SlideShare una empresa de Scribd logo

Risks in the Software Supply Chain

Mark Sherman
Mark Sherman

Presentation on the risks present in the supply chain for software given at the Supply Chain Risk Management Symposium on Jan 15, 2015 in Arlington VA. Contains a brief introduction on how one might approach reducing the risks.

Software
1 de 25
Descargar para leer sin conexión
© 2015 Carnegie Mellon University Risks in the Software Supply Chain Software Engineering Institute Carnegie Mellon University Pittsburgh, PA 15213 Mark Sherman, Ph.D. Technical Director, CERT Jan 15, 2015
2 Risks in the Software Supply Chain Mark Sherman, 15-Jan-2015 © 2015 Carnegie Mellon University Copyright 2015 Carnegie Mellon University This material is based upon work funded and supported by the Department of Defense under Contract No. FA8721-05-C-0003 with Carnegie Mellon University for the operation of the Software Engineering Institute, a federally funded research and development center. Any opinions, findings and conclusions or recommendations expressed in this material are those of the author(s) and do not necessarily reflect the views of the United States Department of Defense. References herein to any specific commercial product, process, or service by trade name, trade mark, manufacturer, or otherwise, does not necessarily constitute or imply its endorsement, recommendation, or favoring by Carnegie Mellon University or its Software Engineering Institute. NO WARRANTY. THIS CARNEGIE MELLON UNIVERSITY AND SOFTWARE ENGINEERING INSTITUTE MATERIAL IS FURNISHED ON AN “AS-IS” BASIS. CARNEGIE MELLON UNIVERSITY MAKES NO WARRANTIES OF ANY KIND, EITHER EXPRESSED OR IMPLIED, AS TO ANY MATTER INCLUDING, BUT NOT LIMITED TO, WARRANTY OF FITNESS FOR PURPOSE OR MERCHANTABILITY, EXCLUSIVITY, OR RESULTS OBTAINED FROM USE OF THE MATERIAL. CARNEGIE MELLON UNIVERSITY DOES NOT MAKE ANY WARRANTY OF ANY KIND WITH RESPECT TO FREEDOM FROM PATENT, TRADEMARK, OR COPYRIGHT INFRINGEMENT. This material has been approved for public release and unlimited distribution. This material may be reproduced in its entirety, without modification, and freely distributed in written or electronic form without requesting formal permission. Permission is required for any other use. Requests for permission should be directed to the Software Engineering Institute at permission@sei.cmu.edu. Carnegie Mellon®, CERT® and CMMI® are registered marks of Carnegie Mellon University. DM-0002130
3 Risks in the Software Supply Chain Mark Sherman, 15-Jan-2015 © 2015 Carnegie Mellon University Conventional view of supply chain risk Sources: http://www.nytix.com/NewYorkCity/articles/handbags.html; http://www.laserwisetech.co.nz/secret.php; http://www.muscatdaily.com/Archive/Oman/Fake-car-parts-contribute-to-rise-in-road-accidents-Experts; http://www.andovercg.com/services/cisco-counterfeit-wic-1dsu-t1.shtml; http://unites-systems.com/l.php?id=191
4 Risks in the Software Supply Chain Mark Sherman, 15-Jan-2015 © 2015 Carnegie Mellon University Software is the new hardware – IT IT moving from specialized hardware to software, virtualized as • Servers: virtual CPUs • Storage: SANs • Switches: Soft switches • Networks: Software defined networks
5 Risks in the Software Supply Chain Mark Sherman, 15-Jan-2015 © 2015 Carnegie Mellon University • Cellular • Main processor • Base band processor • Secure element (SIM) • Automotive • Up to 100 networked CPUs in luxury cars • Vehicle to infrastructure (V2I) • Vehicle to vehicle (V2V) • Industrial and home automation • 3D printing (additive manufacturing) • Autonomous robots • Interconnected SCADA • Aviation • 80% of airplane function in software • Next Gen air traffic control • Smart grid • Smart electric meters • Smart metering infrastructure • Embedded medical devices Software is the new hardware – cyber physical
6 Risks in the Software Supply Chain Mark Sherman, 15-Jan-2015 © 2015 Carnegie Mellon University Software is the new hardware – everything 90 percent of [Samsung’s] products -- which includes everything from smartphones to refrigerator-- would be able to connect to the Web by 2017. In five years, every product in the company's entire catalog would be Internet connected. B.K. Yoon, Samsung co-CEO CNET Jan 5, 2015 Source: http://www.cnet.com/news/samsung-co-ceo-in-5-years-all-our-products-will-be-internet-connected/ http://www.wsj.com/articles/SB10001424053111903480904576512250915629460 Software is eating the world. Marc Andreessen, WSJ, Aug 20,2011
7 Risks in the Software Supply Chain Mark Sherman, 15-Jan-2015 © 2015 Carnegie Mellon University Evolution of software development Custom development – context: • Software was limited  Size  Function  Audience • Each organization employed developers • Each organization created their own software Shared development – ISVs (COTS) – context: • Function largely understood  Automating existing processes • Grown beyond ability for using organization to development economically • Outside of core competitiveness by acquirers Supply chain: practically none Supply chain: software supplier
8 Risks in the Software Supply Chain Mark Sherman, 15-Jan-2015 © 2015 Carnegie Mellon University Development is now assembly General Ledger SQL Server WebSphere HTTP server XML Parser Oracle DB SIP servlet container GIF library Note: hypothetical application composition Collective development – context: • Too large for single organization • Too much specialization • Too little value in individual components Supply chain: long
9 Risks in the Software Supply Chain Mark Sherman, 15-Jan-2015 © 2015 Carnegie Mellon University Software supply chain for assembled software Expanding the scope and complexity of acquisition and deployment Visibility and direct program office controls are limited (only in shaded area) Source: “Scope of Supplier Expansion and Foreign Involvement” graphic in DACS www.softwaretechnews.com Secure Software Engineering, July 2005 article “Software Development Security: A Risk Management Perspective” synopsis of May 2004 GAO-04- 678 report “Defense Acquisition: Knowledge of Software Suppliers Needed to Manage Risks”
10 Risks in the Software Supply Chain Mark Sherman, 15-Jan-2015 © 2015 Carnegie Mellon University Corruption along the supply chain is easy Knowledgeable analysts can convert packaged binary into malware in minutes Sources: Pedro Candel, Deloitte CyberSOC Academy , Deloitte http://www.8enise.webcastlive.es/webcast.htm?video=08; http://www.microsoft.com/Products/Games/FSInsider/freeflight/PublishingImages/scene.jpg; https://www.withfriendship.com/user/mithunss/easter-eggs-in-microsoft-products.php Unexpected or unintended behaviors in components
11 Risks in the Software Supply Chain Mark Sherman, 15-Jan-2015 © 2015 Carnegie Mellon University Substantial open source contained in supply chain • At least 75% of organizations rely on open source as the foundation of their applications • Most applications are now assembled from hundreds of open source components, often reflecting as much as 90% of an application. Distributed development – context: • Amortize expense • Outsource non-differential features • Lower acquisition (CapEx) expense Source: Sonatype, 2014 Sonatype Open Source Development and Application Security Survey Supply chain: opaque
12 Risks in the Software Supply Chain Mark Sherman, 15-Jan-2015 © 2015 Carnegie Mellon University Open source supply chain has a long path App server HTTP server XML Parser C Libraries C compiler Generated Parser Parser Generator 2nd Compiler
13 Risks in the Software Supply Chain Mark Sherman, 15-Jan-2015 © 2015 Carnegie Mellon University Versions of Android illustrate open source fragmentation Source: http://opensignal.com/reports/fragmentation.php .
14 Risks in the Software Supply Chain Mark Sherman, 15-Jan-2015 © 2015 Carnegie Mellon University Open source is not secure Heartbleed and Shellshock were found by exploitation Other open source software illustrates vulnerabilities from cursory inspection Sources: Steve Christey (MITRE) & Brian Martin (OSF), Buying Into the Bias: Why Vulnerability Statistics Suck, https://media.blackhat.com/us-13/US-13-Martin-Buying-Into-The-Bias-Why-Vulnerability-Statistics- Suck-Slides.pdf; Sonatype, Sonatype Open Source Development and Application Security Survey 46 million vulnerable open source components downloaded annually
15 Risks in the Software Supply Chain Mark Sherman, 15-Jan-2015 © 2015 Carnegie Mellon University Reducing software supply chain risk factors Software supply chain risk for a product needs to be reduced to acceptable level Supplier follows practices that reduce supply chain risks Delivered or updated product is acceptably secure Product Distribution Operational Product Control Product is used in a secure manner Methods of transmitting the product to the purchaser guard again tampering Product Security Supplier Capability
16 Risks in the Software Supply Chain Mark Sherman, 15-Jan-2015 © 2015 Carnegie Mellon University Supplier security commitment evidence Supplier employees are educated as to security engineering practices • Documentation for each engineer of training and when trained/retrained • Revision dates for training materials • Lists of acceptable credentials for instructors • Names of instructors and their credentials Supplier follows suitable security design practices • Documented design guidelines • Provides evidence that design and coding weaknesses that affect security have been addressed (Common Weakness Enumeration (CWE)) • Has analyzed attack patterns appropriate to the design such as those that are included in Common Attack Pattern Enumeration and Classification (CAPEC)
17 Risks in the Software Supply Chain Mark Sherman, 15-Jan-2015 © 2015 Carnegie Mellon University Evaluate a product’s threat resistance What product characteristics minimize opportunities to enter and change the product’s security characteristics? • Attack surface evaluation: Exploitable features have been identified and eliminated where possible – Access controls – Input/output channels – Attack enabling applications – email, Web – Targets • Design and coding weaknesses associated with exploitable features have been identified and mitigated (CWE) • Independent validation and verification of threat resistance
18 Risks in the Software Supply Chain Mark Sherman, 15-Jan-2015 © 2015 Carnegie Mellon University Establishing good product distribution practices Recognize that supply chain risks are accumulated • Subcontractor/COTS-product supply chain risk is inherited by those that use that software, tool, system, etc. Apply to the acquiring organizations and their suppliers • Require good security practices by their suppliers • Assess the security of delivered products • Address the additional risks associated with using the product in their context
19 Risks in the Software Supply Chain Mark Sherman, 15-Jan-2015 © 2015 Carnegie Mellon University Maintain attack resistance Who assumes responsibility for preserving product attack resistance with product deployment? • Patching and version upgrades • Expanded distribution of usage • Expanded integration Usage changes the attack surface and potential attacks for the product • Change in feature usage or risks • Are supplier risk mitigations adequate for desired usage? • Effects of vendor upgrades/patches and local configuration changes • Effects of integration into operations (system of systems)
20 Risks in the Software Supply Chain Mark Sherman, 15-Jan-2015 © 2015 Carnegie Mellon University What about open source? Establish a supplier for open source • Self • 3rd party focusing on open source Subject to same evaluation • Supplier capability • Product security • Product distribution • Operational product control Source: http://opensource.org/
21 Risks in the Software Supply Chain Mark Sherman, 15-Jan-2015 © 2015 Carnegie Mellon University Business decisions are about risk There are many risks to a business process or mission thread • Within a system • Collection of systems Supply chain is one of many risk components Evaluate software supply chain risk in the larger context of • Supply chain risk • System risk • System of systems risk
22 Risks in the Software Supply Chain Mark Sherman, 15-Jan-2015 © 2015 Carnegie Mellon University Security Engineering Risk Analysis (SERA ) 1. Establish operational context. 2. Identify risk. 3. Analyze risk. 4. Develop control plan. Mission Thread / Business Process Worksheet Risk Identification Worksheet Risk Evaluation Criteria Risk Analysis Worksheet Control Approach Worksheet Control Plan Worksheet
23 Risks in the Software Supply Chain Mark Sherman, 15-Jan-2015 © 2015 Carnegie Mellon University Where to start Anywhere • 76% do not have meaningful controls over what components are in their applications • 81% do not coordinate their security practices in various stages of the development life cycle • 47% do not perform acceptance tests for third-party code Plenty of models to choose from BSIMM: Building Security in Maturity Model CMMI: Capability Maturity Model Integration for Acquisitions PRM: SwA Forum Processes and Practices Group Process Reference Model RMM: CERT Resilience Management Model SAMM: OWASP Open Software Assurance Maturity Model Sources: Sonatype, 2014 Sonatype Open Source Development and Application Security Survey; Forrester Consulting, “State of Application Security,” January 2011
24 Risks in the Software Supply Chain Mark Sherman, 15-Jan-2015 © 2015 Carnegie Mellon University Further reading Alberts, Christopher, et al., “Introduction to the Security Engineering Risk Analysis (SERA) Fraemwork,” Software Engineering Institute, Nov 2014, http://resources.sei.cmu.edu/asset_files/TechnicalNote/2014_004_001_427329.pdf Axelrod, C. Warren, “Mitigating Software Supply Chain Risk,” ISCA Journal Online, Vol 4., 2013, http://www.isaca.org/Journal/Past- Issues/2013/Volume-4/Pages/JOnline-Mitigating-Software-Supply-Chain-Risk.aspx Axelrod, C. Warren, “Malware, Weakware and the Security of Software Supply Chains,” Cross-Talk, March/April 2014, p. 20, http://www.crosstalkonline.org/storage/issue-archives/2014/201403/201403-Axelrod.pdf Ellison, Robert, et al, “Software Supply Chain Risk Management: From Products to Systems of Systems,” Software Engineering Institute, Dec 2010, https://resources.sei.cmu.edu/asset_files/technicalnote/2010_004_001_15194.pdf Ellison, Robert, et al. “Evaluating and Mitigating Software Supply Chain Security Risks,” Software Engineering Institute, May 2010, http://resources.sei.cmu.edu/asset_files/technicalnote/2010_004_001_15176.pdf Ellison, Robert and Woody, Carol, “Supply-Chain Risk Management: Incorporating Security into Software Development,” Proceedings of the 43rd Hawaii International Conference on System Sciences, 2010, http://resources.sei.cmu.edu/asset_files/WhitePaper/2013_019_001_297341.pdf Jarzombek, Joe, “Collaboratively Advancing Strategies to Mitigate Software Supply Chain Risks,” July 30, 2009, http://csrc.nist.gov/groups/SMA/ispab/documents/minutes/2009-07/ispab_july09-jarzombek_swa-supply-chain.pdf Software Assurance Forum, Processes and Practices Working Group, “Software Assurance Checklist for Software Supply Chain Risk Management,” https://buildsecurityin.us-cert.gov/sites/default/files/20101208-SwAChecklist.pdf “Software Supply Chain Risk Management & Due-Diligence,” Software Assurance Pocket Guide Series: Acquisition & Outsourcing, Vol II, Version 1.2, June 16, 2009, https://buildsecurityin.us-cert.gov/sites/default/files/DueDiligenceMWV12_01AM090909.pdf
25 Risks in the Software Supply Chain Mark Sherman, 15-Jan-2015 © 2015 Carnegie Mellon University Contact Information Slide Format Mark Sherman Technical Director Cyber Security Foundations Telephone: +1 412-268-9223 Email: mssherman@sei.cmu.edu U.S. Mail Software Engineering Institute Customer Relations 4500 Fifth Avenue Pittsburgh, PA 15213-2612 USA Web www.sei.cmu.edu www.sei.cmu.edu/contact.cfm Customer Relations Email: info@sei.cmu.edu Telephone: +1 412-268-5800 SEI Phone: +1 412-268-5800 SEI Fax: +1 412-268-6257

