SlideShare a Scribd company logo

2015 | Continuous Acceleration: Why Continuous Everything Needs A Supply Chain Approach | DevOpsDays Austin 2015 | @joshcorman

Download as PPTX, PDF
J
joshcorman

Joshua Corman emphasizes the urgency of applying a supply chain approach to software development due to the rapid adoption of connected technologies and their potential risks to public safety. The document advocates for fewer and better suppliers, improved traceability, and higher quality standards to enhance efficiency and mitigate risks associated with software vulnerabilities. Corman also highlights the importance of collaboration across sectors to address known vulnerabilities and ensure that connected technologies are reliable and trustworthy.

Software
1 of 55
Downloaded 20 times
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
@joshcorman Continuous Acceleration: Why Continuous Everything Needs A Supply Chain Approach Josh Corman @joshcorman
@joshcorman Conclusions / Apply!  Idea: A full embrace of Deming is a SW Supply Chain:  Fewer/Better Suppliers  Highest Quality Supply  Traceability/Visibility throughout Manufacturing / Prom & Agile Recall  Benefits: Such rigor enables:  Even FASTER: Fewer instances of Unplanned/Unscheduled Work  More EFFICIENT: Faster MTTD/MTTR  Better QUALITY/RISK: Avoid elective/avoidable complexity/risk  Urgency: It’s OpenSeason on OpenSource  And our dependence on connected tech is increasingly a public safety issue  Coming Actions: Known Vulnerabilities” Convergence  Lawmakers, Insurers, Lawyers, etc. are converging
@joshcorman YOU CAN HAVE TOO MUCH OF A GOOD THING…
@joshcorman Joshua Corman Who am I? @joshcorman CTO, Sonatype
@joshcorman
@joshcorman
@joshcorman 7
@joshcorman
#RSAC SESSION ID: Gene Kim Joshua Corman Rugged DevOps Going Even Faster With Software Supply Chains CTO Sonatype @joshcorman Researcher and Author IT Revolution Press @RealGeneKim
@joshcorman 10 10/23/2013 ~ Marc Marc Andreessen 2011
@joshcorman 11
@joshcorman 12 10/23/2013 Trade Offs Costs & Benefits
@joshcorman Beyond Heartbleed: OpenSSL in 2014 (31 in NIST’s NVD thru December) CVE-2014-3470 6/5/2014 CVSS Severity: 4.3 MEDIUM  SEIMENS * CVE-2014-0224 6/5/2014 CVSS Severity: 6.8 MEDIUM  SEIMENS * CVE-2014-0221 6/5/2014 CVSS Severity: 4.3 MEDIUM CVE-2014-0195 6/5/2014 CVSS Severity: 6.8 MEDIUM CVE-2014-0198 5/6/2014 CVSS Severity: 4.3 MEDIUM  SEIMENS * CVE-2013-7373 4/29/2014 CVSS Severity: 7.5 HIGH CVE-2014-2734 4/24/2014 CVSS Severity: 5.8 MEDIUM ** DISPUTED ** CVE-2014-0139 4/15/2014 CVSS Severity: 5.8 MEDIUM CVE-2010-5298 4/14/2014 CVSS Severity: 4.0 MEDIUM CVE-2014-0160 4/7/2014 CVSS Severity: 5.0 MEDIUM  HeartBleed CVE-2014-0076 3/25/2014 CVSS Severity: 4.3 MEDIUM CVE-2014-0016 3/24/2014 CVSS Severity: 4.3 MEDIUM CVE-2014-0017 3/14/2014 CVSS Severity: 1.9 LOW CVE-2014-2234 3/5/2014 CVSS Severity: 6.4 MEDIUM CVE-2013-7295 1/17/2014 CVSS Severity: 4.0 MEDIUM CVE-2013-4353 1/8/2014 CVSS Severity: 4.3 MEDIUM CVE-2013-6450 1/1/2014 CVSS Severity: 5.8 MEDIUM … As of today, internet scans by MassScan reveal 300,000 of original 600,000 remain unpatched or unpatchable
@joshcorman Heartbleed + (UnPatchable) Internet of Things == ___ ? In Our Bodies In Our Homes In Our InfrastructureIn Our Cars
@joshcorman Sarcsm: I’m shocked! 15
@joshcorman
@joshcorman
@joshcorman
@joshcorman •The The Cavalry isn’t coming… It falls to us Problem Statement Our society is adopting connected technology faster than we are able to secure it. Mission Statement To ensure connected technologies with the potential to impact public safety and human life are worthy of our trust. Collecting existing research, researchers, and resources Connecting researchers with each other, industry, media, policy, and legal Collaborating across a broad range of backgrounds, interests, and skillsets Catalyzing positive action sooner than it would have happened on its own Why Trust, public safety, human life How Education, outreach, research Who Infosec research community Who Global, grass roots initiative WhatLong-term vision for cyber safety Medical Automotive Connected Home Public Infrastructure I Am The Cavalry
@joshcorman Innovate! PRODUCTIVITY TIME
@joshcorman
@joshcorman
@joshcorman 23
@joshcorman ON TIME ON BUDGET ACCEPTABLE QUALITY/RISK
@joshcorman
@joshcorman Agile goats; not goat rodeo. “We need to be agile, but not fragile.” @RuggedSoftware @joshcorman @mortman #RSAC #DevOps
@joshcorman ON TIME. Faster builds. Fewer interruptions. More innovation. ON BUDGET. More efficient. More profitable. More competitive. ACCEPTABLE QUALITY/RISK. Easier compliance. Higher quality. Built-in audit protection. Agile / CI
@joshcorman DevOps It may feel like DevOps is Pandora’s Box, but it’s open… and hope remains. ;) @joshcorman @mortman #RSAC #DevOps
@joshcorman ON TIME. Faster builds. Fewer interruptions. More innovation. ON BUDGET. More efficient. More profitable. More competitive. ACCEPTABLE QUALITY/RISK. Easier compliance. Higher quality. Built-in audit protection. DevOps / CD Agile / CI
@joshcorman SW Supply Chains
@joshcorman ON TIME. Faster builds. Fewer interruptions. More innovation. ON BUDGET. More efficient. More profitable. More competitive. ACCEPTABLE QUALITY/RISK. Easier compliance. Higher quality. Built-in audit protection. SW Supply Chain DevOps / CD Agile / CI
@joshcorman Toyota Advantage Toyota Prius Chevy Volt Unit Cost 61% $24,200 $39,900 Units Sold 13x 23,294 1,788 In-House Production 50% 27% 54% Plant Suppliers 16% (10x per) 125 800 Firm-Wide Suppliers 4% 224 5,500 Comparing the Prius and the Volt
@joshcorman Open source usage is EXPLODING Yesterday’s source code is now replaced with OPEN SOURCE components 33 Source: Sonatype, Inc. analysis of (Maven) Central Repository component requests. 201320122011200920082007 2010 2B1B500M 4B 6B 8B 13B 17B 2014
