The Game of Hide and Seek, Hidden Risks in Modern Software Development

Similar documents
Cenzic Product Guide. Cloud, Mobile and Web Application Security

From Rivals to BFF: WAF & VA Unite OWASP The OWASP Foundation

Supply Chain Risk Management For Modern Software Development

Cloud Application Security Assessment, Guerrilla Style

Centralized Secure Vault with Serena Dimensions CM

ENJOYING OPEN SOURCE WITHOUT COMPROMISING BUSINESS. Dr. Ron Rymon Founder, White Source Software

From the Bottom to the Top: The Evolution of Application Monitoring

Electronic Communication In Your Practice. How To Use & Mobile Devices While Maintaining Compliance & Security

Application Security Center overview

Developing Secure Software in the Age of Advanced Persistent Threats

How To Test For Security On A Network Without Being Hacked

SAST, DAST and Vulnerability Assessments, = 4

Protect the data that drives our customers business. Data Security. Imperva s mission is simple:

HP Fortify Software Security Center

Securing Your Web Application against security vulnerabilities. Ong Khai Wei, IT Specialist, Development Tools (Rational) IBM Software Group

Why Your SIEM Isn t Adding Value And Why It May Not Be The Tool s Fault. Best Practices Whitepaper June 18, 2014

IBM QRadar Security Intelligence April 2013

How to Secure Your SharePoint Deployment

Spooks in the Machine

Effective Threat Management. Building a complete lifecycle to manage enterprise threats.

BEST PRACTICES IN WEB CONFERENCING SECURITY. A Spire Research Report April By Pete Lindstrom, Research Director. Sponsored By:

Getting Started with Web Application Security

How to Grow and Transform your Security Program into the Cloud

Top Five Security Must-Haves for Office 365. Frank Cabri, Vice President, Marketing Shan Zhou, Senior Director, Security Engineering

Mobile Medical Devices and BYOD: Latest Legal Threat for Providers

How I Learned to Stop Worrying and Love Compliance Ron Gula, CEO Tenable Network Security

Honeywell Industrial Cyber Security Overview and Managed Industrial Cyber Security Services Honeywell Process Solutions (HPS) June 4, 2014

Realize That Big Security Data Is Not Big Security Nor Big Intelligence

State of SIEM Challenges, Myths & technology Landscape 4/21/2013 1

White Paper. Data Security. The Top Threat Facing Enterprises Today

Table of contents. Best practices in open source governance. Managing the selection and proliferation of open source software across your enterprise

How To Protect A Web Application From Attack From A Trusted Environment

2011 Forrester Research, Inc. Reproduction Prohibited

Data Security in the Insurance Industry: WHAT YOU NEED TO KNOW

SECURITY ORGANISATION Security Awareness and the Five Aspects of Security

How To Manage A Privileged Account Management

Managed & Professional Services

Panel: SwA Practices - Getting to Effectiveness in Implementation

Security Compliance and Data Governance: Dual problems, single solution CON8015

WHITEPAPER SAML ALONE IS NOT SECURE - HERE S HOW TO FIX IT

FIVE PRACTICAL STEPS

Managing Mobile Devices in a Device-Agnostic World Finding and Enforcing a Policy That Makes Business Sense

5 Tips to Secure Small Business Backdoors in the Enterprise Supply Chain

Information Supplement: Requirement 6.6 Code Reviews and Application Firewalls Clarified

Privileged. Account Management. Accounts Discovery, Password Protection & Management. Overview. Privileged. Accounts Discovery

Concierge SIEM Reporting Overview

NeXUS REPOSITORY managers

Mobile Devices: Know the RISKS. Take the STEPS. PROTECT AND SECURE Health Information.

Automated Risk Management Using SCAP Vulnerability Scanners

Provide access control with innovative solutions from IBM.

AIRDEFENSE SOLUTIONS PROTECT YOUR WIRELESS NETWORK AND YOUR CRITICAL DATA SECURITY AND COMPLIANCE

What Cloud computing means in real life

Securing the Cloud with IBM Security Systems. IBM Security Systems IBM Corporation IBM IBM Corporation Corporation

Current IBAT Endorsed Services

CASE STUDY. Global Airline Empowers Mobile Workforce for SaaS Apps while Reducing Risk

Mobile Devices: Know the RISKS. Take the STEPS. PROTECT AND SECURE Health Information.

