securing software supply chains
play

Securing Software Supply Chains Why 3 Days Might Be Your New Normal - PowerPoint PPT Presentation

Aug 15, 2023 •45 likes •515 views

Securing Software Supply Chains Why 3 Days Might Be Your New Normal for DevSecOps Cameron Townshend Solution Architect, APJ, Sonatype Since 2000, 52% of Fortune 500 have been replaced. Established business leaders are also under attack

  1. Securing Software Supply Chains Why 3 Days Might Be Your New Normal for DevSecOps Cameron Townshend Solution Architect, APJ, Sonatype

  2. Since 2000, 52% of Fortune 500 have been replaced. Established business leaders are also under attack…

  3. Source: https://www.visualcapitalist.com/animation-top-15-global-brands-2000- 2018/ 3

  4. What is software supply chain management? A new (yet proven) way of thinking. 1. Source parts from fewer and better suppliers. 2. Use only the highest quality parts. 3. Never pass known defects downstream. 4. Continuously track location of every part. W. Edwards Deming, 1945

  5. Jez Humble, 2010

  6. Gene Kim, 2013

  8. 47% deploy multiple times per week velocity Source: 2019 DevSecOps Community Survey

  9. 59,000 data breaches have been reported to GDPR regulators since May 2018 source: DLA Piper, February 2019

  10. Business applications are under attack… 51% 43% 68% Of enterprises suffered at Of enterprise attacks are Of external attacks target least one breach in last 12 perpetrated by external web apps and known months. actors. vulnerabilities. Forrester: Best Practices for Deploying And Managing Enterprise Password Managers – Jan 2018 10

  11. Everyone has a software supply chain. (even if you don’t call it that)

  12. Demand drives 15,000 new releases every day

  13. Automation accelerates OSS downloads Source: Sonatype’s 2018 State of the Software Supply Chain Report

  15. 85% of your code is sourced from external suppliers

  16. 170,000 Java component downloads annually 3,500 unique source: 2018 State of the Software Supply Chain Report

  17. 60,660 JavaScript packages downloaded per developer per year source: npm, 2018

  18. Not all parts are created equal.

  19. We are not “building quality in”. 2016 Java Downloads NOT RELFECTIVE OF THE HARTFORD’S DATA source: 2019 State of the Software Supply Chain Report

  21. We are not “building quality in”. 2018 npm source: 2018 npm

  22. 6∑ 5∑ 4∑ 1∑ 2∑ 3∑ 1,000,000 691,000 510,000 309,000 120K 66.8K 6.2K 233 3.4 Defects targets per million for 6-sigma

  23. 170,000 java component 18,870 downloads annually 11.1% with known 3,500 vulnerabilities unique

  24. 60,660 30,936 JavaScript packages 51% with known downloaded annually vulnerabilities per developer

  26. Social normalization of deviance “People within the organization become so much accustomed to a deviant behavior that they don't consider it as deviant, despite the fact that they far exceed their own rules for elementary safety .” Diane Vaughan

  27. Breaches increased 71% 14% 24% suspect or have verified a suspect or have verified a breach related to open source breach related to open source components in the 2014 survey components in the 2019 survey source: DevSecOps Community Survey 2014 and 2019

  28. The speed of exploits has compressed 93% Sources: Gartner, IBM, Sonatype

  29. Quickly identify who is faster than their adversaries source: 2019 DevSecOps Community Survey

  30. Equifax was not alone March 7 March ’18 Apache Struts releases March 13 updated version to India’s AADHAAR Okinawa Power thwart vulnerability Japan Post CVE-2017-5638 March 9 April 13 Cisco observes "a high India Post number of exploitation events." 3 Days in March The Rest of the Story March 10 March 8 December ’17 Today NSA reveals Pentagon Equifax servers scanned by Monero Crypto Mining 65% of the Fortune 100 nation-states for download vulnerable Canada Revenue Agency vulnerable Struts versions instances Canada Statistics Struts exploit published GMO Payment Gateway to Exploit-DB.