Recomendados

Cybersecurity Best Practices for 3rd Party Supply Chain
Cybersecurity Best Practices for 3rd Party Supply ChainCybersecurity Best Practices for 3rd Party Supply Chain
Cybersecurity Best Practices for 3rd Party Supply ChainAnthony Braddy
 
What the New OWASP Top 10 2013 and Latest X-Force Report Mean for App Sec
What the New OWASP Top 10 2013 and Latest X-Force Report Mean for App SecWhat the New OWASP Top 10 2013 and Latest X-Force Report Mean for App Sec
What the New OWASP Top 10 2013 and Latest X-Force Report Mean for App SecIBM Security
 
SOFWARE QUALITY, INTRODUCTION
SOFWARE QUALITY, INTRODUCTIONSOFWARE QUALITY, INTRODUCTION
SOFWARE QUALITY, INTRODUCTIONNetworked Research Lab, UK
 
Fortify Continuous Delivery
Fortify Continuous DeliveryFortify Continuous Delivery
Fortify Continuous DeliveryMainstay
 
2009 X Force Treath And Risk Wwiscop
2009 X Force Treath And Risk Wwiscop2009 X Force Treath And Risk Wwiscop
2009 X Force Treath And Risk WwiscopJuan Carlos Carrillo
 
Research Article On Web Application Security
Research Article On Web Application SecurityResearch Article On Web Application Security
Research Article On Web Application SecuritySaadSaif6
 
web security
web securityweb security
web securityMyprivateresearcher.com
 
State of Web Application Security by Ponemon Institute
State of Web Application Security by Ponemon InstituteState of Web Application Security by Ponemon Institute
State of Web Application Security by Ponemon InstituteJeremiah Grossman
 

