DevOps Will Save The World! Public Safety, Public Policy, and DevOps in Context
Joshua Corman, Sonatype CTO
Oct 23, 2014 DevOps Enterprise Summit #DOES14


DESCRIPTION

DevOps Will Save The World!: Public Safety, Public Policy, and DevOps In Context. Joshua Corman, CTO, Sonatype. Link to video: https://www.youtube.com/watch?v=K-hskShNyoo

Page 1: DOES14 - Joshua Corman - Sonatype

DevOps Will Save The World! Public Safety, Public Policy, and DevOps in Context
Joshua Corman, Sonatype CTO

Oct 23, 2014 DevOps Enterprise Summit #DOES14

Page 2: DOES14 - Joshua Corman - Sonatype

2 10/23/2013 @joshcorman

~ Marc Andreessen, 2011

Page 3: DOES14 - Joshua Corman - Sonatype


Page 4: DOES14 - Joshua Corman - Sonatype


Trade Offs

Costs & Benefits

Page 5: DOES14 - Joshua Corman - Sonatype


Page 6: DOES14 - Joshua Corman - Sonatype

INDUSTRIAL EVOLUTION

Page 7: DOES14 - Joshua Corman - Sonatype

THE REAL IMPLICATIONS OF HEARTBLEED

Page 8: DOES14 - Joshua Corman - Sonatype

BEYOND HEARTBLEED: OPENSSL IN 2014 (17 IN NIST’S NVD THRU JULY 25)

CVE ID          Published   CVSS  Severity  Note
CVE-2014-3470   6/5/2014    4.3   MEDIUM    Siemens *
CVE-2014-0224   6/5/2014    6.8   MEDIUM    Siemens *
CVE-2014-0221   6/5/2014    4.3   MEDIUM
CVE-2014-0195   6/5/2014    6.8   MEDIUM
CVE-2014-0198   5/6/2014    4.3   MEDIUM    Siemens *
CVE-2013-7373   4/29/2014   7.5   HIGH
CVE-2014-2734   4/24/2014   5.8   MEDIUM    ** DISPUTED **
CVE-2014-0139   4/15/2014   5.8   MEDIUM
CVE-2010-5298   4/14/2014   4.0   MEDIUM
CVE-2014-0160   4/7/2014    5.0   MEDIUM    HeartBleed
CVE-2014-0076   3/25/2014   4.3   MEDIUM
CVE-2014-0016   3/24/2014   4.3   MEDIUM
CVE-2014-0017   3/14/2014   1.9   LOW
CVE-2014-2234   3/5/2014    6.4   MEDIUM
CVE-2013-7295   1/17/2014   4.0   MEDIUM
CVE-2013-4353   1/8/2014    4.3   MEDIUM
CVE-2013-6450   1/1/2014    5.8   MEDIUM

As of today, internet scans by MassScan reveal 300,000 of the original 600,000 remain unpatched or unpatchable.

Page 9: DOES14 - Joshua Corman - Sonatype

HEARTBLEED + (UNPATCHABLE) INTERNET OF THINGS == ___ ?

In Our Bodies
In Our Homes
In Our Infrastructure
In Our Cars

Page 10: DOES14 - Joshua Corman - Sonatype
Page 11: DOES14 - Joshua Corman - Sonatype
Page 12: DOES14 - Joshua Corman - Sonatype

I Am The Cavalry

The Cavalry isn't coming… It falls to us

Problem Statement
Our society is adopting connected technology faster than we are able to secure it.

Mission Statement
To ensure connected technologies with the potential to impact public safety and human life are worthy of our trust.

Collecting existing research, researchers, and resources
Connecting researchers with each other, industry, media, policy, and legal
Collaborating across a broad range of backgrounds, interests, and skillsets
Catalyzing positive action sooner than it would have happened on its own

Why: Trust, public safety, human life
How: Education, outreach, research
Who: Infosec research community; a global, grass roots initiative
What: Long-term vision for cyber safety: Medical, Automotive, Connected Home, Public Infrastructure

Page 13: DOES14 - Joshua Corman - Sonatype

5-Star Framework: Addressing Automotive Cyber Systems

5-Star Capabilities
Safety by Design – Anticipate failure and plan mitigation
Third-Party Collaboration – Engage willing allies
Evidence Capture – Observe and learn from failure
Security Updates – Respond quickly to issues discovered
Segmentation & Isolation – Prevent cascading failure

Connections and Ongoing Collaborations: Automotive Engineers, Security Researchers, Policy Makers, Insurance Analysts, Accident Investigators, Standards Organizations

https://www.iamthecavalry.org/auto/5star/

Page 14: DOES14 - Joshua Corman - Sonatype

Sign and share the petition: http://bit.ly/5starauto

Page 15: DOES14 - Joshua Corman - Sonatype
Page 16: DOES14 - Joshua Corman - Sonatype

SW SUPPLY CHAIN IN CONTEXT OF CYBERSECURITY BIG PICTURE

Page 17: DOES14 - Joshua Corman - Sonatype

KEY QUESTIONS

Where are Attackers most focused?

Where are Defenders most focused?

Which Activities have the most security impact?

Page 18: DOES14 - Joshua Corman - Sonatype

MOST ATTACKED: WEAK SOFTWARE IS #1 ATTACK VECTOR

- 2014 Verizon Data Breach Investigations Report

Page 19: DOES14 - Joshua Corman - Sonatype

[Chart: security spending by category]

Source: Normalized spending numbers from IDC, Gartner, The 451 Group; since groupings vary

Software Security gets LEAST $ but MOST attacker focus

Host Security ~$10B
Data Security ~$5B
People Security ~$4B
Network Security ~$20B
Software Security ~$0.5B

LEAST SPENDING/PRIORITY: WEAK SOFTWARE

Page 20: DOES14 - Joshua Corman - Sonatype

[Chart: security spending by category versus attack risk]

Source: Normalized spending numbers from IDC, Gartner, The 451 Group; since groupings vary

Host Security ~$10B
Data Security ~$5B
People Security ~$4B
Network Security ~$20B
Software Security ~$0.5B, of which: Written Code Scanning (the 10% written) gets the existing dollars; Assembled 3rd Party & Open Source Components (~90% of most applications) get Almost No Spending

Software Security gets LEAST $ but MOST attacker focus. LEAST SPENDING/PRIORITY: WEAK SW

Worse, within Software, existing dollars go to the 10% written

Page 21: DOES14 - Joshua Corman - Sonatype

MOST IMPACT: BUY/BUILD DEFENSIBLE SOFTWARE

Defensible Infrastructure: the software & hardware we build, buy, and deploy. 10% is written; 90% of software is assembled from 3rd party & Open Source
Operational Excellence
Situational Awareness
Counter-measures

Page 22: DOES14 - Joshua Corman - Sonatype

IS IT OPEN SEASON ON OPEN SOURCE?

Page 23: DOES14 - Joshua Corman - Sonatype

THINK LIKE AN ATTACKER

Now that software is ASSEMBLED… our shared value becomes our shared attack surface

Page 24: DOES14 - Joshua Corman - Sonatype

THINK LIKE AN ATTACKER

ONE EASY TARGET: one risky component now affects thousands of victims

Page 25: DOES14 - Joshua Corman - Sonatype

OPEN SOURCE USAGE IS EXPLODING

[Chart: Component Usage Has Exploded. Y axis: Requests in Millions (0 to 8,000); X axis: years 2001 through 2013]

13 Billion Requests in 2013

Growth Drivers: Mobile, Cloud, Web Apps, Big Data

Page 26: DOES14 - Joshua Corman - Sonatype

STRUTS

Affected: Global Bank; Software Provider; Software Provider's Customer; State University; Three-Letter Agency; Large Financial Exchange; Hundreds of Other Sites

Page 27: DOES14 - Joshua Corman - Sonatype

W/MANY EYEBALLS, ALL BUGS ARE SHALLOW? STRUTS

[Chart: Struts CVEs plotted by year, 2005 through 2014, against CVSS score (1.0 to 10.0). Latent 7-11 yrs]

CVEs plotted: CVE-2005-3745, CVE-2006-1546, CVE-2006-1547, CVE-2006-1548, CVE-2008-6504, CVE-2008-6505, CVE-2008-2025, CVE-2007-6726, CVE-2008-6682, CVE-2010-1870, CVE-2011-2087, CVE-2011-1772, CVE-2011-2088, CVE-2011-5057, CVE-2012-0392, CVE-2012-0391, CVE-2012-0393, CVE-2012-0394, CVE-2012-1006, CVE-2012-1007, CVE-2012-0838, CVE-2012-4386, CVE-2012-4387, CVE-2013-1966, CVE-2013-2115, CVE-2013-1965, CVE-2013-2134, CVE-2013-2135, CVE-2013-2248, CVE-2013-2251, CVE-2013-4316, CVE-2013-4310, CVE-2013-6348, CVE-2014-0094

Page 28: DOES14 - Joshua Corman - Sonatype

BOUNCY CASTLE

In 2013, 4,000 organizations downloaded a version of Bouncy Castle with a level 10 vulnerability 20,000 TIMES … into XXX,XXX applications … SEVEN YEARS after the vulnerability was fixed

NATIONAL CYBER AWARENESS SYSTEM
Original Notification Date: 03/30/2009
CVE-2007-6721
Bouncy Castle Java Cryptography API
CVSS v2 Base Score: 10.0 HIGH
Impact Subscore: 10.0
Exploitability Subscore: 10.0

Page 29: DOES14 - Joshua Corman - Sonatype

HTTPCLIENT 3.X

In December 2013, 6,916 DIFFERENT organizations downloaded a version of httpclient with broken SSL validation (CVE-2012-5783) 66,824 TIMES … more than ONE YEAR AFTER THE ALERT

NATIONAL CYBER AWARENESS SYSTEM
Original Release Date: 11/04/2012
CVE-2012-5783
Apache Commons HttpClient 3.x
CVSS v2 Base Score: 5.8 MEDIUM
Impact Subscore: 4.9
Exploitability Subscore: 8.6

Page 30: DOES14 - Joshua Corman - Sonatype

IS IT TIME FOR A SOFTWARE SUPPLY CHAIN?

Page 31: DOES14 - Joshua Corman - Sonatype

ELEGANT PROCUREMENT TRIO

1) Ingredients: Anything sold to $PROCURING_ENTITY must provide a Bill of Materials of 3rd Party and Open Source Components (along with their Versions)

2) Hygiene & Avoidable Risk: …and cannot use known vulnerable components for which a less vulnerable component is available (without a written and compelling justification accepted by $PROCURING_ENTITY)

3) Remediation: …and must be patchable/updateable – as new vulnerabilities will inevitably be revealed

Page 32: DOES14 - Joshua Corman - Sonatype

PROCUREMENT TRIO + BOUNCY CASTLE

In 2013, 4,000 organizations downloaded a version of Bouncy Castle with a level 10 vulnerability 20,000 TIMES … into XXX,XXX applications … SEVEN YEARS after the vulnerability was fixed

NATIONAL CYBER AWARENESS SYSTEM
Original Notification Date: 03/30/2009
CVE-2007-6721
Bouncy Castle Java Cryptography API
CVSS v2 Base Score: 10.0 HIGH
Impact Subscore: 10.0
Exploitability Subscore: 10.0

Page 33: DOES14 - Joshua Corman - Sonatype

Supply Chain Management

[Diagram: Supplier -> Supply -> Selection -> Integration -> Delivery, across the layers Projects, Components, Component Version, and Application Platforms & Tools, with Optimization (Monitoring) spanning the chain]

Page 34: DOES14 - Joshua Corman - Sonatype

INDUSTRIAL EVOLUTION

Page 35: DOES14 - Joshua Corman - Sonatype


Page 36: DOES14 - Joshua Corman - Sonatype

Toyota’s Transformation of the Automobile Industry: v4L


• Comparing the XXXX and Prius

• $39,900 versus $24,200

• 1,788 units versus 23,294

• Plant suppliers: 125 versus 800

• Firm-wide suppliers: 224 versus 5,500

• In-house production: 27% versus 54%

Page 37: DOES14 - Joshua Corman - Sonatype

Toyota’s Transformation of the Automobile Industry: v4L


• Variety of products offered

• Velocity of product flow

• Variability of outcomes against forecast

• Visibility of processes to enable learning

Page 38: DOES14 - Joshua Corman - Sonatype

Toyota’s Transformation of the Automobile Industry: v4L


• Variety of software produced

• Velocity of software delivery

• Variability of outcomes against forecast

• Visibility of processes to enable learning

Page 39: DOES14 - Joshua Corman - Sonatype

The ‘L’ in v4L


Create Awareness (transparency)

“Unless problems are seen, they will not be solved. Systems need to be in place to report ideas, problems, deviations, and potential issues with no delay.”

Establish capability (empower)

“Unless someone is capable of solving a problem that might arise within the boundaries set for him or her, that person will be unable to contribute to the problem solving process.”

Make action protocols (govern)

“Actions have to be taken within a set of constraints, and they must conform to certain standards.”

Generate system-level awareness (monitor)

“As experience with solving problems is obtained, greater awareness of other areas that might be affected needs to be created.”

Page 40: DOES14 - Joshua Corman - Sonatype

Core Principles

Create Awareness


Empower

Govern

Monitor

Page 41: DOES14 - Joshua Corman - Sonatype

[Diagram: a "Part" flows into a Compound, then a Project, then a Consumer. Stages: Discovery and Repair at the part, Discovery and Repair at the compound/project, Aware and Recovery at the consumer. Example row: Airbag -> Car X -> Alex's Jaguar]

Page 42: DOES14 - Joshua Corman - Sonatype

[Diagram: the same Part -> Compound -> Project -> Consumer chain (Discovery, Repair, Discovery, Repair, Aware, Recovery) with more rows: Airbag -> Car X -> Alex's Jaguar; Struts -> Bank of X… -> Sally, Bank Customer; Struts -> IBM WebSphere -> Bank of X…; Bouncy Castle -> 20,000 Applications -> ??? Users]

Page 43: DOES14 - Joshua Corman - Sonatype

TRUE COSTS & LEAST COST AVOIDERS: DOWNSTREAM

[Diagram: ACME at the top supplies three tiers of downstream customers, each tier listing Enterprise, Bank, Retail, Manufacturing, BioPharma, Education, High Tech]

Page 44: DOES14 - Joshua Corman - Sonatype

[Diagram: Part (Bolt) -> Compound Parts -> Product -> End Consumer, with stages Discovery, Repair, Discovery, Repair, Aware, Recovery, Aware, Recovery. Example: Struts 2 -> three tiers of compound parts Foo_0 through Foo_11 -> IBM WebSphere -> Bank of X.com]

Page 45: DOES14 - Joshua Corman - Sonatype

COMMERCIAL RESPONSES TO OPENSSL

[Bubble chart]
X Axis: Time (Days) following initial HeartBleed disclosure and patch availability
Y Axis: Number of products included in the vendor vulnerability disclosure
Z Axis (circle size): Exposure as measured by the CVE CVSS score

Page 46: DOES14 - Joshua Corman - Sonatype

How can we choose the best components FROM THE START?

Shift Upstream = ZTTR (Zero Time to Remediation)

Analyze all components from within your IDE: License, Security and Architecture data for each component, evaluated against your policy

@joshcorman @451wendy

Page 47: DOES14 - Joshua Corman - Sonatype

MANUAL POLICIES CAN’T WORK AT DEVOPS SPEED OR ENTERPRISE SCALE


Page 48: DOES14 - Joshua Corman - Sonatype

If you're not using secure COMPONENTS you're not building secure APPLICATIONS

[Pipeline: Component Selection -> Development -> Build and Deploy -> Production]

Page 49: DOES14 - Joshua Corman - Sonatype

[Pipeline: Component Selection -> Development -> Build and Deploy -> Production]

Today's approaches AREN'T WORKING

46m vulnerable components downloaded
71% of apps have 1+ critical or severe vulnerability
90% of repositories have 1+ critical vulnerability

Page 50: DOES14 - Joshua Corman - Sonatype

RUGGED DEVOPS AND GENE’S “THREE WAYS”

1) Systems Thinking

2) Amplify Feedback Loops

3) Culture of Continuous Experimentation & Learning

Page 51: DOES14 - Joshua Corman - Sonatype

ADOPT A "DEVSECOPS" MINDSET

[Diagram: Requirements -> Build/Assemble -> Test -> Deploy, fed by Policies, Models, Templates and by IT Operations Intelligence and Security Intelligence; activities Prevent Issues, Detect Issues, Predict Issues, Remediate/Change; Monitoring and Analytics underneath]

Source: Neil MacDonald, Gartner

Page 52: DOES14 - Joshua Corman - Sonatype


Defensible Infrastructure

Operational Excellence

Situational Awareness

Counter-measures

DevOps

DevOps

DevOps

Page 53: DOES14 - Joshua Corman - Sonatype

FURTHER RESOURCES

Page 54: DOES14 - Joshua Corman - Sonatype

1. AS OPEN SOURCE USAGE EXPANDS, SO DO THE RISKS

2. SECURITY BUDGETS ARE OUT OF SYNC WITH RISK AND REALITY

3. PARETO PRINCIPLE 2.0? (THE “90/10” RULE): LOW EFFORT AND BIG GAINS

4. YOU USE A SOFTWARE SUPPLY CHAIN. HOW WELL DO YOU MANAGE IT?

5. EMPOWER YOUR DEVELOPERS. THEY’RE YOUR FRONT LINE DEFENSE

6. MANUAL POLICIES JUST DON’T WORK IN A SECURE DEVELOPMENT LIFECYCLE

7. AGILE DEVELOPMENT REQUIRES AGILE SECURITY


Page 55: DOES14 - Joshua Corman - Sonatype

“Sonatype presents a rare opportunity to do something concrete in the application security space. One of the 1st tools that comes close to remediation not just scan results and recommendations.”

-- Wendy Nather

Page 56: DOES14 - Joshua Corman - Sonatype

https://www.usenix.org/system/files/login/articles/15_geer_0.pdf

For the 41%: 390 days (median 265 days). CVSS 10s: 224 days.

Page 57: DOES14 - Joshua Corman - Sonatype

SAMPLE OPEN SOURCE VISIBILITY REPORT:

• Summary: The number of components analyzed, including security issues and licenses used

• Bill of Materials: A complete list of the components used in your application

• Security Analysis: Known security threats by vulnerability and severity level

• Quality Analysis: Details component age, fingerprint verification & adherence to policies

• License Analysis: License descriptors for every component & license implication for your application
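The procurement trio from slide 31 and the visibility-report summary just described, turned into one runnable policy check. This is an added example, not Sonatype's tooling or code from the talk; the SBOM entries, license strings, the `justification`/`updatable` fields and the advisory table (including the version numbers attached to the talk's CVE ids) are constructed placeholders.

```python
"""Check an SBOM against the talk's 'elegant procurement trio':
1) Ingredients: every component carries a version; 2) Hygiene: no known-vulnerable
component where a fixed version exists (unless justified in writing);
3) Remediation: every component is updatable. Added example; all data constructed."""
from typing import Dict, List, Tuple

# Constructed advisory table {component: [(cve, cvss, first_fixed_version)]}.
# CVE ids and component names come from the talk; the versions are placeholders,
# NOT the real affected or fixed ranges.
ADVISORIES: Dict[str, List[Tuple[str, float, str]]] = {
    "bouncycastle": [("CVE-2007-6721", 10.0, "1.40")],
    "commons-httpclient": [("CVE-2012-5783", 5.8, "3.1.1")],
}

# Constructed sample bill of materials for one application.
SAMPLE_SBOM = [
    {"name": "bouncycastle", "version": "1.38", "license": "MIT"},
    {"name": "commons-httpclient", "version": "3.1", "license": "Apache-2.0",
     "justification": "TLS terminated at proxy; accepted, ticket PLACEHOLDER"},
    {"name": "struts2-core", "license": "Apache-2.0"},  # no version recorded
    {"name": "vendor-blob", "version": "2.0", "license": "Proprietary",
     "updatable": False},  # cannot be patched
]

def parse_version(v: str) -> Tuple[int, ...]:
    """'3.1.1' -> (3, 1, 1); non-numeric parts compare as 0."""
    return tuple(int(p) if p.isdigit() else 0 for p in v.split("."))

def check_component(comp: dict) -> List[str]:
    """Return one finding per trio rule the component breaks or justifies."""
    name, version = comp.get("name"), comp.get("version")
    if not version:
        return [f"{name}: INGREDIENTS no version in the bill of materials"]
    findings = []
    for cve, cvss, fixed in ADVISORIES.get(name, []):
        if parse_version(version) < parse_version(fixed):
            tag = "ACCEPTED (justified)" if comp.get("justification") else "HYGIENE"
            findings.append(f"{name} {version}: {tag} {cve} CVSS {cvss}, fixed in {fixed}")
    if not comp.get("updatable", True):
        findings.append(f"{name} {version}: REMEDIATION component cannot be updated")
    return findings

def evaluate_sbom(sbom: List[dict]) -> dict:
    """Summary shaped like the visibility report: counts, licenses, findings."""
    findings = [f for c in sbom for f in check_component(c)]
    violations = [f for f in findings if "ACCEPTED" not in f]
    return {"components": len(sbom), "findings": findings, "violations": violations,
            "licenses": sorted({c.get("license", "unknown") for c in sbom}),
            "passes": not violations}
```

`evaluate_sbom(SAMPLE_SBOM)` fails the sample application on three counts (an unjustified vulnerable Bouncy Castle, a Struts entry with no version, and an unpatchable vendor blob) while recording the justified httpclient exception rather than silently dropping it.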

Page 58: DOES14 - Joshua Corman - Sonatype
Page 59: DOES14 - Joshua Corman - Sonatype

A FINAL THOUGHT…

Page 60: DOES14 - Joshua Corman - Sonatype


Page 61: DOES14 - Joshua Corman - Sonatype

THANK YOU

@JOSHCORMAN

@SONATYPE