  31. Complete software bill of materials (SBOM) 50% 19% 2019 No DevOps Practice 2019 Mature DevOps Practices Source: 2019 DevSecOps Community Survey

  32. 18,126 organizations downloading vulnerable versions of Struts 14 Breach announced. Source: Sonatype

  33. DevSecOps challenge: automate faster than evil.

  34. 1.3 million vulnerabilities in OSS components undocumented No corresponding CVE advisory in the public NVD database

  35. The new battlefront Software Supply Chain Attacks 1 7 ssh-decorator Python Module stealing private ssh Study found credentials online affecting publishing keys. 4 access to 14% of npm repository. +79,000 Golang go-bindata github id deleted and packages. reclaimed. Malicious npm Packages “ typosquatted ” (40 packages for 2 weeks. Collecting env including 8 npm publishing credentials). Gentoo Linux Repository Compromised. 5 Conventional-changelog compromised and turned into a Monero miner. 9 2 6 Malicious Eslint discovered to be stealing npm 10 Malicious Python packages credentials. Backdoor discovered in npm get-cookies Basic info collected and sent to module published since March. Chinese IP address Unauthorized publishing of mailparser. 10 Homebrew repository compromised . 3 Blog: “I’m harvesting credit card numbers and passwords from your site. Here’s how.” 11 npm event-stream attack on CoPay. July Aug Sep Oct Nov Dec Jan Feb Mar May Jun Jul Apr Aug Sep Oct Nov Dec 2017 2017 2017 2017 2017 2017 2018 2018 2018 2018 2018 2018 2018 2018 2018 2018 2018 2018 Image by Sonatype

  36. At what point in the development process does your organization perform automated application analysis? 2019 No DevSecOps Practice 2019 Mature DevSecOps Practices

  37. Which application security tools are used? 2019 No DevSecOps Practice 2019 Mature DevSecOps Practices

  38. How are you informed of InfoSec and AppSec issues? Automating security enables faster DevOps feedback loops

  39. Automation continues to prove difficult to ignore 2019 No DevOps Practice 2019 Mature DevOps Practices Source: 2019 DevSecOps Community Survey

  40. Trusted software supply chains are 2x more secure Source: 2018 State of the Software Supply Chain Report

  41. “ I see no prospect in the long run for avoiding liability for insecure code.” Paul Rozenzweig Senior Fellow, R Street Institute 2018

  42. The rising tide of regulation and software liability

  43. 1. An up to date inventory of open-source components utilized in the software 2. A process for identifying known vulnerabilities within open source components 3. 360 degree monitoring of open source components throughout the SDLC January 2019 4. A policy and process to immediately remediate vulnerabilities as they become known source: https://blog.pcisecuritystandards.org/just-published-new-pci-software-security-standards

  44. 1 in 7 Downloads All Countries Show Poor Cyber Hygiene 1 in 9 Downloads

  45. “Emphasize performance of the entire system and never pass a defect downstream.”

  46. ctownshend@sonatype.com

Recommend

Securing Software Supply Chains with in in-to toto to Tobias Furuholm Combient NotPetya

Securing Software Supply Chains with in in-to toto to Tobias Furuholm Combient NotPetya

Securing Software Supply Chains with in in-to toto to Tobias Furuholm Combient NotPetya Software Supply Chain Test Code Build Package Deliver Supply chain verification with in-toto ? Layout { "_type": "layout",

269 views • 13 slides
Exploring Software Supply Chains from a Technical Debt Perspective J. Yates Monteith John D.

Exploring Software Supply Chains from a Technical Debt Perspective J. Yates Monteith John D.

Exploring Software Supply Chains from a Technical Debt Perspective J. Yates Monteith John D. McGregor Strategic Software Engineering Research Group 1 Problem: Quality in the Software Supply Chain Due diligence requires that deliveries

549 views • 15 slides
How is software made? 2 A stylized software supply chain test code build package 3

How is software made? 2 A stylized software supply chain test code build package 3

in-toto -- Securing the whole software supply chain Santiago Torres-Arias, Hammad Afzali, Lukas Phringer , Reza Curtmola, Justin Cappos How is software made? 2 A stylized software supply chain test code build package 3 Attackers can

495 views • 28 slides
Leveraging Supply Chains for Profit

Leveraging Supply Chains for Profit

Leveraging Supply Chains for Profit www.william.lawrence@uwimona.edu.jm 1. What is a supply chain? 2. Leveraging supply chains 3. Measuring supply chain

373 views • 20 slides
SUPPLY CHAIN CONFERENCE 2019 Organised by Supply Chains Connect (SCC) on 6 th Dec 2019 @ Mensvic

SUPPLY CHAIN CONFERENCE 2019 Organised by Supply Chains Connect (SCC) on 6 th Dec 2019 @ Mensvic

Presentations from SUPPLY CHAIN CONFERENCE 2019 Organised by Supply Chains Connect (SCC) on 6 th Dec 2019 @ Mensvic Hotel, Accra This compilation is the work of Supply Chains Connect (SCC) and the content therein are the sole property of the

1.34k views • 104 slides
Drivers and Constraints for OSH Im Improvement in Food and Agriculture Supply Chains A+A ILO