Recomendados

Cybersecurity Best Practices for 3rd Party Supply Chain
Cybersecurity Best Practices for 3rd Party Supply ChainCybersecurity Best Practices for 3rd Party Supply Chain
Cybersecurity Best Practices for 3rd Party Supply ChainAnthony Braddy
 
What the New OWASP Top 10 2013 and Latest X-Force Report Mean for App Sec
What the New OWASP Top 10 2013 and Latest X-Force Report Mean for App SecWhat the New OWASP Top 10 2013 and Latest X-Force Report Mean for App Sec
What the New OWASP Top 10 2013 and Latest X-Force Report Mean for App SecIBM Security
 
SOFWARE QUALITY, INTRODUCTION
SOFWARE QUALITY, INTRODUCTIONSOFWARE QUALITY, INTRODUCTION
SOFWARE QUALITY, INTRODUCTIONNetworked Research Lab, UK
 
Fortify Continuous Delivery
Fortify Continuous DeliveryFortify Continuous Delivery
Fortify Continuous DeliveryMainstay
 
2009 X Force Treath And Risk Wwiscop
2009 X Force Treath And Risk Wwiscop2009 X Force Treath And Risk Wwiscop
2009 X Force Treath And Risk WwiscopJuan Carlos Carrillo
 
Research Article On Web Application Security
Research Article On Web Application SecurityResearch Article On Web Application Security
Research Article On Web Application SecuritySaadSaif6
 
web security
web securityweb security
web securityMyprivateresearcher.com
 
State of Web Application Security by Ponemon Institute
State of Web Application Security by Ponemon InstituteState of Web Application Security by Ponemon Institute
State of Web Application Security by Ponemon InstituteJeremiah Grossman
 
Webinar–Improving Fuzz Testing of Infotainment Systems and Telematics Units U...
Webinar–Improving Fuzz Testing of Infotainment Systems and Telematics Units U...Webinar–Improving Fuzz Testing of Infotainment Systems and Telematics Units U...
Webinar–Improving Fuzz Testing of Infotainment Systems and Telematics Units U...Synopsys Software Integrity Group
 
Phil Koopman's ISSRE 2016 Keynote
Phil Koopman's ISSRE 2016 KeynotePhil Koopman's ISSRE 2016 Keynote
Phil Koopman's ISSRE 2016 Keynoteedgecaseresearch
 
[Whitepaper] Culture of Security
[Whitepaper] Culture of Security[Whitepaper] Culture of Security
[Whitepaper] Culture of SecurityFlevy.com Best Practices
 
The unprecedented state of web insecurity
The unprecedented state of web insecurityThe unprecedented state of web insecurity
The unprecedented state of web insecurityVincent Kwon
 
Web Application Testing for Today’s Biggest and Emerging Threats
Web Application Testing for Today’s Biggest and Emerging ThreatsWeb Application Testing for Today’s Biggest and Emerging Threats
Web Application Testing for Today’s Biggest and Emerging ThreatsAlan Kan
 
White Paper: Leveraging The OWASP Top Ten to Simplify application security a...
White Paper: Leveraging The OWASP Top Ten to Simplify application security a...White Paper: Leveraging The OWASP Top Ten to Simplify application security a...
White Paper: Leveraging The OWASP Top Ten to Simplify application security a...Security Innovation
 
Web Application Security Guide by Qualys 2011
Web Application Security Guide by Qualys 2011 Web Application Security Guide by Qualys 2011
Web Application Security Guide by Qualys 2011 nat page
 
IMPLEMENTATION OF MOSRE FRAMEWORK FOR A WEB APPLICATION - A CASE STUDY
IMPLEMENTATION OF MOSRE FRAMEWORK FOR A WEB APPLICATION - A CASE STUDYIMPLEMENTATION OF MOSRE FRAMEWORK FOR A WEB APPLICATION - A CASE STUDY
IMPLEMENTATION OF MOSRE FRAMEWORK FOR A WEB APPLICATION - A CASE STUDYijwscjournal
 
Web App Sec Benchmarks
Web App Sec BenchmarksWeb App Sec Benchmarks
Web App Sec BenchmarksAung Khant
 
Performance testing methodologies and tools
Performance testing methodologies and toolsPerformance testing methodologies and tools
Performance testing methodologies and toolsAlexander Decker
 
11.performance testing methodologies and tools
11.performance testing methodologies and tools11.performance testing methodologies and tools
11.performance testing methodologies and toolsAlexander Decker
 
AppSec How-To: Achieving Security in DevOps
AppSec How-To: Achieving Security in DevOpsAppSec How-To: Achieving Security in DevOps
AppSec How-To: Achieving Security in DevOpsCheckmarx
 
IRJET- Underpinning the Impact of Web Application Security on Businesses ...
IRJET- Underpinning the Impact of Web Application Security on Businesses ...IRJET- Underpinning the Impact of Web Application Security on Businesses ...
IRJET- Underpinning the Impact of Web Application Security on Businesses ...IRJET Journal
 
Webinar–5 ways to risk rank your vulnerabilities
Webinar–5 ways to risk rank your vulnerabilitiesWebinar–5 ways to risk rank your vulnerabilities
Webinar–5 ways to risk rank your vulnerabilitiesSynopsys Software Integrity Group
 
IT Metrics in Real Life
IT Metrics in Real LifeIT Metrics in Real Life
IT Metrics in Real LifeFabio Cicerchia
 
Implementing and Managing Open Source Compliance Programs - A Crash Course
Implementing and Managing Open Source Compliance Programs - A Crash CourseImplementing and Managing Open Source Compliance Programs - A Crash Course
Implementing and Managing Open Source Compliance Programs - A Crash CourseOpen Source Strategy Forum
 
RITISH AGGARWAL
RITISH AGGARWALRITISH AGGARWAL
RITISH AGGARWAL9914814928
 
Online Payments For Developers
Online Payments For DevelopersOnline Payments For Developers
Online Payments For DevelopersPayPalX Developer Network
 
Mobile Payments: An IBM Point of View
Mobile Payments: An IBM Point of ViewMobile Payments: An IBM Point of View
Mobile Payments: An IBM Point of ViewMark Sherman
 
Dell Supply Chain Management
Dell Supply Chain ManagementDell Supply Chain Management
Dell Supply Chain Managementpratikdhar
 
Routing Protocols in WSN
Routing Protocols in WSNRouting Protocols in WSN
Routing Protocols in WSNDarpan Dekivadiya
 
Unpacking TOGAF's 'Phase B': Business Transformation, Business Architecture a...
Unpacking TOGAF's 'Phase B': Business Transformation, Business Architecture a...Unpacking TOGAF's 'Phase B': Business Transformation, Business Architecture a...
Unpacking TOGAF's 'Phase B': Business Transformation, Business Architecture a...Tetradian Consulting
 

Más contenido relacionado

La actualidad más candente

Webinar–Improving Fuzz Testing of Infotainment Systems and Telematics Units U...
Webinar–Improving Fuzz Testing of Infotainment Systems and Telematics Units U...Webinar–Improving Fuzz Testing of Infotainment Systems and Telematics Units U...
Webinar–Improving Fuzz Testing of Infotainment Systems and Telematics Units U...Synopsys Software Integrity Group
 
Phil Koopman's ISSRE 2016 Keynote
Phil Koopman's ISSRE 2016 KeynotePhil Koopman's ISSRE 2016 Keynote
Phil Koopman's ISSRE 2016 Keynoteedgecaseresearch
 
The unprecedented state of web insecurity
The unprecedented state of web insecurityThe unprecedented state of web insecurity
The unprecedented state of web insecurityVincent Kwon
 
Web Application Testing for Today’s Biggest and Emerging Threats
Web Application Testing for Today’s Biggest and Emerging ThreatsWeb Application Testing for Today’s Biggest and Emerging Threats
Web Application Testing for Today’s Biggest and Emerging ThreatsAlan Kan
 
White Paper: Leveraging The OWASP Top Ten to Simplify application security a...
White Paper: Leveraging The OWASP Top Ten to Simplify application security a...White Paper: Leveraging The OWASP Top Ten to Simplify application security a...
White Paper: Leveraging The OWASP Top Ten to Simplify application security a...Security Innovation
 
Web Application Security Guide by Qualys 2011
Web Application Security Guide by Qualys 2011 Web Application Security Guide by Qualys 2011
Web Application Security Guide by Qualys 2011 nat page
 
IMPLEMENTATION OF MOSRE FRAMEWORK FOR A WEB APPLICATION - A CASE STUDY
IMPLEMENTATION OF MOSRE FRAMEWORK FOR A WEB APPLICATION - A CASE STUDYIMPLEMENTATION OF MOSRE FRAMEWORK FOR A WEB APPLICATION - A CASE STUDY
IMPLEMENTATION OF MOSRE FRAMEWORK FOR A WEB APPLICATION - A CASE STUDYijwscjournal
 
