Security a New Era in Computing: Acceleration using Software Supply Chain

Ingrid Centurion, Centurion Technologies Consulting LLC


2015 Verizon Data Breach Investigation Report

99.9% OF THE EXPLOITED VULNERABILITIES WERE COMPROMISED MORE THAN A YEAR AFTER THE CVE WAS PUBLISHED.

2015 Verizon Data Breach Investigation Report: 200 million successful exploitations across 500+ Common Vulnerabilities and Exposures (CVEs) from over 20,000 enterprises in more than 150 countries

Centurion Technologies Consulting

Ingrid Centurion: Background

•  LTC, US Army Aviation (Retired) – Aviator, Maintenance Test Pilot, Instructor Pilot, Intelligence Product Manager
•  QinetiQ North America Consultant – Aerospace, Defense, Software
•  CEO – Centurion Technologies Consulting, advancing technology companies.


Why is this Happening?


Count of Exploited CVEs


Massive volume and Variety of Parts…

Hundreds of thousands of open source suppliers and millions of components

Massive Supply of Open Source Components

Feasting on Open Source Components

Last year, the average enterprise downloaded 229,000 open source components, of which 6.1% had a known security defect. This exponential increase leads to enormous rework, licensing risk and waste.

Security Applications Management

If you're not using secure components, your applications aren't secure.


Security & IT must work together

As Technology Advances, the Criminal Pace Advances

Protenus & Databreaches.net Report – Data theft and cybercrime are the greatest threats

Attack sophistication is evolving & harder to detect

•  Headworms
•  Machine to Machine attacks
•  Jailbreaking
•  Ghostware
•  Two-faced malware

Attacks keep Coming – Healthcare Security

The number of healthcare security attacks continues to grow, with breaches of over 11 million patient records in June, more than any other month this year, according to a report by Protenus and DataBreaches.net. June breaches totaled 11,061,649 patient records, representing 23 of 29 incidents for which exact numbers were available. Breaches are attributable to a single hack that included a large insurer database (10.3 million records). IAW Ponemon report, commissioned by ID Experts, estimates that data breaches cost the healthcare…

79% of health organizations say they were hit with 2 or more data breaches

45% were hit with more than 5 breaches

Average cost of a data breach: $6.2B

Most Organizations Can't Answer These Questions

•  What components are being used?
•  Which components have known vulnerabilities?
•  If we find a vulnerability, which application is at risk?

Dr. William Edwards Deming - Father of Quality (1900-1993)

•  Born 14 Oct 1900, Sioux City, Iowa
•  BSEE - Wyoming 1921
•  MS Colorado 1925
•  PhD Yale 1928, Mathematical Physics
•  Died 20 Dec 1993

Manufacturers could choose any supplier. Any part could be chosen. There is no inventory. There is no quality control from car to car.

Embrace 14 Deming Points (Supply Chain Principles)

1.  Constancy of purpose for improving.
2.  Adopt the new philosophy.
3.  Cease dependence on mass inspection.
4.  End the practice of awarding business on price alone; instead, minimize total cost by working with a single supplier.
5.  Improve constantly and forever.
6.  Institute training on the job.
7.  Adopt and institute leadership.

Dr. William Edwards Deming


Embrace 14 Deming Points (Supply Chain Principles)

8.  Drive out fear.
9.  Break down barriers between departments.
10. Eliminate numerical quotas for the workforce and numerical goals for management.
11. Remove barriers that rob people of workmanship.
12. Permit pride of workmanship.
13. Vigorous education.
14. Transformation is everyone's job.

What's in a Software Supply Chain?

Suppliers: Open Source Projects

Warehouses: Component Repositories

Manufacturers: Software Development Teams

Finished Goods: Software Applications

Flow of Open Source Components through modern software factories

“MAKING INVISIBLE THINGS VISIBLE”

2016 State of the Software Supply Chain

3,000 organizations, 25,000 applications

Massive Gains in Productivity

80%-90% of a typical application is composed of components (106 components)

Chart: Components vs. Original Code

SOFTWARE IS MANUFACTURED FROM PARTS

Parts have 2 Big Weaknesses

1) Parts are not created equal
2) Parts age and grow stale quickly

25,000 applications demonstrated that 6.8% of components in use had a known security defect. However, because a single component may contain multiple vulnerabilities, an average application consisting of 106 components, of which 6.8% are known bad, could contain numerous unique vulnerabilities.

Agile, DevOps, Lean, Software Factories, Open Source, Acceleration, Sprint

Improve Communications, Improve Processes

Supply chain flow: Suppliers (Open Source Projects) → Warehouses (Component Repositories) → Manufacturers (Software Development Teams) → Finished Goods (Software Applications)

Release updates 14x per year

Estimated >125K in use today. Component versions older than 2 years accounted for 80% of the risk.

Automate Your Supply Chain Management with 3 Proven Principles

1.  Use fewer and better suppliers
2.  Use the best parts from those suppliers
3.  Continuously track and trace the precise location of every component

References

•  Experian 3rd Annual 2016 Data Breach Industry Forecast
•  Verizon 2015/2016 Data Breach Investigations Report
•  Sonatype 2016 Software Supply Chain Report (2nd report)
•  Cisco 2015 Security Report

Ingrid Centurion, Centurion Technologies Consulting LLC
WWW.CENTURIONTECHNOLOGIES-LLC.COM
Twitter: @CTC_LLC
Twitter: @IngridCenturio3
LinkedIn, Facebook

THANK YOU