Continuous Acceleration with a Software Supply Chain Approach
•Télécharger en tant que PPTX, PDF•
1 j'aime•734 vues
How borrowing Supply Chain Principles can help the software development industry.
Recommandé
Recommandé
Contenu connexe
Tendances
Tendances (20)
Similaire à Continuous Acceleration with a Software Supply Chain Approach
Similaire à Continuous Acceleration with a Software Supply Chain Approach (20)
Plus de Sonatype
Plus de Sonatype (20)
Dernier
Dernier (20)
Continuous Acceleration with a Software Supply Chain Approach
- 1. @RealGeneKim CONTINUOUS ACCELERATION with a Software Supply Chain Approach Gene Kim & Josh Corman Ask questions on Twitter during the webinar using #sonatype
- 2. @joshcorman @RealGeneKim Josh Corman Sonatype @joshcorman Gene Kim IT Revolution Press @RealGeneKim Sonatype CTO & Co - Founder of Rugged Software, I am The Cavalry CTO, Researcher & Author ‘The Phoenix Project’ , ‘Visible Ops’ Source: 2014 Sonatype Open Source and Application Security SurveyAsk questions on Twitter during the webinar using #sonatype
- 3. @joshcorman @RealGeneKim Session ID: Session Classification: Josh Corman, Gene Kim VERY ROUGH 1ST Draft Security is Dead. Long Live Rugged DevOps: IT at Ludicrous Speed… CLD-106 Intermediate
- 4. @joshcorman @RealGeneKim Ask questions on Twitter during the webinar using #sonatype
- 5. @joshcorman @RealGeneKim Ask questions on Twitter during the webinar using #sonatype
- 6. @joshcorman @RealGeneKim Ask questions on Twitter during the webinar using #sonatype
- 7. #RSAC SESSION ID: Gene Kim Joshua Corman Rugged DevOps Going Even Faster With Software Supply Chains CTO Sonatype @joshcorman Researcher and Author IT Revolution Press @RealGeneKim
- 8. @joshcorman @RealGeneKim 9 10/23/2013 ~ Marc Marc Andreessen 2011
- 11. @joshcorman @RealGeneKim Beyond Heartbleed: OpenSSL in 2014 (31 in NIST’s NVD thru December) CVE-2014-3470 6/5/2014 CVSS Severity: 4.3 MEDIUM SEIMENS * CVE-2014-0224 6/5/2014 CVSS Severity: 6.8 MEDIUM SEIMENS * CVE-2014-0221 6/5/2014 CVSS Severity: 4.3 MEDIUM CVE-2014-0195 6/5/2014 CVSS Severity: 6.8 MEDIUM CVE-2014-0198 5/6/2014 CVSS Severity: 4.3 MEDIUM SEIMENS * CVE-2013-7373 4/29/2014 CVSS Severity: 7.5 HIGH CVE-2014-2734 4/24/2014 CVSS Severity: 5.8 MEDIUM ** DISPUTED ** CVE-2014-0139 4/15/2014 CVSS Severity: 5.8 MEDIUM CVE-2010-5298 4/14/2014 CVSS Severity: 4.0 MEDIUM CVE-2014-0160 4/7/2014 CVSS Severity: 5.0 MEDIUM HeartBleed CVE-2014-0076 3/25/2014 CVSS Severity: 4.3 MEDIUM CVE-2014-0016 3/24/2014 CVSS Severity: 4.3 MEDIUM CVE-2014-0017 3/14/2014 CVSS Severity: 1.9 LOW CVE-2014-2234 3/5/2014 CVSS Severity: 6.4 MEDIUM CVE-2013-7295 1/17/2014 CVSS Severity: 4.0 MEDIUM CVE-2013-4353 1/8/2014 CVSS Severity: 4.3 MEDIUM CVE-2013-6450 1/1/2014 CVSS Severity: 5.8 MEDIUM … As of today, internet scans by MassScan reveal 300,000 of original 600,000 remain unpatched or unpatchable
- 12. @joshcorman @RealGeneKim Heartbleed + (UnPatchable) Internet of Things == ___ ? In Our Bodies In Our Homes In Our InfrastructureIn Our Cars
