Software rotting - 28 Apr - DeveloperWeek Europe 2022
Download as PPTX, PDF0 likes106 views
The document discusses the concept of 'software rotting' and the need for a shift in security approaches due to increasing vulnerabilities and technical inflation, which causes software value to decline over time. It highlights the importance of automating security measures and patch management within software development pipelines, especially in environments with numerous repositories and dependencies. Additionally, the document emphasizes the growing risks of zero-day exploits and the need for prioritizing timely security updates to maintain software integrity.
![Dependencies
An average .NET project has 11 direct, and 76
indirect dependencies [Source: Snyk]
Project == nuget.org package
The average application contains 118 open-
source libraries [Source: Contrast Security]
Application: Java/.NET/NodeJS](https://image.slidesharecdn.com/softwarerotting-27apr-developerweekeurope2022-220430095448/85/Software-rotting-28-Apr-DeveloperWeek-Europe-2022-20-320.jpg)
Software rotting - 28 Apr - DeveloperWeek Europe 2022
- 1. Software rotting or why you need to change your approach to security Giulio Vian 27 April 2022 @giulio_vian https://www.getlatestversion.eu http://blog.casavian.eu https://www.slideshare.net/giuliov https://github.com/giuliov
- 2. What it’s all about The environmental pressure on software has dramatically changed in few years. In quality and quantity. Mainly security concerns.
- 3. Pressure impact How we automate. How we plan, budget I suggest to introduce a new term: Technical Inflation. Inflation differs from Technical Debt. Software value decrease (even drops) over time without intervention.
- 4. Hardware spec: 1 KB RAM 4 KB ROM First computer Past employers Communities Giulio Vian Principal DevOps Engineer @giulio_vian giuliovdev@hotmail.com
- 7. Achievement unlocked! Zero-bugs! No known security issues in code! No known security issues in infrastructure!
- 8. …except…
- 9. Fix it! Now! CVE triggers Security instructs Developer Teams fix code Release Management deploy
- 10. What is affected? Application stack Container images Virtual Machine images Application itself Application code Libraries Internal 3rd party Self-contained run-time Application Run-time OS libraries Docker base image Self- contained
- 11. Tools to Identify Vulnerabilities Static Application Security Testing (SAST) Software Composition Analysis (SCA) Commercial Synopsys Black Duck, Snyk, WhiteSource Bolt, Sonatype Nexus Platform, JFrog Xray OSS npm audit, OWASP Dependency Check, GitHub dependabot, Trivy Application Run-time OS libraries v
- 12. What must be fixed? Which code matches production? master main release/* v* tags Multiple production branches release/* and hotfix/* Untagged releases SCA tools pipeline-bound Rarely built code Pipeline does not work anymore
- 13. How broadly? Many teams Many repos My company has 3,000 repos across 100 teams, storing over 13 million lines of code, and using 2,800 pipelines A single vulnerability may affect 10s teams and 100s of repos Image: The Crowd For DMB 1 by Moses
- 14. How do you fix it? Scan multiple repositories Patch code Regression test Can be automated?
- 15. Can you expedite? Separation of Duties Regulation / audit requirement Slows 0-day patching Tightly controlled usage Automated checks Single commit with limited churn Additional approvers for quick turnaround Image courtesy of SpaceX
- 16. Redeploy. Every. Day. Simplest pattern Once automated patching is in place Zero-downtime deploy in place Consider pipeline resources Image: the gerbil wheel pose by dbgg1979
- 17. A real problem Image © Mediaset
- 18. Zero-days exploits are increasing Source: Google
- 19. Open source dependency & vulnerability Source: Sonatype
- 20. Dependencies An average .NET project has 11 direct, and 76 indirect dependencies [Source: Snyk] Project == nuget.org package The average application contains 118 open- source libraries [Source: Contrast Security] Application: Java/.NET/NodeJS
- 21. App Platform shift Chrome 1 month patched after 14 days Node.JS 30 months (LTS) patched every 25 days 6 months Go 6 months patched every 26 days Two major releases supported. MongoDB 30 months patched every 5 weeks .NET 3 years (LTS) patched every 6 weeks 18 months Java 3 years (LTS) patched every 6 months 12 weeks
- 22. Consequences
- 23. Technical Debt «describes the consequences of software development actions that intentionally or unintentionally prioritize client value and/or project constraints such as delivery deadlines, over more technical implementation and design considerations.» Holvitie J., Licorish S.A., et al. - Technical debt and agile software development practices and processes – Information and Software Technology, iss. 96 (2018) p.142 Image by ThoBel-0043
- 24. Technical Inflation Unintended reduction in value of a software product over time, independent of source code changes. Depreciation does not capture two elements: Unintentionality Value can be restored Image source: Max Pixel
- 25. Restoring Value At most two platform versions Zero-(security-)issues policy Expedite pipelines Image by Marek Ślusarczyk
- 26. Never forget about consequences Image by Lionel Allorge
- 27. Thank you! @giulio_vian giuliovdev@hotmail.com Slides that follow list bibliographic references
- 29. References (2/4) https://heartbleed.com/ Why Every Business Is a Software Business — Watts S. Humphrey Informit, Feb 22, 2002 http://www.informit.com/articles/article.aspx?p=25491 https://en.wikipedia.org/wiki/Watts_Humphrey https://www.sonatype.com/resources/state-of-the-software-supply-chain-2021 https://www.shopify.com/enterprise/global-ecommerce-statistics https://blog.cloudflare.com/popular-domains-year-in-review-2021/ https://radar.cloudflare.com/year-in-review-2021 https://snyk.io/blog/net-open-source-security-insights/ https://www.contrastsecurity.com/the-state-of-the-oss-report-2021 https://octoverse.github.com/static/github-octoverse-2020-security-report.pdf
Editor's Notes
- #22: .NET Core 3.1 3.1.0 December 3, 2019 3.1.22 December 14, 2021 got 22 patch releases in 3 years i.e. every 45 days/6 weeks Node v14 (Fermium) Active LTS start 2020-10-27 v14.15.0 2022-02-01, Version 14.19.0 total 19 releases in 463 days or 66 weeks i.e. every 24.4 days JDK 11 Java SE 11 (LTS)September 25, 2018 11.0.13+8 (GA), October 19th 2021 total 13 releases(updates) in 1121 days i.e. every 12.3 weeks or 86.2 days Go 1.16 released 2021-02-16 go1.16.14 (released 2022-02-10) total 14 updates in 360 days i.e. 26 days go1 (released 2012-03-28) -> go1.17 (released 2021-08-16) 17 major releases in 3429 days or 490 weeks MongoDB 5.0 5.0.0 - Jul 13, 2021 5.0.6 - January 31, 2022 total 6 releases in 203 days or 29 weeks i.e. every 4.8 weeks