September 13, 2016: Security in the Age of Open Source:
Download as PPTX, PDF1 like617 views
As presented by Mike Pittenger, VP of Security Strategy, at a lunch and learn on September 13, 2016. Learn how your organization can: * Know what's inside your code by identifying the open source you're using * Map against known vulnerabilities and accelerate remediation efforts * Take action to effectively secure and manage open source without impacting your agile SDLC
Ad
More Related Content
What's hot (20)
Viewers also liked (14)
Ad
Similar to September 13, 2016: Security in the Age of Open Source: (20)
Ad
More from Black Duck by Synopsys (20)
Recently uploaded (20)
September 13, 2016: Security in the Age of Open Source:
- 1. SECURITY IN THE AGE OF OPEN SOURCE Mike Pittenger VP, Security Strategy
- 2. Open Source Embraced By The Enterprise OPEN SOURCE • Needed functionality without acquisition costs • Faster time to market • Lower development costs • Broad support from communities CUSTOM CODE • Proprietary functionality • Core enterprise IP • Competitive differentiation OPEN SOURCE CUSTOM CODE
- 3. Open Source Changed the Way Applications are Built 10% Open Source 20% Open Source 50% Open Source Up to 90% Open Source 1998 2005 2010 TODAY Open Source is the modern architectureCustom & Commercial Code Open Source Software
- 4. Consequences Can Be Costly When You Can’t Control What You Can’t See OpenSSL Introduction: 2011 Discovery: 2014 Heartbleed GNU C Library Introduction: 2000 Discovery: 2015 Ghost QEMU Introduction: 2004 Discovery: 2015 Venom Bash Introduction: 1989 Discovery: 2014 Shellshock OpenSSL Introduction: 1990's Discovery: 2015 Freak FREAK!
- 5. • Static analysis • Testing of source code or binaries for unknown security vulnerabilities in custom code • Advantages in buffer overflow, some types of SQL injection • Provides results in source code • Dynamic analysis • Testing of compiled application in a staging environment to detect unknown security vulnerabilities in custom code • Advantages in injection errors, XSS • Provides results by URL, must be traced to source • What’s Missing? Why Aren’t We Finding These in Testing?
- 6. • Automated testing finds common vulnerabilities in the code you write • They are good, not perfect • Different tools work better on different classes of bugs • Many types of bugs are undetectable except by trained security researchers There Are No Silver Bullets All possible security vulnerabilities FREAK!
- 7. • Static Analysis Tools and Dynamic Analysis Tools can be very effective in finding bugs in the code written by internal developers. • HOWEVER… • They are ineffective in finding known vulnerabilities in Open Source components • They provide a point-in-time snapshot of security What happens when the threat landscape changes? What Do Security Testing Tools Miss?
- 8. The Threat Landscape Constantly Changes • VulnDB (Open Source Vulnerability Database) • In 2015, over 3,000 new vulnerabilities in open source • Since 2004, over 74,000 vulnerabilities have been disclosed by NVD. • 63 reference automated tools • 50 of those are for vulnerabilities reported in the tools • 13 are for vulnerabilities that could be identified by a fuzzer 0 500 1000 1500 2000 2500 3000 3500 2000 2001 2002 2003 2004 2005 2006 2007 2008 2009 2010 2011 2012 2013 2014 2015 Open Source Vulnerabilities Reported Per Year nvd vulndb-exclusive
- 9. Black Duck Open Source Security Audit Report Highlights Security & Management Challenges
- 10. OPEN SOURCE CODE INTERNAL CODE OUTSOURCED CODE LEGACY CODE REUSED CODE SUPPLY CHAIN CODE THIRD PARTY CODE We Have Little Control Over How Open Source Enters The Code Base
- 11. Open Source is an Attractive Target OPEN SOURCE IS USED EVERYWHERE VULNERABILITIES ARE PUBLICIZEDEASY ACCESS TO SOURCE CODE STEPS TO EXPLOIT READILY AVAILABLE
- 12. Who’s Responsible For Security? Commercial Code Open Source Code • Dedicated security researchers • Alerting and notification infrastructure • Regular patch updates • Dedicated support team with SLA • “community”-based code analysis • Monitor newsfeeds yourself • No standard patching mechanism • Ultimately, you are responsible
- 13. 0 200 400 600 800 1000 1200 3/15/2002 3/15/2003 3/15/2004 3/15/2005 3/15/2006 3/15/2007 3/15/2008 3/15/2009 3/15/2010 3/15/2011 3/15/2012 3/15/2013 3/15/2014 Newest component on software was compiled in Nov 2012. This indicates That it was released with at least 509 unique CVEs affecting 24 components around end of 2012 or early 2013. As of 2015-02-15 total of 1094 unique CVEs affected this software via now 30 vulnerable components. That is about 0.8 new CVEs / day . Oldest compiled component on the software image was from Dec 2001 Hospital Monitoring System