@joshcorman 34 Now that software is ASSEMBLED… Our shared value becomes our shared attack surface THINK LIKE AN ATTACKER
@joshcorman One risky component, now affects thousands of victims ONE EASY TARGET 35 THINK LIKE AN ATTACKER
@joshcorman Global Bank Software Provider Software Provider’s Customer State University Three-Letter Agency Large Financial Exchange Hundreds of Other Sites STRUTS
@joshcorman w/many eyeballs, all bugs are??? Struts 2005 2006 2007 2008 2009 2010 2011 2012 2013 2014 10.0 9.0 8.0 7.0 6.0 5.0 4.0 3.0 2.0 1.0 CVE-2005-3745 CVE-2006-1546 CVE-2006-1547 CVE-2006-1548 CVE-2008-6504 CVE-2008-6505 CVE-2008-2025 CVE-2007-6726 CVE-2008-6682 CVE-2010-1870 CVE-2011-2087 CVE-2011-1772 CVE-2011-2088 CVE-2011-5057 CVE-2012-0392 CVE-2012-0391 CVE-2012-0393 CVE-2012-0394 CVE-2012-1006 CVE-2012-1007 CVE-2012-0838 CVE-2012-4386 CVE-2012-4387 CVE-2013-1966 CVE-2013-2115 CVE-2013-1965 CVE-2013-2134 CVE-2013-2135 CVE-2013-2248 CVE-2013-2251 CVE-2013-4316 CVE-2013-4310 CVE-2013-6348 CVE-2014-0094 CVSS Latent 7-11 yrs
@joshcorman In 2013, 4,000 organizations downloaded a version of Bouncy Castle with a level 10 vulnerability 20,000 TIMES … Into XXX,XXX Applications… SEVEN YEARS after the vulnerability was fixed NATIONAL CYBER AWARENESS SYSTEM Original Notification Date: 03/30/2009 CVE-2007-6721 Bouncy Castle Java Cryptography API CVSS v2 Base Score: 10.0 HIGH Impact Subscore: 10.0 Exploitability Subscore: 10.0 BOUNCY CASTLE
@joshcorman In December 2013, 6,916 DIFFERENT organizations downloaded a version of httpclient with broken ssl validation (cve-2012-5783) 66,824 TIMES … More than ONE YEAR AFTER THE ALERT NATIONAL CYBER AWARENESS SYSTEM Original Release Date: 11/04/2012 CVE-2012-5783 Apache Commons HttpClient 3.x CVSS v2 Base Score: 5.8 MEDIUM Impact Subscore: 4.9 Exploitability Subscore: 8.6 HTTPCLIENT 3.X
@joshcorman 40 Current approaches AREN’T WORKING TAKE COSTS OUT OF YOUR SUPPLY CHAIN Component Selection DEVELOPMENT BUILD AND DEPLOY PRODUCTION COMPONENT SELECTION 228K Unique components downloaded per company ! 75% Lack meaningful controls over components in apps ! X Average number of suppliers per company ! 48 Different versions of the same component downloaded !
@joshcorman 41 5/8/2015 X Axis: Time (Days) following initial HeartBleed disclosure and patch availability Y Axis: Number of products included in the vendor vulnerability disclosure Z Axis (circle size): Exposure as measured by the CVE CVSS score COMMERCIAL RESPONSES TO OPENSSL
@joshcorman https://www.usenix.org/system/files/login/articles/15_geer_0.pdf For the 41% 390 days CVSS 10s 224 days
@joshcorman ACME Enterprise Bank Retail Manufacturing BioPharma Education High Tech Enterprise Bank Retail Manufacturing BioPharma Education High Tech Enterprise Bank Retail Manufacturing BioPharma Education High Tech TRUE COSTS (& LEAST COST AVOIDERS)
@joshcorman 44
@joshcorman H.R. 5793 “Cyber Supply Chain Management and Transparency Act of 2014”  Elegant Procurement Trio 1) Ingredients:  Anything sold to $PROCURING_ENTITY must provide a Bill of Materials of 3rd Party and Open Source Components (along with their Versions) 2) Hygiene & Avoidable Risk:  …and cannot use known vulnerable components for which a less vulnerable component is available (without a written and compelling justification accepted by $PROCURING_ENTITY) 3) Remediation:  …and must be patchable/updateable – as new vulnerabilities will inevitably be revealed
@joshcorman In 2013, 4,000 organizations downloaded a version of Bouncy Castle with a level 10 vulnerability 20,000 TIMES … Into XXX,XXX Applications… SEVEN YEARS after the vulnerability was fixed NATIONAL CYBER AWARENESS SYSTEM Original Notification Date: 03/30/2009 CVE-2007-6721 Bouncy Castle Java Cryptography API CVSS v2 Base Score: 10.0 HIGH Impact Subscore: 10.0 Exploitability Subscore: 10.0 PROCUREMENT TRIO + BOUNCY CASTLE
@joshcorman 47 SW Supply Chain Intelligence Goes Here
@joshcorman ACCORDING TO ADOBE
@joshcorman ACCORDING TO IBM
@joshcorman ACCORDING TO DOCKER
@joshcorman Current approaches AREN’T WORKING Component Selection DEVELOPMENT BUILD AND DEPLOY PRODUCTION COMPONENT SELECTION 75% Lack meaningful controls over components in apps 27 Different versions of the same component downloaded 95% Inefficient sourcing: Components are not downloaded to caching repositories 63% Don’t track components used in production 24 Critical or severe vulnerabilities per app 4 Avg of strong copyleft licensed components per app
@joshcorman Component Selection DEVELOPMENT BUILD AND DEPLOY PRODUCTION COMPONENT SELECTION PUBLIC REPOSITORIES NEXUS LIFECYCLE PRECIOUSLY IDENTIFY COMPONENTS & RISKS REMEDIATE EARLY IN DEVEOPMENT AUTOMATE POLICY ACROSS THE SDLC MANAGE RISK WITH CONSOLIDATED DASHBOARD CONTINUOUSLY MONITOR APPS FOR NEW RISKS
@joshcorman Full day of videos Assessments Available http://www.sonatype.org/nexus/
@joshcorman Conclusions / Apply!  Idea: A full embrace of Deming is a SW Supply Chain:  Fewer/Better Suppliers  Highest Quality Supply  Traceability/Visibility throughout Manufacturing / Prom & Agile Recall  Benefits: Such rigor enables:  Even FASTER: Fewer instances of Unplanned/Unscheduled Work  More EFFICIENT: Faster MTTD/MTTR  Better QUALITY/RISK: Avoid elective/avoidable complexity/risk  Urgency: It’s OpenSeason on OpenSource  And our dependence on connected tech is increasingly a public safety issue  Coming Actions: Known Vulnerabilities” Convergence  Lawmakers, Insurers, Lawyers, etc. are converging
@joshcorman Continuous Acceleration: Why Continuous Everything Needs A Supply Chain Approach Josh Corman @joshcorman