CHIS, Inc. Privacy General Guidelines

Guide to Vulnerability Management for Small Companies

After the Attack. The Transformation of EMC Security Operations

ensuring security the way how we do it

Cloud, Beyond the Hype

Securing SharePoint 101. Rob Rachwald Imperva

White Paper. Ensuring Network Compliance with NetMRI. An Opportunity to Optimize the Network. Netcordia

Some Thoughts on the Future of Cyber-security

Nexus Professional Whitepaper. Repository Management: Stages of Adoption

10 Hidden IT Risks That Might Threaten Your Business

Neoscope

Agenda , Palo Alto Networks. Confidential and Proprietary.

8 Steps for Network Security Protection

CONTINUOUS DIAGNOSTICS BEGINS WITH REDSEAL

Are You Ready for PCI 3.1?

Continuous???? Copyright 2015 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.

8 Steps For Network Security Protection

<Insert Picture Here> How to protect sensitive data, challenges & risks

RSA Via Lifecycle and Governance 101. Getting Started with a Solid Foundation

Application Security 101. A primer on Application Security best practices

Leveraging Privileged Identity Governance to Improve Security Posture

HP Application Security Center

THE TOP 4 CONTROLS.

MEDICAL DEVICE Cybersecurity.

Secret Server Qualys Integration Guide

The Crisis You Didn t See

Basics of Internet Security

Building a Web Application Security Program. Rich Mogull Adrian Lane Securosis, L.L.C.

IBM InfoSphere Guardium Data Activity Monitor for Hadoop-based systems

Web application security Executive brief Managing a growing threat: an executive s guide to Web application security.

IBM Cloud Security Draft for Discussion September 12, IBM Corporation

Moderator: Benjamin McGee, CISSP Cyber Security Lead SAIC

Seven Simple steps. For Mobile Device Management (MDM) 1. Why MDM? Series

A Strategic Approach to Web Application Security The importance of a secure software development lifecycle

HIPAA Compliance Evaluation Report

SECURITY RISK MANAGEMENT. FIRST 2007 Seville, Spain

Esri Managed Cloud Services and FedRAMP

10 Hidden IT Risks That Threaten Your Financial Services Firm

GE Oil & Gas. Cyber Security for NERC CIP Versions 5 & 6 Compliance

Application Layer Encryption: Protecting against Application Logic and Session Theft Attacks. Whitepaper

Extreme Networks Security Analytics G2 Vulnerability Manager

Exploring Converged Access of IT Security and Building Access Today, Tomorrow and the Future

Copyright 2013 Gravitant, Inc. Cloud Brokerage Makes IT-as-a-Service a Practical Reality

Transcription:

The Game of Hide and Seek, Hidden Risks in Modern Software Development SESSION ID: ASEC-R02 Ryan Berg CSO Sonatype @ryanberg00

Agenda The changing dynamics surrounding application security Why this is a supply chain problem What should you be doing, but likely aren t Q&A

The Language of Security is Risk Security Product Management http://xkcd.com/795/

4 What is Risk?

What does the snail tell us? we owe a duty of reasonable care to our neighbor Lord Atkin: Donoghue v. Stevenson (1932)

You Built It, Your Responsible a manufacturer of products, which he sells in such a form as to show that he intends them to reach the ultimate consumer in the form in which they left him with no reasonable possibility of intermediate examination, and with knowledge that the absence of reasonable care in the preparation or putting up of products will result in an injury to the consumer's life or property, owes a duty to the consumer to take that reasonable care. 6

What is Risk? United States v. Carroll Towing Co. 159 F.2d 169 (2d. Cir. 1947)

The cost of Doing nothing can t be ignored if the probability be called P; the injury, L; and the burden, B; liability depends upon whether B is less than L multiplied by P: i.e., whether B < PL. Translation: If the Cost of Protecting Against Harm is less than the Cost of the Damage Multiplied by the Likelihood of the Damage, then there is negligence. Risk = probability x impact 8

Modern software development HAS CHANGED Application security HASN T CHANGED ENOUGH

Modern software development HAS CHANGED Application security HASN T CHANGED ENOUGH

Modern software development HAS CHANGED Application security HASN T CHANGED ENOUGH

APPLICATIONS are assembled using third party components, most of which are open source In fact, 90% of a typical application is open source

Open source usage is EXPLODING Yesterday s source code is today s OPEN SOURCE 2007 2008 2009 2010 500M 1B 2B 2011 2012 2013 4B 6B 8B 13B

Creating today s software SUPPLY CHAIN COMPONENT SELECTION DEVELOPMENT BUILD AND DEPLOY PRODUCTION

Do you know who your SUPPLIERS ARE? Component Selection COMPONENT SELECTION DEVELOPMENT BUILD AND DEPLOY PRODUCTION

OPEN SOURCE: QUALITY INNOVATION EFFICIENCY

NO CONTROLS. OPEN ACCESS. HACKER TARGETS.

