FLIGHT WEST 2018 - Presentation - SCA 101: How to Manage Open Source Security Risks with Black Duck

Jul 18, 20180 likes645 views

Managing open source security risks is important because most modern applications contain a significant amount of open source code that may contain vulnerabilities. It is difficult to manage these risks because vulnerabilities are often discovered after code is released. Tools can help with open source selection, governance, detection of used components, prioritizing and remediating vulnerabilities, and monitoring applications post-release. Managing open source security risks requires identifying components, setting policies, understanding usage, prioritizing issues, and monitoring ongoing.

Managing Open Source Security
Risks with Black Duck
Jeffrey Michael
Senior Product Manager

Why: Why should you care and why is it so hard?
Open Source Security Risk Management
Selection: How to identify and use high-quality components?
Governance: How to set and enforce policies to ensure nothing falls through the cracks?
Detection: How to truly know what open source you’re using?
Prioritization, Mitigation, & Remediation: What to do and when?
Monitoring: What happens after you release?

Up to 90%
Open Source
TODAY
50%
Open Source
2010
20%
Open Source
20051998
10%
Open Source
Why should you care?
Today, most application code is open source

Why should you care?
Over 40,000 known open source vulnerabilities

Why is it hard?
Bug
Introduced
National
Vulnerability
Database
Vuln
Discovered
You
Find It
You
FIX It
Exploits
Published
Hackers
Hack
Highest Security Risk
The Race between you and open source hackers

Open Source Selection Process/Criteria
Active
Development
Security
track record
Support
Community
Version

Open Source Selection Process/Criteria
Active Development & Support Community
GitHub
OpenHub

Open Source Selection Process/Criteria
Security Track Record & Version

Governance: Open Source Policies
• Define/manage open source policies to meet your organizations risk tolerance.
• Transparency into what open source is entering your code base.
• Early notification of policy violations
• Reporting and visibility of what open source violates policy and where that open
source exists

Detection: What open source am I using?
• Automated and Multi-factor
• Supports multiple risk tolerance or LOE scenarios
• Most comprehensive language support
• Multiple points of verification to ensure accuracy
• Streamlines disambiguation
• Identifies partial, modified and snippet reused components
Source Content Scan
Optimized file system scanning
with Scan client Analyze Source
Content for:
• Snippet Matches
Dependency Analysis
Build process monitoring and
Package file inspection track
Direct & Transitive Dependencies
from:
• Static package management files
and other artifacts
• Dynamically resolved
dependencies listed in Build info
Component Scanning
File system scanning with Scan
Client Contextual analysis
identifies most open source in
use:
• File / Directory meta-data
• Exact File Content (SHA1
signatures)
Binary Analysis
(Protecode SC)
Contextual File system scanning
Analyzes Modified or
Unstructured Binaries from:
• Compiled Source Code
• Third Party Applications
Easy Hard

Where do I start and what do I do?
Prioritization Know the most significant vulnerabilities within your most critical applications.

Where do I start and what do I do?
Mitigation & Remediation What can I do to address my issues?

Monitoring: What about issues with production applications?
Reporting, Notification, and Dashboard
monitoring.

Monitoring: What about issues with production applications?
Hub Alert plugin
• Single notification platform
• Vulnerabilities
• Policy Violations
• Policy Overrides
• Policy cancelations
• Distribute to your channel of choice
• HipChat
• Slack
• Email

Monitoring: What about issues with production applications?
Jira integration for automated
notification/triage.

This document provides an overview of open source license management best practices that have evolved over 16 years, from 2002 to 2018. It discusses how the risks have changed from lawsuits prompting code inspections to security vulnerabilities coming to the forefront. It also outlines the key functionality of Black Duck Hub for managing open source licenses, including predefined license groups, component usage settings, license risk modeling, policy management, license review workflows, and integrations. Finally, it proposes a suggested license management workflow involving license planning, policy creation, component reviews, attribution statements, and more.

FLIGHT WEST 2018 Presentation - Continuous Monitoring of Open Source Componen...Black Duck by Synopsys

Basma Shahadat, Lead Research Engineer presented at Black Duck Flight West 2018. Security checking in the early stages of the SDLC is critical. This session will demonstrate how Proofpoint is taking proactive steps to reduce risk by integrating Black Duck into Proofpoint’s continuous integration pipeline to detect open source vulnerabilities during the product build. For more information, please visit us at https://www.blackducksoftware.com/

FLIGHT WEST 2018 Presentation - Integrating Security into Your Development an...Black Duck by Synopsys

Flight WEST 2018 Presentation - A Buyer Investor Playbook for Successfully Na...Black Duck by Synopsys

Anthony Decicco, shareholder, GTC Law Group presented at FLIGHT West 2018. His session description included: A buyer and investor focused discussion of key open source software-related issues and deal points. Understanding the key legal and technical risks, as well as strategies for mitigating them, will help you to focus due diligence, speed and smooth negotiations and get better deal terms, increasing overall value and avoiding post-transaction surprises. For more information, please visit us at www.blackducksoftware.com

FLIGHT Amsterdam Presentation - From Protex to Hub Black Duck by Synopsys

Don't Let Open Source be the Deal Breaker In Your M&A Black Duck by Synopsys

Proactive sell side due diligence to identify, inventory, assess, and, when necessary, remediate open source risks helps ensure the target company receives the best value for its products in an M&A event (and avoid lawsuits). Discovering these problems late in the game can dramatically affect the final purchase price, trigger the need for additional/longer/enhanced escrows, delay closing or even cause an acquisition to be called off altogether.