- 17. @joshcorman @RealGeneKim •The The Cavalry isn’t coming… It falls to us Problem Statement Our society is adopting connected technology faster than we are able to secure it. Mission Statement To ensure connected technologies with the potential to impact public safety and human life are worthy of our trust. Collecting existing research, researchers, and resources Connecting researchers with each other, industry, media, policy, and legal Collaborating across a broad range of backgrounds, interests, and skillsets Catalyzing positive action sooner than it would have happened on its own Why Trust, public safety, human life How Education, outreach, research Who Infosec research community Who Global, grass roots initiative WhatLong-term vision for cyber safety Medical Automotive Connected Home Public Infrastructure I Am The Cavalry
- 18. @joshcorman @RealGeneKim Our Goals Play Mad Chemists The Best & Brightest of DevOps The Best & Brightest of Security Cause High Value / High Connection Merge our Tribes for Mutual Awesomeness Catalyze New Patterns and Solutions
- 19. #RSAC SESSION ID: Where We’ve Been
- 21. @RealGeneKim
- 22. @RealGeneKim
- 23. @RealGeneKim IT Ops And Dev At War 24
- 24. @RealGeneKim
- 25. @RealGeneKim 10 deploys per day Dev & ops cooperation at Flickr John Allspaw & Paul Hammond Velocity 2009 Source: John Allspaw (@allspaw) and Paul Hammond (@ph)
- 26. @RealGeneKim Dev and Ops Source: John Allspaw (@allspaw) and Paul Hammond (@ph)
- 27. @RealGeneKimSource: Theo Schlossnagle (@postwait) DevOps is incomplete, is interpreted wrong, and is too isolated
- 28. @RealGeneKim .*Ops Source: Theo Schlossnagle (@postwait)
- 29. @RealGeneKim ^(?<dept>.+)Ops$ Source: Theo Schlossnagle (@postwait)
- 30. @RealGeneKim Justin Collins, Neil Matatall & Alex Smolen from Twitter *
- 31. @RealGeneKim High Performers Are More Agile 30x 8,000x more frequent deployments faster lead times than their peers Source: Puppet Labs 2013 State Of DevOps: http://puppetlabs.com/2013-state-of-devops-infographic
- 32. @RealGeneKim High Performers Are More Reliable 2x 12x the change success rate faster mean time to recover (MTTR) Source: Puppet Labs 2013 State Of DevOps: http://puppetlabs.com/2013-state-of-devops-infographic
- 33. @RealGeneKim High Performers Win In The Marketplace 2x 50%more likely to exceed profitability, market share & productivity goals higher market capitalization growth over 3 years* Source: Puppet Labs 2014 State Of DevOps
- 35. #RSAC SESSION ID: Why It’s “Go Time”
- 37. @joshcorman @RealGeneKim New engineer to John Allspaw: “Is it okay for me to make this change?” John Allspaw: “I don’t know. Is it?”
- 38. @joshcorman @RealGeneKim One Of The Highest Predictors Of Performance Source: Typology Of Organizational Culture (Westrum, 2004)
- 39. @joshcorman @RealGeneKim One Of The Highest Predictors Of Performance Source: Typology Of Organizational Culture (Westrum, 2004)
- 40. @joshcorman @RealGeneKim DevOps Enterprise: Lessons Learned On Oct 21-23, we held the DevOps Enterprise Summit, a conference for horses, by horses Speakers included fifty leaders from: Macy’s, Disney, Target, GE Capital, Blackboard, Nordstrom, Telstra, US Department of Homeland Security, CSG, Raytheon, IBM, Ticketmaster, MITRE, Marks and Spencer, Barclays Capital, Microsoft, Nationwide Insurance, Capital One, Gov.UK, Fidelity, Rally Software, Neustar, Walmart, PNC, ADP, …
- 41. @joshcorman @RealGeneKim The most popular and talked-about presentation at DevOps Enterprise 2014? Mark Schwartz, CIO, US Citizenship and Immigration Services, Department of Homeland Security
