Embed Size (px)
Citation preview
The Illusion of ControlSeven Deadly Wastes in Your DevOps Practice
Matthew BarkerTechnical Directory and DevOpsSec Advocate @[email protected]://www.sonatype.com/assessments/application-health-check/start
1
Where’s That Software Supply Chain?
2
3
It is not necessary to change. Survival is not mandatory.
Edwards Deming
Use the highestquality parts
Use fewer and better suppliers
Track what you use and where
Supply Chain Principles
1 2 3
106,000Organizations Analyzed
Source: 2015 State of the Software Supply Chain Report
Quality?
Security?
Maintainability?
Repeatability?
Raw innovation Innovation at
any cost
Net innovation Net value to the
organization
We all have aSOFTWARE SUPPLY CHAIN
POLLING QUESTION
What percent of modern apps are composed of open source components?
8
a. 10 - 20%b. 50 - 60%c. 80 - 90%
How Dependent on 3rd Parties Are We?
10% Custom Written CodeTypical Application
Open Source
Cloud Services
Closed Source
90% From 3rd Parties
We all have aSOFTWARE SUPPLY CHAIN
11 MILLION OSS USERS
1,109,005 OSS COMPONENTS
121,341 SUPPLIERS
CHANGE: Typical component is updated 3 – 4x per year
Source: 2015 State of the Software Supply Chain Report
POLLING QUESTION
On the average, how many open source suppliers do companies work with?
12
a. 5,372b. 7,601
c. 15,118
Suppliers Serving Manufacturers
Source: 2015 State of the Software Supply Chain Report
Orders(downloads)
Suppliers(artifacts)
Parts(versions)
Year Average 240,757 7,601 18,614
59% never repaired
41% 390 days (median 265 days). CVSS 10s 224 days
<7The best were remediated in under a week.
Source: USENIX, https://www.usenix.org/system/files/login/articles/15_geer_0.pdf
@sonatype
We all have aSOFTWARE SUPPLY CHAIN
Sample of Open Source Repositories
2014Volume of Download Requests
Central.sonatype.org 17,213,084,947Npmjs.org 15,460,748,856NuGetGallery.com 280,124,916Bintray.com 250,000,000
Source: 2015 State of the Software Supply Chain Report
Source: 2015 State of the Software Supply Chain Report
PublicRepos
Local Repo
Build Tool
Public Repos
Build ToolPATTERN #1
PATTERN #2
POLLING QUESTION
What percent of components are sourced from public repositories vs.
local repositories?
18
a. 15%b. 35%c. 95%
PublicRepos
Local Repo
Build Tool
Public Repos
Build Tool
Source: 2015 State of the Software Supply Chain Report
95%of downloads
5%of downloads
20
We all have aSOFTWARE SUPPLY CHAIN
POLLING QUESTION
What percent of organizations do not have a policy governing quality and
integrity of components?
21
a. 25%b. 55%c. 95%
Half of organizations continue to run without an open source policy.
Q: Does your organization have an open source policy?
Source: 2012, 2013, 2014 Sonatype Open Source Development and Application Security Survey
1-in-10 had or suspected an open source related breachin the past 12 months
Average downloads
# of known vulnerabilities
% of known vulnerabilities
% known vulnerabilities (2013 or older)
240K 15K 7.5% 66.3%
Download Volumes of Old CVEs
Source: 2015 State of the Software Supply Chain Report
Source: 2015 State of the Software Supply Chain Report
27Average Number of Outdated
Versions Downloaded
For the top 100 components:
We all have aSOFTWARE SUPPLY CHAIN
1,500+Applications Analyzed
The Average Application Contains:
106 components
24 known
vulnerabilities
9restrictive licenses
Some really bad components in our applications
Java Cryptography APICVSS v2 Base Score:
10.0 HIGHExploitability:
10.0
Since then 11,236 organizations
downloaded it214,484 times
Bouncy CastleCVE Date:
11/10/2007
Java HTTP implementationCVSS v2 Base Score:
5.8 MEDIUMExploitability:
8.6
Since then 29,468 organizations
downloaded it3,749,193 times
HttpClientCVE Date:
11/04/2012
Web application frameworkCVSS v2 Base Score:
9.3 HIGHExploitability:
10
Since then 4,076 organizations
downloaded it179,050 times
Apache Struts 2
CVE Date:07/20/2013
Source: Sonatype, Inc. analysis of (Maven) Central downloads and NIST National Vulnerability Database
30
SEVEN DEADLY DEVOPS WASTES
31
Most DevOps deadly sins are caused byGO FAST AT ANY COST
32
WASTE NUMBER 1:Ignore your software supply chain
33
WASTE NUMBER 2:Use any supplier and many
component versions
34
WASTE NUMBER 3:Fail to use a local repository
manager
35
LicenseFeatures
WASTE NUMBER 4:Choose components irrespective of
quality or risk
36
WASTE NUMBER 5:Depend on a manual component
approval process
37
WASTE NUMBER 6:Fail to track component usage
38
?
… AND THE LAST DEADLY WASTE:Fail to monitor your released
applications
Use the highestquality parts
Use fewer and better suppliers
Track what you use and where
Supply Chain Principles
1 2 3
ZTTR (Zero Time to Remediation)
1
Use fewer and better suppliers
Choose quality components
@matthewabq
2
bit.ly/softwareBOM
3Track what you use and where
John WillisDevOps Days Core
Organizer
Gareth RushgrovePuppet Labs
Nigel SimpsonF-100 Entertainment Giant
@matthewabq
