Upgrade to Pro — share decks privately, control downloads, hide ads and more …

OpenShift Commons Gathering Chicago 2023 - Evol...

OpenShift Commons Gathering Chicago 2023 - Evolution of Risk Management in Software

Vincent Danen (Red Hat), vice president of product security at Red Hat presents at the OpenShift Commons Gathering Co-Located with KubeCon + CloudNativeCon North America 2023.

OpenShift Commons

November 17, 2023
Tweet

More Decks by OpenShift Commons

Other Decks in Technology

Transcript

  1. Security is top of mind. Across all industries, from financial

    to government, security is being discussed, especially as it relates to open source. 2 Evolution of risk management in software
  2. More than half the global population is online (4.66 billion

    people!) Facebook and Twitter are created and the social media era begins HTTP becomes a standard and the World Wide Web is born Evolution of the internet Evolution of risk management in software 3 Source: Live Science, Internet history timeline: ARPANET to the World Wide Web https://www.livescience.com/20727-internet-history.html ARPANET 1969 1974 Telenet, first ISP HTTP and WWW 1990-1991 2004-2006 Social Media Internet of Things 2018 2021 Hack the planet! First packet-switching network created Telenet is the first commercial implementation of ARPANET, TCP designed IoT is firmly entrenched with 7 billion devices online
  3. More than half the global population is online (4.66 billion

    people!) Facebook and Twitter are created and the social media era begins HTTP becomes a standard and the World Wide Web is born Evolution of the internet Evolution of risk management in software 4 Source: Live Science, Internet history timeline: ARPANET to the World Wide Web https://www.livescience.com/20727-internet-history.html ARPANET 1969 1974 Telenet, first ISP HTTP and WWW 1990-1991 2004-2006 Social Media Internet of Things 2018 2021 Hack the planet! First packet-switching network created Telenet is the first commercial implementation of ARPANET, TCP designed IoT is firmly entrenched with 7 billion devices online
  4. The beginning of nation-state attacks on Industrial Control Devices The

    I LOVE YOU worm, Blaster, MyDoom Evolution of Cybercrime Evolution of risk management in software 5 Source: Fortinet, A Brief History of The Evolution of Malware https://www.fortinet.com/blog/threat-research/evolution-of-malware First viruses 1980s 1990s First phishing attacks First worms 2000-2003 2010 Stuxnet Modern day Ransomware 2011 2017 High-profile attacks Phishing attacks on AOL (AOHell). First botnet (GTbot) discovered capable of DDoS attacks Reveton is the first in a long list of ransomware campaigns that continue to persist First Mac and PC viruses, the Morris worm, AIDS Trojan ransomware spread via floppy disk Devastating Shadowbrokers leak and subsequent WannaCry, Petya/NotPetya attacks
  5. Evolution of security practices Evolution of risk management in software

    6 Passwords good! 👍 Password Rotation / Aging Multi-Factor Authentication / SSO / Monitor
  6. 25082 6494 Vulnerabilities continue to increase Evolution of risk management

    in software 7 Source: CVE Details https://www.cvedetails.com/ First year of CVE 1999 2005 452% increase over 6 years Steady state 2010 2015 40% increase over 5 years 125% increase over 2 years! 2017 2022 40% increase over 5 years 894 4932 4639 14643
  7. 122 41 Exploitation continues to increase Evolution of risk management

    in software 8 Source: CVE Details https://www.cvedetails.com/ First year of CVE 1999 2005 452% increase over 6 years Steady state 2010 2015 40% increase over 5 years 125% increase over 2 years! 2017 2022 40% increase over 5 years 0 1 19 82 Sourced from CISA Known Exploited Vulnerabilities database
  8. 25082 / 122 0.49% exploitation 6494 / 41 0.63% exploitation

    Vulnerabilities vs Exploitation Evolution of risk management in software 9 Source: CVE Details https://www.cvedetails.com/ First year of CVE 1999 2005 452% increase over 6 years Steady state 2010 2015 40% increase over 5 years 125% increase over 2 years! 2017 2022 40% increase over 5 years 894 / 0 0% exploitation 4932 / 1 0.02% exploitation 4639 / 19 0.41% exploitation 14643 / 82 0.56% exploitation
  9. 10 Verizon Evolution of risk management in software 2022 2023

    Sources: Verizon, 2022 and 2023 Data Breach Investigations Report https://www.verizon.com/business/resources/reports/dbir/2022/results-and-analysis-not-the-human-element/ https://www.verizon.com/business/resources/reports/dbir/2023/results-and-analysis-intro/
  10. 11 Verizon DBIR Report 2022 (Data Breach Investigations Report) Where

    we find security risk Sources: Verizon, 2022 and 2023 Data Breach Investigations Report https://www.verizon.com/business/resources/reports/dbir/2022/results-and-analysis-not-the-human-element/ https://www.verizon.com/business/resources/reports/dbir/2023/results-and-analysis-intro/ “The action variety of Exploit vulnerability is up to 7% of breaches this year, doubling from last year. While it’s not on par with the massive numbers we see in Credentials and Phishing, it’s worth some thought. The first question one might reasonably ask is “How are attackers finding these vulnerabilities?” As we pointed out last year, attackers have a sort of opportunistic attack sales funnel as seen [here]. They start with scanning for IPs and open ports. Then they move on to crawling for specific services. They then move to testing for specific CVEs. Finally, they try Remote Code Execution (RCE) to gain access to the system.” Evolution of risk management in software
  11. 12 Critical 19 discovered 2 known exploited Risk by the

    numbers Evolution of risk management in software Important 276 discovered 3 known exploited Moderate 1,086 discovered 2 known exploited Low 275 discovered 0 known exploited All 1,656* discovered 7 known exploited 10.5% 1.1% 0.2% 0% 0.4% Source:Red Hat Product Security risk report 2022 https://www.redhat.com/en/resources/product-security-risk-report-2022 * 1656 vulnerabilities in 2022 for the entire Red Hat portfolio of products
  12. $1.6M per customer* $1,086,000 Fix all Moderate (2 exploited, $543,000

    each) $275,000 Fix all Low (0 exploited, $275,000 🔥) $19,000 Fix all Critical (2 exploited, $9,500 each) $1,361,000 Fix all not risky (2 exploited, $680,500 each) Cost to avoid (2022) Evolution of risk management in software 13 $295,000 Fix all risky (5 exploited, $59,000 each) $276,000 Fix all Important (3 exploited, $92,000 each) * Using the assumption that every vulnerability costs a customer $1000 to fix (test and deploy).
  13. Innovation Stability A better balance is needed 14 Evolution of

    risk management in software Software Patching
  14. Innovation Stability A better balance is possible 15 Evolution of

    risk management in software Software Patching
  15. linkedin.com/company/red-hat youtube.com/user/RedHatVideos facebook.com/redhatinc twitter.com/RedHat 16 Red Hat is the world’s

    leading provider of enterprise open source software solutions. Award-winning support, training, and consulting services make Red Hat a trusted adviser to the Fortune 500. Thank you