More Related Content

PPTX
Continuous acceleration devopsdaysdc2015_corman
daachi
 
PDF
IEEE ANDROID APPLICATION 2016 TITLE AND ABSTRACT
tsysglobalsolutions
 
PDF
Preliminary chapter of Certified Ethical Hacker course
David Sweigert
 
PPTX
Surgency Hacking for Defense 2017
Stanford University
 
PDF
Lifeguard Works
Mark Wolfgang
 
DOCX
Earn Money from bug bounty
Jay Nagar
 
PPTX
PredictiMx H4D Stanford 2019
Stanford University
 
PDF
Implementing Crowdsourced Testing
TechWell
 
Continuous acceleration devopsdaysdc2015_corman
daachi
 
IEEE ANDROID APPLICATION 2016 TITLE AND ABSTRACT
tsysglobalsolutions
 
Preliminary chapter of Certified Ethical Hacker course
David Sweigert
 
Surgency Hacking for Defense 2017
Stanford University
 
Lifeguard Works
Mark Wolfgang
 
Earn Money from bug bounty
Jay Nagar
 
PredictiMx H4D Stanford 2019
Stanford University
 
Implementing Crowdsourced Testing
TechWell
 

Similar to 2015 | Continuous Acceleration: Why Continuous Everything Needs A Supply Chain Approach | DevOpsDays Austin 2015 | @joshcorman (20)

PPTX
Strengthening cyber resilience with Software Supply Chain Visibility
Sonatype
 
PPTX
DOES14 - Joshua Corman - Sonatype
Gene Kim
 
PPTX
Continuous Acceleration with a Software Supply Chain Approach
Sonatype
 
PDF
Integrating DevOps and Security
Stijn Muylle
 
PDF
DevOps Connect: Josh Corman and Gene Kim discuss DevOpsSec
Sonatype
 
PDF
Continuous Security: 5 Ways DevOps Improves Security
Sonatype
 
PPTX
7 Reasons Your Applications are Attractive to Adversaries
Derek E. Weeks
 
PDF
Innovation and Architecture
Adrian Cockcroft
 
PPTX
Open Source Defense for Edge 2017
Adrian Sanabria
 
PPTX
Achieving Secure DevOps: Overcoming the Risks of Modern Service Delivery
Perforce
 
PPTX
"Building Trust: Strengthening Your Software Supply Chain Security", Serhii V...
Fwdays
 
PPTX
How to Get Started with DevSecOps
CYBRIC
 
PDF
The Future of DevSecOps
Stefan Streichsbier
 
PDF
JavaZone 2023: CVE 101: A Developer's Guide to the World of Application Security
Theresa Mammarella
 
PDF
Threat Modeling the CI/CD Pipeline to Improve Software Supply Chain Security ...
Denim Group
 
PPTX
2019 04-18 -DevSecOps-software supply chain
Cameron Townshend
 
PDF
DevSecCon London 2019: Are Open Source Developers Security’s New Front Line?
DevSecCon
 
PDF
DevSecOps 101
Narudom Roongsiriwong, CISSP
 
PPTX
BsidesMCR_2016-what-can-infosec-learn-from-devops
James '​-- Mckinlay
 
PDF
ScotSecure 2020
Ray Bugg
 
Strengthening cyber resilience with Software Supply Chain Visibility
Sonatype
 
DOES14 - Joshua Corman - Sonatype
Gene Kim
 
Continuous Acceleration with a Software Supply Chain Approach
Sonatype
 
Integrating DevOps and Security
Stijn Muylle
 
DevOps Connect: Josh Corman and Gene Kim discuss DevOpsSec
Sonatype
 
Continuous Security: 5 Ways DevOps Improves Security
Sonatype
 
7 Reasons Your Applications are Attractive to Adversaries
Derek E. Weeks
 
Innovation and Architecture
Adrian Cockcroft
 
Open Source Defense for Edge 2017
Adrian Sanabria
 
Achieving Secure DevOps: Overcoming the Risks of Modern Service Delivery
Perforce
 
"Building Trust: Strengthening Your Software Supply Chain Security", Serhii V...
Fwdays
 
