even faster
play

Even Faster: How Rugged DevOps & SW Supply Chains Attack - PowerPoint PPT Presentation

Oct 27, 2022 •182 likes •832 views

Even Faster: How Rugged DevOps & SW Supply Chains Attack Developer Waste Josh Corman @joshcorman @joshcorman Conclusions / Apply! Idea: A full embrace of Deming is a SW Supply Chain: Fewer/Better Suppliers Highest Quality Supply

  1. Even Faster: How Rugged DevOps & SW Supply Chains Attack Developer Waste Josh Corman @joshcorman @joshcorman

  2. Conclusions / Apply! § Idea: A full embrace of Deming is a SW Supply Chain: § Fewer/Better Suppliers § Highest Quality Supply § Traceability/Visibility throughout Manufacturing / Prom & Agile Recall § Benefits: Such rigor enables: § Even FASTER: Fewer instances of Unplanned/Unscheduled Work ( ALSO CONTEXT SWITCHES) § More EFFICIENT: Faster MTTD/MTTR § Better QUALITY/RISK: Avoid elective/avoidable complexity/risk § Urgency: It’s OpenSeason on OpenSource § And our dependence on connected tech is increasingly a public safety issue § Coming Actions: “Known Vulnerabilities” Convergence § Lawmakers, Insurers, Lawyers, etc. are converging @joshcorman

  3. Who am I? Joshua Corman @joshcorman CTO, Sonatype @joshcorman

  4. @joshcorman

  5. @joshcorman

  6. @joshcorman 6

  7. h/t @petecheslock DevOpsDays AusHn 2015 True #DevOps + Security isn’t all rainbows & unicorns. Unicorn p00p has to be worked thru @joshcorman @mortman #RSAC @joshcorman

  8. @joshcorman

  9. Rugged DevOps SESSION ID: Going Even Faster With Software Supply Chains Gene Kim Joshua Corman Researcher and Author CTO IT Revolution Press Sonatype @RealGeneKim @joshcorman #RSAC

  10. ~ Marc Marc Andreessen 2011 @joshcorman 10/23/2013 10 @joshcorman

  11. @joshcorman 11

  12. Trade Offs Costs & Benefits @joshcorman 10/23/2013 12 @joshcorman

  13. Beyond Heartbleed: OpenSSL in 2014 (31 in NIST’s NVD thru December) As of today, internet scans by MassScan reveal 300,000 CVE-2014-3470 6/5/2014 CVSS Severity: 4.3 MEDIUM ß SIEMENS * of original 600,000 remain CVE-2014-0224 6/5/2014 CVSS Severity: 6.8 MEDIUM ß SIEMENS * CVE-2014-0221 6/5/2014 CVSS Severity: 4.3 MEDIUM unpatched or unpatchable CVE-2014-0195 6/5/2014 CVSS Severity: 6.8 MEDIUM CVE-2014-0198 5/6/2014 CVSS Severity: 4.3 MEDIUM ß SIEMENS * CVE-2013-7373 4/29/2014 CVSS Severity: 7.5 HIGH CVE-2014-2734 4/24/2014 CVSS Severity: 5.8 MEDIUM ** DISPUTED ** CVE-2014-0139 4/15/2014 CVSS Severity: 5.8 MEDIUM CVE-2010-5298 4/14/2014 CVSS Severity: 4.0 MEDIUM CVE-2014-0160 4/7/2014 CVSS Severity: 5.0 MEDIUM ß HeartBleed CVE-2014-0076 3/25/2014 CVSS Severity: 4.3 MEDIUM CVE-2014-0016 3/24/2014 CVSS Severity: 4.3 MEDIUM CVE-2014-0017 3/14/2014 CVSS Severity: 1.9 LOW CVE-2014-2234 3/5/2014 CVSS Severity: 6.4 MEDIUM CVE-2013-7295 1/17/2014 CVSS Severity: 4.0 MEDIUM CVE-2013-4353 1/8/2014 CVSS Severity: 4.3 MEDIUM CVE-2013-6450 1/1/2014 CVSS Severity: 5.8 MEDIUM … @joshcorman

