Securing Software Supply Chains - Apistek (slide deck transcript)
Cameron Townshend
Solution Architect, APJ, Sonatype
Securing Software Supply Chains: Why 3 Days Might Be Your New Normal for DevSecOps
Since 2000, 52% of Fortune 500 have been replaced.
Established business leaders are also under attack…
Source: https://www.visualcapitalist.com/animation-top-15-global-brands-2000-2018/
W. Edwards Deming, 1945
What is software supply chain management?
A new (yet proven) way of thinking.
1. Source parts from fewer and better suppliers.
2. Use only the highest quality parts.
3. Never pass known defects downstream.
4. Continuously track location of every part.
Jez Humble, 2010
Gene Kim, 2013
Velocity: 47% deploy multiple times per week
Source: 2019 DevSecOps Community Survey
59,000 data breaches have been reported to GDPR regulators since May 2018
source: DLA Piper, February 2019
Business applications are under attack…
68% of enterprises suffered at least one breach in the last 12 months.
51% of enterprise attacks are perpetrated by external actors.
43% of external attacks target web apps and known vulnerabilities.
Forrester: Best Practices for Deploying And Managing Enterprise Password Managers – Jan 2018
Everyone has a software supply chain (even if you don't call it that).
Demand drives 15,000 new releases every day
Automation accelerates OSS downloads
Source: Sonatype’s 2018 State of the Software Supply Chain Report
85% of your code is sourced from external suppliers.
170,000 Java component downloads annually, 3,500 of them unique.
Source: 2018 State of the Software Supply Chain Report
60,660 JavaScript packages downloaded per developer per year.
Source: npm, 2018
Not all parts are created equal.
We are not "building quality in".
Source: 2019 State of the Software Supply Chain Report
NOT REFLECTIVE OF THE HARTFORD'S DATA
[Chart: 2016 Java Downloads]
We are not "building quality in".
[Chart: 2018 npm]
Source: 2018 npm
[Chart: Defect targets per million for 6-sigma, from 1∑ (691,000) through 2∑ (309,000), 3∑ (66.8K), 4∑ (6.2K) and 5∑ (233) to 6∑ (3.4); other plotted values on the chart are 1,000,000, 510,000 and 120K]
170,000 Java component downloads annually, 3,500 of them unique.
18,870 (11.1%) with known vulnerabilities.
60,660 JavaScript packages downloaded annually per developer.
30,936 (51%) with known vulnerabilities.
Social normalization of deviance
"People within the organization become so much accustomed to a deviant behavior that they don't consider it as deviant, despite the fact that they far exceed their own rules for elementary safety."
Diane Vaughan
Breaches increased 71%.
24% suspect or have verified a breach related to open source components in the 2019 survey.
14% suspect or have verified a breach related to open source components in the 2014 survey.
Source: DevSecOps Community Survey 2014 and 2019
The speed of exploits has compressed 93%
Sources: Gartner, IBM, Sonatype
source: 2019 DevSecOps Community Survey
Quickly identify who is faster than their adversaries
3 Days in March: CVE-2017-5638
March 7: Apache Struts releases updated version to thwart vulnerability CVE-2017-5638.
March 8: NSA reveals Pentagon servers scanned by nation-states for vulnerable Struts instances.
Struts exploit published to Exploit-DB.
March 9: Cisco observes "a high number of exploitation events."
March 10: Equifax, Canada Revenue Agency, Canada Statistics, GMO Payment Gateway.
The Rest of the Story: Equifax was not alone.
March 13: Okinawa Power, Japan Post.
April 13: India Post.
December '17: Monero crypto mining.
March '18: India's AADHAAR.
Today: 65% of the Fortune 100 download vulnerable versions.
Complete software bill of materials (SBOM)
2019 No DevOps Practice: 19%
2019 Mature DevOps Practices: 50%
Source: 2019 DevSecOps Community Survey
[Chart: 18,126 organizations downloading vulnerable versions of Struts, annotated "Breach announced."]
Source: Sonatype
DevSecOps challenge: automate faster than evil.
1.3 million vulnerabilities in OSS components are undocumented: no corresponding CVE advisory in the public NVD database.
The new battlefront: Software Supply Chain Attacks
[Timeline image by Sonatype, July 2017 to December 2018, of the following events]
Study found credentials online affecting publishing access to 14% of npm repository, +79,000 packages.
Malicious npm packages "typosquatted" (40 packages for 2 weeks, collecting env including npm publishing credentials).
10 malicious Python packages: basic info collected and sent to Chinese IP address.
Golang go-bindata GitHub id deleted and reclaimed.
ssh-decorator Python module stealing private SSH keys.
npm event-stream attack on CoPay.
Homebrew repository compromised.
Conventional-changelog compromised and turned into a Monero miner.
Blog: "I'm harvesting credit card numbers and passwords from your site. Here's how."
Backdoor discovered in npm get-cookies module published since March.
Unauthorized publishing of mailparser.
Gentoo Linux repository compromised.
Malicious Eslint discovered to be stealing npm credentials.
At what point in the development process does your organization perform automated application analysis?
[Chart comparing 2019 No DevSecOps Practice with 2019 Mature DevSecOps Practices]
Which application security tools are used?
[Chart comparing 2019 No DevSecOps Practice with 2019 Mature DevSecOps Practices]
How are you informed of InfoSec and AppSec issues?
Automating security enables faster DevOps feedback loops.
Automation continues to prove difficult to ignore
Source: 2019 DevSecOps Community Survey
[Chart comparing 2019 No DevOps Practice with 2019 Mature DevOps Practices]
Trusted software supply chains are 2x more secure
Source: 2018 State of the Software Supply Chain Report
"I see no prospect in the long run for avoiding liability for insecure code."
Paul Rosenzweig, Senior Fellow, R Street Institute, 2018
The rising tide of regulation and software liability
1. An up-to-date inventory of open-source components utilized in the software
2. A process for identifying known vulnerabilities within open source components
3. 360 degree monitoring of open source components throughout the SDLC
4. A policy and process to immediately remediate vulnerabilities as they become known
January 2019
source: https://blog.pcisecuritystandards.org/just-published-new-pci-software-security-standards
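Deming's four principles and the PCI list above both come down to one mechanism: keep an inventory of every part and refuse to ship a part with a known defect. The following is an added example, not from the slides or from Sonatype's tooling: it builds a minimal inventory from a constructed dependency list and fails the release when a component falls inside an advisory's affected version range. The inventory line format, the com.example:widgets component and the advisory table are constructed for the example.

```python
from typing import List, NamedTuple, Tuple

class Component(NamedTuple):
    name: str      # "group:artifact" coordinate
    version: str

class Advisory(NamedTuple):
    name: str
    first_affected: str  # inclusive lower bound
    first_fixed: str     # exclusive upper bound
    vuln_id: str

# Constructed sample inventory: one resolved dependency per line, as a build
# tool might export it. com.example:widgets is a hypothetical placeholder.
SAMPLE_INVENTORY = """\
org.apache.struts:struts2-core:2.3.30
org.apache.struts:struts2-core:2.5.10.1
com.example:widgets:1.4.2
"""

# Constructed advisory table. The struts2-core ranges follow the published
# CVE-2017-5638 advisory (2.3.5 to 2.3.31 and 2.5 to 2.5.10); in practice this
# table comes from a vulnerability feed rather than being hand-typed.
ADVISORIES: List[Advisory] = [
    Advisory("org.apache.struts:struts2-core", "2.3.5", "2.3.32", "CVE-2017-5638"),
    Advisory("org.apache.struts:struts2-core", "2.5", "2.5.10.1", "CVE-2017-5638"),
]

def parse_version(v: str) -> Tuple[int, ...]:
    """Dotted numeric versions compare as int tuples; other segments count as 0."""
    return tuple(int(p) if p.isdigit() else 0 for p in v.split("."))

def parse_inventory(text: str) -> List[Component]:
    """Build the SBOM: one Component per 'group:artifact:version' line."""
    comps = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        parts = line.split(":")
        if len(parts) != 3:
            raise ValueError(f"malformed inventory line: {line!r}")
        comps.append(Component(f"{parts[0]}:{parts[1]}", parts[2]))
    return comps

def find_known_vulns(comps: List[Component], advs: List[Advisory]):
    """Cross-reference every inventory entry against the advisory ranges."""
    hits = []
    for c in comps:
        v = parse_version(c.version)
        for a in advs:
            if c.name == a.name and parse_version(a.first_affected) <= v < parse_version(a.first_fixed):
                hits.append((c, a.vuln_id))
    return hits

def release_gate(inventory_text: str, advs: List[Advisory] = ADVISORIES):
    """Never pass a known defect downstream: fail the build when any hit exists."""
    hits = find_known_vulns(parse_inventory(inventory_text), advs)
    return len(hits) == 0, [f"{c.name}:{c.version} affected by {vid}" for c, vid in hits]

if __name__ == "__main__":
    ok, msgs = release_gate(SAMPLE_INVENTORY)
    print("PASS" if ok else "FAIL", *msgs, sep="\n  ")
```

The integer-tuple comparison is deliberately simple; versions with qualifiers such as -beta or -RC need a comparator that follows the ecosystem's own ordering rules.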
[Chart: All Countries Show Poor Cyber Hygiene, with callouts "1 in 7 Downloads" and "1 in 9 Downloads"]
“Emphasize performance of the entire system and never pass a defect downstream.”