How to Get Started with DevSecOps
CYBRIC
 
The Future of DevSecOps
Stefan Streichsbier
 
JavaZone 2023: CVE 101: A Developer's Guide to the World of Application Security
Theresa Mammarella
 
Threat Modeling the CI/CD Pipeline to Improve Software Supply Chain Security ...
Denim Group
 
2019 04-18 -DevSecOps-software supply chain
Cameron Townshend
 
DevSecCon London 2019: Are Open Source Developers Security’s New Front Line?
DevSecCon
 
DevSecOps 101
Narudom Roongsiriwong, CISSP
 
BsidesMCR_2016-what-can-infosec-learn-from-devops
James '​-- Mckinlay
 
ScotSecure 2020
Ray Bugg
 
Ad

Recently uploaded (20)

PDF
Website Design Services for Small Businesses.pdf
ecomme9
 
PPTX
Weekly report ppt - harsh dattuprasad patel.pptx
bikerslovers123
 
PDF
Design an Analysis of Algorithms I-SECS-1021-03
DilanEscobar1
 
PDF
Download FL Studio Crack Latest version 2025 ?
ghrom2211g
 
PDF
Internet Downloader Manager (IDM) Crack 6.42 Build 42 Updates Latest 2025
itskinga12
 
PPTX
assetexplorer- product-overview - presentation
nonameist3434
 
PDF
Odoo Companies in India – Driving Business Transformation.pdf
azhuhardeen1968
 
PDF
CapCut Video Editor 6.8.1 Crack for PC Latest Download (Fully Activated) 2025
itskinga12
 
PDF
CCleaner Pro 6.38.11537 Crack Final Latest Version 2025
itskinga12
 
PDF
Nekopoi APK 2025 free lastest update
umarali35kp
 
PDF
iTop VPN 6.5.0 Crack + License Key 2025 (Premium Version)
youngle786g
 
PDF
iTop VPN Free 5.6.0.5262 Crack latest version 2025
itskinga12
 
PDF
17 Powerful Integrations Your Next-Gen MLM Software Needs
ventaforcemlmsoftwar
 
PDF
Wondershare Filmora 15 Crack With Activation Key [2025
ghrom2211g
 
DOCX
Greta — No-Code AI for Building Full-Stack Web & Mobile Apps
niloyislam1187
 
PPTX
Reimagine Home Health with the Power of Agentic AI​
AutomationEdge Technologies
 
PDF
AI-Powered Threat Modeling: The Future of Cybersecurity by Arun Kumar Elengov...
Arun Kumar Elengovan
 
PPTX
Oracle Fusion HCM Cloud Demo for Beginners
DharanOracleerp
 
PDF
EN-Survey-Report-SAP-LeanIX-EA-Insights-2025.pdf
deepakkhaitan3
 
PDF
Salesforce Agentforce AI Implementation.pdf
Robert Mark
 
Website Design Services for Small Businesses.pdf
ecomme9
 
Weekly report ppt - harsh dattuprasad patel.pptx
bikerslovers123
 
Design an Analysis of Algorithms I-SECS-1021-03
DilanEscobar1
 
Download FL Studio Crack Latest version 2025 ?
ghrom2211g
 
Internet Downloader Manager (IDM) Crack 6.42 Build 42 Updates Latest 2025
itskinga12
 
assetexplorer- product-overview - presentation
nonameist3434
 
Odoo Companies in India – Driving Business Transformation.pdf
azhuhardeen1968
 
CapCut Video Editor 6.8.1 Crack for PC Latest Download (Fully Activated) 2025
itskinga12
 
CCleaner Pro 6.38.11537 Crack Final Latest Version 2025
itskinga12
 
Nekopoi APK 2025 free lastest update
umarali35kp
 
iTop VPN 6.5.0 Crack + License Key 2025 (Premium Version)
youngle786g
 
iTop VPN Free 5.6.0.5262 Crack latest version 2025
itskinga12
 
17 Powerful Integrations Your Next-Gen MLM Software Needs
ventaforcemlmsoftwar
 
Wondershare Filmora 15 Crack With Activation Key [2025
ghrom2211g
 
Greta — No-Code AI for Building Full-Stack Web & Mobile Apps
niloyislam1187
 
Reimagine Home Health with the Power of Agentic AI​
AutomationEdge Technologies
 
AI-Powered Threat Modeling: The Future of Cybersecurity by Arun Kumar Elengov...
Arun Kumar Elengovan
 
Oracle Fusion HCM Cloud Demo for Beginners
DharanOracleerp
 
EN-Survey-Report-SAP-LeanIX-EA-Insights-2025.pdf
deepakkhaitan3
 
Salesforce Agentforce AI Implementation.pdf
Robert Mark
 
Ad

2015 | Continuous Acceleration: Why Continuous Everything Needs A Supply Chain Approach | DevOpsDays Austin 2015 | @joshcorman

