LESSONS LEARNED FROM HEARTBLEED, STRUTS, AND THE NEGLECTED 90%
Wendy Nather, Security Research Director, 451 Research, @451wendy
Josh Corman, CTO, Sonatype, @joshcorman
FEATURED SPEAKERS
Wendy Nather, Security Research Director, 451 Research
• CISO of Texas Education Agency
• Security Director, Swiss Bank Corp
• Co-author of ‘The Cloud Security Rules’
• https://451research.com/
Joshua Corman, CTO, Sonatype
• Co-founder of Rugged Software
• Previously w/ Akamai & 451 Group
• Trusted Security Professional
• http://www.sonatype.com/
@joshcorman @451wendy
STATE OF THE UNION
Web Apps are the Top Attack Surface
--- 2014 Verizon Data Breach Investigations Report
SPENDING AND RISK ARE OUT OF SYNC
[Chart: security spending vs. attack risk by domain. Source: normalized spending numbers from IDC, Gartner, The 451 Group; groupings vary]
• Network Security ~$20B
• Host Security ~$10B
• Data Security ~$5B
• People Security ~$4B
• Application Security ~$0.5B, spent on SAST/DAST of the written code; almost no spending on the assembled 3rd-party and open-source components that make up ~90% of most applications
AppSec gets the LEAST $ but the MOST attacker focus.
Worse, within AppSec, the existing dollars go to the 10% that is written, not the 90% that is assembled.
SPENDING AND RISK ARE OUT OF SYNC
[Chart: DEPENDENCE vs. CURRENT SPENDING across three layers: Presentation Layer / Business Logic; Component Layer (3rd Party & OpenSource); Database, OS, Firmware, Network]
Application Security Technology Roadmap
Q. What is your status of implementation for this technology? n=198-205. Source: 451 Research Information Security – Wave 16
[Chart: implementation status of five application security technologies (Multifactor Authentication for Web-based Applications; Application Security Testing – External Interface Fuzzing or Testing; Database Security; Application Security Testing – Code or Binary Analysis-based Vulnerability Assessment; Web Application Firewall (WAF)). Categories: In Use Now (Not Including Pilots), In Pilot/Evaluation (Budget Has Already Been Allocated), In Near-term Plan (In Next 6 Months), In Long-term Plan (6-18 Months), Past Long-term Plan (Later Than 18 Months Out), Not in Plan. Roughly 32-40% report each technology in use now and 47-58% report it not in plan; pilot and planned categories are each in the 1-5% range.]
2013 vs. 2012 Spending Change for Application Security Technologies
Q. How will your spending on this technology change in 2013 as compared to 2012?
n=45-201. Data from respondents not using the technology or that don't know about spending are hidden.
Source: 451 Research Information Security – Wave 16
[Chart: Database Security; Multifactor Authentication for Web-based Applications; Application Security Testing – External Interface Fuzzing or Testing; Web Application Firewall (WAF); Application Security Testing – Code or Binary Analysis-based. Less Spending ~1%, About the Same 70-77%, More Spending 16-24%.]
2014 vs. 2013 Spending Change for Application Security Technologies
Q. How will your spending on this technology change in 2014 as compared to 2013?
n=45-201. Data from respondents not using the technology or that don't know about spending are hidden. Source: 451 Research Information Security – Wave 16
[Chart, in order shown: Application Security Testing – External Interface Fuzzing or Testing; Multifactor Authentication for Web-based Applications; Database Security; Web Application Firewall (WAF); Application Security Testing – Code or Binary Analysis-based. Less Spending 1-3%, About the Same 70/68/63/60/58%, More Spending 21/26/28/32/34%.]
2014 vs. 2013 Spending Change for Information Security Technologies
Q. How will your spending on this technology change in 2014 as compared to 2013?
n=45-201. Data from respondents not using the technology or that don't know about spending are hidden. Source: 451 Research Information Security – Wave 16
[Chart, reconstructed as a list: technologies ranked by the share of respondents planning More Spending, with the About the Same share alongside. Less Spending shares range from 1% to 13%.]
Anti-spam/Email Security: More 7%, About the Same 83%
Patch Management: More 10%, About the Same 83%
Penetration Testing: More 10%, About the Same 82%
Anti-spyware: More 10%, About the Same 84%
Hard Drive Encryption: More 11%, About the Same 82%
Laptop Encryption: More 11%, About the Same 83%
Anti-virus: More 13%, About the Same 80%
Host Intrusion Detection and/or Prevention (HIDS/HIPS): More 14%, About the Same 78%
Secure File Transfer: More 15%, About the Same 76%
Computer Forensics: More 16%, About the Same 71%
Email/Messaging Archiving/Compliance: More 17%, About the Same 79%
Vulnerability/Risk Assessment/Scanning (of Infrastructure): More 18%, About the Same 76%
File Integrity Monitoring: More 19%, About the Same 74%
SSL VPNs: More 20%, About the Same 69%
Secure Instant Messaging: More 20%, About the Same 72%
Email Encryption: More 21%, About the Same 73%
Application Security Testing – External Interface Fuzzing or Testing: More 21%, About the Same 70%
Key Management and/or Public Key Infrastructure: More 21%, About the Same 71%
Web Content Filtering: More 22%, About the Same 65%
Threat Intelligence: More 23%, About the Same 71%
Two-factor (Strong) Authentication for Infrastructure (e.g., …): More 23%, About the Same 66%
Single Sign-on: More 24%, About the Same 64%
IT Security Training/Education/Awareness: More 26%, About the Same 63%
Anti-botnet: More 26%, About the Same 64%
Multifactor Authentication for Web-based Applications: More 26%, About the Same 68%
Information or Digital Rights Management: More 27%, About the Same 58%
Database Security: More 28%, About the Same 63%
Advanced Anti-malware Response: More 29%, About the Same 62%
Managed Security Service Provider (MSSP): More 29%, About the Same 53%
Policy and Configuration Management: More 30%, About the Same 66%
Tokenization: More 31%, About the Same 63%
Web Application Firewall (WAF): More 32%, About the Same 60%
IT GRC (Governance, Risk, Compliance): More 33%, About the Same 51%
Network Data-loss Prevention Solutions: More 34%, About the Same 49%
Application Security Testing – Code or Binary Analysis-based: More 34%, About the Same 58%
Mobile Device Security (Not MDM): More 35%, About the Same 52%
Network Intrusion Detection and/or Prevention (NIDS/NIPS): More 36%, About the Same 54%
Network Firewalls: More 36%, About the Same 51%
Event Log Management System: More 37%, About the Same 51%
Virtualization Security: More 37%, About the Same 54%
Application-aware Firewall: More 39%, About the Same 46%
Identity Management: More 40%, About the Same 50%
Unified Threat Management (UTM): More 40%, About the Same 48%
Endpoint Data-loss Prevention Solutions: More 42%, About the Same 53%
Network Access Control (NAC): More 42%, About the Same 48%
Cloud Security: More 44%, About the Same 32%
Security Information Event Management (SIEM): More 46%, About the Same 44%
Mobile Device Management: More 46%, About the Same 42%
Below the Security Poverty Line …
• Little to no IT expertise
• More likely to use open source because it’s free
• No resources to monitor open source use or test it for vulnerabilities
• Disproportionately dependent on third party vendors
• Limited span of control
• Configuration and tuning decisions
• Architecture and strategy decisions
• Risk management
• Information asymmetry
What do we mean by the ‘Neglected 90%’?
[Chart: of the code in an application, 90% is Assembled vs. Written]
What Security Approach Has the Most Impact?
[Pyramid, from the base up:]
• Defensible Infrastructure
• Operational Excellence
• Situational Awareness
• Countermeasures
IS IT OPEN SEASON ON OPEN SOURCE?
Now that software is 90% ASSEMBLED…
One risky component, multiplied thousands of times: ONE EASY TARGET
[Diagram: the same vulnerable component in use at a Global Bank, a Software Provider, the Software Provider’s Customer, a State University, a Three-Letter Agency, a Large Financial Exchange, and Hundreds of Other Sites]
Is it true, with many eyeballs, all bugs are SHALLOW?
[Chart: Apache Struts CVEs plotted by year (2005-2014) against CVSS score (1.0-10.0): CVE-2005-3745, CVE-2006-1546, CVE-2006-1547, CVE-2006-1548, CVE-2007-6726, CVE-2008-2025, CVE-2008-6504, CVE-2008-6505, CVE-2008-6682, CVE-2010-1870, CVE-2011-1772, CVE-2011-2087, CVE-2011-2088, CVE-2011-5057, CVE-2012-0391, CVE-2012-0392, CVE-2012-0393, CVE-2012-0394, CVE-2012-0838, CVE-2012-1006, CVE-2012-1007, CVE-2012-4386, CVE-2012-4387, CVE-2013-1965, CVE-2013-1966, CVE-2013-2115, CVE-2013-2134, CVE-2013-2135, CVE-2013-2248, CVE-2013-2251, CVE-2013-4310, CVE-2013-4316, CVE-2013-6348, CVE-2014-0094]
In 2013, 4,000 organizations downloaded a version of Bouncy Castle with a level 10 vulnerability 20,000 TIMES … MORE THAN FIVE YEARS after the vulnerability was fixed.
[NVD excerpt] NATIONAL CYBER AWARENESS SYSTEM. Original Release Date: 03/30/2009. CVE-2007-6721, Bouncy Castle Java Cryptography API. CVSS v2 Base Score: 10.0 HIGH; Impact Subscore: 10.0; Exploitability Subscore: 10.0
In December 2013, 6,916 DIFFERENT organizations downloaded a version of httpclient with broken SSL validation (CVE-2012-5783) 66,824 TIMES … more than ONE YEAR AFTER THE ALERT.
[NVD excerpt] NATIONAL CYBER AWARENESS SYSTEM. Original Release Date: 11/04/2012. CVE-2012-5783, Apache Commons HttpClient 3.x. CVSS v2 Base Score: 5.8 MEDIUM; Impact Subscore: 4.9; Exploitability Subscore: 8.6
THE REAL IMPLICATIONS OF HEARTBLEED
Heartbleed + Internet of Things = ?
In Our Bodies. In Our Homes.
IS IT TIME FOR A SOFTWARE SUPPLY CHAIN? (and/or software liability)
[Diagram: Supply Chain Management. Stages: SUPPLIER → SUPPLY → SELECTION → INTEGRATION → DELIVERY, with OPTIMIZATION (MONITORING) across them. Levels: PROJECTS, COMPONENTS, COMPONENT VERSION, APPLICATION PLATFORMS & TOOLS]
If you’re not using secure COMPONENTS, you’re not building secure APPLICATIONS.
[Diagram: COMPONENT SELECTION → DEVELOPMENT → BUILD AND DEPLOY → PRODUCTION]
Today’s approaches AREN’T WORKING
• 46m vulnerable components downloaded
• 71% of apps have 1+ critical or severe vulnerability
• 90% of repositories have 1+ critical vulnerability
“Sonatype presents a rare opportunity to do something concrete in the application security space. One of the 1st tools that comes close to remediation not just scan results and recommendations.”
-- Wendy Nather
A NEW APPROACH
CURRENT METHODS | SONATYPE CLM
• Problem discovery | Problem remediation
• “Scan and scold” | Empower developers
• Source code scanning | Component analysis
• Approval-centric workflow | Automated policy across lifecycle
• Scans after development | Policy enforcement throughout SLC
Don’t use vulnerable components. It’s an AVOIDABLE RISK.
2013 Data Breach Investigations Report: “Some organizations will be a target REGARDLESS of what they do, but most become a target BECAUSE of what they do.”
How can we choose the best components FROM THE START?
Shift Upstream = ZTTR (Zero Time to Remediation)
• Analyze all components from within your IDE
• License, Security and Architecture data for each component, evaluated against your policy
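What "evaluated against your policy" looks like in practice, as an added example that is not code from the deck or from Sonatype's product: parse the component list a build resolves, look each component up against advisory and license data, and decide per policy whether the build may proceed. The script assumes `mvn dependency:list` style output; the dependency lines, the advisory table, the license map and the policy thresholds are all constructed sample data, and the affected-version ranges attached to the two CVEs the deck cites are placeholders, not the real ranges from an advisory database.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


def parse_version(v: str) -> Tuple[int, ...]:
    """Turn '4.2.3' or '1.38' into a comparable tuple; non-numeric parts sort low."""
    parts = []
    for piece in v.split("."):
        m = re.match(r"\d+", piece)
        parts.append(int(m.group()) if m else -1)
    return tuple(parts)


@dataclass(frozen=True)
class Advisory:
    cve: str
    cvss: float           # CVSS v2 base score, as in the deck's NVD excerpts
    introduced: str       # first affected version (inclusive)
    fixed: Optional[str]  # first fixed version (exclusive); None = no fix in this line

    def affects(self, version: str) -> bool:
        v = parse_version(version)
        if v < parse_version(self.introduced):
            return False
        return self.fixed is None or v < parse_version(self.fixed)


# Constructed advisory table keyed by (groupId, artifactId). CVE ids and scores are
# the ones the deck shows; the version ranges are illustrative placeholders only.
ADVISORIES: Dict[Tuple[str, str], List[Advisory]] = {
    ("org.bouncycastle", "bcprov-jdk15"): [Advisory("CVE-2007-6721", 10.0, "1.0", "1.38")],
    ("commons-httpclient", "commons-httpclient"): [Advisory("CVE-2012-5783", 5.8, "3.0", None)],
}

# Constructed license metadata for the sample components.
LICENSES: Dict[Tuple[str, str], str] = {
    ("org.bouncycastle", "bcprov-jdk15"): "MIT",
    ("commons-httpclient", "commons-httpclient"): "Apache-2.0",
    ("org.apache.commons", "commons-lang3"): "Apache-2.0",
    ("junit", "junit"): "EPL-1.0",
    ("com.example", "legacy-util"): "GPL-2.0",
}


@dataclass(frozen=True)
class Policy:
    block_cvss: float = 7.0   # at or above this score the build fails
    warn_cvss: float = 4.0    # at or above this score the finding is reported only
    allowed_licenses: frozenset = frozenset({"Apache-2.0", "MIT", "BSD-3-Clause", "EPL-1.0"})
    ignore_scopes: frozenset = frozenset({"test"})  # test-only dependencies do not ship


@dataclass(frozen=True)
class Finding:
    component: str   # groupId:artifactId:version
    action: str      # "block" or "warn"
    reason: str


DEP_LINE = re.compile(r"^\[INFO\]\s+([\w.\-]+):([\w.\-]+):jar:([\w.\-]+):(\w+)\s*$")


def parse_dependency_list(text: str) -> List[Tuple[str, str, str, str]]:
    """Parse `mvn dependency:list` style output into (group, artifact, version, scope)."""
    return [m.groups() for m in (DEP_LINE.match(l) for l in text.splitlines()) if m]


def evaluate(text: str, policy: Policy = Policy()) -> List[Finding]:
    """Apply the policy to every shipped component and return the findings."""
    findings: List[Finding] = []
    for group, artifact, version, scope in parse_dependency_list(text):
        if scope in policy.ignore_scopes:
            continue
        name = f"{group}:{artifact}:{version}"
        for adv in ADVISORIES.get((group, artifact), []):
            if not adv.affects(version):
                continue
            action = "block" if adv.cvss >= policy.block_cvss else "warn"
            if adv.cvss >= policy.warn_cvss:
                findings.append(Finding(name, action, f"{adv.cve} CVSS {adv.cvss}"))
        lic = LICENSES.get((group, artifact), "UNKNOWN")
        if lic not in policy.allowed_licenses:
            findings.append(Finding(name, "block", f"license {lic} not on allowlist"))
    return findings


def build_allowed(findings: List[Finding]) -> bool:
    """The build passes only when nothing is blocked; warnings are surfaced, not fatal."""
    return not any(f.action == "block" for f in findings)


# Constructed sample of `mvn dependency:list` output.
SAMPLE_DEPENDENCY_LIST = """\
[INFO] The following files have been resolved:
[INFO]    org.bouncycastle:bcprov-jdk15:jar:1.36:compile
[INFO]    commons-httpclient:commons-httpclient:jar:3.1:compile
[INFO]    org.apache.commons:commons-lang3:jar:3.3.2:compile
[INFO]    com.example:legacy-util:jar:0.9:compile
[INFO]    junit:junit:jar:4.11:test
"""

if __name__ == "__main__":
    results = evaluate(SAMPLE_DEPENDENCY_LIST)
    for f in results:
        print(f"{f.action.upper():5} {f.component}: {f.reason}")
    print("build allowed:", build_allowed(results))
```

Run against the sample list, the check blocks the Bouncy Castle artifact on the CVSS 10.0 advisory and the GPL-licensed utility on the license allowlist, warns on the 3.x HttpClient, ignores the test-scoped JUnit, and fails the build. The advisory lookup is keyed by exact coordinates and a numeric version comparison, which is what lets the same check run in an IDE or on every commit rather than in a scan after development.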
How do we prevent future bleeding hearts?
-- 3 step action plan
LEARN MORE
“The combination of growing component usage, coupled with lack of security, requires us to urgently re-evaluate traditional application security approaches.”
http://www.sonatype.com/clm/spotlight-on-heartbleed
www.sonatype.com/neglected90
LESSONS LEARNED FROM HEARTBLEED, STRUTS AND THE NEGLECTED 90%

RSAC DevSecOpsDays 2018 - We are all EquifaxRSAC DevSecOpsDays 2018 - We are all Equifax
RSAC DevSecOpsDays 2018 - We are all Equifax
 
DevSecOps reference architectures 2018
DevSecOps reference architectures 2018DevSecOps reference architectures 2018
DevSecOps reference architectures 2018
 
30+ Nexus Integrations to Accelerate DevOps
30+ Nexus Integrations to Accelerate DevOps30+ Nexus Integrations to Accelerate DevOps
30+ Nexus Integrations to Accelerate DevOps
 
2017 DevSecOps Survey
2017 DevSecOps Survey2017 DevSecOps Survey
2017 DevSecOps Survey
 
Starting and Scaling DevOps In the Enterprise
Starting and Scaling DevOps In the EnterpriseStarting and Scaling DevOps In the Enterprise
Starting and Scaling DevOps In the Enterprise
 
DevOps Friendly Doc Publishing for APIs & Microservices
DevOps Friendly Doc Publishing for APIs & MicroservicesDevOps Friendly Doc Publishing for APIs & Microservices
DevOps Friendly Doc Publishing for APIs & Microservices
 
The Unrealized Role of Monitoring & Alerting w/ Jason Hand
The Unrealized Role of Monitoring & Alerting w/ Jason HandThe Unrealized Role of Monitoring & Alerting w/ Jason Hand
The Unrealized Role of Monitoring & Alerting w/ Jason Hand
 
DevOps and All the Continuouses w/ Helen Beal
DevOps and All the Continuouses w/ Helen BealDevOps and All the Continuouses w/ Helen Beal
DevOps and All the Continuouses w/ Helen Beal
 
Serverless and the Way Forward
Serverless and the Way ForwardServerless and the Way Forward
Serverless and the Way Forward
 
A Small Association's Journey to DevOps w/ Edward Ruiz
A Small Association's Journey to DevOps w/ Edward RuizA Small Association's Journey to DevOps w/ Edward Ruiz
A Small Association's Journey to DevOps w/ Edward Ruiz
 
What's My Security Policy Doing to My Help Desk w/ Chris Swan
What's My Security Policy Doing to My Help Desk w/ Chris SwanWhat's My Security Policy Doing to My Help Desk w/ Chris Swan
What's My Security Policy Doing to My Help Desk w/ Chris Swan
 
Characterizing and Contrasting Kuhn-tey-ner Awr-kuh-streyt-ors
Characterizing and Contrasting Kuhn-tey-ner Awr-kuh-streyt-orsCharacterizing and Contrasting Kuhn-tey-ner Awr-kuh-streyt-ors
Characterizing and Contrasting Kuhn-tey-ner Awr-kuh-streyt-ors
 
Static Analysis For Security and DevOps Happiness w/ Justin Collins
Static Analysis For Security and DevOps Happiness w/ Justin CollinsStatic Analysis For Security and DevOps Happiness w/ Justin Collins
Static Analysis For Security and DevOps Happiness w/ Justin Collins
 
Automated Infrastructure Security: Monitoring using FOSS
Automated Infrastructure Security: Monitoring using FOSSAutomated Infrastructure Security: Monitoring using FOSS
Automated Infrastructure Security: Monitoring using FOSS
 
System Hardening Using Ansible
System Hardening Using AnsibleSystem Hardening Using Ansible
System Hardening Using Ansible
 
There is No Server: Immutable Infrastructure and Serverless Architecture
There is No Server: Immutable Infrastructure and Serverless ArchitectureThere is No Server: Immutable Infrastructure and Serverless Architecture
There is No Server: Immutable Infrastructure and Serverless Architecture
 
Getting out of the Job Jungle with Jenkins
Getting out of the Job Jungle with JenkinsGetting out of the Job Jungle with Jenkins
Getting out of the Job Jungle with Jenkins
 
Modern Infrastructure Automation
Modern Infrastructure AutomationModern Infrastructure Automation
Modern Infrastructure Automation
 

Dernier

Global Identity Enrolment and Verification Pro Solution - Cizo Technology Ser...
Global Identity Enrolment and Verification Pro Solution - Cizo Technology Ser...Global Identity Enrolment and Verification Pro Solution - Cizo Technology Ser...
Global Identity Enrolment and Verification Pro Solution - Cizo Technology Ser...Cizo Technology Services
 
Innovate and Collaborate- Harnessing the Power of Open Source Software.pdf
Innovate and Collaborate- Harnessing the Power of Open Source Software.pdfInnovate and Collaborate- Harnessing the Power of Open Source Software.pdf
Innovate and Collaborate- Harnessing the Power of Open Source Software.pdfYashikaSharma391629
 
How To Manage Restaurant Staff -BTRESTRO
How To Manage Restaurant Staff -BTRESTROHow To Manage Restaurant Staff -BTRESTRO
How To Manage Restaurant Staff -BTRESTROmotivationalword821
 
How to submit a standout Adobe Champion Application
How to submit a standout Adobe Champion ApplicationHow to submit a standout Adobe Champion Application
How to submit a standout Adobe Champion ApplicationBradBedford3
 
Machine Learning Software Engineering Patterns and Their Engineering
Machine Learning Software Engineering Patterns and Their EngineeringMachine Learning Software Engineering Patterns and Their Engineering
Machine Learning Software Engineering Patterns and Their EngineeringHironori Washizaki
 
SuccessFactors 1H 2024 Release - Sneak-Peek by Deloitte Germany
SuccessFactors 1H 2024 Release - Sneak-Peek by Deloitte GermanySuccessFactors 1H 2024 Release - Sneak-Peek by Deloitte Germany
SuccessFactors 1H 2024 Release - Sneak-Peek by Deloitte GermanyChristoph Pohl
 
Salesforce Implementation Services PPT By ABSYZ
Salesforce Implementation Services PPT By ABSYZSalesforce Implementation Services PPT By ABSYZ
Salesforce Implementation Services PPT By ABSYZABSYZ Inc
 
VK Business Profile - provides IT solutions and Web Development
VK Business Profile - provides IT solutions and Web DevelopmentVK Business Profile - provides IT solutions and Web Development
VK Business Profile - provides IT solutions and Web Developmentvyaparkranti
 
Open Source Summit NA 2024: Open Source Cloud Costs - OpenCost's Impact on En...
Open Source Summit NA 2024: Open Source Cloud Costs - OpenCost's Impact on En...Open Source Summit NA 2024: Open Source Cloud Costs - OpenCost's Impact on En...
Open Source Summit NA 2024: Open Source Cloud Costs - OpenCost's Impact on En...Matt Ray
 
Taming Distributed Systems: Key Insights from Wix's Large-Scale Experience - ...
Taming Distributed Systems: Key Insights from Wix's Large-Scale Experience - ...Taming Distributed Systems: Key Insights from Wix's Large-Scale Experience - ...
Taming Distributed Systems: Key Insights from Wix's Large-Scale Experience - ...Natan Silnitsky
 
MYjobs Presentation Django-based project
MYjobs Presentation Django-based projectMYjobs Presentation Django-based project
MYjobs Presentation Django-based projectAnoyGreter
 
Dealing with Cultural Dispersion — Stefano Lambiase — ICSE-SEIS 2024
Dealing with Cultural Dispersion — Stefano Lambiase — ICSE-SEIS 2024Dealing with Cultural Dispersion — Stefano Lambiase — ICSE-SEIS 2024
Dealing with Cultural Dispersion — Stefano Lambiase — ICSE-SEIS 2024StefanoLambiase
 
Intelligent Home Wi-Fi Solutions | ThinkPalm
Intelligent Home Wi-Fi Solutions | ThinkPalmIntelligent Home Wi-Fi Solutions | ThinkPalm
Intelligent Home Wi-Fi Solutions | ThinkPalmSujith Sukumaran
 
A healthy diet for your Java application Devoxx France.pdf
A healthy diet for your Java application Devoxx France.pdfA healthy diet for your Java application Devoxx France.pdf
A healthy diet for your Java application Devoxx France.pdfMarharyta Nedzelska
 
Ahmed Motair CV April 2024 (Senior SW Developer)
Ahmed Motair CV April 2024 (Senior SW Developer)Ahmed Motair CV April 2024 (Senior SW Developer)
Ahmed Motair CV April 2024 (Senior SW Developer)Ahmed Mater
 
Sending Calendar Invites on SES and Calendarsnack.pdf
Sending Calendar Invites on SES and Calendarsnack.pdfSending Calendar Invites on SES and Calendarsnack.pdf
Sending Calendar Invites on SES and Calendarsnack.pdf31events.com
 
Folding Cheat Sheet #4 - fourth in a series
Folding Cheat Sheet #4 - fourth in a seriesFolding Cheat Sheet #4 - fourth in a series
Folding Cheat Sheet #4 - fourth in a seriesPhilip Schwarz
 
英国UN学位证,北安普顿大学毕业证书1:1制作
英国UN学位证,北安普顿大学毕业证书1:1制作英国UN学位证,北安普顿大学毕业证书1:1制作
英国UN学位证,北安普顿大学毕业证书1:1制作qr0udbr0
 
Alfresco TTL#157 - Troubleshooting Made Easy: Deciphering Alfresco mTLS Confi...
Alfresco TTL#157 - Troubleshooting Made Easy: Deciphering Alfresco mTLS Confi...Alfresco TTL#157 - Troubleshooting Made Easy: Deciphering Alfresco mTLS Confi...
Alfresco TTL#157 - Troubleshooting Made Easy: Deciphering Alfresco mTLS Confi...Angel Borroy López
 
Balasore Best It Company|| Top 10 IT Company || Balasore Software company Odisha
Balasore Best It Company|| Top 10 IT Company || Balasore Software company OdishaBalasore Best It Company|| Top 10 IT Company || Balasore Software company Odisha
Balasore Best It Company|| Top 10 IT Company || Balasore Software company Odishasmiwainfosol
 

Dernier (20)

Global Identity Enrolment and Verification Pro Solution - Cizo Technology Ser...
Global Identity Enrolment and Verification Pro Solution - Cizo Technology Ser...Global Identity Enrolment and Verification Pro Solution - Cizo Technology Ser...
Global Identity Enrolment and Verification Pro Solution - Cizo Technology Ser...
 
Innovate and Collaborate- Harnessing the Power of Open Source Software.pdf
Innovate and Collaborate- Harnessing the Power of Open Source Software.pdfInnovate and Collaborate- Harnessing the Power of Open Source Software.pdf
Innovate and Collaborate- Harnessing the Power of Open Source Software.pdf
 
How To Manage Restaurant Staff -BTRESTRO
How To Manage Restaurant Staff -BTRESTROHow To Manage Restaurant Staff -BTRESTRO
How To Manage Restaurant Staff -BTRESTRO
 
How to submit a standout Adobe Champion Application
How to submit a standout Adobe Champion ApplicationHow to submit a standout Adobe Champion Application
How to submit a standout Adobe Champion Application
 
Machine Learning Software Engineering Patterns and Their Engineering
Machine Learning Software Engineering Patterns and Their EngineeringMachine Learning Software Engineering Patterns and Their Engineering
Machine Learning Software Engineering Patterns and Their Engineering
 
SuccessFactors 1H 2024 Release - Sneak-Peek by Deloitte Germany
SuccessFactors 1H 2024 Release - Sneak-Peek by Deloitte GermanySuccessFactors 1H 2024 Release - Sneak-Peek by Deloitte Germany
SuccessFactors 1H 2024 Release - Sneak-Peek by Deloitte Germany
 
Salesforce Implementation Services PPT By ABSYZ
Salesforce Implementation Services PPT By ABSYZSalesforce Implementation Services PPT By ABSYZ
Salesforce Implementation Services PPT By ABSYZ
 
VK Business Profile - provides IT solutions and Web Development
VK Business Profile - provides IT solutions and Web DevelopmentVK Business Profile - provides IT solutions and Web Development
VK Business Profile - provides IT solutions and Web Development
 
Open Source Summit NA 2024: Open Source Cloud Costs - OpenCost's Impact on En...
Open Source Summit NA 2024: Open Source Cloud Costs - OpenCost's Impact on En...Open Source Summit NA 2024: Open Source Cloud Costs - OpenCost's Impact on En...
Open Source Summit NA 2024: Open Source Cloud Costs - OpenCost's Impact on En...
 
Taming Distributed Systems: Key Insights from Wix's Large-Scale Experience - ...
Taming Distributed Systems: Key Insights from Wix's Large-Scale Experience - ...Taming Distributed Systems: Key Insights from Wix's Large-Scale Experience - ...
Taming Distributed Systems: Key Insights from Wix's Large-Scale Experience - ...
 
MYjobs Presentation Django-based project
MYjobs Presentation Django-based projectMYjobs Presentation Django-based project
MYjobs Presentation Django-based project
 
Dealing with Cultural Dispersion — Stefano Lambiase — ICSE-SEIS 2024
Dealing with Cultural Dispersion — Stefano Lambiase — ICSE-SEIS 2024Dealing with Cultural Dispersion — Stefano Lambiase — ICSE-SEIS 2024
Dealing with Cultural Dispersion — Stefano Lambiase — ICSE-SEIS 2024
 
Intelligent Home Wi-Fi Solutions | ThinkPalm
Intelligent Home Wi-Fi Solutions | ThinkPalmIntelligent Home Wi-Fi Solutions | ThinkPalm
Intelligent Home Wi-Fi Solutions | ThinkPalm
 
A healthy diet for your Java application Devoxx France.pdf
A healthy diet for your Java application Devoxx France.pdfA healthy diet for your Java application Devoxx France.pdf
A healthy diet for your Java application Devoxx France.pdf
 
Ahmed Motair CV April 2024 (Senior SW Developer)
Ahmed Motair CV April 2024 (Senior SW Developer)Ahmed Motair CV April 2024 (Senior SW Developer)
Ahmed Motair CV April 2024 (Senior SW Developer)
 
Sending Calendar Invites on SES and Calendarsnack.pdf
Sending Calendar Invites on SES and Calendarsnack.pdfSending Calendar Invites on SES and Calendarsnack.pdf
Sending Calendar Invites on SES and Calendarsnack.pdf
 
Folding Cheat Sheet #4 - fourth in a series
Folding Cheat Sheet #4 - fourth in a seriesFolding Cheat Sheet #4 - fourth in a series
Folding Cheat Sheet #4 - fourth in a series
 
英国UN学位证,北安普顿大学毕业证书1:1制作
英国UN学位证,北安普顿大学毕业证书1:1制作英国UN学位证,北安普顿大学毕业证书1:1制作
英国UN学位证,北安普顿大学毕业证书1:1制作
 
Alfresco TTL#157 - Troubleshooting Made Easy: Deciphering Alfresco mTLS Confi...
Alfresco TTL#157 - Troubleshooting Made Easy: Deciphering Alfresco mTLS Confi...Alfresco TTL#157 - Troubleshooting Made Easy: Deciphering Alfresco mTLS Confi...
Alfresco TTL#157 - Troubleshooting Made Easy: Deciphering Alfresco mTLS Confi...
 
Balasore Best It Company|| Top 10 IT Company || Balasore Software company Odisha
Balasore Best It Company|| Top 10 IT Company || Balasore Software company OdishaBalasore Best It Company|| Top 10 IT Company || Balasore Software company Odisha
Balasore Best It Company|| Top 10 IT Company || Balasore Software company Odisha
 

LESSONS FROM HEARTBLEED, STRUTS, AND THE NEGLECTED 90%

  • 1. LESSONS LEARNED FROM HEARTBLEED, STRUTS, AND THE Neglected 90% Wendy Nather, Security Research Director, 451 Research, @451wendy Josh Corman, CTO, Sonatype, @joshcorman
  • 2. FEATURED SPEAKERS WENDY NATHER, SECURITY RESEARCH DIRECTOR, 451 RESEARCH JOSHUA CORMAN, CTO CISO of Texas Education Agency Security Director, Swiss Bank Corp Co-author of ‘The Cloud Security Rules’ Co-founder of Rugged Software Previously w/ Akamai & 451 Group Trusted Security Professional @joshcorman@451wendy https://451research.com/ http://www.sonatype.com/
  • 3. STATE OF THE UNION
  • 4. Web Apps are the Top Attack Surface --- 2014 Verizon Data Breach Investigations Report @joshcorman@451wendy
  • 5. Spending and risk are out of sync: AppSec gets the LEAST $ but the MOST attacker focus. Worse, within AppSec, existing dollars go to the 10% that is written. Spending by category (normalized spending numbers from IDC, Gartner, The 451 Group; groupings vary): Network Security ~$20B; Host Security ~$10B; Data Security ~$5B; People Security ~$4B; Application Security ~$0.5B. Within application security, SAST/DAST spending goes to the written code, while the assembled 3rd-party and open-source components (~90% of most applications) get almost no spending. (Chart axes: spending, attack risk.) @joshcorman @451wendy
  • 6. Spending and risk are OUT OF SYNC. Layers, top to bottom: Presentation Layer and Business Logic; Component Layer (3rd Party & OpenSource); Database, OS, Firmware, Network. (Chart contrasts DEPENDENCE on each layer with CURRENT SPENDING on it.) @joshcorman @451wendy
  • 7. Application Security Technology Roadmap. Q. What is your status of implementation for this technology? n=198-205. Source: 451 Research Information Security – Wave 16. (Stacked bar chart, one bar per technology: Multifactor Authentication for Web-based Applications; Application Security Testing – External Interface Fuzzing or Testing Vulnerability Assessment; Database Security; Application Security Testing – Code or Binary Analysis-based Vulnerability Assessment; Web Application Firewall (WAF). Status categories: In Use Now (Not Including Pilots); In Pilot/Evaluation (Budget Has Already Been Allocated); In Near-term Plan (In Next 6 Months); In Long-term Plan (6-18 Months); Past Long-term Plan (Later Than 18 Months Out); Not in Plan.) @joshcorman @451wendy
  • 8. 2013 vs. 2012 Spending Change for Application Security Technologies. Q. How will your spending on this technology change in 2013 as compared to 2012? n=45-201. Data from respondents not using the technology or that don't know about spending are hidden. Source: 451 Research Information Security – Wave 16. (Stacked bar chart, one bar per technology: Database Security; Multifactor Authentication for Web-based Applications; Application Security Testing – External Interface Fuzzing or; Web Application Firewall (WAF); Application Security Testing – Code or Binary Analysis-based. Categories: Less Spending, About the Same, More Spending.) @joshcorman @451wendy
  • 9. 2014 vs. 2013 Spending Change for Application Security Technologies. Q. How will your spending on this technology change in 2014 as compared to 2013? n=45-201. Data from respondents not using the technology or that don't know about spending are hidden. Source: 451 Research Information Security – Wave 16. (Stacked bar chart, one bar per technology: Application Security Testing – External Interface Fuzzing or; Multifactor Authentication for Web-based Applications; Database Security; Web Application Firewall (WAF); Application Security Testing – Code or Binary Analysis-based. Categories: Less Spending, About the Same, More Spending.) @joshcorman @451wendy
  • 10. 2014 vs. 2013 Spending Change for Information Security Technologies. Q. How will your spending on this technology change in 2014 as compared to 2013? n=45-201. Data from respondents not using the technology or that don't know about spending are hidden. Source: 451 Research Information Security – Wave 16. (Stacked bar chart, one bar per technology, categories Less Spending, About the Same, More Spending. Technologies: Anti-spam/Email Security; Patch Management; Penetration Testing; Anti-spyware; Hard Drive Encryption; Laptop Encryption; Anti-virus; Host Intrusion Detection and/or Prevention (HIDS/HIPS); Secure File Transfer; Computer Forensics; Email/Messaging Archiving/Compliance; Vulnerability/Risk Assessment/Scanning (of Infrastructure); File Integrity Monitoring; SSL VPNs; Secure Instant Messaging; Email Encryption; Application Security Testing – External Interface Fuzzing or; Key Management and/or Public Key Infrastructure; Web Content Filtering; Threat Intelligence; Two-factor (Strong) Authentication for Infrastructure (e.g.; Single Sign-on; IT Security Training/Education/Awareness; Anti-botnet; Multifactor Authentication for Web-based Applications; Information or Digital Rights Management; Database Security; Advanced Anti-malware Response; Managed Security Service Provider (MSSP); Policy and Configuration Management; Tokenization; Web Application Firewall (WAF); IT GRC (Governance, Risk, Compliance); Network Data-loss Prevention Solutions; Application Security Testing – Code or Binary Analysis-based; Mobile Device Security (Not MDM); Network Intrusion Detection and/or Prevention (NIDS/NIPS); Network Firewalls; Event Log Management; System Virtualization Security; Application-aware Firewall; Identity Management; Unified Threat Management (UTM); Endpoint Data-loss Prevention Solutions; Network Access Control (NAC); Cloud Security; Security Information Event Management (SIEM); Mobile Device Management.) @joshcorman @451wendy
  • 11. 2014 vs. 2013 Spending Change for Information Security Technologies. (Same chart, question, sample and source as slide 10.) @joshcorman @451wendy
  • 12. Below the Security Poverty Line … • Little to no IT expertise • More likely to use open source because it’s free • No resources to monitor open source use or test it for vulnerabilities • Disproportionately dependent on third party vendors • Limited span of control • Configuration and tuning decisions • Architecture and strategy decisions • Risk management • Information asymmetry @joshcorman@451wendy
  • 13. What do we mean by the ‘Neglected 90%’? (Chart: 90% Assembled vs. Written.) @joshcorman @451wendy
  • 14. What Security Approach Has the Most Impact? (Pyramid, bottom to top: Defensible Infrastructure; Operational Excellence; Situational Awareness; Countermeasures.) @joshcorman @451wendy
  • 15. IS IT OPEN SEASON ON OPEN SOURCE?
  • 16. Now that software is 90% ASSEMBLED… @joshcorman@451wendy
  • 17. One risky component, multiplied thousands of times: ONE EASY TARGET @joshcorman@451wendy
  • 18. Global Bank Software Provider Software Provider’s Customer State University Three-Letter Agency Large Financial Exchange Hundreds of Other Sites @joshcorman@451wendy
  • 19. Is it true, with many eyeballs, all bugs are SHALLOW? (Chart: CVSS score, 1.0 to 10.0, by year, 2005 to 2014, one point per CVE. CVEs plotted: CVE-2005-3745, CVE-2006-1546, CVE-2006-1547, CVE-2006-1548, CVE-2008-6504, CVE-2008-6505, CVE-2008-2025, CVE-2007-6726, CVE-2008-6682, CVE-2010-1870, CVE-2011-2087, CVE-2011-1772, CVE-2011-2088, CVE-2011-5057, CVE-2012-0392, CVE-2012-0391, CVE-2012-0393, CVE-2012-0394, CVE-2012-1006, CVE-2012-1007, CVE-2012-0838, CVE-2012-4386, CVE-2012-4387, CVE-2013-1966, CVE-2013-2115, CVE-2013-1965, CVE-2013-2134, CVE-2013-2135, CVE-2013-2248, CVE-2013-2251, CVE-2013-4316, CVE-2013-4310, CVE-2013-6348, CVE-2014-0094.) @joshcorman @451wendy
  • 20. In 2013, 4,000 organizations downloaded a version of Bouncy Castle with a level 10 vulnerability 20,000 TIMES … MORE THAN FIVE YEARS after the vulnerability was fixed. (NATIONAL CYBER AWARENESS SYSTEM. Original Release Date: 03/30/2009. CVE-2007-6721, Bouncy Castle Java Cryptography API. CVSS v2 Base Score: 10.0 HIGH. Impact Subscore: 10.0. Exploitability Subscore: 10.0.) @joshcorman @451wendy
  • 21. In December 2013, 6,916 DIFFERENT organizations downloaded a version of httpclient with broken SSL validation (CVE-2012-5783) 66,824 TIMES … more than ONE YEAR AFTER THE ALERT. (NATIONAL CYBER AWARENESS SYSTEM. Original Release Date: 11/04/2012. CVE-2012-5783, Apache Commons HttpClient 3.x. CVSS v2 Base Score: 5.8 MEDIUM. Impact Subscore: 4.9. Exploitability Subscore: 8.6.) @joshcorman @451wendy
  • 22. THE REAL IMPLICATIONS OF HEARTBLEED
  • 23. Heartbleed + Internet of Things = ? In Our Bodies In Our Homes @joshcorman@451wendy
  • 24. IS IT TIME FOR A SOFTWARE SUPPLY CHAIN? (and/or software liability)
  • 26. If you’re not using secure COMPONENTS, you’re not building secure APPLICATIONS. (Lifecycle stages: Component Selection, Development, Build and Deploy, Production.) @joshcorman @451wendy
  • 27. Today’s approaches AREN’T WORKING: 46m vulnerable components downloaded! 71% of apps have 1+ critical or severe vulnerability! 90% of repositories have 1+ critical vulnerability! (Lifecycle stages: Component Selection, Development, Build and Deploy, Production.) @joshcorman @451wendy
  • 28. “Sonatype presents a rare opportunity to do something concrete in the application security space. One of the 1st tools that comes close to remediation not just scan results and recommendations.” -- Wendy Nather @joshcorman@451wendy
  • 29. A NEW APPROACH. CURRENT METHODS vs. SONATYPE CLM: Problem discovery vs. Problem remediation; “Scan and scold” vs. Empower developers; Source code scanning vs. Component analysis; Approval-centric workflow vs. Automated policy across lifecycle; Scans after development vs. Policy enforcement throughout SLC. @joshcorman @451wendy
  • 30. Don’t use vulnerable components. It’s an AVOIDABLE RISK 2013 Data Breach Investigations Report “Some organizations will be a target REGARDLESS of what they do, but most become a target BECAUSE of what they do.” @joshcorman@451wendy
  • 31. How can we choose the best components FROM THE START? Shift Upstream = ZTTR (Zero Time to Remediation) Analyze all components from within your IDE License, Security and Architecture data for each component, evaluated against your policy @joshcorman@451wendy
  • 32. How do we prevent future bleeding hearts? -- 3 step action plan @joshcorman@451wendy LEARN MORE “The combination of growing component usage, coupled with lack of security, requires us to urgently re-evaluate traditional application security approaches.” http://www.sonatype.com/clm/spotlight-on-heartbleed www.sonatype.com/neglected90
  • 33. LESSONS LEARNED FROM HEARTBLEED, STRUTS AND THE NEGLECTED 90%
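The policy gate that slides 20, 21, 26, 27 and 31 argue for, as an added example that is not part of the original deck and is not Sonatype's code: every component declared in a build file is matched against an advisory feed and evaluated against a simple policy (fail the build at CVSS 7.0 or above, warn below it), and the age of each matching advisory is reported, which is the "downloaded years after the alert" number the slides quote. The CVE identifiers, CVSS base scores and release dates are the ones printed on the slides; the Maven coordinates' vulnerable-version sets, the pom.xml, the threshold and the evaluation date are constructed for this example and are not real affected ranges.

```python
"""Component policy gate (added example; not Sonatype's code).

Each dependency declared in a POM is matched against an advisory feed and
evaluated against a policy before the build is allowed to proceed."""
from dataclasses import dataclass
from datetime import date
import xml.etree.ElementTree as ET

MAVEN_NS = "{http://maven.apache.org/POM/4.0.0}"

# Policy assumption for this example: fail at CVSS 7.0 or above, warn below it.
FAIL_THRESHOLD = 7.0


@dataclass(frozen=True)
class Advisory:
    group: str
    artifact: str
    vulnerable_versions: frozenset  # constructed; a real feed carries version ranges
    cve: str
    cvss: float
    published: date


# Constructed advisory feed. CVE ids, CVSS base scores and release dates are the
# ones quoted on the slides; the version sets are placeholders for illustration,
# NOT the real affected ranges (those come from the advisory itself).
ADVISORIES = [
    Advisory("org.bouncycastle", "bcprov-jdk15", frozenset({"1.38", "1.40"}),
             "CVE-2007-6721", 10.0, date(2009, 3, 30)),
    Advisory("commons-httpclient", "commons-httpclient", frozenset({"3.0", "3.1"}),
             "CVE-2012-5783", 5.8, date(2012, 11, 4)),
]

# Constructed pom.xml fragment: the components a build would pull in.
SAMPLE_POM = """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <dependencies>
    <dependency>
      <groupId>org.bouncycastle</groupId>
      <artifactId>bcprov-jdk15</artifactId>
      <version>1.38</version>
    </dependency>
    <dependency>
      <groupId>commons-httpclient</groupId>
      <artifactId>commons-httpclient</artifactId>
      <version>3.1</version>
    </dependency>
    <dependency>
      <groupId>org.apache.commons</groupId>
      <artifactId>commons-lang3</artifactId>
      <version>3.3.2</version>
    </dependency>
  </dependencies>
</project>
"""

# Evaluation date, constructed to match the "December 2013" figure on slide 21.
AS_OF = date(2013, 12, 1)


def parse_dependencies(pom_xml):
    """Return (groupId, artifactId, version) for every <dependency> in a POM."""
    root = ET.fromstring(pom_xml)
    deps = []
    for dep in root.iter(MAVEN_NS + "dependency"):
        fields = []
        for tag in ("groupId", "artifactId", "version"):
            el = dep.find(MAVEN_NS + tag)
            fields.append(el.text.strip() if el is not None and el.text else "")
        deps.append(tuple(fields))
    return deps


def evaluate(pom_xml, advisories=ADVISORIES, as_of=AS_OF):
    """Match each declared component against the feed; one finding per hit."""
    findings = []
    for group, artifact, version in parse_dependencies(pom_xml):
        for adv in advisories:
            if (group, artifact) != (adv.group, adv.artifact):
                continue
            if version not in adv.vulnerable_versions:
                continue
            findings.append({
                "component": f"{group}:{artifact}:{version}",
                "cve": adv.cve,
                "cvss": adv.cvss,
                "action": "FAIL" if adv.cvss >= FAIL_THRESHOLD else "WARN",
                # How long this version has been publicly known-bad: the slides'
                # point is that such versions keep being consumed years later.
                "days_since_advisory": (as_of - adv.published).days,
            })
    return findings


def build_allowed(pom_xml, advisories=ADVISORIES, as_of=AS_OF):
    """Policy decision: the build proceeds only if no finding is a FAIL."""
    return not any(f["action"] == "FAIL" for f in evaluate(pom_xml, advisories, as_of))


if __name__ == "__main__":
    for f in evaluate(SAMPLE_POM):
        print(f"{f['action']} {f['component']} {f['cve']} CVSS {f['cvss']} "
              f"advisory age {f['days_since_advisory']} days")
    print("build allowed:", build_allowed(SAMPLE_POM))
```

Run stand-alone, the script reports the Bouncy Castle component as a FAIL (CVSS 10.0, advisory 1707 days old on the constructed evaluation date) and the httpclient component as a WARN (CVSS 5.8, 392 days old), and refuses the build. The design choice that matters is where the gate sits: it reads the build file the developer edits, which is the "shift upstream" of slide 31, rather than scanning a finished artifact after development as slide 29 criticizes. A production version would replace the version sets with the advisory's version ranges and the constructed feed with a maintained source such as the NVD.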

Editor's Notes

  1. We are in the business of open source governance, management and compliance (add in slide or on cover slide) Your Company Runs on Software – it must be trusted
  2. Verizon Data Breach – Figure 16 Web app is the top attack surface
  3. Another way to show same thing as prior.
  4. 7
  5. 8
  6. 9
  7. 10
  8. 11
  9. Here are just a few examples so you can see that this risk is real… Bouncy Castle is a popular open source component… and even after critical security alerts were issued in 2009, 4000 companies still downloaded it 20,000 times. And that was five years after a better, safer replacement was issued. This is a level 10 critical security risk. Imagine the exposed applications out there… maybe some of them store your personal credit card data or other personal information.
  10. This example is even worse… a version of httpclient with a broken SSL validation downloaded by 6,916 organizations 66,824 times more than a year after the alert. It wasn’t hard for us to find these examples… this just skims the surface. Some of you may have heard about the FBI Warning last year about Struts… a vulnerable – and old – version of this framework was used to hack into a handful of large organizations. It made a lot of news. But people are still using it today.
  11. This isn’t new – it’s new to us…it’s a maturity of the industry and components are new to the s/w industry Not sure the supplier is something worth shaking down…there aren’t big guys but more little guys…more like the kickstarter movement. Supplier means nothing b/c the Supplier is equivalent Can get data on how people use it but can’t necessarily get info on the people who make up the project or getting them to self-certify… Project level info we can get from the users Apache, Eclipse or JBOSS can work but over time that is becoming less important in the overall component landscape. Key is “what is everyone doing” – what are the behaviors that are good indicators of the quality of work that is produced in any project. # of people in project and # of commits is “braindead” what OHLO does…more elegant way is possible (MH)
  12. You have at risk components flowing into your organization. It is an absolute fact. And we’re not just talking about security issues… you also have some quality issues and software licensing issues that make it illegal to use a component for a commercial use. It’s like building a car with parts manufactured by unknown vendors… and no criteria to be met.
  13. Despite some efforts to manage component usage, it just isn’t working… We know this because we know how many vulnerable components are downloaded… We know how many, on average, end up in your Nexus repository manager. And we know how many, on average, end up in your applications.
  14. Sonatype presents a rare opportunity to do something concrete in the application security space. One of the 1st tools that comes close to remediation not just scan results and recommendation
  15. We’ve talked a lot about the issues and the concerns, now what can you do about it? Sonatype specializes in accelerating open source usage, while minimizing risk not just in development but all throughout the software lifecycle. Tired of being told there is a problem, but it is up to you to figure out how to fix it? Weary of huge scan reports with false positives? Focusing primarily on source code instead of components? Bogged down by attempts to automate approval workflow? Waiting till after development is done to find security issues? When you add component security to complement your DAST and SAST efforts, you cover 100% of your application. And a little bit of investment in component security covers 90% of your application.
  16. Thank you for sharing your valuable time with me. If you only remember one thing from today, I hope it is this. Using vulnerable components is an easily avoidable risk.
  17. Ask Brian for Struts example, pane 1. Click onto pane and zoom in and zoom out.