This document discusses software supply chain security and vulnerabilities. It references the Equifax data breach in 2017 that was caused by a vulnerability in the Apache Struts software. The document notes that 80-90% of modern applications and operations consist of assembled components, but not all parts are created equal from a security standpoint. It provides statistics showing that 11.1% of Java components downloaded annually have known vulnerabilities and that 80% of organizations analyzed show poor cyber hygiene. The key takeaway is that businesses are ultimately responsible for the security of their data and systems, so emphasizing security for the entire software supply chain is important.

1. We Are All Equifax
Derek E. Weeks
Vice President, Sonatype
Co-founder, All Day DevOps
@weekstweets

2. “Emphasize performance of the entire system
and never pass a defect downstream.”
Gene Kim
The Phoenix Project
2013

3. Say Hello to Your Software Supply Chain…
@weekstweets

5. THE SSC INDEX
Open Source Component Download
Requests, The Central Repository,
2008 - 2017
87
2017

6. 80% to 90% of
modern apps
consist of
assembled
components.

7. 80% to 90% of
modern
operations
consist of
assembled
containers.
Containers
Hand-built
applications and
infrastructure

8. NOT ALL PARTS ARE CREATED EQUAL
@weekstweets

9. @weekstweets
CYBERSECURITY HYGIENE RATIO IS 1 IN 8
@weekstweets

10. 170,000
Java component
downloads annually
18,870
11.1% with known
vulnerabilities
7,500 ORGANIZATIONS ANALYZED
@weekstweets

11. 6-IN-10 HAVE OPEN SOURCE POLICIES
@weekstweets

14. DEFECT PERCENTAGES FOR JAVASCRIPT
@weekstweets

15. 5 Month Opportunity to Take Corrective Action
Large Scale Exploit
March 10
Equifax applications
breached through
Struts2 vulnerability
AprMar May Jun Jul Aug Sept
March 7
Apache Struts releases
updated version to
thwart vulnerability
CVE-2017-5638
July 29
Breach is discovered
by Equifax.
Sept 7
A new RCE vulnerability
is announced and fixed.
CVE-2017-9805
Probing Hack
Crisis Management

16. 3 DAYS BEFORE EXPLOIT
Source: Adapted from IBM X-Force / Analysis by Gartner Research (September 2016)
Year of Date Reported
2006 2007 2008 2009 2010 2011 2012 2013 2104 2015
10
20
30
40
50
0
AverageDaystoExploit
Average
45
15
2017

17. Struts vulnerability
announced
The
breach
Breach
discovered.
New Struts and
Spring vulnerabilities.
12 months since
Equifax breach.
0
20,000
40,000
60,000
80,000
100,000
120,000
Mar-17 Apr-17 May-17 Jun-17 Jul-17 Aug-17 Sep-17 Oct-17 Nov-17 Dec-17 Jan-18 Feb-18 Mar-18
Total
Breach
disclosed.
80% SHOW POOR CYBER HYGIENE
Number of vulnerable Struts component downloads per month

18. Source: Maven Central Repository, March 2018
VULNERABLE SPRING FRAMEWORK DOWNLOADS
CVE-2017-8046

19. 72%
see security
pros in the
role of “nag”.

20. Check in
Trigger
Feedback Trigger

22. Which application security tools are critical to your organization?

23. TRUSTED SOFTWARE SUPPLY CHAINS

24. The question is not:
Can we build secure software?

25. Businesses decide where and how to invest in
cybersecurity based on a cost-benefit assessment
but they are ultimately liable for the security of
their data and systems.
U.K.’s National Cyber Security Strategy
2016 - 2021

26. “Emphasize performance of the entire system
and never pass a defect downstream.”
Gene Kim
The Phoenix Project
2013

27. weeks@sonatype.com