Even Faster: How Rugged DevOps & SW Supply Chains Attack Developer Waste (PowerPoint presentation, Josh Corman @joshcorman)


SLIDE 1

Even Faster: How Rugged DevOps & SW Supply Chains Attack Developer Waste

Josh Corman @joshcorman

SLIDE 2

Conclusions / Apply!

§ Idea: A full embrace of Deming is a SW Supply Chain:
  § Fewer/Better Suppliers
  § Highest Quality Supply
  § Traceability/Visibility throughout Manufacturing / Prompt & Agile Recall
§ Benefits: Such rigor enables:
  § Even FASTER: Fewer instances of Unplanned/Unscheduled Work (and fewer context switches)
  § More EFFICIENT: Faster MTTD/MTTR
  § Better QUALITY/RISK: Avoid elective/avoidable complexity/risk
§ Urgency: It's Open Season on Open Source
  § And our dependence on connected tech is increasingly a public safety issue
§ Coming Actions: "Known Vulnerabilities" Convergence
  § Lawmakers, Insurers, Lawyers, etc. are converging

SLIDE 3

Who am I?

Joshua Corman, CTO, Sonatype, @joshcorman

SLIDE 4

SLIDE 5

SLIDE 6

SLIDE 7

True #DevOps + Security isn't all rainbows & unicorns. Unicorn p00p has to be worked thru. @joshcorman @mortman #RSAC

h/t @petecheslock, DevOpsDays Austin 2015

SLIDE 8

SLIDE 9

#RSAC

Rugged DevOps: Going Even Faster With Software Supply Chains

Gene Kim, Researcher and Author, IT Revolution Press, @RealGeneKim
Joshua Corman, CTO, Sonatype, @joshcorman

SLIDE 10

10/23/2013 @joshcorman

~ Marc Andreessen, 2011

SLIDE 11

SLIDE 12

Trade Offs: Costs & Benefits

SLIDE 13

Beyond Heartbleed: OpenSSL in 2014

(31 in NIST's NVD through December; the slide's list is truncated)

CVE             Published   CVSS v2 Severity   Note
CVE-2014-3470   6/5/2014    4.3 MEDIUM         <- SIEMENS *
CVE-2014-0224   6/5/2014    6.8 MEDIUM         <- SIEMENS *
CVE-2014-0221   6/5/2014    4.3 MEDIUM
CVE-2014-0195   6/5/2014    6.8 MEDIUM
CVE-2014-0198   5/6/2014    4.3 MEDIUM         <- SIEMENS *
CVE-2013-7373   4/29/2014   7.5 HIGH
CVE-2014-2734   4/24/2014   5.8 MEDIUM         ** DISPUTED **
CVE-2014-0139   4/15/2014   5.8 MEDIUM
CVE-2010-5298   4/14/2014   4.0 MEDIUM
CVE-2014-0160   4/7/2014    5.0 MEDIUM         <- Heartbleed
CVE-2014-0076   3/25/2014   4.3 MEDIUM
CVE-2014-0016   3/24/2014   4.3 MEDIUM
CVE-2014-0017   3/14/2014   1.9 LOW
CVE-2014-2234   3/5/2014    6.4 MEDIUM
CVE-2013-7295   1/17/2014   4.0 MEDIUM
CVE-2013-4353   1/8/2014    4.3 MEDIUM
CVE-2013-6450   1/1/2014    5.8 MEDIUM
…

As of today, internet scans by Masscan reveal that 300,000 of the original 600,000 remain unpatched or unpatchable.

SLIDE 14

Heartbleed + (Unpatchable) Internet of Things == ___ ?

In Our Bodies. In Our Homes. In Our Infrastructure. In Our Cars.

SLIDE 15

Sarcasm: I'm shocked!

SLIDE 16

SLIDE 17

The Rugged Manifesto

I am rugged... and more importantly, my code is rugged.
I recognize that software has become a foundation of our modern world.
I recognize the awesome responsibility that comes with this foundational role.
I recognize that my code will be used in ways I cannot anticipate, in ways it was not designed, and for longer than it was ever intended.
I recognize that my code will be attacked by talented and persistent adversaries who threaten our physical, economic, and national security.
I recognize these things - and I choose to be rugged.
I am rugged because I refuse to be a source of vulnerability or weakness.
I am rugged because I assure my code will support its mission.
I am rugged because my code can face these challenges and persist in spite of them.
I am rugged, not because it is easy, but because it is necessary... and I am up for the challenge.
SLIDE 18

(Build slide: repeats the middle of the Rugged Manifesto from slide 17, "I recognize that software..." through "...support its mission.")

SLIDE 19

I Am The Cavalry

The Cavalry isn't coming… It falls to us

Problem Statement
Our society is adopting connected technology faster than we are able to secure it.

Mission Statement
To ensure connected technologies with the potential to impact public safety and human life are worthy of our trust.

Why:  Trust, public safety, human life
How:  Education, outreach, research
Who:  Infosec research community; a global, grass-roots initiative
What: Long-term vision for cyber safety

Collecting existing research, researchers, and resources
Connecting researchers with each other, industry, media, policy, and legal
Collaborating across a broad range of backgrounds, interests, and skillsets
Catalyzing positive action sooner than it would have happened on its own

Focus areas: Medical, Automotive, Connected Home, Public Infrastructure

SLIDE 20

5-Star Framework: Addressing Automotive Cyber Systems

« Safety by Design – Anticipate failure and plan mitigation
« Third-Party Collaboration – Engage willing allies
« Evidence Capture – Observe and learn from failure
« Security Updates – Respond quickly to issues discovered
« Segmentation & Isolation – Prevent cascading failure

Connections and ongoing collaborations: Automotive Engineers, Security Researchers, Policy Makers, Insurance Analysts, Accident Investigators, Standards Organizations

https://www.iamthecavalry.org/auto/5star/

SLIDE 21

www.iamthecavalry.org @iamthecavalry

5-Star Cyber Safety

Formal Capacities                 Plain Speak
1. Safety By Design               1. Avoid Failure
2. Third Party Collaboration      2. Engage Allies To Avoid Failure
3. Evidence Capture               3. Learn From Failure
4. Security Updates               4. Respond to Failure
5. Segmentation and Isolation     5. Isolate Failure
SLIDE 22

True #DevOps + Security isn't all rainbows & unicorns. Unicorn p00p has to be worked thru. @joshcorman @mortman #RSAC

h/t @petecheslock, DevOpsDays Austin 2015

SLIDE 23

#RSAC

Continuous Security: 5 Ways DevOps Improves Security (Session ID: ASD-T07R)

David Mortman, Chief Security Architect & Distinguished Engineer, Dell Software, @mortman
Joshua Corman, CTO, Sonatype, @joshcorman

SLIDE 24

SLIDE 25

SLIDE 26

SLIDE 27

Innovate! (chart: Productivity vs. Time)

SLIDE 28

SLIDE 29

ON TIME. ON BUDGET. ACCEPTABLE QUALITY/RISK.

SLIDE 30

SLIDE 31

Agile goats; not goat rodeo. "We need to be agile, but not fragile." @RuggedSoftware @joshcorman @mortman #RSAC #DevOps

SLIDE 32

Agile / CI

ON TIME. Faster builds. Fewer interruptions. More innovation.
ON BUDGET. More efficient. More profitable. More competitive.
ACCEPTABLE QUALITY/RISK. Easier compliance. Higher quality. Built-in audit protection.

SLIDE 33

DevOps

It may feel like DevOps is Pandora's Box, but it's open… and hope remains. ;) @joshcorman @mortman #RSAC #DevOps

SLIDE 34

Agile / CI + DevOps / CD

ON TIME. Faster builds. Fewer interruptions. More innovation.
ON BUDGET. More efficient. More profitable. More competitive.
ACCEPTABLE QUALITY/RISK. Easier compliance. Higher quality. Built-in audit protection.

SLIDE 35

SW Supply Chains

SLIDE 36

Agile / CI + DevOps / CD + SW Supply Chain

ON TIME. Faster builds. Fewer interruptions. More innovation.
ON BUDGET. More efficient. More profitable. More competitive.
ACCEPTABLE QUALITY/RISK. Easier compliance. Higher quality. Built-in audit protection.

SLIDE 37

Comparing the Prius and the Volt

                        Toyota Advantage    Toyota Prius    Chevy Volt
Unit Cost               61%                 $24,200         $39,900
Units Sold              13x                 23,294          1,788
In-House Production     50%                 27%             54%
Plant Suppliers         16% (10x per)       125             800
Firm-Wide Suppliers     4%                  224             5,500

SLIDE 38

Embrace proven supply chain principles

SLIDE 39

Software Supply Chain Hygiene

Use higher quality parts
Use better & fewer suppliers
Track what you use and where

SLIDE 40

Open source usage is EXPLODING

Yesterday's source code is now replaced with OPEN SOURCE components

Chart: (Maven) Central Repository component requests per year, 2007 through 2014: 500M, 1B, 2B, 4B, 6B, 8B, 13B, 17B.

Source: Sonatype, Inc. analysis of (Maven) Central Repository component requests.

SLIDE 41

Now that software is ASSEMBLED…

Our shared value becomes our shared attack surface

THINK LIKE AN ATTACKER

SLIDE 42

THINK LIKE AN ATTACKER

ONE EASY TARGET: one risky component now affects thousands of victims

SLIDE 43

STRUTS (diagram of one component's consumers): Global Bank, Software Provider, Software Provider's Customer, State University, Three-Letter Agency, Large Financial Exchange, Hundreds of Other Sites

SLIDE 44

Struts: with many eyeballs, all bugs are???

Chart: CVSS score (0 to 10) of Struts CVEs by year, 2005 through 2014; the vulnerabilities were latent 7 to 11 years.

CVEs plotted: CVE-2005-3745, CVE-2006-1546, CVE-2006-1547, CVE-2006-1548, CVE-2008-6504, CVE-2008-6505, CVE-2008-2025, CVE-2007-6726, CVE-2008-6682, CVE-2010-1870, CVE-2011-2087, CVE-2011-1772, CVE-2011-2088, CVE-2011-5057, CVE-2012-0392, CVE-2012-0391, CVE-2012-0393, CVE-2012-0394, CVE-2012-1006, CVE-2012-1007, CVE-2012-0838, CVE-2012-4386, CVE-2012-4387, CVE-2013-1966, CVE-2013-2115, CVE-2013-1965, CVE-2013-2134, CVE-2013-2135, CVE-2013-2248, CVE-2013-2251, CVE-2013-4316, CVE-2013-4310, CVE-2013-6348, CVE-2014-0094

SLIDE 45

BOUNCY CASTLE

In 2013, 4,000 organizations downloaded a version of Bouncy Castle with a level 10 vulnerability 20,000 TIMES… into XXX,XXX applications… SEVEN YEARS after the vulnerability was fixed.

NATIONAL CYBER AWARENESS SYSTEM
Original Notification Date: 03/30/2009
CVE-2007-6721 Bouncy Castle Java Cryptography API
CVSS v2 Base Score: 10.0 HIGH; Impact Subscore: 10.0; Exploitability Subscore: 10.0

SLIDE 46

HTTPCLIENT 3.X

In December 2013, 6,916 DIFFERENT organizations downloaded a version of httpclient with broken SSL validation (CVE-2012-5783) 66,824 TIMES… more than ONE YEAR AFTER THE ALERT.

NATIONAL CYBER AWARENESS SYSTEM
Original Release Date: 11/04/2012
CVE-2012-5783 Apache Commons HttpClient 3.x
CVSS v2 Base Score: 5.8 MEDIUM; Impact Subscore: 4.9; Exploitability Subscore: 8.6

SLIDE 47

Current approaches AREN'T WORKING

TAKE COSTS OUT OF YOUR SUPPLY CHAIN: Component Selection
(pipeline: COMPONENT SELECTION -> DEVELOPMENT -> BUILD AND DEPLOY -> PRODUCTION)

228K   Unique components downloaded per company
75%    Lack meaningful controls over components in apps
X      Average number of suppliers per company
48     Different versions of the same component downloaded

SLIDE 48

COMMERCIAL RESPONSES TO OPENSSL: Who Wants a Data Viz?

Chart: Product Vulnerability Disclosures Following the Heartbleed Announcement (circle size indicates CVSS severity score). Vendors plotted include F5, IBM, Cisco and McAfee; the initial Heartbleed OpenSSL disclosure (CVSS level 5, underscored) and the later "New OpenSSL Disclosures (both CVSS level 10)" are marked.
X axis: time (days) following initial Heartbleed disclosure and patch availability (0 to 120)
Y axis: number of products included in the vendor vulnerability disclosure (0 to 120)
Z axis (circle size): exposure as measured by the CVE CVSS score

SLIDE 49

https://www.usenix.org/system/files/login/articles/15_geer_0.pdf

For the 41%: 390 days. CVSS 10s: 224 days.

SLIDE 50

TRUE COSTS (& LEAST COST AVOIDERS)

Chart across industries: ACME Enterprise, Bank, Retail, Manufacturing, BioPharma, Education, High Tech

SLIDE 51

SLIDE 52

H.R. 5793 "Cyber Supply Chain Management and Transparency Act of 2014"

§ Elegant Procurement Trio
  1) Ingredients: Anything sold to $PROCURING_ENTITY must provide a Bill of Materials of 3rd Party and Open Source Components (along with their Versions)
  2) Hygiene & Avoidable Risk: …and cannot use known vulnerable components for which a less vulnerable component is available (without a written and compelling justification accepted by $PROCURING_ENTITY)
  3) Remediation: …and must be patchable/updateable, as new vulnerabilities will inevitably be revealed

SLIDE 53

PROCUREMENT TRIO + BOUNCY CASTLE

In 2013, 4,000 organizations downloaded a version of Bouncy Castle with a level 10 vulnerability 20,000 TIMES… into XXX,XXX applications… SEVEN YEARS after the vulnerability was fixed.

NATIONAL CYBER AWARENESS SYSTEM
Original Notification Date: 03/30/2009
CVE-2007-6721 Bouncy Castle Java Cryptography API
CVSS v2 Base Score: 10.0 HIGH; Impact Subscore: 10.0; Exploitability Subscore: 10.0

SLIDE 54

TWO LITTLE WORDS

SLIDE 55

KNOWN VULNERABILITIES

SLIDE 56

Hot off the presses: 2015 Verizon DBIR

SLIDE 57

SLIDE 58

SW Supply Chain Intelligence Goes Here

SLIDE 59

Software Supply Chain Hygiene

Use higher quality parts
Use better & fewer suppliers
Track what you use and where
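The three hygiene rules above (use higher quality parts, use better and fewer suppliers, track what you use and where) and the procurement trio on slide 52 (a bill of materials, no known vulnerable component where a less vulnerable one is available, and keep it patchable) reduce to a check that can be run over a dependency inventory. What follows is an added example, not code from the talk or from Sonatype: it builds a per-application bill of materials from a constructed inventory of Maven coordinates, flags components hit by a constructed vulnerability feed (the CVE ids are the ones on the slides, but the affected ranges and the `fixed_in` values are illustrative assumptions, not NVD data), and reports supplier count and version sprawl. The names INVENTORY, VULN_FEED, build_bom, known_vulnerable, supplier_stats and where_used are this example's own.

```python
"""Software supply chain hygiene check over a constructed component inventory.

Added example (not from the talk or from Sonatype). Maps the slide's rules to code:
  track what you use and where -> build_bom / where_used
  use higher quality parts     -> known_vulnerable (with the less vulnerable version, if one exists)
  better & fewer suppliers     -> supplier_stats (supplier count, version sprawl)
"""
import re
from collections import defaultdict
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Component:
    group: str      # the supplier (Maven groupId)
    artifact: str
    version: str

    @property
    def name(self) -> str:
        return f"{self.group}:{self.artifact}"


@dataclass(frozen=True)
class Vuln:
    cve: str
    fixed_in: Optional[str]   # first clean version in this line; None if the whole line is affected


def parse_coordinate(coord: str) -> Component:
    """Parse 'group:artifact:version' as printed by a Maven dependency tree."""
    group, artifact, version = coord.split(":")
    return Component(group, artifact, version)


def version_key(version: str) -> tuple:
    """Sort key for dotted versions: numeric parts compare as numbers, other parts as text."""
    return tuple((0, int(p)) if p.isdigit() else (1, p) for p in re.split(r"[.\-]", version))


# Constructed inventory (assumption for this example): what each app ships with.
# In a real estate this comes from lockfiles or `mvn dependency:tree`.
INVENTORY = {
    "payments-api": [
        "org.bouncycastle:bcprov-jdk15:1.36",
        "commons-httpclient:commons-httpclient:3.1",
        "org.apache.struts:struts2-core:2.3.16",
    ],
    "reporting": [
        "org.bouncycastle:bcprov-jdk15:1.50",
        "org.apache.struts:struts2-core:2.3.16.3",
        "com.google.guava:guava:18.0",
    ],
    "batch-loader": [
        "org.bouncycastle:bcprov-jdk15:1.38",
        "com.google.guava:guava:17.0",
    ],
}

# Constructed vulnerability feed. CVE ids are the ones on the slides; the
# affected ranges / fixed_in values are illustrative assumptions, not NVD data.
VULN_FEED = {
    "org.bouncycastle:bcprov-jdk15": [Vuln("CVE-2007-6721", fixed_in="1.38")],
    "commons-httpclient:commons-httpclient": [Vuln("CVE-2012-5783", fixed_in=None)],
    "org.apache.struts:struts2-core": [Vuln("CVE-2014-0094", fixed_in="2.3.16.2")],
}


def build_bom(inventory):
    """Bill of materials: app -> list of Components (the 'ingredients' label)."""
    return {app: [parse_coordinate(c) for c in coords] for app, coords in inventory.items()}


def is_affected(component: Component, vuln: Vuln) -> bool:
    if vuln.fixed_in is None:
        return True
    return version_key(component.version) < version_key(vuln.fixed_in)


def known_vulnerable(bom, feed):
    """Every (app, component, CVE) hit, with the version that clears it when the line has one."""
    findings = []
    for app, components in bom.items():
        for comp in components:
            for vuln in feed.get(comp.name, []):
                if is_affected(comp, vuln):
                    findings.append({"app": app, "component": comp.name, "version": comp.version,
                                     "cve": vuln.cve, "upgrade_to": vuln.fixed_in})
    return findings


def supplier_stats(bom):
    """Distinct suppliers across the estate and components shipped in more than one version."""
    suppliers, versions = set(), defaultdict(set)
    for components in bom.values():
        for comp in components:
            suppliers.add(comp.group)
            versions[comp.name].add(comp.version)
    sprawl = {name: sorted(v, key=version_key) for name, v in versions.items() if len(v) > 1}
    return {"suppliers": len(suppliers), "version_sprawl": sprawl}


def where_used(bom, name):
    """Recall support: which apps ship a component, and at which versions."""
    return {app: [c.version for c in comps if c.name == name]
            for app, comps in bom.items() if any(c.name == name for c in comps)}


if __name__ == "__main__":
    bom = build_bom(INVENTORY)
    for finding in known_vulnerable(bom, VULN_FEED):
        print(finding)
    print(supplier_stats(bom))
    print(where_used(bom, "org.bouncycastle:bcprov-jdk15"))
```

On the constructed data, payments-api is the only app with findings: the Bouncy Castle entry has a less vulnerable version in the same line (the slide 52 rule would require an upgrade or a written justification), the HttpClient 3.x entry does not (the fix is a different component line, so `upgrade_to` is None and the rule forces a replacement), and the estate carries three versions of Bouncy Castle, which is the version sprawl slide 47 counts. The `where_used` lookup is what makes the "prompt and agile recall" from the conclusions slide possible when the next Heartbleed lands.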

SLIDE 60

> 30% Boost:
1) Less Unplanned/Unscheduled Work (and painful Context Switching)
2) Fewer Service Interruptions and Break-Fixes
3) Faster MTTI/MTTR when things do go wrong

SLIDE 61

Conclusions / Apply!

§ Idea: A full embrace of Deming is a SW Supply Chain:
  § Fewer/Better Suppliers
  § Highest Quality Supply
  § Traceability/Visibility throughout Manufacturing / Prompt & Agile Recall
§ Benefits: Such rigor enables:
  § Even FASTER: Fewer instances of Unplanned/Unscheduled Work (and fewer context switches)
  § More EFFICIENT: Faster MTTD/MTTR
  § Better QUALITY/RISK: Avoid elective/avoidable complexity/risk
§ Urgency: It's Open Season on Open Source
  § And our dependence on connected tech is increasingly a public safety issue
§ Coming Actions: "Known Vulnerabilities" Convergence
  § Lawmakers, Insurers, Lawyers, etc. are converging

SLIDE 62

SLIDE 63

SLIDE 64

Even Faster: How Rugged DevOps & SW Supply Chains Attack Developer Waste

Josh Corman @joshcorman