Cameron Townshend from Sonatype discusses securing software supply chains and the need for DevSecOps. He notes that 52% of Fortune 500 companies from 2000 are no longer around and that businesses are under attack. Townshend advocates treating software development like a manufacturing process by carefully vetting all components for quality and security. He highlights statistics showing the prevalence of vulnerabilities and breaches related to open source components. Townshend argues that organizations must automate security checks and remediation to keep pace with adversaries exploiting vulnerabilities within days.
4. W. Edwards Deming, 1945
What is software supply chain management?
A new (yet proven) way of thinking.
1. Source parts from fewer and better suppliers.
2. Use only the highest quality parts.
3. Never pass known defects downstream.
4. Continuously track location of every part.
9. 59,000 data breaches
have been reported to GDPR regulators since May 2018
source: DLA Piper, February 2019
10. 10
Business applications are under attack…
Of enterprises suffered at
least one breach in last 12
months.
51%
Of enterprise attacks are
perpetrated by external
actors.
43%
Of external attacks target
web apps and known
vulnerabilities.
68%
Forrester: Best Practices for Deploying And Managing Enterprise Password Managers – Jan 2018
11. Everyone has a software supply chain.
(even if you don’t call it that)
26. Social normalization of deviance
“People within the organization become so much accustomed to a
deviant behavior that they don't consider it as deviant, despite the
fact that they far exceed their own rules for elementary safety.”
Diane Vaughan
27. Breaches increased 71%
24%
suspect or have verified a
breach related to open source
components in the 2019 survey
14%
suspect or have verified a
breach related to open source
components in the 2014 survey
source: DevSecOps Community Survey 2014 and 2019
28. The speed of exploits has compressed 93%
Sources: Gartner, IBM, Sonatype
29. source: 2019 DevSecOps Community Survey
Quickly identify who is faster than their adversaries
30. March 7
Apache Struts releases
updated version to
thwart vulnerability
CVE-2017-5638
Today
65% of the Fortune 100
download vulnerable
versions
3 Days in March
March 8
NSA reveals Pentagon
servers scanned by
nation-states for
vulnerable Struts
instances
Struts exploit published
to Exploit-DB.
March 10
Equifax
Canada Revenue Agency
Canada Statistics
GMO Payment Gateway
The Rest of the Story
March 13
Okinawa Power
Japan Post
March 9
Cisco observes "a high
number of exploitation events."
March ’18
India’s AADHAAR
April 13
India Post
December ’17
Monero Crypto Mining
Equifax was not alone
31. Complete software bill of materials (SBOM)
2019 No DevOps Practice 2019 Mature DevOps Practices
19%
50%
Source: 2019 DevSecOps Community Survey
34. 1.3 million vulnerabilities in OSS components undocumented
No corresponding CVE advisory in the public NVD database
35. July
2017
8
3
10
4
The new battlefront
Software Supply Chain Attacks
Study found credentials online affecting publishing
access to 14% of npm repository. +79,000
packages.
Malicious npm Packages “typosquatted” (40
packages for 2 weeks. Collecting env including
npm publishing credentials).
1
10 Malicious Python packages
Basic info collected and sent to
Chinese IP address
2
Golang go-bindata github id deleted and
reclaimed.
5
ssh-decorator Python Module stealing private ssh
keys.
7
npm event-stream attack on CoPay.11
Sep
2017
Homebrew repository compromised.
9
Jan
2018
Feb
2018
Mar
2018
6
Aug
2018
Conventional-changelog compromised
and turned into a Monero miner.
Blog: “I’m harvesting credit card numbers
and passwords from your site. Here’s
how.”
Backdoor discovered in npm get-cookies
module published since March.
Unauthorized publishing of mailparser.
Gentoo Linux Repository Compromised.
Malicious Eslint discovered to be stealing npm
credentials.
Aug
2017
Oct
2017
Nov
2017
Dec
2017
Apr
2018
May
2018
Jun
2018
Jul
2018
Sep
2018
Oct
2018
Nov
2018
Dec
2018
36. At what point in the development process does your
organization perform automated application analysis?
2019 No DevSecOps Practice 2019 Mature DevSecOps Practices
43. 1. An up to date inventory of open-source components utilized in the
software
2. A process for identifying known vulnerabilities within open source
components
3. 360 degree monitoring of open source components throughout the
SDLC
4. A policy and process to immediately remediate vulnerabilities as
they become known
January 2019
source: https://blog.pcisecuritystandards.org/just-published-new-pci-software-security-standards