DevSecOps – Security at the speed of...


Transcript of DevSecOps – Security at the speed of...

Page 1: DevSecOps – Security at the speed of Developmenttechworld.event.idg.se/wp-content/uploads/sites/15/... · Source: Security is Dead. Long Live Rugged DevOps: IT at Ludicrous Speed

DevSecOps – Security at the speed of Development Ryan Sheldrake – Solutions Architect EMEA [email protected]

Page 2: DevSecOps – Security at the speed of Developmenttechworld.event.idg.se/wp-content/uploads/sites/15/... · Source: Security is Dead. Long Live Rugged DevOps: IT at Ludicrous Speed

Why am I here?

• Understand why we have open source vulnerabilities in our software

• Empower Developers – fix early!

• Effectively manage open source vulnerabilities and licenses throughout the delivery pipeline

Page 3:

“You cannot inspect quality into a product.” W. Edwards Deming, Out of the Crisis, 1982

Page 4:

Thou shalt not pass

Page 5:

10/23/2013 @joshcorman ~ Marc Andreessen 2011

XXXXXXX

HAS ALREADY CONSUMED

Page 6:

Heartbleed / Struts + (UnPatchable) Internet of Things == ___ ?

In Our Bodies In Our Homes

In Our Infrastructure In Our Cars

Source: Security is Dead. Long Live Rugged DevOps: IT at Ludicrous Speed - Josh Corman, Gene Kim

Page 7:

HACKERS! HACKERS

EVERYWHERE!

Page 8:

100:1 developers outnumber application security

Page 9:

Incentives incentivise

ON TIME ON BUDGET ACCEPTABLE QUALITY/RISK

Page 10:

Page 11:

Modern applications are mostly assembled

Page 12:

The Perspective of Maven Central

Page 13:

DOWNLOAD RECORDS FOR

[Chart: rolling 365-day downloads, Jul-2014 to Jul-2016; y-axis from 10,000,000,000 to 50,000,000,000]

Page 14:

DOWNLOAD RECORDS FOR PyPI

Page 15:

WHY is it so difficult to manage Open Source effectively?

Page 16:

Things get complex… FAST!

Page 17:

Now…a real application

Page 18:

Transitive dependencies – Maven Central 2015

Millions of components with complex interdependencies

Page 19:

8 years later, vulnerable versions of Bouncy Castle were downloaded… 5.7M times

CVE-2007-6721 CVSS Base Score: 10.0 HIGH Impact Subscore: 10.0 Exploitability Subscore: 10.0

[Timeline: Bouncy Castle, 2007 to 2015]

Page 20:

NEWER COMPONENTS MAKE BETTER SOFTWARE

Analysis of components in 25,000 applications scans

COMPONENTS BY YEAR

[Chart: defect density (5% to 25%) by component age in years (1 to 11)]

3X HIGHER DEFECT DENSITY

Page 21:

OLDER COMPONENTS DIE OFF Analysis of components in 25,000 applications scans

INACTIVE PROJECTS (% on latest version)

[Chart: inactive projects (5% to 25%) by component age in years (1 to 11)]

Page 22:

TRACK AND TRACE Does your organization maintain an inventory of open source components used in production applications? (e.g., a software bill of materials)

Page 23:

1-in-5 had or suspected a breach related to an open source component in the past 12 months.

Page 24:

COMMONS COLLECTIONS CWE-502

23,476,966 total downloads in 2016

18,330,958 (78%) of those downloads were vulnerable

Page 25:

STRUTS2 CVE-2017-5638

279,796 total downloads in 2016

2,731 organizations downloaded the vulnerable versions.

Image Source: Canadian Revenue Agency, Wikipedia

Page 26:

DEFECT RATIO FOR JAVASCRIPT

Source: Thou Shalt Not Depend on Me: Analyzing the Use of Outdated JavaScript Libraries on the Web, © 2017 NDSS, Northeastern University

• 87% of handlebars inclusions were known vulnerable

• 37% of jQuery inclusions were known vulnerable

• 40% of Angular inclusions were known vulnerable

• 37% of websites include at least one library with a known vulnerability

Page 27:

“Improvement of the process includes better allocation of the human effort.” W. Edwards Deming, Out of the Crisis, 1982

Page 28:

[Diagram – Traditional Approach: pipeline stages Dev, Build, QA, UAT, Prod, with Developers, Source Control, Public Component Repositories and Deploy Repository]

Up-front manual checks: days-weeks

Near-production pen test & scan/scold: weeks-months

Traditional Approach

Page 29:

So. In summary

• Unit testing has become TDD (Test Driven Development)

• Usability testing has become BDD (Behaviour Driven Development)

• Integration testing has become MDD (Model Driven Development)

• Q.E.D. A large part of security needs to become SSD (Security Supported Development)

Page 30:

Fix early and fast…SAVE MONEY

Page 31:

[Diagram: pipeline stages Dev, CI, CD, Build, QA, UAT, Prod, with Developers, Source Control, Public Component Repositories and Deploy Repository; IQ Server shown alongside the pipeline]

Multiple Integration Points throughout the Pipeline

Page 32:

ZTTR (Zero Time to Remediation)

EMPOWER DEVELOPERS FROM THE START

@weekstweets

Page 33:

Make access to precise, quality information easy

Page 34:

**** COMMERCIAL DISCLAIMER – OTHER TOOLS EXIST

Synchronous testing occurs at every build

Page 35:

Keep a list of what you use
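The two slides above ("Transitive dependencies" and "Keep a list of what you use") describe the check a build should run: expand the declared dependencies into the full transitive inventory, then compare every component against a vulnerability feed. The following is an added example, not code from the deck or from any product it names; the component coordinates, the transitive graph, the version ranges and the DEMO-* advisory ids are all constructed for the demo, standing in for a real resolver's output and a real advisory feed.

```python
"""
Added example (not from the slide deck): a build-time gate over a dependency
inventory. A constructed manifest of Maven-style coordinates is expanded
through a constructed transitive-dependency graph to produce the complete
component list (the inventory / software bill of materials), which is then
checked against a constructed advisory table. Every coordinate, version and
advisory id here is made up; in a real pipeline the inventory would come
from the resolver (e.g. the build tool's dependency tree) and the advisory
table from a vulnerability feed.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Constructed: direct dependencies declared by the application.
DIRECT_DEPS: List[Tuple[str, str]] = [
    ("org.example:web-framework", "2.3.1"),
    ("org.example:json-mapper", "1.9.0"),
]

# Constructed: what each component pulls in transitively.
# Key is "group:artifact@version"; value is the list of its own dependencies.
TRANSITIVE: Dict[str, List[Tuple[str, str]]] = {
    "org.example:web-framework@2.3.1": [
        ("org.example:collections-util", "3.2.1"),
        ("org.example:http-core", "4.1.0"),
    ],
    "org.example:http-core@4.1.0": [
        ("org.example:collections-util", "3.2.1"),  # reached via two paths
    ],
    "org.example:json-mapper@1.9.0": [
        ("org.example:base-codec", "1.4.0"),
    ],
}

# Constructed advisory table: component -> [(vulnerable_range, fixed_version, advisory_id)].
# A range "<X.Y.Z" means every version below X.Y.Z is affected.
ADVISORIES: Dict[str, List[Tuple[str, str, str]]] = {
    "org.example:collections-util": [("<3.2.2", "3.2.2", "DEMO-2015-0001")],
    "org.example:base-codec": [("<1.4.0", "1.4.0", "DEMO-2014-0007")],
}


def parse_version(v: str) -> Tuple[int, ...]:
    """Dotted numeric version -> tuple so that comparison is numeric, not lexical."""
    return tuple(int(p) for p in v.split("."))


def resolve(direct: List[Tuple[str, str]]) -> Dict[str, str]:
    """Walk the graph depth-first and return every component once: the inventory."""
    inventory: Dict[str, str] = {}
    stack = list(direct)
    while stack:
        name, ver = stack.pop()
        if name in inventory:
            continue  # already resolved (a real resolver applies its own conflict rule here)
        inventory[name] = ver
        stack.extend(TRANSITIVE.get(f"{name}@{ver}", []))
    return inventory


@dataclass
class Finding:
    component: str
    version: str
    advisory: str
    fixed_in: str


def check(inventory: Dict[str, str]) -> List[Finding]:
    """Match every inventoried component, direct or transitive, against the advisories."""
    findings: List[Finding] = []
    for name, ver in sorted(inventory.items()):
        for vuln_range, fixed, adv in ADVISORIES.get(name, []):
            if not vuln_range.startswith("<"):
                raise ValueError(f"unsupported range syntax: {vuln_range}")
            if parse_version(ver) < parse_version(vuln_range[1:]):
                findings.append(Finding(name, ver, adv, fixed))
    return findings


def gate(direct: List[Tuple[str, str]] = DIRECT_DEPS) -> Tuple[int, List[Finding]]:
    """Return (exit_code, findings); a non-zero exit code fails the build synchronously."""
    findings = check(resolve(direct))
    return (1 if findings else 0), findings


if __name__ == "__main__":
    code, found = gate()
    for f in found:
        print(f"FAIL {f.component}:{f.version} {f.advisory} (fixed in {f.fixed_in})")
    raise SystemExit(code)
```

The point the deck makes is visible in the output: the application never declared collections-util, yet the gate fails on it, because the inventory is built from the resolved graph rather than from the manifest. base-codec sits exactly on the fixed version and passes, which is why the comparison must be numeric and the range boundary exclusive.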

Page 36:

[Diagram: pipeline stages Dev, CI, CD, Build, QA, UAT, Prod, with Developers, Source Control, Public Component Repositories and Deploy Repository; tooling shown along the pipeline:]

• OSS analysis (NLC, OWASP Dep Check), Static & Dynamic code analysis, Fuzz, Unit tests, BDD tests

• TDD test suite, Infrastructure test suite, Behavioural test suite, Security test suite (Gauntlt, Metasploit, OSS analysis)

• ZAP Proxy, Infrastructure tests, Chaos Monkey, Gauntlt, Secret managers

• Red & Blue teaming, Security incident monitoring, AppSensor, Kibana, Splunk

https://github.com/devsecops/awesome-devsecops

Make Security Testing Fun

Page 37:

Test with Security games - Bring toolset along

Page 38:

Be transparent with information

Page 39:

Use the data you automatically collect
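"Use the data you automatically collect" and the earlier ZTTR slide point at one metric a pipeline can compute for free: how long a known-vulnerable component stays in the build after the scanner first reports it. The following is an added example, not code from the deck; the per-build scan records, the component names and the DEMO-* advisory ids are constructed to stand in for what a real scanner would emit on each build.

```python
"""
Added example (not from the slide deck): derive a time-to-remediation metric
from the scan results a pipeline already produces on every build. The build
log below is constructed; each record is (ISO build date, component, list of
advisory ids the scanner reported for it). For each (component, advisory)
pair we measure the days from the first build that reported it to the first
later build of that component that no longer did; pairs with no such build
are still open.
"""
from datetime import date, datetime
from typing import Dict, List, Optional, Tuple

Key = Tuple[str, str]  # (component, advisory id)

# Constructed per-build scan output, deliberately out of order to exercise the sort.
BUILD_LOG: List[Tuple[str, str, List[str]]] = [
    ("2016-03-02", "org.example:collections-util", ["DEMO-2015-0001"]),
    ("2016-03-01", "org.example:collections-util", ["DEMO-2015-0001"]),
    ("2016-03-04", "org.example:collections-util", []),                  # clean: fixed
    ("2016-03-04", "org.example:web-framework", ["DEMO-2016-0042"]),
    ("2016-03-10", "org.example:web-framework", ["DEMO-2016-0042"]),     # still open
]


def remediation_days(log: List[Tuple[str, str, List[str]]]) -> Dict[Key, Optional[int]]:
    """Return {(component, advisory): days-to-fix, or None while the finding is still open}."""
    first_seen: Dict[Key, date] = {}
    fixed_on: Dict[Key, date] = {}
    for date_str, component, advisories in sorted(log, key=lambda r: r[0]):
        day = datetime.strptime(date_str, "%Y-%m-%d").date()
        for adv in advisories:
            first_seen.setdefault((component, adv), day)  # keep the earliest sighting
        # Any advisory previously seen for this component but absent from this
        # build is closed on this build's date; a later reintroduction is a new
        # problem and would need its own record, so the first close date is kept.
        for (comp, adv), _ in first_seen.items():
            if comp == component and adv not in advisories and (comp, adv) not in fixed_on:
                fixed_on[(comp, adv)] = day
    return {
        key: ((fixed_on[key] - seen).days if key in fixed_on else None)
        for key, seen in first_seen.items()
    }


def summarise(results: Dict[Key, Optional[int]]) -> Tuple[int, int, float]:
    """(closed count, still-open count, mean days to remediation over closed findings)."""
    closed = [d for d in results.values() if d is not None]
    open_count = sum(1 for d in results.values() if d is None)
    mean_days = (sum(closed) / len(closed)) if closed else 0.0
    return len(closed), open_count, mean_days


if __name__ == "__main__":
    results = remediation_days(BUILD_LOG)
    for (comp, adv), days in sorted(results.items()):
        print(f"{comp} {adv}: {'open' if days is None else f'fixed in {days} days'}")
    print("closed/open/mean:", summarise(results))
```

The same records, grouped by team or by pipeline stage instead of by component, give the comparison the deck is arguing for: whether findings surfaced at the developer's desk close faster than the ones first raised in a near-production scan.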

Page 40:

Summing Up

• Understand why we have open source vulnerabilities in our software

• Empower Developers – Choose the best version!

• Effectively manage open source vulnerabilities and licenses throughout the delivery pipeline

Page 41:

Page 42:

Thanks - References

• Wired Article – Hackers remotely kill Jeep on Highway: https://www.wired.com/2015/07/hackers-remotely-kill-jeep-highway/

• https://www.theregister.co.uk/2016/03/30/bmw_complies_with_gpl/

• State of Devops 2015: https://puppetlabs.com/2015-devops-report

• Rugged Devops Book: http://devops.com/2015/04/20/the-rugged-devops-ebook/

• Rugged Software: http://www.ruggedsoftware.org/

• DevSecOps: http://devsecops.org

• “The Phoenix Project” by Gene Kim: http://itrevolution.com/books/phoenix-project-devops-book/

• State of Software Supply Chain 2015: https://www.sonatype.com/state-of-the-software-supply-chain

• 7 Habits of Rugged Devops: https://www.forrester.com/report/The+Seven+Habits+Of+Rugged+DevOps/-/E-RES126542

• Verizon Data Breach Report: http://www.verizonenterprise.com/verizon-insights-lab/dbir/2016/

• CodeCentric CI Example: https://blog.codecentric.de/en/2015/10/continuous-integration-platform-using-docker-container-jenkins-sonarqube-nexus-gitlab/

• FS-ISAC: https://www.sonatype.com/software-security-control-white-paper

• IEC-62304: http://www.iso.org/iso/catalogue_detail.htm?csnumber=38421

• PCI-DSS: https://www.pcisecuritystandards.org/document_library?category=pcidss&document=pci_dss

• Reflections on NPMGate: http://blog.npmjs.org/post/141577284765/kik-left-pad-and-npm

• Lessons learnt again from NPMGate: http://www.sonatype.org/nexus/2016/03/25/npm-gate-lessons-learned-again/

• DevSecOps toolkit: https://github.com/devsecops/awesome-devsecops