webcast: building a business case for building security in

Post on 14-Feb-2017


TRANSCRIPT

Steve Green

The business case for building quality in.

WEBCAST

LiftOff Workshop: Discovery, Readiness, Maturity, Toolchain Review, Value Stream Mapping, Mastery/Training, The Phoenix Project Game, Transformation, Ideation to Realisation

DevOps Service Offerings

• Cultural and organisational change
• Interaction and process streamlining
• Automation and tools implementation

Customers: Technology, Finance and Insurance, Retail and Manufacturing. And!

The Business Case for Building Security In

Nick Coombs, Sonatype

A Sea Change in Application Development

[Chart: modern applications are 90% assembled from components; the remainder is written]

Modern Software Development

SUPPLIERS: Open Source Projects
• 3.7 million open source developers
• Over 1.3M component versions contributed
• 105,000 open source projects

WAREHOUSES: Component Repositories
• 31 billion download requests last year
• 90,000 private component repositories in use

MANUFACTURERS: Software Dev Teams
• 11 million developers
• 160,000 organizations
• 7,600 external suppliers used in an average development organization

FINISHED GOODS: Software Applications
• 80 - 90% component-based
• 106 components per application

The Modern Software Supply Chain

• Once uploaded, always available
• 3-4 yearly updates, no way to inform development teams
• Mean-time-to-repair a security vulnerability: 390 days

• 6.2% of requests have known security vulnerabilities
• 34% of downloads have restrictive licenses
• 95% rely on inefficient component distribution (or “sourcing”) practices

• 27 versions of the same component downloaded
• 43% don’t have open source policies
• 75% of those with policies don’t enforce them
• 31% suspect a related breach

• 24 known security vulnerabilities per application, critical or severe
• 9 restrictive licenses per application, critical or severe
• 60% don’t have a complete software Bill of Materials

Bouncy Castle (Java Cryptography API)
• CVE date: 11/10/2007
• CVSS v2 base score: 10.0 HIGH; exploitability: 10.0
• Since then, 11,236 organizations downloaded it 214,484 times

HttpClient (Java HTTP implementation)
• CVE date: 11/04/2012
• CVSS v2 base score: 5.8 MEDIUM; exploitability: 8.6
• Since then, 29,468 organizations downloaded it 3,749,193 times

Apache Struts 2 (web application framework)
• CVE date: 07/20/2013
• CVSS v2 base score: 9.3 HIGH; exploitability: 10
• Since then, 4,076 organizations downloaded it 179,050 times

Intelligence Matters (components in an Application)

Components older than 2 years:
• Account for 62% of all components
• Account for 77% of the security risk
• Are likely inactive

Application vulnerability density is 6.8%

What if manufacturers built cars the way we build software: without supply chain visibility, process and automation …

• Any part can be chosen, even if it is outdated or known to be unsafe.
• Since parts aren’t tracked, it’s challenging to issue a recall.
• There is no quality control or consistency from car to car.
• There is no inventory of the parts that were used, or where.
• Manufacturers could choose any supplier they want for any given part, regardless of quality.

Time for a FRESH APPROACH? Sonatype Nexus Lifecycle

• Precisely identify component and risks

• Remediate early in development

• Automate policy across the SDLC

• Manage risk with consolidated dashboard

• Continuously monitor applications for new risks

Use Case - Shift Left, Integrate with SDLC

[Diagram labels: Developers; SCM (Create Code); CI - Build (‘Intellisense’ policy); Components; Production; Nexus Firewall; Sonatype policy: License, Security, Architecture rules; Nexus IQ Server; Continuous Assessment; Sonatype Research; REST API, JIRA, SonarQube; Policy Evaluation (License, Security, Architecture); KPIs, Reporting, Trending; Managers, Production Support, Legal, IT Risk, Cyber; Nexus Repository holding Third Party & OSS Components]

The Business Case for Building Security In

• Shift Left -> 30x lower cost to fix in development
• Manual processes don’t work -> one hour per component
• Increase developer efficiency -> 8% to 30% time saving per day

• Faster releases
• Less unplanned work
• Fewer break-fixes
• Easier maintenance
• And better quality software!

• One day’s consultancy to help build the business case
• Free assessment on up to 3 applications
• Report

Free Scan & Consultancy

Be DevOpstastic