Open Source Security for Newbies - Best PracticesBlack Duck by Synopsys

PCI and Vulnerability Assessments - What’s MissingBlack Duck by Synopsys

Integrating Black Duck into Your Environment with Hub APIsBlack Duck by Synopsys

This document discusses Hub APIs for integrating Black Duck into other environments. It provides an overview of common API scenarios, introduces the Hub APIs, and describes the currently available Hub API categories including general, report, notification, and extension APIs. The document also discusses REST API patterns and provides an example of API structure and interactions. It concludes by previewing future directions for Hub API enhancements.

FLIGHT Amsterdam Presentation - Open Source License Management in the Black D...Black Duck by Synopsys

Filling your AppSec Toolbox - Which Tools, When to Use Them, and WhyBlack Duck by Synopsys

According to SAP 85% of cybersecurity attacks target the application layer. To be successful in defending against these attacks you need to use a variety of tools. In session we'll go into the various types application security tools and approaches, including SAST, DAST, RASP, PEN, as well as Open Source Vulnerability Management. We'll help you understand the differences between these tools and help you develop a plan for filling your application security toolbox.

Managing Open Source in Application Security and Software Development LifecycleBlack Duck by Synopsys

Presented September 15, 2016 by John Steven, CTO, Cigital; Mike Pittenger, VP Security Strategy, Black Duck Today, open source comprises a critical component of software code in the average application, yet most organizations lack the visibility into and control of the open source they’re using. A 2016 analysis of 200 commercial applications showed that 67% contained known open source vulnerabilities. Whether it’s a SaaS solution you deliver to millions of customers, or an internal application developed for employees, addressing the open source visibility and control challenges is vital to ensuring proper software security. Open source use is ubiquitous worldwide. It powers your mobile phone and your company’s most important cloud application. Securing mission critical applications must evolve to address open source as part of software security, complementing and extending the testing of in-house written code. In this webinar by Cigital and Black Duck security experts, you’ll learn: - The current state of application security management within the Software Development Lifecycle (SDLC) - New security considerations organizations face in testing applications that combine open source and in-house written software. - Steps you can take to automate and manage open source security as part of application development

Customer Case Study: ScienceLogic - Many Paths to ComplianceBlack Duck by Synopsys

Myths and Misperceptions of Open Source Security Black Duck by Synopsys

This document discusses myths and misperceptions around open source security. It addresses 6 common misperceptions: 1) that security tools can find all open source vulnerabilities, 2) that scanning is best done at the end of development, 3) that the National Vulnerability Database covers all vulnerabilities, 4) that replacing vulnerable components is always the answer, 5) that the "many eyes" theory ensures open source security, and 6) that open source is less secure than commercial software. The document provides details to counter each misperception and emphasizes that all software can have vulnerabilities, and that visibility into what software is used is key to security.

A Brief Insight into Penetration TestingVikram Khanna

Penetration testing involves ethically hacking systems to identify vulnerabilities. It is conducted annually or when systems change, using tools like Wireshark, Nmap, Metasploit, and John the Ripper. The process includes reconnaissance, threat modeling, exploitation, post-exploitation, and re-testing phases to measure security policy compliance, identify weak spots, prevent disasters, and help developers create secure apps.

Continuous and Visible Security Testing with BDD-SecurityStephen de Vries

Perforce on Tour 2015 - Grab Testing By the Horns and MovePerforce

The document discusses integrating security testing into agile development processes. It proposes building security metrics at each stage and providing results to developers to help prioritize and quickly fix issues. Testing should be flexible to each team's needs and provide actionable results and tracing to help developers learn and fix root causes of errors. Maintaining independence of audits and regular updates are also suggested.

Proactive Security AppSec Case StudyAndy Hoernecke

Software Security Assurance for DevOpsBlack Duck by Synopsys

How do organizations build secure applications, given today's rapidly moving and evolving DevOps practices? Join Black Duck and our customer experts on best practices for application security in DevOps. You’ll learn: -New security challenges facing today’s popular DevOps and Continuous Integration (CI) practices, including managing custom code and open source risks with containers and traditional environments -Best practices for designing and incorporating an automated approach to application security into your existing development environment -Future development and application security challenges organizations will face and what they can do to prepare

Making the Strategic Shift to Open Source at Fujitsu Network CommunicationBlack Duck by Synopsys

Fujitsu Network Communications (FNC) is making a strategic shift to open source. They are using the open source Warrior Framework for automation. Warrior is a keyword and data driven framework that was originally developed by FNC. It supports the automation of multiple protocols and devices. FNC is now open sourcing Warrior to enhance it through collaborative development and align with their open strategy.

