even faster
play

Even Faster: How Rugged DevOps & SW Supply Chains Attack - PowerPoint PPT Presentation

Oct 27, 2022 •182 likes •832 views

Even Faster: How Rugged DevOps & SW Supply Chains Attack Developer Waste Josh Corman @joshcorman @joshcorman Conclusions / Apply! Idea: A full embrace of Deming is a SW Supply Chain: Fewer/Better Suppliers Highest Quality Supply

  1. Even Faster: How Rugged DevOps & SW Supply Chains Attack Developer Waste Josh Corman @joshcorman @joshcorman

  2. Conclusions / Apply! § Idea: A full embrace of Deming is a SW Supply Chain: § Fewer/Better Suppliers § Highest Quality Supply § Traceability/Visibility throughout Manufacturing / Prom & Agile Recall § Benefits: Such rigor enables: § Even FASTER: Fewer instances of Unplanned/Unscheduled Work ( ALSO CONTEXT SWITCHES) § More EFFICIENT: Faster MTTD/MTTR § Better QUALITY/RISK: Avoid elective/avoidable complexity/risk § Urgency: It’s OpenSeason on OpenSource § And our dependence on connected tech is increasingly a public safety issue § Coming Actions: “Known Vulnerabilities” Convergence § Lawmakers, Insurers, Lawyers, etc. are converging @joshcorman

  3. Who am I? Joshua Corman @joshcorman CTO, Sonatype @joshcorman

  4. @joshcorman

  5. @joshcorman

  6. @joshcorman 6

  7. h/t @petecheslock DevOpsDays AusHn 2015 True #DevOps + Security isn’t all rainbows & unicorns. Unicorn p00p has to be worked thru @joshcorman @mortman #RSAC @joshcorman

  8. @joshcorman

  9. Rugged DevOps SESSION ID: Going Even Faster With Software Supply Chains Gene Kim Joshua Corman Researcher and Author CTO IT Revolution Press Sonatype @RealGeneKim @joshcorman #RSAC

  10. ~ Marc Marc Andreessen 2011 @joshcorman 10/23/2013 10 @joshcorman

  11. @joshcorman 11

  12. Trade Offs Costs & Benefits @joshcorman 10/23/2013 12 @joshcorman

  13. Beyond Heartbleed: OpenSSL in 2014 (31 in NIST’s NVD thru December) As of today, internet scans by MassScan reveal 300,000 CVE-2014-3470 6/5/2014 CVSS Severity: 4.3 MEDIUM ß SIEMENS * of original 600,000 remain CVE-2014-0224 6/5/2014 CVSS Severity: 6.8 MEDIUM ß SIEMENS * CVE-2014-0221 6/5/2014 CVSS Severity: 4.3 MEDIUM unpatched or unpatchable CVE-2014-0195 6/5/2014 CVSS Severity: 6.8 MEDIUM CVE-2014-0198 5/6/2014 CVSS Severity: 4.3 MEDIUM ß SIEMENS * CVE-2013-7373 4/29/2014 CVSS Severity: 7.5 HIGH CVE-2014-2734 4/24/2014 CVSS Severity: 5.8 MEDIUM ** DISPUTED ** CVE-2014-0139 4/15/2014 CVSS Severity: 5.8 MEDIUM CVE-2010-5298 4/14/2014 CVSS Severity: 4.0 MEDIUM CVE-2014-0160 4/7/2014 CVSS Severity: 5.0 MEDIUM ß HeartBleed CVE-2014-0076 3/25/2014 CVSS Severity: 4.3 MEDIUM CVE-2014-0016 3/24/2014 CVSS Severity: 4.3 MEDIUM CVE-2014-0017 3/14/2014 CVSS Severity: 1.9 LOW CVE-2014-2234 3/5/2014 CVSS Severity: 6.4 MEDIUM CVE-2013-7295 1/17/2014 CVSS Severity: 4.0 MEDIUM CVE-2013-4353 1/8/2014 CVSS Severity: 4.3 MEDIUM CVE-2013-6450 1/1/2014 CVSS Severity: 5.8 MEDIUM … @joshcorman

  14. Heartbleed + (UnPatchable) Internet of Things == ___ ? In Our Homes In Our Bodies In Our Cars In Our Infrastructure @joshcorman

