2015 | Continuous Acceleration: Why Continuous Everything Needs A Supply Chain Approach | DevOpsDays Austin 2015 | @joshcorman

Josh Corman (@joshcorman). 55 slides, uploaded by joshcorman, posted 07-Aug-2015.

TRANSCRIPT

Page 1: 2015 | Continuous Acceleration: Why Continuous Everything Needs A Supply Chain Approach | DevOpsDays Austin 2015 | @joshcorman

Continuous Acceleration: Why Continuous Everything Needs A Supply Chain Approach

Josh Corman, @joshcorman

Page 2

Conclusions / Apply!

Idea: A full embrace of Deming is a SW Supply Chain: Fewer/Better Suppliers; Highest Quality Supply; Traceability/Visibility throughout Manufacturing; Prompt & Agile Recall

Benefits: Such rigor enables: Even FASTER (fewer instances of unplanned/unscheduled work); More EFFICIENT (faster MTTD/MTTR); Better QUALITY/RISK (avoid elective/avoidable complexity/risk)

Urgency: It’s Open Season on Open Source, and our dependence on connected tech is increasingly a public safety issue

Coming Actions: “Known Vulnerabilities” Convergence: lawmakers, insurers, lawyers, etc. are converging

Page 3

YOU CAN HAVE TOO MUCH OF A GOOD THING…

Page 4

Who am I? Joshua Corman, @joshcorman, CTO, Sonatype


Page 9

#RSAC

Gene Kim, Joshua Corman

Rugged DevOps: Going Even Faster With Software Supply Chains

Joshua Corman, CTO, Sonatype, @joshcorman
Gene Kim, Researcher and Author, IT Revolution Press, @RealGeneKim

Page 10

~ Marc Andreessen, 2011


Page 12

Trade Offs: Costs & Benefits

Page 13

Beyond Heartbleed: OpenSSL in 2014 (31 in NIST’s NVD through December)

CVE-2014-3470   6/5/2014    CVSS Severity: 4.3 MEDIUM   Siemens *
CVE-2014-0224   6/5/2014    CVSS Severity: 6.8 MEDIUM   Siemens *
CVE-2014-0221   6/5/2014    CVSS Severity: 4.3 MEDIUM
CVE-2014-0195   6/5/2014    CVSS Severity: 6.8 MEDIUM
CVE-2014-0198   5/6/2014    CVSS Severity: 4.3 MEDIUM   Siemens *
CVE-2013-7373   4/29/2014   CVSS Severity: 7.5 HIGH
CVE-2014-2734   4/24/2014   CVSS Severity: 5.8 MEDIUM   ** DISPUTED **
CVE-2014-0139   4/15/2014   CVSS Severity: 5.8 MEDIUM
CVE-2010-5298   4/14/2014   CVSS Severity: 4.0 MEDIUM
CVE-2014-0160   4/7/2014    CVSS Severity: 5.0 MEDIUM   Heartbleed
CVE-2014-0076   3/25/2014   CVSS Severity: 4.3 MEDIUM
CVE-2014-0016   3/24/2014   CVSS Severity: 4.3 MEDIUM
CVE-2014-0017   3/14/2014   CVSS Severity: 1.9 LOW
CVE-2014-2234   3/5/2014    CVSS Severity: 6.4 MEDIUM
CVE-2013-7295   1/17/2014   CVSS Severity: 4.0 MEDIUM
CVE-2013-4353   1/8/2014    CVSS Severity: 4.3 MEDIUM
CVE-2013-6450   1/1/2014    CVSS Severity: 5.8 MEDIUM

As of today, internet scans by Masscan reveal 300,000 of the original 600,000 remain unpatched or unpatchable

Page 14

Heartbleed + (Unpatchable) Internet of Things == ___ ?

In Our Bodies. In Our Homes. In Our Infrastructure. In Our Cars.

Page 15

Sarcasm: I’m shocked!


Page 19

I Am The Cavalry

The Cavalry isn’t coming… It falls to us

Problem Statement: Our society is adopting connected technology faster than we are able to secure it.

Mission Statement: To ensure connected technologies with the potential to impact public safety and human life are worthy of our trust.

Collecting existing research, researchers, and resources
Connecting researchers with each other, industry, media, policy, and legal
Collaborating across a broad range of backgrounds, interests, and skillsets
Catalyzing positive action sooner than it would have happened on its own

Why: Trust, public safety, human life
How: Education, outreach, research
Who: Infosec research community; a global, grass-roots initiative
What: Long-term vision for cyber safety

Medical. Automotive. Connected Home. Public Infrastructure.

Page 20

Innovate!

[Chart: productivity (Y axis) over time (X axis)]


Page 24

ON TIME. ON BUDGET. ACCEPTABLE QUALITY/RISK.


Page 26

Agile goats; not goat rodeo. “We need to be agile, but not fragile.” @RuggedSoftware @joshcorman @mortman #RSAC #DevOps

Page 27

Agile / CI

ON TIME. Faster builds. Fewer interruptions. More innovation.

ON BUDGET. More efficient. More profitable. More competitive.

ACCEPTABLE QUALITY/RISK. Easier compliance. Higher quality. Built-in audit protection.

Page 28

DevOps

It may feel like DevOps is Pandora’s Box, but it’s open… and hope remains. ;) @joshcorman @mortman #RSAC #DevOps

Page 29

Agile / CI
DevOps / CD

ON TIME. ON BUDGET. ACCEPTABLE QUALITY/RISK. (the same three benefit lines as on page 27)

Page 30

SW Supply Chains

Page 31

Agile / CI
DevOps / CD
SW Supply Chain

ON TIME. ON BUDGET. ACCEPTABLE QUALITY/RISK. (the same three benefit lines as on page 27)

Page 32

Toyota Advantage: Comparing the Prius and the Volt

                       Toyota Advantage   Toyota Prius   Chevy Volt
Unit Cost              61%                $24,200        $39,900
Units Sold             13x                23,294         1,788
In-House Production    50%                27%            54%
Plant Suppliers        16% (10x per)      125            800
Firm-Wide Suppliers    4%                 224            5,500

Page 33

Open source usage is EXPLODING

Yesterday’s source code is now replaced with OPEN SOURCE components

[Chart: (Maven) Central Repository component requests per year, 2007 to 2014, growing from 500M to 17B. Source: Sonatype, Inc. analysis of (Maven) Central Repository component requests.]

Page 34

Now that software is ASSEMBLED… Our shared value becomes our shared attack surface

THINK LIKE AN ATTACKER

Page 35

One risky component, now affects thousands of victims

ONE EASY TARGET

THINK LIKE AN ATTACKER

Page 36

STRUTS

Global Bank. Software Provider. Software Provider’s Customer. State University. Three-Letter Agency. Large Financial Exchange. Hundreds of Other Sites.

Page 37

w/ many eyeballs, all bugs are??? Struts

[Chart: Struts CVEs plotted by year (2005 to 2014) against CVSS score (0 to 10)]

CVSS Latent 7-11 yrs

Page 38

BOUNCY CASTLE

In 2013, 4,000 organizations downloaded a version of Bouncy Castle with a level 10 vulnerability 20,000 TIMES… into XXX,XXX applications… SEVEN YEARS after the vulnerability was fixed

NATIONAL CYBER AWARENESS SYSTEM. Original Notification Date: 03/30/2009. CVE-2007-6721, Bouncy Castle Java Cryptography API. CVSS v2 Base Score: 10.0 HIGH. Impact Subscore: 10.0. Exploitability Subscore: 10.0.

Page 39

HTTPCLIENT 3.X

In December 2013, 6,916 DIFFERENT organizations downloaded a version of httpclient with broken SSL validation (CVE-2012-5783) 66,824 TIMES… more than ONE YEAR AFTER THE ALERT

NATIONAL CYBER AWARENESS SYSTEM. Original Release Date: 11/04/2012. CVE-2012-5783, Apache Commons HttpClient 3.x. CVSS v2 Base Score: 5.8 MEDIUM. Impact Subscore: 4.9. Exploitability Subscore: 8.6.

Page 40

Current approaches AREN’T WORKING: TAKE COSTS OUT OF YOUR SUPPLY CHAIN

Pipeline stages: COMPONENT SELECTION, DEVELOPMENT, BUILD AND DEPLOY, PRODUCTION

228K unique components downloaded per company
75% lack meaningful controls over components in apps
X: average number of suppliers per company
48 different versions of the same component downloaded

Page 41

COMMERCIAL RESPONSES TO OPENSSL

[Chart. X axis: Time (days) following initial Heartbleed disclosure and patch availability. Y axis: Number of products included in the vendor vulnerability disclosure. Z axis (circle size): Exposure as measured by the CVE CVSS score.]

Page 42

https://www.usenix.org/system/files/login/articles/15_geer_0.pdf

For the 41%: 390 days. CVSS 10s: 224 days.

Page 43

TRUE COSTS (& LEAST COST AVOIDERS)

[Chart: ACME across the sectors Enterprise, Bank, Retail, Manufacturing, BioPharma, Education and High Tech, with the cost ($) borne in each]


Page 45

H.R. 5793 “Cyber Supply Chain Management and Transparency Act of 2014”

Elegant Procurement Trio

1) Ingredients: Anything sold to $PROCURING_ENTITY must provide a Bill of Materials of 3rd Party and Open Source Components (along with their Versions)

2) Hygiene & Avoidable Risk: …and cannot use known vulnerable components for which a less vulnerable component is available (without a written and compelling justification accepted by $PROCURING_ENTITY)

3) Remediation: …and must be patchable/updateable, as new vulnerabilities will inevitably be revealed
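The three procurement rules above, applied by a small Python check to a bill of materials; this is an added example written for this page, not code from the talk, from H.R. 5793 or from Sonatype. The advisory feed is constructed: the CVE ids and CVSS scores are the ones shown on the slides (Bouncy Castle CVE-2007-6721, HttpClient 3.x CVE-2012-5783), but the version numbers are placeholders, not the real affected ranges.

```python
"""Apply the procurement trio from the slide to a bill of materials (BOM):
rule 1, every component is listed with a version; rule 2, no known-vulnerable
component when a less vulnerable release exists, absent a written
justification; rule 3, every component can be patched/updated after shipping."""
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Component:
    name: str
    version: str
    updateable: bool = True  # can a fix actually reach this component in the field?

@dataclass(frozen=True)
class Advisory:
    cve: str
    component: str
    last_affected: str            # highest affected version (constructed placeholder)
    fixed_version: Optional[str]  # None: no less vulnerable release exists yet
    cvss: float

def version_key(version):
    """Numeric comparison of dotted versions ('4.10' sorts after '4.2')."""
    return tuple(int(part) for part in version.split("."))

# Constructed advisory feed. CVE ids and CVSS scores are the ones on the slides;
# the version numbers are placeholders, NOT the real affected ranges.
ADVISORIES = (
    Advisory("CVE-2007-6721", "bouncycastle", "1.37", "1.38", 10.0),
    Advisory("CVE-2012-5783", "commons-httpclient", "3.1", "4.2.3", 5.8),
)

def check_bom(bom, advisories=ADVISORIES, justified=frozenset()):
    """Return ('PASS' or 'FAIL', findings). `justified` holds the CVE ids for
    which $PROCURING_ENTITY has accepted a written justification (rule 2)."""
    bom = list(bom)
    if not bom:
        return "FAIL", ["FAIL rule 1: no bill of materials supplied"]
    findings = []
    for c in bom:
        if not c.version:
            findings.append(f"FAIL rule 1: {c.name} listed without a version")
            continue
        for a in advisories:
            if a.component != c.name or version_key(c.version) > version_key(a.last_affected):
                continue  # other component, or a release beyond the affected range
            if a.fixed_version is None:
                findings.append(f"WARN {c.name} {c.version}: {a.cve} known, no fixed release yet")
            elif a.cve in justified:
                findings.append(f"ACCEPT {c.name} {c.version}: {a.cve} has a written justification")
            else:
                findings.append(f"FAIL rule 2: {c.name} {c.version} has {a.cve} "
                                f"(CVSS {a.cvss}); {a.fixed_version} is available")
        if not c.updateable:
            findings.append(f"FAIL rule 3: {c.name} cannot be patched/updated once shipped")
    verdict = "FAIL" if any(f.startswith("FAIL") for f in findings) else "PASS"
    return verdict, findings
```

A BOM containing the 2013-era Bouncy Castle download from the slide fails rule 2 until it moves past the fixed release, and an unpatchable build of the same component fails rule 3 even after a written justification covers the CVE.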

Page 46


PROCUREMENT TRIO + BOUNCY CASTLE

Page 47

SW Supply Chain Intelligence Goes Here

Page 48

ACCORDING TO ADOBE

Page 49

ACCORDING TO IBM

Page 50

ACCORDING TO DOCKER

Page 51

Current approaches AREN’T WORKING

Pipeline stages: COMPONENT SELECTION, DEVELOPMENT, BUILD AND DEPLOY, PRODUCTION

75% lack meaningful controls over components in apps
27 different versions of the same component downloaded
95% inefficient sourcing: components are not downloaded to caching repositories
63% don’t track components used in production
24 critical or severe vulnerabilities per app
4 strong copyleft licensed components per app, on average

Page 52

Pipeline stages: COMPONENT SELECTION, DEVELOPMENT, BUILD AND DEPLOY, PRODUCTION

PUBLIC REPOSITORIES
NEXUS LIFECYCLE

PRECISELY IDENTIFY COMPONENTS & RISKS
REMEDIATE EARLY IN DEVELOPMENT
AUTOMATE POLICY ACROSS THE SDLC
MANAGE RISK WITH CONSOLIDATED DASHBOARD
CONTINUOUSLY MONITOR APPS FOR NEW RISKS

Page 53

Full day of videos. Assessments available.

http://www.sonatype.org/nexus/

Page 54

Conclusions / Apply! (the same conclusions slide as page 2)


Page 55

Continuous Acceleration: Why Continuous Everything Needs A Supply Chain Approach. Josh Corman, @joshcorman