Diese Präsentation wurde erfolgreich gemeldet.
Die SlideShare-Präsentation wird heruntergeladen. ×

DevSecCon Singapore 2019: Embracing Security - A changing DevOps landscape

Anzeige
Anzeige
Anzeige
Anzeige
Anzeige
Anzeige
Anzeige
Anzeige
Anzeige
Anzeige
Anzeige
Anzeige

Hier ansehen

1 von 47 Anzeige

DevSecCon Singapore 2019: Embracing Security - A changing DevOps landscape

Herunterladen, um offline zu lesen

Cameron Townshend

Today’s pace of innovation and need to out “innovate” competitors can often cause developers to bypass key portions of Gene Kim’s Three Ways of DevOps - specifically to never pass a known defect downstream and emphasize performance of the entire system.

As we embrace movements like CI, CD and Devops to cut down on release cycles - and innovate faster, we as developers must also embrace the reality that the risk landscape is too complex to leave “security” to just those with security in their title. Traditional methods do not cut it anymore – it’s time for DevSecOps.

Instinctively, we understand how critical this is. In Sonatype’s recent 2018 DevSecOps Community report, where 2,076 IT professionals were surveyed, 48% of respondents admitted that developers know application security is important, but they don’t have the time to spend on it.

Done properly, DevSecOps practices shouldn’t interrupt the DevOps pipeline - but instead aid it - preventing costly rebuilds and build breaks, down the road. By creating automated governance and compliance guardrails that are embedded early and throughout the software development lifecycle, developers have transparent access to digital guardrails integrated within our native tools — an approach that ensures security is being built in without slowing us down. These instant feedback loops detailing good or bad components have been shown to increase developer productivity by as much as 48%.

Over time, this approach ensures developers procure the best components from the best suppliers, while continuously tracking components across the entire lifecycle.

Attendees of this session will walk away with:
Real-world examples of how large and small companies are implementing DevSecOps practices in their own delivery pipelines, and increasing developer awareness to risks
Key insights from 2,076 of their peers who participated in the 2018 DevSecOps community report - including where most mature DevOps practices are focusing their security efforts
A walkthrough of how security principles have been embedded in a CICD pipeline and what standards for implementation are beginning to follow suite

Cameron Townshend

Today’s pace of innovation and need to out “innovate” competitors can often cause developers to bypass key portions of Gene Kim’s Three Ways of DevOps - specifically to never pass a known defect downstream and emphasize performance of the entire system.

As we embrace movements like CI, CD and Devops to cut down on release cycles - and innovate faster, we as developers must also embrace the reality that the risk landscape is too complex to leave “security” to just those with security in their title. Traditional methods do not cut it anymore – it’s time for DevSecOps.

Instinctively, we understand how critical this is. In Sonatype’s recent 2018 DevSecOps Community report, where 2,076 IT professionals were surveyed, 48% of respondents admitted that developers know application security is important, but they don’t have the time to spend on it.

Done properly, DevSecOps practices shouldn’t interrupt the DevOps pipeline - but instead aid it - preventing costly rebuilds and build breaks, down the road. By creating automated governance and compliance guardrails that are embedded early and throughout the software development lifecycle, developers have transparent access to digital guardrails integrated within our native tools — an approach that ensures security is being built in without slowing us down. These instant feedback loops detailing good or bad components have been shown to increase developer productivity by as much as 48%.

Over time, this approach ensures developers procure the best components from the best suppliers, while continuously tracking components across the entire lifecycle.

Attendees of this session will walk away with:
Real-world examples of how large and small companies are implementing DevSecOps practices in their own delivery pipelines, and increasing developer awareness to risks
Key insights from 2,076 of their peers who participated in the 2018 DevSecOps community report - including where most mature DevOps practices are focusing their security efforts
A walkthrough of how security principles have been embedded in a CICD pipeline and what standards for implementation are beginning to follow suite

Anzeige
Anzeige

Weitere Verwandte Inhalte

Diashows für Sie (20)

Ähnlich wie DevSecCon Singapore 2019: Embracing Security - A changing DevOps landscape (20)

Anzeige

Weitere von DevSecCon (20)

Aktuellste (20)