- 42. @joshcorman @RealGeneKim Observations They were using the same technical practices and getting the same sort of metrics as the unicorns Target: 10+ deploys per day, < 10 incidents per month Capital One: 100s of deploys per day, lead time of minutes Macy’s: 1,500 manual tests every 10 days, now 100Ks automated tests run daily Nationwide Insurance: Retirement Plans app (COBOL on mainframe) Raytheon: testing and certification from months to a day US CIS: security and compliance testing run every code commit
- 43. @joshcorman @RealGeneKim Observations The transformation stories are among the most courageous I’ve ever heard – Often the transformation leader was putting themselves in personal jeopardy Why? Absolute clarity and conviction that it was the right thing for the organization *
- 44. @RealGeneKim Capital One: DevOpsSec Source: Tapabrata Pal, Capital One *
- 45. @joshcorman @RealGeneKim Heather Mickman, Target, Inc. Abolished the TEP-LARB process As a result, she won the Lifetime Achievement Award from her grateful team
- 46. @joshcorman @RealGeneKim What About Infosec? Ed Bellis Former CISO of Orbitz VP Information Security at Bank of America Currently CEO of Risk I/O
- 47. @joshcorman @RealGeneKim Risk I/O DevOps By the Numbers Small & Frequent Commits • Average between 75 & 125 commits commits to Master/week • Simplicity is your friend
- 48. @joshcorman @RealGeneKim Risk I/O DevOps By the Numbers Small & Frequent Commits • Average between 75 & 125 commits commits to Master/week • Simplicity is your friend Security Automation at Risk I/O Chef All the Things! Test All the Things! (including security) Static + Dynamic Throughout Continuous Integration via CircleCI Open-Sourced Cookbooks ModSecurity (airbag) Nessus (air bag ctrl) Nmap (brakes) SSH iptables (shoulder belt) encrypted volumes Duo 2FA openVPN ChatOps = Slack + graphite + logstash + sensu + pagerduty
- 49. @RealGeneKim The DevOps Audit Defense Toolkit http://bit.ly/DevOpsAudit James DeLuccia IV Jeff Gallimore Gene Kim Byron Miller
- 50. @RealGeneKim
- 51. @RealGeneKim “deploys / day” “deploys / day / dev”
- 52. #RSAC SESSION ID: Where We Want To Go
- 54. @joshcorman @RealGeneKim73 2/1/2016 X Axis: Time (Days) following initial HeartBleed disclosure and patch availability Y Axis: Number of products included in the vendor vulnerability disclosure Z Axis (circle size): Exposure as measured by the CVE CVSS score COMMERCIAL RESPONSES TO OPENSSL
- 55. @joshcorman @RealGeneKim https://www.usenix.org/system/files/login/articles/15_geer_0.pdf For the 41% 390 days CVSS 10s 224 days
- 56. @joshcorman @RealGeneKim True Costs & Least Cost Avoiders ACME Enterprise Bank Retail Manufacturing BioPharma Education High Tech Enterprise Bank Retail Manufacturing BioPharma Education High Tech Enterprise Bank Retail Manufacturing BioPharma Education High Tech
- 58. @joshcorman @RealGeneKim ON TIME ON BUDGET ACCEPTABLE QUALITY/RISK
- 60. @joshcorman @RealGeneKim ON TIME. Faster builds. Fewer interruptions. More innovation. ON BUDGET. More efficient. More profitable. More competitive. ACCEPTABLE QUALITY/RISK. Easier compliance. Higher quality. Built-in audit protection.
