DOES14 - Joshua Corman - Sonatype
DESCRIPTION
DevOps Will Save The World!: Public Safety, Public Policy, and DevOps In Context
Joshua Corman, CTO, Sonatype
Link to video: https://www.youtube.com/watch?v=K-hskShNyoo
TRANSCRIPT
DevOps Will Save The World! Public Safety, Public Policy, and DevOps in Context
Joshua Corman, Sonatype CTO
Oct 23, 2014 DevOps Enterprise Summit #DOES14
10/23/2013 @joshcorman
~ Marc Andreessen, 2011
Trade Offs
Costs & Benefits
INDUSTRIAL EVOLUTION
THE REAL IMPLICATIONS OF HEARTBLEED
BEYOND HEARTBLEED: OPENSSL IN 2014 (17 IN NIST’S NVD THRU JULY 25)
8 11/14/2014
CVE-2014-3470  6/5/2014    CVSS Severity: 4.3 MEDIUM   SIEMENS *
CVE-2014-0224  6/5/2014    CVSS Severity: 6.8 MEDIUM   SIEMENS *
CVE-2014-0221  6/5/2014    CVSS Severity: 4.3 MEDIUM
CVE-2014-0195  6/5/2014    CVSS Severity: 6.8 MEDIUM
CVE-2014-0198  5/6/2014    CVSS Severity: 4.3 MEDIUM   SIEMENS *
CVE-2013-7373  4/29/2014   CVSS Severity: 7.5 HIGH
CVE-2014-2734  4/24/2014   CVSS Severity: 5.8 MEDIUM   ** DISPUTED **
CVE-2014-0139  4/15/2014   CVSS Severity: 5.8 MEDIUM
CVE-2010-5298  4/14/2014   CVSS Severity: 4.0 MEDIUM
CVE-2014-0160  4/7/2014    CVSS Severity: 5.0 MEDIUM   HeartBleed
CVE-2014-0076  3/25/2014   CVSS Severity: 4.3 MEDIUM
CVE-2014-0016  3/24/2014   CVSS Severity: 4.3 MEDIUM
CVE-2014-0017  3/14/2014   CVSS Severity: 1.9 LOW
CVE-2014-2234  3/5/2014    CVSS Severity: 6.4 MEDIUM
CVE-2013-7295  1/17/2014   CVSS Severity: 4.0 MEDIUM
CVE-2013-4353  1/8/2014    CVSS Severity: 4.3 MEDIUM
CVE-2013-6450  1/1/2014    CVSS Severity: 5.8 MEDIUM
As of today, internet scans by MassScan reveal that 300,000 of the original 600,000 remain unpatched or unpatchable.
HEARTBLEED + (UNPATCHABLE) INTERNET OF THINGS == ___ ?
In Our Bodies
In Our Homes
In Our Infrastructure
In Our Cars
The Cavalry isn’t coming… It falls to us
Problem Statement
Our society is adopting connected technology faster than we are able to secure it.
Mission Statement
To ensure connected technologies with the potential to impact public safety and human life are worthy of our trust.
Collecting existing research, researchers, and resources
Connecting researchers with each other, industry, media, policy, and legal
Collaborating across a broad range of backgrounds, interests, and skillsets
Catalyzing positive action sooner than it would have happened on its own
Why: Trust, public safety, human life
How: Education, outreach, research
Who: Infosec research community
Who: Global, grass roots initiative
What: Long-term vision for cyber safety
• Medical
• Automotive
• Connected Home
• Public Infrastructure
I Am The Cavalry
Connections and Ongoing Collaborations
5-Star Capabilities
• Safety by Design – Anticipate failure and plan mitigation
• Third-Party Collaboration – Engage willing allies
• Evidence Capture – Observe and learn from failure
• Security Updates – Respond quickly to issues discovered
• Segmentation & Isolation – Prevent cascading failure
Addressing Automotive Cyber Systems
Automotive Engineers
Security Researchers
Policy Makers
Insurance Analysts
Accident Investigators
Standards Organizations
https://www.iamthecavalry.org/auto/5star/
5-Star Framework
Sign and share the petition: http://bit.ly/5starauto
SW SUPPLY CHAIN IN CONTEXT OF CYBERSECURITY BIG PICTURE
KEY QUESTIONS
Where are Attackers most focused?
Where are Defenders most focused?
Which Activities have the most security impact?
-- 2014 Verizon Data Breach Investigations Report
MOST ATTACKED: WEAK SOFTWARE IS #1 ATTACK VECTOR
Source: Normalized spending numbers from IDC, Gartner, The 451 Group; since groupings vary
Software Security gets LEAST $ but MOST attacker focus
Spending by category:
• Network Security ~$20B
• Host Security ~$10B
• Data Security ~$5B
• People Security ~$4B
• Software Security ~$0.5B
LEAST SPENDING/PRIORITY: WEAK SOFTWARE
[Chart: the same spending figures (Network Security ~$20B, Host Security ~$10B, Data Security ~$5B, People Security ~$4B, Software Security ~$0.5B) plotted against attack risk. Source: Normalized spending numbers from IDC, Gartner, The 451 Group; since groupings vary]
Within Software Security, the spending goes to Written Code Scanning; Assembled 3rd Party & Open Source Components (~90% of most applications) get almost no spending.
Worse, within Software, existing dollars go to the 10% written.
Defensible Infrastructure
Operational Excellence
Situational Awareness
Counter-measures
Defensible Infrastructure is the software & hardware we build, buy, and deploy. 90% of software is assembled from 3rd party & Open Source; only 10% is written.
MOST IMPACT: BUY/BUILD DEFENSIBLE SOFTWARE
IS IT OPEN SEASON ON OPEN SOURCE?
Now that software is ASSEMBLED… Our shared value becomes our shared attack surface.
THINK LIKE AN ATTACKER
One risky component now affects thousands of victims
ONE EASY TARGET
[Chart: Requests in Millions per year, 2001 to 2013 (y axis 0 to 8,000); 13 Billion Requests in 2013]
Growth Drivers: Mobile, Cloud, Web Apps, Big Data
Component Usage Has Exploded
OPEN SOURCE USAGE IS EXPLODING
STRUTS
• Global Bank
• Software Provider
• Software Provider’s Customer
• State University
• Three-Letter Agency
• Large Financial Exchange
• Hundreds of Other Sites
W/MANY EYEBALLS, ALL BUGS ARE SHALLOW? STRUTS
[Chart: Struts CVEs plotted by CVSS score (y axis, 1.0 to 10.0) against year (x axis, 2005 to 2014), from CVE-2005-3745 through CVE-2014-0094; annotation: Latent 7-11 yrs]
In 2013, 4,000 organizations downloaded a version of Bouncy Castle with a level 10 vulnerability 20,000 TIMES … Into XXX,XXX Applications… SEVEN YEARS after the vulnerability was fixed.
NATIONAL CYBER AWARENESS SYSTEM
Original Notification Date: 03/30/2009
CVE-2007-6721
Bouncy Castle Java Cryptography API
CVSS v2 Base Score: 10.0 HIGH
Impact Subscore: 10.0
Exploitability Subscore: 10.0
BOUNCY CASTLE
In December 2013, 6,916 DIFFERENT organizations downloaded a version of httpclient with broken SSL validation (CVE-2012-5783) 66,824 TIMES … More than ONE YEAR AFTER THE ALERT.
NATIONAL CYBER AWARENESS SYSTEM
Original Release Date:
11/04/2012
CVE-2012-5783
Apache Commons HttpClient 3.x
CVSS v2 Base Score: 5.8 MEDIUM
Impact Subscore: 4.9
Exploitability Subscore: 8.6
HTTPCLIENT 3.X
IS IT TIME FOR A SOFTWARE SUPPLY CHAIN?
ELEGANT PROCUREMENT TRIO
1) Ingredients: Anything sold to $PROCURING_ENTITY must provide a Bill of Materials of 3rd Party and Open Source Components (along with their Versions)
2) Hygiene & Avoidable Risk:…and cannot use known vulnerable components for which a less vulnerable component is available (without a written and compelling justification accepted by $PROCURING_ENTITY)
3) Remediation: …and must be patchable/updateable – as new vulnerabilities will inevitably be revealed
PROCUREMENT TRIO + BOUNCY CASTLE
Supply Chain Management
[Diagram: stages Supplier, Supply, Selection, Integration, Delivery, with Optimization (Monitoring); what flows through them: Projects, Components, Component Version, Platforms & Tools, Application]
INDUSTRIAL EVOLUTION
Toyota’s Transformation of the Automobile Industry: v4L
• Comparing the XXXX and Prius
• $39,900 versus $24,200
• 1,788 units versus 23,294
• Plant suppliers: 125 versus 800
• Firm-wide suppliers: 224 versus 5,500
• In-house production: 27% versus 54%
Toyota’s Transformation of the Automobile Industry: v4L
• Variety of products offered
• Velocity of product flow
• Variability of outcomes against forecast
• Visibility of processes to enable learning
Toyota’s Transformation of the Automobile Industry: v4L
• Variety of software produced
• Velocity of software delivery
• Variability of outcomes against forecast
• Visibility of processes to enable learning
The ‘L’ in v4L
Create Awareness (transparency)
“Unless problems are seen, they will not be solved. Systems need to be in place to report ideas, problems, deviations, and potential issues with no delay.”
Establish capability (empower)
“Unless someone is capable of solving a problem that might arise within the boundaries set for him or her, that person will be unable to contribute to the problem solving process.”
Make action protocols (govern)
“Actions have to be taken within a set of constraints, and they must conform to certain standards.”
Generate system-level awareness (monitor)
“As experience with solving problems is obtained, greater awareness of other areas that might be affected needs to be created.”
Core Principles
Create Awareness
Empower
Govern
Monitor
[Diagram: Part → Compound Project → Consumer. The part goes through Discovery and Repair, the compound project through its own Discovery and Repair, and the consumer through Aware and Recovery.]
• Airbag → Car X → Alex’s Jaguar
• Struts → Bank of X… → Sally, Bank Customer
• Struts → IBM WebSphere → Bank of X…
• Bouncy Castle → 20,000 Applications → x ??? Users
TRUE COSTS & LEAST COST AVOIDERS: DOWNSTREAM
[Diagram: ACME and its downstream consumers, Enterprise, Bank, Retail, Manufacturing, BioPharma, Education, High Tech, repeated across three tiers]
[Diagram: Part (Bolt) → Compound Parts → Product → End Consumer. Each upstream tier goes through Discovery then Repair; each downstream tier goes through Aware then Recovery. Worked chain: Struts 2 → IBM WebSphere → Bank of X.com; the remaining parts are placeholders Foo_0 through Foo_11.]
X Axis: Time (Days) following initial HeartBleed disclosure and patch availability
Y Axis: Number of products included in the vendor vulnerability disclosure
Z Axis (circle size): Exposure as measured by the CVE CVSS score
COMMERCIAL RESPONSES TO OPENSSL
How can we choose the best components
FROM THE START?
Shift Upstream = ZTTR (Zero Time to Remediation)
Analyze all components from within your IDE
License, Security and Architecture data for each component, evaluated against your policy
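The procurement trio above and the per-component policy evaluation described here, as an added example that is not the talk's or Sonatype's code: a minimal Bill of Materials check in Python. The vulnerability feed, its version ranges and fix versions, the BOM and the waiver register are all constructed for the example; only the CVE identifiers come from the talk.

```python
# Added example: Bill of Materials policy check modelled on the procurement trio
# (every component lists a version; no known-vulnerable component when a less
# vulnerable one exists, absent a written justification; an upgrade path exists).
from typing import Dict, List, Tuple

def parse_version(v: str) -> Tuple[int, ...]:
    return tuple(int(p) for p in v.split("."))

# Constructed vulnerability feed. The CVE ids are the ones cited in the talk; the
# affected ranges [lo, hi) and fix versions are illustrative, not taken from NVD.
FEED = [
    {"cve": "CVE-2007-6721", "component": "bcprov", "cvss": 10.0,
     "affected": ("1.0", "1.38"), "fixed_in": "1.38"},
    {"cve": "CVE-2012-5783", "component": "commons-httpclient", "cvss": 5.8,
     "affected": ("3.0", "4.0"), "fixed_in": "4.2.3"},
    {"cve": "CVE-2014-0094", "component": "struts2-core", "cvss": 7.5,
     "affected": ("2.0.0", "2.3.16.1"), "fixed_in": "2.3.16.1"},
]

def matching_vulns(component: str, version: str) -> List[dict]:
    v = parse_version(version)
    return [f for f in FEED if f["component"] == component
            and parse_version(f["affected"][0]) <= v < parse_version(f["affected"][1])]

def evaluate_bom(bom: List[dict], waivers: Dict[str, str]) -> List[dict]:
    findings = []
    for entry in bom:
        name, version = entry["component"], entry.get("version")
        key = f"{name}@{version}"
        vulns = matching_vulns(name, version) if version else []
        worst = max(vulns, key=lambda f: f["cvss"], default=None)
        if not version:  # rule 1 (ingredients): every component carries a version
            verdict, reason = "REJECT", "no version listed in Bill of Materials"
        elif worst is None:
            verdict, reason = "PASS", "no known vulnerabilities"
        elif key in waivers:  # rule 2 exception: written justification accepted
            verdict, reason = "WAIVED", f"{worst['cve']}: {waivers[key]}"
        elif worst["fixed_in"]:  # rules 2 and 3: a less vulnerable version exists
            verdict, reason = "REJECT", (f"{worst['cve']} (CVSS {worst['cvss']}); "
                                         f"upgrade to {worst['fixed_in']}")
        else:  # rule 3 violated: nothing to update to
            verdict, reason = "REJECT", f"{worst['cve']} with no fixed version available"
        findings.append({"component": name, "verdict": verdict, "reason": reason})
    return findings

# Constructed BOM and waiver register (the justification text is made up).
BOM = [{"component": "bcprov", "version": "1.36"},
       {"component": "commons-httpclient", "version": "3.1"},
       {"component": "struts2-core", "version": "2.3.16.1"},
       {"component": "log-helper"}]
WAIVERS = {"commons-httpclient@3.1": "internal-only client; accepted in ticket SEC-0001"}
```

Running `evaluate_bom(BOM, WAIVERS)` rejects bcprov 1.36 with an upgrade target, records the httpclient waiver, passes Struts at the fixed version and rejects the entry with no version.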
@joshcorman @451wendy
MANUAL POLICIES CAN’T WORK AT DEVOPS SPEED OR ENTERPRISE SCALE
If you’re not using secure COMPONENTS, you’re not building secure APPLICATIONS.
[Diagram: Component Selection → Development → Build and Deploy → Production]
Today’s approaches AREN’T WORKING
• 46m vulnerable components downloaded
• 71% of apps have 1+ critical or severe vulnerability
• 90% of repositories have 1+ critical vulnerability
RUGGED DEVOPS AND GENE’S “THREE WAYS”
1) Systems Thinking
2) Amplify Feedback Loops
3) Culture of Continuous Experimentation & Learning
ADOPT A "DEVSECOPS" MINDSET
[Diagram: Requirements, Build/Assemble, Test, Deploy, Monitoring and Analytics, driven by Policies, Models, Templates and by IT Operations Intelligence and Security Intelligence, with Prevent Issues, Detect Issues, Predict Issues and Remediate/Change as the security activities. Source: Neil MacDonald, Gartner]
[Diagram: Defensible Infrastructure, Operational Excellence, Situational Awareness, Counter-measures, with DevOps annotated against three of the layers]
FURTHER RESOURCES
1. AS OPEN SOURCE USAGE EXPANDS, SO DO THE RISKS
2. SECURITY BUDGETS ARE OUT OF SYNC WITH RISK AND REALITY
3. PARETO PRINCIPLE 2.0? (THE “90/10” RULE): LOW EFFORT AND BIG GAINS
4. YOU USE A SOFTWARE SUPPLY CHAIN. HOW WELL DO YOU MANAGE IT?
5. EMPOWER YOUR DEVELOPERS. THEY’RE YOUR FRONT LINE DEFENSE
6. MANUAL POLICIES JUST DON’T WORK IN A SECURE DEVELOPMENT LIFECYCLE
7. AGILE DEVELOPMENT REQUIRES AGILE SECURITY
“Sonatype presents a rare opportunity to do something concrete in the application security space. One of the 1st tools that comes close to remediation not just scan results and recommendations.”
-- Wendy Nather
https://www.usenix.org/system/files/login/articles/15_geer_0.pdf
For the 41%: 390 days (median 265 days). CVSS 10s: 224 days.
SAMPLE OPEN SOURCE VISIBILITY REPORT:
• Summary: The number of components analyzed, including security issues and licenses used
• Bill of Materials: A complete list of the components used in your application
• Security Analysis: Known security threats by vulnerability and severity level
• Quality Analysis: Details component age, fingerprint verification & adherence to policies
• License Analysis: License descriptors for every component & license implication for your application
A FINAL THOUGHT…
THANK YOU
@JOSHCORMAN
@SONATYPE