
Security at the Speed of Development: Featuring Wendy Nather, 451 Research Analyst


We have a problem. Application development has become agile, component-based, and open-source-dependent. We're delivering more software faster than ever before. But security approaches haven't kept up. Wendy Nather, Research Director, Security, at 451 Research and Sonatype CSO Ryan Berg discuss the challenges that are driving new approaches to application security. http://www.sonatype.com/clm/overview


Page 1: Security at the Speed of Development: Featuring Wendy Nather, 451 Research Analyst

Securing At The Speed Of Development

Wendy Nather, Research Director, Enterprise Security Practice, 451 Research

Page 2

Four key trends in development that affect security

- Agile methodology – faster development
- DevOps – more and faster changes, not always involving other teams
- Component-based – complex supply chain
- Use of open source software – rapid evolution, no infrastructure for updates, no vendor "throat to choke"

Page 3

Who doesn't love application security?

Quite a few people, it turns out:

Page 4

And yet, that's where breaches are happening

- 69% of breaches in EMEA were through SQL injection (Source: Verizon Business DBIR 2013)
- 82% of tested applications were vulnerable to cross-site scripting (Source: Trustwave GSR 2013)
- 86% of observed web application attacks came from the United States (Source: Solutionary GTIR 2013)

Page 5

Why aren't more organizations tackling application security?

1. It's not all theirs

Page 6

The Punnett Square of Doom

Page 7

Page 8

The hidden size of the supply chain

Page 9

The hidden size of the supply chain

*WARNING: SOFTWARE MAY BE CRUFTIER THAN IT APPEARS

Page 10

Why aren't more organizations tackling application security?

2. Critical apps will generally have the most inertia
- Most likely to have the oldest core code
- Most likely to have interdependencies
- Most likely to be patched and jury-rigged
- Least likely to tolerate changes

Page 11

Application inertia zones

Page 12

Page 13

Page 14

Page 15

Application inertia zones: greatest inertia

Page 16

Why aren't more organizations tackling application security?

3. Time to remediate
- Lack of authorization check – average of 9.6 minutes to fix
- Reflected cross-site scripting – average of 16.2 minutes to fix
- SQL injection – average of 97.5 minutes to fix

Source: Daniel Cornell, Denim Group

Need easier ways to make fixes

Page 17

Why aren't more organizations tackling application security?

4. Fixing is only part of the battle
- Change management
- Builds
- Testing
- Deployment

Page 18

How do we solve this?

If only we all had a common code base …

Page 19

Reliance on open source

Page 20

Where can you get the most leverage?

- Shared libraries
- Vetted reference code

Page 21

Also more leverage …

- Everyone move to SaaS: granular, well understood, non-core business functions (email, HR, payroll)
- Age out the legacy systems rather than continue to drag them kicking and screaming into security
- Configuration instead of code

Page 22

Make security inextricable

- Build security into functional requirements, not non-functional ones
- Add security stories to sprints
- Make security fixes as easy as possible
- Have just-in-time guidance and references along with high-level education

Keep up.

Page 23

Page 24

Page 25

The Component Lifecycle Management Company

Changing the Equation

Go Fast. Be Secure.

Tweet your thoughts: #clm

Page 26

A Sea Change in Software Development

[Infographic: "Written" versus "Assembled"; the share of developers who say their applications are at least (figure not recovered) open source components.]

Source: 2012 / 2013 Sonatype analysis of more than 1,000 enterprise applications

Page 27

A Highly Complex Ecosystem

- Complexity: one component may rely on 00s of others
- Diversity: 40,000 projects, 200MM classes, 400K components
- Volume: a typical enterprise consumes 000s of components monthly
- Change: a typical component is updated 4X per year

Page 28

A Massive Supply Chain Problem

- No visibility: no visibility to what components are used, where they are used and where there is risk
- No control: no way to govern/enforce component usage; policies are not integrated with development
- No fix: no efficient way to fix existing flaws

Page 29

The Practical Reality

Page 30

Go Fast, Be Secure

Page 31

A New Way to Balance Speed, Quality and Risk

- Fix flaws early in the development process
- Integrate flexible governance throughout the software lifecycle
- Monitor over time to ensure continuous trust

Provides developers with methods to improve quality, speed and agility, while also being more secure.

Page 32

Security Policies Provide Foundation for Governance

- Lifecycle-appropriate actions enforced automatically support a defense-in-depth strategy
- Centralized policy administration simplifies enterprise management

"Just by using CLM we are enforcing policy." – CISO

Page 33

Governance Enforced Throughout Development Lifecycle

- Component intelligence and remediation integrated into the dev tools speeds development
- Agile-friendly policy guidance eliminates the need for developers to bypass policy

"We didn't have to learn new tools; the information we need to take action is in the tools we use." – CIO

Page 34

Developers Can Resolve Issues in Real Time

- Side-by-side view allows developers to easily compare and assess replacement impact
- Developers can migrate to new components automatically

"I can quickly replace flawed components in my application without leaving the IDE." – Lead Developer

Page 35

Continuously Monitor for Emerging Threats

- Ongoing monitoring of production applications assures continuous trust
- Newly discovered vulnerabilities are proactively communicated, driving quick action

"We have so many applications, it's nearly impossible to know which new threats affect us." – CISO

Page 36

Integration with Existing Security Investments

"Integrating disparate data while automating policy is transformative for our processes." – CISO

Page 37

Go Fast. Be Secure.

- Build security in from the start
- Enforce policy in the tools you already use
- Reduce risk by automating governance throughout the lifecycle
- Reduce cost by fixing early in the process
- React to new threats by knowing what they are and where to fix them
- Go fast by using tools your developers already know

Supply Chain Management for Modern Software Development

Page 38

http://www.sonatype.com/clm/product-tour

http://www.sonatype.com/resources

Go Fast. Be Secure.

Tweet your thoughts: #clm