- 62. @joshcorman @RealGeneKim ON TIME. Faster builds. Fewer interruptions. More innovation. ON BUDGET. More efficient. More profitable. More competitive. ACCEPTABLE QUALITY/RISK. Easier compliance. Higher quality. Built-in audit protection. Agile / CI
- 64. @joshcorman @RealGeneKim ON TIME. Faster builds. Fewer interruptions. More innovation. ON BUDGET. More efficient. More profitable. More competitive. ACCEPTABLE QUALITY/RISK. Easier compliance. Higher quality. Built-in audit protection. DevOps / CD Agile / CI
- 66. @joshcorman @RealGeneKim ON TIME. Faster builds. Fewer interruptions. More innovation. ON BUDGET. More efficient. More profitable. More competitive. ACCEPTABLE QUALITY/RISK. Easier compliance. Higher quality. Built-in audit protection. SW Supply Chain DevOps / CD Agile / CI
- 68. @joshcorman @RealGeneKim Toyota Advantage Toyota Prius Chevy Volt Unit Cost 61% $24,200 $39,900 Units Sold 13x 23,294 1,788 In-House Production 50% 27% 54% Plant Suppliers 16% (10x per) 125 800 Firm-Wide Suppliers 4% 224 5,500 Comparing the Prius and the Volt
- 70. @joshcorman @RealGeneKim H.R. 5793 “Cyber Supply Chain Management and Transparency Act of 2014” Elegant Procurement Trio 1) Ingredients: Anything sold to $PROCURING_ENTITY must provide a Bill of Materials of 3rd Party and Open Source Components (along with their Versions) 2) Hygiene & Avoidable Risk: …and cannot use known vulnerable components for which a less vulnerable component is available (without a written and compelling justification accepted by $PROCURING_ENTITY) 3) Remediation: …and must be patchable/updateable – as new vulnerabilities will inevitably be revealed
- 71. #RSAC SESSION ID: Go Forth… …and be Rugged @joshcorman @RealGeneKim @RuggedSoftware
- 73. @joshcorman @RealGeneKim ACCORDING TO ADOBE Ask questions on Twitter during the webinar using #sonatype
- 74. @joshcorman @RealGeneKim ACCORDING TO IBM Ask questions on Twitter during the webinar using #sonatype
- 75. @joshcorman @RealGeneKim ACCORDING TO DOCKER Ask questions on Twitter during the webinar using #sonatype
- 76. @joshcorman @RealGeneKim ACCORDING TO CISCO Ask questions on Twitter during the webinar using #sonatype
- 77. @joshcorman @RealGeneKim Current approaches AREN’T WORKING Component Selection DEVELOPMENT BUILD AND DEPLOY PRODUCTION COMPONENT SELECTION 75% Lack meaningful controls over components in apps 27 Different versions of the same component downloaded 95% Inefficient sourcing: Components are not downloaded to caching repositories 63% Don’t track components used in production 24 Critical or severe vulnerabilities per app 4 Avg of strong copyleft licensed components per app Ask questions on Twitter during the webinar using #sonatype
- 78. @joshcorman @RealGeneKim Component Selection DEVELOPMENT BUILD AND DEPLOY PRODUCTION COMPONENT SELECTION PUBLIC REPOSITORIES NEXUS LIFECYCLE PRECIOUSLY IDENTIFY COMPONENTS & RISKS REMEDIATE EARLY IN DEVEOPMENT AUTOMATE POLICY ACROSS THE SDLC MANAGE RISK WITH CONSOLIDATED DASHBOARD CONTINUOUSLY MONITOR APPS FOR NEW RISKS Ask questions on Twitter during the webinar using #sonatype
- 79. @joshcorman @RealGeneKim Ask questions on Twitter during the webinar using #sonatype Full day of videos Assessments Available http://www.sonatype.org/nexus/
- 80. @joshcorman @RealGeneKim Continuous Acceleration with a Software Supply Chain Approach Gene Kim Josh Corman @RealGeneKim @joshcorman Source: 2014 Sonatype Open Source and Application Security SurveyAsk questions on Twitter during the webinar using #sonatype
Notes de l'éditeur
- We are in the business of open source governance, management and compliance (add in slide or on cover slide) Your Company Runs on Software – it must be trusted
- Gene and I realized back in 2011 that DevOps was a game changer and that Security as we knew it was not going to survive. My Rugged Software Manifesto and movement and our shored beliefs of culture and incentives compelled us to marry the tribes for mutual benefit.
- Gene and I realized back in 2011 that DevOps was a game changer and that Security as we knew it was not going to survive. My Rugged Software Manifesto and movement and our shored beliefs of culture and incentives compelled us to marry the tribes for mutual benefit.