Anzeige

DevSecCon Singapore 2019: Embracing Security - A changing DevOps landscape

  1. 1. Cameron Townshend Solution Architect, APJ, Sonatype Securing Software Supply Chains Why 3 Days Might Be Your New Normal for DevSecOps
  2. 2. Since 2000, 52% of Fortune 500 have been replaced. Established business leaders are also under attack…
  3. 3. 3
  4. 4. W. Edwards Deming, 1945 What is software supply chain management? A new (yet proven) way of thinking. 1. Source parts from fewer and better suppliers. 2. Use only the highest quality parts. 3. Never pass known defects downstream. 4. Continuously track location of every part.
  5. 5. Jez Humble, 2010
  6. 6. Gene Kim, 2013
  7. 7. 47%deploy multiple times per week Source: 2019 DevSecOps Community Survey velocity
  8. 8. 59,000 data breaches have been reported to GDPR regulators since May 2018 source: DLA Piper, February 2019
  9. 9. 10 Business applications are under attack… Of enterprises suffered at least one breach in last 12 months. 51% Of enterprise attacks are perpetrated by external actors. 43% Of external attacks target web apps and known vulnerabilities. 68% Forrester: Best Practices for Deploying And Managing Enterprise Password Managers – Jan 2018
  10. 10. Everyone has a software supply chain. (even if you don’t call it that)
  11. 11. Demand drives 15,000 new releases every day
  12. 12. Automation accelerates OSS downloads Source: Sonatype’s 2018 State of the Software Supply Chain Report
  13. 13. 85% of your code is sourced from external suppliers
  14. 14. 170,000 Java component downloads annually 3,500 unique source: 2018 State of the Software Supply Chain Report
  15. 15. 60,660 JavaScript packages downloaded per developer per year source: npm, 2018
  16. 16. Not all parts are created equal.
  17. 17. We are not “building quality in”. source: 2019 State of the Software Supply Chain Report NOT RELFECTIVE OF THE HARTFORD’S DATA 2016 Java Downloads
  18. 18. We are not “building quality in”. 2018 npm source: 2018 npm
  19. 19. 6.2K 233 510,000 120K691,000 309,000 66.8K 3.4 1,000,000 1∑ 2∑ 3∑ 4∑ 5∑ 6∑ Defects targets per million for 6-sigma
  20. 20. 170,000 java component downloads annually 3,500 unique 18,870 11.1% with known vulnerabilities
  21. 21. 60,660 JavaScript packages downloaded annually per developer 30,936 51% with known vulnerabilities
  22. 22. Social normalization of deviance “People within the organization become so much accustomed to a deviant behavior that they don't consider it as deviant, despite the fact that they far exceed their own rules for elementary safety.” Diane Vaughan
  23. 23. Breaches increased 71% 24% suspect or have verified a breach related to open source components in the 2019 survey 14% suspect or have verified a breach related to open source components in the 2014 survey source: DevSecOps Community Survey 2014 and 2019
  24. 24. The speed of exploits has compressed 93% Sources: Gartner, IBM, Sonatype
  25. 25. source: 2019 DevSecOps Community Survey Quickly identify who is faster than their adversaries
  26. 26. March 7 Apache Struts releases updated version to thwart vulnerability CVE-2017-5638 Today 65% of the Fortune 100 download vulnerable versions 3 Days in March March 8 NSA reveals Pentagon servers scanned by nation-states for vulnerable Struts instances Struts exploit published to Exploit-DB. March 10 Equifax Canada Revenue Agency Canada Statistics GMO Payment Gateway The Rest of the Story March 13 Okinawa Power Japan Post March 9 Cisco observes "a high number of exploitation events." March ’18 India’s AADHAAR April 13 India Post December ’17 Monero Crypto Mining Equifax was not alone
  27. 27. Complete software bill of materials (SBOM) 2019 No DevOps Practice 2019 Mature DevOps Practices 19% 50% Source: 2019 DevSecOps Community Survey
  28. 28. 18,126 organizations downloading vulnerable versions of Struts Source: Sonatype Breach announced. 14
  29. 29. DevSecOps challenge: automate faster than evil.
  30. 30. 1.3 million vulnerabilities in OSS components undocumented No corresponding CVE advisory in the public NVD database
  31. 31. July 2017 8 3 10 4 The new battlefront Software Supply Chain Attacks Study found credentials online affecting publishing access to 14% of npm repository. +79,000 packages. Malicious npm Packages “typosquatted” (40 packages for 2 weeks. Collecting env including npm publishing credentials). 1 10 Malicious Python packages Basic info collected and sent to Chinese IP address 2 Golang go-bindata github id deleted and reclaimed. 5 ssh-decorator Python Module stealing private ssh keys. 7 npm event-stream attack on CoPay.11 Sep 2017 Homebrew repository compromised. 9 Jan 2018 Feb 2018 Mar 2018 6 Aug 2018 Conventional-changelog compromised and turned into a Monero miner. Blog: “I’m harvesting credit card numbers and passwords from your site. Here’s how.” Backdoor discovered in npm get-cookies module published since March. Unauthorized publishing of mailparser. Gentoo Linux Repository Compromised. Malicious Eslint discovered to be stealing npm credentials. Aug 2017 Oct 2017 Nov 2017 Dec 2017 Apr 2018 May 2018 Jun 2018 Jul 2018 Sep 2018 Oct 2018 Nov 2018 Dec 2018
  32. 32. At what point in the development process does your organization perform automated application analysis? 2019 No DevSecOps Practice 2019 Mature DevSecOps Practices
  33. 33. Which application security tools are used? 2019 No DevSecOps Practice 2019 Mature DevSecOps Practices
  34. 34. How are you informed of InfoSec and AppSec issues? Automating security enables faster DevOps feedback loops
  35. 35. Automation continues to prove difficult to ignore Source: 2019 DevSecOps Community Survey 2019 No DevOps Practice 2019 Mature DevOps Practices
  36. 36. Trusted software supply chains are 2x more secure Source: 2018 State of the Software Supply Chain Report
  37. 37. I see no prospect in the long run for avoiding liability for insecure code.”“ Paul Rozenzweig Senior Fellow, R Street Institute 2018
  38. 38. The rising tide of regulation and software liability
  39. 39. 1. An up to date inventory of open-source components utilized in the software 2. A process for identifying known vulnerabilities within open source components 3. 360 degree monitoring of open source components throughout the SDLC 4. A policy and process to immediately remediate vulnerabilities as they become known January 2019 source: https://blog.pcisecuritystandards.org/just-published-new-pci-software-security-standards
  40. 40. All Countries Show Poor Cyber Hygiene 1 in 7 Downloads 1 in 9 Downloads
  41. 41. “Emphasize performance of the entire system and never pass a defect downstream.”
  42. 42. ctownshend@sonatype.com

×