  14. Heartbleed + (UnPatchable) Internet of Things == ___ ? In Our Homes In Our Bodies In Our Cars In Our Infrastructure @joshcorman

  15. Sarcsm: I’m shocked! @joshcorman 15

  16. @joshcorman

  17. The Rugged Ma The Ru ed Mani nifesto festo I am I m rugged... and mo more imp mportantly, my my code is ru rugged. I recogniz I ize th that t softw ftware has become a fo foundatio tion of f our mo modern world. I I recogniz ize th the awesome responsib ibility ility th that t comes with ith th this is fo foundatio tional l role le. I I recogniz ize th that t my code will ill be used in in wa ways I cannot anticipat ant pate, in n ways ays it was as no not designe ned, and and for long nger th than it it was ever in inte tended. I recogniz I ize th that t my code will ill be atta ttacked by ta tale lente ted and pe persistent nt adve adversar aries who ho thr hreat aten n our phy physical al, ec econ onom omic ic, and nation ional sec securit ity. I I recogniz ize th these ese thin ings s - a and I I c choose t to b be r rugged. I am rugged because I I I refu fuse to to be a source of f vu vulne nerability or weakne kness. I I am rugged because I I assure my code will ill support t its its mi mission. I I am rugged because my code can fa face th these challe llenges and and pe persist in n spi pite te of f th them. I I am rugged, not t because it it is is easy, but t because it it is is necessar ne ary. y... and and I am am up up for the he chal hallenge nge. @joshcorman

  18. I I recogniz ize th that t softw ftware has become a fo foundatio tion of f our mo modern world. I recogniz I ize th the awesome responsib ibility ility th that t comes with ith th this is fo foundatio tional l role le. I I recogniz ize th that t my code will ill be used in in wa ways I cannot anticipat ant pate, in n ways ays it was as no not designe ned, and and for long nger th than it it was ever in inte tended. I recogniz I ize th that t my code will ill be atta ttacked by ta tale lente ted and pe persistent nt adve adversar aries who ho thr hreat aten n our phy physical al, ec econ onom omic ic, and nation ional sec securit ity. I I recogniz ize th these ese thin ings s - a and I I c choose t to b be r rugged. I I am rugged because I I refu fuse to to be a source of f vulne vu nerability or weakne kness. I I am rugged because I I assure my code will ill support t its its mi mission. @joshcorman

  19. I Am The Cavalry The Cavalry isn’t coming … It falls to us Problem Statement Mission Statement Our society is adopHng connected To ensure connected technologies with technology faster than we are able to the potenHal to impact public safety secure it . and human life are worthy of our trust . • The Why Trust, public safety, human life How EducaHon, outreach, research Who Infosec research community AutomoHve Connected Public Who Global, grass roots iniHaHve Medical Home Infrastructure What Long-term vision for cyber safety Collec9ng exisHng research, researchers, and resources Connec9ng researchers with each other, industry, media, policy, and legal Collabora9ng across a broad range of backgrounds, interests, and skillsets @joshcorman Catalyzing posiHve acHon sooner than it would have happened on its own

  20. 5-Star Framework Addressing Automotive Cyber Systems 5-Star Capabili9es « Safety by Design – AnHcipate failure and plan miHgaHon « Third-Party Collabora9on – Engage willing allies « Evidence Capture – Observe and learn from failure « Security Updates – Respond quickly to issues discovered « Segmenta9on & Isola9on – Prevent cascading failure Connec9ons and Ongoing Collabora9ons AutomoHve Policy Insurance Accident Standards Security Engineers Makers Analysts InvesHgators OrganizaHons Researchers @joshcorman h`ps://www.iamthecavalry.org/auto/5star/