Web App Sec Benchmarks
Web App Sec BenchmarksWeb App Sec Benchmarks
Web App Sec BenchmarksAung Khant
 
Performance testing methodologies and tools
Performance testing methodologies and toolsPerformance testing methodologies and tools
Performance testing methodologies and toolsAlexander Decker
 
11.performance testing methodologies and tools
11.performance testing methodologies and tools11.performance testing methodologies and tools
11.performance testing methodologies and toolsAlexander Decker
 
AppSec How-To: Achieving Security in DevOps
AppSec How-To: Achieving Security in DevOpsAppSec How-To: Achieving Security in DevOps
AppSec How-To: Achieving Security in DevOpsCheckmarx
 
IRJET- Underpinning the Impact of Web Application Security on Businesses ...
IRJET- Underpinning the Impact of Web Application Security on Businesses ...IRJET- Underpinning the Impact of Web Application Security on Businesses ...
IRJET- Underpinning the Impact of Web Application Security on Businesses ...IRJET Journal
 
Implementing and Managing Open Source Compliance Programs - A Crash Course
Implementing and Managing Open Source Compliance Programs - A Crash CourseImplementing and Managing Open Source Compliance Programs - A Crash Course
Implementing and Managing Open Source Compliance Programs - A Crash CourseOpen Source Strategy Forum
 

La actualidad más candente (16)

Webinar–Improving Fuzz Testing of Infotainment Systems and Telematics Units U...
Webinar–Improving Fuzz Testing of Infotainment Systems and Telematics Units U...Webinar–Improving Fuzz Testing of Infotainment Systems and Telematics Units U...
Webinar–Improving Fuzz Testing of Infotainment Systems and Telematics Units U...
 
Phil Koopman's ISSRE 2016 Keynote
Phil Koopman's ISSRE 2016 KeynotePhil Koopman's ISSRE 2016 Keynote
Phil Koopman's ISSRE 2016 Keynote
 
[Whitepaper] Culture of Security
[Whitepaper] Culture of Security[Whitepaper] Culture of Security
[Whitepaper] Culture of Security
 
The unprecedented state of web insecurity
The unprecedented state of web insecurityThe unprecedented state of web insecurity
The unprecedented state of web insecurity
 
Web Application Testing for Today’s Biggest and Emerging Threats
Web Application Testing for Today’s Biggest and Emerging ThreatsWeb Application Testing for Today’s Biggest and Emerging Threats
Web Application Testing for Today’s Biggest and Emerging Threats
 
White Paper: Leveraging The OWASP Top Ten to Simplify application security a...
White Paper: Leveraging The OWASP Top Ten to Simplify application security a...White Paper: Leveraging The OWASP Top Ten to Simplify application security a...
White Paper: Leveraging The OWASP Top Ten to Simplify application security a...
 
Web Application Security Guide by Qualys 2011
Web Application Security Guide by Qualys 2011 Web Application Security Guide by Qualys 2011
Web Application Security Guide by Qualys 2011
 
IMPLEMENTATION OF MOSRE FRAMEWORK FOR A WEB APPLICATION - A CASE STUDY
IMPLEMENTATION OF MOSRE FRAMEWORK FOR A WEB APPLICATION - A CASE STUDYIMPLEMENTATION OF MOSRE FRAMEWORK FOR A WEB APPLICATION - A CASE STUDY
IMPLEMENTATION OF MOSRE FRAMEWORK FOR A WEB APPLICATION - A CASE STUDY
 
Web App Sec Benchmarks
Web App Sec BenchmarksWeb App Sec Benchmarks
Web App Sec Benchmarks
 
Performance testing methodologies and tools
Performance testing methodologies and toolsPerformance testing methodologies and tools
Performance testing methodologies and tools
 
11.performance testing methodologies and tools
11.performance testing methodologies and tools11.performance testing methodologies and tools
11.performance testing methodologies and tools
 
AppSec How-To: Achieving Security in DevOps
AppSec How-To: Achieving Security in DevOpsAppSec How-To: Achieving Security in DevOps
AppSec How-To: Achieving Security in DevOps
 
IRJET- Underpinning the Impact of Web Application Security on Businesses ...
IRJET- Underpinning the Impact of Web Application Security on Businesses ...IRJET- Underpinning the Impact of Web Application Security on Businesses ...
IRJET- Underpinning the Impact of Web Application Security on Businesses ...
 
Webinar–5 ways to risk rank your vulnerabilities
Webinar–5 ways to risk rank your vulnerabilitiesWebinar–5 ways to risk rank your vulnerabilities
Webinar–5 ways to risk rank your vulnerabilities
 
IT Metrics in Real Life
IT Metrics in Real LifeIT Metrics in Real Life
IT Metrics in Real Life
 
Implementing and Managing Open Source Compliance Programs - A Crash Course
Implementing and Managing Open Source Compliance Programs - A Crash CourseImplementing and Managing Open Source Compliance Programs - A Crash Course
Implementing and Managing Open Source Compliance Programs - A Crash Course
 

Destacado

RITISH AGGARWAL
RITISH AGGARWALRITISH AGGARWAL
RITISH AGGARWAL9914814928
 
Mobile Payments: An IBM Point of View
Mobile Payments: An IBM Point of ViewMobile Payments: An IBM Point of View
Mobile Payments: An IBM Point of ViewMark Sherman
 
Dell Supply Chain Management
Dell Supply Chain ManagementDell Supply Chain Management
Dell Supply Chain Managementpratikdhar
 
Unpacking TOGAF's 'Phase B': Business Transformation, Business Architecture a...
Unpacking TOGAF's 'Phase B': Business Transformation, Business Architecture a...Unpacking TOGAF's 'Phase B': Business Transformation, Business Architecture a...
Unpacking TOGAF's 'Phase B': Business Transformation, Business Architecture a...Tetradian Consulting
 
software configuration management
software configuration managementsoftware configuration management
software configuration managementFáber D. Giraldo
 
IT Portfolio Management Using Enterprise Architecture and ITIL® Service Strategy
IT Portfolio Management Using Enterprise Architecture and ITIL® Service StrategyIT Portfolio Management Using Enterprise Architecture and ITIL® Service Strategy
IT Portfolio Management Using Enterprise Architecture and ITIL® Service StrategyNUS-ISS
 
Telecommunication Business Process - eTOM Flows
Telecommunication Business Process - eTOM FlowsTelecommunication Business Process - eTOM Flows
Telecommunication Business Process - eTOM FlowsRobert Bratulic
 

Destacado (9)

RITISH AGGARWAL
RITISH AGGARWALRITISH AGGARWAL
RITISH AGGARWAL
 
Online Payments For Developers
Online Payments For DevelopersOnline Payments For Developers
Online Payments For Developers
 
Mobile Payments: An IBM Point of View
Mobile Payments: An IBM Point of ViewMobile Payments: An IBM Point of View
Mobile Payments: An IBM Point of View
 
Dell Supply Chain Management
Dell Supply Chain ManagementDell Supply Chain Management
Dell Supply Chain Management
 
Routing Protocols in WSN
Routing Protocols in WSNRouting Protocols in WSN
Routing Protocols in WSN
 
Unpacking TOGAF's 'Phase B': Business Transformation, Business Architecture a...
Unpacking TOGAF's 'Phase B': Business Transformation, Business Architecture a...Unpacking TOGAF's 'Phase B': Business Transformation, Business Architecture a...
Unpacking TOGAF's 'Phase B': Business Transformation, Business Architecture a...
 
software configuration management
software configuration managementsoftware configuration management
software configuration management
 
IT Portfolio Management Using Enterprise Architecture and ITIL® Service Strategy
IT Portfolio Management Using Enterprise Architecture and ITIL® Service StrategyIT Portfolio Management Using Enterprise Architecture and ITIL® Service Strategy
IT Portfolio Management Using Enterprise Architecture and ITIL® Service Strategy
 
Telecommunication Business Process - eTOM Flows
Telecommunication Business Process - eTOM FlowsTelecommunication Business Process - eTOM Flows
Telecommunication Business Process - eTOM Flows
 

Similar a Risks in the Software Supply Chain

Applying Software Quality Models to Software Security
Applying Software Quality Models to Software SecurityApplying Software Quality Models to Software Security
Applying Software Quality Models to Software SecurityCAST
 
Emphasizing Value of Prioritizing AppSec Meetup 11052023.pptx
Emphasizing Value of Prioritizing AppSec Meetup 11052023.pptxEmphasizing Value of Prioritizing AppSec Meetup 11052023.pptx
Emphasizing Value of Prioritizing AppSec Meetup 11052023.pptxlior mazor
 