Security spans the Enterprise Security concerns are across the Enterprise Development Operations Security Features Performance Security Usability Reliability/Scalability Compliance Performance Compliance Everything Else Reliability/Scalability Security Maintainability Maintainability Security Features/Usability Compliance

Haven t We Learned Compliant Does Not Mean Secure, Often the Opposite

A disproportionate spend against the risk Prevention Detection Monitoring Firewall IDS SIEM Encryption SAST DAM IPS DAST RAST WebApp Firewall (WAF) Evolution of Spend

A Sea Change in Application Development Written Assembled 90% Source: 2012 / 2013 Sonatype analysis of more than 1,000 enterprise applications

What me worry, tis just a bit of floating ice

Components are a hidden risk

What are you doing to ADDRESS THIS RISK?

What are you doing to ADDRESS THIS RISK?

FOSS Review Board Scans post development Golden repository Approval workflow

FOSS Review Board Scans post development NOTHING? Golden repository Approval workflow

If you re not using secure COMPONENTS you re not securing your APPS Component Selection COMPONENT SELECTION DEVELOPMENT BUILD AND DEPLOY PRODUCTION

46m vulnerable components downloaded! 90% of repositories have 1+ critical vulnerability! Today s approaches AREN T WORKING 71% of apps have 1+ critical or severe vulnerability! COMPONENT SELECTION DEVELOPMENT BUILD AND DEPLOY PRODUCTION

WHY? The problem is too complex to manage manually. Complexity One component may rely on 100s of others Volume Diversity 40,000 Projects 200M Classes 400K Components Typical enterprise consumes 1,000s of components monthly Change Typical component is updated 4X per year

Manual processes DON T WORK Automation should ENFORCE POLICIES Humans should manage EXCEPTIONS

To reduce cost per defect To achieve compliance WHY is this important? To manage risk!!!

For Example: CVE-2013-2251 Network exploitable Medium access complexity No authentication required for exploit Allows unauthorized disclosure of information; allows unauthorized modification; allows disruption of service

Hackers have first mover advantage

35 THE ANTI-PATTERNS

TURN OFF THE LIGHTS

LOCK THE DOORS

POINT FINGERS

THESE ARE NOT MY DROIDS

EVERYTHING IS A NAIL

Success Requires Discipline

The Problem is Not Problem Discovery When our software development ecosystem looks like this it is easy to find problems The real challenge is to develop at scale and deliver continuous value continuously when everything else is a mess

The problem is no longer like this

It s Starting to Look More Like This

Time for a FRESH APPROACH? Developer friendly makes it easy to find and fix problems early. Visibility and control. Automated and integrated policy enforcement throughout the software lifecycle. Proactive and ongoing for continued trust.

Got questions? Get the ANSWERS.????? What production applications are at risk? What problems are most critical? What components are being used? Where are they? Which components have known security vulnerabilities? What are our license obligations??? Do our applications comply with our policies? How can we choose the best components from the start?

Building A Better Bridge Between Dev, Ops and Security Need to recognize that the priorities are different Tooling needs to adopt the practice of the practitioner not the other way around A Tool is not a process and a process is not a tool learn to leverage both.

Building A Better Bridge Between Dev, Ops and Security Need to recognize that the priorities are different Tooling needs to adopt the practice of the practitioner not the other way around A Tool is not a process and a process is not a tool learn to leverage both.

Supply Chain Mgt. for Modern Software Development Go Fast. Be Secure. Build security in from the start Enforce policy in the tools you already use Reduce risk by automating governance throughout the lifecycle Reduce cost by fixing early in the process React to new threats by knowing what they are and where to fix them Go fast by using tools your developers already know

Thank You @ryanberg00

2024 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information