  • 1. @joshcorman Continuous Acceleration: Why Continuous Everything Needs A Supply Chain Approach Josh Corman @joshcorman
  • 2. @joshcorman Conclusions / Apply!  Idea: A full embrace of Deming is a SW Supply Chain:  Fewer/Better Suppliers  Highest Quality Supply  Traceability/Visibility throughout Manufacturing / Prom & Agile Recall  Benefits: Such rigor enables:  Even FASTER: Fewer instances of Unplanned/Unscheduled Work  More EFFICIENT: Faster MTTD/MTTR  Better QUALITY/RISK: Avoid elective/avoidable complexity/risk  Urgency: It’s OpenSeason on OpenSource  And our dependence on connected tech is increasingly a public safety issue  Coming Actions: Known Vulnerabilities” Convergence  Lawmakers, Insurers, Lawyers, etc. are converging
  • 3. @joshcorman YOU CAN HAVE TOO MUCH OF A GOOD THING…
  • 4. @joshcorman Joshua Corman Who am I? @joshcorman CTO, Sonatype
  • 9. #RSAC SESSION ID: Gene Kim Joshua Corman Rugged DevOps Going Even Faster With Software Supply Chains CTO Sonatype @joshcorman Researcher and Author IT Revolution Press @RealGeneKim
  • 13. @joshcorman Beyond Heartbleed: OpenSSL in 2014 (31 in NIST’s NVD thru December) CVE-2014-3470 6/5/2014 CVSS Severity: 4.3 MEDIUM  SEIMENS * CVE-2014-0224 6/5/2014 CVSS Severity: 6.8 MEDIUM  SEIMENS * CVE-2014-0221 6/5/2014 CVSS Severity: 4.3 MEDIUM CVE-2014-0195 6/5/2014 CVSS Severity: 6.8 MEDIUM CVE-2014-0198 5/6/2014 CVSS Severity: 4.3 MEDIUM  SEIMENS * CVE-2013-7373 4/29/2014 CVSS Severity: 7.5 HIGH CVE-2014-2734 4/24/2014 CVSS Severity: 5.8 MEDIUM ** DISPUTED ** CVE-2014-0139 4/15/2014 CVSS Severity: 5.8 MEDIUM CVE-2010-5298 4/14/2014 CVSS Severity: 4.0 MEDIUM CVE-2014-0160 4/7/2014 CVSS Severity: 5.0 MEDIUM  HeartBleed CVE-2014-0076 3/25/2014 CVSS Severity: 4.3 MEDIUM CVE-2014-0016 3/24/2014 CVSS Severity: 4.3 MEDIUM CVE-2014-0017 3/14/2014 CVSS Severity: 1.9 LOW CVE-2014-2234 3/5/2014 CVSS Severity: 6.4 MEDIUM CVE-2013-7295 1/17/2014 CVSS Severity: 4.0 MEDIUM CVE-2013-4353 1/8/2014 CVSS Severity: 4.3 MEDIUM CVE-2013-6450 1/1/2014 CVSS Severity: 5.8 MEDIUM … As of today, internet scans by MassScan reveal 300,000 of original 600,000 remain unpatched or unpatchable
  • 14. @joshcorman Heartbleed + (UnPatchable) Internet of Things == ___ ? In Our Bodies In Our Homes In Our InfrastructureIn Our Cars
  • 19. @joshcorman •The The Cavalry isn’t coming… It falls to us Problem Statement Our society is adopting connected technology faster than we are able to secure it. Mission Statement To ensure connected technologies with the potential to impact public safety and human life are worthy of our trust. Collecting existing research, researchers, and resources Connecting researchers with each other, industry, media, policy, and legal Collaborating across a broad range of backgrounds, interests, and skillsets Catalyzing positive action sooner than it would have happened on its own Why Trust, public safety, human life How Education, outreach, research Who Infosec research community Who Global, grass roots initiative WhatLong-term vision for cyber safety Medical Automotive Connected Home Public Infrastructure I Am The Cavalry
  • 24. @joshcorman ON TIME ON BUDGET ACCEPTABLE QUALITY/RISK
  • 26. @joshcorman Agile goats; not goat rodeo. “We need to be agile, but not fragile.” @RuggedSoftware @joshcorman @mortman #RSAC #DevOps
  • 27. @joshcorman ON TIME. Faster builds. Fewer interruptions. More innovation. ON BUDGET. More efficient. More profitable. More competitive. ACCEPTABLE QUALITY/RISK. Easier compliance. Higher quality. Built-in audit protection. Agile / CI
  • 28. @joshcorman DevOps It may feel like DevOps is Pandora’s Box, but it’s open… and hope remains. ;) @joshcorman @mortman #RSAC #DevOps
  • 29. @joshcorman ON TIME. Faster builds. Fewer interruptions. More innovation. ON BUDGET. More efficient. More profitable. More competitive. ACCEPTABLE QUALITY/RISK. Easier compliance. Higher quality. Built-in audit protection. DevOps / CD Agile / CI
  • 31. @joshcorman ON TIME. Faster builds. Fewer interruptions. More innovation. ON BUDGET. More efficient. More profitable. More competitive. ACCEPTABLE QUALITY/RISK. Easier compliance. Higher quality. Built-in audit protection. SW Supply Chain DevOps / CD Agile / CI
  • 32. @joshcorman Toyota Advantage Toyota Prius Chevy Volt Unit Cost 61% $24,200 $39,900 Units Sold 13x 23,294 1,788 In-House Production 50% 27% 54% Plant Suppliers 16% (10x per) 125 800 Firm-Wide Suppliers 4% 224 5,500 Comparing the Prius and the Volt
  • 33. @joshcorman Open source usage is EXPLODING Yesterday’s source code is now replaced with OPEN SOURCE components 33 Source: Sonatype, Inc. analysis of (Maven) Central Repository component requests. 201320122011200920082007 2010 2B1B500M 4B 6B 8B 13B 17B 2014
  • 34. @joshcorman 34 Now that software is ASSEMBLED… Our shared value becomes our shared attack surface THINK LIKE AN ATTACKER
  • 35. @joshcorman One risky component, now affects thousands of victims ONE EASY TARGET 35 THINK LIKE AN ATTACKER
