Cameron Townshend
Solution Architect, APJ, Sonatype
Securing Software Supply Chains
Why 3 Days Might Be Your New Normal for DevSecOps
Since 2000, 52% of the Fortune 500 have been replaced.
Established business leaders are also under attack…
Source: https://www.visualcapitalist.com/animation-top-15-global-brands-2000-2018/
W. Edwards Deming, 1945
What is software supply chain management?
A new (yet proven) way of thinking.
1. Source parts from fewer and better suppliers.
2. Use only the highest quality parts.
3. Never pass known defects downstream.
4. Continuously track location of every part.
Jez Humble, 2010
Gene Kim, 2013
Velocity: 47% deploy multiple times per week.
Source: 2019 DevSecOps Community Survey
59,000 data breaches
have been reported to GDPR regulators since May 2018
source: DLA Piper, February 2019
Business applications are under attack…
51% of enterprises suffered at least one breach in the last 12 months.
43% of enterprise attacks are perpetrated by external actors.
68% of external attacks target web apps and known vulnerabilities.
Source: Forrester, Best Practices for Deploying And Managing Enterprise Password Managers, Jan 2018
Everyone has a software supply chain.
(even if you don't call it that)
Demand drives 15,000 new releases every day.
Automation accelerates OSS downloads.
Source: Sonatype's 2018 State of the Software Supply Chain Report
85% of your code is sourced from external suppliers.
170,000 Java component downloads annually, 3,500 unique (source: 2018 State of the Software Supply Chain Report).
60,660 JavaScript packages downloaded per developer per year (source: npm, 2018).
Not all parts are created equal.
We are not "building quality in".
Source: 2019 State of the Software Supply Chain Report
Not reflective of The Hartford's data.
Defect targets per million for six sigma: 1σ 691,000; 2σ 309,000; 3σ 66.8K; 4σ 6.2K; 5σ 233; 6σ 3.4.
[Chart: 2016 Java downloads and 2018 npm downloads plotted against those targets on a scale of 1,000,000 per million; the two download bars read 120K and 510,000. Source: 2018 npm]
170,000 Java component downloads annually; 3,500 unique; 18,870 (11.1%) with known vulnerabilities.
60,660 JavaScript packages downloaded annually per developer; 30,936 (51%) with known vulnerabilities.
Social normalization of deviance
“People within the organization become so much accustomed to a
deviant behavior that they don't consider it as deviant, despite the
fact that they far exceed their own rules for elementary safety.”
Diane Vaughan
Breaches increased 71%.
24% suspect or have verified a breach related to open source components in the 2019 survey.
14% suspect or have verified a breach related to open source components in the 2014 survey.
Source: DevSecOps Community Survey 2014 and 2019
The speed of exploits has compressed 93%
Sources: Gartner, IBM, Sonatype
source: 2019 DevSecOps Community Survey
Quickly identify who is faster than their adversaries.
3 Days in March
March 7: Apache Struts releases an updated version to thwart vulnerability CVE-2017-5638.
March 8: NSA reveals Pentagon servers scanned by nation-states for vulnerable Struts instances. Struts exploit published to Exploit-DB.
March 9: Cisco observes "a high number of exploitation events."
March 10: Equifax, Canada Revenue Agency, Canada Statistics, GMO Payment Gateway.
The Rest of the Story
March 13: Okinawa Power, Japan Post.
April 13: India Post.
December '17: Monero crypto mining.
March '18: India's AADHAAR.
Breach announced.
Equifax was not alone: 18,126 organizations downloading vulnerable versions of Struts (source: Sonatype).
Today: 65% of the Fortune 100 download vulnerable versions.
Complete software bill of materials (SBOM): 2019 No DevOps Practice 19%; 2019 Mature DevOps Practices 50%.
Source: 2019 DevSecOps Community Survey
DevSecOps challenge: automate faster than evil.
1.3 million vulnerabilities in OSS components undocumented: no corresponding CVE advisory in the public NVD database.
The new battlefront: Software Supply Chain Attacks
Timeline, July 2017 through December 2018:
1. Study found credentials online affecting publishing access to 14% of the npm repository (79,000+ packages).
2. Malicious npm packages "typosquatted" (40 packages for 2 weeks, collecting env including npm publishing credentials).
3. 10 malicious Python packages; basic info collected and sent to a Chinese IP address.
4. Golang go-bindata GitHub id deleted and reclaimed.
5. ssh-decorator Python module stealing private SSH keys.
6. Conventional-changelog compromised and turned into a Monero miner.
7. Blog: "I'm harvesting credit card numbers and passwords from your site. Here's how."
8. Backdoor discovered in npm get-cookies module, published since March.
9. Unauthorized publishing of mailparser.
10. Gentoo Linux repository compromised.
11. Malicious ESLint discovered to be stealing npm credentials.
12. Homebrew repository compromised.
13. npm event-stream attack on CoPay.
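Several entries in that timeline share one mechanism: a package whose name is one typo away from a popular one, carrying an install-time script that reads the environment (npm tokens included) and ships it out. The check below is an added example, not code from this talk or from npm or Sonatype. It screens a package manifest at the point where a repository proxy would admit it: the name is compared against an allowlist of popular names with Damerau-Levenshtein distance (one transposition, insertion, deletion or substitution counts as one edit), and any npm lifecycle hook that runs code at install time is flagged. The popular-name list and the package.json documents are constructed for the example; `crossenv` was one of the real 2017 typosquats of `cross-env`, but the manifest contents shown for it are invented.

```python
"""Typosquat and install-hook screening for incoming package manifests.

Added example, not code from the talk or from npm/Sonatype. POPULAR_NAMES and
SAMPLE_MANIFESTS are constructed; a real gate would use download-ranked names
from the registry and the manifest fetched for the requested version.
"""
import json
from typing import Dict, List, Tuple

# Constructed allowlist of well-known package names (a real list would be long).
POPULAR_NAMES = ["lodash", "express", "request", "cross-env", "babel-cli", "mongoose"]


def edit_distance(a: str, b: str) -> int:
    """Damerau-Levenshtein (optimal string alignment) distance.

    Counts insertion, deletion, substitution and adjacent transposition as one
    edit each, so 'lodahs' -> 'lodash' is 1, not 2.
    """
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1,          # deletion
                          d[i][j - 1] + 1,          # insertion
                          d[i - 1][j - 1] + cost)   # substitution / match
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)  # transposition
    return d[len(a)][len(b)]


def nearest_popular(name: str, popular: List[str] = POPULAR_NAMES) -> Tuple[str, int]:
    """Return the closest allowlisted name and its distance from `name`."""
    best = min(popular, key=lambda p: edit_distance(name, p))
    return best, edit_distance(name, best)


def screen_package(manifest: str, popular: List[str] = POPULAR_NAMES,
                   max_distance: int = 2) -> List[str]:
    """Return a list of findings for one package.json; empty means nothing flagged."""
    pkg = json.loads(manifest)
    name = pkg.get("name", "")
    findings = []
    # A name that is close to, but not exactly, a popular name is the typosquat signal.
    if name not in popular:
        near, dist = nearest_popular(name, popular)
        if 0 < dist <= max_distance:
            findings.append(f"typosquat? '{name}' is {dist} edit(s) from '{near}'")
    # Lifecycle hooks execute arbitrary code on every `npm install`; this is how the
    # 2017 typosquats collected process.env. Flag them so a human reviews the script.
    hooks = [h for h in ("preinstall", "install", "postinstall")
             if h in pkg.get("scripts", {})]
    if hooks:
        findings.append(f"lifecycle hook(s) run code at install time: {', '.join(hooks)}")
    return findings


# Constructed manifests; the 'crossenv' contents are invented, not the real package's.
SAMPLE_MANIFESTS = {
    "crossenv": '{"name": "crossenv", "version": "6.1.1", '
                '"scripts": {"postinstall": "node package-setup.js"}}',
    "lodahs": '{"name": "lodahs", "version": "4.17.0"}',
    "express": '{"name": "express", "version": "4.16.0"}',
    "left-pad": '{"name": "left-pad", "version": "1.3.0"}',
}


def screen_all(manifests: Dict[str, str] = SAMPLE_MANIFESTS) -> Dict[str, List[str]]:
    """Screen every manifest and return findings keyed by package name."""
    return {name: screen_package(m) for name, m in manifests.items()}


if __name__ == "__main__":
    for name, findings in screen_all().items():
        print(name, "->", findings or "clean")
```

Exact matches to the allowlist are never flagged, so a legitimately named package with a postinstall hook is reported only for the hook. The distance threshold of 2 is an assumption; lower it for short names, where two edits can turn one real package name into another.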
At what point in the development process does your organization perform automated application analysis?
[Chart: 2019 No DevSecOps Practice vs. 2019 Mature DevSecOps Practices]
Which application security tools are used?
[Chart: 2019 No DevSecOps Practice vs. 2019 Mature DevSecOps Practices]
How are you informed of InfoSec and AppSec issues?
Automating security enables faster DevOps feedback loops.
Automation continues to prove difficult to ignore.
Source: 2019 DevSecOps Community Survey
[Chart: 2019 No DevOps Practice vs. 2019 Mature DevOps Practices]
Trusted software supply chains are 2x more secure.
Source: 2018 State of the Software Supply Chain Report
“I see no prospect in the long run for avoiding liability for insecure code.”
Paul Rosenzweig, Senior Fellow, R Street Institute, 2018
The rising tide of regulation and software liability
1. An up to date inventory of open-source components utilized in the
software
2. A process for identifying known vulnerabilities within open source
components
3. 360 degree monitoring of open source components throughout the
SDLC
4. A policy and process to immediately remediate vulnerabilities as
they become known
January 2019
source: https://blog.pcisecuritystandards.org/just-published-new-pci-software-security-standards
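The four supply-chain principles earlier in the deck (fewer and better suppliers, highest-quality parts, never pass a known defect downstream, track every part) and the four PCI requirements above reduce to the same pipeline step: build an inventory of every component, match it against known advisories, and fail the build when a match is found. The following is an added example of that gate, not code from this talk or from Sonatype's products. It reads a simplified `group:artifact:version origin` dependency list (a constructed format, not the exact output of any build tool), matches each component against a small advisory table, and returns both the inventory and the block decisions. The CVE-2017-5638 entry uses the published affected ranges for struts2-core (2.3.5 to 2.3.31 and 2.5 to 2.5.10, fixed in 2.3.32 and 2.5.10.1); the second advisory and the sample dependency list are invented for the example.

```python
"""Minimal software-composition gate: inventory plus known-vulnerability check.

Added example, not Sonatype code. The advisory table and dependency list are
constructed; a real gate reads the build's resolved dependency graph and a
live advisory feed.
"""
from dataclasses import dataclass
from typing import List, Tuple


def parse_version(v: str) -> Tuple[int, ...]:
    """Turn '2.3.31' into (2, 3, 31) so ranges compare numerically, not as strings.

    Non-numeric suffixes are dropped; that is enough for the release numbering
    used here and is an assumption for anything fancier.
    """
    parts = []
    for piece in v.split("."):
        digits = "".join(ch for ch in piece if ch.isdigit())
        parts.append(int(digits) if digits else 0)
    return tuple(parts)


@dataclass(frozen=True)
class Advisory:
    identifier: str
    group: str
    artifact: str
    ranges: Tuple[Tuple[str, str], ...]  # inclusive (low, high) version pairs
    fixed_in: str

    def affects(self, version: str) -> bool:
        v = parse_version(version)
        return any(parse_version(lo) <= v <= parse_version(hi) for lo, hi in self.ranges)


@dataclass(frozen=True)
class Component:
    group: str
    artifact: str
    version: str
    origin: str  # principle 4: which module declared it, so it can be found and fixed


# Constructed advisory feed. The struts2-core ranges are the published ones for
# CVE-2017-5638; EXAMPLE-ADV-1 is a hypothetical advisory for a fictional library.
ADVISORIES = [
    Advisory("CVE-2017-5638", "org.apache.struts", "struts2-core",
             (("2.3.5", "2.3.31"), ("2.5", "2.5.10")), "2.3.32 / 2.5.10.1"),
    Advisory("EXAMPLE-ADV-1", "com.example", "fictional-lib",
             (("1.0", "1.4.2"),), "1.4.3"),
]


def parse_dependency_list(text: str) -> List[Component]:
    """Parse 'group:artifact:version origin' lines; '#' lines are comments."""
    components = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        coordinate, _, origin = line.partition(" ")
        group, artifact, version = coordinate.split(":")
        components.append(Component(group, artifact, version, origin.strip() or "unknown"))
    return components


def find_known_vulnerabilities(components: List[Component],
                               advisories: List[Advisory] = ADVISORIES
                               ) -> List[Tuple[Component, Advisory]]:
    """Principle/PCI requirement 2: match every component against every advisory."""
    return [(c, a) for c in components for a in advisories
            if (a.group, a.artifact) == (c.group, c.artifact) and a.affects(c.version)]


def gate(components: List[Component],
         advisories: List[Advisory] = ADVISORIES) -> Tuple[bool, List[str]]:
    """Principle 3: never pass a known defect downstream.

    Returns (passed, report_lines); passed is False if any component matches.
    """
    findings = find_known_vulnerabilities(components, advisories)
    unique = len({(c.group, c.artifact) for c in components})
    report = [f"inventory: {len(components)} components, {unique} unique"]
    for c, a in findings:
        report.append(f"BLOCK {c.group}:{c.artifact}:{c.version} ({c.origin}) "
                      f"-> {a.identifier}, fixed in {a.fixed_in}")
    return (not findings), report


# Constructed sample, not a real project's manifest.
SAMPLE_DEPENDENCIES = """\
# group:artifact:version origin
org.apache.struts:struts2-core:2.3.31 billing-web/pom.xml
org.apache.struts:struts2-core:2.5.13 portal-web/pom.xml
com.example:fictional-lib:1.2.0 billing-web/pom.xml
org.slf4j:slf4j-api:1.7.25 shared/pom.xml
"""

if __name__ == "__main__":
    passed, lines = gate(parse_dependency_list(SAMPLE_DEPENDENCIES))
    print("\n".join(lines))
    raise SystemExit(0 if passed else 1)
```

Run as a CI step, the non-zero exit is what stops the vulnerable build from moving downstream; the inventory line doubles as the SBOM requirement, and the origin field tells the owning team which module to patch. Inclusive range comparison matters at the boundaries: 2.5.10 is still affected, 2.5.10.1 is not.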
All countries show poor cyber hygiene.
[Chart by country; the two callouts read 1 in 7 downloads and 1 in 9 downloads]
“Emphasize performance of the entire system and never pass a defect downstream.”
History in motion. Writing code is out. Borrowing code is in.
1985: RMS/GNU/FSF
1990: Scrum / Linux
1995: Java / JavaScript
2000: LAMP Stack
2005: Agile Everything
2015: Rise of DevOps
2018: 450B OSS components requested annually; Apache Maven (9M); Central Repo (80B); Nexus Repo OSS (100K); Nexus Intelligence (8B)
Source: 4th Annual State of the Software Supply Chain Report
Say hello to the Nexus Platform.
Automatically enforce open source policy and control risk across every phase of the SDLC.
Repository Pro: manage libraries, build artifacts, and release candidates across the SDLC.
Auditor: examine OSS components within production apps.
Firewall: automatically stop risk from entering your SDLC.
Lifecycle: continuously identify risk, enforce policy, and remediate vulnerabilities across every phase of your SDLC.
ctownshend@sonatype.com
2019 04-18 -DevSecOps-software supply chain

From Event to Action: Accelerate Your Decision Making with Real-Time Automation
 
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
Workshop - Best of Both Worlds_ Combine  KG and Vector search for  enhanced R...Workshop - Best of Both Worlds_ Combine  KG and Vector search for  enhanced R...
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
 
Scaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationScaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organization
 
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
 
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
 
Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024
 
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdfThe Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
 
The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024
 

2019 04-18 -DevSecOps-software supply chain

  • 1. Cameron Townshend Solution Architect, APJ, Sonatype Securing Software Supply Chains Why 3 Days Might Be Your New Normal for DevSecOps
  • 2. Since 2000, 52% of Fortune 500 have been replaced. Established business leaders are also under attack…
  • 4. W. Edwards Deming, 1945 What is software supply chain management? A new (yet proven) way of thinking. 1. Source parts from fewer and better suppliers. 2. Use only the highest quality parts. 3. Never pass known defects downstream. 4. Continuously track location of every part.
  • 7.
  • 8. velocity: 47% deploy multiple times per week. Source: 2019 DevSecOps Community Survey
  • 9. 59,000 data breaches have been reported to GDPR regulators since May 2018 source: DLA Piper, February 2019
  • 10. Business applications are under attack… 51% of enterprises suffered at least one breach in the last 12 months. 43% of enterprise attacks are perpetrated by external actors. 68% of external attacks target web apps and known vulnerabilities. Source: Forrester, Best Practices for Deploying And Managing Enterprise Password Managers, Jan 2018
  • 11. Everyone has a software supply chain. (even if you don’t call it that)
  • 12. Demand drives 15,000 new releases every day
  • 13. Automation accelerates OSS downloads Source: Sonatype’s 2018 State of the Software Supply Chain Report
  • 14.
  • 15. 85% of your code is sourced from external suppliers
  • 16. 170,000 Java component downloads annually; 3,500 unique. source: 2018 State of the Software Supply Chain Report
  • 17. 60,660 JavaScript packages downloaded per developer per year source: npm, 2018
  • 18. Not all parts are created equal.
  • 19. We are not “building quality in”. 2016 Java Downloads. source: 2019 State of the Software Supply Chain Report. NOT REFLECTIVE OF THE HARTFORD’S DATA
  • 20.
  • 21. We are not “building quality in”. 2018 npm. source: 2018 npm
  • 22. Chart: defect targets per million for Six Sigma. 1σ 691,000; 2σ 309,000; 3σ 66.8K; 4σ 6.2K; 5σ 233; 6σ 3.4 (chart scale runs to 1,000,000; the unlabelled 510,000 and 120K values are chart annotations)
  • 24. 60,660 JavaScript packages downloaded annually per developer; 30,936 (51%) with known vulnerabilities
  • 25.
  • 26. Social normalization of deviance “People within the organization become so much accustomed to a deviant behavior that they don't consider it as deviant, despite the fact that they far exceed their own rules for elementary safety.” Diane Vaughan
  • 27. Breaches increased 71%: 24% suspect or have verified a breach related to open source components in the 2019 survey, versus 14% in the 2014 survey. source: DevSecOps Community Survey 2014 and 2019
  • 28. The speed of exploits has compressed 93% Sources: Gartner, IBM, Sonatype
  • 29. Quickly identify who is faster than their adversaries. source: 2019 DevSecOps Community Survey
  • 30. 3 Days in March. March 7: Apache Struts releases updated version to thwart vulnerability CVE-2017-5638. March 8: NSA reveals Pentagon servers scanned by nation-states for vulnerable Struts instances; Struts exploit published to Exploit-DB. March 9: Cisco observes "a high number of exploitation events." March 10: Equifax, Canada Revenue Agency, Canada Statistics, GMO Payment Gateway. The Rest of the Story: March 13: Okinawa Power, Japan Post. April 13: India Post. December ’17: Monero Crypto Mining. March ’18: India’s AADHAAR. Equifax was not alone. Today 65% of the Fortune 100 download vulnerable versions.
  • 31. Complete software bill of materials (SBOM): 2019 No DevOps Practice 19%; 2019 Mature DevOps Practices 50%. Source: 2019 DevSecOps Community Survey
  • 32. 18,126 organizations downloading vulnerable versions of Struts. Breach announced. Source: Sonatype
  • 33. DevSecOps challenge: automate faster than evil.
  • 34. 1.3 million vulnerabilities in OSS components undocumented: no corresponding CVE advisory in the public NVD database
  • 35. The new battlefront: Software Supply Chain Attacks (slide timeline runs from July 2017 to December 2018; numbered markers 1 to 11 place each event on that axis). Study found credentials online affecting publishing access to 14% of the npm repository (+79,000 packages). Malicious npm packages “typosquatted” (40 packages for 2 weeks, collecting env including npm publishing credentials). Malicious Python packages: basic info collected and sent to a Chinese IP address. Golang go-bindata GitHub id deleted and reclaimed. ssh-decorator Python module stealing private SSH keys. npm event-stream attack on CoPay. Homebrew repository compromised. Conventional-changelog compromised and turned into a Monero miner. Blog: “I’m harvesting credit card numbers and passwords from your site. Here’s how.” Backdoor discovered in npm get-cookies module published since March. Unauthorized publishing of mailparser. Gentoo Linux repository compromised. Malicious ESLint discovered to be stealing npm credentials.
  • 36. At what point in the development process does your organization perform automated application analysis? 2019 No DevSecOps Practice 2019 Mature DevSecOps Practices
  • 37. Which application security tools are used? 2019 No DevSecOps Practice 2019 Mature DevSecOps Practices
  • 38. How are you informed of InfoSec and AppSec issues? Automating security enables faster DevOps feedback loops
  • 39. Automation continues to prove difficult to ignore Source: 2019 DevSecOps Community Survey 2019 No DevOps Practice 2019 Mature DevOps Practices
  • 40. Trusted software supply chains are 2x more secure Source: 2018 State of the Software Supply Chain Report
  • 41. “I see no prospect in the long run for avoiding liability for insecure code.” Paul Rosenzweig, Senior Fellow, R Street Institute, 2018
  • 42. The rising tide of regulation and software liability
  • 43. January 2019: 1. An up-to-date inventory of open-source components utilized in the software. 2. A process for identifying known vulnerabilities within open-source components. 3. 360-degree monitoring of open-source components throughout the SDLC. 4. A policy and process to immediately remediate vulnerabilities as they become known. source: https://blog.pcisecuritystandards.org/just-published-new-pci-software-security-standards
  • 44. All Countries Show Poor Cyber Hygiene: 1 in 7 downloads; 1 in 9 downloads
  • 45. “Emphasize performance of the entire system and never pass a defect downstream.”
  • 46. History in motion. Writing code is out. Borrowing code is in. 1985 RMS/GNU/FSF; 1990 Scrum / Linux; 1995 Java / JavaScript; 2000 LAMP Stack; 2005 Agile Everything; 2015 Rise of DevOps; 2018 450B OSS components requested annually. Apache Maven (9M), Central Repo (80B), Nexus Repo OSS (100K), Nexus Intelligence (8B). Source: 4th Annual State of the Software Supply Chain Report
  • 47. Say hello to the Nexus Platform: automatically enforce open source policy and control risk across every phase of the SDLC. Repository Pro: manage libraries, build artifacts, and release candidates across the SDLC. Firewall: automatically stop risk from entering your SDLC. Lifecycle: continuously identify risk, enforce policy, and remediate vulns across every phase of your SDLC. Auditor: examine OSS components within production apps.
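The four requirements on slide 43 (an up-to-date inventory, a process for identifying known vulnerabilities, monitoring across the SDLC, and immediate remediation) together with the SBOM question on slide 31 describe one control loop: know what you ship, match it against advisories, and refuse to pass a known defect downstream. The script below is an added example written for this page, not Sonatype's or Nexus's code. It parses a constructed inventory in a made-up `group:name:version@location` text format, matches it against a single advisory record modelled on CVE-2017-5638 (the Struts vulnerability the deck cites; the affected version ranges are from my own reading of that advisory and the CVSS value is a sample, so verify both against the NVD entry), and applies a CVSS-threshold gate. The advisory source is a plain list on purpose: slide 34 counts 1.3 million vulnerabilities with no CVE in NVD, so a feed limited to NVD leaves that gap, and any richer feed can fill the same list.

```python
"""Open-source governance gate: inventory -> known-vulnerability match -> policy.

Added example for this page, not Sonatype or Nexus code. The inventory text,
its line format and the advisory record below are constructed sample data.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Component:
    group: str
    name: str
    version: str
    location: str  # build file that pulled it in: answers "where is it?"


@dataclass(frozen=True)
class Advisory:
    ident: str
    group: str
    name: str
    affected: tuple  # ((min_inclusive, max_inclusive), ...) version ranges
    cvss: float


def parse_version(v: str):
    """Turn '2.5.10.1' or '2.3.32-RC1' into a comparable key.

    Numeric dotted parts compare numerically and a longer prefix-equal version
    is newer (2.5.10 < 2.5.10.1). A '-qualifier' marks a pre-release, which
    sorts below the bare release. Assumption: this simplified ordering is enough
    for the sample; real tools apply the ecosystem's own version rules.
    """
    base, _, qualifier = v.partition("-")
    parts = base.split(".")
    if not all(p.isdigit() for p in parts):
        raise ValueError(f"unsupported version syntax: {v!r}")
    nums = tuple(int(p) for p in parts)
    return (nums, 1) if not qualifier else (nums, 0, qualifier)


def parse_inventory(text: str):
    """Requirement 1: parse 'group:name:version@location' lines (constructed format)."""
    inventory = []
    for line in text.strip().splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        coords, _, location = line.partition("@")
        group, name, version = coords.split(":")
        inventory.append(Component(group, name, version, location or "?"))
    return inventory


def is_affected(component: Component, advisory: Advisory) -> bool:
    """True when the component's coordinates match and its version is in a range."""
    if (component.group, component.name) != (advisory.group, advisory.name):
        return False
    cv = parse_version(component.version)
    return any(parse_version(lo) <= cv <= parse_version(hi) for lo, hi in advisory.affected)


def find_affected(inventory, advisories):
    """Requirement 2: list (component, advisory) pairs with a known vulnerability."""
    return [(c, a) for c in inventory for a in advisories if is_affected(c, a)]


def where_is(inventory, group: str, name: str):
    """The slide's question 'are we using Struts, and where is it?' answered from the inventory."""
    return sorted(f"{c.location} -> {c.version}" for c in inventory
                  if (c.group, c.name) == (group, name))


def policy_decision(hits, max_cvss: float = 7.0):
    """Requirement 4 as a build gate: block on any hit at or above the threshold.

    Lower-scored hits are still returned by find_affected so they can be
    scheduled for remediation instead of silently passed downstream.
    """
    blocking = [(c, a) for c, a in hits if a.cvss >= max_cvss]
    return ("BLOCK" if blocking else "PASS"), blocking


# Constructed sample inventory: three apps on different Struts versions.
SAMPLE_INVENTORY = """
# group:name:version@location
org.apache.struts:struts2-core:2.3.30@app-a/pom.xml
org.apache.struts:struts2-core:2.5.10.1@app-b/pom.xml
org.apache.struts:struts2-core:2.5.10@app-c/pom.xml
commons-io:commons-io:2.6@app-a/pom.xml
"""

# Constructed advisory record modelled on CVE-2017-5638 (cited on slide 30).
# Ranges are from my own reading of the advisory and the score is a sample
# value; verify both against the NVD entry before relying on them.
SAMPLE_ADVISORIES = [
    Advisory("CVE-2017-5638", "org.apache.struts", "struts2-core",
             (("2.3.5", "2.3.31"), ("2.5", "2.5.10")), 10.0),
]


def run_gate(inventory_text: str = SAMPLE_INVENTORY, advisories=SAMPLE_ADVISORIES):
    """Run the whole loop once and report; returns (verdict, hits) for callers."""
    inventory = parse_inventory(inventory_text)
    hits = find_affected(inventory, advisories)
    verdict, _ = policy_decision(hits)
    for c, a in hits:
        print(f"{a.ident}: {c.group}:{c.name}:{c.version} in {c.location} (CVSS {a.cvss})")
    print("gate:", verdict)
    return verdict, hits


if __name__ == "__main__":
    run_gate()
```

Run as a script it reports the two affected Struts builds (2.3.30 and 2.5.10) and blocks, while the patched 2.5.10.1 build passes; the same `find_affected` call run on a schedule against a refreshed advisory list is the "monitoring throughout the SDLC" step (requirement 3), since an inventory that was clean yesterday can match a new advisory today without any code change.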

Editor's Notes

  1. The trend for companies to change can be seen here. From 2010 to 2018 the top 10 brands have changed dramatically. We now see that the 4 most popular brands in the world are all tech companies, Apple, Google, Amazon and Microsoft, and their dramatic growth has been driven by Software and Open Source Software.
  2. It hardly seemed like the start of a revolution, but oh boy, it was: in 1945 W. Edwards Deming started advising Japanese manufacturers to detect and fix defects at the beginning of the manufacturing process. Within five years, companies such as Mitsubishi and Toyota Motor Co. had become disciples. By 1960, Deming’s TQM practices were an intrinsic part of Japanese culture and were giving rise to their global dominance. In 1981, Ford adopted these principles and within 6 years became the most profitable US auto manufacturer. Now tied into high-performance production processes, six-sigma manufacturing today aims for a defect-rate goal of 3.4 parts per million. “Cease dependence on mass inspection.” Emphasize performance of the entire system and never pass a defect downstream. Inspection does not improve quality, nor guarantee quality. Inspection is too late. Harold F. Dodge: “You cannot inspect quality into a product.” Automatic inspection and recording require constant vigil.
  3. It was then no mistake in 2010 when Jez Humble and Dave Farley advised people to “Build Quality In” in their seminal book “Continuous Delivery”. Build quality in: if you are going to be fast you have to build quality in, as people heard about and strove to achieve Allspaw’s 10 deploys a day. Feedback from releases: a single object is built, tested and deployed; you do not build for each environment. You learn from releases (share the story of MunichRe: 2 releases a year and both were disasters; my failure at the CAB).
  4. It hardly seemed like the start of a revolution three years later when Gene Kim shared the Three Ways of DevOps inside The Phoenix Project. The first way is the principles of Flow, which accelerate the delivery of work from Development to Operations to our customers: “Emphasize performance of the entire system end-to-end and never pass a defect downstream.” The second is the principles of Feedback, which enable us to create an ever safer system of work. The third is the principles of Continual Learning and experimentation, which foster a high-trust culture and a scientific approach to organizational improvement as part of our daily work.
  5. Since then, the quest for speed in software manufacturing has been a holy grail. In our 2019 DevSecOps community survey of 5,500 people, 47% reported their ability to deploy multiple times a week.
  6. We’ve forgotten something along the way. The European Union has recorded 59,000 reported data breaches since GDPR started in May 2018. People are attacking applications: a crack in the system.
  7. Everyone uses the software supply chain. You rely on suppliers that are writing code for you and do you know what they have written?
  8. There's a really interesting site out there called modulecounts.com. It has a simple value: it keeps track of the number of different components, or packages, that are available across the different development languages, from PyPI to NuGet to Bower to Maven, and so on. And it shows the increase in the number of these components available to the developer ecosystem, or the developer population, over time. We used some data from that site to see that over a thousand new open-source projects were created each day: people delivering a new kind of software, a new kind of component. Then, from the general population of all open-source projects worldwide, we were able to estimate that ten thousand new versions of components are introduced every day. There's this huge supply of components entering the ecosystem and available to our software supply chains. When we look at the Central Repository that Sonatype manages, of Maven-style or Java open-source components, we looked across 380 thousand open-source projects and found that on average those projects were releasing fourteen new versions of their components every year. That's great from a supply chain aspect: the suppliers are very active, actively releasing new software, actively releasing new innovations, and actively improving the software that they're making available to developers worldwide.
  9. This is from the State of the Software Supply Chain report. Supply: Sonatype runs Maven Central. We saw 146B downloads from Maven Central in 2018. That is almost a 100% increase from the 2017 figure of 87B.
  10. Laurie Voss: 6M developers downloaded 7B JavaScript packages. Supply: npm saw 7B downloads per week. That is 350B downloads per year.
  11. Demand - In a modern application we see that 85% of the code is now sourced from 3rd parties. Move faster by standing on the shoulders of others
  12. Demand - The average firm downloads 170,000 components annually. 3500 unique different external suppliers?
  13. Demand: npm advises us that the average JavaScript developer downloads 60,660 separate JavaScript packages per year.
  14. There’s a reason why new components come out
  15. Java - We found that 5.5% of all downloads were known vulnerable versions in 2016
  16. It’s actually gotten worse: 1 in 10 downloads had a known vulnerability at the time they were downloaded. Are you doing the Three Ways of DevOps? You’re not paying attention to this. Six Sigma: 3.4 parts per million.
  17. npm advised that 51% of their downloads in October 2018 are vulnerable. Get the exact source: Laurie Voss.
  18. Six Sigma says that in manufacturing you will have 3.4 defects per million.
  19. 170,000 * 11.1% = 18,870 vulnerable libraries
  20. 60,660 * 51% = 30,936
  21. Give the example of the Challenger space shuttle tragedy (O-ring).
  22. Between 2014 and 2019 we saw a 71% increase in breaches from open source libraries. Heartbleed, 2014: CVSS score of 5. 2019: Struts was a CVSS score of 9.
  23. The attack window has shrunk from 45 days to 3 days.
  24. Leading organisations can release a feature or a patch multiple times a week.
  25. Struts 2 attacks: CVE published and new version published in March. Struts exploit published to Exploit-DB. Struts has a well-known signature. 65% of the global 100 are still downloading vulnerable versions of Struts.
  26. Visibility is the starting point. Do you have a complete Bill of Materials? Are we using Struts, and where is it?
  27. Struts 2 download behavior has not changed. The vulnerable version is still being downloaded
  28. Ever since 2009, when John Allspaw shared Etsy’s practice of 10 deploys a day, the rest of the development industry has been trying to catch up.
  29. Item 11: 200,000 downloads of the malicious event-stream package, Nov 2018.
  30. Do you have an Open Source Governance Policy, and do you follow it? DevOps: automation is hard to ignore once you surface this to the developer.
  31. In the 2018 State of the Software Supply Chain we analysed 60,000 applications. We found 11.7% flowing in unmanaged; in managed supply chains we saw 6.1%, so we improved 50%.
  32. You are not allowed to put known defective parts into a manufacturing process and ship it to customers. But it is not illegal to ship to a customer.
  33. OWASP Top 10, developed a number of years ago as a starting point. FDA requires a BOM for any approval. PCI requires a BOM. Singapore: MAS.
  34. The new standard requires organizations to govern their use of open source software, and it states that any application utilized as part of the payment process, must be secure by design. https://blog.sonatype.com/hygiene-for-open-source-softwareis-now-a-pci-requirement
  35. “Cease dependence on mass inspection.” Inspection does not improve quality. Nor guarantee quality. Inspection is too late. Harold F. Dodge: “You cannot inspect quality into a product” Automatic inspection and recording require constant vigil.