DeveloperWeek Global: Cloud 2020

Expo Stage - Hopin 4


Wednesday, September 30, 2020

OPEN TALK: Automate or Die - DevSecOps in the Age of Software Supply Chain Attacks
Anthony Baer
Sonatype, Solution Architect

The race to out-innovate one’s competition has led to high performing organizations chasing increased deployment velocities but often ignoring the quality of parts being used to manufacture their applications. It was 2003 when Bruce Schneier (@schneierblog) penned, "Today there are no real consequences for having bad security, or having low-quality software of any kind. Even worse, the marketplace often rewards low quality. More precisely, it rewards additional features and timely release dates, even if they come at the expense of quality."

As nimble organizations deliver new innovations using DevOps principles, adversaries are also upping their game, something we saw in a series of high-profile and devastating cyber attacks last year. Adversaries have the intent and ability to exploit security vulnerabilities in the software supply chain - and in some cases plant the vulnerabilities themselves. They have increased scale through automation and improved breach success through precision targeting. If the IT industry doesn’t fight back by doing the same - automating security directly in the DevOps pipeline - then we’ll never be able to win.

The industry currently lacks meaningful open source controls. The most common way to introduce controls is through the application of open source governance policies across a software supply chain. But when over 5500 IT professionals were asked if their organisation employed open source governance policies, just 63% responded positively. That percentage degraded further when participants were asked if they followed the policy. For those without a DevOps practice, just 25% said they both had an OSS governance policy and adhered to it. Effectively, 75% of those who don’t deploy a DevOps strategy either ignore policies or don’t have one at all.
Further evidence of the lack of cybersecurity hygiene was revealed by 67% of survey participants who admitted to not having meaningful controls over what open source components are used in their applications.

Modern software supply chains can only operate safely when protected with automated security and quality assessments of these upstream open source components and containers.

This sentiment was echoed in Forrester’s Top Recommendations For Your Security Program (March 2018) where analysts advised, "Automate faster than evil does. If you thought your security team struggled with alert volume — and alert fatigue — then you Manual methods to detect, investigate, and respond to threats will guarantee failure in the near future."