  • 36. @joshcorman Global Bank Software Provider Software Provider’s Customer State University Three-Letter Agency Large Financial Exchange Hundreds of Other Sites STRUTS
  • 37. @joshcorman w/many eyeballs, all bugs are??? Struts 2005 2006 2007 2008 2009 2010 2011 2012 2013 2014 10.0 9.0 8.0 7.0 6.0 5.0 4.0 3.0 2.0 1.0 CVE-2005-3745 CVE-2006-1546 CVE-2006-1547 CVE-2006-1548 CVE-2008-6504 CVE-2008-6505 CVE-2008-2025 CVE-2007-6726 CVE-2008-6682 CVE-2010-1870 CVE-2011-2087 CVE-2011-1772 CVE-2011-2088 CVE-2011-5057 CVE-2012-0392 CVE-2012-0391 CVE-2012-0393 CVE-2012-0394 CVE-2012-1006 CVE-2012-1007 CVE-2012-0838 CVE-2012-4386 CVE-2012-4387 CVE-2013-1966 CVE-2013-2115 CVE-2013-1965 CVE-2013-2134 CVE-2013-2135 CVE-2013-2248 CVE-2013-2251 CVE-2013-4316 CVE-2013-4310 CVE-2013-6348 CVE-2014-0094 CVSS Latent 7-11 yrs
  • 38. @joshcorman In 2013, 4,000 organizations downloaded a version of Bouncy Castle with a level 10 vulnerability 20,000 TIMES … Into XXX,XXX Applications… SEVEN YEARS after the vulnerability was fixed NATIONAL CYBER AWARENESS SYSTEM Original Notification Date: 03/30/2009 CVE-2007-6721 Bouncy Castle Java Cryptography API CVSS v2 Base Score: 10.0 HIGH Impact Subscore: 10.0 Exploitability Subscore: 10.0 BOUNCY CASTLE
  • 39. @joshcorman In December 2013, 6,916 DIFFERENT organizations downloaded a version of httpclient with broken ssl validation (cve-2012-5783) 66,824 TIMES … More than ONE YEAR AFTER THE ALERT NATIONAL CYBER AWARENESS SYSTEM Original Release Date: 11/04/2012 CVE-2012-5783 Apache Commons HttpClient 3.x CVSS v2 Base Score: 5.8 MEDIUM Impact Subscore: 4.9 Exploitability Subscore: 8.6 HTTPCLIENT 3.X
  • 40. @joshcorman 40 Current approaches AREN’T WORKING TAKE COSTS OUT OF YOUR SUPPLY CHAIN Component Selection DEVELOPMENT BUILD AND DEPLOY PRODUCTION COMPONENT SELECTION 228K Unique components downloaded per company ! 75% Lack meaningful controls over components in apps ! X Average number of suppliers per company ! 48 Different versions of the same component downloaded !
  • 41. @joshcorman 41 5/8/2015 X Axis: Time (Days) following initial HeartBleed disclosure and patch availability Y Axis: Number of products included in the vendor vulnerability disclosure Z Axis (circle size): Exposure as measured by the CVE CVSS score COMMERCIAL RESPONSES TO OPENSSL
  • 45. @joshcorman H.R. 5793 “Cyber Supply Chain Management and Transparency Act of 2014”  Elegant Procurement Trio 1) Ingredients:  Anything sold to $PROCURING_ENTITY must provide a Bill of Materials of 3rd Party and Open Source Components (along with their Versions) 2) Hygiene & Avoidable Risk:  …and cannot use known vulnerable components for which a less vulnerable component is available (without a written and compelling justification accepted by $PROCURING_ENTITY) 3) Remediation:  …and must be patchable/updateable – as new vulnerabilities will inevitably be revealed
  • 46. @joshcorman In 2013, 4,000 organizations downloaded a version of Bouncy Castle with a level 10 vulnerability 20,000 TIMES … Into XXX,XXX Applications… SEVEN YEARS after the vulnerability was fixed NATIONAL CYBER AWARENESS SYSTEM Original Notification Date: 03/30/2009 CVE-2007-6721 Bouncy Castle Java Cryptography API CVSS v2 Base Score: 10.0 HIGH Impact Subscore: 10.0 Exploitability Subscore: 10.0 PROCUREMENT TRIO + BOUNCY CASTLE
  • 51. @joshcorman Current approaches AREN’T WORKING Component Selection DEVELOPMENT BUILD AND DEPLOY PRODUCTION COMPONENT SELECTION 75% Lack meaningful controls over components in apps 27 Different versions of the same component downloaded 95% Inefficient sourcing: Components are not downloaded to caching repositories 63% Don’t track components used in production 24 Critical or severe vulnerabilities per app 4 Avg of strong copyleft licensed components per app
  • 52. @joshcorman Component Selection DEVELOPMENT BUILD AND DEPLOY PRODUCTION COMPONENT SELECTION PUBLIC REPOSITORIES NEXUS LIFECYCLE PRECIOUSLY IDENTIFY COMPONENTS & RISKS REMEDIATE EARLY IN DEVEOPMENT AUTOMATE POLICY ACROSS THE SDLC MANAGE RISK WITH CONSOLIDATED DASHBOARD CONTINUOUSLY MONITOR APPS FOR NEW RISKS
  • 53. @joshcorman Full day of videos Assessments Available http://www.sonatype.org/nexus/
  • 54. @joshcorman Conclusions / Apply!  Idea: A full embrace of Deming is a SW Supply Chain:  Fewer/Better Suppliers  Highest Quality Supply  Traceability/Visibility throughout Manufacturing / Prom & Agile Recall  Benefits: Such rigor enables:  Even FASTER: Fewer instances of Unplanned/Unscheduled Work  More EFFICIENT: Faster MTTD/MTTR  Better QUALITY/RISK: Avoid elective/avoidable complexity/risk  Urgency: It’s OpenSeason on OpenSource  And our dependence on connected tech is increasingly a public safety issue  Coming Actions: Known Vulnerabilities” Convergence  Lawmakers, Insurers, Lawyers, etc. are converging
  • 55. @joshcorman Continuous Acceleration: Why Continuous Everything Needs A Supply Chain Approach Josh Corman @joshcorman

