Supply Chain Risk Management For Modern Software Development

Transcription

1 Supply Chain Risk Management For Modern Software Development September 4, 2013 Maritime Institute & Conference Center Linthicum Heights, Maryland

2 Ron Ross PhD, National Institute of Standards and Technology (NIST) Ron Ross is a Fellow at the National Institute of Standards and Technology (NIST). His current areas of specialization include information security and risk management. Dr. Ross leads the Federal Information Security Management Act (FISMA) Implementation Project, which includes the development of security standards and guidelines for the federal government, contractors, and the United States critical information infrastructure. His recent publications include Federal Information Processing Standards (FIPS) Publication 199 (security categorization standard), FIPS Publication 200 (security requirements standard), NIST Special Publication (SP) (security controls guideline), NIST SP A (security assessment guideline), NIST SP (security authorization guideline), NIST SP (risk management guideline), and NIST SP (risk assessment guideline).& Dr. Ross is the principal architect of the Risk Management Framework and multi-tiered approach that provides a disciplined and structured methodology for integrating the suite of FISMA standards and guidelines into a comprehensive enterprise-wide information security program. Dr. Ross also leads the Joint Task Force Transformation Initiative, a partnership with NIST, the Department of Defense, the Intelligence Community, the Office of the Director National Intelligence, and the Committee on National Security Systems to develop a unified information security framework for the federal government.

3 On The SCRM Horizon Implementation of NIST SP , Revision 4. Revision of OMB Circular A-130, Appendix III. OMB Continuous Monitoring Policy. Supply Chain Risk Guidance NIST SP Security Engineering Guidance NIST SP Build It Right, Continuously Monitor NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY 3

4 Contact Information Project Leader 100 Bureau Drive Mailstop 8930 Gaithersburg, MD USA Administrative Support Dr. Ron Ross Peggy Himes (301) (301) Senior Information Security Researchers and Technical Support Pat Toth Kelley Dempsey (301) (301) Arnold Johnson (301) Web: csrc.nist.gov/sec-cert Comments: NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY 4

5 Wayne Jackson Wayne Jackson currently serves as the CEO of Sonatype, Inc., the leaders in Component Lifecycle Management and creators of Maven and other technologies used by millions of software developers worldwide. Prior to joining Sonatype, Wayne served as the CEO of open source network security pioneer Sourcefire, Inc. (NASDAQ:FIRE), which he guided from fledgling start-up through an IPO in March of 2007, later acquired by Cisco for $2.7 billion. Before joining Sourcefire, Wayne co-founded Riverbed Technologies, a wireless infrastructure company, and served as its CEO until the sale of the company for more than $1 billion in March of Prior to Riverbed, Wayne built an emerging-technologies business unit for a large systems integrator and provided consulting services to organizations including General Electric, the World Bank and the Federal Reserve. Wayne holds a B.B.S in Finance from James Madison University, 1985, and has completed the Executive Education program for Corporate Governance at Harvard University. CEO Sonatype

6 DevOpsSec Supply chain management in modern software development

7 Industrial Evolution

8 Software Evolution Written Assembled 90%

9 The Central Repository The canonical exchange for open source binaries Virtually every mainstream project in the Java ecosystem Accelerating adoption by other languages Virtually every organization developing software >100,000 organizations, >10 million developers Unique visibility Component supply Component consumption

10 Open Source is Everywhere

11 Tremendous Advantages Open = Leveraged Innovation Modular = Accelerated Development Agile = Accelerated Delivery

12 But Some Drawbacks

13 For Example: CVE Network exploitable Medium access complexity No authentication required for exploit Allows unauthorized disclosure of information; allows unauthorized modification; allows disruption of service

14 Widespread Compromise

15 Struts2 Downloads

16 An Ecosystem Phenomenon

17 Toyota and v4l Variety of products offered Velocity of product flow Variability of outcomes against forecast Visibility of processes to enable learning

18 Toyota and v4l Variety of software produced Velocity of software delivery Variability of outcomes against forecast Visibility of processes to enable learning

19 The L in v4l Create awareness Establish capability (empower) Make action protocols (govern) Generate system-level awareness (monitor)

20 Measurable Advantages Plant suppliers: 125 versus 800 Firm-wide suppliers: 224 versus 5,500 In-house production: 27% versus 54% Comparing the Volt and Prius $39,900 versus $24,200 1,788 units versus 23,294 units

21 Core Supply Chain Principles

22 Create Awareness

23 Create Awareness

24 Empower

25 Govern When left unaudited and unmanaged, opensource assets "seep" into and proliferate within an enterprise's software portfolio as hidden "time bombs" that can eventually result in catastrophic technical failures, security failures, audit compliance violations and intellectual property (IP) risks that create a significant loss of IT value and, subsequently, broader business value. A CIO s Perspective on Open Source Software Mark Driver, Research Vice President January 2011 January 2013 Sonatype survey of 2,500 software developers, team leads, and architects

26 Govern

27 Govern Effectively Humans define policy What component attributes violate policy What actions to take when a policy is violated Machines automate the implementation of policy Humans manage exceptions

28 Govern Effectively 2 8

29 Monitor

30 Monitor

31 Core Supply Chain Principles

32 Substantial, Measurable ROI Reduced surface area exposure, maintenance, expertise Reduced re-work Pro-active situational awareness Better suppliers and supplier relationships Go fast AND be secure!

33 Thank You! x Maple Lawn Drive, Suite 250 Fulton, Md 20759