strengthening cyber resilience with software supply chain visibility

STRENGTHENING CYBER RESILIENCE WITH Software Supply Chain Visibility Joe Jarzombek, Director, Software & Supply Chain Assurance at DHS Joshua Corman, CTO at Sonatype

Upload: sonatype

Post on 14-Apr-2017

Category: Software

TRANSCRIPT

STRENGTHENING CYBER RESILIENCE WITH Software Supply Chain Visibility
Joe Jarzombek, Director, Software & Supply Chain Assurance at DHS
Joshua Corman, CTO at Sonatype

FEATURED SPEAKERS

JOE JARZOMBEK, DIRECTOR OF SOFTWARE & SUPPLY CHAIN ASSURANCE, DHS JOSHUA CORMAN, CTO

Served in Office Secretary of Defense

Retired US Air Force Lt. Col., PD

Co-founder of Rugged Software

Previously w/ Akamai & 451 Group

Trusted Security Professional @joshcorman

PMP & CSSLP [email protected]

Members of (ISC)2 ASAC

Beyond Heartbleed: OpenSSL in 2014 (31 in NIST’s NVD thru December)

CVE ID         Published   CVSS Severity   Note
CVE-2014-3470  6/5/2014    4.3 MEDIUM      SIEMENS *
CVE-2014-0224  6/5/2014    6.8 MEDIUM      SIEMENS *
CVE-2014-0221  6/5/2014    4.3 MEDIUM
CVE-2014-0195  6/5/2014    6.8 MEDIUM
CVE-2014-0198  5/6/2014    4.3 MEDIUM      SIEMENS *
CVE-2013-7373  4/29/2014   7.5 HIGH
CVE-2014-2734  4/24/2014   5.8 MEDIUM      ** DISPUTED **
CVE-2014-0139  4/15/2014   5.8 MEDIUM
CVE-2010-5298  4/14/2014   4.0 MEDIUM
CVE-2014-0160  4/7/2014    5.0 MEDIUM      Heartbleed
CVE-2014-0076  3/25/2014   4.3 MEDIUM
CVE-2014-0016  3/24/2014   4.3 MEDIUM
CVE-2014-0017  3/14/2014   1.9 LOW
CVE-2014-2234  3/5/2014    6.4 MEDIUM
CVE-2013-7295  1/17/2014   4.0 MEDIUM
CVE-2013-4353  1/8/2014    4.3 MEDIUM
CVE-2013-6450  1/1/2014    5.8 MEDIUM
…

As of today, internet scans by MassScan reveal that 300,000 of the original 600,000 Heartbleed-exposed hosts remain unpatched or unpatchable.

Public-Private Collaboration Efforts for Security Automation, Software Assurance, and Supply Chain Risk Management

[Diagram: participating agencies: National Defense, Commerce & Standards, Homeland Security, General Services]

Next SSCA WG: week of 1 June 2015 at MITRE in McLean, Virginia

Gaining confidence in ICT/software-based cyber technologies

• Dependencies on technology are greater than ever

• Possibility of disruption is greater than ever because hardware, software and services are vulnerable

• Loss of confidence alone can lead to stakeholder actions that disrupt critical business activities

Interdependencies Between Physical & Cyber Capabilities – Convergence of Safety, Security and Resilience Considerations

[Diagram: Cyber Infrastructure / Cyber Assets]
• Services: Managed Security, Information Services
• Software: Financial Systems, Human Resources
• Hardware: Database Servers, Networking Equipment
• Internet: Domain Name System, Web Hosting
• Control Systems: SCADA, PCS, DCS

Critical Infrastructure / Key Resources Sectors
• Agriculture and Food, Energy, Transportation, Chemical Industry, Postal and Shipping
• Water, Public Health, Telecommunications, Banking and Finance, Key Assets

[Diagram: Physical Infrastructure / Physical Assets]
• Physical Infrastructure: Railroad Tracks, Highway Bridges, Pipelines, Ports, Cable, Fiber
• Physical Assets: FDIC Institutions, Chemical Plants, Delivery Sites, Nuclear Power Plants, Government Facilities, Dams, Reservoirs, Treatment Plants, Farms, Food Processing Plants, Hospitals, Power Plants, Production Sites

In an era riddled with asymmetric cyber attacks, claims about system reliability and safety must include provisions for built-in security of the enabling software

High Reliance on ICT/Software

Built-in Security enables Resilience

• Critical security controls aligned with mission
• Automated continuous diagnostics and mitigation

© 2012 MITRE

[Diagram: attack pattern (CAPEC) -> exploited weakness (CWE) -> Security Feature]

Cross-site Scripting (XSS) Attack (CAPEC-86) -> Improper Neutralization of Input During Web Page Generation (CWE-79)

SQL Injection Attack (CAPEC-66) -> Improper Neutralization of Special Elements used in an SQL Command (CWE-89)

Exploitable Software Weaknesses (CWEs) are exploit targets/vectors for future Zero-Day Attacks
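The two CAPEC-to-CWE pairs on the slide are easier to see in code. What follows is an added example written for this page, not code from the deck, DHS or Sonatype: a constructed in-memory SQLite table and a greeting template, each shown in its CWE-89 / CWE-79 form beside the neutralized form (a parameterized query and HTML escaping). The function names and the sample rows are assumptions of the example.

```python
import html
import sqlite3


def make_db():
    """Constructed in-memory table for the demonstration (not from the deck)."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (name TEXT, role TEXT)")
    db.executemany("INSERT INTO users VALUES (?, ?)",
                   [("alice", "admin"), ("bob", "user")])
    return db


def roles_vulnerable(db, name):
    """CWE-89 / CAPEC-66: the caller's string is spliced into the SQL command,
    so quote characters in it are parsed as SQL rather than treated as data."""
    sql = "SELECT role FROM users WHERE name = '%s'" % name
    return [row[0] for row in db.execute(sql)]


def roles_fixed(db, name):
    """Neutralized form: the value is bound as a parameter and can never
    change the structure of the statement."""
    return [row[0] for row in
            db.execute("SELECT role FROM users WHERE name = ?", (name,))]


def greeting_vulnerable(name):
    """CWE-79 / CAPEC-86: untrusted input written into the page body as-is."""
    return "<p>Hello, %s</p>" % name


def greeting_fixed(name):
    """Neutralized form: escape for the HTML text context before output."""
    return "<p>Hello, %s</p>" % html.escape(name, quote=True)


if __name__ == "__main__":
    db = make_db()
    tautology = "' OR '1'='1"                # classic CAPEC-66 probe
    print(roles_vulnerable(db, tautology))   # the WHERE clause is always true
    print(roles_fixed(db, tautology))        # no user has that literal name
    probe = "<script>alert(1)</script>"      # classic CAPEC-86 probe
    print(greeting_vulnerable(probe))
    print(greeting_fixed(probe))
```

The tautology payload makes the spliced query `SELECT role FROM users WHERE name = '' OR '1'='1'`, which returns every row; the bound parameter version looks for a user literally named `' OR '1'='1` and finds none. The same split applies to the XSS pair: the weakness is not the input, it is the missing neutralization at the point where input meets an interpreter.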

Known weaknesses plague the security threat landscape

Many of the biggest security risks are issues that have been known about for decades, leaving organizations unnecessarily exposed; organizations must employ fundamental security tactics to address known vulnerabilities in order to eliminate significant amounts of risk. 44% of known breaches come from vulnerabilities that are 2-4 years old. Server misconfigurations were the number one vulnerability. Additional avenues of attack were introduced via connected devices. The primary causes of commonly exploited software vulnerabilities are defects, bugs, and logic flaws.

Software Assurance Addresses Exploitable Software: Outcomes of non-secure practices and/or malicious intent

[Diagram: EXPLOITABLE SOFTWARE = Defects (Unintentional Vulnerabilities) + Intentional Vulnerabilities* + Malware]

Exploitation potential of a vulnerability is independent of "intent"

*Intentional vulnerabilities: spyware & malicious logic deliberately embedded (might not be considered defects)

'High quality' can reduce security flaws attributable to defects; yet traditional S/W quality assurance does not address intentional malicious behavior in software

Software Assurance (SwA) is the level of confidence that software functions as intended and is free of vulnerabilities, either intentionally or unintentionally designed or inserted as part of the software throughout the life cycle.*

From CNSS Instruction 4009 “National Information Assurance Glossary” (26APR2010)

SwA & SCRM Imperative

Increased risk from supply chain due to:
• Increasing dependence on commercial ICT for mission critical systems
• Increasing reliance on globally-sourced ICT hardware, software, and services
• Varying levels of development/outsourcing controls
• Lack of transparency in process chain of custody
• Varying levels of acquisition 'due-diligence'
• Residual risk passed to end-user enterprise
• Defective and Counterfeit products
• Tainted products with malware, exploitable weaknesses and vulnerabilities
• Growing technological sophistication among our adversaries
• Internet enables adversaries to probe, penetrate, and attack us remotely
• Supply chain attacks can exploit products and processes throughout the lifecycle

Risk Management (Enterprise <=> Project): Shared Processes & Practices, Different Focuses

• Enterprise-Level: Regulatory compliance, Changing threat environment, Business Case
• Program/Project-Level: Cost, Schedule, Performance

Who makes risk decisions? Who determines 'fitness for use' for 'technically acceptable' criteria? Who "owns" residual risk from tainted/counterfeit products?

* "Tainted" products are those that are corrupted with malware, or exploitable weaknesses & vulnerabilities that put users at risk

SSCA Focus on Tainted Components: Mitigating risks attributable to exploitable non-conforming constructs in ICT

[Diagram: overlapping categories COUNTERFEIT, AUTHENTIC, DEFECTIVE and TAINTED (exploitable weakness, vulnerability, or malicious construct); the overlaps are labelled Exploitable weakness, Malware and Unpatched Vulnerability. *Text demonstrates examples of overlap]

Components can become tainted intentionally or unintentionally throughout the supply chain, SDLC, and in Ops & sustainment

"Tainted" products are those that are corrupted with malware, or exploitable weaknesses & vulnerabilities that put users at risk

• Enable 'scalable' detection and reporting of tainted ICT components
• Leverage/mature related existing standardization efforts
• Provide taxonomies, schema & structured representations with defined observables & indicators for conveying information:
  o Tainted constructs: Malicious logic/malware (MAEC), Exploitable Weaknesses (CWE), Vulnerabilities (CVE)
  o Attack Patterns (CAPEC)
• Catalogue Diagnostic Methods, Controls, Countermeasures, & Mitigation Practices
• Publicly reported weaknesses and vulnerabilities with patches accessible via National Vulnerability Database (NVD), sponsored by DHS & hosted by NIST

MOST IMPACT: BUY/BUILD DEFENSIBLE SOFTWARE

[Diagram: layers, bottom to top: Defensible Infrastructure -> Operational Excellence -> Situational Awareness -> Counter-measures]

Defensible Infrastructure: the software & hardware we build, buy, and deploy. 10% is written; 90% of software is assembled from 3rd party & Open Source components

IS IT OPEN SEASON ON OPEN SOURCE?

[Diagram: affected parties: Global Bank, Software Provider, Software Provider's Customer, State University, Three-Letter Agency, Large Financial Exchange, Hundreds of Other Sites]

With many eyeballs, all bugs are SHALLOW?

[Chart: CVSS score (1.0 to 10.0) by disclosure year, 2005 to 2014, for the CVEs listed below]

2005: CVE-2005-3745
2006: CVE-2006-1546, CVE-2006-1547, CVE-2006-1548
2007: CVE-2007-6726
2008: CVE-2008-6504, CVE-2008-6505, CVE-2008-2025, CVE-2008-6682
2010: CVE-2010-1870
2011: CVE-2011-2087, CVE-2011-1772, CVE-2011-2088, CVE-2011-5057
2012: CVE-2012-0392, CVE-2012-0391, CVE-2012-0393, CVE-2012-0394, CVE-2012-1006, CVE-2012-1007, CVE-2012-0838, CVE-2012-4386, CVE-2012-4387
2013: CVE-2013-1966, CVE-2013-2115, CVE-2013-1965, CVE-2013-2134, CVE-2013-2135, CVE-2013-2248, CVE-2013-2251, CVE-2013-4316, CVE-2013-4310, CVE-2013-6348
2014: CVE-2014-0094

Latent 7-11 yrs

APPLYING A SOFTWARE SUPPLY CHAIN

Toyota’s Transformation of the Automobile Industry: v4L


• Variety of software produced

• Velocity of software delivery

• Variability of outcomes against forecast

• Visibility of processes to enable learning

Software Supply Chain Principles

Guidelines for Software Providers


1) Ingredients: Anything sold to $PROCURING_ENTITY must provide a Bill of Materials of 3rd Party and Open Source Components (along with their Versions)

2) Hygiene & Avoidable Risk:…and cannot use known vulnerable components for which a less vulnerable component is available (without a written and compelling justification accepted by $PROCURING_ENTITY)

3) Remediation: …and must be patchable/updateable – as new vulnerabilities will inevitably be revealed
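A minimal automated check for principles 1 and 2, written for this page as an added example (it is not DHS's or Sonatype's code and not the output of any product): a constructed bill of materials is matched against a small advisory feed, and each component is reported with the CVEs that hit its version, the least vulnerable version an upgrade could reach, and the CVEs that version would still carry. The component names libfoo and libbar, the EXAMPLE-000x advisory ids, the justification field and the version syntax that parse_version accepts are assumptions of the example; the two OpenSSL entries use the affected/fixed ranges published for CVE-2014-0160 and CVE-2014-0224 on the 1.0.1 release line.

```python
import re

# Constructed bill of materials (principle 1). Names, versions and the
# justification field are illustrative, not taken from the deck.
SBOM = [
    {"name": "openssl", "version": "1.0.1f"},
    {"name": "libfoo", "version": "2.3.15",
     "justification": "vendor backport applied; accepted by procuring entity"},
    {"name": "libbar", "version": "4.1.0"},
]

# Constructed advisory feed keyed by component. The OpenSSL ranges are the
# published ones for the 1.0.1 line; the libfoo entries are invented
# (EXAMPLE-0002 models a weakness with no fixed release yet).
ADVISORIES = {
    "openssl": [
        {"id": "CVE-2014-0160", "affected": ("1.0.1", "1.0.1f"), "fixed": "1.0.1g"},
        {"id": "CVE-2014-0224", "affected": ("1.0.1", "1.0.1g"), "fixed": "1.0.1h"},
    ],
    "libfoo": [
        {"id": "EXAMPLE-0001", "affected": ("2.3.0", "2.3.15"), "fixed": "2.3.16"},
        {"id": "EXAMPLE-0002", "affected": ("2.0.0", "2.3.99"), "fixed": None},
    ],
}

_PART = re.compile(r"^(\d+)([a-z]*)$")


def parse_version(text):
    """Turn '1.0.1f' or '2.3.15' into a list of (number, letter-suffix) tuples
    that compares correctly: 1.0.1 < 1.0.1f < 1.0.1g and 2.3.9 < 2.3.15."""
    parts = []
    for piece in text.split("."):
        m = _PART.match(piece)
        if not m:
            raise ValueError("unsupported version syntax: %r" % text)
        parts.append((int(m.group(1)), m.group(2)))
    return parts


def matching_advisories(name, version, advisories):
    """Advisories whose inclusive affected range contains this version."""
    v = parse_version(version)
    return [a for a in advisories.get(name, [])
            if parse_version(a["affected"][0]) <= v <= parse_version(a["affected"][1])]


def assess(component, advisories):
    """Principle 2 data for one SBOM entry. Assumes fixes are cumulative within
    a release line, so the highest 'fixed' version is the best reachable one."""
    name, version = component["name"], component["version"]
    hits = matching_advisories(name, version, advisories)
    fixes = [a["fixed"] for a in hits if a["fixed"]]
    upgrade = max(fixes, key=parse_version) if fixes else None
    residual = ([a["id"] for a in matching_advisories(name, upgrade, advisories)]
                if upgrade else [a["id"] for a in hits])
    return {
        "name": name,
        "version": version,
        "cves": [a["id"] for a in hits],
        "upgrade_to": upgrade,
        "residual_cves": residual,
        "justified": bool(component.get("justification")),
    }


def policy_violations(sbom, advisories):
    """Entries that use a known vulnerable component although a less vulnerable
    version exists and that carry no written justification."""
    return [r for r in (assess(c, advisories) for c in sbom)
            if r["cves"] and r["upgrade_to"] and not r["justified"]]


if __name__ == "__main__":
    for r in policy_violations(SBOM, ADVISORIES):
        print("%s %s: %s -> upgrade to %s (would still carry: %s)" % (
            r["name"], r["version"], ", ".join(r["cves"]),
            r["upgrade_to"], ", ".join(r["residual_cves"]) or "nothing listed"))
```

Running the block reports the one entry that violates principle 2: openssl 1.0.1f, for which 1.0.1h removes both listed CVEs and no justification is recorded. libfoo 2.3.15 is also vulnerable, but it carries a written justification, and even after moving to 2.3.16 it would still carry EXAMPLE-0002, which has no fix; that residual is exactly the "less vulnerable" case the principle allows for. Principle 3 is not checked here: whether the delivered product can actually take the upgrade is a property of its update mechanism, not of the bill of materials.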

IMPLICATIONS OF POTENTIAL LEGISLATION

Cyber Supply Chain Management & Transparency Act

Other DHS or Government Initiatives?

Software Assurance Marketplace (SWAMP) - http://www.dhs.gov/science-and-technology/csd-swamp

Carwash - http://www.atarc.org/wp-content/uploads/2014/03/Carwash.pdf

Common Weakness Enumeration - http://cwe.mitre.org/

National Vulnerability Database - https://nvd.nist.gov/

TAKE ACTION

Immediately Check Federal Software Applications for Open Source Vulnerabilities

http://www.sonatype.com/application-health-check

STRENGTHEN CYBER RESILIENCE WITH SOFTWARE SUPPLY CHAIN VISIBILITY