Continuous Acceleration with a Software Supply Chain Approach

Gene Kim & Josh Corman

Ask questions on Twitter during the webinar using #sonatype


Josh Corman, Sonatype (@joshcorman): Sonatype CTO and co-founder of Rugged Software and I Am The Cavalry

Gene Kim, IT Revolution Press (@RealGeneKim): CTO, researcher and author of ‘The Phoenix Project’ and ‘Visible Ops’

Source: 2014 Sonatype Open Source and Application Security Survey

Security is Dead. Long Live Rugged DevOps: IT at Ludicrous Speed…

Josh Corman, Gene Kim (very rough 1st draft)

Session ID: CLD-106. Session Classification: Intermediate


#RSAC

Rugged DevOps: Going Even Faster With Software Supply Chains

Joshua Corman, CTO, Sonatype (@joshcorman)

Gene Kim, Researcher and Author, IT Revolution Press (@RealGeneKim)

~ Marc Andreessen, 2011

Trade Offs: Costs & Benefits

Beyond Heartbleed: OpenSSL in 2014 (31 in NIST’s NVD through December)

CVE             Published    CVSS Severity   Note
CVE-2014-3470   6/5/2014     4.3 MEDIUM      SIEMENS *
CVE-2014-0224   6/5/2014     6.8 MEDIUM      SIEMENS *
CVE-2014-0221   6/5/2014     4.3 MEDIUM
CVE-2014-0195   6/5/2014     6.8 MEDIUM
CVE-2014-0198   5/6/2014     4.3 MEDIUM      SIEMENS *
CVE-2013-7373   4/29/2014    7.5 HIGH
CVE-2014-2734   4/24/2014    5.8 MEDIUM      ** DISPUTED **
CVE-2014-0139   4/15/2014    5.8 MEDIUM
CVE-2010-5298   4/14/2014    4.0 MEDIUM
CVE-2014-0160   4/7/2014     5.0 MEDIUM      Heartbleed
CVE-2014-0076   3/25/2014    4.3 MEDIUM
CVE-2014-0016   3/24/2014    4.3 MEDIUM
CVE-2014-0017   3/14/2014    1.9 LOW
CVE-2014-2234   3/5/2014     6.4 MEDIUM
CVE-2013-7295   1/17/2014    4.0 MEDIUM
CVE-2013-4353   1/8/2014     4.3 MEDIUM
CVE-2013-6450   1/1/2014     5.8 MEDIUM

As of today, internet scans by MassScan reveal 300,000 of the original 600,000 remain unpatched or unpatchable

Heartbleed + (Unpatchable) Internet of Things == ___ ?

In Our Bodies. In Our Homes. In Our Infrastructure. In Our Cars.

Sarcasm: I’m shocked!

The Cavalry isn’t coming… It falls to us

Problem Statement: Our society is adopting connected technology faster than we are able to secure it.

Mission Statement: To ensure connected technologies with the potential to impact public safety and human life are worthy of our trust.

Collecting existing research, researchers, and resources
Connecting researchers with each other, industry, media, policy, and legal
Collaborating across a broad range of backgrounds, interests, and skillsets
Catalyzing positive action sooner than it would have happened on its own

Why: Trust, public safety, human life
How: Education, outreach, research
Who: Infosec research community
Who: Global, grass roots initiative
What: Long-term vision for cyber safety

Focus areas: Medical, Automotive, Connected Home, Public Infrastructure

I Am The Cavalry

Our Goals: Play Mad Chemists

The Best & Brightest of DevOps + The Best & Brightest of Security
Cause High Value / High Connection
Merge our Tribes for Mutual Awesomeness
Catalyze New Patterns and Solutions

Where We’ve Been

The Downward Spiral…

IT Ops And Dev At War

10 deploys per day: Dev & Ops cooperation at Flickr

John Allspaw & Paul Hammond, Velocity 2009

Source: John Allspaw (@allspaw) and Paul Hammond (@ph)

Dev and Ops

DevOps is incomplete, is interpreted wrong, and is too isolated

.*Ops

^(?<dept>.+)Ops$

Source: Theo Schlossnagle (@postwait)

Justin Collins, Neil Matatall & Alex Smolen from Twitter


High Performers Are More Agile

30x more frequent deployments
8,000x faster lead times than their peers

Source: Puppet Labs 2013 State Of DevOps: http://puppetlabs.com/2013-state-of-devops-infographic

High Performers Are More Reliable

2x the change success rate
12x faster mean time to recover (MTTR)

Source: Puppet Labs 2013 State Of DevOps: http://puppetlabs.com/2013-state-of-devops-infographic

High Performers Win In The Marketplace

2x more likely to exceed profitability, market share & productivity goals
50% higher market capitalization growth over 3 years*

Source: Puppet Labs 2014 State Of DevOps

The Three Ways

Why It’s “Go Time”

New engineer to John Allspaw: “Is it okay for me to make this change?”

John Allspaw: “I don’t know. Is it?”

One Of The Highest Predictors Of Performance

Source: Typology Of Organizational Culture (Westrum, 2004)

DevOps Enterprise: Lessons Learned

On Oct 21-23, we held the DevOps Enterprise Summit, a conference for horses, by horses. Speakers included fifty leaders from:

Macy’s, Disney, Target, GE Capital, Blackboard, Nordstrom, Telstra, US Department of Homeland Security, CSG, Raytheon, IBM, Ticketmaster, MITRE, Marks and Spencer, Barclays Capital, Microsoft, Nationwide Insurance, Capital One, Gov.UK, Fidelity, Rally Software, Neustar, Walmart, PNC, ADP, …

The most popular and talked-about presentation at DevOps Enterprise 2014?

Mark Schwartz, CIO, US Citizenship and Immigration Services, Department of Homeland Security

Observations

They were using the same technical practices and getting the same sort of metrics as the unicorns:

Target: 10+ deploys per day, < 10 incidents per month
Capital One: 100s of deploys per day, lead time of minutes
Macy’s: 1,500 manual tests every 10 days, now 100Ks of automated tests run daily
Nationwide Insurance: Retirement Plans app (COBOL on mainframe)
Raytheon: testing and certification from months to a day
US CIS: security and compliance testing run on every code commit

Observations

The transformation stories are among the most courageous I’ve ever heard
Often the transformation leader was putting themselves in personal jeopardy
Why? Absolute clarity and conviction that it was the right thing for the organization

Capital One: DevOpsSec

Source: Tapabrata Pal, Capital One


Heather Mickman, Target, Inc.: Abolished the TEP-LARB process. As a result, she won the Lifetime Achievement Award from her grateful team.

What About Infosec?

Ed Bellis: Former CISO of Orbitz, VP Information Security at Bank of America, currently CEO of Risk I/O

The DevOps Audit Defense Toolkit: http://bit.ly/DevOpsAudit

James DeLuccia IV, Jeff Gallimore, Gene Kim, Byron Miller

“deploys / day”

“deploys / day / dev”

Where We Want To Go

Innovate! (chart: Productivity vs. Time)

COMMERCIAL RESPONSES TO OPENSSL

X Axis: Time (days) following initial Heartbleed disclosure and patch availability
Y Axis: Number of products included in the vendor vulnerability disclosure
Z Axis (circle size): Exposure as measured by the CVE CVSS score

Source: https://www.usenix.org/system/files/login/articles/15_geer_0.pdf

For the 41%: 390 days. CVSS 10s: 224 days.

True Costs & Least Cost Avoiders (chart: cost in $ per sector, for ACME, Enterprise, Bank, Retail, Manufacturing, BioPharma, Education and High Tech)

ON TIME. ON BUDGET. ACCEPTABLE QUALITY/RISK.

ON TIME: Faster builds. Fewer interruptions. More innovation.
ON BUDGET: More efficient. More profitable. More competitive.
ACCEPTABLE QUALITY/RISK: Easier compliance. Higher quality. Built-in audit protection.

Each layer builds on the last: Agile / CI, then DevOps / CD, then SW Supply Chains.

Toyota Advantage: Comparing the Prius and the Volt

                       Toyota advantage   Toyota Prius   Chevy Volt
Unit Cost              61%                $24,200        $39,900
Units Sold             13x                23,294         1,788
In-House Production    50%                27%            54%
Plant Suppliers        16% (10x per)      125            800
Firm-Wide Suppliers    4%                 224            5,500

H.R. 5793 “Cyber Supply Chain Management and Transparency Act of 2014”

Elegant Procurement Trio

1) Ingredients: Anything sold to $PROCURING_ENTITY must provide a Bill of Materials of 3rd Party and Open Source Components (along with their Versions)

2) Hygiene & Avoidable Risk: …and cannot use known vulnerable components for which a less vulnerable component is available (without a written and compelling justification accepted by $PROCURING_ENTITY)

3) Remediation: …and must be patchable/updateable – as new vulnerabilities will inevitably be revealed
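The three rules as an automated procurement check, written as an added example (not code from the presentation or from Sonatype). The product, its BOM and the advisory feed are constructed; the CVE ids and CVSS scores are the ones in the OpenSSL table above, and the 1.0.1-branch fix releases (1.0.1g for Heartbleed, 1.0.1h for CVE-2014-0224) are taken from OpenSSL's own advisories.

```python
import re

# Constructed advisory feed: CVE ids/CVSS from the slide, fix versions per OpenSSL's advisories.
ADVISORIES = [
    {"component": "openssl", "cve": "CVE-2014-0160", "cvss": 5.0, "introduced": "1.0.1", "fixed": "1.0.1g"},
    {"component": "openssl", "cve": "CVE-2014-0224", "cvss": 6.8, "introduced": "1.0.1", "fixed": "1.0.1h"},
]

def version_key(v):
    """'1.0.1f' -> ((1, ''), (0, ''), (1, 'f')), so that 1.0.1 < 1.0.1f < 1.0.1g."""
    return tuple((int(num), suffix) for num, suffix in re.findall(r"(\d+)([a-z]*)", v))

def is_affected(adv, version):
    """True when version lies in [introduced, fixed); an advisory with no fix has no upper bound."""
    k = version_key(version)
    if k < version_key(adv["introduced"]):
        return False
    return adv["fixed"] is None or k < version_key(adv["fixed"])

def evaluate(product, advisories=ADVISORIES):
    """Apply the procurement trio to a submitted product; returns ('ACCEPT'|'REJECT', findings)."""
    findings = []
    for entry in product["bom"]:
        version = entry.get("version")
        if not version:  # rule 1: every component must be listed with its version
            findings.append(("rule1", entry["name"], "BOM entry has no version"))
            continue
        for adv in advisories:
            if adv["component"] != entry["name"] or not is_affected(adv, version):
                continue
            if adv["fixed"] is None:  # nothing less vulnerable exists yet: a remediation (rule 3) item
                findings.append(("rule3", entry["name"], f"{adv['cve']} has no fixed release"))
            elif entry.get("justification"):  # rule 2 exception: accepted written justification
                findings.append(("waiver", entry["name"], f"{adv['cve']}: {entry['justification']}"))
            else:  # rule 2: a less vulnerable version exists, so shipping this one is avoidable risk
                findings.append(("rule2", entry["name"],
                                 f"{adv['cve']} (CVSS {adv['cvss']}) fixed in {adv['fixed']}, have {version}"))
    if not product.get("patchable"):  # rule 3: the product itself must be patchable/updateable
        findings.append(("rule3", product["name"], "product is not patchable/updateable"))
    verdict = "REJECT" if any(kind != "waiver" for kind, _, _ in findings) else "ACCEPT"
    return verdict, findings

# Constructed sample submission for a hypothetical product (two OpenSSL versions, one unversioned entry).
SAMPLE_PRODUCT = {
    "name": "acme-gateway", "patchable": False,
    "bom": [
        {"name": "openssl", "version": "1.0.1f"},
        {"name": "openssl", "version": "1.0.1g", "justification": "upgrade to 1.0.1h scheduled, accepted by buyer"},
        {"name": "libwidget", "version": None},
    ],
}

if __name__ == "__main__":
    verdict, findings = evaluate(SAMPLE_PRODUCT)
    print(verdict)
    for kind, component, message in findings:
        print(f"  [{kind}] {component}: {message}")
```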

Go Forth… and be Rugged

@joshcorman @RealGeneKim @RuggedSoftware

SW Supply Chain: Intelligence Goes Here

ACCORDING TO ADOBE

ACCORDING TO IBM

ACCORDING TO DOCKER

ACCORDING TO CISCO

Current approaches AREN’T WORKING

(Pipeline stages: Component Selection, Development, Build and Deploy, Production)

75% lack meaningful controls over components in apps
27 different versions of the same component downloaded
95% inefficient sourcing: components are not downloaded to caching repositories
63% don’t track components used in production
24 critical or severe vulnerabilities per app
4 strong copyleft licensed components per app on average

(Pipeline stages: Component Selection, Development, Build and Deploy, Production)

Public repositories feed Nexus Lifecycle, which:

Precisely identifies components & risks
Remediates early in development
Automates policy across the SDLC
Manages risk with a consolidated dashboard
Continuously monitors apps for new risks

Full day of videos

Assessments available: http://www.sonatype.org/nexus/