  15. Sarcsm: I’m shocked! @joshcorman 15

  16. @joshcorman

  17. The Rugged Ma The Ru ed Mani nifesto festo I am I m rugged... and mo more imp mportantly, my my code is ru rugged. I recogniz I ize th that t softw ftware has become a fo foundatio tion of f our mo modern world. I I recogniz ize th the awesome responsib ibility ility th that t comes with ith th this is fo foundatio tional l role le. I I recogniz ize th that t my code will ill be used in in wa ways I cannot anticipat ant pate, in n ways ays it was as no not designe ned, and and for long nger th than it it was ever in inte tended. I recogniz I ize th that t my code will ill be atta ttacked by ta tale lente ted and pe persistent nt adve adversar aries who ho thr hreat aten n our phy physical al, ec econ onom omic ic, and nation ional sec securit ity. I I recogniz ize th these ese thin ings s - a and I I c choose t to b be r rugged. I am rugged because I I I refu fuse to to be a source of f vu vulne nerability or weakne kness. I I am rugged because I I assure my code will ill support t its its mi mission. I I am rugged because my code can fa face th these challe llenges and and pe persist in n spi pite te of f th them. I I am rugged, not t because it it is is easy, but t because it it is is necessar ne ary. y... and and I am am up up for the he chal hallenge nge. @joshcorman

  18. I I recogniz ize th that t softw ftware has become a fo foundatio tion of f our mo modern world. I recogniz I ize th the awesome responsib ibility ility th that t comes with ith th this is fo foundatio tional l role le. I I recogniz ize th that t my code will ill be used in in wa ways I cannot anticipat ant pate, in n ways ays it was as no not designe ned, and and for long nger th than it it was ever in inte tended. I recogniz I ize th that t my code will ill be atta ttacked by ta tale lente ted and pe persistent nt adve adversar aries who ho thr hreat aten n our phy physical al, ec econ onom omic ic, and nation ional sec securit ity. I I recogniz ize th these ese thin ings s - a and I I c choose t to b be r rugged. I I am rugged because I I refu fuse to to be a source of f vulne vu nerability or weakne kness. I I am rugged because I I assure my code will ill support t its its mi mission. @joshcorman

  19. I Am The Cavalry The Cavalry isn’t coming … It falls to us Problem Statement Mission Statement Our society is adopHng connected To ensure connected technologies with technology faster than we are able to the potenHal to impact public safety secure it . and human life are worthy of our trust . • The Why Trust, public safety, human life How EducaHon, outreach, research Who Infosec research community AutomoHve Connected Public Who Global, grass roots iniHaHve Medical Home Infrastructure What Long-term vision for cyber safety Collec9ng exisHng research, researchers, and resources Connec9ng researchers with each other, industry, media, policy, and legal Collabora9ng across a broad range of backgrounds, interests, and skillsets @joshcorman Catalyzing posiHve acHon sooner than it would have happened on its own

  20. 5-Star Framework Addressing Automotive Cyber Systems 5-Star Capabili9es « Safety by Design – AnHcipate failure and plan miHgaHon « Third-Party Collabora9on – Engage willing allies « Evidence Capture – Observe and learn from failure « Security Updates – Respond quickly to issues discovered « Segmenta9on & Isola9on – Prevent cascading failure Connec9ons and Ongoing Collabora9ons AutomoHve Policy Insurance Accident Standards Security Engineers Makers Analysts InvesHgators OrganizaHons Researchers @joshcorman h`ps://www.iamthecavalry.org/auto/5star/

  21. 5-Star Cyber Safety Formal Capacities Plain Speak 1. Safety By Design 1. Avoid Failure 2. Third Party 2. Engage Allies To Avoid Collaboration Failure 3. Evidence Capture 3. Learn From Failure 4. Security Updates 4. Respond to Failure 5. Segmentation and 5. Isolate Failure Isolation www.iamthecavalry.org @iamthecavalry

  22. h/t @petecheslock DevOpsDays AusHn 2015 True #DevOps + Security isn’t all rainbows & unicorns. Unicorn p00p has to be worked thru @joshcorman @mortman #RSAC @joshcorman

  23. SESSION ID: ASD-T07R Continuous Security: 5 Ways DevOps Improves Security Joshua Corman David Mortman Chief Security Architect & Distinguished Engineer CTO Dell Software Sonatype @mortman @joshcorman #RSAC

  24. @joshcorman

  25. @joshcorman

  26. @joshcorman

  27. Innovate! PRODUCTIVITY TIME @joshcorman

  28. @joshcorman 28

  29. ACCEPTABLE ON TIME ON BUDGET QUALITY/RISK @joshcorman

  30. @joshcorman

  31. Agile goats; not goat rodeo. “We need to be agile, but not fragile.” @RuggedSojware @joshcorman @mortman #RSAC #DevOps @joshcorman

