CONTINUOUS ACCELERATION with a Software Supply Chain Approach
Gene Kim & Josh Corman
Ask questions on Twitter during the webinar using #sonatype
@joshcorman @RealGeneKim

Josh Corman, Sonatype, @joshcorman: Sonatype CTO & Co-Founder of Rugged Software, I am The Cavalry
Gene Kim, IT Revolution Press, @RealGeneKim: CTO, Researcher & Author of ‘The Phoenix Project’, ‘Visible Ops’
Source: 2014 Sonatype Open Source and Application Security Survey
Session ID: CLD-106
Session Classification: Intermediate
Josh Corman, Gene Kim (VERY ROUGH 1ST Draft)
Security is Dead. Long Live Rugged DevOps: IT at Ludicrous Speed…
#RSAC
Rugged DevOps: Going Even Faster With Software Supply Chains
Joshua Corman, CTO, Sonatype, @joshcorman
Gene Kim, Researcher and Author, IT Revolution Press, @RealGeneKim
~ Marc Andreessen, 2011
Trade Offs: Costs & Benefits
Beyond Heartbleed: OpenSSL in 2014 (31 in NIST’s NVD thru December)
CVE-2014-3470  6/5/2014    CVSS Severity: 4.3 MEDIUM  SIEMENS *
CVE-2014-0224  6/5/2014    CVSS Severity: 6.8 MEDIUM  SIEMENS *
CVE-2014-0221  6/5/2014    CVSS Severity: 4.3 MEDIUM
CVE-2014-0195  6/5/2014    CVSS Severity: 6.8 MEDIUM
CVE-2014-0198  5/6/2014    CVSS Severity: 4.3 MEDIUM  SIEMENS *
CVE-2013-7373  4/29/2014   CVSS Severity: 7.5 HIGH
CVE-2014-2734  4/24/2014   CVSS Severity: 5.8 MEDIUM  ** DISPUTED **
CVE-2014-0139  4/15/2014   CVSS Severity: 5.8 MEDIUM
CVE-2010-5298  4/14/2014   CVSS Severity: 4.0 MEDIUM
CVE-2014-0160  4/7/2014    CVSS Severity: 5.0 MEDIUM  HeartBleed
CVE-2014-0076  3/25/2014   CVSS Severity: 4.3 MEDIUM
CVE-2014-0016  3/24/2014   CVSS Severity: 4.3 MEDIUM
CVE-2014-0017  3/14/2014   CVSS Severity: 1.9 LOW
CVE-2014-2234  3/5/2014    CVSS Severity: 6.4 MEDIUM
CVE-2013-7295  1/17/2014   CVSS Severity: 4.0 MEDIUM
CVE-2013-4353  1/8/2014    CVSS Severity: 4.3 MEDIUM
CVE-2013-6450  1/1/2014    CVSS Severity: 5.8 MEDIUM
…
As of today, internet scans by MassScan reveal 300,000 of the original 600,000 remain unpatched or unpatchable.
Heartbleed + (Unpatchable) Internet of Things == ___ ?
In Our Bodies, In Our Homes, In Our Infrastructure, In Our Cars
Sarcasm: I’m shocked!
The Cavalry isn’t coming… It falls to us
Problem Statement: Our society is adopting connected technology faster than we are able to secure it.
Mission Statement: To ensure connected technologies with the potential to impact public safety and human life are worthy of our trust.
Collecting existing research, researchers, and resources
Connecting researchers with each other, industry, media, policy, and legal
Collaborating across a broad range of backgrounds, interests, and skillsets
Catalyzing positive action sooner than it would have happened on its own
Why: Trust, public safety, human life
How: Education, outreach, research
Who: Infosec research community; a global, grass roots initiative
What: Long-term vision for cyber safety
Domains: Medical, Automotive, Connected Home, Public Infrastructure
I Am The Cavalry
Our Goals: Play Mad Chemists
The Best & Brightest of DevOps + The Best & Brightest of Security
Cause High Value / High Connection; Merge our Tribes for Mutual Awesomeness; Catalyze New Patterns and Solutions
Where We’ve Been
The Downward Spiral…
IT Ops And Dev At War
10 deploys per day: Dev & ops cooperation at Flickr
John Allspaw & Paul Hammond, Velocity 2009
Source: John Allspaw (@allspaw) and Paul Hammond (@ph)
Dev and Ops
Source: John Allspaw (@allspaw) and Paul Hammond (@ph)
Source: Theo Schlossnagle (@postwait)
DevOps is incomplete, is interpreted wrong, and is too isolated
.*Ops
Source: Theo Schlossnagle (@postwait)
^(?<dept>.+)Ops$
Source: Theo Schlossnagle (@postwait)
Justin Collins, Neil Matatall & Alex Smolen from Twitter
High Performers Are More Agile
30x more frequent deployments
8,000x faster lead times than their peers
Source: Puppet Labs 2013 State Of DevOps: http://puppetlabs.com/2013-state-of-devops-infographic
High Performers Are More Reliable
2x the change success rate
12x faster mean time to recover (MTTR)
Source: Puppet Labs 2013 State Of DevOps: http://puppetlabs.com/2013-state-of-devops-infographic
High Performers Win In The Marketplace
2x more likely to exceed profitability, market share & productivity goals
50% higher market capitalization growth over 3 years*
Source: Puppet Labs 2014 State Of DevOps
The Three Ways
Why It’s “Go Time”
New engineer to John Allspaw: “Is it okay for me to make this change?”
John Allspaw: “I don’t know. Is it?”
One Of The Highest Predictors Of Performance
Source: Typology Of Organizational Culture (Westrum, 2004)
DevOps Enterprise: Lessons Learned
On Oct 21-23, we held the DevOps Enterprise Summit, a conference for horses, by horses. Speakers included fifty leaders from: Macy’s, Disney, Target, GE Capital, Blackboard, Nordstrom, Telstra, US Department of Homeland Security, CSG, Raytheon, IBM, Ticketmaster, MITRE, Marks and Spencer, Barclays Capital, Microsoft, Nationwide Insurance, Capital One, Gov.UK, Fidelity, Rally Software, Neustar, Walmart, PNC, ADP, …
The most popular and talked-about presentation at DevOps Enterprise 2014? Mark Schwartz, CIO, US Citizenship and Immigration Services, Department of Homeland Security
Observations
They were using the same technical practices and getting the same sort of metrics as the unicorns:
Target: 10+ deploys per day, < 10 incidents per month
Capital One: 100s of deploys per day, lead time of minutes
Macy’s: 1,500 manual tests every 10 days, now 100Ks of automated tests run daily
Nationwide Insurance: Retirement Plans app (COBOL on mainframe)
Raytheon: testing and certification from months to a day
US CIS: security and compliance testing run on every code commit
Observations
The transformation stories are among the most courageous I’ve ever heard. Often the transformation leader was putting themselves in personal jeopardy. Why? Absolute clarity and conviction that it was the right thing for the organization.
Capital One: DevOpsSec
Source: Tapabrata Pal, Capital One
Heather Mickman, Target, Inc.: Abolished the TEP-LARB process. As a result, she won the Lifetime Achievement Award from her grateful team.
What About Infosec?
Ed Bellis: Former CISO of Orbitz, VP Information Security at Bank of America, currently CEO of Risk I/O
The DevOps Audit Defense Toolkit: http://bit.ly/DevOpsAudit
James DeLuccia IV, Jeff Gallimore, Gene Kim, Byron Miller
“deploys / day”
“deploys / day / dev”
Where We Want To Go
Innovate! (chart axes: Productivity vs. Time)
COMMERCIAL RESPONSES TO OPENSSL
X Axis: Time (Days) following initial HeartBleed disclosure and patch availability
Y Axis: Number of products included in the vendor vulnerability disclosure
Z Axis (circle size): Exposure as measured by the CVE CVSS score
https://www.usenix.org/system/files/login/articles/15_geer_0.pdf
For the 41%: 390 days. CVSS 10s: 224 days.
True Costs & Least Cost Avoiders
(Chart: ACME compared against industry segments Enterprise, Bank, Retail, Manufacturing, BioPharma, Education and High Tech, each carrying “$” cost markers; one cell is marked “$$$”.)
ON TIME ON BUDGET ACCEPTABLE QUALITY/RISK
ON TIME. Faster builds. Fewer interruptions. More innovation.
ON BUDGET. More efficient. More profitable. More competitive.
ACCEPTABLE QUALITY/RISK. Easier compliance. Higher quality. Built-in audit protection.
Agile / CI
DevOps
DevOps / CD, on top of Agile / CI
SW Supply Chains
SW Supply Chain, on top of DevOps / CD and Agile / CI
Comparing the Prius and the Volt

Metric                Toyota Advantage   Toyota Prius   Chevy Volt
Unit Cost             61%                $24,200        $39,900
Units Sold            13x                23,294         1,788
In-House Production   50%                27%            54%
Plant Suppliers       16% (10x per)      125            800
Firm-Wide Suppliers   4%                 224            5,500
H.R. 5793 “Cyber Supply Chain Management and Transparency Act of 2014”
Elegant Procurement Trio
1) Ingredients: Anything sold to $PROCURING_ENTITY must provide a Bill of Materials of 3rd Party and Open Source Components (along with their Versions)
2) Hygiene & Avoidable Risk: …and cannot use known vulnerable components for which a less vulnerable component is available (without a written and compelling justification accepted by $PROCURING_ENTITY)
3) Remediation: …and must be patchable/updateable – as new vulnerabilities will inevitably be revealed
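The trio reads as a gate a procuring entity can automate: parse the bill of materials, look each component and version up against published advisories, and reject when a known-vulnerable component has a fixed release and no accepted justification. The script below is an added example written for this page, not code from the webinar, from Sonatype, or from the bill; the BOM format, the `Component`/`Advisory`/`Finding` records, the library names `libfoo`, `libbar` and `libbaz` and their advisory `EXAMPLE-0001` are all constructed. The one real record is CVE-2014-0160 (Heartbleed) from the OpenSSL list earlier in the deck, which affected OpenSSL 1.0.1 through 1.0.1f and was fixed in 1.0.1g.

```python
"""Procurement gate for a bill of materials (BOM), covering the three
requirements: ingredients (every component carries a version), hygiene (no
known-vulnerable component when a less vulnerable release exists, absent an
accepted written justification) and remediation (a vulnerable component with
no fix yet is reported so its update path can be tracked).

Added example; the BOM and advisory records below are constructed, except for
the Heartbleed (CVE-2014-0160) record."""

from dataclasses import dataclass
from typing import Dict, List, Optional, Sequence, Tuple


@dataclass
class Component:
    name: str
    version: Optional[str]  # None models a BOM entry that omits the version


@dataclass
class Advisory:
    advisory_id: str
    component: str
    affected: Tuple[str, ...]  # affected versions listed explicitly
    fixed_in: Optional[str]    # None: no less-vulnerable release exists yet


@dataclass
class Finding:
    component: str
    version: Optional[str]
    reason: str
    fixed_in: Optional[str]
    blocks: bool  # True when this finding alone rejects the BOM


def evaluate_bom(components: Sequence[Component],
                 advisories: Sequence[Advisory],
                 justifications: Optional[Dict[str, str]] = None
                 ) -> Tuple[bool, List[Finding]]:
    """Return (accepted, findings) for one BOM against a set of advisories."""
    justifications = justifications or {}
    index: Dict[str, List[Advisory]] = {}
    for adv in advisories:
        index.setdefault(adv.component, []).append(adv)

    findings: List[Finding] = []
    for comp in components:
        # Requirement 1: an ingredient without a version cannot be checked at all
        if comp.version is None:
            findings.append(Finding(comp.name, None, "version missing from BOM", None, True))
            continue
        for adv in index.get(comp.name, []):
            if comp.version not in adv.affected:
                continue
            if adv.fixed_in is None:
                # Requirement 3: nothing to update to yet; report, do not block
                findings.append(Finding(comp.name, comp.version,
                                        f"{adv.advisory_id}: known vulnerable, no fixed release yet",
                                        None, False))
            elif comp.name in justifications:
                # Requirement 2, exception: a written justification was accepted
                findings.append(Finding(comp.name, comp.version,
                                        f"{adv.advisory_id}: known vulnerable, justification accepted "
                                        f"({justifications[comp.name]})", adv.fixed_in, False))
            else:
                # Requirement 2: a less vulnerable release exists, so reject
                findings.append(Finding(comp.name, comp.version,
                                        f"{adv.advisory_id}: known vulnerable, fixed release available",
                                        adv.fixed_in, True))
    return not any(f.blocks for f in findings), findings


# Constructed sample BOM: one real Heartbleed-era OpenSSL, three made-up libraries
SAMPLE_BOM = [
    Component("openssl", "1.0.1f"),
    Component("libfoo", "2.3.0"),  # constructed, no advisory
    Component("libbar", None),     # constructed, version omitted
    Component("libbaz", "0.9"),    # constructed, vulnerable with no fix yet
]

SAMPLE_ADVISORIES = [
    Advisory("CVE-2014-0160", "openssl",
             ("1.0.1", "1.0.1a", "1.0.1b", "1.0.1c", "1.0.1d", "1.0.1e", "1.0.1f"),
             "1.0.1g"),
    Advisory("EXAMPLE-0001", "libbaz", ("0.9",), None),  # constructed advisory
]

if __name__ == "__main__":
    accepted, findings = evaluate_bom(SAMPLE_BOM, SAMPLE_ADVISORIES)
    print("accepted:", accepted)
    for f in findings:
        print(f"{'BLOCK ' if f.blocks else 'note  '}{f.component} {f.version}: {f.reason}"
              + (f" (fix: {f.fixed_in})" if f.fixed_in else ""))
```

Run as-is, the gate rejects the sample BOM twice over (OpenSSL 1.0.1f with 1.0.1g available, and libbar with no version) while only noting libbaz, which has no fix to move to. Passing `justifications={"openssl": "..."}` converts the OpenSSL finding into an accepted exception but leaves the missing-version rejection in place, which is the order the trio implies: you cannot argue hygiene for an ingredient you never declared.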
Go Forth… and be Rugged
@joshcorman @RealGeneKim @RuggedSoftware
SW Supply Chain Intelligence Goes Here
ACCORDING TO ADOBE
ACCORDING TO IBM
ACCORDING TO DOCKER
ACCORDING TO CISCO
Current approaches AREN’T WORKING
Stages: Component Selection, Development, Build and Deploy, Production
75% lack meaningful controls over components in apps
27 different versions of the same component downloaded
95% inefficient sourcing: components are not downloaded to caching repositories
63% don’t track components used in production
24 critical or severe vulnerabilities per app
4 strong copyleft licensed components per app on average
Stages: Component Selection, Development, Build and Deploy, Production
Public Repositories → Nexus Lifecycle
Precisely identify components & risks
Remediate early in development
Automate policy across the SDLC
Manage risk with a consolidated dashboard
Continuously monitor apps for new risks
Full day of videos
Assessments Available
http://www.sonatype.org/nexus/
Continuous Acceleration with a Software Supply Chain Approach
Gene Kim @RealGeneKim, Josh Corman @joshcorman
Source: 2014 Sonatype Open Source and Application Security Survey