SUPPLY CHAIN SOLUTIONS FOR Modern Development
Brian Fox @brian_fox
INDUSTRIAL EVOLUTION
Open source usage is EXPLODING
Yesterday’s source code is now replaced with OPEN SOURCE components
[Chart: (Maven) Central Repository component requests per year, 2007 through 2014, with tick values 500M, 1B, 2B, 4B, 6B, 8B, 13B and 17B]
3/19/14 Source: Sonatype, Inc. analysis of (Maven) Central Repository component requests.
HOW DEPENDENT ON 3RD PARTIES ARE WE? (1/28/2016)
[Chart: a typical application is 10% custom-written code and 90% from third parties: open source, cloud services and closed source]
Components are a hidden risk
OPEN SOURCE: QUALITY, INNOVATION, EFFICIENCY
NO CONTROLS. OPEN ACCESS. HACKER TARGETS.
Components are a hidden risk
Spending and risk are OUT OF SYNC
[Chart: security spending versus attack risk by layer]
• Host ~$10B
• Data Security ~$5B
• People Security ~$4B
• Network Infrastructure ~$20B
• Component Security ~$0.4B
#1 ATTACK VECTOR LEADING TO BREACH
When software was first being written, finding exploitable code was like LOOKING for a needle in a HAYSTACK
Now that software is ASSEMBLED…
One risky component, multiplied thousands of times: ONE EASY TARGET
Component        Bouncy Castle            HttpClient                 Apache Struts 2
Role             Java Cryptography API    Java HTTP implementation   Web application framework
CVE Date         11/10/2007               11/04/2012                 07/20/2013
CVSS v2 Base     10.0 HIGH                5.8 MEDIUM                 9.3 HIGH
Exploitability   10.0                     8.6                        10
Since then       11,236 organizations     29,468 organizations       4,076 organizations
downloaded it    214,484 times            3,749,193 times            179,050 times

Source: Sonatype, Inc. analysis of (Maven) Central downloads and NIST National Vulnerability Database
WIDESPREAD COMPROMISE
Hackers have first mover advantage
WHY IS THIS SO HARD?
Modern software development
HAS CHANGED
Our process HASN’T CHANGED ENOUGH
Diversity
• 40,000 Projects
• 200M Classes
• 400K Components
Complexity: One component may rely on 100s of others
Volume: Typical enterprise consumes 1,000s of components monthly
Change: Typical component is updated 4X per year
Components are like MOLECULES, not atoms.
There are massive dependencies.
Source: Sonatype, Inc. analysis of (Maven) Central Repository.
CHANGE: Typical component is updated 4X per year.
11 MILLION OSS USERS
674,863 OSS COMPONENTS
Source: Components: (Maven) Central Repository; Users: IDC
Unlike COTS, there is no clear, effective COMMUNICATION channel
[Diagram: 674,863 OSS COMPONENTS on one side, 11 MILLION OSS USERS on the other]
• Has a risk been identified?
• What type of risk?
• Is a better version available?
Use of components creates a SOFTWARE SUPPLY CHAIN
[Diagram: Component Selection -> Development -> Build and Deploy -> Production]
Today’s security ISN’T WORKING
• 46m vulnerable components downloaded
• 71% of apps have 1+ critical or severe vulnerability
• 90% of repositories have 1+ critical vulnerability
Source: Sonatype, Inc. analysis based on Repository Healthchecks and Application Healthchecks used to determine component risk in repositories and applications.
THE NEW LIFECYCLE
[Diagram: impact on releases per year (cycle time) for three lifecycles]
• Traditional Lifecycle (Waterfall): Plan, Design, Build, Test, Deploy, Operate. Cycle Time: Months-Years. Releases per year: 1-2.
• Agile Dev: Plan ... Deploy, Learn, Operate, repeated. Cycle Time: Days-Weeks. Releases per year: 10-20.
• Modern Lifecycle (+DevOps, Continuous *): Plan ... Operate, with Learn at every step. Cycle Time: Minutes-Hours. Releases per year: 100-200.
THE NEW LIFECYCLE: Governance?
• Traditional Lifecycle (Waterfall): Manual
• Agile Dev: Manual + Point Tools
• Modern Lifecycle (Continuous *): Policy-Driven Automation (New Approach)
CYCLE TIME SQUEEZE
Legacy Governance vs. Cycle Time: Min-Hours
• Work Arounds
• Batch Scans
• Rework
• Exposure
If it does not fit, it does not get done.
Go Fast OR Sleep at Night
But, solutions are designed for yesterday’s security war…
RISK IN COMPONENTS
• Component usage has exploded
• Applications are the primary vector of attack
• There is a proliferation of flawed components
• Current approaches can’t handle the complexity
THOUGHT LEADERS ARE TAKING ACTION (5/28/14)
We are not the first INDUSTRY to face this CHALLENGE
HOW NOT TO SOLVE THIS PROBLEM
What not to do: ANTI-PATTERNS
• Cut the cord!
• Lock the doors!
• Point fingers!
• HOPE IS NOT A STRATEGY: "There is no problem here!"
MODERN SOFTWARE PRACTICES REQUIRE A MODERN APPROACH TO GOVERNANCE
FAST SO IT CAN BE CONTINUOUS
AUTOMATE
1. Humans define policy
2. Machines automate the implementation of policy
3. Humans manage exceptions
CYCLE TIME SYNERGY
Continuous Governance for Continuous Delivery, Cycle Time: Min-Hours
• No Interruption
• Entire Lifecycle
• Solve Early
• Avoid Rework
Go Fast AND Sleep at Night
PRECISE
BE SPECIFIC
No Noise!
• There is a world of difference between saying "Struts is approved" and saying "Struts 2.3.16.1 is good and Struts 2.3.15.0 or ANY OLDER VERSION will get your system owned"
Dev Teams Shouldn’t Deal with Noise
• Scan found 50,313 “issues”
• Real issue count: 204
CONTEXTUAL
WHY CONTEXT MATTERS
• SQL Injection vulnerabilities don't affect applications without databases.
• CopyLeft may not be a problem for internal applications or services.
• I need information that applies to my application.
Consume information and apply policy in the context of your applications, organizations and enterprise via hierarchical policy and reporting
ACTIONABLE
POLICIES ENSURE DEVELOPERS START WITH RIGHT COMPONENTS
“I can quickly pick the best component from the start, eliminating downstream rework.” (Lead Developer)
Analyze all components from within your IDE
License, Security and Architecture data for each component, evaluated against your policy
PROVIDE A SOLUTION
• Now that you've told me about a problem, tell me what I can do to fix it.
• Suggest alternatives.
• Even if I don't completely understand the risk, if you show me an easy fix, I will take it.
EASY TO CONSUME
Provide stakeholders actionable, easy to consume information to remediate problems
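An added example, not from the talk or any Sonatype product: a small Python policy check that puts the three AUTOMATE steps (humans define policy, the machine applies it, humans manage exceptions), the PRECISE version rule from the Struts slide, the CONTEXTUAL rules (SQL injection only matters with a database, copyleft only when distributed) and the actionable fix into one routine, walked over a constructed transitive dependency tree (the "molecules not atoms" point). Everything except the struts2-core name and the two Struts versions is an assumption: the other component names, the app attributes, the version thresholds and the sample tree.

```python
from dataclasses import dataclass, field

def vtuple(v):
    """Turn '2.3.16.1' into (2, 3, 16, 1) so versions compare numerically."""
    return tuple(int(p) for p in v.split("."))

@dataclass
class Component:
    name: str
    version: str
    license: str = "Apache-2.0"
    deps: list = field(default_factory=list)  # what this component pulls in

# Step 1: humans define policy. Rules are precise (a first fixed version, not
# "Struts is approved") and contextual (a rule only fires if the app matches).
SECURITY_RULES = [  # (component, first safe version, flaw, app attribute needed)
    ("struts2-core", "2.3.16.1", "remote code execution", None),
    ("hypothetical-sql-lib", "1.4.0", "SQL injection", "uses_database"),  # assumed name
]
LICENSE_RULES = [("GPL-3.0", "distributed")]  # copyleft only matters if shipped

def evaluate(app, root, waivers=()):
    """Step 2: walk the whole dependency tree and apply policy; waivers are
    step 3, (name, version) exceptions a human has approved."""
    findings, seen = [], set()
    def visit(comp, path):
        key = (comp.name, comp.version)
        if key in seen:  # the same artifact may be reached via several parents
            return
        seen.add(key)
        label = f"{comp.name}:{comp.version}"
        here = " > ".join(path + [label])  # the path explains why it is there
        if key not in waivers:
            for name, fixed, flaw, needs in SECURITY_RULES:
                if (comp.name == name and vtuple(comp.version) < vtuple(fixed)
                        and (needs is None or app.get(needs))):
                    findings.append((flaw, here, f"upgrade to {fixed}"))
            for lic, needs in LICENSE_RULES:
                if comp.license == lic and app.get(needs):
                    findings.append(("copyleft license", here, "use a permissive alternative"))
        for dep in comp.deps:
            visit(dep, path + [label])
    visit(root, [])
    return findings

# Constructed sample tree: the vulnerable Struts sits two levels down.
APP = Component("my-webapp", "1.0", deps=[
    Component("web-framework", "3.1", deps=[Component("struts2-core", "2.3.15.0")]),
    Component("hypothetical-sql-lib", "1.2.0"),
    Component("report-lib", "0.9", license="GPL-3.0"),
])
```

Running `evaluate({"uses_database": False, "distributed": False}, APP)` reports only the transitive Struts finding with its path and fix version; setting both attributes to True surfaces the SQL injection and copyleft findings as well.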
ACROSS THE LIFECYCLE
If you’re not using secure COMPONENTS you’re not building secure APPLICATIONS
[Diagram: Component Selection -> Development -> Build and Deploy -> Production]
Applications don’t age, THEY ROT LIKE MILK
We make it EASY to create TRUSTED APPLICATIONS and keep them that way OVER TIME