- Over the years our Tribe has grown…
- An in 2015 We now Merge with the broader DevOps leadership community… with a full day 700 person Rugged DevOps workshop… at this year’s RSAC Gene is realizing the mad chemistry we’ve done… Jez is asking what the heck am I getting myself into ;)
- My name is Gene Kim. My area of passion started when I was the CTO and founder of Tripwire in 1999. I started keeping a list that we called “Gene’s list of people with great kung fu.” These were the organizations that simutaneously… In the next 25 minutes, I’m really excited to share with you some of my key learnings, which I’m hoping that will not only be applicable to you, but that you’ll be able to put into practice right away, and get some amazing results. But let me tell you how my journey began…
- http://www.caida.org/research/security/code-red/coderedv2_analysis.xml#animations
- NIST’s NVD (National Vulnerability Database_ http://web.nvd.nist.gov/view/vuln/search-results?query=OpenSSL&search_type=all&cves=on SEIMENS was affected by 4 OpenSSL flaws beyond HeartBleed. One from 2010 http://www.scmagazine.com/siemens-industrial-products-impacted-by-four-openssl-vulnerabilities/article/361997/ “Several Siemens products used for process and network control and monitoring in critical infrastructure sectors are affected by four vulnerabilities in the company's OpenSSL cryptographic software library. The vulnerabilities – CVE-2014-0224, CVE-2014-0198, CVE-2010-5298, and CVE-2014-3470 – can be exploited remotely, and fairly easily, to hijack a session as part of a man-in-the-middle attack or to crash the web server of the product, according to a Thursday ICS-CERT post. Siemens has already issued updates for APE versions prior to version 2.0.2 and WinCC OA (PVSS), but has only issued temporary mitigations for CP1543-1, ROX 1, ROX 2, and S7-1500. The products are typically used in the chemical, critical manufacturing, energy, food and agriculture, and water and wastewater systems sectors, according to the post.”
- www.ruggedsoftware.org https://www.ruggedsoftware.org/documents/
- www.ruggedsoftware.org https://www.ruggedsoftware.org/documents/ “I recognize that my code will be attacked by talented and persistent adversaries who threaten our physical, economic, and national security“
- [ picture of messy data center ] Ten minutes into Bill’s first day on the job, he has to deal with a payroll run failure. Tomorrow is payday, and finance just found out that while all the salaried employees are going to get paid, none of the hourly factory employees will. All their records from the factory timekeeping systems were zeroed out. Was it a SAN failure? A database failure? An application failure? Interface failure? Cabling error?
- Source: http://biobreak.wordpress.com/2010/10/07/games-evangelism-dos-and-donts/
- There are many ways to react to this: like, fear, horror, trying to become invisible… All understandable, given the circumstances… Because infosec can no longer take 4 weeks to turn around a security review for application code, or take 6 weeks to turnaround a firewall change. But, on the other hand, I think it’s will be the best thing to ever happen to infosec in the past 20 years. We’re calling this Rugged DevOps, because it’s a way for infosec to integrate into the DevOps process, and be welcomed. And not be viewed as the shrill hysterical folks who slow the business down.
- My name is Gene Kim. My area of passion started when I was the CTO and founder of Tripwire in 1999. I started keeping a list that we called “Gene’s list of people with great kung fu.” These were the organizations that simutaneously… In the next 25 minutes, I’m really excited to share with you some of my key learnings, which I’m hoping that will not only be applicable to you, but that you’ll be able to put into practice right away, and get some amazing results. But let me tell you how my journey began…
- My name is Gene Kim. My area of passion started when I was the CTO and founder of Tripwire in 1999. I started keeping a list that we called “Gene’s list of people with great kung fu.” These were the organizations that simutaneously… In the next 25 minutes, I’m really excited to share with you some of my key learnings, which I’m hoping that will not only be applicable to you, but that you’ll be able to put into practice right away, and get some amazing results. But let me tell you how my journey began…