Static Analysis Tools and Frameworks: Overcoming a Dangerous Blind SpotCigital

More and more organizations are using static analysis tools to find security bugs and other quality issues in software long before the code is tested and released. This is a good thing, and despite their well-known frustrations like high false positive rates and relatively slow speeds, these tools are helping improve the overall security of software. Unfortunately, these known frustrations may also introduce a dangerous blind spot in these tools which do not know modern frameworks as well as they know the base languages. Learn how organizations are often left feeling secure when they’re not.

Open Source Insight: Securing IoT, Atlanta Ransomware Attack, Congress on Cyb...Black Duck by Synopsys

The Black Duck blog and Open Source Insight become part of the Synopsys Software Integrity blog in early April. You’ll still get the latest open source security and license compliance news, insights, and opinions you’ve come to expect, plus the latest software security trends, news, tips, best practices, and thought leadership every week. Don’t delay, subscribe today! Now on to this week’s open source security and cybersecurity news.

Devops security-An Insight into Secure-SDLCSuman Sourav

Primer: The top ten automotive cybersecurity vulnerabilities of 2015Rogue Wave Software

If you’re trying to build connected automotive software that’s both bulletproof and secure, you’ve got a big task ahead of you; knowing where to focus your time and energy can be half the challenge. Nearly 90% of all detected security holes can be traced back to just ten types of vulnerabilities. Take a quick walk through the top ten in this primer presentation. Check out the last slide for links to detailed information about these vulnerabilities and fixes, including a webinar and white paper by automotive industry experts.

CISSP Prep: Ch 7. Security Assessment and TestingSam Bowne

The document discusses various methods for assessing security controls and testing systems, including penetration testing, social engineering, vulnerability testing, security audits, and software testing methods. It covers topics like penetration testing tools and methodology, assuring data confidentiality, different types of audits and reviews, and levels of software testing from unit to acceptance. Static and dynamic analysis are introduced as approaches to software security testing.

SAST vs. DAST: What’s the Best Method For Application Security Testing?Cigital

High profile security breaches are leading to heightened organizational security concerns. Firms around the world are now observing the consequences of security breaches that are becoming more widespread and more advanced. Due to this, firms are ready to identify vulnerabilities in their applications and mitigate the risks. Two ways to go about this are static application security testing (SAST) and dynamic application security testing (DAST). These application security testing methodologies are used to find the security vulnerabilities that make your organization’s applications susceptible to attack. The two methodologies approach applications very differently. They are most effective at different phases of the software development life cycle (SDLC) and find different types of vulnerabilities. For example, SAST detects critical vulnerabilities such as cross-site scripting (XSS), SQL injection, and buffer overflow earlier in the SDLC. DAST, on the other hand, uses an outside-in penetration testing approach to identify security vulnerabilities while web applications are running. Let us guide you through your application security testing journey with more key differences between SAST and DAST:

September 13, 2016: Security in the Age of Open Source: Black Duck by Synopsys

Pactera - App Security Assessment - Mobile, Web App, IoT - v2Kyle Lai

This document provides an overview of application security services offered by Pactera Cybersecurity Consulting. It discusses why clients choose Pactera, the types of cybersecurity capabilities offered including application vulnerability testing, secure coding training, and third-party risk management. It then goes into more detail about application security testing methodologies and tools used for mobile, web, and API security assessments. Profiles of some of Pactera's cybersecurity experts are also included.

Software Security Assurance for DevOps - Hewlett Packard Enterprise + Black DuckBlack Duck by Synopsys

Presented August 11, 2016 by Michael Right, Senior Product Manager, HPE Security Fortify; Mike Pittenger, VP of Security Strategy, Black Duck. Open source software is an integral part of today’s technology ecosystem, powering everything from enterprise and mobile applications to cloud computing, containers and the Internet of Things. While open source offers attractive economic and productivity benefits for application development, it also presents organizations with significant security challenges. Every year, thousands of new open source security vulnerabilities – such as Heartbleed, Venom and Shellshock – are reported. Unfortunately, many organizations lack visibility into and control of their open source. Addressing this challenge is vital for ensuring security in applications and containers. Whether you’re building software for customers or for internal use, the majority of the code is likely open source and securing it is no easy task. In this session, you’ll learn about: • The evolving DevOps and software security assurance lifecycle in the age of open source • The software security considerations CISOs, security, and development teams must address when using open source • An automated approach to identifying vulnerabilities and managing software security assurance for custom and open source code.

Software Security Assurance for DevOpsBlack Duck by Synopsys

More Related Content

What's hot (20)