Webcast: "Build Security In, Fix and Remediate Security, License and Architectural risk Early in...
Build Security In, Fix and Remediate Security, License and Architectural Risk Early in Your SDLC Process
Nick Coombs, Sonatype
Ryan Sheldrake, Sonatype
A Sea Change in Application Development
Chart: applications today are 90% Assembled (from components) vs. Written
Source: 2012 / 2013 Sonatype analysis of more than 1,000 enterprise applications
Modern Software Development
SUPPLIERS - Open Source Projects
• 3.7 million open source developers
• Over 1.56M component versions contributed
• 105,000 open source projects
WAREHOUSES - Component Repositories
• 31 billion download requests last year
• 90,000 private component repositories in use
MANUFACTURERS - Software Dev Teams
• 11 million developers
• 160,000 organizations
• 7,600 external suppliers used in an average development organization
FINISHED GOODS - Software Applications
• 80 - 90% component-based
• 106 components per application
The Modern Software Supply Chain
• Once uploaded, always available
• 3-4 yearly updates, no way to inform development teams
• Mean-time-to-repair a security vulnerability: 390 days
• 6.2% of requests have known security vulnerabilities
• 34% of downloads have restrictive licenses
• 95% rely on inefficient component distribution (or “sourcing”) practices
• 27 versions of the same component downloaded
• 43% don’t have open source policies
• 75% of those with policies don’t enforce them
• 31% suspect a related breach
• 24 known security vulnerabilities per application, critical or severe
• 9 restrictive licenses per application, critical or severe
• 60% don’t have a complete software Bill of Materials
Known-vulnerable components still downloaded after their CVE date
Bouncy Castle (Java Cryptography API)
• CVE Date: 11/10/2007
• CVSS v2 Base Score: 10.0 HIGH; Exploitability: 10.0
• Since then 11,236 organizations downloaded it 214,484 times
HttpClient (Java HTTP implementation)
• CVE Date: 11/04/2012
• CVSS v2 Base Score: 5.8 MEDIUM; Exploitability: 8.6
• Since then 29,468 organizations downloaded it 3,749,193 times
Apache Struts 2 (Web application framework)
• CVE Date: 07/20/2013
• CVSS v2 Base Score: 9.3 HIGH; Exploitability: 10
• Since then 4,076 organizations downloaded it 179,050 times
Intelligence Matters (components in an Application)
Components older than 2 years:
• Account for 62% of all components
• Account for 77% of the security risk
• Are likely inactive
Application vulnerability density is 6.8%
Commercial in Confidence
Shift Left – Fix in Development
Source: IBM - https://www.ibm.com/developerworks/community/blogs/invisiblethread/entry/enabling_devops_success_with_shift_left_continuous_testing?lang=en
OWASP A9 - Using Components with Known Vulnerabilities
ISO 27001 – A.14.2.1 - Secure development policy
05/01/2023
UK Government – Cyber Essentials
What if manufacturers built cars the way we build software: without supply chain visibility, process and automation …
• Any part can be chosen, even if it is outdated or known to be unsafe.
• Since parts aren’t tracked, it’s challenging to issue a recall.
• There is no quality control or consistency from car to car.
• There is no inventory of the parts that were used, or where.
• Manufacturers could choose any supplier they want for any given part, regardless of quality.
Time for a FRESH APPROACH? Sonatype Nexus Lifecycle
• Precisely identify component and risks
• Remediate early in development
• Automate policy across the SDLC
• Manage risk with consolidated dashboard
• Continuously monitor applications for new risks
Use Case - Shift Left, Integrate with SDLC (architecture diagram)
Pipeline: Developers → Create Code → SCM → CI - Build (‘Intellisense’ policy feedback) → Components → Production
Nexus Firewall: sits in front of Nexus Repository (Third Party & OSS Components) and applies Sonatype policy rules for License, Security and Architecture
Nexus IQ Server: Policy Evaluation (License, Security, Architecture) and Continuous Assessment, fed by Sonatype Research; integrations via REST API, JIRA and SonarQube
Reporting / Trending: KPIs (Security, Architecture) for Managers, Production Support, Legal, IT Risk and Cyber
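The “Intelligence Matters” slide above and the shift-left SDLC diagram both describe the same mechanism: evaluate every component in an application’s bill of materials against security, license and age rules, and do it at build time where a fix is cheapest. As an added example that is not code from the deck, from Sonatype, or from the Nexus products, the Python below sketches such a CI-stage policy gate. The component names, versions, licenses, release dates, advisory identifiers and CVSS scores are all constructed for illustration; the 7.0 CVSS fail threshold, the restrictive-license list and the two-year age rule are assumptions chosen to mirror the slides, not Sonatype’s policy defaults.

```python
"""Constructed example: a CI-stage open source component policy gate.

Reads a minimal software bill of materials (SBOM) for one application,
matches each component against a small advisory feed, and applies three
rules in the spirit of the deck: known vulnerabilities above a CVSS
threshold (security), restrictive licenses (license), and components
older than two years (architecture). It also reports the application's
vulnerability density (vulnerable components / all components).

Every component name, version, license, date, score and advisory id here
is constructed for illustration; none refers to a real project or CVE.
"""
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class Component:
    name: str
    version: str
    license: str
    released: date      # release date of this exact version


@dataclass(frozen=True)
class Advisory:
    component: str
    fixed_in: str       # first version carrying the fix
    cvss_v2: float
    advisory_id: str    # placeholder identifier, not a real CVE


@dataclass(frozen=True)
class Policy:
    cvss_fail_threshold: float = 7.0      # assumption: >= this score breaks the build
    restrictive_licenses: frozenset = frozenset({"GPL-3.0-only", "AGPL-3.0-only"})
    max_age_years: float = 2.0            # assumption: older than this only warns


@dataclass(frozen=True)
class Finding:
    component: str
    rule: str       # "security", "license" or "architecture"
    detail: str
    action: str     # "fail" or "warn"


def version_tuple(version: str) -> tuple:
    """Turn a dotted numeric version into a comparable tuple: "4.1.2" -> (4, 1, 2)."""
    return tuple(int(part) for part in version.split("."))


def is_affected(component: Component, advisory: Advisory) -> bool:
    """A component is affected when it is the named project and predates the fix."""
    return (component.name == advisory.component
            and version_tuple(component.version) < version_tuple(advisory.fixed_in))


def evaluate(sbom, advisories, policy: Policy, today: date):
    """Return (findings, vulnerability_density) for one application's SBOM."""
    findings = []
    vulnerable = set()
    for comp in sbom:
        label = f"{comp.name}:{comp.version}"
        for adv in advisories:
            if is_affected(comp, adv):
                vulnerable.add(label)
                action = "fail" if adv.cvss_v2 >= policy.cvss_fail_threshold else "warn"
                findings.append(Finding(label, "security",
                                        f"{adv.advisory_id} CVSS {adv.cvss_v2}, fixed in {adv.fixed_in}",
                                        action))
        if comp.license in policy.restrictive_licenses:
            findings.append(Finding(label, "license", f"restrictive license {comp.license}", "fail"))
        age_years = (today - comp.released).days / 365.25
        if age_years > policy.max_age_years:
            findings.append(Finding(label, "architecture",
                                    f"{age_years:.1f} years old, likely inactive", "warn"))
    density = len(vulnerable) / len(sbom) if sbom else 0.0
    return findings, density


def gate(findings) -> str:
    """CI verdict: any 'fail' finding blocks the build; warnings alone do not."""
    return "FAIL" if any(f.action == "fail" for f in findings) else "PASS"


# --- constructed sample input (not real projects or advisories) --------------
TODAY = date(2016, 6, 1)
SBOM = [
    Component("example-http-lib", "4.1.2", "Apache-2.0", date(2012, 3, 15)),
    Component("example-web-framework", "2.3.14", "Apache-2.0", date(2015, 9, 1)),
    Component("example-crypto", "1.54", "MIT", date(2016, 1, 10)),
    Component("example-pdf-tools", "0.9.1", "AGPL-3.0-only", date(2013, 6, 1)),
]
ADVISORIES = [
    Advisory("example-http-lib", "4.2.0", 5.8, "ADV-PLACEHOLDER-1"),
    Advisory("example-web-framework", "2.3.15", 9.3, "ADV-PLACEHOLDER-2"),
    Advisory("example-crypto", "1.46", 10.0, "ADV-PLACEHOLDER-3"),  # 1.54 already carries the fix
]
POLICY = Policy()


def run_example():
    """Evaluate the sample SBOM; returns (findings, density, verdict)."""
    findings, density = evaluate(SBOM, ADVISORIES, POLICY, TODAY)
    return findings, density, gate(findings)


if __name__ == "__main__":
    findings, density, verdict = run_example()
    for f in findings:
        print(f"{f.action.upper():4} {f.rule:12} {f.component:32} {f.detail}")
    print(f"vulnerability density: {density:.0%}  build gate: {verdict}")
```

Run as a script it lists five findings for the sample application (two security, one license, two age) and reports a 50% vulnerability density with a FAIL verdict, because one component has a 9.3 advisory and another carries a restrictive license. The split between “fail” and “warn” is the design point: the high-severity advisory and the license problem stop the build, while the low-severity advisory and the stale components are surfaced to the developer without blocking, which is how a policy can run inside CI without every finding becoming unplanned work.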
The Business Case for Building Security In
• Shift Left -> 30x lower cost to fix in development
• Manual processes don’t work -> 1 to 4 hours per component
• Increase developer efficiency -> 8% to 30% time saving per day
• Faster releases
• Less unplanned work
• Fewer break-fixes
• Increased innovation
• And better quality software!
Free Scan & Consultancy
• One day’s consultancy to help build the business case
• Free assessment on up to 3 applications
• Report
Be DevOpstastic