Security a New Era in Computing: Acceleration using Software Supply Chain

Ingrid Centurion, Centurion Technologies Consulting LLC
2015 Verizon Data Breach Investigation Report

99.9% of the exploited vulnerabilities were compromised more than a year after the CVE was published.

2015 Verizon Data Breach Investigation Report: 200 million successful exploitations across 500+ Common Vulnerabilities and Exposures (CVEs) from over 20,000 enterprises in more than 150 countries.
Ingrid Centurion: Background

• LTC US Army Aviation (Retired) – Aviator, Maintenance Test Pilot, Instructor Pilot, Intelligence Product Manager
• QinetiQ North America Consultant – Aerospace, Defense, Software
• CEO – Centurion Technologies Consulting, advancing technology companies.
Massive Volume and Variety of Parts…

Hundreds of thousands of open source suppliers and millions of components.
Massive supply of open source components.
Feasting on Open Source Components

Last year, the average enterprise downloaded 229,000 open source components, of which 6.1% had a known security defect. This exponential increase leads to enormous rework, licensing risk and waste.

Security Applications Management

If you're not using secure components, your applications aren't secure.
As Technology Advances, the Criminal Pace Advances

Protenus & Databreaches.net Report – Data theft and cybercrime are the greatest threats.

Attack sophistication is evolving & harder to detect:
• Headworms
• Machine to machine attacks
• Jailbreaking
• Ghostware
• Two-faced malware
Attacks Keep Coming – Healthcare Security

The number of healthcare security attacks continues to grow, with breaches of over 11 million patient records in June, more than any other month this year, according to a report by Protenus and DataBreaches.net. June breaches totaled 11,061,649 patient records, representing 23 of 29 incidents for which exact numbers were available. Breaches are attributable to a single hack that included a large insurer database (10.3 million records). IAW the Ponemon report, commissioned by ID Experts, data breaches are estimated to cost the healthcare…

• 79% of health organizations say they were hit with 2 or more data breaches.
• 45% were hit with more than 5 breaches.
• Average cost of a data breach: $6.2B
Most Organizations Can't Answer These Questions

• What components are being used?
• Which components have known vulnerabilities?
• If we find a vulnerability, which application is at risk?
Dr. William Edwards Deming - Father of Quality (1900-1993)

• Born 14 Oct 1900, Sioux City, Iowa
• BSEE - Wyoming, 1921
• MS - Colorado, 1925
• PhD - Yale, 1928, Mathematical Physics
• Died 20 Dec 1993

Manufacturers could choose any supplier. Any part could be chosen. There is no inventory. There is no quality control from car to car.
Embrace 14 Deming Points (Supply Chain Principles)

1. Constancy of purpose for improving.
2. Adopt the new philosophy.
3. Cease dependence on mass inspection.
4. End the practice of awarding business on price alone; instead, minimize total cost by working with a single supplier.
5. Improve constantly and forever.
6. Institute training on the job.
7. Adopt and institute leadership.
Embrace 14 Deming Points (Supply Chain Principles)

8. Drive out fear.
9. Break down barriers between departments.
10. Eliminate numerical quotas for the workforce and numerical goals for management.
11. Remove barriers that rob people of workmanship.
12. Permit pride of workmanship.
13. Vigorous education.
14. Transformation is everyone's job.
What's in a Software Supply Chain?

• Suppliers: Open Source Projects
• Warehouses: Component Repositories
• Manufacturers: Software Development Teams
• Finished Goods: Software Applications

Flow of open source components through modern software factories.

"MAKING INVISIBLE THINGS VISIBLE"
2016 State of the Software Supply Chain

3,000 organizations, 25,000 applications.
Massive Gains in Productivity

80%-90% of a typical application is composed of components (106 on average); the rest is original code.

SOFTWARE IS MANUFACTURED FROM PARTS
Parts Have 2 Big Weaknesses

1) Parts are not created equal.
2) Parts age and grow stale quickly.

The 25,000 applications demonstrated that 6.8% of components in use had a known security defect. However, because a single component may contain multiple vulnerabilities, an average application consisting of 106 components, of which 6.8% are known bad, could contain numerous unique vulnerabilities.
Improve Communications, Improve Processes

Suppliers (Open Source Projects) → Warehouses (Component Repositories) → Manufacturers (Software Development Teams) → Finished Goods (Software Applications)

• Release updates 14x per year
• Estimated >125K in use today
• Component versions older than 2 yrs accounted for 80% of the risk
Automate Your Supply Chain Management with 3 Proven Principles

1. Use fewer and better suppliers.
2. Use the best parts from those suppliers.
3. Continuously track and trace the precise location of every component.
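The three questions most organizations cannot answer (what components are in use, which have known vulnerabilities, which application is at risk) and the third principle above (track and trace every component) reduce to one data structure: a bill of materials per application joined against an advisory feed. The following is an added example written for this page, not code from the presentation or from Centurion Technologies Consulting. Every application, component, version, release date and advisory id in it is constructed; the advisory ids are placeholders, not CVE numbers.

```python
"""Minimal component inventory ("track and trace") that answers the three
questions from the slides: what components are in use, which have known
vulnerabilities, and which applications are at risk when one is found.
Every value below is constructed for illustration; the advisory ids are
placeholders, not real CVE numbers, and the component names are made up."""
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Tuple

Component = Tuple[str, str]  # (name, version)

# Constructed bill of materials: application -> components it ships.
INVENTORY: Dict[str, List[Component]] = {
    "billing-portal": [("libjson", "1.4.2"), ("httpclient", "3.0.0"), ("logkit", "2.2.1")],
    "claims-api": [("libjson", "1.2.0"), ("httpclient", "3.1.5")],
    "patient-scheduler": [("libjson", "1.4.2"), ("logkit", "2.0.0")],
}

# Constructed release dates per component version, for the staleness check.
RELEASED: Dict[Component, date] = {
    ("libjson", "1.2.0"): date(2013, 5, 10),
    ("libjson", "1.4.2"): date(2016, 2, 15),
    ("httpclient", "3.0.0"): date(2014, 3, 1),
    ("httpclient", "3.1.5"): date(2016, 6, 20),
    ("logkit", "2.0.0"): date(2013, 11, 20),
    ("logkit", "2.2.1"): date(2016, 7, 4),
}

# Constructed "as of" date for the report; the slides' own data is not on the page.
REPORT_DATE = date(2016, 9, 1)


@dataclass(frozen=True)
class Advisory:
    """A known defect: every version of `component` below `fixed_in` is affected."""
    advisory_id: str
    component: str
    fixed_in: str


# Constructed advisory feed with placeholder identifiers (not CVEs).
ADVISORIES: List[Advisory] = [
    Advisory("ADV-PLACEHOLDER-1", "libjson", fixed_in="1.4.0"),
    Advisory("ADV-PLACEHOLDER-2", "logkit", fixed_in="2.1.0"),
]


def parse_version(version: str) -> Tuple[int, ...]:
    """Dotted numeric versions only ("1.4.2" -> (1, 4, 2)); pre-release tags are out of scope."""
    return tuple(int(part) for part in version.split("."))


def is_affected(component: Component, advisory: Advisory) -> bool:
    """True when the component matches the advisory and its version predates the fix."""
    name, version = component
    return name == advisory.component and parse_version(version) < parse_version(advisory.fixed_in)


def components_in_use() -> List[Component]:
    """Question 1: which (name, version) pairs are shipped by any application?"""
    return sorted({comp for comps in INVENTORY.values() for comp in comps})


def vulnerable_components() -> Dict[Component, List[str]]:
    """Question 2: which components in use match at least one advisory?"""
    hits: Dict[Component, List[str]] = {}
    for comp in components_in_use():
        ids = [adv.advisory_id for adv in ADVISORIES if is_affected(comp, adv)]
        if ids:
            hits[comp] = ids
    return hits


def applications_at_risk(advisory_id: str) -> List[str]:
    """Question 3: given one advisory, which applications ship an affected version?"""
    matching = [adv for adv in ADVISORIES if adv.advisory_id == advisory_id]
    return sorted(
        app for app, comps in INVENTORY.items()
        if any(is_affected(comp, adv) for comp in comps for adv in matching)
    )


def stale_components(as_of: date = REPORT_DATE, max_age_days: int = 2 * 365) -> List[Component]:
    """Components whose version is older than the cutoff (the slides' two-year "stale parts" point)."""
    return sorted(comp for comp in components_in_use() if (as_of - RELEASED[comp]).days > max_age_days)


if __name__ == "__main__":
    print("in use:", components_in_use())
    print("known bad:", vulnerable_components())
    for adv in ADVISORIES:
        print(adv.advisory_id, "-> applications at risk:", applications_at_risk(adv.advisory_id))
    print("older than 2 years:", stale_components())
```

Run stand-alone it prints the four answers for the constructed inventory. The advisory model (affected below a fixed version) is the simplest one that works for dotted numeric versions; real ecosystems add pre-release tags and vendor suffixes that need a proper version parser, which is deliberately left out here.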
References

• Experian 3rd Annual 2016 Data Breach Industry Forecast
• Verizon 2015/2016 Data Breach Investigations Report
• Sonatype 2016 Software Supply Chain Report (2nd report)
• Cisco 2015 Security Report

Ingrid Centurion, Centurion Technologies Consulting LLC
Twitter: @CTC_LLC
Twitter: @IngridCenturio3