  21. 5-Star Cyber Safety Formal Capacities Plain Speak 1. Safety By Design 1. Avoid Failure 2. Third Party 2. Engage Allies To Avoid Collaboration Failure 3. Evidence Capture 3. Learn From Failure 4. Security Updates 4. Respond to Failure 5. Segmentation and 5. Isolate Failure Isolation www.iamthecavalry.org @iamthecavalry

  22. h/t @petecheslock DevOpsDays AusHn 2015 True #DevOps + Security isn’t all rainbows & unicorns. Unicorn p00p has to be worked thru @joshcorman @mortman #RSAC @joshcorman

  23. SESSION ID: ASD-T07R Continuous Security: 5 Ways DevOps Improves Security Joshua Corman David Mortman Chief Security Architect & Distinguished Engineer CTO Dell Software Sonatype @mortman @joshcorman #RSAC

  24. @joshcorman

  25. @joshcorman

  26. @joshcorman

  27. Innovate! PRODUCTIVITY TIME @joshcorman

  28. @joshcorman 28

  29. ACCEPTABLE ON TIME ON BUDGET QUALITY/RISK @joshcorman

  30. @joshcorman

  31. Agile goats; not goat rodeo. “We need to be agile, but not fragile.” @RuggedSojware @joshcorman @mortman #RSAC #DevOps @joshcorman

  32. ON TIME. ON BUDGET. ACCEPTABLE QUALITY/RISK. Faster builds. More efficient. Easier compliance. Fewer interrup9ons. More profitable. Higher quality. More innova9on. More compe99ve. Built-in audit protec9on. Agile / CI @joshcorman

  33. DevOps It may feel like DevOps is Pandora’s Box, but it’s open… and hope remains. ;) @joshcorman @mortman #RSAC #DevOps @joshcorman

  34. ON TIME. ON BUDGET. ACCEPTABLE QUALITY/RISK. Faster builds. More efficient. Easier compliance. Fewer interrup9ons. More profitable. Higher quality. More innova9on. More compe99ve. Built-in audit protec9on. Agile / CI DevOps / CD @joshcorman

  35. SW Supply Chains @joshcorman

  36. ON TIME. ON BUDGET. ACCEPTABLE QUALITY/RISK. Faster builds. More efficient. Easier compliance. Fewer interrup9ons. More profitable. Higher quality. More innova9on. More compe99ve. Built-in audit protec9on. Agile / CI DevOps / CD SW Supply Chain @joshcorman

  37. Comparing the Prius and the Volt Toyota Toyota Chevy Advantage Prius Volt Unit Cost 61% $24,200 $39,900 Units Sold 13x 23,294 1,788 In-House 50% 27% 54% ProducHon 16% Plant Suppliers 125 800 (10x per) Firm-Wide 4% 224 5,500 Suppliers @joshcorman

  38. Embrace proven supply chain principles @joshcorman

  39. Software Supply Chain Hygiene Use better & fewer Use higher Track what you use suppliers quality parts and where @joshcorman

  40. Open source usage is EXPLODING Yesterday’s source code is now replaced with OPEN SOURCE components 2014 2007 2008 2009 2010 2011 2012 2013 1B 2B 4B 6B 8B 13B 17B 500M @joshcorman 40 Source: Sonatype, Inc. analysis of (Maven) Central Repository component requests.

Recommend

Faster Haskell Neil Mitchell www.cs.york.ac.uk/~ndm The Goal Make Haskell faster

Faster Haskell Neil Mitchell www.cs.york.ac.uk/~ndm The Goal Make Haskell faster

Faster Haskell Neil Mitchell www.cs.york.ac.uk/~ndm The Goal Make Haskell faster Reduce the runtime But keep high-level declarative style Full automatic - no special functions Different from foldr/build,

478 views • 24 slides
FASTER TRANSFORMER Bo Yang Hsueh, 2019/12/18 AGENDA What is Faster Transformer Introduce the

FASTER TRANSFORMER Bo Yang Hsueh, 2019/12/18 AGENDA What is Faster Transformer Introduce the