  32. ON TIME. ON BUDGET. ACCEPTABLE QUALITY/RISK. Faster builds. More efficient. Easier compliance. Fewer interrup9ons. More profitable. Higher quality. More innova9on. More compe99ve. Built-in audit protec9on. Agile / CI @joshcorman

  33. DevOps It may feel like DevOps is Pandora’s Box, but it’s open… and hope remains. ;) @joshcorman @mortman #RSAC #DevOps @joshcorman

  34. ON TIME. ON BUDGET. ACCEPTABLE QUALITY/RISK. Faster builds. More efficient. Easier compliance. Fewer interrup9ons. More profitable. Higher quality. More innova9on. More compe99ve. Built-in audit protec9on. Agile / CI DevOps / CD @joshcorman

  35. SW Supply Chains @joshcorman

  36. ON TIME. ON BUDGET. ACCEPTABLE QUALITY/RISK. Faster builds. More efficient. Easier compliance. Fewer interrup9ons. More profitable. Higher quality. More innova9on. More compe99ve. Built-in audit protec9on. Agile / CI DevOps / CD SW Supply Chain @joshcorman

  37. Comparing the Prius and the Volt Toyota Toyota Chevy Advantage Prius Volt Unit Cost 61% $24,200 $39,900 Units Sold 13x 23,294 1,788 In-House 50% 27% 54% ProducHon 16% Plant Suppliers 125 800 (10x per) Firm-Wide 4% 224 5,500 Suppliers @joshcorman

  38. Embrace proven supply chain principles @joshcorman

  39. Software Supply Chain Hygiene Use better & fewer Use higher Track what you use suppliers quality parts and where @joshcorman

  40. Open source usage is EXPLODING Yesterday’s source code is now replaced with OPEN SOURCE components 2014 2007 2008 2009 2010 2011 2012 2013 1B 2B 4B 6B 8B 13B 17B 500M @joshcorman 40 Source: Sonatype, Inc. analysis of (Maven) Central Repository component requests.

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Faster Haskell Neil Mitchell www.cs.york.ac.uk/~ndm The Goal Make Haskell faster

Faster Haskell Neil Mitchell www.cs.york.ac.uk/~ndm The Goal Make Haskell faster

Faster Haskell Neil Mitchell www.cs.york.ac.uk/~ndm The Goal Make Haskell faster Reduce the runtime But keep high-level declarative style Full automatic - no special functions Different from foldr/build,

478 views • 24 slides
FASTER TRANSFORMER Bo Yang Hsueh, 2019/12/18 AGENDA What is Faster Transformer Introduce the

FASTER TRANSFORMER Bo Yang Hsueh, 2019/12/18 AGENDA What is Faster Transformer Introduce the

FASTER TRANSFORMER Bo Yang Hsueh, 2019/12/18 AGENDA What is Faster Transformer Introduce the Transformer and Faster Transformer 1.0 New Features in Faster Transformer 2.0 Introduce the Faster Transformer 2.0 Faster Transformer 2.0 performance

932 views • 55 slides
Faster Code Nicolas Limare 2014/11/19 faster? one task vs many speeds one operation vs many

Faster Code Nicolas Limare 2014/11/19 faster? one task vs many speeds one operation vs many

Faster Code Nicolas Limare 2014/11/19 faster? one task vs many speeds one operation vs many algos one algo vs many codes one code vs many binaries one binary vs many runs We want faster runs for the same operation. why go fast?

620 views • 17 slides
Water Rights Accounting New Accounting Model New Technology: 1979 versus 2011 Faster

Water Rights Accounting New Accounting Model New Technology: 1979 versus 2011 Faster

Water Rights Accounting New Accounting Model New Technology: 1979 versus 2011 Faster processors Faster graphics Larger, faster, memory Larger, faster, disk storage Common Application Use single application to build and

585 views • 33 slides
SIDH on ARM: Faster Modular Multiplications for Faster Post-Quantum Supersingular Isogeny Key

SIDH on ARM: Faster Modular Multiplications for Faster Post-Quantum Supersingular Isogeny Key

SIDH on ARM: Faster Modular Multiplications for Faster Post-Quantum Supersingular Isogeny Key Exchange. Hwajeong Seo (Hansung University), Zhe Liu (Nanjing University of Aeronautics and Astronautics), Patrick Longa (Microsoft Research), Zhi

593 views • 36 slides
FASTER Overview Aspa Tzeletopoulou Alexios Vlachopoulos 833507 FASTER

FASTER Overview Aspa Tzeletopoulou Alexios Vlachopoulos 833507 FASTER

FASTER Overview Aspa Tzeletopoulou Alexios Vlachopoulos 833507 FASTER H2020-SU-SEC-2018-2019-2020/H2020-SU-SEC-2018 1 Project funded by: EUROPEAN UNION - Research Executive Agency (REA) Project Information First responder Advanced

