Securing Software Supply Chains Why 3 Days Might Be Your New Normal - - PowerPoint PPT Presentation

SLIDE 1

Securing Software Supply Chains

Why 3 Days Might Be Your New Normal for DevSecOps

Cameron Townshend, Solution Architect, APJ, Sonatype
SLIDE 2

Since 2000, 52% of Fortune 500 have been replaced.

Established business leaders are also under attack…

SLIDE 3

Source: https://www.visualcapitalist.com/animation-top-15-global-brands-2000-2018/
SLIDE 4

What is software supply chain management? A new (yet proven) way of thinking.

  • 1. Source parts from fewer and better suppliers.
  • 2. Use only the highest quality parts.
  • 3. Never pass known defects downstream.
  • 4. Continuously track location of every part.

W. Edwards Deming, 1945
SLIDE 5

Jez Humble, 2010

SLIDE 6

Gene Kim, 2013

SLIDE 7

SLIDE 8

Velocity: 47% deploy multiple times per week

Source: 2019 DevSecOps Community Survey

SLIDE 9

59,000 data breaches have been reported to GDPR regulators since May 2018

Source: DLA Piper, February 2019
SLIDE 10

Business applications are under attack…

51% of enterprises suffered at least one breach in the last 12 months.

43% of enterprise attacks are perpetrated by external actors.

68% of external attacks target web apps and known vulnerabilities.

Source: Forrester: Best Practices for Deploying And Managing Enterprise Password Managers – Jan 2018
SLIDE 11

Everyone has a software supply chain.

(even if you don’t call it that)
SLIDE 12

Demand drives 15,000 new releases every day

SLIDE 13

Automation accelerates OSS downloads

Source: Sonatype’s 2018 State of the Software Supply Chain Report
SLIDE 14
SLIDE 15

85% of your code is sourced from external suppliers

SLIDE 16

170,000 Java component downloads annually

3,500 unique

Source: 2018 State of the Software Supply Chain Report
SLIDE 17

60,660 JavaScript packages downloaded per developer per year

Source: npm, 2018
SLIDE 18

Not all parts are created equal.

SLIDE 19

We are not “building quality in”.

2016 Java Downloads (chart)

Source: 2019 State of the Software Supply Chain Report. NOT REFLECTIVE OF THE HARTFORD’S DATA

SLIDE 20
SLIDE 21

We are not “building quality in”.

2018 npm (chart)

Source: npm, 2018
SLIDE 22

Defect targets per million for six sigma:

Sigma level   Defects per million
1σ            691,000
2σ            309,000
3σ            66.8K
4σ            6.2K
5σ            233
6σ            3.4

Other values on the chart: 120K, 510,000, 1,000,000 (chart scale).
SLIDE 23

170,000 Java component downloads annually

3,500 unique

18,870 (11.1%) with known vulnerabilities
SLIDE 24

60,660 JavaScript packages downloaded annually per developer

30,936 (51%) with known vulnerabilities
SLIDE 25
SLIDE 26

Social normalization of deviance

“People within the organization become so much accustomed to a deviant behavior that they don't consider it as deviant, despite the fact that they far exceed their own rules for elementary safety.”

Diane Vaughan

SLIDE 27

Breaches increased 71%

24% suspect or have verified a breach related to open source components in the 2019 survey

14% suspect or have verified a breach related to open source components in the 2014 survey

Source: DevSecOps Community Survey 2014 and 2019
SLIDE 28

The speed of exploits has compressed 93%

Sources: Gartner, IBM, Sonatype
SLIDE 29

Quickly identify who is faster than their adversaries

Source: 2019 DevSecOps Community Survey

SLIDE 30

3 Days in March

March 7: Apache Struts releases updated version to thwart vulnerability CVE-2017-5638.
March 8: NSA reveals Pentagon servers scanned by nation-states for vulnerable Struts instances. Struts exploit published to Exploit-DB.
March 9: Cisco observes "a high number of exploitation events."
March 10: Equifax, Canada Revenue Agency, Statistics Canada, GMO Payment Gateway.

The Rest of the Story

March 13: Okinawa Power, Japan Post.
April 13: India Post.
December ’17: Monero crypto mining.
March ’18: India’s AADHAAR.

Today 65% of the Fortune 100 download vulnerable versions.

Equifax was not alone

SLIDE 31

Complete software bill of materials (SBOM)

2019 No DevOps Practice: 19%
2019 Mature DevOps Practices: 50%

Source: 2019 DevSecOps Community Survey
SLIDE 32

18,126 organizations downloading vulnerable versions of Struts (chart of downloads over time, marking the point where the breach was announced)

Source: Sonatype

SLIDE 33

DevSecOps challenge: automate faster than evil.

SLIDE 34

1.3 million vulnerabilities in OSS components undocumented

No corresponding CVE advisory in the public NVD database

SLIDE 35

The new battlefront: Software Supply Chain Attacks (timeline July 2017 to December 2018; image by Sonatype)

  • Study found credentials online affecting publishing access to 14% of the npm repository (+79,000 packages).
  • Malicious npm packages “typosquatted” (40 packages for 2 weeks, collecting env including npm publishing credentials).
  • 10 malicious Python packages: basic info collected and sent to a Chinese IP address.
  • Blog: “I’m harvesting credit card numbers and passwords from your site. Here’s how.”
  • Golang go-bindata GitHub id deleted and reclaimed.
  • Conventional-changelog compromised and turned into a Monero miner.
  • ssh-decorator Python module stealing private SSH keys.
  • Backdoor discovered in npm get-cookies module, published since March.
  • Unauthorized publishing of mailparser.
  • Gentoo Linux repository compromised.
  • Malicious ESLint discovered to be stealing npm credentials.
  • Homebrew repository compromised.
  • npm event-stream attack on CoPay.
SLIDE 36

At what point in the development process does your organization perform automated application analysis?

2019 No DevSecOps Practice vs 2019 Mature DevSecOps Practices (chart)
SLIDE 37

Which application security tools are used?

2019 No DevSecOps Practice 2019 Mature DevSecOps Practices
SLIDE 38

How are you informed of InfoSec and AppSec issues?

Automating security enables faster DevOps feedback loops
SLIDE 39

Automation continues to prove difficult to ignore

2019 No DevOps Practice vs 2019 Mature DevOps Practices (chart)

Source: 2019 DevSecOps Community Survey
SLIDE 40

Trusted software supply chains are 2x more secure

Source: 2018 State of the Software Supply Chain Report
SLIDE 41

“I see no prospect in the long run for avoiding liability for insecure code.”

Paul Rosenzweig, Senior Fellow, R Street Institute, 2018

SLIDE 42

The rising tide of regulation and software liability

SLIDE 43

January 2019

  • 1. An up to date inventory of open-source components utilized in the software
  • 2. A process for identifying known vulnerabilities within open source components
  • 3. 360 degree monitoring of open source components throughout the SDLC
  • 4. A policy and process to immediately remediate vulnerabilities as they become known

Source: https://blog.pcisecuritystandards.org/just-published-new-pci-software-security-standards
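The four requirements above, together with the Struts timeline on slide 30 and Deming's "never pass known defects downstream", come down to one automated check: know what is in the build, compare it against known advisories, and refuse to ship anything that matches. The following Python is an added example, not code from this presentation or from Sonatype. It parses a minimal CycloneDX-style SBOM (the JSON document and every component in it are constructed for illustration), matches each component by package URL and version range against an inline advisory list, and fails the build gate on a hit. The only real advisory data is CVE-2017-5638 itself, whose affected ranges (2.3.5 to 2.3.31 and 2.5 to 2.5.10, fixed in 2.3.32 and 2.5.10.1) are taken from the public Apache advisory; the version comparison is numeric-only and is not a full Maven or semver comparator.

```python
"""Added example, not code from the presentation or from Sonatype.

Parses a constructed CycloneDX-style SBOM, matches components against an
inline advisory list by purl and version range, and fails the build if a
known-vulnerable component would be passed downstream. The Struts ranges
are the real CVE-2017-5638 data; everything else is illustrative."""
import json
import re
from dataclasses import dataclass

# Constructed SBOM: one vulnerable Struts, one fixed Struts, two unrelated components.
SBOM_JSON = """
{
  "bomFormat": "CycloneDX",
  "specVersion": "1.4",
  "components": [
    {"type": "library", "group": "org.apache.struts", "name": "struts2-core",
     "version": "2.3.31", "purl": "pkg:maven/org.apache.struts/struts2-core@2.3.31"},
    {"type": "library", "group": "org.apache.struts", "name": "struts2-core",
     "version": "2.5.10.1", "purl": "pkg:maven/org.apache.struts/struts2-core@2.5.10.1"},
    {"type": "library", "group": "commons-fileupload", "name": "commons-fileupload",
     "version": "1.3.3", "purl": "pkg:maven/commons-fileupload/commons-fileupload@1.3.3"},
    {"type": "library", "name": "lodash", "version": "4.17.11",
     "purl": "pkg:npm/lodash@4.17.11"}
  ]
}
"""


@dataclass(frozen=True)
class Advisory:
    cve: str
    ecosystem: str    # purl type: maven, npm, pypi, ...
    package: str      # "namespace/name", or just "name" when the purl has no namespace
    introduced: str   # first affected version, inclusive
    fixed: str        # first fixed version, exclusive


# CVE-2017-5638 affects two separate branches, so it needs two range entries.
ADVISORIES = [
    Advisory("CVE-2017-5638", "maven", "org.apache.struts/struts2-core", "2.3.5", "2.3.32"),
    Advisory("CVE-2017-5638", "maven", "org.apache.struts/struts2-core", "2.5", "2.5.10.1"),
]

PURL_RE = re.compile(r"^pkg:([^/]+)/(?:([^@]+)/)?([^@/]+)@([^?#]+)")


def parse_purl(purl):
    """Return (ecosystem, 'namespace/name' or 'name', version) from a package URL."""
    m = PURL_RE.match(purl)
    if not m:
        raise ValueError(f"unparseable purl: {purl}")
    ecosystem, namespace, name, version = m.groups()
    return ecosystem, (f"{namespace}/{name}" if namespace else name), version


def version_key(v):
    """Comparable tuple for dotted numeric versions; non-numeric segments count as 0.
    Adequate for the Struts versions here, not a general Maven/semver comparator."""
    return tuple(int(p) if p.isdigit() else 0 for p in re.split(r"[.\-]", v))


def is_affected(version, adv):
    """introduced <= version < fixed, so 2.5.10 hits and 2.5.10.1 does not."""
    return version_key(adv.introduced) <= version_key(version) < version_key(adv.fixed)


def inventory(sbom):
    """Requirement 1: the unique components actually present in the software."""
    return sorted({c["purl"] for c in sbom["components"]})


def find_known_vulnerabilities(sbom, advisories=ADVISORIES):
    """Requirement 2: match every component against the advisory list."""
    findings = []
    for comp in sbom["components"]:
        ecosystem, package, version = parse_purl(comp["purl"])
        for adv in advisories:
            if adv.ecosystem == ecosystem and adv.package == package and is_affected(version, adv):
                findings.append((comp["purl"], adv.cve, adv.fixed))
    return findings


def gate(findings):
    """Never pass a known defect downstream: any finding fails the build."""
    return "FAIL" if findings else "PASS"


def run(sbom_json=SBOM_JSON, advisories=ADVISORIES):
    sbom = json.loads(sbom_json)
    findings = find_known_vulnerabilities(sbom, advisories)
    return inventory(sbom), findings, gate(findings)


if __name__ == "__main__":
    comps, findings, verdict = run()
    print("components:", len(comps))
    for purl, cve, fixed in findings:
        print(f"{purl}: {cve}, upgrade to >= {fixed}")
    print("build gate:", verdict)
```

Requirement 3 (monitoring throughout the SDLC) is the same check re-run whenever the advisory feed changes, which is why the advisory list is a separate input from the SBOM: the day before the advisory is published this SBOM passes, and the day after, the same SBOM fails without anything being rebuilt. That re-run is what turns the three-day window on slide 30 into a notification rather than a breach report.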
SLIDE 44

All Countries Show Poor Cyber Hygiene

1 in 7 Downloads, 1 in 9 Downloads (chart)
SLIDE 45

“Emphasize performance of the entire system and never pass a defect downstream.”

SLIDE 46

ctownshend@sonatype.com

SLIDE 47