FASTER TRANSFORMER Bo Yang Hsueh, 2019/12/18 AGENDA What is Faster Transformer Introduce the Transformer and Faster Transformer 1.0 New Features in Faster Transformer 2.0 Introduce the Faster Transformer 2.0 Faster Transformer 2.0 performance

932 views • 55 slides
Faster Code Nicolas Limare 2014/11/19 faster? one task vs many speeds one operation vs many

Faster Code Nicolas Limare 2014/11/19 faster? one task vs many speeds one operation vs many

Faster Code Nicolas Limare 2014/11/19 faster? one task vs many speeds one operation vs many algos one algo vs many codes one code vs many binaries one binary vs many runs We want faster runs for the same operation. why go fast?

620 views • 17 slides
Water Rights Accounting New Accounting Model New Technology: 1979 versus 2011 Faster

Water Rights Accounting New Accounting Model New Technology: 1979 versus 2011 Faster

Water Rights Accounting New Accounting Model New Technology: 1979 versus 2011 Faster processors Faster graphics Larger, faster, memory Larger, faster, disk storage Common Application Use single application to build and

585 views • 33 slides
SIDH on ARM: Faster Modular Multiplications for Faster Post-Quantum Supersingular Isogeny Key

SIDH on ARM: Faster Modular Multiplications for Faster Post-Quantum Supersingular Isogeny Key

SIDH on ARM: Faster Modular Multiplications for Faster Post-Quantum Supersingular Isogeny Key Exchange. Hwajeong Seo (Hansung University), Zhe Liu (Nanjing University of Aeronautics and Astronautics), Patrick Longa (Microsoft Research), Zhi

593 views • 36 slides
FASTER Overview Aspa Tzeletopoulou Alexios Vlachopoulos 833507 FASTER

FASTER Overview Aspa Tzeletopoulou Alexios Vlachopoulos 833507 FASTER

FASTER Overview Aspa Tzeletopoulou Alexios Vlachopoulos 833507 FASTER H2020-SU-SEC-2018-2019-2020/H2020-SU-SEC-2018 1 Project funded by: EUROPEAN UNION - Research Executive Agency (REA) Project Information First responder Advanced

312 views • 14 slides
WRITING FASTER CODE 1 . 1 WRITING FASTER CODE AND NOT HATING YOUR JOB AS A SOFTWARE DEVELOPER

WRITING FASTER CODE 1 . 1 WRITING FASTER CODE AND NOT HATING YOUR JOB AS A SOFTWARE DEVELOPER

WRITING FASTER CODE 1 . 1 WRITING FASTER CODE AND NOT HATING YOUR JOB AS A SOFTWARE DEVELOPER 1 . 2 WRITING FASTER PYTHON @SebaWitowski 1 . 3 PYTHON WAS NOT MADE TO BE FAST... ...BUT TO MAKE DEVELOPERS FAST. 2 . 1 It was nice to

451 views • 43 slides
NEW PRODUCT LAUNCH: ATR-500 ADJUSTABLE TRAY ROLLER Part Number: ATR-500 FASTER Installs faster

NEW PRODUCT LAUNCH: ATR-500 ADJUSTABLE TRAY ROLLER Part Number: ATR-500 FASTER Installs faster

NEW PRODUCT LAUNCH: ATR-500 ADJUSTABLE TRAY ROLLER Part Number: ATR-500 FASTER Installs faster than standard cable rollers SAFER Enables secure vertical rise and drop of cable SMARTER Handles tray rung spacing from 10 to 20- 1/4

607 views • 9 slides
Faster Cover Trees Mike Izbicki and Christian R. Shelton UC Riverside Izbicki and Shelton (UC

Faster Cover Trees Mike Izbicki and Christian R. Shelton UC Riverside Izbicki and Shelton (UC

Faster Cover Trees Mike Izbicki and Christian R. Shelton UC Riverside Izbicki and Shelton (UC Riverside) Faster Cover Trees July 7, 2015 1 / 21 Outline Why care about faster cover trees? Making cover trees faster. Experimental setup

