Page 1: Supply Chain Solutions for Modern Software Development

SUPPLY CHAIN SOLUTIONS FOR

Modern Development

Brian Fox @brian_fox

Page 2: Supply Chain Solutions for Modern Software Development

INDUSTRIAL EVOLUTION

Page 3: Supply Chain Solutions for Modern Software Development

Open source usage is

EXPLODING

Yesterday’s source code is now replaced with

OPEN SOURCE components

Central Repository component requests per year (chart values): 2007: 500M; 2008: 1B; 2009: 2B; 2010: 4B; 2011: 6B; 2012: 8B; 2013: 13B; 2014: 17B

3/19/14 Source: Sonatype, Inc. analysis of (Maven) Central Repository component requests.

Page 4: Supply Chain Solutions for Modern Software Development

HOW DEPENDENT ON 3RD PARTIES ARE WE?

Typical Application (chart): 10% Custom Written Code, 90% From 3rd Parties (Open Source, Cloud Services, Closed Source)

Page 5: Supply Chain Solutions for Modern Software Development

Components are a hidden risk

Page 6: Supply Chain Solutions for Modern Software Development

OPEN SOURCE:

QUALITY

INNOVATION

EFFICIENCY

Page 7: Supply Chain Solutions for Modern Software Development

NO CONTROLS.

OPEN ACCESS.

HACKER TARGETS.

Page 8: Supply Chain Solutions for Modern Software Development

Components are a hidden risk

Page 9: Supply Chain Solutions for Modern Software Development

Spending and risk are

OUT OF SYNC

Security spending by area vs. attack risk (chart values):

Network Infrastructure ~$20B

Host ~$10B

Data Security ~$5B

People Security ~$4B

Component Security ~$0.4B

Page 10: Supply Chain Solutions for Modern Software Development

#1 ATTACK VECTOR LEADING TO BREACH

Page 11: Supply Chain Solutions for Modern Software Development

When software was first being written, finding exploitable code was like

LOOKING for a needle in a

HAYSTACK

Page 12: Supply Chain Solutions for Modern Software Development


Now that software is

ASSEMBLED…

Page 13: Supply Chain Solutions for Modern Software Development

One risky component, multiplied thousands of times:

ONE EASY TARGET

Page 14: Supply Chain Solutions for Modern Software Development

Three widely used components with published vulnerabilities (from the slide's table):

Bouncy Castle (Java Cryptography API)
CVE Date: 11/10/2007
CVSS v2 Base Score: 10.0 HIGH; Exploitability: 10.0
Since then, 11,236 organizations downloaded it 214,484 times

HttpClient (Java HTTP implementation)
CVE Date: 11/04/2012
CVSS v2 Base Score: 5.8 MEDIUM; Exploitability: 8.6
Since then, 29,468 organizations downloaded it 3,749,193 times

Apache Struts 2 (Web application framework)
CVE Date: 07/20/2013
CVSS v2 Base Score: 9.3 HIGH; Exploitability: 10
Since then, 4,076 organizations downloaded it 179,050 times

Source: Sonatype, Inc. analysis of (Maven) Central downloads and NIST National Vulnerability Database

Page 15: Supply Chain Solutions for Modern Software Development

WIDESPREAD COMPROMISE

Hackers have first mover advantage

Page 16: Supply Chain Solutions for Modern Software Development

WHY IS THIS SO HARD?

Page 17: Supply Chain Solutions for Modern Software Development

Modern software development

HAS CHANGED

Our process

HASN’T CHANGEDENOUGH

Page 18: Supply Chain Solutions for Modern Software Development

Diversity

• 40,000 Projects

• 200M Classes

• 400K Components

Complexity: One component may rely on 100s of others

Volume: Typical enterprise consumes 1,000s of components monthly

Change: Typical component is updated 4X per year

Components are like

MOLECULES, not atoms.

There are massive dependencies.

Source: Sonatype, Inc. analysis of (Maven) Central Repository.

Page 19: Supply Chain Solutions for Modern Software Development

CHANGE: Typical component is updated 4X per year.

11 MILLION OSS USERS

674,863 OSS COMPONENTS

Source: Components: (Maven) Central Repository; Users: IDC

Page 20: Supply Chain Solutions for Modern Software Development


Unlike COTS, there is no clear, effective

COMMUNICATION channel

674,863 OSS COMPONENTS

11 MILLION OSS USERS

• Has a risk been identified?

• What type of risk?

• Is a better version available?

Page 21: Supply Chain Solutions for Modern Software Development

Use of components creates a

SOFTWARE SUPPLY CHAIN

Component Selection -> Development -> Build and Deploy -> Production

Page 22: Supply Chain Solutions for Modern Software Development

Component Selection -> Development -> Build and Deploy -> Production

Today's security

ISN'T WORKING

• 46m vulnerable components downloaded

• 71% of apps have 1+ critical or severe vulnerability

• 90% of repositories have 1+ critical vulnerability

Source: Sonatype, Inc. analysis based on Repository Healthchecks and Application Healthchecks used to determine component risk in repositories and applications.

Page 23: Supply Chain Solutions for Modern Software Development

THE NEW LIFECYCLE

Impact on releases per year (cycle time) for each lifecycle (diagram):

Traditional Lifecycle (Waterfall): Plan, Design, Build, Test, Deploy, Operate. Cycle Time: Months-Years; 1-2 releases per year

Agile Dev: Plan ... Deploy, Learn, Operate, Learn, Plan ... Cycle Time: Days-Weeks; 10-20 releases per year

Modern Lifecycle (+DevOps, Continuous *): Plan ... Operate, Learn, Operate, Learn ... Cycle Time: Minutes-Hours; 100-200 releases per year

Page 24: Supply Chain Solutions for Modern Software Development

THE NEW LIFECYCLE

The same three lifecycles, with how governance is done in each (diagram):

Traditional Lifecycle (Waterfall): Cycle Time: Months-Years; Governance: Manual

Agile Dev: Cycle Time: Days-Weeks; Governance: Manual + Point Tools

Modern Lifecycle (Continuous *): Cycle Time: Minutes-Hours; Governance? New Approach: Policy-Driven Automation

Page 25: Supply Chain Solutions for Modern Software Development

CYCLE TIME SQUEEZE

Legacy Governance at a Cycle Time of Min-Hours:

• Work Arounds

• Batch Scans

• Rework

• Exposure

If it does not fit, it does not get done.

Go Fast OR Sleep at Night

Page 26: Supply Chain Solutions for Modern Software Development

But, Solutions are Designed for Yesterday’s Security War…

RISK IN COMPONENTS

Component usage

has exploded

Applications are the

primary vector of attack

There is a proliferation

of flawed components

Current approaches can’t handle

the complexity

Page 27: Supply Chain Solutions for Modern Software Development

THOUGHT LEADERS ARE TAKING ACTION

Page 28: Supply Chain Solutions for Modern Software Development

We are not the first INDUSTRY to

face this CHALLENGE

Page 29: Supply Chain Solutions for Modern Software Development

HOW NOT TO SOLVE THIS PROBLEM

Page 30: Supply Chain Solutions for Modern Software Development

What not to do

ANTI-PATTERNS

Cut the cord!

Page 31: Supply Chain Solutions for Modern Software Development

What not to do

ANTI-PATTERNS

Lock the doors!

Page 32: Supply Chain Solutions for Modern Software Development

What not to do

ANTI-PATTERNS

Point fingers!

Page 33: Supply Chain Solutions for Modern Software Development

What not to do

HOPE IS NOT A STRATEGY

There is no problem here!

Page 34: Supply Chain Solutions for Modern Software Development

MODERN SOFTWARE PRACTICES REQUIRE A MODERN APPROACH TO GOVERNANCE

Page 35: Supply Chain Solutions for Modern Software Development

FAST SO IT CAN BE

CONTINUOUS

Page 36: Supply Chain Solutions for Modern Software Development

AUTOMATE

1. Humans define policy

2. Machines automate the implementation of policy

3. Humans manage exceptions

Page 37: Supply Chain Solutions for Modern Software Development

CYCLE TIME SYNERGY

Continuous Governance at a Cycle Time of Min-Hours:

• No Interruption

• Entire Lifecycle

• Solve Early

• Avoid Rework

Continuous Governance for Continuous Delivery

Go Fast AND Sleep at Night

Page 38: Supply Chain Solutions for Modern Software Development

PRECISE

Page 39: Supply Chain Solutions for Modern Software Development

BE SPECIFIC

No Noise!

• There is a world of difference between saying "Struts is approved" and saying "Struts 2.3.16.1 is good and Struts 2.3.15.0 or ANY OLDER VERSION will get your system owned"

Page 40: Supply Chain Solutions for Modern Software Development

Dev Teams Shouldn’t Deal with Noise

Scan found 50,313 “issues”

Real issue count: 204

Page 41: Supply Chain Solutions for Modern Software Development

CONTEXTUAL

Page 42: Supply Chain Solutions for Modern Software Development

WHY CONTEXT MATTERS

• SQL Injection vulnerabilities don't affect applications without databases.

• CopyLeft may not be a problem for internal applications or services.

• I need information that applies to my application.

Page 43: Supply Chain Solutions for Modern Software Development

CONTEXTUAL

Consume information and apply policy in the context of your applications, organizations and enterprise via hierarchical policy and reporting
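As an added example (not code from the deck, from Sonatype, or from any product it describes), the three principles above as a small policy-as-code evaluator in Python: humans write the policy tables and the machine applies them per component (AUTOMATE, page 36), rules name exact fixed versions rather than whole projects (BE SPECIFIC, page 39), and policy resolves enterprise, then org, then application, with context filters and expiring waivers (CONTEXTUAL, page 43). The artifact coordinates, finding feed, severities, app contexts and waivers are constructed sample data; the Struts version numbers are the ones on the slide, and treating every version below the fixed one as affected is an assumption of the example.

```python
from dataclasses import dataclass
from datetime import date

def parse_version(v: str) -> tuple:
    """'2.3.15.0' -> (2, 3, 15, 0, 0, 0); zero-padded so '2.3' compares like '2.3.0.0'."""
    parts = tuple(int(p) if p.isdigit() else -1 for p in v.replace("-", ".").split("."))
    return parts + (0,) * (6 - len(parts))
@dataclass(frozen=True)
class Finding:          # one known problem with one artifact
    artifact: str       # Maven coordinates, group:artifact
    fixed_in: str       # first good version; every lower version is treated as affected
    category: str       # "rce", "sqli" or "copyleft"
    severity: str       # "low", "medium", "high" or "critical"
# Constructed finding feed, not real advisory data; the Struts versions are the slide's example.
FINDINGS = [
    Finding("org.apache.struts:struts2-core", "2.3.16.1", "rce", "critical"),
    Finding("com.example:sql-helper", "1.4.0", "sqli", "high"),
    Finding("com.example:gpl-widget", "99.0", "copyleft", "medium"),  # no version is "fixed"
]
SEVERITY_RANK = {"low": 0, "medium": 1, "high": 2, "critical": 3}
# Hierarchical policy: the enterprise sets the floor, an org may tighten it, the app adds context.
ENTERPRISE = {"block_at_or_above": "high"}
ORGS = {"payments": {"block_at_or_above": "medium"}}
APPS = {
    "billing-api": {"org": "payments", "has_database": True, "distributed": False},
    "static-site": {"org": "marketing", "has_database": False, "distributed": True},
}
# Humans manage exceptions: (app, artifact, version) -> date the waiver expires.
WAIVERS = {("billing-api", "com.example:sql-helper", "1.3.2"): date(2030, 1, 1),   # still valid
           ("billing-api", "com.example:sql-helper", "1.2.0"): date(2015, 6, 30)}  # expired
def is_noise(f: Finding, app: dict) -> bool:
    """Context filter: SQL injection needs a database, copyleft only matters when distributed."""
    return (f.category == "sqli" and not app["has_database"]) or \
           (f.category == "copyleft" and not app["distributed"])

def evaluate(app_name: str, artifact: str, version: str, today: date = date(2016, 1, 28)) -> tuple:
    """Return (verdict, reason) for one component version inside one application (default date: the deck's)."""
    app = APPS[app_name]
    threshold = {**ENTERPRISE, **ORGS.get(app["org"], {})}["block_at_or_above"]
    for f in FINDINGS:
        if f.artifact != artifact or parse_version(version) >= parse_version(f.fixed_in):
            continue  # version-precise: 2.3.16.1 passes, 2.3.15.0 does not
        if is_noise(f, app) or SEVERITY_RANK[f.severity] < SEVERITY_RANK[threshold]:
            continue  # real for the component, noise for this application
        expiry = WAIVERS.get((app_name, artifact, version))
        if expiry and expiry > today:
            return "waived", f"{f.category} waived until {expiry}"
        return "blocked", f"{f.category} ({f.severity}), fixed in {f.fixed_in}"
    return "allowed", "no applicable policy violation"
```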

Page 44: Supply Chain Solutions for Modern Software Development

ACTIONABLE

Page 45: Supply Chain Solutions for Modern Software Development

POLICIES ENSURE DEVELOPERS START WITH RIGHT COMPONENTS

“I can quickly pick the best component from the start, eliminating downstream rework.”

Lead Developer

Analyze all components from within your IDE

License, Security and Architecture data for each component, evaluated against your policy

Page 46: Supply Chain Solutions for Modern Software Development

PROVIDE A SOLUTION

• Now that you've told me about a problem, tell me what I can do to fix it.

• Suggest alternatives.

• Even if I don't completely understand the risk,

if you show me an easy fix, I will take it.

Page 47: Supply Chain Solutions for Modern Software Development

EASY TO CONSUME


Provide stakeholders actionable, easy to consume

information to remediate problems

Page 48: Supply Chain Solutions for Modern Software Development

ACROSS THE LIFECYCLE

Page 49: Supply Chain Solutions for Modern Software Development

If you’re not using secure

COMPONENTS you’re not building secure

APPLICATIONS

Component Selection -> Development -> Build and Deploy -> Production

Page 50: Supply Chain Solutions for Modern Software Development

Applications don’t age,

THEY ROT LIKE MILK

Page 51: Supply Chain Solutions for Modern Software Development

We make it EASY to create

TRUSTED APPLICATIONS and keep them that way

OVER TIME