![Page 1: Supply Chain Solutions for Modern Software Development](https://reader031.vdocuments.net/reader031/viewer/2022032022/55a779771a28ab4e0a8b490e/html5/thumbnails/1.jpg)
SUPPLY CHAIN SOLUTIONS FOR
Modern Development
Brian Fox @brian_fox
![Page 2: Supply Chain Solutions for Modern Software Development](https://reader031.vdocuments.net/reader031/viewer/2022032022/55a779771a28ab4e0a8b490e/html5/thumbnails/2.jpg)
INDUSTRIAL EVOLUTION
![Page 3: Supply Chain Solutions for Modern Software Development](https://reader031.vdocuments.net/reader031/viewer/2022032022/55a779771a28ab4e0a8b490e/html5/thumbnails/3.jpg)
Open source usage is
EXPLODING
Yesterday’s source code is now replaced with
OPEN SOURCE components

(Maven) Central Repository component requests per year:

| Year | Requests |
| --- | --- |
| 2007 | 500M |
| 2008 | 1B |
| 2009 | 2B |
| 2010 | 4B |
| 2011 | 6B |
| 2012 | 8B |
| 2013 | 13B |
| 2014 | 17B |

3/19/14 Source: Sonatype, Inc. analysis of (Maven) Central Repository component requests.
![Page 4: Supply Chain Solutions for Modern Software Development](https://reader031.vdocuments.net/reader031/viewer/2022032022/55a779771a28ab4e0a8b490e/html5/thumbnails/4.jpg)
HOW DEPENDENT ON 3RD PARTIES ARE WE?
1/28/2016
Typical Application:
• 10% Custom Written Code
• 90% From 3rd Parties (Open Source, Cloud Services, Closed Source)
![Page 5: Supply Chain Solutions for Modern Software Development](https://reader031.vdocuments.net/reader031/viewer/2022032022/55a779771a28ab4e0a8b490e/html5/thumbnails/5.jpg)
Components are a hidden risk
![Page 6: Supply Chain Solutions for Modern Software Development](https://reader031.vdocuments.net/reader031/viewer/2022032022/55a779771a28ab4e0a8b490e/html5/thumbnails/6.jpg)
OPEN SOURCE:
QUALITY
INNOVATION
EFFICIENCY
![Page 7: Supply Chain Solutions for Modern Software Development](https://reader031.vdocuments.net/reader031/viewer/2022032022/55a779771a28ab4e0a8b490e/html5/thumbnails/7.jpg)
NO CONTROLS.
OPEN ACCESS.
HACKER TARGETS.
![Page 8: Supply Chain Solutions for Modern Software Development](https://reader031.vdocuments.net/reader031/viewer/2022032022/55a779771a28ab4e0a8b490e/html5/thumbnails/8.jpg)
Components are a hidden risk
![Page 9: Supply Chain Solutions for Modern Software Development](https://reader031.vdocuments.net/reader031/viewer/2022032022/55a779771a28ab4e0a8b490e/html5/thumbnails/9.jpg)
Spending and risk are
OUT OF SYNC
Security spending versus attack risk, by area:
• Network Infrastructure ~$20B
• Host ~$10B
• Data Security ~$5B
• People Security ~$4B
• Component Security ~$0.4B
![Page 10: Supply Chain Solutions for Modern Software Development](https://reader031.vdocuments.net/reader031/viewer/2022032022/55a779771a28ab4e0a8b490e/html5/thumbnails/10.jpg)
#1 ATTACK VECTOR LEADING TO BREACH
![Page 11: Supply Chain Solutions for Modern Software Development](https://reader031.vdocuments.net/reader031/viewer/2022032022/55a779771a28ab4e0a8b490e/html5/thumbnails/11.jpg)
When software was first being written, finding exploitable code was like
LOOKING for a needle in a
HAYSTACK
![Page 12: Supply Chain Solutions for Modern Software Development](https://reader031.vdocuments.net/reader031/viewer/2022032022/55a779771a28ab4e0a8b490e/html5/thumbnails/12.jpg)
Now that software is
ASSEMBLED…
![Page 13: Supply Chain Solutions for Modern Software Development](https://reader031.vdocuments.net/reader031/viewer/2022032022/55a779771a28ab4e0a8b490e/html5/thumbnails/13.jpg)
One risky component, multiplied thousands of times:
ONE EASY TARGET
![Page 14: Supply Chain Solutions for Modern Software Development](https://reader031.vdocuments.net/reader031/viewer/2022032022/55a779771a28ab4e0a8b490e/html5/thumbnails/14.jpg)
Known-vulnerable components keep being downloaded after the CVE is published:

| Component | Type | CVE Date | CVSS v2 Base Score | Exploitability | Organizations that downloaded it since | Downloads since |
| --- | --- | --- | --- | --- | --- | --- |
| Bouncy Castle | Java Cryptography API | 11/10/2007 | 10.0 HIGH | 10.0 | 11,236 | 214,484 |
| HttpClient | Java HTTP implementation | 11/04/2012 | 5.8 MEDIUM | 8.6 | 29,468 | 3,749,193 |
| Apache Struts 2 | Web application framework | 07/20/2013 | 9.3 HIGH | 10 | 4,076 | 179,050 |

Source: Sonatype, Inc. analysis of (Maven) Central downloads and NIST National Vulnerability Database
![Page 15: Supply Chain Solutions for Modern Software Development](https://reader031.vdocuments.net/reader031/viewer/2022032022/55a779771a28ab4e0a8b490e/html5/thumbnails/15.jpg)
WIDESPREAD COMPROMISE
Hackers have first mover advantage
![Page 16: Supply Chain Solutions for Modern Software Development](https://reader031.vdocuments.net/reader031/viewer/2022032022/55a779771a28ab4e0a8b490e/html5/thumbnails/16.jpg)
WHY IS THIS SO HARD?
![Page 17: Supply Chain Solutions for Modern Software Development](https://reader031.vdocuments.net/reader031/viewer/2022032022/55a779771a28ab4e0a8b490e/html5/thumbnails/17.jpg)
Modern software development
HAS CHANGED
Our process
HASN’T CHANGED ENOUGH
![Page 18: Supply Chain Solutions for Modern Software Development](https://reader031.vdocuments.net/reader031/viewer/2022032022/55a779771a28ab4e0a8b490e/html5/thumbnails/18.jpg)
Diversity
• 40,000 Projects
• 200M Classes
• 400K Components
Complexity
• One component may rely on 100s of others
Volume
• Typical enterprise consumes 1,000s of components monthly
Change
• Typical component is updated 4X per year
Components are like
MOLECULES not atoms.
There are massive dependencies.
Source: Sonatype, Inc. analysis of (Maven) Central Repository.
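The "molecules, not atoms" point is that an application rarely declares the component that puts it at risk; it arrives several hops down the tree. The script below is an added example, not code from the slides or from Sonatype: it walks a constructed dependency graph (the coordinates and versions are illustrative, not claims that any real release is vulnerable) and answers the question a scan has to answer for every risky component: which applications actually ship it, through which path, and how many of them would a grep of the build files have found.

```python
from collections import deque

# Constructed example graph (not from the slides): "group:artifact:version" ->
# its direct dependencies. Versions are illustrative coordinates, not claims
# about any real release being vulnerable.
DEPENDENCY_GRAPH = {
    "com.example:web-frontend:1.0": [
        "org.apache.struts:struts2-core:2.3.15",
        "com.example:common-lib:3.1",
    ],
    "com.example:billing-service:2.4": [
        "com.example:common-lib:3.1",
        "org.apache.httpcomponents:httpclient:4.2.1",
    ],
    "com.example:reporting:0.9": ["com.example:common-lib:3.1"],
    "com.example:common-lib:3.1": [
        "org.apache.httpcomponents:httpclient:4.2.1",
        "org.bouncycastle:bcprov-jdk15:1.38",
    ],
    "org.apache.struts:struts2-core:2.3.15": ["org.apache.commons:commons-lang3:3.1"],
    "org.apache.httpcomponents:httpclient:4.2.1": [],
    "org.bouncycastle:bcprov-jdk15:1.38": [],
    "org.apache.commons:commons-lang3:3.1": [],
}


def applications(graph):
    """Roots of the graph: coordinates nothing else depends on."""
    referenced = {dep for deps in graph.values() for dep in deps}
    return [node for node in graph if node not in referenced]


def transitive_dependencies(root, graph):
    """Breadth-first walk; returns {dependency: shortest path from root}."""
    paths = {}
    queue = deque([(root, [root])])
    while queue:
        node, path = queue.popleft()
        for dep in graph.get(node, []):
            if dep in paths or dep == root:  # already reached, or a cycle back to the root
                continue
            paths[dep] = path + [dep]
            queue.append((dep, path + [dep]))
    return paths


def blast_radius(component, graph):
    """Every application that ends up shipping `component`, with the path
    that pulls it in. Most of them never declared it themselves."""
    affected = {}
    for app in applications(graph):
        paths = transitive_dependencies(app, graph)
        if component in paths:
            affected[app] = paths[component]
    return affected


def declared_directly(component, graph):
    """Applications that name `component` in their own dependency list,
    which is all a grep of the build files would find."""
    return [app for app in applications(graph) if component in graph[app]]


if __name__ == "__main__":
    target = "org.apache.httpcomponents:httpclient:4.2.1"
    print("declared directly by:", declared_directly(target, DEPENDENCY_GRAPH))
    for app, path in blast_radius(target, DEPENDENCY_GRAPH).items():
        print(app, "->", " -> ".join(path[1:]))
```

In the constructed graph only one of the three applications declares httpclient, but all three ship it through the shared common-lib, which is the multiplication effect the next slides describe. The same walk, run from a real resolved tree (for Maven, the output of `mvn dependency:tree`), is the basis of any "who is affected" query.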
![Page 19: Supply Chain Solutions for Modern Software Development](https://reader031.vdocuments.net/reader031/viewer/2022032022/55a779771a28ab4e0a8b490e/html5/thumbnails/19.jpg)
CHANGE: Typical component is updated 4X per year.
11 MILLION OSS USERS
674,863 OSS COMPONENTS
Source: Components: (Maven) Central Repository; Users: IDC
![Page 20: Supply Chain Solutions for Modern Software Development](https://reader031.vdocuments.net/reader031/viewer/2022032022/55a779771a28ab4e0a8b490e/html5/thumbnails/20.jpg)
Unlike COTS, there is no clear, effective
COMMUNICATION channel
between 674,863 OSS COMPONENTS and 11 MILLION OSS USERS:
• Has a risk been identified?
• What type of risk?
• Is a better version available?
![Page 21: Supply Chain Solutions for Modern Software Development](https://reader031.vdocuments.net/reader031/viewer/2022032022/55a779771a28ab4e0a8b490e/html5/thumbnails/21.jpg)
Use of components creates a
SOFTWARE SUPPLY CHAIN
Component Selection → Development → Build and Deploy → Production
![Page 22: Supply Chain Solutions for Modern Software Development](https://reader031.vdocuments.net/reader031/viewer/2022032022/55a779771a28ab4e0a8b490e/html5/thumbnails/22.jpg)
Component Selection → Development → Build and Deploy → Production
Today’s security
ISN’T WORKING
• 46M vulnerable components downloaded
• 71% of apps have 1+ critical or severe vulnerability
• 90% of repositories have 1+ critical vulnerability
Source: Sonatype, Inc. analysis based on Repository Healthchecks and Application Healthchecks used to determine component risk in repositories and applications.
![Page 23: Supply Chain Solutions for Modern Software Development](https://reader031.vdocuments.net/reader031/viewer/2022032022/55a779771a28ab4e0a8b490e/html5/thumbnails/23.jpg)
THE NEW LIFECYCLE
Impact on releases per year (cycle time):
• Traditional Lifecycle (Waterfall): Plan, Design, Build, Test, Deploy, Operate. Cycle time: months-years; 1-2 releases per year.
• Agile Dev: Plan ... Deploy, Learn, Operate, Learn ... Cycle time: days-weeks; 10-20 releases per year.
• Modern Lifecycle (+DevOps, Continuous *): Plan ... Operate, Learn, Operate, Learn ... Cycle time: minutes-hours; 100-200 releases per year.
![Page 24: Supply Chain Solutions for Modern Software Development](https://reader031.vdocuments.net/reader031/viewer/2022032022/55a779771a28ab4e0a8b490e/html5/thumbnails/24.jpg)
THE NEW LIFECYCLE
Governance?
• Traditional Lifecycle (Waterfall), cycle time months-years: Manual
• Agile Dev, cycle time days-weeks: Manual + Point Tools
• Modern Lifecycle (Continuous *), cycle time minutes-hours: Policy-Driven Automation (new approach)
![Page 25: Supply Chain Solutions for Modern Software Development](https://reader031.vdocuments.net/reader031/viewer/2022032022/55a779771a28ab4e0a8b490e/html5/thumbnails/25.jpg)
CYCLE TIME SQUEEZE
Legacy Governance in a Min-Hours Cycle Time:
• Work Arounds
• Batch Scans
• Rework
• Exposure
If it does not fit, it does not get done.
Go Fast OR Sleep at Night
![Page 26: Supply Chain Solutions for Modern Software Development](https://reader031.vdocuments.net/reader031/viewer/2022032022/55a779771a28ab4e0a8b490e/html5/thumbnails/26.jpg)
But, Solutions are Designed for Yesterday’s Security War…
RISK IN COMPONENTS
Component usage
has exploded
Applications are the
primary vector of attack
There is a proliferation
of flawed components
Current approaches can’t handle
the complexity
![Page 27: Supply Chain Solutions for Modern Software Development](https://reader031.vdocuments.net/reader031/viewer/2022032022/55a779771a28ab4e0a8b490e/html5/thumbnails/27.jpg)
THOUGHT LEADERS ARE TAKING ACTION
![Page 28: Supply Chain Solutions for Modern Software Development](https://reader031.vdocuments.net/reader031/viewer/2022032022/55a779771a28ab4e0a8b490e/html5/thumbnails/28.jpg)
5/28/14
We are not the first INDUSTRY to
face this CHALLENGE
![Page 29: Supply Chain Solutions for Modern Software Development](https://reader031.vdocuments.net/reader031/viewer/2022032022/55a779771a28ab4e0a8b490e/html5/thumbnails/29.jpg)
HOW NOT TO SOLVE THIS PROBLEM
![Page 30: Supply Chain Solutions for Modern Software Development](https://reader031.vdocuments.net/reader031/viewer/2022032022/55a779771a28ab4e0a8b490e/html5/thumbnails/30.jpg)
What not to do
ANTI-PATTERNS
Cut the cord!
![Page 31: Supply Chain Solutions for Modern Software Development](https://reader031.vdocuments.net/reader031/viewer/2022032022/55a779771a28ab4e0a8b490e/html5/thumbnails/31.jpg)
What not to do
ANTI-PATTERNS
Lock the doors!
![Page 32: Supply Chain Solutions for Modern Software Development](https://reader031.vdocuments.net/reader031/viewer/2022032022/55a779771a28ab4e0a8b490e/html5/thumbnails/32.jpg)
What not to do
ANTI-PATTERNS
Point fingers!
![Page 33: Supply Chain Solutions for Modern Software Development](https://reader031.vdocuments.net/reader031/viewer/2022032022/55a779771a28ab4e0a8b490e/html5/thumbnails/33.jpg)
What not to do
HOPE IS NOT A STRATEGY
There is no problem here!
![Page 34: Supply Chain Solutions for Modern Software Development](https://reader031.vdocuments.net/reader031/viewer/2022032022/55a779771a28ab4e0a8b490e/html5/thumbnails/34.jpg)
MODERN SOFTWARE PRACTICES REQUIRE A MODERN APPROACH TO GOVERNANCE
![Page 35: Supply Chain Solutions for Modern Software Development](https://reader031.vdocuments.net/reader031/viewer/2022032022/55a779771a28ab4e0a8b490e/html5/thumbnails/35.jpg)
FAST SO IT CAN BE
CONTINUOUS
![Page 36: Supply Chain Solutions for Modern Software Development](https://reader031.vdocuments.net/reader031/viewer/2022032022/55a779771a28ab4e0a8b490e/html5/thumbnails/36.jpg)
AUTOMATE
1. Humans define policy
2. Machines automate the implementation of policy
3. Humans manage exceptions
![Page 37: Supply Chain Solutions for Modern Software Development](https://reader031.vdocuments.net/reader031/viewer/2022032022/55a779771a28ab4e0a8b490e/html5/thumbnails/37.jpg)
CYCLE TIME SYNERGY
Continuous Governance in a Min-Hours Cycle Time:
• No Interruption
• Entire Lifecycle
• Solve Early
• Avoid Rework
Continuous Governance for Continuous Delivery
Go Fast AND Sleep at Night
![Page 38: Supply Chain Solutions for Modern Software Development](https://reader031.vdocuments.net/reader031/viewer/2022032022/55a779771a28ab4e0a8b490e/html5/thumbnails/38.jpg)
PRECISE
![Page 39: Supply Chain Solutions for Modern Software Development](https://reader031.vdocuments.net/reader031/viewer/2022032022/55a779771a28ab4e0a8b490e/html5/thumbnails/39.jpg)
BE SPECIFIC
No Noise!
• There is a world of difference between saying "Struts is approved" and saying "Struts 2.3.16.1 is good, and Struts 2.3.15.0 or ANY OLDER VERSION will get your system owned."
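The AUTOMATE slide (humans define policy, machines apply it, humans manage exceptions) and the version boundary in the Struts example above describe one mechanism. The script below is an added example, not code from the slides or from Sonatype, and its policy format, rule ids, waiver fields and bill of materials are all constructed for illustration; the only boundary taken from the deck is "below 2.3.16.1 is bad" for Struts. It shows why a name-only rule ("Struts is approved") is useless, why version comparison has to be numeric rather than lexical, and how a time-limited waiver lets a human exception flow through the automated gate without silently becoming permanent.

```python
from datetime import date

SEVERITY_RANK = {"low": 1, "medium": 2, "high": 3, "critical": 4}


def version_key(version):
    """Ordering key for dotted versions: numeric parts compare as integers, so
    2.3.9 < 2.3.16.1 (a plain string compare gets that backwards). Simplified:
    qualifiers such as -SNAPSHOT are kept as strings and sort after the bare
    release, which is not full Maven ComparableVersion semantics."""
    key = []
    for part in version.replace("-", ".").split("."):
        key.append((0, int(part)) if part.isdigit() else (1, part.lower()))
    return tuple(key)


# Step 1: humans write the rules. Constructed example rules, not a real
# advisory feed; the Struts boundary is the one the slide names.
POLICY = [
    {"id": "struts2-core-below-2.3.16.1", "component": "org.apache.struts:struts2-core",
     "vulnerable_below": "2.3.16.1", "severity": "critical"},
    {"id": "example-lib-1.2-to-1.4.3", "component": "com.example:example-lib",
     "vulnerable_from": "1.2.0", "vulnerable_below": "1.4.3", "severity": "high"},
]

# Step 3: humans manage exceptions, each tied to one exact coordinate and one
# rule, with a reason and an expiry so it cannot quietly become permanent.
WAIVERS = [
    {"component": "com.example:example-lib:1.3.0", "rule": "example-lib-1.2-to-1.4.3",
     "expires": "2016-02-15", "reason": "vulnerable code path not reachable; upgrade scheduled"},
]

# Constructed bill of materials for one application (assumed, not from the deck).
BOM = [
    "org.apache.struts:struts2-core:2.3.15.0",
    "com.example:example-lib:1.3.0",
    "com.example:other-lib:2.0.0",
]


def rule_matches(rule, group_artifact, version):
    """True when `version` of `group_artifact` falls in the rule's vulnerable range."""
    if rule["component"] != group_artifact:
        return False
    v = version_key(version)
    if "vulnerable_from" in rule and v < version_key(rule["vulnerable_from"]):
        return False
    return v < version_key(rule["vulnerable_below"])


def coarse_verdict(coordinate, approved_artifacts):
    """The 'Struts is approved' style of policy: matches on the name only."""
    _group, artifact, _version = coordinate.split(":")
    return "pass" if artifact in approved_artifacts else "fail"


def evaluate(bom, policy, waivers, today_iso):
    """Step 2: the machine applies the policy to every component and returns
    (pass | fail | waived, rule id) per coordinate."""
    today = date.fromisoformat(today_iso)
    results = {}
    for coordinate in bom:
        group, artifact, version = coordinate.split(":")
        hits = [r for r in policy if rule_matches(r, f"{group}:{artifact}", version)]
        if not hits:
            results[coordinate] = ("pass", None)
            continue
        rule = max(hits, key=lambda r: SEVERITY_RANK[r["severity"]])
        waived = any(
            w["component"] == coordinate and w["rule"] == rule["id"]
            and date.fromisoformat(w["expires"]) >= today
            for w in waivers
        )
        results[coordinate] = ("waived" if waived else "fail", rule["id"])
    return results


def build_should_fail(results):
    """Gate for the build pipeline: any unwaived failure blocks the build."""
    return any(verdict == "fail" for verdict, _rule in results.values())


if __name__ == "__main__":
    print("name-only policy says:", coarse_verdict(BOM[0], {"struts2-core"}))
    for coord, outcome in evaluate(BOM, POLICY, WAIVERS, "2016-01-28").items():
        print(coord, outcome)
```

Run on the constructed BOM, the name-only policy passes Struts 2.3.15.0 while the precise rule fails it; the example-lib waiver holds on 2016-01-28 and lapses on 2016-03-01, turning that component back into a failure without anyone editing the policy.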
![Page 40: Supply Chain Solutions for Modern Software Development](https://reader031.vdocuments.net/reader031/viewer/2022032022/55a779771a28ab4e0a8b490e/html5/thumbnails/40.jpg)
Dev Teams Shouldn’t Deal with Noise
Scan found 50,313 “issues”
Real issue count: 204
![Page 41: Supply Chain Solutions for Modern Software Development](https://reader031.vdocuments.net/reader031/viewer/2022032022/55a779771a28ab4e0a8b490e/html5/thumbnails/41.jpg)
CONTEXTUAL
![Page 42: Supply Chain Solutions for Modern Software Development](https://reader031.vdocuments.net/reader031/viewer/2022032022/55a779771a28ab4e0a8b490e/html5/thumbnails/42.jpg)
WHY CONTEXT MATTERS
• A SQL injection vulnerability in a component is not reachable from an application that has no database.
• Copyleft may not be a problem for internal applications or services that are never distributed.
• I need information that applies to my application.
![Page 43: Supply Chain Solutions for Modern Software Development](https://reader031.vdocuments.net/reader031/viewer/2022032022/55a779771a28ab4e0a8b490e/html5/thumbnails/43.jpg)
CONTEXTUAL
Consume information and apply policy in the context of your
applications, organizations and enterprise via hierarchical policy
and reporting
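The two CONTEXTUAL slides describe policy that is both hierarchical (enterprise, organization, application) and context-dependent (the same finding matters in one application and not another). The script below is an added example, not the slides' product or its policy format: the rule ids, context tags, organizations, applications and findings are all constructed. Enterprise rules carry an `applies_if` condition on the application's context, an organization can override a rule by id, and the per-organization roll-up is the reporting side of the hierarchy.

```python
# Constructed example of hierarchical, context-aware policy (not from the
# slides): enterprise rules apply everywhere, an organization may override a
# rule by id, and each application declares the context rules are checked
# against. Rule ids, categories and context tags are assumed names.

ENTERPRISE_POLICY = {
    "license-copyleft": {
        "category": "license:copyleft",
        "action": "fail",
        "applies_if": {"exposure": "external"},   # distribution is what triggers copyleft terms
    },
    "sec-sql-injection": {
        "category": "security:sql-injection",
        "action": "fail",
        "applies_if": {"uses_database": True},    # no database, no reachable SQL sink
    },
    "sec-critical": {
        "category": "security:critical",
        "action": "fail",                          # no condition: applies in every context
    },
}

# Organization-level overrides keyed by rule id. Payments ships code to
# partners, so copyleft fails there whatever the application's exposure tag says.
ORG_POLICIES = {
    "payments": {
        "license-copyleft": {"category": "license:copyleft", "action": "fail"},
    },
    "internal-tools": {},
}

# Application context, declared by the team that owns the application.
APPLICATIONS = {
    "intranet-wiki": {"org": "internal-tools", "exposure": "internal", "uses_database": False},
    "public-portal": {"org": "payments", "exposure": "external", "uses_database": True},
    "batch-settlement": {"org": "payments", "exposure": "internal", "uses_database": True},
}

# Constructed scanner findings per application: (finding id, category).
FINDINGS = {
    "intranet-wiki": [("F1", "license:copyleft"), ("F2", "security:sql-injection"), ("F3", "security:critical")],
    "public-portal": [("F4", "license:copyleft"), ("F5", "security:sql-injection")],
    "batch-settlement": [("F6", "license:copyleft"), ("F7", "security:sql-injection")],
}


def effective_policy(org):
    """Enterprise rules with the organization's overrides applied by rule id."""
    merged = dict(ENTERPRISE_POLICY)
    merged.update(ORG_POLICIES.get(org, {}))
    return merged


def rule_applies(rule, context):
    """A rule with no applies_if always applies; otherwise every tag must match."""
    return all(context.get(key) == value for key, value in rule.get("applies_if", {}).items())


def evaluate_app(app_name):
    """Map each finding to (fail | not-applicable | no-rule, rule id)."""
    context = APPLICATIONS[app_name]
    policy = effective_policy(context["org"])
    results = {}
    for finding_id, category in FINDINGS[app_name]:
        matching = [(rid, r) for rid, r in policy.items() if r["category"] == category]
        if not matching:
            results[finding_id] = ("no-rule", None)
            continue
        rule_id, rule = matching[0]
        if rule_applies(rule, context):
            results[finding_id] = (rule["action"], rule_id)
        else:
            results[finding_id] = ("not-applicable", rule_id)
    return results


def report_by_org():
    """Hierarchical reporting: failing findings rolled up per organization."""
    totals = {}
    for app_name, context in APPLICATIONS.items():
        fails = sum(1 for action, _ in evaluate_app(app_name).values() if action == "fail")
        totals[context["org"]] = totals.get(context["org"], 0) + fails
    return totals


if __name__ == "__main__":
    for app_name in APPLICATIONS:
        print(app_name, evaluate_app(app_name))
    print(report_by_org())
```

For the intranet wiki (internal, no database) the copyleft and SQL injection findings come back as not applicable and only the critical one fails, which is the noise reduction the slides ask for; in the payments organization the override makes copyleft fail even for the internal batch job.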
![Page 44: Supply Chain Solutions for Modern Software Development](https://reader031.vdocuments.net/reader031/viewer/2022032022/55a779771a28ab4e0a8b490e/html5/thumbnails/44.jpg)
ACTIONABLE
![Page 45: Supply Chain Solutions for Modern Software Development](https://reader031.vdocuments.net/reader031/viewer/2022032022/55a779771a28ab4e0a8b490e/html5/thumbnails/45.jpg)
POLICIES ENSURE DEVELOPERS START WITH RIGHT COMPONENTS
“I can quickly pick the best component from the start, eliminating downstream rework.” (Lead Developer)
Analyze all components from within your IDE
License, Security and Architecture data for each component, evaluated against your policy
![Page 46: Supply Chain Solutions for Modern Software Development](https://reader031.vdocuments.net/reader031/viewer/2022032022/55a779771a28ab4e0a8b490e/html5/thumbnails/46.jpg)
PROVIDE A SOLUTION
• Now that you've told me about a problem, tell me what I can do to fix it.
• Suggest alternatives.
• Even if I don't completely understand the risk,
if you show me an easy fix, I will take it.
![Page 47: Supply Chain Solutions for Modern Software Development](https://reader031.vdocuments.net/reader031/viewer/2022032022/55a779771a28ab4e0a8b490e/html5/thumbnails/47.jpg)
EASY TO CONSUME
Provide stakeholders actionable, easy to consume
information to remediate problems
![Page 48: Supply Chain Solutions for Modern Software Development](https://reader031.vdocuments.net/reader031/viewer/2022032022/55a779771a28ab4e0a8b490e/html5/thumbnails/48.jpg)
ACROSS THE LIFECYCLE
![Page 49: Supply Chain Solutions for Modern Software Development](https://reader031.vdocuments.net/reader031/viewer/2022032022/55a779771a28ab4e0a8b490e/html5/thumbnails/49.jpg)
If you’re not using secure
COMPONENTS you’re not building secure
APPLICATIONS
Component Selection → Development → Build and Deploy → Production
![Page 50: Supply Chain Solutions for Modern Software Development](https://reader031.vdocuments.net/reader031/viewer/2022032022/55a779771a28ab4e0a8b490e/html5/thumbnails/50.jpg)
Applications don’t age,
THEY ROT LIKE MILK
![Page 51: Supply Chain Solutions for Modern Software Development](https://reader031.vdocuments.net/reader031/viewer/2022032022/55a779771a28ab4e0a8b490e/html5/thumbnails/51.jpg)
We make it EASY to create
TRUSTED APPLICATIONS and keep them that way
OVER TIME