securing software supply chains
play

Securing Software Supply Chains Why 3 Days Might Be Your New Normal - PowerPoint PPT Presentation

Aug 15, 2023 •45 likes •515 views

Securing Software Supply Chains Why 3 Days Might Be Your New Normal for DevSecOps Cameron Townshend Solution Architect, APJ, Sonatype Since 2000, 52% of Fortune 500 have been replaced. Established business leaders are also under attack

  1. Securing Software Supply Chains Why 3 Days Might Be Your New Normal for DevSecOps Cameron Townshend Solution Architect, APJ, Sonatype

  2. Since 2000, 52% of Fortune 500 have been replaced. Established business leaders are also under attack…

  3. Source: https://www.visualcapitalist.com/animation-top-15-global-brands-2000- 2018/ 3

  4. What is software supply chain management? A new (yet proven) way of thinking. 1. Source parts from fewer and better suppliers. 2. Use only the highest quality parts. 3. Never pass known defects downstream. 4. Continuously track location of every part. W. Edwards Deming, 1945

  5. Jez Humble, 2010

  6. Gene Kim, 2013

  8. 47% deploy multiple times per week velocity Source: 2019 DevSecOps Community Survey

  9. 59,000 data breaches have been reported to GDPR regulators since May 2018 source: DLA Piper, February 2019

  10. Business applications are under attack… 51% 43% 68% Of enterprises suffered at Of enterprise attacks are Of external attacks target least one breach in last 12 perpetrated by external web apps and known months. actors. vulnerabilities. Forrester: Best Practices for Deploying And Managing Enterprise Password Managers – Jan 2018 10

  11. Everyone has a software supply chain. (even if you don’t call it that)

  12. Demand drives 15,000 new releases every day

  13. Automation accelerates OSS downloads Source: Sonatype’s 2018 State of the Software Supply Chain Report

  15. 85% of your code is sourced from external suppliers

  16. 170,000 Java component downloads annually 3,500 unique source: 2018 State of the Software Supply Chain Report

  17. 60,660 JavaScript packages downloaded per developer per year source: npm, 2018

  18. Not all parts are created equal.

  19. We are not “building quality in”. 2016 Java Downloads NOT RELFECTIVE OF THE HARTFORD’S DATA source: 2019 State of the Software Supply Chain Report

  21. We are not “building quality in”. 2018 npm source: 2018 npm

  22. 6∑ 5∑ 4∑ 1∑ 2∑ 3∑ 1,000,000 691,000 510,000 309,000 120K 66.8K 6.2K 233 3.4 Defects targets per million for 6-sigma

  23. 170,000 java component 18,870 downloads annually 11.1% with known 3,500 vulnerabilities unique

  24. 60,660 30,936 JavaScript packages 51% with known downloaded annually vulnerabilities per developer

  26. Social normalization of deviance “People within the organization become so much accustomed to a deviant behavior that they don't consider it as deviant, despite the fact that they far exceed their own rules for elementary safety .” Diane Vaughan

  27. Breaches increased 71% 14% 24% suspect or have verified a suspect or have verified a breach related to open source breach related to open source components in the 2014 survey components in the 2019 survey source: DevSecOps Community Survey 2014 and 2019

  28. The speed of exploits has compressed 93% Sources: Gartner, IBM, Sonatype

  29. Quickly identify who is faster than their adversaries source: 2019 DevSecOps Community Survey

  30. Equifax was not alone March 7 March ’18 Apache Struts releases March 13 updated version to India’s AADHAAR Okinawa Power thwart vulnerability Japan Post CVE-2017-5638 March 9 April 13 Cisco observes "a high India Post number of exploitation events." 3 Days in March The Rest of the Story March 10 March 8 December ’17 Today NSA reveals Pentagon Equifax servers scanned by Monero Crypto Mining 65% of the Fortune 100 nation-states for download vulnerable Canada Revenue Agency vulnerable Struts versions instances Canada Statistics Struts exploit published GMO Payment Gateway to Exploit-DB.