Drivers and Constraints for OSH Im Improvement in Food and Agriculture Supply Chains A+A ILO

Drivers and Constraints for OSH Im Improvement in Food and Agriculture Supply Chains A+A ILO International Occupational Safety and Health Conference 2017 OSH in Global Supply chains Dusseldorf, 19 October 2017 Lou Tessier - ILO - LABADMIN/OSH

122 views • 8 slides
RAY SCHRAFF Hyland Software, USA 9 th Global Supply Chain and Logistics Summit 16 Nov 2016

RAY SCHRAFF Hyland Software, USA 9 th Global Supply Chain and Logistics Summit 16 Nov 2016

Presentation Title Documentation Automation for Optimal Supply Chains Presented by: RAY SCHRAFF Hyland Software, USA 9 th Global Supply Chain and Logistics Summit 16 Nov 2016 www.sclgsummit.org Data is the New Oil 9 th Global Supply Chain

426 views • 13 slides
Supply Chain Management in the New World How will the Global Pandemic Impact Supply Chains?

Supply Chain Management in the New World How will the Global Pandemic Impact Supply Chains?

Supply Chain Management in the New World How will the Global Pandemic Impact Supply Chains? Kenneth J. Petersen Helen Robson Walton Endowed Chair Director, Division of Marketing & Supply Chain Management Price College of Business

892 views • 51 slides
Overview of U.S. agrifood supply chains ECONOMIC CHARACTERISTICS OF THE AGRIFOOD SUPPLY

Overview of U.S. agrifood supply chains ECONOMIC CHARACTERISTICS OF THE AGRIFOOD SUPPLY

OBJECTIVE Overview of U.S. agrifood supply chains ECONOMIC CHARACTERISTICS OF THE AGRIFOOD SUPPLY CHAIN Describe seven specific Michael Boland, Ph.D. Director of University of Minnesota characteristics that are different from Food

164 views • 5 slides
Rise of the Enabling Environment for Responsible Supply Chains recent trends and practices round

Rise of the Enabling Environment for Responsible Supply Chains recent trends and practices round

Rise of the Enabling Environment for Responsible Supply Chains recent trends and practices round the globe 20 November 2018 Responsible Supply Chains in Asia Project Launch and Stakeholders Engagement at Hotel Sofitel, Manila, Philippines

623 views • 30 slides
Supply Chains, Global Supply World Bioenergy Association Webinar Pyrolysis Oil Markets &

Supply Chains, Global Supply World Bioenergy Association Webinar Pyrolysis Oil Markets &

EU/US/Japanese Markets, Supply Chains, Global Supply World Bioenergy Association Webinar Pyrolysis Oil Markets & Growth in Global Supply Jan 31, 2017 Douglas Bradley- President, Climate Change Solutions 402 Third Avenue, Ottawa,

395 views • 27 slides
The Governance Gap in Supply Chains of Foreign Mul8na8onal Corpora8ons (MNCs) in China Dr Qingxiu

The Governance Gap in Supply Chains of Foreign Mul8na8onal Corpora8ons (MNCs) in China Dr Qingxiu

In Indic icator ors an s and Me Metrics f rics for S or Socially In ocially Inclu clusiv sive e Waste Manageme ment and Resource Effic fficiency (WM&RE) in Supply Chains: Measuring and ReporAng to Emb mbed Sustainability in

425 views • 25 slides
5/16/2019 The Circular Economy Drives Value Creation LINEAR CIRCULAR Circular supply chains

5/16/2019 The Circular Economy Drives Value Creation LINEAR CIRCULAR Circular supply chains

5/16/2019 The Circular Economy Drives Value Creation LINEAR CIRCULAR Circular supply chains reduce costs, increase efficiency and Linear supply chains are costly, susceptible to volatility and harmful to our environment. create a sustainable

266 views • 11 slides
Hyperbolic Models for Large Supply Chains Christian Ringhofer (Arizona State University)

Hyperbolic Models for Large Supply Chains Christian Ringhofer (Arizona State University)

Hyperbolic Models for Large Supply Chains Christian Ringhofer (Arizona State University) Hyperbolic Models for Large Supply Chains p. 1/4 Introduction Topic: Overview of conservation law (traffic - like) models for large supply chains.