"CERT Secure Coding Standards" by Dr. Mark Sherman
"CERT Secure Coding Standards" by Dr. Mark Sherman"CERT Secure Coding Standards" by Dr. Mark Sherman
"CERT Secure Coding Standards" by Dr. Mark ShermanRinaldi Rampen
 
Tech Talk: Isn’t One Authentication Mechanism z Systems Enough?
Tech Talk: Isn’t One Authentication Mechanism z Systems Enough?Tech Talk: Isn’t One Authentication Mechanism z Systems Enough?
Tech Talk: Isn’t One Authentication Mechanism z Systems Enough?CA Technologies
 
Case Closed with IBM Application Security on Cloud infographic
Case Closed with IBM Application Security on Cloud infographicCase Closed with IBM Application Security on Cloud infographic
Case Closed with IBM Application Security on Cloud infographicIBM Security
 
Top 6 Web Application Security Best Practices.pdf
Top 6 Web Application Security Best Practices.pdfTop 6 Web Application Security Best Practices.pdf
Top 6 Web Application Security Best Practices.pdfSolviosTechnology
 
New threats to cyber-security
New threats to cyber-securityNew threats to cyber-security
New threats to cyber-securityMark Sherman
 
Fortify-Application_Security_Foundation_Training.pptx
Fortify-Application_Security_Foundation_Training.pptxFortify-Application_Security_Foundation_Training.pptx
Fortify-Application_Security_Foundation_Training.pptxYoisRoberthTapiadeLa
 
Fortify-Application_Security_Foundation_Training.pptx
Fortify-Application_Security_Foundation_Training.pptxFortify-Application_Security_Foundation_Training.pptx
Fortify-Application_Security_Foundation_Training.pptxVictoriaChavesta
 
Intelligence on the Intractable Problem of Software Security
Intelligence on the Intractable Problem of Software SecurityIntelligence on the Intractable Problem of Software Security
Intelligence on the Intractable Problem of Software SecurityTyler Shields
 
Unified application security analyser
Unified application security analyserUnified application security analyser
Unified application security analyserTim Youm
 
White Paper: 7 Security Gaps in the Neglected 90% of your Applications
White Paper: 7 Security Gaps in the Neglected 90% of your ApplicationsWhite Paper: 7 Security Gaps in the Neglected 90% of your Applications
White Paper: 7 Security Gaps in the Neglected 90% of your ApplicationsSonatype
 
Insider's Guide to the AppExchange Security Review (Dreamforce 2015)
Insider's Guide to the AppExchange Security Review (Dreamforce 2015)Insider's Guide to the AppExchange Security Review (Dreamforce 2015)
Insider's Guide to the AppExchange Security Review (Dreamforce 2015)Salesforce Partners
 
IBM Rational AppScan Product Overview
IBM Rational AppScan Product OverviewIBM Rational AppScan Product Overview
IBM Rational AppScan Product OverviewAshish Patel
 
Veracode Corporate Overview - Print
Veracode Corporate Overview - PrintVeracode Corporate Overview - Print
Veracode Corporate Overview - PrintAndrew Kanikuru
 
IBM Mobile Overview for Ecosystem Partners
IBM Mobile Overview for Ecosystem PartnersIBM Mobile Overview for Ecosystem Partners
IBM Mobile Overview for Ecosystem PartnersJeremy Siewert
 
JavaOne2013: Secure Engineering Practices for Java
JavaOne2013: Secure Engineering Practices for JavaJavaOne2013: Secure Engineering Practices for Java
JavaOne2013: Secure Engineering Practices for JavaChris Bailey
 

Similar a Risks in the Software Supply Chain (20)

Applying Software Quality Models to Software Security
Applying Software Quality Models to Software SecurityApplying Software Quality Models to Software Security
Applying Software Quality Models to Software Security
 
Emphasizing Value of Prioritizing AppSec Meetup 11052023.pptx
Emphasizing Value of Prioritizing AppSec Meetup 11052023.pptxEmphasizing Value of Prioritizing AppSec Meetup 11052023.pptx
Emphasizing Value of Prioritizing AppSec Meetup 11052023.pptx
 
"CERT Secure Coding Standards" by Dr. Mark Sherman
"CERT Secure Coding Standards" by Dr. Mark Sherman"CERT Secure Coding Standards" by Dr. Mark Sherman
"CERT Secure Coding Standards" by Dr. Mark Sherman
 
Tech Talk: Isn’t One Authentication Mechanism z Systems Enough?
Tech Talk: Isn’t One Authentication Mechanism z Systems Enough?Tech Talk: Isn’t One Authentication Mechanism z Systems Enough?
Tech Talk: Isn’t One Authentication Mechanism z Systems Enough?
 
Case Closed with IBM Application Security on Cloud infographic
Case Closed with IBM Application Security on Cloud infographicCase Closed with IBM Application Security on Cloud infographic
Case Closed with IBM Application Security on Cloud infographic
 
Top 6 Web Application Security Best Practices.pdf
Top 6 Web Application Security Best Practices.pdfTop 6 Web Application Security Best Practices.pdf
Top 6 Web Application Security Best Practices.pdf
 
New threats to cyber-security
New threats to cyber-securityNew threats to cyber-security
New threats to cyber-security
 
Automotive Cybersecurity: The Gap Still Exists
Automotive Cybersecurity: The Gap Still ExistsAutomotive Cybersecurity: The Gap Still Exists
Automotive Cybersecurity: The Gap Still Exists
 
Fortify-Application_Security_Foundation_Training.pptx
Fortify-Application_Security_Foundation_Training.pptxFortify-Application_Security_Foundation_Training.pptx
Fortify-Application_Security_Foundation_Training.pptx
 
Fortify-Application_Security_Foundation_Training.pptx
Fortify-Application_Security_Foundation_Training.pptxFortify-Application_Security_Foundation_Training.pptx
Fortify-Application_Security_Foundation_Training.pptx
 
Intelligence on the Intractable Problem of Software Security
Intelligence on the Intractable Problem of Software SecurityIntelligence on the Intractable Problem of Software Security
Intelligence on the Intractable Problem of Software Security
 
Unified application security analyser
Unified application security analyserUnified application security analyser
Unified application security analyser
 
White Paper: 7 Security Gaps in the Neglected 90% of your Applications
White Paper: 7 Security Gaps in the Neglected 90% of your ApplicationsWhite Paper: 7 Security Gaps in the Neglected 90% of your Applications
White Paper: 7 Security Gaps in the Neglected 90% of your Applications
 
Revolution in Mobility
Revolution in MobilityRevolution in Mobility
Revolution in Mobility
 
Research Paper
Research PaperResearch Paper
Research Paper
 
Insider's Guide to the AppExchange Security Review (Dreamforce 2015)
Insider's Guide to the AppExchange Security Review (Dreamforce 2015)Insider's Guide to the AppExchange Security Review (Dreamforce 2015)
Insider's Guide to the AppExchange Security Review (Dreamforce 2015)
 
IBM Rational AppScan Product Overview
IBM Rational AppScan Product OverviewIBM Rational AppScan Product Overview
IBM Rational AppScan Product Overview
 
Veracode Corporate Overview - Print
Veracode Corporate Overview - PrintVeracode Corporate Overview - Print
Veracode Corporate Overview - Print
 
IBM Mobile Overview for Ecosystem Partners
IBM Mobile Overview for Ecosystem PartnersIBM Mobile Overview for Ecosystem Partners
IBM Mobile Overview for Ecosystem Partners
 
JavaOne2013: Secure Engineering Practices for Java
JavaOne2013: Secure Engineering Practices for JavaJavaOne2013: Secure Engineering Practices for Java
JavaOne2013: Secure Engineering Practices for Java
 

Último

HR Software Buyers Guide in 2024 - HRSoftware.com
HR Software Buyers Guide in 2024 - HRSoftware.comHR Software Buyers Guide in 2024 - HRSoftware.com
HR Software Buyers Guide in 2024 - HRSoftware.comFatema Valibhai
 
Building a General PDE Solving Framework with Symbolic-Numeric Scientific Mac...
Building a General PDE Solving Framework with Symbolic-Numeric Scientific Mac...Building a General PDE Solving Framework with Symbolic-Numeric Scientific Mac...
Building a General PDE Solving Framework with Symbolic-Numeric Scientific Mac...stazi3110
 
Salesforce Certified Field Service Consultant
Salesforce Certified Field Service ConsultantSalesforce Certified Field Service Consultant
Salesforce Certified Field Service ConsultantAxelRicardoTrocheRiq
 
The Real-World Challenges of Medical Device Cybersecurity- Mitigating Vulnera...
The Real-World Challenges of Medical Device Cybersecurity- Mitigating Vulnera...The Real-World Challenges of Medical Device Cybersecurity- Mitigating Vulnera...
The Real-World Challenges of Medical Device Cybersecurity- Mitigating Vulnera...ICS
 
The Ultimate Test Automation Guide_ Best Practices and Tips.pdf
The Ultimate Test Automation Guide_ Best Practices and Tips.pdfThe Ultimate Test Automation Guide_ Best Practices and Tips.pdf
The Ultimate Test Automation Guide_ Best Practices and Tips.pdfkalichargn70th171
 
5 Signs You Need a Fashion PLM Software.pdf
5 Signs You Need a Fashion PLM Software.pdf5 Signs You Need a Fashion PLM Software.pdf
5 Signs You Need a Fashion PLM Software.pdfWave PLM
 
Try MyIntelliAccount Cloud Accounting Software As A Service Solution Risk Fre...
Try MyIntelliAccount Cloud Accounting Software As A Service Solution Risk Fre...Try MyIntelliAccount Cloud Accounting Software As A Service Solution Risk Fre...
Try MyIntelliAccount Cloud Accounting Software As A Service Solution Risk Fre...MyIntelliSource, Inc.
 