- 14. Smart TV Set 0 100 200 300 400 500 600 700 March 1, 2015: 584 unique CVEs in 23 components 2012 Smart TV lineup launched: Nov/Dec 2011 Approx. 0.58 new CVEs / day over the course of 23 months (* date may not be fully accurate, as e.g. partial OTA updates may have been delivered after this date as well ( see sec. update on Nov 2014) One year standard warranty for parts and labor from the date of purchase 7 years Last firmware / SW update: Mar 2013 (*Approx. 178 unique CVEs affecting product at the moment of SW EoL) Nov2014:securityupdateto patchcurl,openssl,flashplayer, ffmpeg,libpngandfreetype Nov 2022. End of 100.000 hours average lifespan of LCD TV screen. 7 more years of expected operation of the LCD TV (based on 100,000 hours average lifespan) Estimated 2065 CVEs affecting Product by Nov 2022 based on historic 0.58 CWEs per day
- 15. How are Companies Managing Open Source Today? Not Well. TRACKING VULNERABILITIES • No single responsible entity • Manual effort and labor intensive • Unmanageable (11/day) • Match applications, versions, components, vulnerabilities SPREADSHEET INVENTORY • Depends on developer best effort or memory • Difficult maintenance • Not source of truth MANUAL TABULATION • Architectural Review Board • Occurs at end of SDLC • High effort and low accuracy • No controls VULNERABILITY DETECTION Run monthly/quarterly vulnerability assessment tools (e.g., Nessus, Nexpose) against all applications to identify exploitable instances
- 16. Automating Five Critical Tasks and Having a Bill of Materials Provide Distinct Advantage INVENTORY Open Source Software MAP Known Security Vulnerabilities IDENTIFTY License Compliance Risks TRACK Remediation Priorities & Progress ALERT New Vulnerabilities Affecting You Visibility AND Control 1 2 3 4 5
- 17. Best Practices For Open Source • Build and automatically enforce OSS policies • Identify OSS components early in the SDLC • Automatically create and maintain bills of material • Continuously monitor threat environment for new vulnerabilities Reqs • OSS Policies • Application Criticality Ranking • OSS Risk Parameters • License Risk • Security Risk • Operational Risk Design • OSS Selection • Design Review • License Risk • Security Risk • Operational Risk Code • OSS Detection • Automatically detect and alert on non- conforming components • Correlation with Bills of Material Test • OSS Enforcement • Detect and alert on non-conforming components • Correlation with Bills of Material Release • OSS Monitoring • Timely OSS Vulnerability Identification & Reporting • Bug Severity • Remediation Advice
- 18. Key Takeaways • Security testing is a good thing • It identifies common vulnerabilities in the code companies write • Different testing methodologies are better suited for different bug types • Open Source Security isn’t covered by traditional tools • Monitor for open source with known vulnerabilities, early in the SDL • Monitor production code for new vulnerabilities • Security testing is a point-in-time snapshot • New vulnerabilities may result from… • Changes to code can change security posture • Changes in the threat environment, even if the code hasn’t changed
- 19. 7 of the top 10 Software companies, and 44 of the top 100 6 of the top 8 Mobile handset vendors 6 of the top 10 Investment Banks 24 Countries 250+ Employees 1,600Customers 27 of the Fortune 100 About Black Duck Award for Innovation Gartner Group “Cool Vendor” “Top Place to Work,” The Boston Globe Four Years in the “Software 500” Largest Software Companies Six Years in a row for Innovation 2014
- 20. Flight16 – Black Duck Conference Join us on October 4th – 6th for Flight16, Black Duck’s inaugural customer conference at the Seaport Hotel & World Trade Center in Boston, MA. • 2 ½ days focused on providing you with a fresh perspective on today’s security threat landscape and helping you more effectively secure and manage open source. • Three conference tracks • Technology, Security, & Legal/Compliance • One-on-one sessions with Black Duck experts • Inspiring keynotes with • Defense Intelligence Agency Director General Michael Flynn • Cigital CTO Gary McGraw • Black Duck CEO Lou Shipley • Use code BOSTONLUNCH to register for free before September 16th.