  31. Complete software bill of materials (SBOM) 50% 19% 2019 No DevOps Practice 2019 Mature DevOps Practices Source: 2019 DevSecOps Community Survey

  32. 18,126 organizations downloading vulnerable versions of Struts 14 Breach announced. Source: Sonatype

  33. DevSecOps challenge: automate faster than evil.

  34. 1.3 million vulnerabilities in OSS components undocumented No corresponding CVE advisory in the public NVD database

  35. The new battlefront Software Supply Chain Attacks 1 7 ssh-decorator Python Module stealing private ssh Study found credentials online affecting publishing keys. 4 access to 14% of npm repository. +79,000 Golang go-bindata github id deleted and packages. reclaimed. Malicious npm Packages “ typosquatted ” (40 packages for 2 weeks. Collecting env including 8 npm publishing credentials). Gentoo Linux Repository Compromised. 5 Conventional-changelog compromised and turned into a Monero miner. 9 2 6 Malicious Eslint discovered to be stealing npm 10 Malicious Python packages credentials. Backdoor discovered in npm get-cookies Basic info collected and sent to module published since March. Chinese IP address Unauthorized publishing of mailparser. 10 Homebrew repository compromised . 3 Blog: “I’m harvesting credit card numbers and passwords from your site. Here’s how.” 11 npm event-stream attack on CoPay. July Aug Sep Oct Nov Dec Jan Feb Mar May Jun Jul Apr Aug Sep Oct Nov Dec 2017 2017 2017 2017 2017 2017 2018 2018 2018 2018 2018 2018 2018 2018 2018 2018 2018 2018 Image by Sonatype

  36. At what point in the development process does your organization perform automated application analysis? 2019 No DevSecOps Practice 2019 Mature DevSecOps Practices

  37. Which application security tools are used? 2019 No DevSecOps Practice 2019 Mature DevSecOps Practices

  38. How are you informed of InfoSec and AppSec issues? Automating security enables faster DevOps feedback loops

  39. Automation continues to prove difficult to ignore 2019 No DevOps Practice 2019 Mature DevOps Practices Source: 2019 DevSecOps Community Survey

  40. Trusted software supply chains are 2x more secure Source: 2018 State of the Software Supply Chain Report

  41. “ I see no prospect in the long run for avoiding liability for insecure code.” Paul Rozenzweig Senior Fellow, R Street Institute 2018

  42. The rising tide of regulation and software liability

  43. 1. An up to date inventory of open-source components utilized in the software 2. A process for identifying known vulnerabilities within open source components 3. 360 degree monitoring of open source components throughout the SDLC January 2019 4. A policy and process to immediately remediate vulnerabilities as they become known source: https://blog.pcisecuritystandards.org/just-published-new-pci-software-security-standards

  44. 1 in 7 Downloads All Countries Show Poor Cyber Hygiene 1 in 9 Downloads

  45. “Emphasize performance of the entire system and never pass a defect downstream.”

  46. ctownshend@sonatype.com

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Securing Software Supply Chains with in in-to toto to Tobias Furuholm Combient NotPetya

Securing Software Supply Chains with in in-to toto to Tobias Furuholm Combient NotPetya

Securing Software Supply Chains with in in-to toto to Tobias Furuholm Combient NotPetya Software Supply Chain Test Code Build Package Deliver Supply chain verification with in-toto ? Layout { "_type": "layout",

269 views • 13 slides
Exploring Software Supply Chains from a Technical Debt Perspective J. Yates Monteith John D.

Exploring Software Supply Chains from a Technical Debt Perspective J. Yates Monteith John D.

Exploring Software Supply Chains from a Technical Debt Perspective J. Yates Monteith John D. McGregor Strategic Software Engineering Research Group 1 Problem: Quality in the Software Supply Chain Due diligence requires that deliveries

549 views • 15 slides
How is software made? 2 A stylized software supply chain test code build package 3

How is software made? 2 A stylized software supply chain test code build package 3

in-toto -- Securing the whole software supply chain Santiago Torres-Arias, Hammad Afzali, Lukas Phringer , Reza Curtmola, Justin Cappos How is software made? 2 A stylized software supply chain test code build package 3 Attackers can

495 views • 28 slides
Leveraging Supply Chains for Profit

Leveraging Supply Chains for Profit

Leveraging Supply Chains for Profit www.william.lawrence@uwimona.edu.jm 1. What is a supply chain? 2. Leveraging supply chains 3. Measuring supply chain

373 views • 20 slides
SUPPLY CHAIN CONFERENCE 2019 Organised by Supply Chains Connect (SCC) on 6 th Dec 2019 @ Mensvic

SUPPLY CHAIN CONFERENCE 2019 Organised by Supply Chains Connect (SCC) on 6 th Dec 2019 @ Mensvic

Presentations from SUPPLY CHAIN CONFERENCE 2019 Organised by Supply Chains Connect (SCC) on 6 th Dec 2019 @ Mensvic Hotel, Accra This compilation is the work of Supply Chains Connect (SCC) and the content therein are the sole property of the

1.34k views • 104 slides
Drivers and Constraints for OSH Im Improvement in Food and Agriculture Supply Chains A+A ILO

