
Continuous Acceleration with a Software Supply Chain Approach


Page 1

Continuous Acceleration with a Software Supply Chain Approach
Gene Kim & Josh Corman
@RealGeneKim

Ask questions on Twitter during the webinar using #sonatype

Page 2

@joshcorman @RealGeneKim

Josh Corman, Sonatype, @joshcorman: Sonatype CTO & Co-Founder of Rugged Software, I Am The Cavalry

Gene Kim, IT Revolution Press, @RealGeneKim: CTO, Researcher & Author, ‘The Phoenix Project’, ‘Visible Ops’

Source: 2014 Sonatype Open Source and Application Security Survey
Ask questions on Twitter during the webinar using #sonatype

Page 3

Session ID: CLD-106
Session Classification: Intermediate

Josh Corman, Gene Kim (VERY ROUGH 1ST Draft)

Security is Dead. Long Live Rugged DevOps: IT at Ludicrous Speed…

Page 4

Page 5

Page 6

Page 7

Rugged DevOps: Going Even Faster With Software Supply Chains

Gene Kim, Researcher and Author, IT Revolution Press, @RealGeneKim
Joshua Corman, CTO, Sonatype, @joshcorman

Page 8

~ Marc Andreessen, 2011

Page 9

Page 10

Trade Offs: Costs & Benefits

Page 11

Beyond Heartbleed: OpenSSL in 2014 (31 in NIST’s NVD thru December)

CVE             Published   CVSS Severity   Notes
CVE-2014-3470   6/5/2014    4.3 MEDIUM      Siemens *
CVE-2014-0224   6/5/2014    6.8 MEDIUM      Siemens *
CVE-2014-0221   6/5/2014    4.3 MEDIUM
CVE-2014-0195   6/5/2014    6.8 MEDIUM
CVE-2014-0198   5/6/2014    4.3 MEDIUM      Siemens *
CVE-2013-7373   4/29/2014   7.5 HIGH
CVE-2014-2734   4/24/2014   5.8 MEDIUM      ** DISPUTED **
CVE-2014-0139   4/15/2014   5.8 MEDIUM
CVE-2010-5298   4/14/2014   4.0 MEDIUM
CVE-2014-0160   4/7/2014    5.0 MEDIUM      Heartbleed
CVE-2014-0076   3/25/2014   4.3 MEDIUM
CVE-2014-0016   3/24/2014   4.3 MEDIUM
CVE-2014-0017   3/14/2014   1.9 LOW
CVE-2014-2234   3/5/2014    6.4 MEDIUM
CVE-2013-7295   1/17/2014   4.0 MEDIUM
CVE-2013-4353   1/8/2014    4.3 MEDIUM
CVE-2013-6450   1/1/2014    5.8 MEDIUM

As of today, internet scans by masscan reveal that 300,000 of the original 600,000 remain unpatched or unpatchable.

Page 12

Heartbleed + (Unpatchable) Internet of Things == ___ ?

In Our Bodies. In Our Homes. In Our Infrastructure. In Our Cars.

Page 13

Sarcasm: I’m shocked!

Page 14

Page 15

Page 16

Page 17

I Am The Cavalry: The Cavalry isn’t coming… It falls to us

Problem Statement: Our society is adopting connected technology faster than we are able to secure it.

Mission Statement: To ensure connected technologies with the potential to impact public safety and human life are worthy of our trust.

Collecting existing research, researchers, and resources
Connecting researchers with each other, industry, media, policy, and legal
Collaborating across a broad range of backgrounds, interests, and skillsets
Catalyzing positive action sooner than it would have happened on its own

Why: Trust, public safety, human life
How: Education, outreach, research
Who: Infosec research community
Who: Global, grass-roots initiative
What: Long-term vision for cyber safety

Focus areas: Medical, Automotive, Connected Home, Public Infrastructure

Page 18

Our Goals: Play Mad Chemists

The Best & Brightest of DevOps + The Best & Brightest of Security

Cause High Value / High Connection
Merge our Tribes for Mutual Awesomeness
Catalyze New Patterns and Solutions

Page 19

Where We’ve Been

Page 20

The Downward Spiral…

Page 21

Page 22

Page 23

IT Ops And Dev At War

Page 24

Page 25

10 deploys per day: Dev & ops cooperation at Flickr
John Allspaw & Paul Hammond, Velocity 2009

Source: John Allspaw (@allspaw) and Paul Hammond (@ph)

Page 26

Dev and Ops

Source: John Allspaw (@allspaw) and Paul Hammond (@ph)

Page 27

DevOps is incomplete, is interpreted wrong, and is too isolated

Source: Theo Schlossnagle (@postwait)

Page 28

.*Ops

Source: Theo Schlossnagle (@postwait)

Page 29

^(?<dept>.+)Ops$

Source: Theo Schlossnagle (@postwait)

Page 30

Justin Collins, Neil Matatall & Alex Smolen from Twitter

Page 31

High Performers Are More Agile
30x more frequent deployments
8,000x faster lead times than their peers

Source: Puppet Labs 2013 State Of DevOps: http://puppetlabs.com/2013-state-of-devops-infographic

Page 32

High Performers Are More Reliable
2x the change success rate
12x faster mean time to recover (MTTR)

Source: Puppet Labs 2013 State Of DevOps: http://puppetlabs.com/2013-state-of-devops-infographic

Page 33

High Performers Win In The Marketplace
2x more likely to exceed profitability, market share & productivity goals
50% higher market capitalization growth over 3 years*

Source: Puppet Labs 2014 State Of DevOps

Page 34

The Three Ways

Page 35

Why It’s “Go Time”

Page 36

Page 37

New engineer to John Allspaw: “Is it okay for me to make this change?”
John Allspaw: “I don’t know. Is it?”

Page 38

One Of The Highest Predictors Of Performance

Source: Typology Of Organizational Culture (Westrum, 2004)

Page 39

One Of The Highest Predictors Of Performance

Source: Typology Of Organizational Culture (Westrum, 2004)

Page 40

DevOps Enterprise: Lessons Learned

On Oct 21-23, we held the DevOps Enterprise Summit, a conference for horses, by horses. Speakers included fifty leaders from: Macy’s, Disney, Target, GE Capital, Blackboard, Nordstrom, Telstra, US Department of Homeland Security, CSG, Raytheon, IBM, Ticketmaster, MITRE, Marks and Spencer, Barclays Capital, Microsoft, Nationwide Insurance, Capital One, Gov.UK, Fidelity, Rally Software, Neustar, Walmart, PNC, ADP, …

Page 41

The most popular and talked-about presentation at DevOps Enterprise 2014?

Mark Schwartz, CIO, US Citizenship and Immigration Services, Department of Homeland Security

Page 42

Observations

They were using the same technical practices and getting the same sort of metrics as the unicorns:
Target: 10+ deploys per day, < 10 incidents per month
Capital One: 100s of deploys per day, lead time of minutes
Macy’s: 1,500 manual tests every 10 days, now 100Ks of automated tests run daily
Nationwide Insurance: Retirement Plans app (COBOL on mainframe)
Raytheon: testing and certification from months to a day
US CIS: security and compliance testing run on every code commit

Page 43

Observations

The transformation stories are among the most courageous I’ve ever heard. Often the transformation leader was putting themselves in personal jeopardy. Why? Absolute clarity and conviction that it was the right thing for the organization.

Page 44

Capital One: DevOpsSec

Source: Tapabrata Pal, Capital One

Page 45

Heather Mickman, Target, Inc.: Abolished the TEP-LARB process. As a result, she won the Lifetime Achievement Award from her grateful team.

Page 46

What About Infosec?

Ed Bellis: Former CISO of Orbitz, VP Information Security at Bank of America, currently CEO of Risk I/O

Page 47

Page 48

Page 49

The DevOps Audit Defense Toolkit: http://bit.ly/DevOpsAudit
James DeLuccia IV, Jeff Gallimore, Gene Kim, Byron Miller

Page 50

Page 51

“deploys / day”
“deploys / day / dev”

Page 52

Where We Want To Go

Page 53

Innovate! (chart: Productivity versus Time)

Page 54

COMMERCIAL RESPONSES TO OPENSSL

X Axis: Time (Days) following initial Heartbleed disclosure and patch availability
Y Axis: Number of products included in the vendor vulnerability disclosure
Z Axis (circle size): Exposure as measured by the CVE CVSS score

Page 55

https://www.usenix.org/system/files/login/articles/15_geer_0.pdf

For the 41%: 390 days
CVSS 10s: 224 days

Page 56

True Costs & Least Cost Avoiders

(Chart: ACME alongside the sectors Enterprise, Bank, Retail, Manufacturing, BioPharma, Education and High Tech, with costs shown as $ markers)

Page 57

Page 58

ON TIME   ON BUDGET   ACCEPTABLE QUALITY/RISK

Page 59

Page 60

ON TIME. Faster builds. Fewer interruptions. More innovation.
ON BUDGET. More efficient. More profitable. More competitive.
ACCEPTABLE QUALITY/RISK. Easier compliance. Higher quality. Built-in audit protection.

Page 61

Page 62

ON TIME   ON BUDGET   ACCEPTABLE QUALITY/RISK
Agile / CI

Page 63

DevOps

Page 64

ON TIME   ON BUDGET   ACCEPTABLE QUALITY/RISK
DevOps / CD
Agile / CI

Page 65

SW Supply Chains

Page 66

ON TIME   ON BUDGET   ACCEPTABLE QUALITY/RISK
SW Supply Chain
DevOps / CD
Agile / CI

Page 67

SW Supply Chains

Page 68

Toyota Advantage: Comparing the Prius and the Volt

                      Toyota Advantage   Toyota Prius   Chevy Volt
Unit Cost             61%                $24,200        $39,900
Units Sold            13x                23,294         1,788
In-House Production   50%                27%            54%
Plant Suppliers       16% (10x per)      125            800
Firm-Wide Suppliers   4%                 224            5,500

Page 69

Page 70

H.R. 5793 “Cyber Supply Chain Management and Transparency Act of 2014”

Elegant Procurement Trio

1) Ingredients: Anything sold to $PROCURING_ENTITY must provide a Bill of Materials of 3rd Party and Open Source Components (along with their Versions)
2) Hygiene & Avoidable Risk: …and cannot use known vulnerable components for which a less vulnerable component is available (without a written and compelling justification accepted by $PROCURING_ENTITY)
3) Remediation: …and must be patchable/updateable – as new vulnerabilities will inevitably be revealed
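The three requirements map directly onto an automated acceptance check that a procuring organisation can run over a supplier's bill of materials. The Python below is an added example, not material from the webinar or from any Sonatype product: it takes a constructed BOM and a short advisory list and emits one finding per requirement. Of the advisory entries only CVE-2014-0160 is real (OpenSSL 1.0.1 through 1.0.1f affected, fixed in 1.0.1g, CVSS 5.0 as listed on the earlier slide); the component `libwidget`, the advisory id `ADV-EXAMPLE-1`, the product name and the simplified version-ordering helper are assumptions made for the demonstration.

```python
# Added example, not from the webinar or any vendor product. All sample
# data is constructed except CVE-2014-0160, whose affected range and
# CVSS score are public.
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


def parse_version(version: str) -> Tuple[int, ...]:
    """Make versions such as '1.0.1f' and '2.10' comparable as tuples.

    Each dotted piece becomes (number, letter value), so 1.0.1 < 1.0.1f < 1.0.1g.
    Demo simplification: a real checker would use the ecosystem's own ordering.
    """
    parts: List[int] = []
    for piece in version.split("."):
        digits = "".join(ch for ch in piece if ch.isdigit())
        suffix = piece[len(digits):]
        parts.append(int(digits) if digits else 0)
        parts.append(sum(ord(ch) for ch in suffix))
    return tuple(parts)


@dataclass
class Advisory:
    """A known vulnerability; fixed=None means no less vulnerable release exists yet."""
    advisory_id: str
    component: str
    introduced: str
    fixed: Optional[str]
    cvss: float

    def affects(self, version: str) -> bool:
        v = parse_version(version)
        if v < parse_version(self.introduced):
            return False
        return self.fixed is None or v < parse_version(self.fixed)


@dataclass
class Component:
    name: str
    version: Optional[str]  # None: the supplier did not disclose a version


@dataclass
class Deliverable:
    """What a supplier hands to $PROCURING_ENTITY: the BOM plus the trio's attributes."""
    product: str
    components: List[Component]
    patchable: bool  # requirement 3: can the product be updated in the field?
    justifications: Dict[str, str] = field(default_factory=dict)  # component -> written reason


def check_deliverable(d: Deliverable, advisories: List[Advisory]) -> List[str]:
    """Return one line per finding; INGREDIENTS/HYGIENE/REMEDIATION lines block acceptance."""
    findings: List[str] = []
    # 1) Ingredients: every third-party component must carry a version.
    for c in d.components:
        if not c.version:
            findings.append(f"INGREDIENTS: {c.name} listed without a version")
    # 2) Hygiene: a known-vulnerable component is a violation only when a fixed
    #    release exists and no written justification is on file.
    for c in d.components:
        if not c.version:
            continue
        for adv in advisories:
            if adv.component != c.name or not adv.affects(c.version):
                continue
            if adv.fixed is None:
                findings.append(f"INFO: {c.name} {c.version} affected by {adv.advisory_id}; no fixed release yet")
            elif c.name in d.justifications:
                findings.append(f"ACCEPTED: {c.name} {c.version} affected by {adv.advisory_id}; justification: {d.justifications[c.name]}")
            else:
                findings.append(f"HYGIENE: {c.name} {c.version} affected by {adv.advisory_id} (CVSS {adv.cvss}); {adv.fixed} is available")
    # 3) Remediation: the product must be patchable/updateable.
    if not d.patchable:
        findings.append(f"REMEDIATION: {d.product} has no update mechanism")
    return findings


def violations(findings: List[str]) -> List[str]:
    """Keep only the findings that would block acceptance."""
    return [f for f in findings if f.split(":", 1)[0] in ("INGREDIENTS", "HYGIENE", "REMEDIATION")]


# Constructed sample data. "libwidget", ADV-EXAMPLE-1 and "example-gateway" are made up.
SAMPLE_ADVISORIES = [
    Advisory("CVE-2014-0160", "openssl", introduced="1.0.1", fixed="1.0.1g", cvss=5.0),
    Advisory("ADV-EXAMPLE-1", "libwidget", introduced="2.0", fixed=None, cvss=6.8),
]
SAMPLE_DELIVERABLE = Deliverable(
    product="example-gateway",
    components=[
        Component("openssl", "1.0.1f"),  # vulnerable and 1.0.1g exists: violation
        Component("libwidget", "2.3"),   # vulnerable but nothing better to move to
        Component("zlib", None),         # version not disclosed
    ],
    patchable=False,
)

if __name__ == "__main__":
    for line in check_deliverable(SAMPLE_DELIVERABLE, SAMPLE_ADVISORIES):
        print(line)
```

The availability of a fixed release is what turns an INFO note into a HYGIENE violation, mirroring the "less vulnerable component is available" clause, and the `justifications` map is the written-justification escape hatch the second requirement allows.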

Page 71

Go Forth… and be Rugged

@joshcorman @RealGeneKim @RuggedSoftware

Page 72

SW Supply Chain Intelligence Goes Here

Page 73

ACCORDING TO ADOBE

Page 74

ACCORDING TO IBM

Page 75

ACCORDING TO DOCKER

Page 76

ACCORDING TO CISCO

Page 77

Current approaches AREN’T WORKING

Stages: Component Selection, Development, Build and Deploy, Production

75% lack meaningful controls over components in apps
27 different versions of the same component downloaded
95% inefficient sourcing: components are not downloaded to caching repositories
63% don’t track components used in production
24 critical or severe vulnerabilities per app
4 strong copyleft licensed components per app (average)

Page 78

Stages: Component Selection, Development, Build and Deploy, Production

PUBLIC REPOSITORIES -> NEXUS LIFECYCLE

PRECISELY IDENTIFY COMPONENTS & RISKS
REMEDIATE EARLY IN DEVELOPMENT
AUTOMATE POLICY ACROSS THE SDLC
MANAGE RISK WITH CONSOLIDATED DASHBOARD
CONTINUOUSLY MONITOR APPS FOR NEW RISKS

Page 79

Full day of videos
Assessments Available
http://www.sonatype.org/nexus/

Page 80

Continuous Acceleration with a Software Supply Chain Approach
Gene Kim (@RealGeneKim), Josh Corman (@joshcorman)

Source: 2014 Sonatype Open Source and Application Security Survey