312 views • 14 slides
WRITING FASTER CODE 1 . 1 WRITING FASTER CODE AND NOT HATING YOUR JOB AS A SOFTWARE DEVELOPER

WRITING FASTER CODE 1 . 1 WRITING FASTER CODE AND NOT HATING YOUR JOB AS A SOFTWARE DEVELOPER

WRITING FASTER CODE 1 . 1 WRITING FASTER CODE AND NOT HATING YOUR JOB AS A SOFTWARE DEVELOPER 1 . 2 WRITING FASTER PYTHON @SebaWitowski 1 . 3 PYTHON WAS NOT MADE TO BE FAST... ...BUT TO MAKE DEVELOPERS FAST. 2 . 1 It was nice to

451 views • 43 slides
NEW PRODUCT LAUNCH: ATR-500 ADJUSTABLE TRAY ROLLER Part Number: ATR-500 FASTER Installs faster

NEW PRODUCT LAUNCH: ATR-500 ADJUSTABLE TRAY ROLLER Part Number: ATR-500 FASTER Installs faster

NEW PRODUCT LAUNCH: ATR-500 ADJUSTABLE TRAY ROLLER Part Number: ATR-500 FASTER Installs faster than standard cable rollers SAFER Enables secure vertical rise and drop of cable SMARTER Handles tray rung spacing from 10 to 20- 1/4

607 views • 9 slides
Faster Cover Trees Mike Izbicki and Christian R. Shelton UC Riverside Izbicki and Shelton (UC

Faster Cover Trees Mike Izbicki and Christian R. Shelton UC Riverside Izbicki and Shelton (UC

Faster Cover Trees Mike Izbicki and Christian R. Shelton UC Riverside Izbicki and Shelton (UC Riverside) Faster Cover Trees July 7, 2015 1 / 21 Outline Why care about faster cover trees? Making cover trees faster. Experimental setup

465 views • 23 slides
10-20x Faster 10-20x Faster Software Builds Software Builds John Ousterhout 2307 Leghorn

10-20x Faster 10-20x Faster Software Builds Software Builds John Ousterhout 2307 Leghorn

10-20x Faster 10-20x Faster Software Builds Software Builds John Ousterhout 2307 Leghorn Street Mountain View, CA 94043 www.electric-cloud.com Overview Overview Slow builds impact almost all medium/large development teams Electric Cloud

716 views • 32 slides
Memory Hierarchy & Caching Use several levels of faster and faster memory to hide delay of

Memory Hierarchy & Caching Use several levels of faster and faster memory to hide delay of

7a.1 7a.2 Memory Hierarchy & Caching Use several levels of faster and faster memory to hide delay of upper levels EE 457 Unit 7a Unit of Transfer: Word, Half, or Byte (LW, LH, LB or SW, SH, SB) Registers L1 Cache ~ 1ns Cache and

492 views • 10 slides
Get to ASICs Faster Get to ASICs Faster A Novel Mixed Signal Design Methodology Dr Greg

Get to ASICs Faster Get to ASICs Faster A Novel Mixed Signal Design Methodology Dr Greg

February 24-26, 2009 Get to ASICs Faster Get to ASICs Faster A Novel Mixed Signal Design Methodology Dr Greg Tumbush: Tumbush Enterprises Dr. Greg Tumbush: Tumbush Enterprises ON Semiconductor: Gareth Weale, Dustin Griesdorf, , , Alaa

447 views • 20 slides
Faster cancer treatment November 2012 PREPARED BY Faster cancer treatment patient pathway

Faster cancer treatment November 2012 PREPARED BY Faster cancer treatment patient pathway

Faster cancer treatment November 2012 PREPARED BY Faster cancer treatment patient pathway approach that covers surgical and non-surgical cancer treatment measured by three indicators: DHBs are expected to provide baseline

294 views • 11 slides
Making State Government Simpler, Faster, Better, and Less Costly Michael Buerger and Rich

Making State Government Simpler, Faster, Better, and Less Costly Michael Buerger and Rich

Making State Government Simpler, Faster, Better, and Less Costly Michael Buerger and Rich Martinski February 10, 2014 SIMPLER. FASTER. BETTER. LESS COSTLY. SIMPLER. FASTER. BETTER. LESS COSTLY. 7 Steps to Implementing Lean

910 views • 37 slides
RCRA Brownbag Session Faster Cleanup and Faster Reuse at RCRA Corrective Action Sites and PCB