- Qualitative takeaways: Virtually all major (and not so major) software vendors are building on a stack of open source (including security vendors). The breadth of use across some vendors, IBM most notably is remarkably high (open source is not just in a few rogue products). New discoveries are getting more serious over time. New discoveries are getting less vendor attention (fewer vendor disclosures) despite their being more serious. Vendors are responding to new discoveries at a somewhat slower pace. The significant increase in product disclosures after the later OpenSSL disclosures, which affect all versions of OpenSSL not just versions 1.0.1 or later, implies that many vendors and products were using old libraries (version 0.9.8 was first released in July, 2005). Total disclosures: 227 Total product instances affected by disclosures: 2,513 Mean time to repair: 35.8 Median time to repair: 22.0
- Deming has sage advice for us… but he has more than that… Deming may be the key to changing our fate… …more on this later… See also Josh’s RSA Europe Keynote Video: Survival Isn’t Mandatory: Challenges and Opportunities of DevOps http://youtu.be/m4Y_K7MXQxQ
- Incentives Incentivize – Any strategy that requires human nature to change is likely to fail The Eternal Essence of SW Developers is to be “On Time. On Budget. With Acceptable Quality/Risk” Which translates into Go Faster,. Be more Efficient. Manage Quality.” In that order… IMG SRC = https://www.flickr.com/photos/opensourceway/4862920379/in/photolist-8pHJNP-9YLxpV-bZwfxo-4cv2XJ-6u2Sii-6u2Sbv-6u2RPV-7TCwgh-7DhXvU-8bpC9J-f119g-6V7UHx-63Bo2R-bwS9ux-7svgys-755bHf-9YLxvr-4R4GZV-dhtwk7-6V69PL-8nuXRE-c8Hc9m-9RTeA4-5HhfEX-8Vnaei-aFf72q-pgL6BQ-6n9a5w-6n98H1-6n99vN-6n4YQe-751hbP-4PLgno-M3uTP-9YPru5-BAPs6-8JMvEe-6t2Jfa-k9ZQVz-eF7qWf-6VbWPN-4UKjC3-7z4qGQ-jAC6Ap-9YLuSK-9YLuLD-9YLwYr-5zUdBo-64ooGC-9YLvPx
- Waterfall -> Agile -> DevOps -> SW Supply Chains Creative Commons https://www.flickr.com/photos/edwarddalmulder/16007135379
- Waterfall -> Agile -> DevOps -> SW Supply Chains Bring up Agile Manifesto – why it got Adoption/Motivational Aligment… Rugged Manifesto IMG SRC = https://www.flickr.com/photos/spam/3793946621/in/photolist-6MfY9M-pibhYF-4pewTp-5r6nyV-9dQpr8-4KHaSk-7GpW1s-aghWN5-qKUeyx-3paWa5-pTBrTu-oWLEkK-fBgcPD-dTGid3-d9Wqz3-cX8kCE-8djLzu-aghWX1-gG5tkQ-oES1PD-67gTBy-ccZ3iL-dDSEQW-qqZViu-DWdGA-6ZR48F-dtySAq-uxgZq-GGsSn-aghWK1-8VBRBX-yNrLX-7PQWEZ-7HC962-7xbdLo-aPMVLp-8s5w6E-aghWM9-agfcea-8bB8gn-dTGhjY-dnp9es-qth42k-5sXSCT-mDbZND-4MAAEZ-fKh9sA-pww9X8-8Qsyys-9MpqGa Creative Commons
- Waterfall -> Agile -> DevOps -> SW Supply Chains IMG SRC = https://www.flickr.com/photos/psd/8634021085/in/photolist-c3BfF9-9M9wdC-e9XBEv-nfWJyu-nP7Kpu-nQSeD8-nRai9p-nSWNhM-nStWnY-nA8njq-nSjUtV-i8j8nr-9bfKQs-9bfKod-9bfJVJ-9bcAi4-9bfJ39-rc2ry5-bByrik-cnMSNq-i8jk14-nebFtv-nebFb6-nvFrhD-dMajYn-d7gLpU-nvpMUQ-pjoDDE-d7gCq9-dXCzrc-dXKmus-dXDDfp-dXDD4D-dXKjLN-dXKngf-dXDCKz-dXDDVP-dXKm33-dXDBBX-dXDDsP-dXKiis-dXKmZq-dXDCcD-dXDBXV-dXDFfT-dXKi3L-dhg27j-nyiAKG-pSip9A-dkdPkb Creative Commons
- Waterfall -> Agile -> DevOps -> SW Supply Chains Creative Commons https://www.flickr.com/photos/fordapa/3886403372
- Waterfall -> Agile -> DevOps -> SW Supply Chains Creative Commons https://www.flickr.com/photos/eulothg/4270340730
- Comparing Toyota and General Motors JOSH: Bring up: Healthcare.gov 81 versions of Spring vs 1 15% Innovation lift at Insurer MTTD 6 minutes versus 6 weeks
- Bouncy Castle – CVSS 10 – 2009 -- Since then 11,236 organizations downloaded it 214,484 times httpClient Since then 29,468 organizations downloaded it 3,749,193 times
- Early and Ongoing Vulnerability Identification Provide tools throughout the development lifecycle to identify potential issues as early as possible to build a secure software supply pipeline Understand and Remediate Monitor high risk franchise applications to determine vulnerabilities included in application components Implement an *Application VTM* type process to look at internally consumed products like we do in the VTM cycle