Advancing Engineering with AI through the Next Generation of Strategic Projec...
Advancing Engineering with AI through the Next Generation of Strategic Projec...Advancing Engineering with AI through the Next Generation of Strategic Projec...
Advancing Engineering with AI through the Next Generation of Strategic Projec...OnePlan Solutions
 
How To Use Server-Side Rendering with Nuxt.js
How To Use Server-Side Rendering with Nuxt.jsHow To Use Server-Side Rendering with Nuxt.js
How To Use Server-Side Rendering with Nuxt.jsAndolasoft Inc
 
How To Troubleshoot Collaboration Apps for the Modern Connected Worker
How To Troubleshoot Collaboration Apps for the Modern Connected WorkerHow To Troubleshoot Collaboration Apps for the Modern Connected Worker
How To Troubleshoot Collaboration Apps for the Modern Connected WorkerThousandEyes
 
Steps To Getting Up And Running Quickly With MyTimeClock Employee Scheduling ...
Steps To Getting Up And Running Quickly With MyTimeClock Employee Scheduling ...Steps To Getting Up And Running Quickly With MyTimeClock Employee Scheduling ...
Steps To Getting Up And Running Quickly With MyTimeClock Employee Scheduling ...MyIntelliSource, Inc.
 
Test Automation Strategy for Frontend and Backend
Test Automation Strategy for Frontend and BackendTest Automation Strategy for Frontend and Backend
Test Automation Strategy for Frontend and BackendArshad QA
 
Active Directory Penetration Testing, cionsystems.com.pdf
Active Directory Penetration Testing, cionsystems.com.pdfActive Directory Penetration Testing, cionsystems.com.pdf
Active Directory Penetration Testing, cionsystems.com.pdfCionsystems
 
Professional Resume Template for Software Developers
Professional Resume Template for Software DevelopersProfessional Resume Template for Software Developers
Professional Resume Template for Software DevelopersVinodh Ram
 
The Essentials of Digital Experience Monitoring_ A Comprehensive Guide.pdf
The Essentials of Digital Experience Monitoring_ A Comprehensive Guide.pdfThe Essentials of Digital Experience Monitoring_ A Comprehensive Guide.pdf
The Essentials of Digital Experience Monitoring_ A Comprehensive Guide.pdfkalichargn70th171
 
A Secure and Reliable Document Management System is Essential.docx
A Secure and Reliable Document Management System is Essential.docxA Secure and Reliable Document Management System is Essential.docx
A Secure and Reliable Document Management System is Essential.docxComplianceQuest1
 
(Genuine) Escort Service Lucknow | Starting ₹,5K To @25k with A/C 🧑🏽‍❤️‍🧑🏻 89...
(Genuine) Escort Service Lucknow | Starting ₹,5K To @25k with A/C 🧑🏽‍❤️‍🧑🏻 89...(Genuine) Escort Service Lucknow | Starting ₹,5K To @25k with A/C 🧑🏽‍❤️‍🧑🏻 89...
(Genuine) Escort Service Lucknow | Starting ₹,5K To @25k with A/C 🧑🏽‍❤️‍🧑🏻 89...gurkirankumar98700
 
why an Opensea Clone Script might be your perfect match.pdf
why an Opensea Clone Script might be your perfect match.pdfwhy an Opensea Clone Script might be your perfect match.pdf
why an Opensea Clone Script might be your perfect match.pdfjoe51371421
 

Último (20)

HR Software Buyers Guide in 2024 - HRSoftware.com
HR Software Buyers Guide in 2024 - HRSoftware.comHR Software Buyers Guide in 2024 - HRSoftware.com
HR Software Buyers Guide in 2024 - HRSoftware.com
 
Building a General PDE Solving Framework with Symbolic-Numeric Scientific Mac...
Building a General PDE Solving Framework with Symbolic-Numeric Scientific Mac...Building a General PDE Solving Framework with Symbolic-Numeric Scientific Mac...
Building a General PDE Solving Framework with Symbolic-Numeric Scientific Mac...
 
Salesforce Certified Field Service Consultant
Salesforce Certified Field Service ConsultantSalesforce Certified Field Service Consultant
Salesforce Certified Field Service Consultant
 
The Real-World Challenges of Medical Device Cybersecurity- Mitigating Vulnera...
The Real-World Challenges of Medical Device Cybersecurity- Mitigating Vulnera...The Real-World Challenges of Medical Device Cybersecurity- Mitigating Vulnera...
The Real-World Challenges of Medical Device Cybersecurity- Mitigating Vulnera...
 
The Ultimate Test Automation Guide_ Best Practices and Tips.pdf
The Ultimate Test Automation Guide_ Best Practices and Tips.pdfThe Ultimate Test Automation Guide_ Best Practices and Tips.pdf
The Ultimate Test Automation Guide_ Best Practices and Tips.pdf
 
5 Signs You Need a Fashion PLM Software.pdf
5 Signs You Need a Fashion PLM Software.pdf5 Signs You Need a Fashion PLM Software.pdf
5 Signs You Need a Fashion PLM Software.pdf
 
Try MyIntelliAccount Cloud Accounting Software As A Service Solution Risk Fre...
Try MyIntelliAccount Cloud Accounting Software As A Service Solution Risk Fre...Try MyIntelliAccount Cloud Accounting Software As A Service Solution Risk Fre...
Try MyIntelliAccount Cloud Accounting Software As A Service Solution Risk Fre...
 
Advancing Engineering with AI through the Next Generation of Strategic Projec...
Advancing Engineering with AI through the Next Generation of Strategic Projec...Advancing Engineering with AI through the Next Generation of Strategic Projec...
Advancing Engineering with AI through the Next Generation of Strategic Projec...
 
How To Use Server-Side Rendering with Nuxt.js
How To Use Server-Side Rendering with Nuxt.jsHow To Use Server-Side Rendering with Nuxt.js
How To Use Server-Side Rendering with Nuxt.js
 
Exploring iOS App Development: Simplifying the Process
Exploring iOS App Development: Simplifying the ProcessExploring iOS App Development: Simplifying the Process
Exploring iOS App Development: Simplifying the Process
 
How To Troubleshoot Collaboration Apps for the Modern Connected Worker
How To Troubleshoot Collaboration Apps for the Modern Connected WorkerHow To Troubleshoot Collaboration Apps for the Modern Connected Worker
How To Troubleshoot Collaboration Apps for the Modern Connected Worker
 
Steps To Getting Up And Running Quickly With MyTimeClock Employee Scheduling ...
Steps To Getting Up And Running Quickly With MyTimeClock Employee Scheduling ...Steps To Getting Up And Running Quickly With MyTimeClock Employee Scheduling ...
Steps To Getting Up And Running Quickly With MyTimeClock Employee Scheduling ...
 