Editor's Notes

  • #6: Incentives Incentivize – Any strategy that requires human nature to change is likely to fail The Eternal Essence of SW Developers is to be “On Time. On Budget. With Acceptable Quality/Risk” Which translates into Go Faster,. Be more Efficient. Manage Quality.” In that order… IMG SRC = https://www.flickr.com/photos/opensourceway/4862920379/in/photolist-8pHJNP-9YLxpV-bZwfxo-4cv2XJ-6u2Sii-6u2Sbv-6u2RPV-7TCwgh-7DhXvU-8bpC9J-f119g-6V7UHx-63Bo2R-bwS9ux-7svgys-755bHf-9YLxvr-4R4GZV-dhtwk7-6V69PL-8nuXRE-c8Hc9m-9RTeA4-5HhfEX-8Vnaei-aFf72q-pgL6BQ-6n9a5w-6n98H1-6n99vN-6n4YQe-751hbP-4PLgno-M3uTP-9YPru5-BAPs6-8JMvEe-6t2Jfa-k9ZQVz-eF7qWf-6VbWPN-4UKjC3-7z4qGQ-jAC6Ap-9YLuSK-9YLuLD-9YLwYr-5zUdBo-64ooGC-9YLvPx
  • #7: Gene and I realized back in 2011 that DevOps was a game changer and that Security as we knew it was not going to survive. My Rugged Software Manifesto and movement and our shored beliefs of culture and incentives compelled us to marry the tribes for mutual benefit.
  • #9: An in 2015 We now Merge with the broader DevOps leadership community… with a full day 700 person Rugged DevOps workshop… at this year’s RSAC Gene is realizing the mad chemistry we’ve done… Jez is asking what the heck am I getting myself into ;)
  • #12: http://www.caida.org/research/security/code-red/coderedv2_analysis.xml#animations
  • #14: NIST’s NVD (National Vulnerability Database_ http://web.nvd.nist.gov/view/vuln/search-results?query=OpenSSL&search_type=all&cves=on  SEIMENS was affected by 4 OpenSSL flaws beyond HeartBleed. One from 2010 http://www.scmagazine.com/siemens-industrial-products-impacted-by-four-openssl-vulnerabilities/article/361997/ “Several Siemens products used for process and network control and monitoring in critical infrastructure sectors are affected by four vulnerabilities in the company's OpenSSL cryptographic software library. The vulnerabilities – CVE-2014-0224, CVE-2014-0198, CVE-2010-5298, and CVE-2014-3470 – can be exploited remotely, and fairly easily, to hijack a session as part of a man-in-the-middle attack or to crash the web server of the product, according to a Thursday ICS-CERT post. Siemens has already issued updates for APE versions prior to version 2.0.2 and WinCC OA (PVSS), but has only issued temporary mitigations for CP1543-1, ROX 1, ROX 2, and S7-1500. The products are typically used in the chemical, critical manufacturing, energy, food and agriculture, and water and wastewater systems sectors, according to the post.”
  • #18: www.ruggedsoftware.org https://www.ruggedsoftware.org/documents/
  • #19: www.ruggedsoftware.org https://www.ruggedsoftware.org/documents/ “I recognize that my code will be attacked by talented and persistent adversaries who threaten our physical, economic, and national security“
  • #22: [ picture of messy data center ] Ten minutes into Bill’s first day on the job, he has to deal with a payroll run failure. Tomorrow is payday, and finance just found out that while all the salaried employees are going to get paid, none of the hourly factory employees will. All their records from the factory timekeeping systems were zeroed out. Was it a SAN failure? A database failure? An application failure? Interface failure? Cabling error?
  • #24: Deming has sage advice for us… but he has more than that… Deming may be the key to changing our fate… …more on this later… See also Josh’s RSA Europe Keynote Video: Survival Isn’t Mandatory: Challenges and Opportunities of DevOps http://youtu.be/m4Y_K7MXQxQ
  • #25: Incentives Incentivize – Any strategy that requires human nature to change is likely to fail The Eternal Essence of SW Developers is to be “On Time. On Budget. With Acceptable Quality/Risk” Which translates into Go Faster,. Be more Efficient. Manage Quality.” In that order… IMG SRC = https://www.flickr.com/photos/opensourceway/4862920379/in/photolist-8pHJNP-9YLxpV-bZwfxo-4cv2XJ-6u2Sii-6u2Sbv-6u2RPV-7TCwgh-7DhXvU-8bpC9J-f119g-6V7UHx-63Bo2R-bwS9ux-7svgys-755bHf-9YLxvr-4R4GZV-dhtwk7-6V69PL-8nuXRE-c8Hc9m-9RTeA4-5HhfEX-8Vnaei-aFf72q-pgL6BQ-6n9a5w-6n98H1-6n99vN-6n4YQe-751hbP-4PLgno-M3uTP-9YPru5-BAPs6-8JMvEe-6t2Jfa-k9ZQVz-eF7qWf-6VbWPN-4UKjC3-7z4qGQ-jAC6Ap-9YLuSK-9YLuLD-9YLwYr-5zUdBo-64ooGC-9YLvPx
  • #26: Waterfall -> Agile -> DevOps -> SW Supply Chains Creative Commons https://www.flickr.com/photos/edwarddalmulder/16007135379
  • #27: Waterfall -> Agile -> DevOps -> SW Supply Chains Bring up Agile Manifesto – why it got Adoption/Motivational Aligment… Rugged Manifesto IMG SRC = https://www.flickr.com/photos/spam/3793946621/in/photolist-6MfY9M-pibhYF-4pewTp-5r6nyV-9dQpr8-4KHaSk-7GpW1s-aghWN5-qKUeyx-3paWa5-pTBrTu-oWLEkK-fBgcPD-dTGid3-d9Wqz3-cX8kCE-8djLzu-aghWX1-gG5tkQ-oES1PD-67gTBy-ccZ3iL-dDSEQW-qqZViu-DWdGA-6ZR48F-dtySAq-uxgZq-GGsSn-aghWK1-8VBRBX-yNrLX-7PQWEZ-7HC962-7xbdLo-aPMVLp-8s5w6E-aghWM9-agfcea-8bB8gn-dTGhjY-dnp9es-qth42k-5sXSCT-mDbZND-4MAAEZ-fKh9sA-pww9X8-8Qsyys-9MpqGa Creative Commons
  • #29: Waterfall -> Agile -> DevOps -> SW Supply Chains IMG SRC = https://www.flickr.com/photos/psd/8634021085/in/photolist-c3BfF9-9M9wdC-e9XBEv-nfWJyu-nP7Kpu-nQSeD8-nRai9p-nSWNhM-nStWnY-nA8njq-nSjUtV-i8j8nr-9bfKQs-9bfKod-9bfJVJ-9bcAi4-9bfJ39-rc2ry5-bByrik-cnMSNq-i8jk14-nebFtv-nebFb6-nvFrhD-dMajYn-d7gLpU-nvpMUQ-pjoDDE-d7gCq9-dXCzrc-dXKmus-dXDDfp-dXDD4D-dXKjLN-dXKngf-dXDCKz-dXDDVP-dXKm33-dXDBBX-dXDDsP-dXKiis-dXKmZq-dXDCcD-dXDBXV-dXDFfT-dXKi3L-dhg27j-nyiAKG-pSip9A-dkdPkb Creative Commons
  • #31: Waterfall -> Agile -> DevOps -> SW Supply Chains Creative Commons https://www.flickr.com/photos/fordapa/3886403372
  • #33: Comparing Toyota and General Motors JOSH: Bring up: Healthcare.gov 81 versions of Spring vs 1 15% Innovation lift at Insurer MTTD 6 minutes versus 6 weeks
