Securing Modern Applications: The Data Behind DevSecOps
Download as PPTX, PDF1 like620 views
The document discusses the vulnerabilities and cybersecurity issues related to modern application development, particularly via DevSecOps practices. It highlights the prevalence of open source components, the frequency of exploitation events, and emphasizes the need for proactive security measures, including creating a software bill of materials (BOM) and integrating security checks throughout the development process. Key statistics on component vulnerabilities and repair times underscore the urgency of improved cybersecurity hygiene.
Securing Modern Applications: The Data Behind DevSecOps
- 1. Securing Modern Applications: The Data Behind DevSecOps Ilkka Turunen, Global Director - Solutions Architecture @llkkaT
- 2. Large Scale Exploit March 10 Equifax applications breached through Struts2 vulnerability AprMar May Jun Jul Aug Sept March 7 Apache Struts releases updated version to thwart vulnerability CVE-2017-5638 July 29 Breach is discovered by Equifax. Probe Crisis Management
- 3. @llkkaT
- 4. Say Hello to Your Software Supply Chain…
- 5. 1,096 new projects per day 10,000 new versions per day 14x releases per year • 3M npm components • 2M Java components • 900K NuGet components • 870K PyPI components
- 8. 80% to 90% of modern apps consist of assembled components.
- 10. 80% to 90% of modern operations consist of assembled containers. Containers Hand-built applications and infrastructure
- 11. NOT ALL PARTS ARE CREATED EQUAL @devstefops
- 12. 233 days MeanTTR 119 days MedianTTR 122,802 components with known vulnerabilities 19,445 15.8% fixed the vulnerability TIME TO REPAIR OSS COMPONENTS
- 13. 0 days MeanTTR CVE ID: CVE-2017- 5638 March 7 Apache fixed the vulnerability March 7 APACHE STRUTS2 MEAN TIME TO REPAIR
- 14. 170,000 Java component downloads annually 3,500 unique 18,870 11.1% with known vulnerabilities 7,500 ORGANIZATIONS ANALYZED @devstefops
- 15. March 7 Apache Struts releases updated version to thwart vulnerability CVE-2017-5638 Today 8,780 continue to download vulnerable versions of Struts 57% of the Fortune 100 3 Days in March March 8 NSA reveals Pentagon servers scanned by nation-states for vulnerable Struts instances Struts exploit published to Exploit-DB. March 10 Equifax Canada Revenue Agency Canada Statistics GMO Payment Gateway The Rest of the Story March 13 Okinawa Power Japan Post March 9 Cisco observes "a high number of exploitation events." March ’18 India’s AADHAAR EQUIFAX WAS NOT ALONE April 13 India Post December ’17 Monero Cryptomining
- 16. 6-IN-10 HAVE OPEN SOURCE POLICIES @devstefops
- 17. @weekstweets CYBERSECURITY HYGIENE RATIO IS 1 IN 8
- 18. Laurie Voss, npm and the furture of JavaScript, 2018-10-10
- 19. DEFECT PERCENTAGES FOR JAVASCRIPT @llkkaT
- 22. 9 years later, vulnerable versions of Bouncy Castle were downloaded… 11M CVE-2007-6721 CVSS Base Score: 10.0 HIGH Exploitability Subscore: 10.0 23M 2007 2016 BOUNCY CASTLE
- 23. 18,330,958 78% downloads were vulnerable COMMONS COLLECTION CWE-502 23,476,966 total downloads in 2016
- 24. commons-fileupload STRUTS 2 CVE 2016- 1000031
- 26. Source : Maven Central Repository, Maaliskuu 2018 Spring Framework RCE ”Spring Break” - CVE-2017-8046 Download statistic for components affected in the Spring “Break” vulnerability
- 27. AVERAGE DAYS BEFORE VULNERABILITY IS EXPLOITED
- 28. “Emphasize performance of the entire system and never pass a defect downstream.” Gene Kim The Phoenix Project 2013
- 29. 100:1developers outnumber application security
- 30. DevCDCI Pro d QA UATCI Server Public OSS repositories Version Control Deployment Process Nexus Repository Developer Nexus Lifecycle IDE / maven Weeks to approve Relying solely on penetration tests is too late
- 31. “You cannot inspect quality into a product.” W. Edwards Deming Out of the Crisis 1982 31
- 33. THE REWARDS ARE IMPRESSIVE 90% improvement in time to deploy 34,000 hours saved in 90 days 48% increase in application quality
- 34. 1. Have a Software BoM for each application so you know what OSS you are using 2. Shift Left! Empower developers by giving them information into their IDEs and Source Control 3. Add checks at every stage to ensure you don’t pass defects downstream Three Takeaways
Editor's Notes
- #3: 145m record 600k Gdpr number C suite retirement Learn facts – watch ilka vid & atch youtube
- #5: Say hello to YOUR software supply chain, not “the software supply chain”; personalizing it more for the audience. For those of you that are unfamiliar with a software supply chain, it's really an allegate to the traditional supply chains used in manufacturing today. Those supply chains have suppliers that are building components. In the case of software development, that is the open-source [projects 00:07:53] that are building components, and making them freely available to developers around the world. [00:08:00] They're able to store and distribute those components in the large central warehouses, like the central repository that Sonatype is responsible for managing, but also repositories like rubygems.org, [pipi.org 00:08:16], thenugetgallery, etc. This is where the components are stored and available to the manufacturers, that are really the software development teams, that are consuming these components and downloading these components over the years. Those components are then used to create the finished goods, or the software applications, that organizations are then delivering to their customers. We'll continue to use this supply chain analogy for the software supply chain, then compare and contrast what's happening in traditional manufacturing, is to what's happening in software today.