Vip Call Girls Noida ➡️ Delhi ➡️ 9999965857 No Advance 24HRS Live
Vip Call Girls Noida ➡️ Delhi ➡️ 9999965857 No Advance 24HRS LiveVip Call Girls Noida ➡️ Delhi ➡️ 9999965857 No Advance 24HRS Live
Vip Call Girls Noida ➡️ Delhi ➡️ 9999965857 No Advance 24HRS Live
 
Test Automation Strategy for Frontend and Backend
Test Automation Strategy for Frontend and BackendTest Automation Strategy for Frontend and Backend
Test Automation Strategy for Frontend and Backend
 
Active Directory Penetration Testing, cionsystems.com.pdf
Active Directory Penetration Testing, cionsystems.com.pdfActive Directory Penetration Testing, cionsystems.com.pdf
Active Directory Penetration Testing, cionsystems.com.pdf
 
Professional Resume Template for Software Developers
Professional Resume Template for Software DevelopersProfessional Resume Template for Software Developers
Professional Resume Template for Software Developers
 
The Essentials of Digital Experience Monitoring_ A Comprehensive Guide.pdf
The Essentials of Digital Experience Monitoring_ A Comprehensive Guide.pdfThe Essentials of Digital Experience Monitoring_ A Comprehensive Guide.pdf
The Essentials of Digital Experience Monitoring_ A Comprehensive Guide.pdf
 
A Secure and Reliable Document Management System is Essential.docx
A Secure and Reliable Document Management System is Essential.docxA Secure and Reliable Document Management System is Essential.docx
A Secure and Reliable Document Management System is Essential.docx
 
(Genuine) Escort Service Lucknow | Starting ₹,5K To @25k with A/C 🧑🏽‍❤️‍🧑🏻 89...
(Genuine) Escort Service Lucknow | Starting ₹,5K To @25k with A/C 🧑🏽‍❤️‍🧑🏻 89...(Genuine) Escort Service Lucknow | Starting ₹,5K To @25k with A/C 🧑🏽‍❤️‍🧑🏻 89...
(Genuine) Escort Service Lucknow | Starting ₹,5K To @25k with A/C 🧑🏽‍❤️‍🧑🏻 89...
 
why an Opensea Clone Script might be your perfect match.pdf
why an Opensea Clone Script might be your perfect match.pdfwhy an Opensea Clone Script might be your perfect match.pdf
why an Opensea Clone Script might be your perfect match.pdf
 

