Securing Modern Applications: The Data Behind DevSecOps

Presented at Global AppSec - DC 2019, Sept. 12, 2019, 3:30 p.m. (45 minutes)

Hackers took three days to identify and exploit a known vulnerability in Equifax's web applications. More importantly. Equifax was not alone. Hackers quickly attempted to exploit the Struts vulnerability elsewhere. According to David Hogue, a senior technical director for the NSA’s Cybersecurity Threat Operations Center (NCTOC), "We had a nation-state actor within 24 hours scanning for unpatched [Struts] servers within the DoD." Other breaches were recorded at Alaska Airlines, the Canada Revenue Agency, Okinawa Power, the Japanese Post, the India Post, AADHAAR (India’s social security system), and the GMO Payment Gateway, to name a few. The time required for hackers to exploit a newly disclosed open source vulnerability has shrunk by 93.5% in the last decade. This harsh reality establishes a new normal for software supply chain management and demands that organizations are prepared to do three things within 48 hours of a new public disclosure: * Assess which, if any, of their production applications are exploitable * Establish a comprehensive plan to remediate potential exposure, * Implement necessary fixes in production This session will highlight new data that reveals why three days (at most) is the new normal for DevSecOps teams to move new business /security requirements from design into production. It will also further enlighten DevOps teams, security and development professionals by sharing results from the 5th annual State of the Software Supply Chain Report -- a blend of public and proprietary data with expert research and analysis. Attendees can join this session to better understand how development and AppSec teams are applying lessons from W. Edwards Deming (circa 1982), Malcolm Goldrath (circa 1984) and Gene Kim (circa 2013) to improve their ability to respond to new business requirements and cyber risks.

Presenters:

• Derek Weeks - Sonatype
  Derek E. Weeks is the world's foremost researcher on the topic of DevSecOps and securing software supply chains. For the past five years, he has championed the research of the annual State of the Software Supply Chain Report and the DevSecOps Community Survey. Derek is a huge advocate of applying proven supply chain management principles into DevOps practices to improve efficiencies and sustain long-lasting competitive advantages. He is a frequent keynote speaker and industry panelist at conferences like the RSA Conference, Red Hat Summit, numerous DevOps Days and DevOps Enterprise Summit. He currently serves as vice president and DevOps advocate at Sonatype, creators of the Nexus repository manager and the global leader in solutions for software supply chain automation. Derek is also the co-founder of All Day DevOps, an online community of 65,000 IT professionals. In 2018, Derek was recognized by DevOps.com as the "Best DevOps Evangelist" for his work in the community.

Links:

• https://globalappsecdc2019.sched.com/event/Ur5h/securing-modern-applications-the-data-behind-devsecops

Similar Presentations:

• AppSec USA 2015 / Security as Code: A New Frontier
• AppSec USA 2013 / Go Fast AND Be Secure: Eliminating Application Risk in the Era of Modern, Component-Based Development
• BSides Austin 2017 / DevOps and security: Lessons learned from Detroit to Deming