@joshcorman
Continuous Acceleration: Why Continuous Everything Needs A Supply Chain Approach
Josh Corman (@joshcorman)
Conclusions / Apply!
Idea: A full embrace of Deming is a SW Supply Chain: Fewer/Better Suppliers; Highest Quality Supply; Traceability/Visibility throughout Manufacturing; Prompt & Agile Recall
Benefits: Such rigor enables: Even FASTER: Fewer instances of Unplanned/Unscheduled Work; More EFFICIENT: Faster MTTD/MTTR; Better QUALITY/RISK: Avoid elective/avoidable complexity/risk
Urgency: It’s Open Season on Open Source, and our dependence on connected tech is increasingly a public safety issue
Coming Actions: “Known Vulnerabilities” Convergence: Lawmakers, Insurers, Lawyers, etc. are converging
YOU CAN HAVE TOO MUCH OF A GOOD THING…
Who am I? Joshua Corman
CTO, Sonatype
#RSAC
Rugged DevOps: Going Even Faster With Software Supply Chains
Joshua Corman, CTO, Sonatype (@joshcorman)
Gene Kim, Researcher and Author, IT Revolution Press (@RealGeneKim)
~ Marc Andreessen, 2011
Trade Offs: Costs & Benefits
Beyond Heartbleed: OpenSSL in 2014 (31 in NIST’s NVD thru December)
CVE-2014-3470 6/5/2014 CVSS Severity: 4.3 MEDIUM SIEMENS *
CVE-2014-0224 6/5/2014 CVSS Severity: 6.8 MEDIUM SIEMENS *
CVE-2014-0221 6/5/2014 CVSS Severity: 4.3 MEDIUM
CVE-2014-0195 6/5/2014 CVSS Severity: 6.8 MEDIUM
CVE-2014-0198 5/6/2014 CVSS Severity: 4.3 MEDIUM SIEMENS *
CVE-2013-7373 4/29/2014 CVSS Severity: 7.5 HIGH
CVE-2014-2734 4/24/2014 CVSS Severity: 5.8 MEDIUM ** DISPUTED **
CVE-2014-0139 4/15/2014 CVSS Severity: 5.8 MEDIUM
CVE-2010-5298 4/14/2014 CVSS Severity: 4.0 MEDIUM
CVE-2014-0160 4/7/2014 CVSS Severity: 5.0 MEDIUM HeartBleed
CVE-2014-0076 3/25/2014 CVSS Severity: 4.3 MEDIUM
CVE-2014-0016 3/24/2014 CVSS Severity: 4.3 MEDIUM
CVE-2014-0017 3/14/2014 CVSS Severity: 1.9 LOW
CVE-2014-2234 3/5/2014 CVSS Severity: 6.4 MEDIUM
CVE-2013-7295 1/17/2014 CVSS Severity: 4.0 MEDIUM
CVE-2013-4353 1/8/2014 CVSS Severity: 4.3 MEDIUM
CVE-2013-6450 1/1/2014 CVSS Severity: 5.8 MEDIUM
…
As of today, internet scans by MassScan reveal 300,000
of original 600,000 remain unpatched or unpatchable
Heartbleed + (UnPatchable) Internet of Things == ___ ?
In Our Bodies. In Our Homes. In Our Infrastructure. In Our Cars.
Sarcasm: I’m shocked!
The Cavalry isn’t coming… It falls to us
Problem Statement: Our society is adopting connected technology faster than we are able to secure it.
Mission Statement: To ensure connected technologies with the potential to impact public safety and human life are worthy of our trust.
Collecting existing research, researchers, and resources
Connecting researchers with each other, industry, media, policy, and legal
Collaborating across a broad range of backgrounds, interests, and skillsets
Catalyzing positive action sooner than it would have happened on its own
Why: Trust, public safety, human life
How: Education, outreach, research
Who: Infosec research community; a global, grass roots initiative
What: Long-term vision for cyber safety
Focus areas: Medical, Automotive, Connected Home, Public Infrastructure
I Am The Cavalry
[Chart: PRODUCTIVITY over TIME, labelled “Innovate!”]
ON TIME ON BUDGET ACCEPTABLE QUALITY/RISK
Agile goats; not goat rodeo. “We need to be agile, but not fragile.” @RuggedSoftware @joshcorman @mortman #RSAC #DevOps
ON TIME. Faster builds. Fewer interruptions. More innovation.
ON BUDGET. More efficient. More profitable. More competitive.
ACCEPTABLE QUALITY/RISK. Easier compliance. Higher quality. Built-in audit protection.
Agile / CI
DevOps
It may feel like DevOps is Pandora’s Box, but it’s open… and hope remains. ;) @joshcorman @mortman #RSAC #DevOps
DevOps / CD
Agile / CI
SW Supply Chains
SW Supply Chain
DevOps / CD
Agile / CI
Toyota Advantage: Comparing the Prius and the Volt
                      Toyota Prius   Chevy Volt   Prius vs. Volt
Unit Cost             $24,200        $39,900      61%
Units Sold            23,294         1,788        13x
In-House Production   27%            54%          50%
Plant Suppliers       125            800          16% (10x per)
Firm-Wide Suppliers   224            5,500        4%
Open source usage is EXPLODING: yesterday’s source code is now replaced with OPEN SOURCE components.
Source: Sonatype, Inc. analysis of (Maven) Central Repository component requests.
[Chart: Central Repository component requests per year: 2007 500M, 2008 1B, 2009 2B, 2010 4B, 2011 6B, 2012 8B, 2013 13B, 2014 17B]
Now that software is ASSEMBLED… our shared value becomes our shared attack surface.
THINK LIKE AN ATTACKER
One risky component now affects thousands of victims: ONE EASY TARGET.
THINK LIKE AN ATTACKER
[Diagram: STRUTS at the center, linked to Global Bank, Software Provider, Software Provider’s Customer, State University, Three-Letter Agency, Large Financial Exchange, and Hundreds of Other Sites]
w/many eyeballs, all bugs are??? Struts
[Chart: Struts CVEs by year (2005 to 2014) plotted against CVSS score (0 to 10): CVE-2005-3745, CVE-2006-1546, CVE-2006-1547, CVE-2006-1548, CVE-2008-6504, CVE-2008-6505, CVE-2008-2025, CVE-2007-6726, CVE-2008-6682, CVE-2010-1870, CVE-2011-2087, CVE-2011-1772, CVE-2011-2088, CVE-2011-5057, CVE-2012-0392, CVE-2012-0391, CVE-2012-0393, CVE-2012-0394, CVE-2012-1006, CVE-2012-1007, CVE-2012-0838, CVE-2012-4386, CVE-2012-4387, CVE-2013-1966, CVE-2013-2115, CVE-2013-1965, CVE-2013-2134, CVE-2013-2135, CVE-2013-2248, CVE-2013-2251, CVE-2013-4316, CVE-2013-4310, CVE-2013-6348, CVE-2014-0094]
CVSS Latent 7-11 yrs
In 2013, 4,000 organizations downloaded a version of Bouncy Castle with a level 10 vulnerability 20,000 TIMES … into XXX,XXX applications … SEVEN YEARS after the vulnerability was fixed.
NATIONAL CYBER AWARENESS SYSTEM, Original Notification Date: 03/30/2009
CVE-2007-6721, Bouncy Castle Java Cryptography API, CVSS v2 Base Score: 10.0 HIGH, Impact Subscore: 10.0, Exploitability Subscore: 10.0
BOUNCY CASTLE
In December 2013, 6,916 DIFFERENT organizations downloaded a version of httpclient with broken SSL validation (CVE-2012-5783) 66,824 TIMES … more than ONE YEAR AFTER THE ALERT.
NATIONAL CYBER AWARENESS SYSTEM, Original Release Date: 11/04/2012
CVE-2012-5783, Apache Commons HttpClient 3.x, CVSS v2 Base Score: 5.8 MEDIUM, Impact Subscore: 4.9, Exploitability Subscore: 8.6
HTTPCLIENT 3.X
Current approaches AREN’T WORKING: TAKE COSTS OUT OF YOUR SUPPLY CHAIN
Component Selection: DEVELOPMENT, BUILD AND DEPLOY, PRODUCTION
228K: Unique components downloaded per company
75%: Lack meaningful controls over components in apps
X: Average number of suppliers per company
48: Different versions of the same component downloaded
COMMERCIAL RESPONSES TO OPENSSL
[Chart: X axis: Time (days) following initial Heartbleed disclosure and patch availability; Y axis: Number of products included in the vendor vulnerability disclosure; Z axis (circle size): Exposure as measured by the CVE CVSS score]
https://www.usenix.org/system/files/login/articles/15_geer_0.pdf
For the 41%: 390 days. CVSS 10s: 224 days.
[Chart: a supplier labelled ACME against Enterprise, Bank, Retail, Manufacturing, BioPharma, Education and High Tech customers, repeated in three tiers, with $ marks showing where the cost lands]
TRUE COSTS (& LEAST COST AVOIDERS)
H.R. 5793 “Cyber Supply Chain Management and Transparency Act of 2014”
Elegant Procurement Trio
1) Ingredients:
Anything sold to $PROCURING_ENTITY must provide a Bill of Materials of 3rd Party and Open Source Components (along with their Versions)
2) Hygiene & Avoidable Risk:
…and cannot use known vulnerable components for which a less vulnerable component is available (without a written and compelling justification accepted by $PROCURING_ENTITY)
3) Remediation:
…and must be patchable/updateable – as new vulnerabilities will inevitably be revealed
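As an added illustration (not code from the talk or from H.R. 5793), a minimal policy gate that applies rules 1 and 2 of the trio to a bill of materials: every component must carry a version, and no component may sit on a known vulnerable version when a less vulnerable one exists unless a written justification is on file. The component names, versions, CVE ids and scores are constructed sample data; rule 3 (patchability) is a process property and is not modelled here.

```python
# Added example (not from the talk): a minimal gate for rules 1 and 2 of the
# procurement trio. All names, versions, CVE ids and scores are constructed.

def parse_version(v):
    """'3.1' -> (3, 1, 0). Non-numeric fragments count as 0 (simplifying assumption)."""
    nums = []
    for part in v.split("."):
        digits = "".join(ch for ch in part if ch.isdigit())
        nums.append(int(digits) if digits else 0)
    while len(nums) < 3:          # pad so '3.1' and '3.1.0' compare equal
        nums.append(0)
    return tuple(nums)

# Constructed advisory feed: versions below fixed_in are known vulnerable and a
# less vulnerable version exists, which is exactly the case rule 2 forbids.
ADVISORIES = [
    {"component": "example-httpclient", "cve": "CVE-0000-0001", "cvss": 5.8, "fixed_in": "4.0.0"},
    {"component": "example-crypto", "cve": "CVE-0000-0002", "cvss": 10.0, "fixed_in": "1.40"},
]

def check_bom(bom, justifications=frozenset()):
    """bom: list of {"component", "version"} dicts, i.e. the rule-1 bill of materials.
    justifications: components whose vulnerable use was accepted in writing.
    Returns a sorted list of (component, rule, detail); an empty list means pass."""
    findings = []
    for entry in bom:
        name = entry.get("component", "?")
        version = entry.get("version")
        if not version:                              # rule 1: ingredients must be listed
            findings.append((name, "ingredients", "no version declared"))
            continue
        for adv in ADVISORIES:
            if adv["component"] != name:
                continue
            if parse_version(version) < parse_version(adv["fixed_in"]):   # rule 2: hygiene
                if name in justifications:
                    findings.append((name, "hygiene-justified", adv["cve"]))
                else:
                    findings.append((name, "hygiene",
                        f'{adv["cve"]} CVSS {adv["cvss"]}: upgrade to {adv["fixed_in"]}'))
    return sorted(findings)

# Constructed BOM for a hypothetical application: one vulnerable component,
# one already on a fixed version, one with no version declared.
SAMPLE_BOM = [
    {"component": "example-httpclient", "version": "3.1"},
    {"component": "example-crypto", "version": "1.45"},
    {"component": "example-json", "version": ""},
]
```

Running check_bom(SAMPLE_BOM) flags the httpclient entry under rule 2 and the versionless entry under rule 1, while the crypto library on a fixed version passes.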
PROCUREMENT TRIO + BOUNCY CASTLE
SW Supply Chain Intelligence Goes Here
ACCORDING TO ADOBE
ACCORDING TO IBM
ACCORDING TO DOCKER
Current approaches AREN’T WORKING
Component Selection: DEVELOPMENT, BUILD AND DEPLOY, PRODUCTION
75%: Lack meaningful controls over components in apps
27: Different versions of the same component downloaded
95%: Inefficient sourcing: components are not downloaded to caching repositories
63%: Don’t track components used in production
24: Critical or severe vulnerabilities per app
4: Avg of strong copyleft licensed components per app
Component Selection: DEVELOPMENT, BUILD AND DEPLOY, PRODUCTION
PUBLIC REPOSITORIES
NEXUS LIFECYCLE
PRECISELY IDENTIFY COMPONENTS & RISKS
REMEDIATE EARLY IN DEVELOPMENT
AUTOMATE POLICY ACROSS THE SDLC
MANAGE RISK WITH CONSOLIDATED DASHBOARD
CONTINUOUSLY MONITOR APPS FOR NEW RISKS
Full day of videos
Assessments Available
http://www.sonatype.org/nexus/