Risks in the Software Supply Chain

  • 1. © 2015 Carnegie Mellon University Risks in the Software Supply Chain Software Engineering Institute Carnegie Mellon University Pittsburgh, PA 15213 Mark Sherman, Ph.D. Technical Director, CERT Jan 15, 2015
  • 2. 2 Risks in the Software Supply Chain Mark Sherman, 15-Jan-2015 © 2015 Carnegie Mellon University Copyright 2015 Carnegie Mellon University This material is based upon work funded and supported by the Department of Defense under Contract No. FA8721-05-C-0003 with Carnegie Mellon University for the operation of the Software Engineering Institute, a federally funded research and development center. Any opinions, findings and conclusions or recommendations expressed in this material are those of the author(s) and do not necessarily reflect the views of the United States Department of Defense. References herein to any specific commercial product, process, or service by trade name, trade mark, manufacturer, or otherwise, does not necessarily constitute or imply its endorsement, recommendation, or favoring by Carnegie Mellon University or its Software Engineering Institute. NO WARRANTY. THIS CARNEGIE MELLON UNIVERSITY AND SOFTWARE ENGINEERING INSTITUTE MATERIAL IS FURNISHED ON AN “AS-IS” BASIS. CARNEGIE MELLON UNIVERSITY MAKES NO WARRANTIES OF ANY KIND, EITHER EXPRESSED OR IMPLIED, AS TO ANY MATTER INCLUDING, BUT NOT LIMITED TO, WARRANTY OF FITNESS FOR PURPOSE OR MERCHANTABILITY, EXCLUSIVITY, OR RESULTS OBTAINED FROM USE OF THE MATERIAL. CARNEGIE MELLON UNIVERSITY DOES NOT MAKE ANY WARRANTY OF ANY KIND WITH RESPECT TO FREEDOM FROM PATENT, TRADEMARK, OR COPYRIGHT INFRINGEMENT. This material has been approved for public release and unlimited distribution. This material may be reproduced in its entirety, without modification, and freely distributed in written or electronic form without requesting formal permission. Permission is required for any other use. Requests for permission should be directed to the Software Engineering Institute at permission@sei.cmu.edu. Carnegie Mellon®, CERT® and CMMI® are registered marks of Carnegie Mellon University. DM-0002130
  • 3. 3 Risks in the Software Supply Chain Mark Sherman, 15-Jan-2015 © 2015 Carnegie Mellon University Conventional view of supply chain risk Sources: http://www.nytix.com/NewYorkCity/articles/handbags.html; http://www.laserwisetech.co.nz/secret.php; http://www.muscatdaily.com/Archive/Oman/Fake-car-parts-contribute-to-rise-in-road-accidents-Experts; http://www.andovercg.com/services/cisco-counterfeit-wic-1dsu-t1.shtml; http://unites-systems.com/l.php?id=191
  • 4. 4 Risks in the Software Supply Chain Mark Sherman, 15-Jan-2015 © 2015 Carnegie Mellon University Software is the new hardware – IT IT moving from specialized hardware to software, virtualized as • Servers: virtual CPUs • Storage: SANs • Switches: Soft switches • Networks: Software defined networks
  • 5. 5 Risks in the Software Supply Chain Mark Sherman, 15-Jan-2015 © 2015 Carnegie Mellon University • Cellular • Main processor • Base band processor • Secure element (SIM) • Automotive • Up to 100 networked CPUs in luxury cars • Vehicle to infrastructure (V2I) • Vehicle to vehicle (V2V) • Industrial and home automation • 3D printing (additive manufacturing) • Autonomous robots • Interconnected SCADA • Aviation • 80% of airplane function in software • Next Gen air traffic control • Smart grid • Smart electric meters • Smart metering infrastructure • Embedded medical devices Software is the new hardware – cyber physical
  • 6. 6 Risks in the Software Supply Chain Mark Sherman, 15-Jan-2015 © 2015 Carnegie Mellon University Software is the new hardware – everything 90 percent of [Samsung’s] products -- which includes everything from smartphones to refrigerator-- would be able to connect to the Web by 2017. In five years, every product in the company's entire catalog would be Internet connected. B.K. Yoon, Samsung co-CEO CNET Jan 5, 2015 Source: http://www.cnet.com/news/samsung-co-ceo-in-5-years-all-our-products-will-be-internet-connected/ http://www.wsj.com/articles/SB10001424053111903480904576512250915629460 Software is eating the world. Marc Andreessen, WSJ, Aug 20,2011
  • 7. 7 Risks in the Software Supply Chain Mark Sherman, 15-Jan-2015 © 2015 Carnegie Mellon University Evolution of software development Custom development – context: • Software was limited  Size  Function  Audience • Each organization employed developers • Each organization created their own software Shared development – ISVs (COTS) – context: • Function largely understood  Automating existing processes • Grown beyond ability for using organization to development economically • Outside of core competitiveness by acquirers Supply chain: practically none Supply chain: software supplier
  • 8. 8 Risks in the Software Supply Chain Mark Sherman, 15-Jan-2015 © 2015 Carnegie Mellon University Development is now assembly General Ledger SQL Server WebSphere HTTP server XML Parser Oracle DB SIP servlet container GIF library Note: hypothetical application composition Collective development – context: • Too large for single organization • Too much specialization • Too little value in individual components Supply chain: long
  • 9. 9 Risks in the Software Supply Chain Mark Sherman, 15-Jan-2015 © 2015 Carnegie Mellon University Software supply chain for assembled software Expanding the scope and complexity of acquisition and deployment Visibility and direct program office controls are limited (only in shaded area) Source: “Scope of Supplier Expansion and Foreign Involvement” graphic in DACS www.softwaretechnews.com Secure Software Engineering, July 2005 article “Software Development Security: A Risk Management Perspective” synopsis of May 2004 GAO-04- 678 report “Defense Acquisition: Knowledge of Software Suppliers Needed to Manage Risks”
  • 10. 10 Risks in the Software Supply Chain Mark Sherman, 15-Jan-2015 © 2015 Carnegie Mellon University Corruption along the supply chain is easy Knowledgeable analysts can convert packaged binary into malware in minutes Sources: Pedro Candel, Deloitte CyberSOC Academy , Deloitte http://www.8enise.webcastlive.es/webcast.htm?video=08; http://www.microsoft.com/Products/Games/FSInsider/freeflight/PublishingImages/scene.jpg; https://www.withfriendship.com/user/mithunss/easter-eggs-in-microsoft-products.php Unexpected or unintended behaviors in components
  • 11. 11 Risks in the Software Supply Chain Mark Sherman, 15-Jan-2015 © 2015 Carnegie Mellon University Substantial open source contained in supply chain • At least 75% of organizations rely on open source as the foundation of their applications • Most applications are now assembled from hundreds of open source components, often reflecting as much as 90% of an application. Distributed development – context: • Amortize expense • Outsource non-differential features • Lower acquisition (CapEx) expense Source: Sonatype, 2014 Sonatype Open Source Development and Application Security Survey Supply chain: opaque
  • 12. 12 Risks in the Software Supply Chain Mark Sherman, 15-Jan-2015 © 2015 Carnegie Mellon University Open source supply chain has a long path App server HTTP server XML Parser C Libraries C compiler Generated Parser Parser Generator 2nd Compiler
  • 13. 13 Risks in the Software Supply Chain Mark Sherman, 15-Jan-2015 © 2015 Carnegie Mellon University Versions of Android illustrate open source fragmentation Source: http://opensignal.com/reports/fragmentation.php .
  • 14. 14 Risks in the Software Supply Chain Mark Sherman, 15-Jan-2015 © 2015 Carnegie Mellon University Open source is not secure Heartbleed and Shellshock were found by exploitation Other open source software illustrates vulnerabilities from cursory inspection Sources: Steve Christey (MITRE) & Brian Martin (OSF), Buying Into the Bias: Why Vulnerability Statistics Suck, https://media.blackhat.com/us-13/US-13-Martin-Buying-Into-The-Bias-Why-Vulnerability-Statistics- Suck-Slides.pdf; Sonatype, Sonatype Open Source Development and Application Security Survey 46 million vulnerable open source components downloaded annually
  • 15. 15 Risks in the Software Supply Chain Mark Sherman, 15-Jan-2015 © 2015 Carnegie Mellon University Reducing software supply chain risk factors Software supply chain risk for a product needs to be reduced to acceptable level Supplier follows practices that reduce supply chain risks Delivered or updated product is acceptably secure Product Distribution Operational Product Control Product is used in a secure manner Methods of transmitting the product to the purchaser guard again tampering Product Security Supplier Capability
  • 16. 16 Risks in the Software Supply Chain Mark Sherman, 15-Jan-2015 © 2015 Carnegie Mellon University Supplier security commitment evidence Supplier employees are educated as to security engineering practices • Documentation for each engineer of training and when trained/retrained • Revision dates for training materials • Lists of acceptable credentials for instructors • Names of instructors and their credentials Supplier follows suitable security design practices • Documented design guidelines • Provides evidence that design and coding weaknesses that affect security have been addressed (Common Weakness Enumeration (CWE)) • Has analyzed attack patterns appropriate to the design such as those that are included in Common Attack Pattern Enumeration and Classification (CAPEC)
  • 17. 17 Risks in the Software Supply Chain Mark Sherman, 15-Jan-2015 © 2015 Carnegie Mellon University Evaluate a product’s threat resistance What product characteristics minimize opportunities to enter and change the product’s security characteristics? • Attack surface evaluation: Exploitable features have been identified and eliminated where possible – Access controls – Input/output channels – Attack enabling applications – email, Web – Targets • Design and coding weaknesses associated with exploitable features have been identified and mitigated (CWE) • Independent validation and verification of threat resistance
  • 18. 18 Risks in the Software Supply Chain Mark Sherman, 15-Jan-2015 © 2015 Carnegie Mellon University Establishing good product distribution practices Recognize that supply chain risks are accumulated • Subcontractor/COTS-product supply chain risk is inherited by those that use that software, tool, system, etc. Apply to the acquiring organizations and their suppliers • Require good security practices by their suppliers • Assess the security of delivered products • Address the additional risks associated with using the product in their context
  • 19. 19 Risks in the Software Supply Chain Mark Sherman, 15-Jan-2015 © 2015 Carnegie Mellon University Maintain attack resistance Who assumes responsibility for preserving product attack resistance with product deployment? • Patching and version upgrades • Expanded distribution of usage • Expanded integration Usage changes the attack surface and potential attacks for the product • Change in feature usage or risks • Are supplier risk mitigations adequate for desired usage? • Effects of vendor upgrades/patches and local configuration changes • Effects of integration into operations (system of systems)
  • 20. 20 Risks in the Software Supply Chain Mark Sherman, 15-Jan-2015 © 2015 Carnegie Mellon University What about open source? Establish a supplier for open source • Self • 3rd party focusing on open source Subject to same evaluation • Supplier capability • Product security • Product distribution • Operational product control Source: http://opensource.org/
  • 21. 21 Risks in the Software Supply Chain Mark Sherman, 15-Jan-2015 © 2015 Carnegie Mellon University Business decisions are about risk There are many risks to a business process or mission thread • Within a system • Collection of systems Supply chain is one of many risk components Evaluate software supply chain risk in the larger context of • Supply chain risk • System risk • System of systems risk
  • 22. 22 Risks in the Software Supply Chain Mark Sherman, 15-Jan-2015 © 2015 Carnegie Mellon University Security Engineering Risk Analysis (SERA ) 1. Establish operational context. 2. Identify risk. 3. Analyze risk. 4. Develop control plan. Mission Thread / Business Process Worksheet Risk Identification Worksheet Risk Evaluation Criteria Risk Analysis Worksheet Control Approach Worksheet Control Plan Worksheet
  • 23. 23 Risks in the Software Supply Chain Mark Sherman, 15-Jan-2015 © 2015 Carnegie Mellon University Where to start Anywhere • 76% do not have meaningful controls over what components are in their applications • 81% do not coordinate their security practices in various stages of the development life cycle • 47% do not perform acceptance tests for third-party code Plenty of models to choose from BSIMM: Building Security in Maturity Model CMMI: Capability Maturity Model Integration for Acquisitions PRM: SwA Forum Processes and Practices Group Process Reference Model RMM: CERT Resilience Management Model SAMM: OWASP Open Software Assurance Maturity Model Sources: Sonatype, 2014 Sonatype Open Source Development and Application Security Survey; Forrester Consulting, “State of Application Security,” January 2011
  • 24. 24 Risks in the Software Supply Chain Mark Sherman, 15-Jan-2015 © 2015 Carnegie Mellon University Further reading Alberts, Christopher, et al., “Introduction to the Security Engineering Risk Analysis (SERA) Fraemwork,” Software Engineering Institute, Nov 2014, http://resources.sei.cmu.edu/asset_files/TechnicalNote/2014_004_001_427329.pdf Axelrod, C. Warren, “Mitigating Software Supply Chain Risk,” ISCA Journal Online, Vol 4., 2013, http://www.isaca.org/Journal/Past- Issues/2013/Volume-4/Pages/JOnline-Mitigating-Software-Supply-Chain-Risk.aspx Axelrod, C. Warren, “Malware, Weakware and the Security of Software Supply Chains,” Cross-Talk, March/April 2014, p. 20, http://www.crosstalkonline.org/storage/issue-archives/2014/201403/201403-Axelrod.pdf Ellison, Robert, et al, “Software Supply Chain Risk Management: From Products to Systems of Systems,” Software Engineering Institute, Dec 2010, https://resources.sei.cmu.edu/asset_files/technicalnote/2010_004_001_15194.pdf Ellison, Robert, et al. “Evaluating and Mitigating Software Supply Chain Security Risks,” Software Engineering Institute, May 2010, http://resources.sei.cmu.edu/asset_files/technicalnote/2010_004_001_15176.pdf Ellison, Robert and Woody, Carol, “Supply-Chain Risk Management: Incorporating Security into Software Development,” Proceedings of the 43rd Hawaii International Conference on System Sciences, 2010, http://resources.sei.cmu.edu/asset_files/WhitePaper/2013_019_001_297341.pdf Jarzombek, Joe, “Collaboratively Advancing Strategies to Mitigate Software Supply Chain Risks,” July 30, 2009, http://csrc.nist.gov/groups/SMA/ispab/documents/minutes/2009-07/ispab_july09-jarzombek_swa-supply-chain.pdf Software Assurance Forum, Processes and Practices Working Group, “Software Assurance Checklist for Software Supply Chain Risk Management,” https://buildsecurityin.us-cert.gov/sites/default/files/20101208-SwAChecklist.pdf “Software Supply Chain Risk Management & Due-Diligence,” Software Assurance Pocket Guide Series: Acquisition & Outsourcing, Vol II, Version 1.2, June 16, 2009, https://buildsecurityin.us-cert.gov/sites/default/files/DueDiligenceMWV12_01AM090909.pdf
  • 25. 25 Risks in the Software Supply Chain Mark Sherman, 15-Jan-2015 © 2015 Carnegie Mellon University Contact Information Slide Format Mark Sherman Technical Director Cyber Security Foundations Telephone: +1 412-268-9223 Email: mssherman@sei.cmu.edu U.S. Mail Software Engineering Institute Customer Relations 4500 Fifth Avenue Pittsburgh, PA 15213-2612 USA Web www.sei.cmu.edu www.sei.cmu.edu/contact.cfm Customer Relations Email: info@sei.cmu.edu Telephone: +1 412-268-5800 SEI Phone: +1 412-268-5800 SEI Fax: +1 412-268-6257