794 views • 41 slides
The Future of Supply Chains in Asia PBEC Webinar Dialogue Series 2020 A reality check for

The Future of Supply Chains in Asia PBEC Webinar Dialogue Series 2020 A reality check for

The Future of Supply Chains in Asia PBEC Webinar Dialogue Series 2020 A reality check for Asia-Pacific Supply Chains Ben Simpfendorfer Barrett Bingley Ritesh Kumar Singh Alex Capri Anne Petterd Fatya Mamcu Senior Fellow and

277 views • 4 slides
Supply Chain Rebuild your supply chains to ensure timely access to all inputs your business

Supply Chain Rebuild your supply chains to ensure timely access to all inputs your business

Supply Chain Rebuild your supply chains to ensure timely access to all inputs your business requires In partnership with www.b3cmsme.org 1 Key questions to be addressed Why do we need to focus on supply chain? 1 Which component(s) of

591 views • 12 slides
Risk Management and Global Supply Risk Management and Global Supply Chains T-TIP Stakeholder

Risk Management and Global Supply Risk Management and Global Supply Chains T-TIP Stakeholder

Risk Management and Global Supply Risk Management and Global Supply Chains T-TIP Stakeholder Presentation 5 th Round Arlington, VA May 21, 2014 AAEI Works with European Partners p What Are the General Trends for Trade? Facilitation

425 views • 17 slides
SHORT SUPPLY CHAINS AND SMALL HOLDINGS IN SERBIA Natalija Bogdanov CONTENT DEFINITIONS

SHORT SUPPLY CHAINS AND SMALL HOLDINGS IN SERBIA Natalija Bogdanov CONTENT DEFINITIONS

SHORT SUPPLY CHAINS AND SMALL HOLDINGS IN SERBIA Natalija Bogdanov CONTENT DEFINITIONS CLASSIFICATIONS BENEFITS AND MOTIVES WHY SHORT SUPPLY CHAINS IN SERBIA? SHORT SUPPLY CHAIN IN SERBIA STRATEGIC AND REGULATORY

265 views • 22 slides
Even Faster: How Rugged DevOps & SW Supply Chains Attack Developer Waste Josh Corman

Even Faster: How Rugged DevOps & SW Supply Chains Attack Developer Waste Josh Corman

Even Faster: How Rugged DevOps & SW Supply Chains Attack Developer Waste Josh Corman @joshcorman @joshcorman Conclusions / Apply! Idea: A full embrace of Deming is a SW Supply Chain: Fewer/Better Suppliers Highest Quality Supply

832 views • 64 slides
CLS+ VIETNAM Objective: To explore labour practices in the global supply chains in Asia within

CLS+ VIETNAM Objective: To explore labour practices in the global supply chains in Asia within

1/24/2017 CLS + Linking Trade and Shared Prosperity in Global Supply Chains in Asia Vietnam Country Study Ready-Made Garment, Footwear and Electronic Industries Do Quynh Chi Research Center for Employment Relations 1 CLS+ VIETNAM

409 views • 13 slides
Running Supply Chains is like a Massively Multiplayer Online Game Michael Hugos CIO at Large,

Running Supply Chains is like a Massively Multiplayer Online Game Michael Hugos CIO at Large,

Running Supply Chains is like a Massively Multiplayer Online Game Michael Hugos CIO at Large, SCM Globe http: / / scmglobe.com/ Supply Chain Challenges Best laid plans quickly out of date Steady Volatile (planning cycles take too long)

468 views • 15 slides
Take Back Manufacturing . E ssential for Sustainable Supply Chains in the future. The

Take Back Manufacturing . E ssential for Sustainable Supply Chains in the future. The

5/5/2016 TBM Take Back Manufacturing WWW.SME-TBM.ORG Take Back Manufacturing . E ssential for Sustainable Supply Chains in the future. The Globalized manufacturing approach with efficient supply chain management has been the business norm in

1.18k views • 70 slides
Securing the Supply Chain 1 We need to make Security the Foundation We need to Deliver

Securing the Supply Chain 1 We need to make Security the Foundation We need to Deliver

Securing the Supply Chain 1 We need to make Security the Foundation We need to Deliver Uncompromised Cost, Schedule, Performance ARE ONLY EFFECTIVE IN A SECURE ENVIROMENT 2 Delivered Uncompromised by Mitre 5 Key Structural Challenges 15

227 views • 11 slides
Consistently Optimised Resilient Secure Global Supply-Chains Antwerp 24/9/2015 CORE Key

Consistently Optimised Resilient Secure Global Supply-Chains Antwerp 24/9/2015 CORE Key

Consistently Optimised Resilient Secure Global Supply-Chains Antwerp 24/9/2015 CORE Key Concepts Elaboration of CORE key concepts (1) The fundament: key enabling technologies 1. Visibility of end-to-end supply chains and visibility of SC

432 views • 11 slides

More recommend