
RSAC DevSecOpsDays 2018 - We are all Equifax

3,299 views


Published in: Technology

  1. We Are All Equifax. Derek E. Weeks, Vice President, Sonatype; Co-founder, All Day DevOps. @weekstweets
  2. “Emphasize performance of the entire system and never pass a defect downstream.” Gene Kim, The Phoenix Project, 2013
  3. Say Hello to Your Software Supply Chain…
  4. THE SSC INDEX. [Chart: Open Source Component Download Requests, The Central Repository, 2008 - 2017; annotations: 87, 2017.]
  5. 80% to 90% of modern apps consist of assembled components.
  6. 80% to 90% of modern operations consist of assembled containers. (Containers vs. hand-built applications and infrastructure.)
  7. NOT ALL PARTS ARE CREATED EQUAL
  8. CYBERSECURITY HYGIENE RATIO IS 1 IN 8
  9. 170,000 Java component downloads annually; 18,870 (11.1%) with known vulnerabilities; 7,500 organizations analyzed.
  10. 6-IN-10 HAVE OPEN SOURCE POLICIES
  11. DEFECT PERCENTAGES FOR JAVASCRIPT
  12. 5 Month Opportunity to Take Corrective Action. Timeline, March to September 2017: March 7, Apache Struts releases updated version to thwart vulnerability CVE-2017-5638. March 10, Equifax applications breached through Struts2 vulnerability. July 29, breach is discovered by Equifax. Sept 7, a new RCE vulnerability is announced and fixed, CVE-2017-9805. Phases marked on the timeline: Probing, Hack, Large Scale Exploit, Crisis Management.
  13. 3 DAYS BEFORE EXPLOIT. [Chart: Average Days to Exploit (0 to 50) by Year of Date Reported, 2006 to 2015; annotations: Average, 45, 15, 2017.] Source: Adapted from IBM X-Force / Analysis by Gartner Research (September 2016)
  14. 80% SHOW POOR CYBER HYGIENE. [Chart: Number of vulnerable Struts component downloads per month, Mar-17 to Mar-18, 0 to 120,000 (Total); annotations: Struts vulnerability announced; The breach; Breach discovered; Breach disclosed; New Struts and Spring vulnerabilities; 12 months since Equifax breach.]
  15. VULNERABLE SPRING FRAMEWORK DOWNLOADS, CVE-2017-8046. Source: Maven Central Repository, March 2018
  16. 72% see security pros in the role of “nag”.
  17. [Diagram: Check in, Trigger, Feedback, Trigger]
  18. Which application security tools are critical to your organization?
  19. TRUSTED SOFTWARE SUPPLY CHAINS
  20. The question is not: Can we build secure software?
  21. Businesses decide where and how to invest in cybersecurity based on a cost-benefit assessment, but they are ultimately liable for the security of their data and systems. U.K.’s National Cyber Security Strategy 2016 - 2021
  22. “Emphasize performance of the entire system and never pass a defect downstream.” Gene Kim, The Phoenix Project, 2013
  23. weeks@sonatype.com
