Supply Chain Risk Management For Modern Software Development

September 4, 2013

Maritime Institute & Conference Center

Linthicum Heights, Maryland

Supply Chain Risk Management For Modern Software Development

Ron Ross, PhD, National Institute of Standards and Technology (NIST)

Ron Ross is a Fellow at the National Institute of Standards and Technology (NIST). His current areas of specialization include information security and risk management. Dr. Ross leads the Federal Information Security Management Act (FISMA) Implementation Project, which includes the development of security standards and guidelines for the federal government, contractors, and the United States critical information infrastructure. His recent publications include Federal Information Processing Standards (FIPS) Publication 199 (security categorization standard), FIPS Publication 200 (security requirements standard), NIST Special Publication (SP) 800-53 (security controls guideline), NIST SP 800-53A (security assessment guideline), NIST SP 800-37 (security authorization guideline), NIST SP 800-39 (risk management guideline), and NIST SP 800-30 (risk assessment guideline). Dr. Ross is the principal architect of the Risk Management Framework and multi-tiered approach that provides a disciplined and structured methodology for integrating the suite of FISMA standards and guidelines into a comprehensive enterprise-wide information security program. Dr. Ross also leads the Joint Task Force Transformation Initiative, a partnership with NIST, the Department of Defense, the Intelligence Community, the Office of the Director of National Intelligence, and the Committee on National Security Systems to develop a unified information security framework for the federal government.

Wednesday, September 4, 2013 www.oss-institute.org

NSA Open Source Industry Day 2013

OSSI

On The SCRM Horizon

• Implementation of NIST SP 800-53, Revision 4

• Revision of OMB Circular A-130, Appendix III

• OMB Continuous Monitoring Policy

• Supply Chain Risk Guidance—NIST SP 800-161

• Security Engineering Guidance—NIST SP 800-160

Contact Information

National Institute of Standards and Technology, 100 Bureau Drive Mailstop 8930, Gaithersburg, MD USA 20899-8930

Project Leader: Dr. Ron Ross, (301) 975-5390, ron.ross@nist.gov

Administrative Support: Peggy Himes, (301) 975-2489, peggy.himes@nist.gov

Senior Information Security Researchers and Technical Support:

• Pat Toth, (301) 975-5140, patricia.toth@nist.gov

• Kelley Dempsey, (301) 975-2827, kelley.dempsey@nist.gov

• Arnold Johnson, (301) 975-3247

Web: csrc.nist.gov/sec-cert

Wayne Jackson, CEO, Sonatype

Wayne Jackson currently serves as the CEO of Sonatype, Inc., the leaders in Component Lifecycle Management and creators of Maven and other technologies used by millions of software developers worldwide.

Prior to joining Sonatype, Wayne served as the CEO of open source network security pioneer Sourcefire, Inc. (NASDAQ:FIRE), which he guided from fledgling start-up through an IPO in March of 2007, later acquired by Cisco for $2.7 billion.

Before joining Sourcefire, Wayne co-founded Riverbed Technologies, a wireless infrastructure company, and served as its CEO until the sale of the company for more than $1 billion in March of 2000. Prior to Riverbed, Wayne built an emerging-technologies business unit for a large systems integrator and provided consulting services to organizations including General Electric, the World Bank and the Federal Reserve. Wayne holds a B.B.S in Finance from James Madison University, 1985, and has completed the Executive Education program for Corporate Governance at Harvard University.

DevOpsSec

Supply chain management in modern software development

[Chart: 90% Assembled vs. Written]

The Central Repository

• The canonical exchange for open source binaries

• Virtually every mainstream project in the Java ecosystem

– Accelerating adoption by other languages

• Virtually every organization developing software

• >100,000 organizations, >10 million developers

• Unique visibility

– Component supply


Tremendous Advantages

• Open = Leveraged Innovation

• Modular = Accelerated Development

• Agile = Accelerated Delivery


For Example: CVE-2013-2251

• Network exploitable

• Medium access complexity

• No authentication required for exploit

• Allows unauthorized disclosure of information; allows unauthorized modification; allows


Toyota and v4L

• Variety of products offered

• Velocity of product flow

• Variability of outcomes against forecast

• Visibility of processes to enable learning


Toyota and v4L

• Variety of software produced

• Velocity of software delivery

• Variability of outcomes against forecast

• Visibility of processes to enable learning


The ‘L’ in v4L

• Create awareness

• Establish capability (empower)

• Make action protocols (govern)


Measurable Advantages

• Plant suppliers: 125 versus 800

• Firm-wide suppliers: 224 versus 5,500

• In-house production: 27% versus 54%

• Comparing the Volt and Prius

– $39,900 versus $24,200


A CIO’s Perspective on Open Source Software, Mark Driver, Research Vice President, January 2011

When left unaudited and unmanaged, open-source assets "seep" into and proliferate within an enterprise's software portfolio as hidden "time bombs" that can eventually result in catastrophic technical failures, security failures, audit compliance violations and intellectual property (IP) risks that create a significant loss of IT value — and, subsequently, broader business value.


Govern Effectively

• Humans define policy

– What component attributes violate policy

– What actions to take when a policy is violated

• Machines automate the implementation of policy
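The split the slide describes, humans writing the policy as data and a machine applying it to every component, as an added example that is not from the slides or from Sonatype's tooling. The component names, versions, licenses, ages and the CVSS score are constructed sample values; only the CVE id comes from the deck.

```python
# Added example: a minimal component-governance policy engine. Humans express
# the policy as data; the machine evaluates each component and returns the action.
from dataclasses import dataclass, field

# Policy, as a human would write it: attributes that violate policy and the
# action tied to each violation ("fail" blocks the build, "warn" only reports).
POLICY = {
    "max_cvss": 7.0,                      # fail on a known CVE at/above this score
    "banned_licenses": {"AGPL-3.0"},      # fail on licenses legal has rejected
    "max_age_years": 5,                   # warn on components older than this
    "actions": {"cve": "fail", "license": "fail", "age": "warn"},
}

@dataclass
class Component:
    name: str
    version: str
    license: str
    age_years: int
    cves: list = field(default_factory=list)  # [(cve_id, cvss_score), ...]

def evaluate(component, policy=POLICY):
    """Return (action, reasons) for one component under the policy.
    action is "allow", "warn" or "fail"; "fail" wins over "warn"."""
    reasons = []
    for cve_id, score in component.cves:
        if score >= policy["max_cvss"]:
            reasons.append(("cve", f"{cve_id} scored {score}"))
    if component.license in policy["banned_licenses"]:
        reasons.append(("license", f"{component.license} is banned"))
    if component.age_years > policy["max_age_years"]:
        reasons.append(("age", f"{component.age_years} years old"))
    actions = {policy["actions"][kind] for kind, _ in reasons}
    action = "fail" if "fail" in actions else "warn" if "warn" in actions else "allow"
    return action, [msg for _, msg in reasons]

def evaluate_manifest(components, policy=POLICY):
    """Evaluate every component; the build fails if any component fails."""
    results = {c.name: evaluate(c, policy) for c in components}
    build_ok = all(action != "fail" for action, _ in results.values())
    return build_ok, results

# Constructed sample manifest. The CVE id is the one named on the slide; the
# component names, versions, licenses, ages and the score are made-up values.
SAMPLE = [
    Component("web-framework", "2.3.14", "Apache-2.0", 1, [("CVE-2013-2251", 9.3)]),
    Component("old-xml-parser", "1.0", "MIT", 7),
    Component("logging-lib", "1.2", "Apache-2.0", 2),
]
```

Calling `evaluate_manifest(SAMPLE)` fails the build because of the first component and reports the second as a warning only.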


Substantial, Measurable ROI

• Reduced surface area

– exposure, maintenance, expertise

• Reduced re-work

• Pro-active situational awareness

• Better suppliers and supplier relationships

• Go fast AND be secure!


Thank You!

wayne@sonatype.com

301-684-8080 x102

8161 Maple Lawn Drive, Suite 250, Fulton, Md 20759
