psychic Readings, Attraction spells,Brin...
 
WSO2CON 2024 - Does Open Source Still Matter?
WSO2CON 2024 - Does Open Source Still Matter?WSO2CON 2024 - Does Open Source Still Matter?
WSO2CON 2024 - Does Open Source Still Matter?
 
WSO2CON 2024 - Cloud Native Middleware: Domain-Driven Design, Cell-Based Arch...
WSO2CON 2024 - Cloud Native Middleware: Domain-Driven Design, Cell-Based Arch...WSO2CON 2024 - Cloud Native Middleware: Domain-Driven Design, Cell-Based Arch...
WSO2CON 2024 - Cloud Native Middleware: Domain-Driven Design, Cell-Based Arch...
 
WSO2Con204 - Hard Rock Presentation - Keynote
WSO2Con204 - Hard Rock Presentation - KeynoteWSO2Con204 - Hard Rock Presentation - Keynote
WSO2Con204 - Hard Rock Presentation - Keynote
 
WSO2CON 2024 - Navigating API Complexity: REST, GraphQL, gRPC, Websocket, Web...
WSO2CON 2024 - Navigating API Complexity: REST, GraphQL, gRPC, Websocket, Web...WSO2CON 2024 - Navigating API Complexity: REST, GraphQL, gRPC, Websocket, Web...
WSO2CON 2024 - Navigating API Complexity: REST, GraphQL, gRPC, Websocket, Web...
 
WSO2Con2024 - From Code To Cloud: Fast Track Your Cloud Native Journey with C...
WSO2Con2024 - From Code To Cloud: Fast Track Your Cloud Native Journey with C...WSO2Con2024 - From Code To Cloud: Fast Track Your Cloud Native Journey with C...
WSO2Con2024 - From Code To Cloud: Fast Track Your Cloud Native Journey with C...
 
%+27788225528 love spells in Boston Psychic Readings, Attraction spells,Bring...
%+27788225528 love spells in Boston Psychic Readings, Attraction spells,Bring...%+27788225528 love spells in Boston Psychic Readings, Attraction spells,Bring...
%+27788225528 love spells in Boston Psychic Readings, Attraction spells,Bring...
 

Continuous Acceleration with a Software Supply Chain Approach

Editor's Notes

  1. We are in the business of open source governance, management and compliance (add in slide or on cover slide) Your Company Runs on Software – it must be trusted
  2. Gene and I realized back in 2011 that DevOps was a game changer and that Security as we knew it was not going to survive. My Rugged Software Manifesto and movement and our shared beliefs of culture and incentives compelled us to marry the tribes for mutual benefit.
  3. Gene and I realized back in 2011 that DevOps was a game changer and that Security as we knew it was not going to survive. My Rugged Software Manifesto and movement and our shared beliefs of culture and incentives compelled us to marry the tribes for mutual benefit.
  4. Over the years our Tribe has grown…
  5. And in 2015 we now merge with the broader DevOps leadership community… with a full-day, 700-person Rugged DevOps workshop… at this year’s RSAC Gene is realizing the mad chemistry we’ve done… Jez is asking what the heck am I getting myself into ;)
  6. My name is Gene Kim. My area of passion started when I was the CTO and founder of Tripwire in 1999. I started keeping a list that we called “Gene’s list of people with great kung fu.” These were the organizations that simultaneously… In the next 25 minutes, I’m really excited to share with you some of my key learnings, which I’m hoping will not only be applicable to you, but that you’ll be able to put into practice right away, and get some amazing results. But let me tell you how my journey began…
  7. http://www.caida.org/research/security/code-red/coderedv2_analysis.xml#animations
  8. NIST’s NVD (National Vulnerability Database) http://web.nvd.nist.gov/view/vuln/search-results?query=OpenSSL&search_type=all&cves=on  Siemens was affected by 4 OpenSSL flaws beyond HeartBleed, one from 2010. http://www.scmagazine.com/siemens-industrial-products-impacted-by-four-openssl-vulnerabilities/article/361997/ “Several Siemens products used for process and network control and monitoring in critical infrastructure sectors are affected by four vulnerabilities in the company's OpenSSL cryptographic software library. The vulnerabilities – CVE-2014-0224, CVE-2014-0198, CVE-2010-5298, and CVE-2014-3470 – can be exploited remotely, and fairly easily, to hijack a session as part of a man-in-the-middle attack or to crash the web server of the product, according to a Thursday ICS-CERT post. Siemens has already issued updates for APE versions prior to version 2.0.2 and WinCC OA (PVSS), but has only issued temporary mitigations for CP1543-1, ROX 1, ROX 2, and S7-1500. The products are typically used in the chemical, critical manufacturing, energy, food and agriculture, and water and wastewater systems sectors, according to the post.”
  9. www.ruggedsoftware.org https://www.ruggedsoftware.org/documents/
  10. www.ruggedsoftware.org https://www.ruggedsoftware.org/documents/ “I recognize that my code will be attacked by talented and persistent adversaries who threaten our physical, economic, and national security“
  11. [ picture of messy data center ] Ten minutes into Bill’s first day on the job, he has to deal with a payroll run failure. Tomorrow is payday, and finance just found out that while all the salaried employees are going to get paid, none of the hourly factory employees will. All their records from the factory timekeeping systems were zeroed out. Was it a SAN failure? A database failure? An application failure? Interface failure? Cabling error?
  12. Source: http://biobreak.wordpress.com/2010/10/07/games-evangelism-dos-and-donts/
  13. There are many ways to react to this: fear, horror, trying to become invisible… All understandable, given the circumstances… Because infosec can no longer take 4 weeks to turn around a security review for application code, or take 6 weeks to turn around a firewall change. But, on the other hand, I think it will be the best thing to ever happen to infosec in the past 20 years. We’re calling this Rugged DevOps, because it’s a way for infosec to integrate into the DevOps process, and be welcomed. And not be viewed as the shrill hysterical folks who slow the business down.
  14. My name is Gene Kim. My area of passion started when I was the CTO and founder of Tripwire in 1999. I started keeping a list that we called “Gene’s list of people with great kung fu.” These were the organizations that simultaneously… In the next 25 minutes, I’m really excited to share with you some of my key learnings, which I’m hoping will not only be applicable to you, but that you’ll be able to put into practice right away, and get some amazing results. But let me tell you how my journey began…
  15. My name is Gene Kim. My area of passion started when I was the CTO and founder of Tripwire in 1999. I started keeping a list that we called “Gene’s list of people with great kung fu.” These were the organizations that simultaneously… In the next 25 minutes, I’m really excited to share with you some of my key learnings, which I’m hoping will not only be applicable to you, but that you’ll be able to put into practice right away, and get some amazing results. But let me tell you how my journey began…
  16. Qualitative takeaways: Virtually all major (and not so major) software vendors are building on a stack of open source (including security vendors). The breadth of use across some vendors, most notably IBM, is remarkably high (open source is not just in a few rogue products). New discoveries are getting more serious over time. New discoveries are getting less vendor attention (fewer vendor disclosures) despite being more serious. Vendors are responding to new discoveries at a somewhat slower pace. The significant increase in product disclosures after the later OpenSSL disclosures, which affect all versions of OpenSSL and not just versions 1.0.1 or later, implies that many vendors and products were using old libraries (version 0.9.8 was first released in July 2005). Total disclosures: 227. Total product instances affected by disclosures: 2,513. Mean time to repair: 35.8. Median time to repair: 22.0.
  17. Deming has sage advice for us… but he has more than that… Deming may be the key to changing our fate… …more on this later… See also Josh’s RSA Europe Keynote Video: Survival Isn’t Mandatory: Challenges and Opportunities of DevOps http://youtu.be/m4Y_K7MXQxQ
  18. Incentives Incentivize – Any strategy that requires human nature to change is likely to fail. The Eternal Essence of SW Developers is to be “On Time. On Budget. With Acceptable Quality/Risk.” Which translates into “Go Faster. Be More Efficient. Manage Quality.” In that order… IMG SRC = https://www.flickr.com/photos/opensourceway/4862920379/in/photolist-8pHJNP-9YLxpV-bZwfxo-4cv2XJ-6u2Sii-6u2Sbv-6u2RPV-7TCwgh-7DhXvU-8bpC9J-f119g-6V7UHx-63Bo2R-bwS9ux-7svgys-755bHf-9YLxvr-4R4GZV-dhtwk7-6V69PL-8nuXRE-c8Hc9m-9RTeA4-5HhfEX-8Vnaei-aFf72q-pgL6BQ-6n9a5w-6n98H1-6n99vN-6n4YQe-751hbP-4PLgno-M3uTP-9YPru5-BAPs6-8JMvEe-6t2Jfa-k9ZQVz-eF7qWf-6VbWPN-4UKjC3-7z4qGQ-jAC6Ap-9YLuSK-9YLuLD-9YLwYr-5zUdBo-64ooGC-9YLvPx
  19. Waterfall -> Agile -> DevOps -> SW Supply Chains Creative Commons https://www.flickr.com/photos/edwarddalmulder/16007135379
  20. Waterfall -> Agile -> DevOps -> SW Supply Chains. Bring up Agile Manifesto – why it got adoption / motivational alignment… Rugged Manifesto. IMG SRC = https://www.flickr.com/photos/spam/3793946621/in/photolist-6MfY9M-pibhYF-4pewTp-5r6nyV-9dQpr8-4KHaSk-7GpW1s-aghWN5-qKUeyx-3paWa5-pTBrTu-oWLEkK-fBgcPD-dTGid3-d9Wqz3-cX8kCE-8djLzu-aghWX1-gG5tkQ-oES1PD-67gTBy-ccZ3iL-dDSEQW-qqZViu-DWdGA-6ZR48F-dtySAq-uxgZq-GGsSn-aghWK1-8VBRBX-yNrLX-7PQWEZ-7HC962-7xbdLo-aPMVLp-8s5w6E-aghWM9-agfcea-8bB8gn-dTGhjY-dnp9es-qth42k-5sXSCT-mDbZND-4MAAEZ-fKh9sA-pww9X8-8Qsyys-9MpqGa Creative Commons
  21. Waterfall -> Agile -> DevOps -> SW Supply Chains IMG SRC = https://www.flickr.com/photos/psd/8634021085/in/photolist-c3BfF9-9M9wdC-e9XBEv-nfWJyu-nP7Kpu-nQSeD8-nRai9p-nSWNhM-nStWnY-nA8njq-nSjUtV-i8j8nr-9bfKQs-9bfKod-9bfJVJ-9bcAi4-9bfJ39-rc2ry5-bByrik-cnMSNq-i8jk14-nebFtv-nebFb6-nvFrhD-dMajYn-d7gLpU-nvpMUQ-pjoDDE-d7gCq9-dXCzrc-dXKmus-dXDDfp-dXDD4D-dXKjLN-dXKngf-dXDCKz-dXDDVP-dXKm33-dXDBBX-dXDDsP-dXKiis-dXKmZq-dXDCcD-dXDBXV-dXDFfT-dXKi3L-dhg27j-nyiAKG-pSip9A-dkdPkb Creative Commons
  22. Waterfall -> Agile -> DevOps -> SW Supply Chains Creative Commons https://www.flickr.com/photos/fordapa/3886403372
  23. Waterfall -> Agile -> DevOps -> SW Supply Chains Creative Commons https://www.flickr.com/photos/eulothg/4270340730
  24. Comparing Toyota and General Motors. JOSH: Bring up: Healthcare.gov – 81 versions of Spring vs 1; 15% innovation lift at insurer; MTTD 6 minutes versus 6 weeks.
  25. Bouncy Castle – CVSS 10 – 2009. Since then, 11,236 organizations downloaded it 214,484 times. httpClient: since then, 29,468 organizations downloaded it 3,749,193 times.
  26. Early and Ongoing Vulnerability Identification: Provide tools throughout the development lifecycle to identify potential issues as early as possible, to build a secure software supply pipeline. Understand and Remediate: Monitor high-risk franchise applications to determine vulnerabilities included in application components. Implement an *Application VTM*-type process to look at internally consumed products like we do in the VTM cycle.
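The pipeline gate described in note 26, and the "old libraries are still affected" point from note 16, can be shown concretely. The following is an added example, not code from the deck or from Sonatype: a small software-composition check that reads a build manifest of component coordinates, matches each pinned version against a list of advisories with affected-version ranges, and fails the build when a finding meets a CVSS threshold. The manifest, the component coordinates and every advisory except Heartbleed (CVE-2014-0160, CVSS 5.0 per the deck, affecting OpenSSL 1.0.1 through 1.0.1f) are constructed sample data with placeholder identifiers; the version-comparison scheme is a simplified one written for this example.

```python
"""Dependency gate: flag manifest components that fall inside the affected
version range of a known advisory. Added example; sample data is constructed."""
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional, Tuple


@dataclass(frozen=True)
class Advisory:
    component: str            # "group:artifact" coordinate
    cve_id: str               # placeholder ids below are NOT real CVEs
    cvss: float
    fixed_in: Optional[str]   # first unaffected version; None = no fix yet
    introduced_in: str = "0"  # first affected version ("0" = every version)


def parse_version(v: str) -> Tuple[Tuple[int, str], ...]:
    """Split '1.0.1g' into ((1,''), (0,''), (1,'g')) so tuple comparison
    orders numerically per segment, then by letter suffix (1.0.1 < 1.0.1g)."""
    parts = []
    for seg in v.split("."):
        m = re.match(r"(\d+)([A-Za-z]*)$", seg)
        if not m:
            raise ValueError(f"unparseable version segment: {seg!r}")
        parts.append((int(m.group(1)), m.group(2)))
    return tuple(parts)


def is_affected(version: str, adv: Advisory) -> bool:
    """True when introduced_in <= version < fixed_in (or no fix exists)."""
    v = parse_version(version)
    if v < parse_version(adv.introduced_in):
        return False
    if adv.fixed_in is None:
        return True
    return v < parse_version(adv.fixed_in)


def parse_manifest(text: str) -> List[Tuple[str, str]]:
    """Parse 'group:artifact:version' lines; blank lines and # comments ignored."""
    deps = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        group, artifact, version = line.split(":")
        deps.append((f"{group}:{artifact}", version))
    return deps


def gate(manifest: str, advisories: Iterable[Advisory], cvss_threshold: float = 7.0):
    """Return (failed, findings). Every matching advisory is reported so the
    team can remediate; the build fails only if a finding reaches the threshold."""
    findings = []
    for component, version in parse_manifest(manifest):
        for adv in advisories:
            if adv.component == component and is_affected(version, adv):
                findings.append((component, version, adv.cve_id, adv.cvss))
    failed = any(cvss >= cvss_threshold for *_, cvss in findings)
    return failed, findings


# Constructed build manifest (coordinates are illustrative, not real artifacts).
SAMPLE_MANIFEST = """
# pinned components for the release build
crypto:openssl:1.0.1f
crypto:openssl:0.9.8y
org.example:legacy-lib:2.3.0
org.example:safe-lib:4.1.2
"""

SAMPLE_ADVISORIES = [
    # Heartbleed: affected 1.0.1 through 1.0.1f, fixed in 1.0.1g; CVSS 5.0 as in the deck.
    Advisory("crypto:openssl", "CVE-2014-0160", 5.0, fixed_in="1.0.1g", introduced_in="1.0.1"),
    # Constructed: an advisory affecting every version, so the old 0.9.8 line is caught too.
    Advisory("crypto:openssl", "CVE-PLACEHOLDER-0001", 6.8, fixed_in="1.0.1h"),
    # Constructed: critical issue with no fixed release yet.
    Advisory("org.example:legacy-lib", "CVE-PLACEHOLDER-0002", 9.8, fixed_in=None),
]


if __name__ == "__main__":
    failed, findings = gate(SAMPLE_MANIFEST, SAMPLE_ADVISORIES)
    for component, version, cve, cvss in findings:
        print(f"{component}@{version}: {cve} (CVSS {cvss})")
    print("BUILD FAILED" if failed else "build passed")
```

Run as a pre-merge or pre-release step, this is the "early and ongoing" identification of note 26: the same check can be re-run against the manifests of already-shipped applications whenever the advisory list changes, which is the "understand and remediate" monitoring half. The all-versions advisory is what makes the 0.9.8 pin surface; a range check keyed only on recent branches would have missed it, which is exactly the blind spot note 16 describes.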