Webcast: "Build Security In, Fix and Remediate Security, License and Architectural Risk Early in Your SDLC Process" (September 22nd 2016)
Nick Coombs, Sonatype; Ryan Sheldrake, Sonatype
A Sea Change in Application Development
Modern software development: 90% assembled, the remainder written
Source: 2012 / 2013 Sonatype analysis of more than 1,000 enterprise applications
The Modern Software Supply Chain

Suppliers (Open Source Projects):
• 3.7 million open source developers
• Over 1.56M component versions contributed
• 105,000 open source projects
• Once uploaded, always available
• 3-4 yearly updates, no way to inform development teams
• Mean-time-to-repair a security vulnerability: 390 days

Warehouses (Component Repositories):
• 31 billion download requests last year
• 90,000 private component repositories in use
• 6.2% of requests have known security vulnerabilities
• 34% of downloads have restrictive licenses
• 95% rely on inefficient component distribution (or “sourcing”) practices

Manufacturers (Software Dev Teams):
• 11 million developers, 160,000 organizations
• 7,600 external suppliers used in an average development organization
• 27 versions of the same component downloaded
• 43% don’t have open source policies; 75% of those with policies don’t enforce them
• 31% suspect a related breach

Finished Goods (Software Applications):
• 80 - 90% component-based
• 106 components per application
• 24 known security vulnerabilities per application, critical or severe
• 9 restrictive licenses per application, critical or severe
• 60% don’t have a complete software Bill of Materials
Known-vulnerable components that kept being downloaded after their CVE was published:

| Component | Description | CVE date | CVSS v2 base score | Exploitability | Downloads since the CVE date |
|---|---|---|---|---|---|
| Bouncy Castle | Java Cryptography API | 11/10/2007 | 10.0 HIGH | 10.0 | 11,236 organizations downloaded it 214,484 times |
| HttpClient | Java HTTP implementation | 11/04/2012 | 5.8 MEDIUM | 8.6 | 29,468 organizations downloaded it 3,749,193 times |
| Apache Struts 2 | Web application framework | 07/20/2013 | 9.3 HIGH | 10 | 4,076 organizations downloaded it 179,050 times |
Intelligence Matters (components in an application)
Components older than 2 years:
• Account for 62% of all components
• Account for 77% of the security risk
• Are likely inactive
Application vulnerability density is 6.8%
Shift Left – Fix in Development
Source: IBM - https://www.ibm.com/developerworks/community/blogs/invisiblethread/entry/enabling_devops_success_with_shift_left_continuous_testing?lang=en
OWASP A9 - Using Components with Known Vulnerabilities
ISO 27001 – A.14.2.1 - Secure development policy
UK Government – Cyber Essentials
What if manufacturers built cars the way we build software: without supply chain visibility, process and automation …
• Any part can be chosen, even if it is outdated or known to be unsafe.
• Since parts aren’t tracked, it’s challenging to issue a recall.
• There is no quality control or consistency from car to car.
• There is no inventory of the parts that were used, or where.
• Manufacturers could choose any supplier they want for any given part, regardless of quality.
Time for a fresh approach? Sonatype Nexus Lifecycle
• Precisely identify components and their risks
• Remediate early in development
• Automate policy across the SDLC
• Manage risk with a consolidated dashboard
• Continuously monitor applications for new risks
Use Case - Shift Left, Integrate with SDLC
Elements of the integration diagram:
• Development flow: Developers → Create Code → SCM → CI Build (‘Intellisense’ policy feedback) → Components → Production
• Nexus Repository holding Third Party & OSS Components, with Nexus Firewall
• Nexus IQ Server: policy rules for License, Security and Architecture; Continuous Assessment backed by Sonatype Research
• Integrations: REST API, JIRA, SonarQube
• Policy Evaluation across License, Security and Architecture
• KPIs, Reporting and Trending (Security, Architecture) for Managers, Production Support, Legal, IT Risk and Cyber
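The slide describes a policy evaluation that gates a build on three axes (security, license, architecture). The following is an added example written for this page, not Sonatype's Nexus IQ Server or its policy format: it evaluates a constructed bill of materials against assumed thresholds, using the deck's "older than 2 years" rule for the architecture axis, and returns a pass/fail decision a CI job could act on.

```python
"""Three-axis policy gate (security, license, architecture) over a constructed
bill of materials. Example code for this page; not Nexus IQ or its policy model."""
from datetime import date

# Thresholds are assumptions chosen for the example, not vendor defaults.
SECURITY_FAIL_CVSS = 7.0            # fail the build at or above this CVSS base score
SECURITY_WARN_CVSS = 4.0            # warn at or above this, below the fail line
MAX_COMPONENT_AGE_DAYS = 2 * 365    # the deck's "components older than 2 years" rule
RESTRICTIVE_LICENSES = {"GPL-3.0-only", "AGPL-3.0-only", "SSPL-1.0"}
AS_OF = date(2016, 9, 22)           # evaluation date (the webcast date)

# Constructed sample BOM: names, versions, dates and scores are made up.
SAMPLE_BOM = [
    {"name": "example-web-framework", "version": "2.0.1", "license": "Apache-2.0",
     "released": date(2013, 7, 20), "max_cvss": 9.3},
    {"name": "example-httpclient", "version": "4.5.0", "license": "Apache-2.0",
     "released": date(2015, 11, 4), "max_cvss": 5.8},
    {"name": "example-json", "version": "1.2.3", "license": "AGPL-3.0-only",
     "released": date(2016, 6, 1), "max_cvss": 0.0},
]

def evaluate_component(component, today):
    """Return a list of (axis, action, reason) findings for one component."""
    findings = []
    cvss = component["max_cvss"]
    if cvss >= SECURITY_FAIL_CVSS:
        findings.append(("security", "fail", f"CVSS {cvss} >= {SECURITY_FAIL_CVSS}"))
    elif cvss >= SECURITY_WARN_CVSS:
        findings.append(("security", "warn", f"CVSS {cvss} >= {SECURITY_WARN_CVSS}"))
    if component["license"] in RESTRICTIVE_LICENSES:
        findings.append(("license", "fail", f"restrictive license {component['license']}"))
    age_days = (today - component["released"]).days
    if age_days > MAX_COMPONENT_AGE_DAYS:
        findings.append(("architecture", "warn", f"released {age_days} days ago, likely inactive"))
    return findings

def evaluate_bom(bom, today):
    """Evaluate every component; the build passes only if no 'fail' action fired."""
    report = {c["name"]: evaluate_component(c, today) for c in bom}
    passed = not any(action == "fail" for found in report.values() for _, action, _ in found)
    return passed, report

if __name__ == "__main__":
    ok, report = evaluate_bom(SAMPLE_BOM, AS_OF)
    for name, findings in report.items():
        for axis, action, reason in findings:
            print(f"{action.upper():4} {axis:12} {name}: {reason}")
    print("BUILD", "PASSED" if ok else "FAILED")
```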
The Business Case for Building Security In
• Shift Left → 30x lower cost to fix in development
• Manual processes don’t work → 1 to 4 hours per component
• Increase developer efficiency → 8% to 30% time saving per day
• Faster releases
• Less unplanned work
• Fewer break-fixes
• Increased innovation
• And better quality software!
Free Scan & Consultancy
• One day’s consultancy to help build the business case
• Free assessment on up to 3 applications
• Report
Be DevOpstastic