Security at the Speed of Development: Featuring Wendy Nather, 451 Research Analyst
We have a problem. Application development has become agile, component-based, and open-source-dependent. We're delivering more software faster than ever before. But security approaches haven't kept up.

Wendy Nather, Research Director, Security, at 451 Research and Sonatype CSO Ryan Berg discuss the challenges that are driving new approaches to application security. http://www.sonatype.com/clm/overview

Published in: Technology, Business
Transcript of "Security at the Speed of Development: Featuring Wendy Nather, 451 Research Analyst"

  1. Securing At The Speed Of Development. Wendy Nather, Research Director, Enterprise Security Practice, 451 Research
  2. Four key trends in development that affect security: Agile methodology – faster development. DevOps – more and faster changes, not always involving other teams. Component-based – complex supply chain. Use of open source software – rapid evolution, no infrastructure for updates, no vendor “throat to choke”.
  3. Who doesn’t love application security? Quite a few people, it turns out:
  4. And yet, that’s where breaches are happening. 69% of breaches in EMEA were through SQL injection (Source: Verizon Business DBIR 2013). 82% of tested applications were vulnerable to cross-site scripting (Source: Trustwave GSR 2013). 86% of observed web application attacks came from the United States (Source: Solutionary GTIR 2013).
  5. Why aren’t more organizations tackling application security? 1. It’s not all theirs
  6. The Punnett Square of Doom
  7. The hidden size of the supply chain
  8. The hidden size of the supply chain. *WARNING: SOFTWARE MAY BE CRUFTIER THAN IT APPEARS
  9. Why aren’t more organizations tackling application security? 2. Critical apps will generally have the most inertia: most likely to have the oldest core code; most likely to have interdependencies; most likely to be patched and jury-rigged; least likely to tolerate changes.
  10. Application inertia zones
  11. Application inertia zones
  12. Application inertia zones
  13. Application inertia zones
  14. Application inertia zones. Greatest inertia
  15. Why aren’t more organizations tackling application security? 3. Time to remediate. Lack of authorization check – average of 9.6 minutes to fix; reflected cross-site scripting – average of 16.2 minutes; SQL injection – average of 97.5 minutes to fix (Source: Daniel Cornell, Denim Group). Need easier ways to make fixes.
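Slide 15 lists the three defect classes with their measured fix times but not what the fix looks like. The block below is an added example (not from the talk, and not Denim Group’s data or code) showing the hardened form of each: an explicit ownership check before a destructive operation, contextual HTML encoding of reflected input, and a parameterized query. The in-memory SQLite table, the user names and the `Forbidden` exception are constructed for the demonstration.

```python
import html
import sqlite3


def make_db():
    """Constructed sample data: an in-memory table of records with an owner column."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE records (id INTEGER PRIMARY KEY, owner TEXT, body TEXT)")
    conn.executemany(
        "INSERT INTO records (owner, body) VALUES (?, ?)",
        [("alice", "alice-1"), ("alice", "alice-2"), ("bob", "bob-1")],
    )
    conn.commit()
    return conn


class Forbidden(Exception):
    """Raised when the caller is authenticated but not authorized for the record."""


# 1. Lack of authorization check: the fix is an explicit ownership test on the
#    object being acted on, performed server-side before the operation runs.
def delete_record(conn, current_user, record_id):
    row = conn.execute("SELECT owner FROM records WHERE id = ?", (record_id,)).fetchone()
    if row is None:
        return False                      # nothing to delete
    if row[0] != current_user:            # the check that was missing
        raise Forbidden(f"{current_user} may not delete record {record_id}")
    conn.execute("DELETE FROM records WHERE id = ?", (record_id,))
    conn.commit()
    return True


# 2. Reflected cross-site scripting: user-controlled text is HTML-encoded at the
#    point where it is placed into markup, instead of being concatenated raw.
def greeting_html(name):
    return "<p>Hello, " + html.escape(name, quote=True) + "</p>"


# 3. SQL injection: the query is parameterized, so the input is bound as data and
#    never becomes part of the SQL text (the unsafe form built the WHERE clause
#    with string formatting).
def records_for_owner(conn, owner):
    rows = conn.execute("SELECT id, body FROM records WHERE owner = ?", (owner,))
    return [body for _id, body in rows]


if __name__ == "__main__":
    db = make_db()
    print(records_for_owner(db, "alice"))       # ['alice-1', 'alice-2']
    print(records_for_owner(db, "o'brien"))     # [] – the quote is just data
    print(greeting_html("<b>x</b>"))            # <p>Hello, &lt;b&gt;x&lt;/b&gt;</p>
    print(delete_record(db, "alice", 1))        # True
```

Each fix is a handful of lines, which is the point of the slide: the cost is not in the patch itself but in the change management, build, test and deployment steps that follow it.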
  16. Why aren’t more organizations tackling application security? 4. Fixing is only part of the battle: change management; builds; testing; deployment.
  17. How do we solve this? If only we all had a common code base …
  18. Reliance on open source
  19. Where can you get the most leverage? Shared libraries. Vetted reference code.
  20. Also more leverage … Everyone move to SaaS: granular, well understood, non-core business functions (email, HR, payroll). Age out the legacy systems rather than continue to drag them kicking and screaming into security. Configuration instead of code.
  21. Make security inextricable. Build security into functional requirements, not non-functional ones. Add security stories to sprints. Make security fixes as easy as possible. Have just-in-time guidance and references along with high-level education. Keep up.
  22. Make security inextricable. Build security into functional requirements, not non-functional ones. Add security stories to sprints. Make security fixes as easy as possible. Have just-in-time guidance and references along with high-level education. Keep up.
  23. The Component Lifecycle Management Company. Changing the Equation. Go Fast. Be Secure. Tweet your thoughts: #clm
  24. The Component Lifecycle Management Company. A Sea Change in Software Development: Written vs. Assembled (chart; the figures are not legible in the transcript, only the labels “… open source components” and “… of developers say that their applications are at least …”). Source: 2012 / 2013 Sonatype analysis of more than 1,000 enterprise applications. #clm
  25. The Component Lifecycle Management Company. A Highly Complex Ecosystem: Complexity, Diversity, Volume, Change. One component may rely on 00s of others. 40,000 projects, 200MM classes, 400K components. Typical enterprise consumes 000s of components monthly. Typical component is updated 4X per year. #clm
  26. The Component Lifecycle Management Company. A Massive Supply Chain Problem. No Visibility: no visibility to what components are used, where they are used and where there is risk. No Control: no way to govern/enforce component usage; policies are not integrated with development. No Fix: no efficient way to fix existing flaws. #clm
  27. The Component Lifecycle Management Company. The Practical Reality #clm
  28. Go Fast, Be Secure
  29. The Component Lifecycle Management Company. A New Way to Balance Speed, Quality and Risk: Fix Flaws early in the development process; Integrate flexible governance throughout the software lifecycle; Monitor over time to ensure continuous trust. Provides developers with methods to improve quality, speed and agility … while also being more secure. #clm
  30. The Component Lifecycle Management Company. Security Policies Provide Foundation for Governance. Lifecycle appropriate actions enforced automatically support a defense-in-depth strategy. Centralized policy administration simplifies enterprise management. “Just by using CLM we are enforcing policy.” (CISO) #clm
  31. The Component Lifecycle Management Company. Governance Enforced Throughout Development Lifecycle. Component intelligence & remediation integrated into the dev tools speeds development. “We didn’t have to learn new tools, information we need to take action is in the tools we use.” (CIO) Agile-friendly policy guidance eliminates need for developers to bypass policy. #clm
  32. The Component Lifecycle Management Company. Developers Can Resolve Issues in Real Time. Side by side view allows developers to easily compare & assess replacement impact. Developers can migrate to new components automatically. “I can quickly replace flawed components in my application without leaving the IDE.” (Lead Developer) #clm
  33. The Component Lifecycle Management Company. Continuously Monitor for Emerging Threats. Ongoing monitoring of production applications assures continuous trust. Newly discovered vulnerabilities are proactively communicated, driving quick action. “We have so many applications, it’s nearly impossible to know which new threats affect us.” (CISO) #clm
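Slides 26 and 30 to 33 describe the three gaps (no visibility, no control, no fix) and the remedies (a policy enforced at build time, a suggested replacement, and monitoring that answers which applications a newly published advisory affects). The block below is an added example of that logic in miniature; it is not Sonatype CLM code and makes no claim about how CLM works. The component names, advisory ids (`ADV-0001` and so on), version ranges, severity scores and the per-application bills of materials are all constructed placeholders, and the version comparison is a simple dotted-integer compare rather than a full semver implementation.

```python
from dataclasses import dataclass
from typing import Dict, List, Tuple


def parse_version(v: str) -> Tuple[int, ...]:
    """Turn '1.2.10' into (1, 2, 10) so versions compare numerically, not as strings."""
    return tuple(int(part) for part in v.split("."))


@dataclass
class Advisory:
    component: str      # hypothetical component name
    introduced: str     # first affected version (inclusive)
    fixed: str          # first version that is no longer affected
    severity: int       # 0-10 score, constructed
    advisory_id: str    # placeholder id, not a real CVE


def is_affected(version: str, adv: Advisory) -> bool:
    v = parse_version(version)
    return parse_version(adv.introduced) <= v < parse_version(adv.fixed)


@dataclass
class Policy:
    block_at_or_above: int   # findings at this severity fail the build
    warn_at_or_above: int    # lower ones are reported but do not fail it


def evaluate_application(bom: Dict[str, str], advisories: List[Advisory], policy: Policy):
    """Visibility and control: match every component in the application's bill of
    materials against open advisories, apply the policy, and attach the fix
    (the first unaffected version) so the developer sees what to upgrade to."""
    findings = []
    for name, version in bom.items():
        for adv in advisories:
            if adv.component == name and is_affected(version, adv):
                if adv.severity >= policy.block_at_or_above:
                    action = "block"
                elif adv.severity >= policy.warn_at_or_above:
                    action = "warn"
                else:
                    action = "info"
                findings.append({"component": name, "version": version,
                                 "advisory": adv.advisory_id, "action": action,
                                 "upgrade_to": adv.fixed})
    passed = not any(f["action"] == "block" for f in findings)
    return passed, findings


def applications_hit_by(new_advisory: Advisory, inventory: Dict[str, Dict[str, str]]) -> List[str]:
    """Continuous monitoring: when an advisory is published after deployment, answer
    'which of our applications use an affected version?' from the stored BOMs."""
    return sorted(app for app, bom in inventory.items()
                  if new_advisory.component in bom
                  and is_affected(bom[new_advisory.component], new_advisory))


# Constructed sample inventory: application name -> {component: version}.
INVENTORY = {
    "billing":   {"commons-foo": "2.3.1", "fastjson-bar": "1.0.4"},
    "portal":    {"commons-foo": "2.6.0", "fastjson-bar": "1.0.9"},
    "reporting": {"fastjson-bar": "1.0.4", "xmlthing": "0.9.0"},
}
# Constructed advisory feed.
ADVISORIES = [
    Advisory("commons-foo", "2.0.0", "2.5.0", 9, "ADV-0001"),
    Advisory("fastjson-bar", "1.0.0", "1.0.8", 4, "ADV-0002"),
]
POLICY = Policy(block_at_or_above=7, warn_at_or_above=4)


if __name__ == "__main__":
    for app, bom in INVENTORY.items():
        ok, findings = evaluate_application(bom, ADVISORIES, POLICY)
        print(app, "PASS" if ok else "BLOCKED", findings)
    # A new advisory arrives after the builds above ran.
    late = Advisory("xmlthing", "0.0.0", "1.0.0", 8, "ADV-0003")
    print("affected by ADV-0003:", applications_hit_by(late, INVENTORY))
```

With this data `billing` is blocked by the severity-9 finding and told to move to 2.5.0, `portal` passes clean, `reporting` passes with a warning, and the late advisory is traced to `reporting` alone without rescanning anything. The stored bill of materials is what makes the last step cheap; without it the question on slide 33 can only be answered by rebuilding every application.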
  34. The Component Lifecycle Management Company. Integration with Existing Security Investments. “Integrating disparate data while automating policy is transformative for our processes.” (CISO) #clm
  35. The Component Lifecycle Management Company. Go Fast. Be Secure. Build security in from the start. Enforce policy in the tools you already use. Reduce risk by automating governance throughout the lifecycle. Reduce cost by fixing early in the process. React to new threats by knowing what they are and where to fix them. Go fast by using tools your developers already know. Supply Chain Mgt. for Modern Software Development #clm
  36. The Component Lifecycle Management Company. http://www.sonatype.com/clm/product-tour http://www.sonatype.com/resources Go Fast. Be Secure. Tweet your thoughts: #clm