Build Security In, Fix and Remediate Security, License and Architectural Risk Early in Your SDLC Process. Nick Coombs, Sonatype; Ryan Sheldrake, Sonatype

Webcast: "Build Security In, Fix and Remediate Security, License and Architectural risk Early in Your SDLC Process" September 22nd 2016


Page 1

Build Security In, Fix and Remediate Security, License and Architectural Risk Early in Your SDLC Process

Nick Coombs, Sonatype; Ryan Sheldrake, Sonatype

Page 6

A Sea Change in Application Development: Modern Software Development

Modern applications are roughly 90% assembled from existing components; only the remainder is written in-house.

Source: 2012/2013 Sonatype analysis of more than 1,000 enterprise applications

Page 7

The Modern Software Supply Chain

SUPPLIERS - Open Source Projects
• 3.7 million open source developers
• Over 1.56M component versions contributed
• 105,000 open source projects
• Once uploaded, always available
• 3-4 yearly updates, no way to inform development teams
• Mean-time-to-repair a security vulnerability: 390 days

WAREHOUSES - Component Repositories
• 31 billion download requests last year
• 90,000 private component repositories in use
• 6.2% of requests have known security vulnerabilities
• 34% of downloads have restrictive licenses
• 95% rely on inefficient component distribution (or "sourcing") practices

MANUFACTURERS - Software Dev Teams
• 11 million developers
• 160,000 organizations
• 7,600 external suppliers used in an average development organization
• 27 versions of the same component downloaded
• 43% don't have open source policies
• 75% of those with policies don't enforce them
• 31% suspect a related breach

FINISHED GOODS - Software Applications
• 80-90% component-based
• 106 components per application
• 24 known security vulnerabilities per application, critical or severe
• 9 restrictive licenses per application, critical or severe
• 60% don't have a complete software Bill of Materials

Page 8

Three components that kept being downloaded after their CVE was published:

Bouncy Castle (Java Cryptography API)
• CVE date: 11/10/2007
• CVSS v2 base score: 10.0 HIGH; exploitability: 10.0
• Since then 11,236 organizations downloaded it 214,484 times

HttpClient (Java HTTP implementation)
• CVE date: 11/04/2012
• CVSS v2 base score: 5.8 MEDIUM; exploitability: 8.6
• Since then 29,468 organizations downloaded it 3,749,193 times

Apache Struts 2 (Web application framework)
• CVE date: 07/20/2013
• CVSS v2 base score: 9.3 HIGH; exploitability: 10
• Since then 4,076 organizations downloaded it 179,050 times

Page 9

Intelligence Matters (components in an application)

Components older than 2 years:
• account for 62% of all components
• account for 77% of the security risk
• are likely inactive

Application vulnerability density is 6.8%

Commercial in Confidence

Page 10

Shift Left – Fix in Development

Source: IBM - https://www.ibm.com/developerworks/community/blogs/invisiblethread/entry/enabling_devops_success_with_shift_left_continuous_testing?lang=en

Page 11

OWASP A9 - Using Components with Known Vulnerabilities

Page 12

ISO 27001 – A.14.2.1 - Secure development policy

Page 13


Page 14

UK Government – Cyber Essentials

Page 15

What if manufacturers built cars the way we build software: without supply chain visibility, process and automation ...

• Any part can be chosen, even if it is outdated or known to be unsafe.
• Since parts aren't tracked, it's challenging to issue a recall.
• There is no quality control or consistency from car to car.
• There is no inventory of the parts that were used, or where.
• Manufacturers could choose any supplier they want for any given part, regardless of quality.

Page 16

Time for a fresh approach? Sonatype Nexus Lifecycle

• Precisely identify components and risks
• Remediate early in development
• Automate policy across the SDLC
• Manage risk with a consolidated dashboard
• Continuously monitor applications for new risks

Page 17

Use Case - Shift Left, Integrate with SDLC

(Architecture diagram; the recoverable labels are listed below.)

Development flow: Developers -> Create Code -> SCM -> CI Build (with 'Intellisense'-style policy feedback) -> Components -> Production.

Component supply: Third Party & OSS Components -> Nexus Firewall -> Nexus Repository -> Components consumed by builds.

Sonatype Nexus IQ Server: Policy rules (License, Security, Architecture); Continuous Assessment fed by Sonatype Research; REST API; integrations with JIRA and SonarQube.

Outputs: Policy Evaluation (License, Security, Architecture); KPIs (Security, Architecture); Reporting and Trending for Managers, Production Support, Legal, IT Risk and Cyber.
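As an added example (my own code, not Sonatype's product or the Nexus IQ policy engine), the policy gate that the use-case diagram and the Nexus Lifecycle bullets describe, applied to a constructed bill of materials: each component is checked against the three risk categories the slides name (security by CVSS score, license by a restrictive-license list, architecture by the two-year age cut-off from page 9), and the same findings produce a warning in development but block the build and release stages. All component names, scores, years, licenses, stage names and thresholds are assumptions.

```python
# Constructed bill of materials: names, versions, years and CVSS scores are placeholders.
BOM = [
    {"name": "crypto-lib", "version": "1.38", "released": 2007, "cvss": 10.0, "license": "MIT"},
    {"name": "http-client", "version": "4.2", "released": 2012, "cvss": 5.8, "license": "Apache-2.0"},
    {"name": "web-framework", "version": "2.3", "released": 2013, "cvss": 9.3, "license": "Apache-2.0"},
    {"name": "report-tool", "version": "3.0", "released": 2016, "cvss": None, "license": "GPL-3.0"},
]

# Assumed policy thresholds (not Sonatype defaults), one rule per risk category.
RESTRICTIVE_LICENSES = {"GPL-3.0", "AGPL-3.0"}  # license: fail
CVSS_FAIL, CVSS_WARN = 7.0, 4.0                 # security: fail / warn
MAX_AGE_YEARS = 2                               # architecture: warn (page 9: older than 2 years)
EVAL_YEAR = 2016                                # evaluation date (the webcast year)

# Shift-left enforcement: developers only get warnings; build and release gates block.
STAGE_BLOCKS = {"develop": False, "build": True, "release": True}

def evaluate_component(c, year=EVAL_YEAR):
    """Return (category, severity, message) tuples for one component."""
    found, cvss = [], c["cvss"]
    if cvss is not None and cvss >= CVSS_FAIL:
        found.append(("security", "fail", f"CVSS {cvss} known vulnerability"))
    elif cvss is not None and cvss >= CVSS_WARN:
        found.append(("security", "warn", f"CVSS {cvss} known vulnerability"))
    if c["license"] in RESTRICTIVE_LICENSES:
        found.append(("license", "fail", f"restrictive license {c['license']}"))
    if (age := year - c["released"]) > MAX_AGE_YEARS:
        found.append(("architecture", "warn", f"{age} years old, likely inactive"))
    return found

def evaluate_bom(bom, stage, year=EVAL_YEAR):
    """Evaluate a whole application; return (decision, findings) for one SDLC stage."""
    findings = [(c["name"], cat, sev, msg)
                for c in bom for cat, sev, msg in evaluate_component(c, year)]
    if not findings:
        return "pass", findings
    if STAGE_BLOCKS[stage] and any(sev == "fail" for _, _, sev, _ in findings):
        return "fail", findings
    return "warn", findings

def summarize(findings):
    """Per-category finding counts, the KPI a dashboard would report and trend."""
    return {cat: sum(1 for _, c, _, _ in findings if c == cat)
            for cat in ("security", "license", "architecture")}

if __name__ == "__main__":
    for stage in STAGE_BLOCKS:
        decision, findings = evaluate_bom(BOM, stage)
        print(f"{stage}: {decision} {summarize(findings)}")
```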

Page 18

The Business Case for Building Security In

• Shift Left -> 30x lower cost to fix in development
• Manual processes don't work -> 1 to 4 hours per component
• Increase developer efficiency -> 8% to 30% time saving per day
• Faster releases
• Less unplanned work
• Fewer break-fixes
• Increased innovation
• And better quality software!

Page 19

Free Scan & Consultancy

• One day's consultancy to help build the business case
• Free assessment on up to 3 applications
• Report

Page 20

Be DevOpstastic