RCRA Brownbag Session Faster Cleanup and Faster Reuse at RCRA Corrective Action Sites and PCB

RCRA Brownbag Session Faster Cleanup and Faster Reuse at RCRA Corrective Action Sites and PCB Cleanup Sites Steve Armann, Manager, US EPA Region 9 Joseph Kelly, Project Manager US EPA Region 5 10/3/2018 1 U.S. Environmental Protection Agency

249 views • 14 slides
Quantum Computing, At First Glance, This . . . Here We Come! Making Lemonade . . . Fast Search

Quantum Computing, At First Glance, This . . . Here We Come! Making Lemonade . . . Fast Search

Faster, Faster, Faster: . . . Blame It on Einsteins . . . Honey, I Shrunk the . . . Why Is Micro-World . . . Quantum Computing, At First Glance, This . . . Here We Come! Making Lemonade . . . Fast Search Vladik Kreinovich End of

566 views • 25 slides
Locking Up the Case Walter Energy July 15, 2015 chapter 11 filing Pre-petition funded

Locking Up the Case Walter Energy July 15, 2015 chapter 11 filing Pre-petition funded

Locking Up the Case Walter Energy July 15, 2015 chapter 11 filing Pre-petition funded debt obligations of $3.153 billion, consisting of: $978.2 first lien term loans and $73 million in letter of credit commitments o $970 million of

406 views • 18 slides
Cryptography Intro and RSA Well, a gentle intro to cryptography, followed by a description of

Cryptography Intro and RSA Well, a gentle intro to cryptography, followed by a description of

Cryptography Intro and RSA Well, a gentle intro to cryptography, followed by a description of public key crypto and RSA. Fall 2018 CS 222: Discrete Structures 1 Definition Cryptology is the study of secret writing Concerned with

681 views • 54 slides
Exporting Non- Exportable RSA Keys March 18, 2011 Jason Geffner Principal Security Consultant

Exporting Non- Exportable RSA Keys March 18, 2011 Jason Geffner Principal Security Consultant

NGS Secure Black Hat Europe 2011 Exporting Non- Exportable RSA Keys March 18, 2011 Jason Geffner Principal Security Consultant & Account Manager jason.geffner@ngssecure.com NCC Group Plc, Manchester Technology Centre, Oxford Road,

934 views • 34 slides
HOST RSA ECE 495/595 RSA (material drawn from Avi Kak (kak@purdue.edu) Lecture 12, Lecture

HOST RSA ECE 495/595 RSA (material drawn from Avi Kak (kak@purdue.edu) Lecture 12, Lecture

HOST RSA ECE 495/595 RSA (material drawn from Avi Kak (kak@purdue.edu) Lecture 12, Lecture Notes on "Computer and Network Security" Used in asymmetric crypto. protocols The RSA algorithm is based on the following property of positive

530 views • 19 slides
A Canadian Perspective on the IAEAs State-level Concept Presented by Patrick Burton Senior

A Canadian Perspective on the IAEAs State-level Concept Presented by Patrick Burton Senior

IAEA Symposium on International Safeguards: Linking Strategy, Implementation and People Vienna, October 20-24, 2014 A Canadian Perspective on the IAEAs State-level Concept Presented by Patrick Burton Senior Safeguards Advisor Canadian

736 views • 24 slides
Overview of the Development and Discussion on Evolving Safeguards Implementation Jill N. Cooley

Overview of the Development and Discussion on Evolving Safeguards Implementation Jill N. Cooley

Overview of the Development and Discussion on Evolving Safeguards Implementation Jill N. Cooley Department of Safeguards IAEA International Atomic Energy Agency Contents Key Developments in Safeguards Implementation for the State as a

663 views • 17 slides
Security Hands-on @ Pavilion Automate Security Operations with Phantom & Splunk Splunk |

Security Hands-on @ Pavilion Automate Security Operations with Phantom & Splunk Splunk |

Security Hands-on @ Pavilion Automate Security Operations with Phantom & Splunk Splunk | Security Markets September 26 | Washington, DC The Leader in Security Automation & Orchestration Phantom Community Growing Larger Each Day

450 views • 8 slides
Cryptographic Properties and Applications of Bipermutive Cellular Automata Luca Mariot

Cryptographic Properties and Applications of Bipermutive Cellular Automata Luca Mariot

Cryptographic Properties and Applications of Bipermutive Cellular Automata Luca Mariot Dipartimento di Informatica, Sistemistica e Comunicazione, Universit degli Studi Milano - Bicocca, l.mariot@campus.unimib.it Nice, April 16, 2014 Luca

826 views • 56 slides

More recommend