Drivers and Constraints for OSH Im Improvement in Food and Agriculture Supply Chains A+A ILO

Drivers and Constraints for OSH Im Improvement in Food and Agriculture Supply Chains A+A ILO International Occupational Safety and Health Conference 2017 OSH in Global Supply chains Dusseldorf, 19 October 2017 Lou Tessier - ILO - LABADMIN/OSH

122 views • 8 slides
RAY SCHRAFF Hyland Software, USA 9 th Global Supply Chain and Logistics Summit 16 Nov 2016

RAY SCHRAFF Hyland Software, USA 9 th Global Supply Chain and Logistics Summit 16 Nov 2016

Presentation Title Documentation Automation for Optimal Supply Chains Presented by: RAY SCHRAFF Hyland Software, USA 9 th Global Supply Chain and Logistics Summit 16 Nov 2016 www.sclgsummit.org Data is the New Oil 9 th Global Supply Chain

426 views • 13 slides
Supply Chain Management in the New World How will the Global Pandemic Impact Supply Chains?

Supply Chain Management in the New World How will the Global Pandemic Impact Supply Chains?

Supply Chain Management in the New World How will the Global Pandemic Impact Supply Chains? Kenneth J. Petersen Helen Robson Walton Endowed Chair Director, Division of Marketing & Supply Chain Management Price College of Business

892 views • 51 slides
Overview of U.S. agrifood supply chains ECONOMIC CHARACTERISTICS OF THE AGRIFOOD SUPPLY

Overview of U.S. agrifood supply chains ECONOMIC CHARACTERISTICS OF THE AGRIFOOD SUPPLY

OBJECTIVE Overview of U.S. agrifood supply chains ECONOMIC CHARACTERISTICS OF THE AGRIFOOD SUPPLY CHAIN Describe seven specific Michael Boland, Ph.D. Director of University of Minnesota characteristics that are different from Food

164 views • 5 slides
Rise of the Enabling Environment for Responsible Supply Chains recent trends and practices round

Rise of the Enabling Environment for Responsible Supply Chains recent trends and practices round

Rise of the Enabling Environment for Responsible Supply Chains recent trends and practices round the globe 20 November 2018 Responsible Supply Chains in Asia Project Launch and Stakeholders Engagement at Hotel Sofitel, Manila, Philippines

623 views • 30 slides
Supply Chains, Global Supply World Bioenergy Association Webinar Pyrolysis Oil Markets &

Supply Chains, Global Supply World Bioenergy Association Webinar Pyrolysis Oil Markets &

EU/US/Japanese Markets, Supply Chains, Global Supply World Bioenergy Association Webinar Pyrolysis Oil Markets & Growth in Global Supply Jan 31, 2017 Douglas Bradley- President, Climate Change Solutions 402 Third Avenue, Ottawa,

395 views • 27 slides
The Governance Gap in Supply Chains of Foreign Mul8na8onal Corpora8ons (MNCs) in China Dr Qingxiu

The Governance Gap in Supply Chains of Foreign Mul8na8onal Corpora8ons (MNCs) in China Dr Qingxiu

In Indic icator ors an s and Me Metrics f rics for S or Socially In ocially Inclu clusiv sive e Waste Manageme ment and Resource Effic fficiency (WM&RE) in Supply Chains: Measuring and ReporAng to Emb mbed Sustainability in

425 views • 25 slides
5/16/2019 The Circular Economy Drives Value Creation LINEAR CIRCULAR Circular supply chains

5/16/2019 The Circular Economy Drives Value Creation LINEAR CIRCULAR Circular supply chains

5/16/2019 The Circular Economy Drives Value Creation LINEAR CIRCULAR Circular supply chains reduce costs, increase efficiency and Linear supply chains are costly, susceptible to volatility and harmful to our environment. create a sustainable

266 views • 11 slides
Hyperbolic Models for Large Supply Chains Christian Ringhofer (Arizona State University)

Hyperbolic Models for Large Supply Chains Christian Ringhofer (Arizona State University)

Hyperbolic Models for Large Supply Chains Christian Ringhofer (Arizona State University) Hyperbolic Models for Large Supply Chains p. 1/4 Introduction Topic: Overview of conservation law (traffic - like) models for large supply chains.

