@joshcorman
Continuous Acceleration
with a Software Supply Chain Approach
Josh Corman
@joshcorman
Conclusions / Apply!
- Idea: A full embrace of Deming is a SW Supply Chain:
  - Fewer/Better Suppliers
  - Highest Quality Supply
  - Traceability/Visibility throughout Manufacturing / Prompt & Agile Recall
- Benefits: Such rigor enables:
  - Even FASTER: Fewer instances of Unplanned/Unscheduled Work (ALSO CONTEXT SWITCHES)
  - More EFFICIENT: Faster MTTD/MTTR
  - Better QUALITY/RISK: Avoid elective/avoidable complexity/risk
- Urgency: It’s OpenSeason on OpenSource
  - And our dependence on connected tech is increasingly a public safety issue
- Coming Actions: “Known Vulnerabilities” Convergence
  - Lawmakers, Insurers, Lawyers, etc. are converging
Who am I?
Joshua Corman, CTO, Sonatype
True #DevOps + Security isn’t all rainbows & unicorns. Unicorn p00p has to be
worked thru @joshcorman @mortman #RSAC
h/t @petecheslock DevOpsDays Austin 2015
#RSAC session: Rugged DevOps: Going Even Faster With Software Supply Chains
Joshua Corman, CTO, Sonatype (@joshcorman)
Gene Kim, Researcher and Author, IT Revolution Press (@RealGeneKim)
~ Marc Andreessen, 2011
Trade Offs: Costs & Benefits
Beyond Heartbleed: OpenSSL in 2014 (31 in NIST’s NVD thru December)

CVE            Published   CVSS v2 severity   Note
CVE-2014-3470  6/5/2014    4.3 MEDIUM         Siemens *
CVE-2014-0224  6/5/2014    6.8 MEDIUM         Siemens *
CVE-2014-0221  6/5/2014    4.3 MEDIUM
CVE-2014-0195  6/5/2014    6.8 MEDIUM
CVE-2014-0198  5/6/2014    4.3 MEDIUM         Siemens *
CVE-2013-7373  4/29/2014   7.5 HIGH
CVE-2014-2734  4/24/2014   5.8 MEDIUM         ** DISPUTED **
CVE-2014-0139  4/15/2014   5.8 MEDIUM
CVE-2010-5298  4/14/2014   4.0 MEDIUM
CVE-2014-0160  4/7/2014    5.0 MEDIUM         Heartbleed
CVE-2014-0076  3/25/2014   4.3 MEDIUM
CVE-2014-0016  3/24/2014   4.3 MEDIUM
CVE-2014-0017  3/14/2014   1.9 LOW
CVE-2014-2234  3/5/2014    6.4 MEDIUM
CVE-2013-7295  1/17/2014   4.0 MEDIUM
CVE-2013-4353  1/8/2014    4.3 MEDIUM
CVE-2013-6450  1/1/2014    5.8 MEDIUM
…
* affected Siemens industrial products (see Editor’s Notes, #14)

As of today, internet scans by masscan reveal 300,000 of the original 600,000 remain unpatched or unpatchable.
Heartbleed + (Unpatchable) Internet of Things == ___ ?
In our bodies. In our homes. In our infrastructure. In our cars.
Sarcasm: I’m shocked!
The Cavalry isn’t coming… It falls to us

I Am The Cavalry
Problem Statement: Our society is adopting connected technology faster than we are able to secure it.
Mission Statement: To ensure connected technologies with the potential to impact public safety and human life are worthy of our trust.
- Collecting existing research, researchers, and resources
- Connecting researchers with each other, industry, media, policy, and legal
- Collaborating across a broad range of backgrounds, interests, and skillsets
- Catalyzing positive action sooner than it would have happened on its own
Why:  Trust, public safety, human life
How:  Education, outreach, research
Who:  Infosec research community
Who:  Global, grass roots initiative
What: Long-term vision for cyber safety
Focus areas: Medical, Automotive, Connected Home, Public Infrastructure
Innovate! (chart: PRODUCTIVITY over TIME)
ON TIME. ON BUDGET. ACCEPTABLE QUALITY/RISK.
Agile goats; not goat rodeo. “We need to be agile, but not fragile.”
@RuggedSoftware @joshcorman @mortman #RSAC #DevOps
Agile / CI
ON TIME. Faster builds. Fewer interruptions. More innovation.
ON BUDGET. More efficient. More profitable. More competitive.
ACCEPTABLE QUALITY/RISK. Easier compliance. Higher quality. Built-in audit protection.
DevOps
It may feel like DevOps is Pandora’s Box, but it’s open… and hope remains. ;)
@joshcorman @mortman #RSAC #DevOps
DevOps / CD
Agile / CI
SW Supply Chains
SW Supply Chain
DevOps / CD
Agile / CI
Comparing the Prius and the Volt

                       Toyota advantage   Toyota Prius   Chevy Volt
Unit cost              61%                $24,200        $39,900
Units sold             13x                23,294         1,788
In-house production    50%                27%            54%
Plant suppliers        16% (10x per)      125            800
Firm-wide suppliers    4%                 224            5,500
Open source usage is EXPLODING: yesterday’s source code is now replaced with OPEN SOURCE components.
Source: Sonatype, Inc. analysis of (Maven) Central Repository component requests, per year:
2007   500M
2008   1B
2009   2B
2010   4B
2011   6B
2012   8B
2013   13B
2014   17B
THINK LIKE AN ATTACKER
Now that software is ASSEMBLED… our shared value becomes our shared attack surface.
One risky component now affects thousands of victims: ONE EASY TARGET.
STRUTS: organizations hit through the same component
- Global Bank
- Software Provider
- Software Provider’s Customer
- State University
- Three-Letter Agency
- Large Financial Exchange
- Hundreds of Other Sites
w/many eyeballs, all bugs are??? Struts
(chart: CVSS score of each Apache Struts CVE, by year, 2005-2014)
CVE-2005-3745, CVE-2006-1546, CVE-2006-1547, CVE-2006-1548, CVE-2007-6726, CVE-2008-2025, CVE-2008-6504, CVE-2008-6505, CVE-2008-6682, CVE-2010-1870, CVE-2011-1772, CVE-2011-2087, CVE-2011-2088, CVE-2011-5057, CVE-2012-0391, CVE-2012-0392, CVE-2012-0393, CVE-2012-0394, CVE-2012-0838, CVE-2012-1006, CVE-2012-1007, CVE-2012-4386, CVE-2012-4387, CVE-2013-1965, CVE-2013-1966, CVE-2013-2115, CVE-2013-2134, CVE-2013-2135, CVE-2013-2248, CVE-2013-2251, CVE-2013-4310, CVE-2013-4316, CVE-2013-6348, CVE-2014-0094
Latent 7-11 yrs
BOUNCY CASTLE
In 2013, 4,000 organizations downloaded a version of Bouncy Castle with a level 10 vulnerability 20,000 TIMES… into XXX,XXX applications… SEVEN YEARS after the vulnerability was fixed.
NATIONAL CYBER AWARENESS SYSTEM, Original Notification Date: 03/30/2009
CVE-2007-6721, Bouncy Castle Java Cryptography API
CVSS v2 Base Score: 10.0 HIGH (Impact Subscore: 10.0, Exploitability Subscore: 10.0)
HTTPCLIENT 3.X
In December 2013, 6,916 DIFFERENT organizations downloaded a version of HttpClient with broken SSL validation (CVE-2012-5783) 66,824 TIMES… more than ONE YEAR AFTER THE ALERT.
NATIONAL CYBER AWARENESS SYSTEM, Original Release Date: 11/04/2012
CVE-2012-5783, Apache Commons HttpClient 3.x
CVSS v2 Base Score: 5.8 MEDIUM (Impact Subscore: 4.9, Exploitability Subscore: 8.6)
Current approaches AREN’T WORKING: TAKE COSTS OUT OF YOUR SUPPLY CHAIN
(pipeline: Component Selection → Development → Build and Deploy → Production)
- 228K unique components downloaded per company
- 75% lack meaningful controls over components in apps
- X average number of suppliers per company
- 48 different versions of the same component downloaded
COMMERCIAL RESPONSES TO OPENSSL (6/11/2015)
(chart) X axis: time (days) following initial Heartbleed disclosure and patch availability. Y axis: number of products included in the vendor vulnerability disclosure. Z axis (circle size): exposure as measured by the CVE CVSS score.
https://www.usenix.org/system/files/login/articles/15_geer_0.pdf
For the 41%: 390 days
CVSS 10s: 224 days
TRUE COSTS (& LEAST COST AVOIDERS)
ACME: Enterprise, Bank, Retail, Manufacturing, BioPharma, Education, High Tech
H.R. 5793 “Cyber Supply Chain Management and Transparency Act of 2014”
Elegant Procurement Trio:
1) Ingredients: anything sold to $PROCURING_ENTITY must provide a Bill of Materials of 3rd party and open source components (along with their versions)
2) Hygiene & Avoidable Risk: …and cannot use known vulnerable components for which a less vulnerable component is available (without a written and compelling justification accepted by $PROCURING_ENTITY)
3) Remediation: …and must be patchable/updateable, as new vulnerabilities will inevitably be revealed
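The procurement trio above and the Bouncy Castle and HttpClient download figures earlier in the deck both come down to the same two-word test: does a component carry KNOWN VULNERABILITIES, and did anyone keep pulling it after the alert. The following is an added example written for this page; it is not code from the slides, from Sonatype, or from any NVD tooling. It checks a bill of materials against a small vulnerability table (procurement tests 1 and 2), counts distinct suppliers (Deming’s “fewer, better suppliers”), and counts post-alert downloads of vulnerable versions in a component request log (the Central analysis behind the Bouncy Castle and HttpClient slides). The CVE ids and CVSS scores are the ones cited on the slides; the affected and fixed versions, the replacement component, the BOM, the organization names and the request log are all constructed assumptions.

```python
"""Known-vulnerability check for a bill of materials and a component request log.
Added example for this page; not code from the slides, from Sonatype or from NVD.
CVE ids and CVSS scores are the ones cited on the slides; fixed versions, the
replacement component, the BOM, org names and the request log are assumptions."""
import re
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional, Set, Tuple


@dataclass(frozen=True)
class Vuln:
    cve: str
    group: str                  # Maven groupId
    artifact: str               # Maven artifactId
    fixed_in: Optional[str]     # first non-vulnerable version in this line; None = no fixed release
    replacement: Optional[str]  # coordinates of a less vulnerable replacement, if any
    cvss: float
    alert: date                 # public alert date shown on the slides


# ASSUMED version data: CVE-2007-6721 is treated as fixed in Bouncy Castle 1.38, and
# Commons HttpClient 3.x as having no fixed 3.x release, with the HttpComponents 4.x
# client as the replacement. Confirm against NVD before reusing these entries.
VULNS: List[Vuln] = [
    Vuln("CVE-2007-6721", "org.bouncycastle", "bcprov-jdk15", "1.38", None,
         10.0, date(2009, 3, 30)),
    Vuln("CVE-2012-5783", "commons-httpclient", "commons-httpclient", None,
         "org.apache.httpcomponents:httpclient", 5.8, date(2012, 11, 4)),
]

Component = Tuple[str, str, str]            # (groupId, artifactId, version)
Request = Tuple[str, str, str, str, date]   # (org, groupId, artifactId, version, date)


def parse_version(v: str) -> Tuple[int, ...]:
    """'3.0.1' -> (3, 0, 1). Enough for dotted numeric versions; this is not full
    Maven ordering (qualifiers such as -beta or -SNAPSHOT are ignored)."""
    return tuple(int(n) for n in re.findall(r"\d+", v))


def known_vulns(comp: Component) -> List[Vuln]:
    """Known vulnerabilities that apply to exactly this component version."""
    group, artifact, version = comp
    return [v for v in VULNS
            if (v.group, v.artifact) == (group, artifact)
            and (v.fixed_in is None or parse_version(version) < parse_version(v.fixed_in))]


def audit_bom(bom: List[Component]) -> List[Dict[str, object]]:
    """Procurement test 2: flag known-vulnerable components, highest CVSS first, and
    name the less vulnerable option when one exists. Test 3 (patchable/updateable)
    is a property of the delivered product and cannot be read from a BOM."""
    findings = []
    for comp in bom:
        for v in known_vulns(comp):
            if v.fixed_in:
                remedy = f"upgrade to {v.group}:{v.artifact}:{v.fixed_in} or later"
            elif v.replacement:
                remedy = f"migrate to {v.replacement}"
            else:
                remedy = "no less vulnerable option known; written justification required"
            findings.append({"component": ":".join(comp), "cve": v.cve,
                             "cvss": v.cvss, "remedy": remedy})
    return sorted(findings, key=lambda f: -float(f["cvss"]))


def suppliers(bom: List[Component]) -> List[str]:
    """Distinct upstream suppliers (groupIds): the 'fewer, better suppliers' number."""
    return sorted({group for group, _, _ in bom})


def late_downloads(log: List[Request]) -> Dict[str, Dict[str, int]]:
    """Per CVE: distinct orgs that pulled a vulnerable version after the public alert,
    how many pulls, and how many days after the alert the latest pull happened."""
    stats: Dict[str, Dict[str, int]] = {}
    orgs: Dict[str, Set[str]] = {}
    for org, group, artifact, version, when in log:
        for v in known_vulns((group, artifact, version)):
            days = (when - v.alert).days
            if days <= 0:
                continue  # pulled before anyone was told; not a hygiene failure
            s = stats.setdefault(v.cve, {"orgs": 0, "downloads": 0, "max_days_after_alert": 0})
            orgs.setdefault(v.cve, set()).add(org)
            s["orgs"] = len(orgs[v.cve])
            s["downloads"] += 1
            s["max_days_after_alert"] = max(s["max_days_after_alert"], days)
    return stats


# Constructed sample input (assumed; not real organizations or real traffic).
SAMPLE_BOM: List[Component] = [
    ("org.bouncycastle", "bcprov-jdk15", "1.36"),
    ("commons-httpclient", "commons-httpclient", "3.1"),
    ("org.apache.httpcomponents", "httpclient", "4.3.6"),
]
SAMPLE_LOG: List[Request] = [
    ("acme-bank", "org.bouncycastle", "bcprov-jdk15", "1.36", date(2013, 12, 2)),
    ("acme-bank", "commons-httpclient", "commons-httpclient", "3.1", date(2013, 12, 5)),
    ("state-u", "commons-httpclient", "commons-httpclient", "3.0.1", date(2013, 12, 9)),
    ("state-u", "org.bouncycastle", "bcprov-jdk15", "1.50", date(2013, 12, 9)),
    ("retail-co", "commons-httpclient", "commons-httpclient", "3.1", date(2008, 6, 1)),
]

if __name__ == "__main__":
    print(*audit_bom(SAMPLE_BOM), sep="\n")
    print(suppliers(SAMPLE_BOM), late_downloads(SAMPLE_LOG))
```

Run as a script it prints the two findings (the CVSS 10.0 one first), the three suppliers, and per CVE how many organizations kept pulling a vulnerable version after the alert and how late. The version comparison is deliberately simple; a real check would use the build tool’s own version ordering and a maintained vulnerability feed rather than a hand-written table.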
PROCUREMENT TRIO + BOUNCY CASTLE
(the Bouncy Castle / CVE-2007-6721 slide above, re-shown against the trio: a known-vulnerable component with a safer replacement available)
TWO LITTLE WORDS
KNOWN
VULNERABILITIES
Hot off the presses: 2015 Verizon DBIR
Current approaches AREN’T WORKING
(pipeline: Component Selection → Development → Build and Deploy → Production)
- 75% lack meaningful controls over components in apps
- 27 different versions of the same component downloaded
- 95% inefficient sourcing: components are not downloaded to caching repositories
- 63% don’t track components used in production
- 24 critical or severe vulnerabilities per app
- 4 strong-copyleft-licensed components per app, on average
SW Supply Chain Intelligence Goes Here
1) Fewer/Better Suppliers
2) Better Supply from High Quality Suppliers
3) Traceability and Visibility throughout manufacturing
Result:
1) Less Unplanned/Unscheduled Work (and painful Context Switching)
2) Faster MTTI/MTTR when things do go wrong
> 30% Boost
Full day of videos
Assessments Available
http://www.sonatype.org/nexus/

Continuous acceleration devopsdaysdc2015_corman


Editor's Notes

  • #5 Incentives incentivize: any strategy that requires human nature to change is likely to fail. The eternal essence of SW developers is to be “On Time. On Budget. With Acceptable Quality/Risk”, which translates into “Go Faster. Be more Efficient. Manage Quality.” In that order… IMG SRC = https://www.flickr.com/photos/opensourceway/4862920379/in/photolist-8pHJNP-9YLxpV-bZwfxo-4cv2XJ-6u2Sii-6u2Sbv-6u2RPV-7TCwgh-7DhXvU-8bpC9J-f119g-6V7UHx-63Bo2R-bwS9ux-7svgys-755bHf-9YLxvr-4R4GZV-dhtwk7-6V69PL-8nuXRE-c8Hc9m-9RTeA4-5HhfEX-8Vnaei-aFf72q-pgL6BQ-6n9a5w-6n98H1-6n99vN-6n4YQe-751hbP-4PLgno-M3uTP-9YPru5-BAPs6-8JMvEe-6t2Jfa-k9ZQVz-eF7qWf-6VbWPN-4UKjC3-7z4qGQ-jAC6Ap-9YLuSK-9YLuLD-9YLwYr-5zUdBo-64ooGC-9YLvPx
  • #6 Gene and I realized back in 2011 that DevOps was a game changer and that Security as we knew it was not going to survive. My Rugged Software Manifesto and movement and our shared beliefs about culture and incentives compelled us to marry the tribes for mutual benefit.
  • #8  IMG SRC == https://www.flickr.com/photos/pedestriantype/3447676191
  • #9 And in 2015 we now merge with the broader DevOps leadership community… with a full-day, 700-person Rugged DevOps workshop at this year’s RSAC. Gene is realizing the mad chemistry we’ve done… Jez is asking what the heck am I getting myself into ;)
  • #12 http://www.caida.org/research/security/code-red/coderedv2_analysis.xml#animations
  • #14 NIST’s NVD (National Vulnerability Database) http://web.nvd.nist.gov/view/vuln/search-results?query=OpenSSL&search_type=all&cves=on  Siemens was affected by 4 OpenSSL flaws beyond HeartBleed, one from 2010: http://www.scmagazine.com/siemens-industrial-products-impacted-by-four-openssl-vulnerabilities/article/361997/ “Several Siemens products used for process and network control and monitoring in critical infrastructure sectors are affected by four vulnerabilities in the company's OpenSSL cryptographic software library. The vulnerabilities – CVE-2014-0224, CVE-2014-0198, CVE-2010-5298, and CVE-2014-3470 – can be exploited remotely, and fairly easily, to hijack a session as part of a man-in-the-middle attack or to crash the web server of the product, according to a Thursday ICS-CERT post. Siemens has already issued updates for APE versions prior to version 2.0.2 and WinCC OA (PVSS), but has only issued temporary mitigations for CP1543-1, ROX 1, ROX 2, and S7-1500. The products are typically used in the chemical, critical manufacturing, energy, food and agriculture, and water and wastewater systems sectors, according to the post.”
  • #18 www.ruggedsoftware.org https://www.ruggedsoftware.org/documents/
  • #19 www.ruggedsoftware.org https://www.ruggedsoftware.org/documents/ “I recognize that my code will be attacked by talented and persistent adversaries who threaten our physical, economic, and national security“
  • #21 [ picture of messy data center ] Ten minutes into Bill’s first day on the job, he has to deal with a payroll run failure. Tomorrow is payday, and finance just found out that while all the salaried employees are going to get paid, none of the hourly factory employees will. All their records from the factory timekeeping systems were zeroed out. Was it a SAN failure? A database failure? An application failure? Interface failure? Cabling error?
  • #25 Deming has sage advice for us… but he has more than that… Deming may be the key to changing our fate… …more on this later… See also Josh’s RSA Europe Keynote Video: Survival Isn’t Mandatory: Challenges and Opportunities of DevOps http://youtu.be/m4Y_K7MXQxQ
  • #26 Incentives incentivize: any strategy that requires human nature to change is likely to fail. The eternal essence of SW developers is to be “On Time. On Budget. With Acceptable Quality/Risk”, which translates into “Go Faster. Be more Efficient. Manage Quality.” In that order… IMG SRC = https://www.flickr.com/photos/opensourceway/4862920379/in/photolist-8pHJNP-9YLxpV-bZwfxo-4cv2XJ-6u2Sii-6u2Sbv-6u2RPV-7TCwgh-7DhXvU-8bpC9J-f119g-6V7UHx-63Bo2R-bwS9ux-7svgys-755bHf-9YLxvr-4R4GZV-dhtwk7-6V69PL-8nuXRE-c8Hc9m-9RTeA4-5HhfEX-8Vnaei-aFf72q-pgL6BQ-6n9a5w-6n98H1-6n99vN-6n4YQe-751hbP-4PLgno-M3uTP-9YPru5-BAPs6-8JMvEe-6t2Jfa-k9ZQVz-eF7qWf-6VbWPN-4UKjC3-7z4qGQ-jAC6Ap-9YLuSK-9YLuLD-9YLwYr-5zUdBo-64ooGC-9YLvPx
  • #27 Waterfall -> Agile -> DevOps -> SW Supply Chains Creative Commons https://www.flickr.com/photos/edwarddalmulder/16007135379
  • #28 Waterfall -> Agile -> DevOps -> SW Supply Chains Bring up Agile Manifesto – why it got Adoption/Motivational Aligment… Rugged Manifesto IMG SRC = https://www.flickr.com/photos/spam/3793946621/in/photolist-6MfY9M-pibhYF-4pewTp-5r6nyV-9dQpr8-4KHaSk-7GpW1s-aghWN5-qKUeyx-3paWa5-pTBrTu-oWLEkK-fBgcPD-dTGid3-d9Wqz3-cX8kCE-8djLzu-aghWX1-gG5tkQ-oES1PD-67gTBy-ccZ3iL-dDSEQW-qqZViu-DWdGA-6ZR48F-dtySAq-uxgZq-GGsSn-aghWK1-8VBRBX-yNrLX-7PQWEZ-7HC962-7xbdLo-aPMVLp-8s5w6E-aghWM9-agfcea-8bB8gn-dTGhjY-dnp9es-qth42k-5sXSCT-mDbZND-4MAAEZ-fKh9sA-pww9X8-8Qsyys-9MpqGa Creative Commons
  • #30 Waterfall -> Agile -> DevOps -> SW Supply Chains IMG SRC = https://www.flickr.com/photos/psd/8634021085/in/photolist-c3BfF9-9M9wdC-e9XBEv-nfWJyu-nP7Kpu-nQSeD8-nRai9p-nSWNhM-nStWnY-nA8njq-nSjUtV-i8j8nr-9bfKQs-9bfKod-9bfJVJ-9bcAi4-9bfJ39-rc2ry5-bByrik-cnMSNq-i8jk14-nebFtv-nebFb6-nvFrhD-dMajYn-d7gLpU-nvpMUQ-pjoDDE-d7gCq9-dXCzrc-dXKmus-dXDDfp-dXDD4D-dXKjLN-dXKngf-dXDCKz-dXDDVP-dXKm33-dXDBBX-dXDDsP-dXKiis-dXKmZq-dXDCcD-dXDBXV-dXDFfT-dXKi3L-dhg27j-nyiAKG-pSip9A-dkdPkb Creative Commons
  • #32 Waterfall -> Agile -> DevOps -> SW Supply Chains Creative Commons https://www.flickr.com/photos/fordapa/3886403372
  • #34 Comparing Toyota and General Motors. JOSH: bring up Healthcare.gov (81 versions of Spring vs 1); 15% innovation lift at an insurer; MTTD 6 minutes versus 6 weeks.
  • #35 In fact open source usage is exploding based on the number of downloads from the (Maven) Central Repository. Looking at these numbers it is easy to understand why only 10% of a typical application is source code. As the stewards of the Central repository, we have unique insight into both the phenomenal growth and the related risk. ……. Way back in the dark ages of 2001, our founder, Jason van Zyl, who was very, very frustrated about how inefficient the leveraging of open source was at that time, created this thing called Maven. And Maven, I’m sure most of you know, is basically a recipe container and dependency resolver, and it allowed for very efficient use of open source binaries. When he created Maven, he decided that it would be really convenient if Maven could just look to a default place. And so as an afterthought he created, and we became caretakers of, Maven Central. And it gives us an incredible amount of visibility into how the ecosystem works. We can see who is contributing what innovations, who is consuming what components, what trends there are in open source usage. We’ve seen just an explosion of modular software development. Last year we serviced 13 billion open source component requests. And as big as that number sounds, it’s understated because 25% of the requests came from caches and proxies like Nexus.
  • #36 From an attacker’s eye view… it used to require finding a flaw in Bank XYZ and then exploiting that bank and only that bank… but now…
  • #37 …if an attacker finds a flaw in Struts… it can attack EVERY bank who uses it – which is most of them. Same reason Heartbleed was so far reaching… shared dependence == shared risk/attack surface. POINT: INCREASE in attacker interest/value – aka blood is in the water…
  • #38 Before the highly publicized OpenSSL Heartbleed Last summer/fall… a worst case CVSS 10 flaw in the hugely popular Apache Struts Project was used to compromise most of the banks and other serious targets above. This bug had been there for YEARS unnoticed. Many had to be told by the FBI that they were compromised This triggered the FS-ISAC to issue guidance on 3rd Party and OpenSource Supply Chain risk… out of necessity The 3 letter agency SHOCKED me… but alas is true The green is a Chinese attack tool out almost immediately after the CVE was announced.
  • #39 I looked deeper into the Apache Struts Project. A pattern I’ve recognized is that there is more vulnerability/attacker interest in the most depended upon OpenSource Projects. Struts is one of the most depended upon – especially so in the Financial Services industries… As previously stated, one of the CVSS lvl 10 (of 10) Struts vulnerabilities wreaked havoc on POINT: There are more vulnerabilities – and more serious ones…. in the recent year to two. I may ask that this gets dynamically autogenerated per-project by my teams. NOTE: Many of these flaws were dormant a VERY long time – despite the “many eyeballs” false belief. NOTE: I personally think this more speaks to attacker/adversary interest.
  • #40 Here are just a few examples so you can see that this risk is real… Bouncy Castle is a popular open source component… and even after critical security alerts were issued in 2009 (CVE issued earlier in 2007), 4000 companies still downloaded it 20,000 times. And that was seven years after a better, safer replacement was issued. This is a level 10 critical security risk. Imagine the exposed applications out there… maybe some of them store your personal credit card data or other personal information.
  • #41 This example is even worse… a version of httpclient with broken SSL validation downloaded by 6,916 organizations 66,824 times more than a year after the alert. It wasn’t hard for us to find these examples… this just skims the surface. Some of you may have heard about the FBI Warning last year about Struts… a vulnerable – and old – version of this framework was used to hack into a handful of large organizations. It made a lot of news. But people are still using it today.
  • #42 Bouncy Castle – CVSS 10 – 2009 -- Since then 11,236 organizations downloaded it 214,484 times httpClient Since then 29,468 organizations downloaded it 3,749,193 times
  • #43 Qualitative takeaways:   Virtually all major (and not so major) software vendors are building on a stack of open source (including security vendors). The breadth of use across some vendors, IBM most notably is remarkably high (open source is not just in a few rogue products). New discoveries are getting more serious over time. New discoveries are getting less vendor attention (fewer vendor disclosures) despite their being more serious. Vendors are responding to new discoveries at a somewhat slower pace. The significant increase in product disclosures after the later OpenSSL disclosures, which affect all versions of OpenSSL not just versions 1.0.1 or later, implies that many vendors and products were using old libraries (version 0.9.8 was first released in July, 2005).   Total disclosures: 227   Total product instances affected by disclosures: 2,513   Mean time to repair: 35.8   Median time to repair: 22.0  
  • #48 Here are just a few examples so you can see that this risk is real… Bouncy Castle is a popular open source component… and even after critical security alerts were issued in 2009, 4000 companies still downloaded it 20,000 times. And that was five years after a better, safer replacement was issued. This is a level 10 critical security risk. Imagine the exposed applications out there… maybe some of them store your personal credit card data or other personal information.
  • #51 HDMoore’s Law proven by Risk I/O
  • #52 Bouncy Castle – CVSS 10 – 2009 -- Since then 11,236 organizations downloaded it 214,484 times httpClient Since then 29,468 organizations downloaded it 3,749,193 times
  • #53 Deming has sage advice for us… but he has more than that… Deming may be the key to changing our fate… …more on this later… See also Josh’s RSA Europe Keynote Video: Survival Isn’t Mandatory: Challenges and Opportunities of DevOps http://youtu.be/m4Y_K7MXQxQ
  • #60 Incentives incentivize: any strategy that requires human nature to change is likely to fail. The eternal essence of SW developers is to be “On Time. On Budget. With Acceptable Quality/Risk”, which translates into “Go Faster. Be more Efficient. Manage Quality.” In that order… IMG SRC = https://www.flickr.com/photos/opensourceway/4862920379/in/photolist-8pHJNP-9YLxpV-bZwfxo-4cv2XJ-6u2Sii-6u2Sbv-6u2RPV-7TCwgh-7DhXvU-8bpC9J-f119g-6V7UHx-63Bo2R-bwS9ux-7svgys-755bHf-9YLxvr-4R4GZV-dhtwk7-6V69PL-8nuXRE-c8Hc9m-9RTeA4-5HhfEX-8Vnaei-aFf72q-pgL6BQ-6n9a5w-6n98H1-6n99vN-6n4YQe-751hbP-4PLgno-M3uTP-9YPru5-BAPs6-8JMvEe-6t2Jfa-k9ZQVz-eF7qWf-6VbWPN-4UKjC3-7z4qGQ-jAC6Ap-9YLuSK-9YLuLD-9YLwYr-5zUdBo-64ooGC-9YLvPx