465 views • 23 slides
10-20x Faster 10-20x Faster Software Builds Software Builds John Ousterhout 2307 Leghorn

10-20x Faster 10-20x Faster Software Builds Software Builds John Ousterhout 2307 Leghorn

10-20x Faster 10-20x Faster Software Builds Software Builds John Ousterhout 2307 Leghorn Street Mountain View, CA 94043 www.electric-cloud.com Overview Overview Slow builds impact almost all medium/large development teams Electric Cloud

716 views • 32 slides
Memory Hierarchy & Caching Use several levels of faster and faster memory to hide delay of

Memory Hierarchy & Caching Use several levels of faster and faster memory to hide delay of

7a.1 7a.2 Memory Hierarchy & Caching Use several levels of faster and faster memory to hide delay of upper levels EE 457 Unit 7a Unit of Transfer: Word, Half, or Byte (LW, LH, LB or SW, SH, SB) Registers L1 Cache ~ 1ns Cache and

492 views • 10 slides
Get to ASICs Faster Get to ASICs Faster A Novel Mixed Signal Design Methodology Dr Greg

Get to ASICs Faster Get to ASICs Faster A Novel Mixed Signal Design Methodology Dr Greg

February 24-26, 2009 Get to ASICs Faster Get to ASICs Faster A Novel Mixed Signal Design Methodology Dr Greg Tumbush: Tumbush Enterprises Dr. Greg Tumbush: Tumbush Enterprises ON Semiconductor: Gareth Weale, Dustin Griesdorf, , , Alaa

447 views • 20 slides
Faster cancer treatment November 2012 PREPARED BY Faster cancer treatment patient pathway

Faster cancer treatment November 2012 PREPARED BY Faster cancer treatment patient pathway

Faster cancer treatment November 2012 PREPARED BY Faster cancer treatment patient pathway approach that covers surgical and non-surgical cancer treatment measured by three indicators: DHBs are expected to provide baseline

294 views • 11 slides
Making State Government Simpler, Faster, Better, and Less Costly Michael Buerger and Rich

Making State Government Simpler, Faster, Better, and Less Costly Michael Buerger and Rich

Making State Government Simpler, Faster, Better, and Less Costly Michael Buerger and Rich Martinski February 10, 2014 SIMPLER. FASTER. BETTER. LESS COSTLY. SIMPLER. FASTER. BETTER. LESS COSTLY. 7 Steps to Implementing Lean

910 views • 37 slides
RCRA Brownbag Session Faster Cleanup and Faster Reuse at RCRA Corrective Action Sites and PCB

RCRA Brownbag Session Faster Cleanup and Faster Reuse at RCRA Corrective Action Sites and PCB

RCRA Brownbag Session Faster Cleanup and Faster Reuse at RCRA Corrective Action Sites and PCB Cleanup Sites Steve Armann, Manager, US EPA Region 9 Joseph Kelly, Project Manager US EPA Region 5 10/3/2018 1 U.S. Environmental Protection Agency

249 views • 14 slides
Quantum Computing, At First Glance, This . . . Here We Come! Making Lemonade . . . Fast Search

Quantum Computing, At First Glance, This . . . Here We Come! Making Lemonade . . . Fast Search

Faster, Faster, Faster: . . . Blame It on Einsteins . . . Honey, I Shrunk the . . . Why Is Micro-World . . . Quantum Computing, At First Glance, This . . . Here We Come! Making Lemonade . . . Fast Search Vladik Kreinovich End of

566 views • 25 slides
Localiza)on using Faster R-CNN and Mul)-Frame Fusion Ryosuke Yamamoto, Nakamasa Inoue, Koichi

Localiza)on using Faster R-CNN and Mul)-Frame Fusion Ryosuke Yamamoto, Nakamasa Inoue, Koichi

Localiza)on using Faster R-CNN and Mul)-Frame Fusion Ryosuke Yamamoto, Nakamasa Inoue, Koichi Shinoda Tokyo Ins8tute of Technology Outline Mo)va)on: detect an ac)on concept Si?ngDown Our method: Faster R-CNN + LSTM + Re-scoring Annota)on:

