Security at the Speed of Development: Featuring Wendy Nather, 451 Research Analyst
 


We have a problem. Application development has become agile, component-based, and open-source-dependent. We're delivering more software faster than ever before. But security approaches haven't kept up.

Wendy Nather, Research Director, Security, at 451 Research and Sonatype CSO Ryan Berg discuss the challenges that are driving new approaches to application security. http://www.sonatype.com/clm/overview

© All Rights Reserved
Presentation Transcript

    • Securing At The Speed Of Development. Wendy Nather, Research Director, Enterprise Security Practice, 451 Research
    • Four key trends in development that affect security: Agile methodology (faster development); DevOps (more and faster changes, not always involving other teams); Component-based development (complex supply chain); Use of open source software (rapid evolution, no infrastructure for updates, no vendor "throat to choke").
    • Who doesn't love application security? Quite a few people, it turns out:
    • And yet, that's where breaches are happening: 69% of breaches in EMEA were through SQL injection (Source: Verizon Business DBIR 2013); 82% of tested applications were vulnerable to cross-site scripting (Source: Trustwave GSR 2013); 86% of observed web application attacks came from the United States (Source: Solutionary GTIR 2013).
    • Why aren't more organizations tackling application security? 1. It's not all theirs.
    • The Punnett Square of Doom (chart).
    • The hidden size of the supply chain (chart). *WARNING: SOFTWARE MAY BE CRUFTIER THAN IT APPEARS.
    • Why aren't more organizations tackling application security? 2. Critical apps will generally have the most inertia: most likely to have the oldest core code; most likely to have interdependencies; most likely to be patched and jury-rigged; least likely to tolerate changes.
    • Application inertia zones (chart built up over several slides; the final zone is labelled "Greatest inertia").
    • Why aren't more organizations tackling application security? 3. Time to remediate: lack of authorization check, average of 9.6 minutes to fix; reflected cross-site scripting, average of 16.2 minutes; SQL injection, average of 97.5 minutes to fix (Source: Daniel Cornell, Denim Group). Need easier ways to make fixes.
    • Why aren't more organizations tackling application security? 4. Fixing is only part of the battle: change management; builds; testing; deployment.
    • How do we solve this? If only we all had a common code base …
    • Reliance on open source (chart).
    • Where can you get the most leverage? Shared libraries; vetted reference code.
    • Also more leverage … Everyone move to SaaS: granular, well understood, non-core business functions (email, HR, payroll); age out the legacy systems rather than continue to drag them kicking and screaming into security; configuration instead of code.
    • Make security inextricable: build security into functional requirements, not non-functional ones; add security stories to sprints; make security fixes as easy as possible; have just-in-time guidance and references along with high-level education. Keep up.
    • The Component Lifecycle Management Company. Changing the Equation: Go Fast. Be Secure. Tweet your thoughts: #clm
    • A Sea Change in Software Development: Written vs. Assembled (chart). Source: 2012 / 2013 Sonatype analysis of more than 1,000 enterprise applications. (Chart values for "open source components" and "of developers say that their applications are at least …" are not part of the transcript.)
    • A Highly Complex Ecosystem. Complexity: one component may rely on 00s of others. Diversity: 40,000 projects, 200MM classes, 400K components. Volume: the typical enterprise consumes 000s of components monthly. Change: the typical component is updated 4X per year.
    • A Massive Supply Chain Problem. No Visibility: no visibility into what components are used, where they are used and where there is risk. No Control: no way to govern or enforce component usage; policies are not integrated with development. No Fix: no efficient way to fix existing flaws.
    • The Practical Reality (chart).
    • Go Fast, Be Secure
    • A New Way to Balance Speed, Quality and Risk: Fix flaws early in the development process; Integrate flexible governance throughout the software lifecycle; Monitor over time to ensure continuous trust. Provides developers with methods to improve quality, speed and agility, while also being more secure.
    • Security Policies Provide Foundation for Governance: Lifecycle-appropriate actions, enforced automatically, support a defense-in-depth strategy; Centralized policy administration simplifies enterprise management. "Just by using CLM we are enforcing policy." (CISO)
    • Governance Enforced Throughout Development Lifecycle: Component intelligence and remediation integrated into the dev tools speeds development; Agile-friendly policy guidance eliminates the need for developers to bypass policy. "We didn't have to learn new tools; the information we need to take action is in the tools we use." (CIO)
    • Developers Can Resolve Issues in Real Time: Side-by-side view allows developers to easily compare and assess replacement impact; Developers can migrate to new components automatically. "I can quickly replace flawed components in my application without leaving the IDE." (Lead Developer)
    • Continuously Monitor for Emerging Threats: Ongoing monitoring of production applications assures continuous trust; Newly discovered vulnerabilities are proactively communicated, driving quick action. "We have so many applications, it's nearly impossible to know which new threats affect us." (CISO)
    • Integration with Existing Security Investments. "Integrating disparate data while automating policy is transformative for our processes." (CISO)
    • Go Fast. Be Secure. Supply Chain Mgt. for Modern Software Development: Build security in from the start; Enforce policy in the tools you already use; Reduce risk by automating governance throughout the lifecycle; Reduce cost by fixing early in the process; React to new threats by knowing what they are and where to fix them; Go fast by using tools your developers already know.
    • http://www.sonatype.com/clm/product-tour http://www.sonatype.com/resources Go Fast. Be Secure. Tweet your thoughts: #clm
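The "Time to remediate" slide gives average fix times for three flaw classes (missing authorization check, reflected cross-site scripting, SQL injection) but not the fixes themselves. The following is an added example, not code from the presentation or from Sonatype: for each class it puts the vulnerable version beside the fixed one and runs both against the same payload. The `orders` table, the `Request` stand-in, the payloads and all names are constructed for this illustration.

```python
"""Vulnerable-versus-fixed pairs for the three remediation classes on the
'Time to remediate' slide: SQL injection, reflected cross-site scripting and
a missing authorization check. Added example, not code from the presentation;
the orders table, the Request stand-in and the payloads are constructed here."""
import html
import sqlite3
from dataclasses import dataclass, field


@dataclass
class Request:
    """Minimal stand-in for an authenticated web request (assumption)."""
    user_id: int
    role: str
    params: dict = field(default_factory=dict)


def make_db() -> sqlite3.Connection:
    """In-memory SQLite table with constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE orders (id INTEGER, owner INTEGER, item TEXT)")
    conn.executemany("INSERT INTO orders VALUES (?, ?, ?)",
                     [(1, 100, "widget"), (2, 200, "gadget"), (3, 200, "gizmo")])
    return conn


# 1. SQL injection: string-built query versus bound parameter.
def orders_by_item_vulnerable(conn, item):
    # Attacker-controlled text is spliced into the statement and parsed as SQL.
    sql = "SELECT id FROM orders WHERE item = '" + item + "'"
    return [row[0] for row in conn.execute(sql)]


def orders_by_item_fixed(conn, item):
    # The driver binds the value; it can never change the statement's structure.
    rows = conn.execute("SELECT id FROM orders WHERE item = ?", (item,))
    return [row[0] for row in rows]


# 2. Reflected XSS: raw echo versus contextual output encoding.
def search_page_vulnerable(query):
    return "<p>Results for " + query + "</p>"


def search_page_fixed(query):
    # html.escape handles <, >, & and (with quote=True) both quote characters,
    # the right encoding for HTML element content and quoted attribute values.
    return "<p>Results for " + html.escape(query, quote=True) + "</p>"


# 3. Missing authorization check: the caller is authenticated but never
#    checked against the record it asks for (insecure direct object reference).
def get_order_vulnerable(conn, req, order_id):
    return conn.execute("SELECT id, owner, item FROM orders WHERE id = ?",
                        (order_id,)).fetchone()


def get_order_fixed(conn, req, order_id):
    row = conn.execute("SELECT id, owner, item FROM orders WHERE id = ?",
                       (order_id,)).fetchone()
    if row is None:
        return None
    # Deny by default: only the record owner or an admin may read it.
    if row[1] != req.user_id and req.role != "admin":
        raise PermissionError("user %d may not read order %d" % (req.user_id, order_id))
    return row


def demo():
    """Run each pair against the same payload and collect the outcomes."""
    conn = make_db()
    sqli_payload = "x' OR '1'='1"          # closes the literal, adds a true clause
    xss_payload = "<script>alert(1)</script>"
    other_users_order = 2                   # owned by user 200, requested by user 100
    req = Request(user_id=100, role="user")
    results = {
        "sqli_vulnerable": orders_by_item_vulnerable(conn, sqli_payload),
        "sqli_fixed": orders_by_item_fixed(conn, sqli_payload),
        "xss_vulnerable": search_page_vulnerable(xss_payload),
        "xss_fixed": search_page_fixed(xss_payload),
        "idor_vulnerable": get_order_vulnerable(conn, req, other_users_order),
    }
    try:
        get_order_fixed(conn, req, other_users_order)
        results["idor_fixed"] = "allowed"
    except PermissionError:
        results["idor_fixed"] = "denied"
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, "->", value)
```

The vulnerable query returns every order for the injected payload while the bound-parameter query returns none; the escaped page no longer contains a live `<script>` tag; and the fixed handler refuses user 100's read of user 200's order while still serving the owner and an admin. The authorization fix is the shortest of the three, which matches the slide's ordering of fix times.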
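The "hidden size of the supply chain", "A Massive Supply Chain Problem" (no visibility, no control, no fix) and "Continuously Monitor for Emerging Threats" slides describe one workflow: enumerate what an application actually ships, evaluate it against a policy, and re-evaluate it when new vulnerability data arrives. The following is an added example, not Sonatype's code and not a description of how CLM works internally: a small dependency resolver over a constructed metadata table, a policy check, and a feed diff that reports only newly affected components. Every coordinate, advisory identifier, score and policy value is constructed for this illustration.

```python
"""A toy component-lifecycle check for the supply-chain problem on the
'Hidden size of the supply chain' and 'Massive Supply Chain Problem' slides,
plus the re-evaluation step of 'Continuously Monitor for Emerging Threats'.
Added example, not Sonatype's code; every coordinate, advisory and policy
value below is constructed for illustration."""
from collections import deque

ROOT = "com.example:webapp:1.0"

# Constructed stand-in for repository metadata: component -> declared dependencies,
# using Maven-style group:artifact:version coordinates (hypothetical names).
METADATA = {
    "com.example:webapp:1.0":        ["org.example:web-framework:2.3", "org.example:json:1.1"],
    "org.example:web-framework:2.3": ["org.example:http-core:4.0", "org.example:logging-api:1.7"],
    "org.example:http-core:4.0":     ["org.example:codec:1.9"],
    "org.example:json:1.1":          ["org.example:codec:1.9"],
    "org.example:logging-api:1.7":   ["org.example:logging-impl:1.7"],
    "org.example:logging-impl:1.7":  [],
    "org.example:codec:1.9":         [],
}

# Constructed advisory feed: component -> [(advisory id, CVSS-style score)].
FEED_TODAY = {"org.example:codec:1.9": [("ADV-0001", 5.3)]}

# Policy: fail when any component in the closure carries a score at or above the bar.
POLICY = {"max_score": 7.0}


def resolve(root, metadata=METADATA):
    """Breadth-first transitive closure. Records a shortest path that pulls each
    component in, which is what tells a developer where the fix goes."""
    paths = {root: [root]}
    queue = deque([root])
    while queue:
        node = queue.popleft()
        for dep in metadata.get(node, []):
            if dep not in paths:            # first (shortest) path wins; cycles are harmless
                paths[dep] = paths[node] + [dep]
                queue.append(dep)
    return paths


def evaluate(root, feed, policy=POLICY):
    """Visibility and control: list (component, advisory, score, path) violations."""
    violations = []
    for component, path in resolve(root).items():
        for advisory, score in feed.get(component, []):
            if score >= policy["max_score"]:
                violations.append((component, advisory, score, path))
    return sorted(violations)


def newly_affected(root, old_feed, new_feed, policy=POLICY):
    """Monitoring: the same application re-checked after the feed changes,
    returning only violations that were not already known."""
    known = {(v[0], v[1]) for v in evaluate(root, old_feed, policy)}
    return [v for v in evaluate(root, new_feed, policy) if (v[0], v[1]) not in known]


def demo():
    closure = resolve(ROOT)
    # A later feed adds a high-severity advisory for a component the application
    # never declared directly (constructed).
    feed_later = dict(FEED_TODAY)
    feed_later["org.example:http-core:4.0"] = [("ADV-0002", 9.8)]
    return {
        "declared_directly": len(METADATA[ROOT]),
        "actually_shipped": len(closure) - 1,
        "violations_today": evaluate(ROOT, FEED_TODAY),
        "newly_affected": newly_affected(ROOT, FEED_TODAY, feed_later),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, "->", value)
```

The application declares two dependencies but ships six, which is the "cruftier than it appears" point; today's feed produces no policy violation because the only known advisory scores below the bar; the later feed flags `http-core`, and the recorded path shows that the fix is an upgrade of `web-framework`, the direct dependency that pulled it in, not a change to code the team wrote.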