794 views • 41 slides
The Future of Supply Chains in Asia PBEC Webinar Dialogue Series 2020 A reality check for

The Future of Supply Chains in Asia PBEC Webinar Dialogue Series 2020 A reality check for

The Future of Supply Chains in Asia PBEC Webinar Dialogue Series 2020 A reality check for Asia-Pacific Supply Chains Ben Simpfendorfer Barrett Bingley Ritesh Kumar Singh Alex Capri Anne Petterd Fatya Mamcu Senior Fellow and

277 views • 4 slides
Supply Chain Rebuild your supply chains to ensure timely access to all inputs your business

Supply Chain Rebuild your supply chains to ensure timely access to all inputs your business

Supply Chain Rebuild your supply chains to ensure timely access to all inputs your business requires In partnership with www.b3cmsme.org 1 Key questions to be addressed Why do we need to focus on supply chain? 1 Which component(s) of

591 views • 12 slides
6/25/2019 1 2 3 1 6/25/2019 MISSION Common struggles Affects of those struggles

6/25/2019 1 2 3 1 6/25/2019 MISSION Common struggles Affects of those struggles

6/25/2019 1 2 3 1 6/25/2019 MISSION Common struggles Affects of those struggles Protect your fortune 4 5 POLL #1 6 2 6/25/2019 EARLY EDUCATOR PAIN POINTS (Struggles) Time Resources Expertise 7 TIME Lack

176 views • 16 slides
Objectives Review Servlets Deployment Configuration Sessions, Cookies Handling

Objectives Review Servlets Deployment Configuration Sessions, Cookies Handling

Objectives Review Servlets Deployment Configuration Sessions, Cookies Handling multiple requests Apr 29, 2019 Sprenkle - CS335 1 Servlets Review What application do we need to execute servlets? What class do all web

330 views • 29 slides
and Unique Fundraising Experiences Featured Presenters Gene Caffrey, Greater Carolinas

and Unique Fundraising Experiences Featured Presenters Gene Caffrey, Greater Carolinas

Fueling the Movement Unforgettable and Unique Fundraising Experiences Featured Presenters Gene Caffrey, Greater Carolinas Chapter Jeff Zaniker, Indiana State Chapter Kurt Lorch, Indiana State Chapter Mark Solari, South

315 views • 30 slides
Functional Programming Pete Graham @petexgraham My Functional Programming Timeline Learned

Functional Programming Pete Graham @petexgraham My Functional Programming Timeline Learned

Functional Programming Pete Graham @petexgraham My Functional Programming Timeline Learned Haskell at University. Forgot it. Something strange happened... Functional Programming Renaissance 1. What is it? 2. Why learn Functional

559 views • 17 slides
UPCOMING MEETINGS SPECIAL EVENT: July 30 Tour of KC Care Date: July 9, 2019 Sign up today!

UPCOMING MEETINGS SPECIAL EVENT: July 30 Tour of KC Care Date: July 9, 2019 Sign up today!

UPCOMING MEETINGS SPECIAL EVENT: July 30 Tour of KC Care Date: July 9, 2019 Sign up today! Time: 11:00 am - 1:00 pm More information on next slide. Location: Liberty Hospital Education Center Phyllis Fulk Date: Tuesday, August 13, 2019

351 views • 21 slides
US Army War College Fellowship Cyber Defense/Offense Dr. Bill Young Department of Computer

US Army War College Fellowship Cyber Defense/Offense Dr. Bill Young Department of Computer

US Army War College Fellowship Cyber Defense/Offense Dr. Bill Young Department of Computer Science University of Texas at Austin Last updated: February 27, 2013 at 11:16 Dr. Bill Young: 1 Cyber Defense/Offense Some Sources Jeffrey Carr,

936 views • 60 slides
HYPER-TARGETED USER EXPERIENCES BY COLIN EAGAN, M.S. PLEASED TO MEET YOU. COLIN EAGAN

HYPER-TARGETED USER EXPERIENCES BY COLIN EAGAN, M.S. PLEASED TO MEET YOU. COLIN EAGAN

ITS GETTING PERSONAL // THE RISE OF HYPER-TARGETED USER EXPERIENCES BY COLIN EAGAN, M.S. PLEASED TO MEET YOU. COLIN EAGAN EXPERIENCE MANAGER | ICF INTERNATIONAL @colineags #uxdc2015 (Todays Topic) TODAY WE WILL: EXPLORE AN EXCITING

1.53k views • 98 slides
Internet Technologies 8- Java Server Pages F. Ricci 2010/2011 Content p Need and benefits

Internet Technologies 8- Java Server Pages F. Ricci 2010/2011 Content p Need and benefits

Internet Technologies 8- Java Server Pages F. Ricci 2010/2011 Content p Need and benefits for JSP p Comparing JSP to other technologies p JSP lifecycle p Dynamic code and good JSP design p JSP expressions: <%= %> p

918 views • 61 slides

More recommend