481 views • 19 slides
PRODUCT NUMBER: RT01 REAL TENDER Product Number: RT01 FASTER Crank handle for faster

PRODUCT NUMBER: RT01 REAL TENDER Product Number: RT01 FASTER Crank handle for faster

PRODUCT NUMBER: RT01 REAL TENDER Product Number: RT01 FASTER Crank handle for faster re-spooling. SAFER No more lifting Heavy wire spools. SMARTER Rolls over rough terrain on the jobsite. REAL TENDER Product Number: RT01 Product

319 views • 6 slides
The Sky is the Limit! Faster? Equal, but different Where have we been? Where are we now? Is

The Sky is the Limit! Faster? Equal, but different Where have we been? Where are we now? Is

The Sky is the Limit! Faster? Equal, but different Where have we been? Where are we now? Is there a glass ceiling? Is there a CIO wage gap? Expect equality Organizational fit Market Driven Hierarchical Collaborative Raise your

602 views • 24 slides
I N V E S T O R P R E S E N T A T I O N A P R I L 2 0 1 8 AIXPLOR ER U LTIMATE : FASTER , MOR E

I N V E S T O R P R E S E N T A T I O N A P R I L 2 0 1 8 AIXPLOR ER U LTIMATE : FASTER , MOR E

I N V E S T O R P R E S E N T A T I O N A P R I L 2 0 1 8 AIXPLOR ER U LTIMATE : FASTER , MOR E R ELIABLE, MOR E C OMPR EH EN SIVE OFFICIAL LAUNCH : SEPTEMBER 7, 2017 INCREASED COMPUTING POWER X4,5 NEW REFINED DESIGN NEW USER

742 views • 25 slides
Faster Johnson-Lindenstrauss style reductions Aditya Menon August 23, 2007 Faster

Faster Johnson-Lindenstrauss style reductions Aditya Menon August 23, 2007 Faster

Faster Johnson-Lindenstrauss style reductions Faster Johnson-Lindenstrauss style reductions Aditya Menon August 23, 2007 Faster Johnson-Lindenstrauss style reductions Outline Introduction 1 Dimensionality reduction The Johnson-Lindenstrauss

990 views • 65 slides
Day Two: October 4, 2018 1 1 Building a Foundation for a Faster Payments Ecosystem: An Update

Day Two: October 4, 2018 1 1 Building a Foundation for a Faster Payments Ecosystem: An Update

Day Two: October 4, 2018 1 1 Building a Foundation for a Faster Payments Ecosystem: An Update from the Directories and the Rules, Standards, Laws, and Regulations Work Groups 2 Origin of Industry Work Groups In July 2017, the Faster

391 views • 17 slides
IS ECR REALLY "FASTER, BETTER, AND CHEAPER? AN AUSTRALIAN AND NEW ZEALAND PRESENTATION

IS ECR REALLY "FASTER, BETTER, AND CHEAPER? AN AUSTRALIAN AND NEW ZEALAND PRESENTATION

THE 5 TH NATIONAL CONFERENCE OF THE UNITED STATES INSTITUTE FOR ENVIRONMENTAL CONFLICT RESOLUTION TUCSON, ARIZONA Wednesday 21 MAY 2008 5. Breakout Session: 3.30 to 5.00 pm BO3G IS ECR REALLY "FASTER, BETTER, AND CHEAPER? AN

644 views • 37 slides
/ Major persistent trends Beat the clock race o Requirement for faster and faster

/ Major persistent trends Beat the clock race o Requirement for faster and faster

On the Joint Content Caching and User Association Problem in Small Cell Networks M. Karaliopoulos, L. Chatzieleftheriou, G. Darzanos, I. Koutsopoulos 3rd Workshop on Ultra-high speed, Low latency and Massive Communication for Futuristic 6G

358 views • 17 slides

More recommend