- #6: There's a really interesting site out there called moduleaccounts.com. It has a simple value, it keeps track of the number of different components, or packages that are available across the different development languages, from pipi, to nuget, to bower, to maven, components, etc. And it shows the increase in the number of these components that are available to the developer ecosystem, or the developer population, over time. We used some data from that site to see that over a thousand new open-source projects were created each day. People delivering a new kind of software, a new kind of component. Then, from the general population of all open-source projects worldwide, we were able to estimate that ten thousand new versions of components are introduced every day. There's this huge supply of components entering the ecosystem, and available to our software supply chains. When we look at the central repository that Sonatype manages, of maven style or java open-source components, we looked across 380 thousand open-source projects, and found that on average those projects were releasing fourteen new versions of their components every year. That's great from a supply chain aspect, that the suppliers are very active, actively releasing new software, actively releasing new innovations, and actively improving the software that they're making available to developers worldwide.
- #12: Unfortunately, not all parts are equal... Some are healthy, some are not… …and all go bad over time (like milk, not like wine).
- #17: in the late 1950s, and the dominance of car design over good engineering
- #18: [00:14:00] One of the things that we measured year over year, and we do do some year over year comparisons throughout the report, is that 6.2% of the downloads from the central repository last year out of the billions of downloads, had a known security vulnerability in them. This past year we saw 6.1% of the downloads had a known vulnerability. That's about one in sixteen of every component download has a known vulnerability in it.
- #20: [00:14:00] One of the things that we measured year over year, and we do do some year over year comparisons throughout the report, is that 6.2% of the downloads from the central repository last year out of the billions of downloads, had a known security vulnerability in them. This past year we saw 6.1% of the downloads had a known vulnerability. That's about one in sixteen of every component download has a known vulnerability in it.
- #23: in 2016 there were 197 GAVs related to bouncycastle downloaded a total of 23,412,020 times. 61 of thos GAVs were insecure, and those were downloaded 11,181,493 times
- #24: for commons-collection, there were 25 GAVs downloaded a total of 23,476,966 times. 7 of those GAVs were insecure, and those were downloaded 18,330,958 times.
- #29: “Cease dependence on mass inspection.” Inspection does not improve quality. Nor guarantee quality. Inspection is too late. Harold F. Dodge: “You cannot inspect quality into a product” Automatic inspection and recording require constant vigil.
- #31: Run through to CI / CD relatively quickly. 2min max. When there, focus on discussing * ‘what happens when we introduce the questions of ‘what about security vulnerabilities?’ ‘What about licensing?’ Most companies solve these manually. Takes long time. Ask the attendees how they deal with it? When you know, start explaining we believe these should be automated throughout the SLCD instead of being at the very beginning or very end. Reveal each label, discuss briefly implications BEGIN DEMO FLOW. Stop after each major theme briefly for questiosn IDE Policy Jenkins / Bamboo REPORT – Vulnerabilities – Licensing – important to know what persona to know what to focus on here JIRA – DASHBOARD AT THE END OF THE DEMO – ASK FOR THEIR IMPRESSIONS “And that’s the end of the demo. What do you think, could this be useful?” => Helps set the stage for value affirmation and future next steps
- #32: “Cease dependence on mass inspection.” Inspection does not improve quality. Nor guarantee quality. Inspection is too late. Harold F. Dodge: “You cannot inspect quality into a product” Automatic inspection and recording require constant vigil.
- #33: The question is not: Can we build secure software?
- #34: Fannie mae? LM – R !LC 34,000 – amex? 48% FM?
- #35: This should be at the beginning and end of your presentation: What are the three talking points your audience should be able to answer after this presentation?