  • #34: In fact open source usage is exploding based on the number of downloads from the (Maven) Central Repository. Looking at these numbers it is easy to understand why only 10% of a typical application is source code. As the stewards of the Central repository, we have the unique insight into both the phenomenal growth – as well as the related risk. ……. Way back in the dark ages of 2001, our founder named Jason van Zyl, who was very, very frustrated about how inefficient the leveraging of open source was in that time, created this thing called Maven. And Maven, I’m sure most of you know, but Maven is basically a recipe container and dependency resolver and it allowed for very efficient use of open source binaries. When he created Maven, he said he decided that it would be really convenient if Maven could just look to a default place. And so as an afterthought he created and became caretakers of the Maven Central. And it gives us an incredible amount of visibility into how the ecosystem works. We can see who is contributing what innovations, who is consuming what components, what trends there are in open source usage. We’ve seen is just an explosion of module software development. Last year we serviced 13 billion open source component requests. And as big as that number sounds, it’s understated because 25% of the requests came from cash and proxies like Nexus.
  • #35: From an attacker eye view… it used to require finding a flaw in Bank XYZ and then exploiting that bankand only than bank… but now….
  • #36: …if an attacker finds a flaw in Struts… it can attack EVERY bank who uses it – which is most of them. Same reason Heartblled was so far reaching… shared depenedance == shared risk/attack surface POINT: INCREASE in attacker interest/value – aka Blood is in the water…
  • #37: Before the highly publicized OpenSSL Heartbleed Last summer/fall… a worst case CVSS 10 flaw in the hugely popular Apache Struts Project was used to compromise most of the banks and other serious targets above. This bug had been there for YEARS unnoticed. Many had to be told by the FBI that they were compromised This triggered the FS-ISAC to issue guidance on 3rd Party and OpenSource Supply Chain risk… out of necessity The 3 letter agency SHOCKED me… but alas is true The green is a Chinese attack tool out almost immediately after the CVE was announced.
  • #38: I looked deeper into the Apache Struts Project. A pattern I’ve recognized is that there is more vulnerability/attacker interest in the most depended upon OpenSource Projects. Struts is one of the most depended upon – especially so in the Financial Services industries… As previously stated, one of the CVSS lvl 10 (of 10) struts vulnerabilities wreaked havoc on POINT: There are more vulnerabilities – and more serious ones…. in the recent year to two. I may ask this gets dynamically autogenerated per-project by my teams. NOTE: Many of these flaws were dormant a VERY long time – despite the “many eyeballs” false belief. NOTE: I personally think this more speaks to attacker/aversary interest.
  • #39: Here are just a few examples so you can see that this risk is real… Bouncy Castle is a popular open source component… and even after critical security alerts were issued in 2009 (CVE issued earlier in 2007), 4000 companies still downloaded it 20,000 times. And that was seven years after a better, safer replacement was issued. This is a level 10 critical security risk. Imagine the exposed applications out there… maybe some of them store your personal credit card data or other personal information.
  • #40: This example is even worse… a version of httpclient with a broken SSL validation downloaded by 6,916 organizations 66,824 times more than a year after the alert. It wasn’t hard for us to find these examples… this just skims the surface. Some of you may have heard about the FBI Warning last year about Struts… a vulnerable – and old – version of this framework was used to hack into a handful of large organizations.It mde a lot of news. But people are still using it today.
  • #41: Bouncy Castle – CVSS 10 – 2009 -- Since then 11,236 organizations downloaded it 214,484 times httpClient Since then 29,468 organizations downloaded it 3,749,193 times
  • #42: Qualitative takeaways:   Virtually all major (and not so major) software vendors are building on a stack of open source (including security vendors). The breadth of use across some vendors, IBM most notably is remarkably high (open source is not just in a few rogue products). New discoveries are getting more serious over time. New discoveries are getting less vendor attention (fewer vendor disclosures) despite their being more serious. Vendors are responding to new discoveries at a somewhat slower pace. The significant increase in product disclosures after the later OpenSSL disclosures, which affect all versions of OpenSSL not just versions 1.0.1 or later, implies that many vendors and products were using old libraries (version 0.9.8 was first released in July, 2005).   Total disclosures: 227   Total product instances affected by disclosures: 2,513   Mean time to repair: 35.8   Median time to repair: 22.0  
  • #47: Here are just a few examples so you can see that this risk is real… Bouncy Castle is a popular open source component… and even after critical security alerts were issued in 2009, 4000 companies still downloaded it 20,000 times. And that was five years after a better, safer replacement was issued. This is a level 10 critical security risk. Imagine the exposed applications out there… maybe some of them store your personal credit card data or other personal information.
  • #52: Bouncy Castle – CVSS 10 – 2009 -- Since then 11,236 organizations downloaded it 214,484 times httpClient Since then 29,468 organizations downloaded it 3,749,193 times
  • #53: Early and Ongoing Vulnerability Identification Provide tools throughout the development lifecycle to identify potential issues as early as possible to build a secure software supply pipeline Understand and Remediate Monitor high risk franchise applications to determine vulnerabilities included in application components Implement an *Application VTM* type process to look at internally consumed products like we do in the VTM cycle