DESCRIPTION
We have a problem. Application development has become agile, component-based, and open-source-dependent. We're delivering more software faster than ever before. But security approaches haven't kept up. Wendy Nather, Research Director, Security, at 451 Research and Sonatype CSO Ryan Berg discuss the challenges that are driving new approaches to application security. http://www.sonatype.com/clm/overview
Securing At The Speed Of Development
Wendy Nather, Research Director, Enterprise Security Practice, 451 Research
Four key trends in development that affect security
Agile methodology – faster development
DevOps – more and faster changes, not always involving other teams
Component-based – complex supply chain
Use of open source software – rapid evolution, no infrastructure for updates, no vendor “throat to choke”
Who doesn’t love application security?
Quite a few people, it turns out:
And yet, that’s where breaches are happening
69% of breaches in EMEA were through SQL injection (Source: Verizon Business DBIR 2013)
82% of tested applications were vulnerable to cross-site scripting (Source: Trustwave GSR 2013)
86% of observed web application attacks came from the United States (Source: Solutionary GTIR 2013)
Why aren’t more organizations tackling application security?
1. It’s not all theirs
The Punnett Square of Doom
The hidden size of the supply chain
*WARNING: SOFTWARE MAY BE CRUFTIER THAN IT APPEARS
Why aren’t more organizations tackling application security?
2. Critical apps will generally have the most inertia
Most likely to have the oldest core code
Most likely to have interdependencies
Most likely to be patched and jury-rigged
Least likely to tolerate changes
Application inertia zones
Greatest inertia
Why aren’t more organizations tackling application security?
3. Time to remediate
Lack of authorization check – average of 9.6 minutes to fix
Reflected cross-site scripting – average of 16.2 minutes to fix
SQL injection – average of 97.5 minutes to fix
Source: Daniel Cornell, Denim Group
Need easier ways to make fixes
Why aren’t more organizations tackling application security?
4. Fixing is only part of the battle
Change management
Builds
Testing
Deployment
How do we solve this?
If only we all had a common code base …
Reliance on open source
Where can you get the most leverage?
Shared libraries
Vetted reference code
Also more leverage …
Everyone move to SaaS
Granular, well understood, non-core business functions (email, HR, payroll)
Age out the legacy systems rather than continue to drag them kicking and screaming into security
Configuration instead of code
Make security inextricable
Build security into functional requirements, not non-functional ones
Add security stories to sprints
Make security fixes as easy as possible
Have just-in-time guidance and references along with high-level education
Keep up.
The Component Lifecycle Management Company
Changing the Equation
Go Fast. Be Secure.
Tweet your thoughts: #clm
A Sea Change in Software Development
[Chart: applications “Written” vs. “Assembled”; chart text reads “… of developers say that their applications are at least … open source components” – figures not recoverable]
Source: 2012 / 2013 Sonatype analysis of more than 1,000 enterprise applications
A Highly Complex Ecosystem
Complexity – One component may rely on 00s of others
Diversity – 40,000 Projects, 400K Components, 200MM Classes
Volume – Typical Enterprise Consumes 000s of Components Monthly
Change – Typical Component is Updated 4X per Year
A Massive Supply Chain Problem
No Visibility – No visibility to what components are used, where they are used and where there is risk.
No Control – No way to govern/enforce component usage. Policies are not integrated with development.
No Fix – No efficient way to fix existing flaws.
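The “hidden size of the supply chain” and the “no visibility / no control / no fix” points above, shown in working code as an added example (not Sonatype’s or 451 Research’s): a breadth-first walk turns a two-entry direct dependency list into the full transitive inventory, a policy gate evaluates a severity threshold against that full set and reports the path to the offending component, and an advisory lookup answers which applications contain a newly flagged component. The dependency graph, component names, versions and advisory severities are all constructed.

```python
"""Transitive component inventory, policy gate and advisory lookup.
Added illustration, not Sonatype's or 451 Research's code; every
component name, version and advisory below is constructed."""
from collections import deque

# Constructed dependency graph: component -> components it pulls in.
DEPENDENCIES = {
    "billing-app": ["web-framework:2.1", "json-lib:1.4"],
    "hr-portal": ["web-framework:2.1"],
    "web-framework:2.1": ["http-core:3.0", "logging:1.2", "json-lib:1.4"],
    "json-lib:1.4": ["collections:4.0"],
    "http-core:3.0": ["logging:1.2", "tls-shim:0.9"],
}

# Constructed advisory feed (component -> severity); these are not real CVEs.
ADVISORIES = {"tls-shim:0.9": "critical", "collections:4.0": "medium"}

def transitive_inventory(root, deps=DEPENDENCIES):
    """BFS; returns {component: first path found from root}. The direct
    list is what developers see; this is what actually ships."""
    paths = {}
    queue = deque([(root, [root])])
    while queue:
        name, path = queue.popleft()
        for child in deps.get(name, []):
            if child not in paths:
                paths[child] = path + [child]
                queue.append((child, paths[child]))
    return paths

def policy_violations(inventory, advisories=ADVISORIES, block_at=("high", "critical")):
    """Build-time gate: components at or above the blocking severity, with the path."""
    return {c: (advisories[c], " -> ".join(p)) for c, p in inventory.items()
            if c in advisories and advisories[c] in block_at}

def applications_affected(component, apps, deps=DEPENDENCIES):
    """Monitoring: which applications contain `component`, and via which path?"""
    hits = {}
    for app in apps:
        path = transitive_inventory(app, deps).get(component)
        if path:
            hits[app] = " -> ".join(path)
    return hits

if __name__ == "__main__":
    inv = transitive_inventory("billing-app")
    print(f"direct: {len(DEPENDENCIES['billing-app'])}, transitive: {len(inv)}")
    print(policy_violations(inv))
    print(applications_affected("tls-shim:0.9", ["billing-app", "hr-portal"]))
```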
The Practical Reality
Go Fast, Be Secure
Fix Flaws – early in the development process
Integrate – flexible governance throughout the software lifecycle
Monitor – over time to ensure continuous trust
A New Way to Balance Speed, Quality and Risk
Provides developers with methods to improve quality, speed and agility … while also being more secure.
Security Policies Provide Foundation for Governance
Lifecycle-appropriate actions enforced automatically support a defense-in-depth strategy
Centralized policy administration simplifies enterprise management
“Just by using CLM we are enforcing policy.” – CISO
Governance Enforced Throughout Development Lifecycle
Component intelligence & remediation integrated into the dev tools speeds development
“We didn’t have to learn new tools, information we need to take action is in the tools we use.” – CIO
Agile-friendly policy guidance eliminates need for developers to bypass policy
Developers Can Resolve Issues in Real Time
Side-by-side view allows developers to easily compare & assess replacement impact
Developers can migrate to new components automatically
“I can quickly replace flawed components in my application without leaving the IDE.” – Lead Developer
Continuously Monitor for Emerging Threats
Ongoing monitoring of production applications assures continuous trust
Newly discovered vulnerabilities are proactively communicated, driving quick action
“We have so many applications, it’s nearly impossible to know which new threats affect us.” – CISO
Integration with Existing Security Investments
“Integrating disparate data while automating policy is transformative for our processes.” – CISO
Go Fast. Be Secure.
Build security in from the start
Enforce policy in the tools you already use
Reduce risk by automating governance throughout the lifecycle
Reduce cost by fixing early in the process
React to new threats by knowing what they are and where to fix them
Go fast by using tools your developers already know
Supply Chain Mgt. for Modern Software Development
http://www.sonatype.com/clm/product-tour
http://www.sonatype.com/resources