With ever more security breaches occurring every week, it is vital that security and DevOps work together to integrate and streamline delivery, balancing speed and security without compromise. Implement your DevOps strategy without giving up software security and quality.
3. Date of birth: 2005
Where we are:
Via Po, 1 – Torino
Piazzale Luigi Sturzo, 15 - Roma
“Our commitment is the constant search for the best solution for the client, guaranteeing excellence in the quality of the services and products we offer. Our promise is to carry out our work with perseverance and passion.”
Emerasoft Srl
6. Agenda
Webinar: “Software: the winning strategy lies in quality”
APRIL
• The software supply chain
• DevOps and security: the current landscape
• Sonatype Nexus for quality software
• Q&A
Today's webinar
Ugo Ciracì
DevOps Specialist @Emerasoft
NOVEMBER 8
Steve Millard
International Partner Business Manager @Sonatype
8. Say Hello to Your Software Supply Chain…
State of the Software Supply Chain
9. 1,096 new projects per day
10,000 new versions per day
14x releases per year
• 3M npm components
• 2M Java components
• 900K NuGet components
• 870K PyPI components
13. 80% to 90% of modern operations consist of assembled containers.
[Chart labels: Containers; Hand-built applications and infrastructure]
14. NOT ALL PARTS ARE CREATED EQUAL
16. APACHE STRUTS2 MEAN TIME TO REPAIR
CVE ID: CVE-2017-5638
March 7 to March 7: Apache fixed the vulnerability (zero days mean time to repair)
21. 5 Month Opportunity to Take Corrective Action
[Timeline, Mar to Sept; phases: Probing, Hack, Crisis Management; marker: Large Scale Exploit]
March 7: Apache Struts releases updated version to thwart vulnerability CVE-2017-5638
March 10: Equifax applications breached through Struts2 vulnerability
July 29: Breach is discovered by Equifax.
Sept 7: A new RCE vulnerability is announced and fixed (CVE-2017-9805)
The case: Equifax
22. TIME TO RESPOND BEFORE EXPLOIT
Source: Adapted from IBM X-Force / Analysis by Gartner Research (September 2016)
[Chart: Average Days to Exploit (0 to 50) by Year of Date Reported, 2006 to 2015; values marked on the chart: Average, 45, 15; label: 2017]
23. 9 years later, vulnerable versions of Bouncy Castle were downloaded…
BOUNCY CASTLE, 2007 to 2016
CVE-2007-6721; CVSS Base Score: 10.0 HIGH; Exploitability Subscore: 10.0
23M total downloads, 11M of them vulnerable
Bouncy Castle
24. COMMONS COLLECTION (CWE-502)
23,476,966 total downloads in 2016
18,330,958 (78%) of those downloads were vulnerable
Software Supply Chain
28. THE REWARDS ARE IMPRESSIVE
90% improvement in time to deploy
34,000 hours saved in 90 days
48% increase in application quality
29. “Businesses decide where and how to invest in cybersecurity based on a cost-benefit assessment but they are ultimately liable for the security of their data and systems.”
U.K.’s National Cyber Security Strategy 2016 - 2021
30. Five Takeaways
1. You are using more open source than you think
2. There are good parts and bad components
3. You are responsible for your component choices
4. The new normal for getting business requirements into production is 3 days
5. It’s time to have the conversation internally
31. Content available on:
Emerasoft SlideShare channel
Emerasoft YouTube channel
Visit our website emerasoft.com
Contact us: sales@emerasoft.com
Say hello to YOUR software supply chain, not “the software supply chain”; personalizing it more for the audience.
For those of you that are unfamiliar with a software supply chain, it's really analogous to the traditional supply chains used in manufacturing today. Those supply chains have suppliers that are building components. In the case of software development, that is the open-source [projects 00:07:53] that are building components, and making them freely available to developers around the world.
[00:08:00] They're able to store and distribute those components in the large central warehouses, like the Central Repository that Sonatype is responsible for managing, but also repositories like rubygems.org, [pypi.org 00:08:16], the NuGet Gallery, etc. This is where the components are stored and available to the manufacturers, that are really the software development teams, that are consuming these components and downloading these components over the years. Those components are then used to create the finished goods, or the software applications, that organizations are then delivering to their customers. We'll continue to use this supply chain analogy for the software supply chain, then compare and contrast what's happening in traditional manufacturing to what's happening in software today.
There's a really interesting site out there called modulecounts.com. It has a simple value: it keeps track of the number of different components, or packages, that are available across the different development languages, from PyPI, to NuGet, to Bower, to Maven components, etc. And it shows the increase in the number of these components that are available to the developer ecosystem, or the developer population, over time. We used some data from that site to see that over a thousand new open-source projects were created each day. People delivering a new kind of software, a new kind of component.
Then, from the general population of all open-source projects worldwide, we were able to estimate that ten thousand new versions of components are introduced every day. There's this huge supply of components entering the ecosystem, and available to our software supply chains. When we look at the Central Repository that Sonatype manages, of Maven-style or Java open-source components, we looked across 380 thousand open-source projects, and found that on average those projects were releasing fourteen new versions of their components every year. That's great from a supply chain aspect, that the suppliers are very active, actively releasing new software, actively releasing new innovations, and actively improving the software that they're making available to developers worldwide.
Unfortunately, not all parts are equal...
Some are healthy, some are not…
…and all go bad over time (like milk, not like wine).
[00:14:00] One of the things that we measured year over year, and we do do some year over year comparisons throughout the report, is that 6.2% of the downloads from the central repository last year out of the billions of downloads, had a known security vulnerability in them. This past year we saw 6.1% of the downloads had a known vulnerability. That's about one in sixteen of every component download has a known vulnerability in it.
In 2016 there were 197 GAVs related to bouncycastle downloaded a total of 23,412,020 times. 61 of those GAVs were insecure, and those were downloaded 11,181,493 times.
For commons-collection, there were 25 GAVs downloaded a total of 23,476,966 times. 7 of those GAVs were insecure, and those were downloaded 18,330,958 times.
[00:18:00] Part of those practices are how much hygiene are we building into our software supply chain? This year's report allowed us to get visibility from the downloads from the central warehouses, being 6% were known vulnerable, to components that were downloaded to repository managers. Imagine a local warehouse, if you will, for component parts used by developers. 5.6% of those downloads were known vulnerable. Then the finished goods, across the 25,000 applications that we analyze, 6.8% of those components were known vulnerable. That means that the components that were downloaded ended up in the finished goods, or in the applications that are being shipped and shared with customers. Meaning, there's not enough vetting taking place from where we're sourcing components and bringing them into our organizations to what's ending up in the final products.
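The vetting gap described above, between what is pulled from the central warehouse and what ends up in the finished application, is what a policy gate at the repository-manager ("local warehouse") stage is meant to close. As an added example (not Sonatype's or Emerasoft's code), the Python below parses Maven GAV coordinates, matches them against advisory version ranges with a numeric-aware version comparator, and reports the share of downloads that were known-vulnerable, the per-component figure the report quotes. The CVE id is the one on the slides; the affected version ranges are recalled from the Apache S2-045 advisory and must be verified against it; the download log is constructed sample data.

```python
from dataclasses import dataclass

def parse_version(v: str) -> tuple:
    """Split '2.3.31' into comparable parts: numeric parts compare as ints,
    so 2.3.32 > 2.3.5 (a plain string compare gets this wrong)."""
    return tuple((0, int(p)) if p.isdigit() else (1, p) for p in v.split("."))

@dataclass(frozen=True)
class VulnRange:
    group: str
    artifact: str
    lo: str   # first affected version, inclusive
    hi: str   # last affected version, inclusive
    cve: str

# Advisory feed. The CVE id is the one on the slides; the affected ranges are
# recalled from the Apache S2-045 advisory (fixed in 2.3.32 / 2.5.10.1) and
# must be checked against the advisory before use.
FEED = [
    VulnRange("org.apache.struts", "struts2-core", "2.3.5", "2.3.31", "CVE-2017-5638"),
    VulnRange("org.apache.struts", "struts2-core", "2.5", "2.5.10", "CVE-2017-5638"),
]

def matching_cves(gav: str) -> list:
    """CVEs whose affected range contains this groupId:artifactId:version."""
    group, artifact, version = gav.split(":")
    pv = parse_version(version)
    return sorted({r.cve for r in FEED
                   if (r.group, r.artifact) == (group, artifact)
                   and parse_version(r.lo) <= pv <= parse_version(r.hi)})

def gate(download_log: list) -> dict:
    """Take (gav, download_count) pairs; block known-bad GAVs, compute vulnerable share."""
    total = vulnerable = 0
    blocked = {}
    for gav, count in download_log:
        total += count
        cves = matching_cves(gav)
        if cves:
            vulnerable += count
            blocked[gav] = cves
    return {"blocked": blocked,
            "vulnerable_share": vulnerable / total if total else 0.0}

# Constructed download log (not the report's data): 7 of 16 downloads are bad.
SAMPLE_LOG = [
    ("org.apache.struts:struts2-core:2.3.31", 7),
    ("org.apache.struts:struts2-core:2.3.32", 5),
    ("org.apache.struts:struts2-core:2.5.10.1", 4),
]
```

Feeding the real per-GAV download counts quoted in the notes into `gate` reproduces the "78% downloads were vulnerable" style figure, provided the feed carries the corresponding advisory ranges.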
If you are passing defects downstream, you are ultimately liable.
Which side of history will you be on?