2. @joshcorman
@RealGeneKim
Josh Corman, Sonatype (@joshcorman): Sonatype CTO & Co-Founder of Rugged Software, I am The Cavalry
Gene Kim, IT Revolution Press (@RealGeneKim): CTO, Researcher & Author, ‘The Phoenix Project’, ‘Visible Ops’
Source: 2014 Sonatype Open Source and Application Security Survey
Ask questions on Twitter during the webinar using #sonatype
17.
The Cavalry isn’t coming… It falls to us
Problem Statement
Our society is adopting connected
technology faster than we are able to
secure it.
Mission Statement
To ensure connected technologies with
the potential to impact public safety
and human life are worthy of our trust.
Collecting existing research, researchers, and resources
Connecting researchers with each other, industry, media, policy, and legal
Collaborating across a broad range of backgrounds, interests, and skillsets
Catalyzing positive action sooner than it would have happened on its own
Why: Trust, public safety, human life
How: Education, outreach, research
Who: Infosec research community
Who: Global, grass-roots initiative
What: Long-term vision for cyber safety
Domains: Medical, Automotive, Connected Home, Public Infrastructure
I Am The Cavalry
18.
Our Goals
Play Mad Chemists
The Best & Brightest of DevOps
The Best & Brightest of Security
Cause High Value / High Connection
Merge our Tribes for Mutual Awesomeness
Catalyze New Patterns and Solutions
25.
10 deploys per day
Dev & ops cooperation at Flickr
John Allspaw & Paul Hammond
Velocity 2009
Source: John Allspaw (@allspaw) and Paul Hammond (@ph)
31.
High Performers Are More Agile
30x more frequent deployments and 8,000x faster lead times than their peers
Source: Puppet Labs 2013 State Of DevOps: http://puppetlabs.com/2013-state-of-devops-infographic
32.
High Performers Are More Reliable
2x the change success rate and 12x faster mean time to recover (MTTR)
Source: Puppet Labs 2013 State Of DevOps: http://puppetlabs.com/2013-state-of-devops-infographic
33.
High Performers Win In The Marketplace
2x more likely to exceed profitability, market share & productivity goals; 50% higher market capitalization growth over 3 years*
Source: Puppet Labs 2014 State Of DevOps
40.
DevOps Enterprise: Lessons Learned
On Oct 21-23, we held the DevOps Enterprise Summit, a conference for horses, by horses.
Speakers included fifty leaders from: Macy’s, Disney, Target, GE Capital, Blackboard, Nordstrom, Telstra, US Department of Homeland Security, CSG, Raytheon, IBM, Ticketmaster, MITRE, Marks and Spencer, Barclays Capital, Microsoft, Nationwide Insurance, Capital One, Gov.UK, Fidelity, Rally Software, Neustar, Walmart, PNC, ADP, …
41.
The most popular and talked-about presentation at DevOps Enterprise 2014?
Mark Schwartz, CIO, US Citizenship and Immigration Services, Department of Homeland Security
42.
Observations
They were using the same technical practices and getting the same sort of metrics as the unicorns:
Target: 10+ deploys per day, < 10 incidents per month
Capital One: 100s of deploys per day, lead time of minutes
Macy’s: 1,500 manual tests every 10 days, now 100Ks of automated tests run daily
Nationwide Insurance: Retirement Plans app (COBOL on mainframe)
Raytheon: testing and certification from months to a day
US CIS: security and compliance testing run on every code commit
43.
Observations
The transformation stories are among the most courageous I’ve ever heard – often the transformation leader was putting themselves in personal jeopardy.
Why? Absolute clarity and conviction that it was the right thing for the organization.
47.
Risk I/O DevOps By the Numbers
Small & Frequent Commits
• Average between 75 & 125 commits to Master/week
• Simplicity is your friend
48.
Security Automation at Risk I/O
Chef All the Things!
Test All the Things! (including security)
Static + Dynamic Throughout
Continuous Integration via CircleCI
Open-Sourced Cookbooks
ModSecurity (airbag), Nessus (air bag ctrl), Nmap (brakes), SSH, iptables (shoulder belt), encrypted volumes, Duo 2FA, openVPN
ChatOps = Slack + graphite + logstash + sensu + pagerduty
49.
The DevOps Audit Defense Toolkit
http://bit.ly/DevOpsAudit
James DeLuccia IV
Jeff Gallimore
Gene Kim
Byron Miller
54.
2/1/2016
COMMERCIAL RESPONSES TO OPENSSL
X Axis: Time (Days) following initial HeartBleed disclosure and patch availability
Y Axis: Number of products included in the vendor vulnerability disclosure
Z Axis (circle size): Exposure as measured by the CVE CVSS score
56.
True Costs & Least Cost Avoiders
[Chart: ACME compared across Enterprise, Bank, Retail, Manufacturing, BioPharma, Education, High Tech]
60.
ON TIME.
Faster builds.
Fewer interruptions.
More innovation.
ON BUDGET.
More efficient.
More profitable.
More competitive.
ACCEPTABLE QUALITY/RISK.
Easier compliance.
Higher quality.
Built-in audit protection.
62.
Agile / CI
64.
DevOps / CD
Agile / CI
66.
SW Supply Chain
DevOps / CD
Agile / CI
70.
H.R. 5793 “Cyber Supply Chain Management and Transparency Act of 2014”
Elegant Procurement Trio
1) Ingredients: Anything sold to $PROCURING_ENTITY must provide a Bill of Materials of 3rd Party and Open Source Components (along with their Versions)
2) Hygiene & Avoidable Risk: …and cannot use known vulnerable components for which a less vulnerable component is available (without a written and compelling justification accepted by $PROCURING_ENTITY)
3) Remediation: …and must be patchable/updateable – as new vulnerabilities will inevitably be revealed
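The three procurement rules above, applied by a small checker written for this page (it is not code from the deck or from Sonatype). It takes a bill of materials per product and a constructed advisory feed, reports a finding for each rule a product violates, and separately counts how many distinct versions of one component a portfolio carries, the version sprawl slide 77 reports; every component name, version and advisory in it is a constructed placeholder.

```python
# Added example (not from the deck): applies the H.R. 5793 "procurement trio" to a
# bill of materials and counts the version sprawl slide 77 reports. All names,
# versions and advisories below are constructed placeholders.
from dataclasses import dataclass
from typing import Dict, List, Optional, Set

# Constructed advisory feed: vulnerable versions and the least vulnerable fix.
ADVISORIES: Dict[str, dict] = {
    "example-ssl-lib": {"affected": {"1.0.1", "1.0.1f"}, "fixed": "1.0.1g"},
    "example-http-client": {"affected": {"3.1"}, "fixed": "4.3"},
}

@dataclass
class Component:
    name: str
    version: Optional[str]   # None models a BOM entry that omits its version
    justification: str = ""  # written exception accepted by $PROCURING_ENTITY

@dataclass
class Product:
    name: str
    bom: List[Component]
    updateable: bool         # rule 3: can the buyer apply fixes after purchase?

def check_product(p: Product) -> List[str]:
    """Return one finding per violated rule; an empty list means acceptable."""
    findings: List[str] = []
    for c in p.bom:
        # Rule 1 (ingredients): every component must be listed with a version.
        if not c.version:
            findings.append(f"rule1: {c.name} has no version in the BOM")
            continue
        # Rule 2 (hygiene): no known-vulnerable component when a fix exists, unless justified.
        adv = ADVISORIES.get(c.name)
        if adv and c.version in adv["affected"] and not c.justification:
            findings.append(f"rule2: {c.name} {c.version} is vulnerable; "
                            f"{adv['fixed']} is available")
    # Rule 3 (remediation): the product itself must be patchable/updateable.
    if not p.updateable:
        findings.append(f"rule3: {p.name} cannot be patched or updated in the field")
    return findings

def version_sprawl(products: List[Product]) -> Dict[str, int]:
    """Distinct versions of each component across a portfolio of products."""
    seen: Dict[str, Set[str]] = {}
    for p in products:
        for c in p.bom:
            if c.version:
                seen.setdefault(c.name, set()).add(c.version)
    return {name: len(vs) for name, vs in seen.items()}
```

A justified exception suppresses the rule 2 finding but the component still counts toward sprawl, which is the point of tracking versions separately from vulnerabilities.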
77.
Current approaches AREN’T WORKING
[Pipeline diagram: Component Selection, Development, Build and Deploy, Production]
75% lack meaningful controls over components in apps
27 different versions of the same component downloaded
95% inefficient sourcing: components are not downloaded to caching repositories
63% don’t track components used in production
24 critical or severe vulnerabilities per app
4 strong copyleft licensed components per app on average
78.
[Pipeline diagram: Component Selection, Development, Build and Deploy, Production]
Public Repositories / Nexus Lifecycle:
Precisely identify components & risks
Remediate early in development
Automate policy across the SDLC
Manage risk with consolidated dashboard
Continuously monitor apps for new risks
80.
Continuous Acceleration with a Software Supply Chain Approach
Gene Kim (@RealGeneKim), Josh Corman (@joshcorman)
Speaker notes
We are in the business of open source governance, management and compliance (add in slide or on cover slide)
Your Company Runs on Software – it must be trusted
Gene and I realized back in 2011 that DevOps was a game changer and that Security as we knew it was not going to survive. My Rugged Software Manifesto and movement and our shared beliefs of culture and incentives compelled us to marry the tribes for mutual benefit.
Over the years our Tribe has grown…
And in 2015 we now merge with the broader DevOps leadership community… with a full-day, 700-person Rugged DevOps workshop… at this year’s RSAC
Gene is realizing the mad chemistry we’ve done… Jez is asking what the heck am I getting myself into ;)
My name is Gene Kim. My area of passion started when I was the CTO and founder of Tripwire in 1999. I started keeping a list that we called “Gene’s list of people with great kung fu.” These were the organizations that simultaneously…
In the next 25 minutes, I’m really excited to share with you some of my key learnings, which I’m hoping that will not only be applicable to you, but that you’ll be able to put into practice right away, and get some amazing results.
But let me tell you how my journey began…
NIST’s NVD (National Vulnerability Database): http://web.nvd.nist.gov/view/vuln/search-results?query=OpenSSL&search_type=all&cves=on
Siemens was affected by 4 OpenSSL flaws beyond HeartBleed, one from 2010.
http://www.scmagazine.com/siemens-industrial-products-impacted-by-four-openssl-vulnerabilities/article/361997/
“Several Siemens products used for process and network control and monitoring in critical infrastructure sectors are affected by four vulnerabilities in the company's OpenSSL cryptographic software library.
The vulnerabilities – CVE-2014-0224, CVE-2014-0198, CVE-2010-5298, and CVE-2014-3470 – can be exploited remotely, and fairly easily, to hijack a session as part of a man-in-the-middle attack or to crash the web server of the product, according to a Thursday ICS-CERT post.
Siemens has already issued updates for APE versions prior to version 2.0.2 and WinCC OA (PVSS), but has only issued temporary mitigations for CP1543-1, ROX 1, ROX 2, and S7-1500.
The products are typically used in the chemical, critical manufacturing, energy, food and agriculture, and water and wastewater systems sectors, according to the post.”
www.ruggedsoftware.org
https://www.ruggedsoftware.org/documents/
“I recognize that my code will be attacked by talented and persistent adversaries who threaten our physical, economic, and national security“
[ picture of messy data center ] Ten minutes into Bill’s first day on the job, he has to deal with a payroll run failure. Tomorrow is payday, and finance just found out that while all the salaried employees are going to get paid, none of the hourly factory employees will. All their records from the factory timekeeping systems were zeroed out. Was it a SAN failure? A database failure? An application failure? Interface failure? Cabling error?
There are many ways to react to this: like, fear, horror, trying to become invisible… All understandable, given the circumstances…
Because infosec can no longer take 4 weeks to turn around a security review for application code, or take 6 weeks to turnaround a firewall change.
But, on the other hand, I think it will be the best thing to ever happen to infosec in the past 20 years. We’re calling this Rugged DevOps, because it’s a way for infosec to integrate into the DevOps process, and be welcomed. And not be viewed as the shrill hysterical folks who slow the business down.
Qualitative takeaways:
Virtually all major (and not so major) software vendors are building on a stack of open source (including security vendors).
The breadth of use across some vendors, IBM most notably is remarkably high (open source is not just in a few rogue products).
New discoveries are getting more serious over time.
New discoveries are getting less vendor attention (fewer vendor disclosures) despite their being more serious.
Vendors are responding to new discoveries at a somewhat slower pace.
The significant increase in product disclosures after the later OpenSSL disclosures, which affect all versions of OpenSSL not just versions 1.0.1 or later, implies that many vendors and products were using old libraries (version 0.9.8 was first released in July, 2005).
Total disclosures: 227
Total product instances affected by disclosures: 2,513
Mean time to repair: 35.8
Median time to repair: 22.0
Deming has sage advice for us… but he has more than that… Deming may be the key to changing our fate……more on this later…
See also Josh’s RSA Europe Keynote Video:
Survival Isn’t Mandatory: Challenges and Opportunities of DevOps
http://youtu.be/m4Y_K7MXQxQ
Incentives Incentivize – Any strategy that requires human nature to change is likely to fail
The Eternal Essence of SW Developers is to be “On Time. On Budget. With Acceptable Quality/Risk”
Which translates into Go Faster,. Be more Efficient. Manage Quality.” In that order…
Image source: https://www.flickr.com/photos/opensourceway/4862920379/in/photolist-8pHJNP-9YLxpV-bZwfxo-4cv2XJ-6u2Sii-6u2Sbv-6u2RPV-7TCwgh-7DhXvU-8bpC9J-f119g-6V7UHx-63Bo2R-bwS9ux-7svgys-755bHf-9YLxvr-4R4GZV-dhtwk7-6V69PL-8nuXRE-c8Hc9m-9RTeA4-5HhfEX-8Vnaei-aFf72q-pgL6BQ-6n9a5w-6n98H1-6n99vN-6n4YQe-751hbP-4PLgno-M3uTP-9YPru5-BAPs6-8JMvEe-6t2Jfa-k9ZQVz-eF7qWf-6VbWPN-4UKjC3-7z4qGQ-jAC6Ap-9YLuSK-9YLuLD-9YLwYr-5zUdBo-64ooGC-9YLvPx
Comparing Toyota and General Motors
JOSH: Bring up:
Healthcare.gov
81 versions of Spring vs 1
15% innovation lift at insurer
MTTD 6 minutes versus 6 weeks
Bouncy Castle – CVSS 10 – 2009 – since then 11,236 organizations downloaded it 214,484 times
httpClient – since then 29,468 organizations downloaded it 3,749,193 times
Early and Ongoing Vulnerability Identification
Provide tools throughout the development lifecycle to identify potential issues as early as possible to build a secure software supply pipeline
Understand and Remediate
Monitor high risk franchise applications to determine vulnerabilities included in application components
Implement an *Application VTM* type process to look at internally consumed products like we do in the VTM cycle