Download as PDF, PPTX
Uploaded bySonatype
RSAC DevSecOpsDays 2018 - We are all Equifax
This document discusses software supply chain security and vulnerabilities. It references the Equifax data breach in 2017 that was caused by a vulnerability in the Apache Struts software. The document notes that 80-90% of modern applications and operations consist of assembled components, but not all parts are created equal from a security standpoint. It provides statistics showing that 11.1% of Java components downloaded annually have known vulnerabilities and that 80% of organizations analyzed show poor cyber hygiene. The key takeaway is that businesses are ultimately responsible for the security of their data and systems, so emphasizing security for the entire software supply chain is important.
More Related Content
Similar to RSAC DevSecOpsDays 2018 - We are all Equifax
![[OWASP Poland Day] Application frameworks' vulnerabilities](https://cdn.slidesharecdn.com/ss_thumbnails/wd-applicationframeworksvulns-pub-171003211201-thumbnail.jpg?width=640&height=640&fit=bounds)
RSAC DevSecOpsDays 2018 - We are all Equifax
- 1. We Are AllEquifax Derek E. Weeks Vice President, Sonatype Co-founder, All Day DevOps @weekstweets
- 2. “Emphasize performance ofthe entire system and never pass a defect downstream.” Gene Kim The Phoenix Project 2013
- 3. Say Hello toYour Software Supply Chain… @weekstweets
- 5. THE SSC INDEX OpenSource Component Download Requests, The Central Repository, 2008 - 2017 87 2017
- 6. 80% to 90%of modern apps consist of assembled components.
- 7. 80% to 90%of modern operations consist of assembled containers. Containers Hand-built applications and infrastructure
- 8. NOT ALL PARTSARE CREATED EQUAL @weekstweets
- 9. @weekstweets CYBERSECURITY HYGIENE RATIOIS 1 IN 8 @weekstweets
- 10. 170,000 Java component downloads annually 18,870 11.1%with known vulnerabilities 7,500 ORGANIZATIONS ANALYZED @weekstweets
- 11. 6-IN-10 HAVE OPENSOURCE POLICIES @weekstweets
- 14. DEFECT PERCENTAGES FORJAVASCRIPT @weekstweets
- 15. 5 Month Opportunityto Take Corrective Action Large Scale Exploit March 10 Equifax applications breached through Struts2 vulnerability AprMar May Jun Jul Aug Sept March 7 Apache Struts releases updated version to thwart vulnerability CVE-2017-5638 July 29 Breach is discovered by Equifax. Sept 7 A new RCE vulnerability is announced and fixed. CVE-2017-9805 Probing Hack Crisis Management
- 16. 3 DAYS BEFOREEXPLOIT Source: Adapted from IBM X-Force / Analysis by Gartner Research (September 2016) Year of Date Reported 2006 2007 2008 2009 2010 2011 2012 2013 2104 2015 10 20 30 40 50 0 AverageDaystoExploit Average 45 15 2017
- 17. Struts vulnerability announced The breach Breach discovered. New Strutsand Spring vulnerabilities. 12 months since Equifax breach. 0 20,000 40,000 60,000 80,000 100,000 120,000 Mar-17 Apr-17 May-17 Jun-17 Jul-17 Aug-17 Sep-17 Oct-17 Nov-17 Dec-17 Jan-18 Feb-18 Mar-18 Total Breach disclosed. 80% SHOW POOR CYBER HYGIENE Number of vulnerable Struts component downloads per month
- 18. Source: Maven CentralRepository, March 2018 VULNERABLE SPRING FRAMEWORK DOWNLOADS CVE-2017-8046
- 19. 72% see security pros inthe role of “nag”.
- 20.
- 22. Which application securitytools are critical to your organization?
- 23. TRUSTED SOFTWARE SUPPLYCHAINS
- 24. The question isnot: Can we build secure software?
- 25. Businesses decide whereand how to invest in cybersecurity based on a cost-benefit assessment but they are ultimately liable for the security of their data and systems. U.K.’s National Cyber Security Strategy 2016 - 2021
- 26. “Emphasize performance ofthe entire system and never pass a defect downstream.” Gene Kim The Phoenix Project 2013
- 27.