The Three R’s of Software Supply Chains: Reject, Replace, and Respond

A great article from 2016 came up in a recent conversation, and it has come up a few times in my conversations about DevSecOps since it was first published. Justin Smith’s The Three R’s of Enterprise Security: Rotate, Repave, and Repair is a classic must-read. I just love the elegance of the alliteration and the simplicity of the message:

Rotate datacenter credentials every few minutes or hours. Repave every server and application in the datacenter every few hours from a known good state. Repair vulnerable operating systems and application stacks consistently within hours of patch availability.

The idea of Rotating keys was eye-opening for me but makes a lot of sense. I have no idea how to do it, but I get it. Repaving reminds me of when I first heard that Netflix doesn’t have instances with uptimes of more than 36 hours. Netflix is also who brought us the Simian Army back in 2011, which turned operations on its head by intentionally killing live production instances. Then there is Repair, which is near and dear to our hearts here at Sonatype. I was so inspired by this article that I felt compelled to expound on ‘Repair’ with a simple alliteration of our own.

My next reaction was to realize this could get a bit silly, especially if it felt forced in any way, so I laughed it off and went back to work. It wasn’t until later that day that it came to me.

Reject known bad components from entering your SDLC. Replace components that don’t meet governance standards. Respond to zero-day vulnerabilities with immediate impact assessments.
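To make the three R’s concrete, here is an added example of a minimal dependency-policy gate (not code from the original post or from Sonatype): one function per R, run over a constructed inventory of two applications and a constructed advisory. All component names, versions, licenses and the advisory are made up for illustration.

```python
# Added example (not from the original post or Sonatype): a minimal policy gate
# for Reject / Replace / Respond. Every name, version and advisory is constructed.
from dataclasses import dataclass

@dataclass(frozen=True)
class Component:
    name: str
    version: str
    license: str

def vtuple(version):
    """'2.4.1' -> (2, 4, 1) so versions compare numerically (dotted integers only)."""
    return tuple(int(part) for part in version.split("."))

# Policy inputs (constructed): a deny list, a license standard, and vetted alternatives.
KNOWN_BAD = {("example-parser", "1.2.0")}
ALLOWED_LICENSES = {"Apache-2.0", "MIT"}
APPROVED_ALTERNATIVES = {"example-crypto": "example-crypto-oss"}

# What each application currently ships (constructed sample inventory).
INVENTORY = {
    "billing": [Component("example-parser", "1.2.0", "Apache-2.0"),
                Component("example-yaml", "2.3.0", "MIT"),
                Component("example-crypto", "0.9.0", "Proprietary")],
    "web": [Component("example-yaml", "2.4.1", "MIT"),
            Component("example-http", "4.0.0", "Apache-2.0")],
}
ADVISORY = {"component": "example-yaml", "fixed_in": "2.4.1"}  # constructed zero-day notice

def reject(manifest):
    """Reject: components on the deny list never enter the SDLC."""
    return [c for c in manifest if (c.name, c.version) in KNOWN_BAD]

def replace(manifest):
    """Replace: license failures, each paired with a vetted alternative (None = pick one)."""
    return [(c, APPROVED_ALTERNATIVES.get(c.name))
            for c in manifest if c.license not in ALLOWED_LICENSES]

def respond(inventory, advisory):
    """Respond: immediate impact assessment, i.e. which applications ship a version
    older than the fix named in the advisory."""
    fixed = vtuple(advisory["fixed_in"])
    return sorted(app for app, comps in inventory.items()
                  if any(c.name == advisory["component"] and vtuple(c.version) < fixed
                         for c in comps))

if __name__ == "__main__":  # quick demo run
    print({app: (reject(c), replace(c)) for app, c in INVENTORY.items()})
    print("affected by advisory:", respond(INVENTORY, ADVISORY))
```

The `respond` step is the one that has to be fast when a zero-day lands: with an inventory like this on hand, the impact assessment is a lookup rather than a scramble.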

So with AppSec USA about to happen and the OWASP A9 a little over six years old now, I thought I’d like to expound on Justin’s article with three R’s (Read more...)

*** This is a Security Bloggers Network syndicated blog from Sonatype Blog authored by Curtis Yanko. Read the original post at: https://blog.sonatype.com/the-three-rs-of-software-supply-chains-reject-replace-and-respond