A Practitioner's Tale: Uniting Dev, Sec, and Ops Tribes

Post on 09-Feb-2017


Transcript of A Practitioner's Tale: Uniting Dev, Sec, and Ops Tribes

A Practitioner's Tale: Uniting Dev, Sec, and Ops Tribes
Curtis Yanko, Sr. Principal Architect

Microsoft Office User
My subtitle preference would be something along the lines of "Nexus - Accelerating delivery of software whilst reducing Risk and Waste" or something similar which describes what we do.

A Bit About Me

• Started programming in the 1970’s
• I’ve seen the rise of and used…
• ...OOP, 4th Gen languages, UML, XP, Agile, ERP, SOA, CI, CD...
• Started programming professionally in the 1990’s
• ...like a lot of junior programmers I got stuck with the build/SCM
• Did Enterprise CI at a Fortune 25 company
• Did CI/CD at a Fortune 100 company
• Launched a DevOps Center of ‘Enablement’

For Fun

• Night Hikes
• Board game night
• Ultimate Frisbee
• Volunteer for ECAD to help raise and train service dogs
• @onCommit
• DevOps in the Enterprise on Flipboard

Agenda

• Why we should care
• Practitioner’s Tale

http://www.informationisbeautiful.net/visualizations/worlds-biggest-data-breaches-hacks/

Seriously?

[Chart: Count of exploited CVE’s in 2014, by year published]

8 years later, vulnerable versions of Bouncy Castle were downloaded…

5.8M times

CVE-2007-6721
CVSS Base Score: 10.0 HIGH
Impact Subscore: 10.0
Exploitability Subscore: 10.0

[Timeline: 2007 to 2015]

USE THE HIGHEST QUALITY PARTS

Why Sec hates Dev

Security can’t keep up with the pace of modern development practices and the complexities of component dependencies.

• 229,898 downloads (orders)
• 5,275 components, all versions (parts)
• 2,071 components (suppliers)

Analysis of 3,000 organizations

Why Dev hates Sec

Developers don’t like security slowing them down by dumping scan reports on them weeks or months after the fact.

SOFTWARE IS MANUFACTURED FROM PARTS

“Software is eating the world”

-- Marc Andreessen

“If you want to make enemies, try to change something”

-- Woodrow Wilson

Empathy

A picture

[Diagram: CI/CD pipeline showing Public Repos, Binary Repo, Source Code, Build and Deploy, across the Dev, QA, UAT and Prod environments]

Software Factory & Component Based Development

INNOVATION WAVE IN YOUR SOFTWARE FACTORY

What vs How: There is a difference between Policies and Governance

AUTOMATE AUTOMATE AUTOMATE

DESIGN A FRICTIONLESS APPROACH

@sonatype

CREATE A SOFTWARE BILL OF MATERIALS

bit.ly/softwareBOM
@sonatype

ZTTR (Zero Time to Remediation)

EMPOWER DEVELOPERS FROM THE START

@weekstweets

Say Hello to Your Software Supply Chain…

Automate your software supply chain with three proven principles:

Use higher quality parts

Use better & fewer suppliers

Track what you use and where
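The third principle, tracking what you use and where, is what turns an advisory like the Bouncy Castle one above into a concrete list of affected applications instead of a months-later scan report. The following is an added Python example, not code from the talk or from Sonatype: the SBOM inventory, the Maven coordinates and the `fixed_in` version attached to CVE-2007-6721 are constructed assumptions for the demo.

```python
"""Minimal SBOM lookup: which applications ship an advisory-covered component version, and where."""
from __future__ import annotations
from dataclasses import dataclass


@dataclass(frozen=True)
class Component:
    group: str
    name: str
    version: str


@dataclass(frozen=True)
class Advisory:
    cve: str
    group: str
    name: str
    fixed_in: str  # first version not affected (assumed for the demo)


def version_key(version: str) -> tuple:
    """Compare dotted versions numerically (1.9 < 1.10); non-numeric parts sort below numbers."""
    key = []
    for part in version.replace("-", ".").split("."):
        key.append((1, int(part), "") if part.isdigit() else (0, 0, part))
    return tuple(key)


def is_affected(component: Component, advisory: Advisory) -> bool:
    """True when the component is the advisory's artifact and predates the fix."""
    return ((component.group, component.name) == (advisory.group, advisory.name)
            and version_key(component.version) < version_key(advisory.fixed_in))


def impacted(sbom: dict[str, list[Component]],
             advisories: list[Advisory]) -> dict[str, list[tuple[str, Component]]]:
    """Map each application to the (CVE, component) pairs found in its bill of materials."""
    hits: dict[str, list[tuple[str, Component]]] = {}
    for app, components in sbom.items():
        for component in components:
            for advisory in advisories:
                if is_affected(component, advisory):
                    hits.setdefault(app, []).append((advisory.cve, component))
    return hits


# Constructed inventory: application -> components it ships (hypothetical apps).
SBOM = {
    "billing-service": [Component("org.bouncycastle", "bcprov-jdk15", "1.36"),
                        Component("commons-io", "commons-io", "2.5")],
    "web-portal": [Component("org.bouncycastle", "bcprov-jdk15", "1.46")],
    "batch-jobs": [Component("org.bouncycastle", "bcprov-jdk15", "1.37")],
}
# CVE id is the one from the talk; the coordinates and fixed_in value are assumptions.
ADVISORIES = [Advisory("CVE-2007-6721", "org.bouncycastle", "bcprov-jdk15", "1.38")]
```

Running `impacted(SBOM, ADVISORIES)` answers "where is it?" the moment the advisory lands, which is the precondition for anything close to zero time to remediation.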

Fast Forward

Forrester Report

Thank You!