Watch this insightful and witty discussion between two old pals, Wendy Nather, Security Research Director at 451 Research, and Josh Corman, CTO at Sonatype, on the state of application security today. They share their perspectives on the changing landscape of application development and how it is affecting common application security approaches. They agree that the dramatic shift from writing source code to assembling applications from components has created an open source security gap. With component vulnerabilities becoming national news (Heartbleed, Struts, and the promise of more to come), now is the time to stop using components with known vulnerabilities.
To learn more about Heartbleed and what it means for your company please visit http://www.sonatype.com/clm/spotlight-on-heartbleed
LESSONS FROM HEARTBLEED, STRUTS, AND THE NEGLECTED 90
1. LESSONS LEARNED FROM HEARTBLEED, STRUTS, AND THE NEGLECTED 90%
Wendy Nather, Security Research Director, 451 Research, @451wendy
Josh Corman, CTO, Sonatype, @joshcorman
2. FEATURED SPEAKERS
WENDY NATHER, SECURITY RESEARCH DIRECTOR, 451 RESEARCH
CISO of Texas Education Agency
Security Director, Swiss Bank Corp
Co-author of ‘The Cloud Security Rules’
JOSHUA CORMAN, CTO, SONATYPE
Co-founder of Rugged Software
Previously w/ Akamai & 451 Group
Trusted Security Professional
@joshcorman @451wendy
https://451research.com/ http://www.sonatype.com/
4. Web Apps are the Top Attack Surface
--- 2014 Verizon Data Breach Investigations Report
5. Spending and risk are out of sync
Source: Normalized spending numbers from IDC, Gartner, The 451 Group; since groupings vary
[Chart comparing spending, attack focus and risk across security domains: Network Security ~$20B; Host Security ~$10B; Data Security ~$5B; People Security ~$4B; Application Security ~$0.5B]
AppSec gets the LEAST $ but the MOST attacker focus.
Worse, within AppSec, existing dollars go to the 10% that is written (SAST/DAST on written code), while assembled 3rd party and open source components, ~90% of most applications, get almost no spending.
6. Spending and risk are OUT OF SYNC
[Chart contrasting DEPENDENCE on each layer with CURRENT SPENDING for the layers: Presentation Layer and Business Logic; Component Layer (3rd Party & OpenSource); Database, OS, Firmware, Network]
7. Application Security Technology Roadmap
Q. What is your status of implementation for this technology? n=198-205. Source: 451 Research Information Security – Wave 16
[Chart: implementation status per technology across the categories In Use Now (Not Including Pilots); In Pilot/Evaluation (Budget Has Already Been Allocated); In Near-term Plan (In Next 6 Months); In Long-term Plan (6-18 Months); Past Long-term Plan (Later Than 18 Months Out); Not in Plan. Technologies charted: Multifactor Authentication for Web-based Applications; Application Security Testing – External Interface Fuzzing or Testing; Vulnerability Assessment; Database Security; Application Security Testing – Code or Binary Analysis-based; Vulnerability Assessment; Web Application Firewall (WAF). The In Use Now figures range from 32% to 40%; the remaining percentages could not be mapped to technologies after extraction.]
8. 2013 vs. 2012 Spending Change for Application Security Technologies
Q. How will your spending on this technology change in 2013 as compared to 2012?
n=45-201. Data from respondents not using the technology or that don't know about spending are hidden.
Source: 451 Research Information Security – Wave 16
[Chart: per-technology split into Less Spending (about 1%), About the Same (70% to 77%) and More Spending (16% to 24%) for Database Security; Multifactor Authentication for Web-based Applications; Application Security Testing – External Interface Fuzzing; Web Application Firewall (WAF); Application Security Testing – Code or Binary Analysis-based. The per-technology mapping of the percentages was not recoverable after extraction.]
9. 2014 vs. 2013 Spending Change for Application Security Technologies
Q. How will your spending on this technology change in 2014 as compared to 2013?
n=45-201. Data from respondents not using the technology or that don't know about spending are hidden. Source: 451 Research Information Security – Wave 16
[Chart: per-technology split into Less Spending (1% to 3%), About the Same (58% to 70%) and More Spending (21% to 34%) for Application Security Testing – External Interface Fuzzing; Multifactor Authentication for Web-based Applications; Database Security; Web Application Firewall (WAF); Application Security Testing – Code or Binary Analysis-based. The per-technology mapping of the percentages was not recoverable after extraction.]
10. 2014 vs. 2013 Spending Change for Information Security Technologies
Q. How will your spending on this technology change in 2014 as compared to 2013?
n=45-201. Data from respondents not using the technology or that don't know about spending are hidden. Source: 451 Research Information Security – Wave 16
[Chart: stacked bars per technology split into Less Spending (values on the slide range from 1% to 13%), About the Same (32% to 84%) and More Spending (7% to 46%); the per-technology mapping of the percentages was not recoverable after extraction. Technologies charted, in slide order: Anti-spam/Email Security; Patch Management; Penetration Testing; Anti-spyware; Hard Drive Encryption; Laptop Encryption; Anti-virus; Host Intrusion Detection and/or Prevention (HIDS/HIPS); Secure File Transfer; Computer Forensics; Email/Messaging Archiving/Compliance; Vulnerability/Risk Assessment/Scanning (of Infrastructure); File Integrity Monitoring; SSL VPNs; Secure Instant Messaging; Email Encryption; Application Security Testing – External Interface Fuzzing or; Key Management and/or Public Key Infrastructure; Web Content Filtering; Threat Intelligence; Two-factor (Strong) Authentication for Infrastructure (e.g.,; Single Sign-on; IT Security Training/Education/Awareness; Anti-botnet; Multifactor Authentication for Web-based Applications; Information or Digital Rights Management; Database Security; Advanced Anti-malware Response; Managed Security Service Provider (MSSP); Policy and Configuration Management; Tokenization; Web Application Firewall (WAF); IT GRC (Governance, Risk, Compliance); Network Data-loss Prevention Solutions; Application Security Testing – Code or Binary Analysis-based; Mobile Device Security (Not MDM); Network Intrusion Detection and/or Prevention (NIDS/NIPS); Network Firewalls; Event Log Management System; Virtualization Security; Application-aware Firewall; Identity Management; Unified Threat Management (UTM); Endpoint Data-loss Prevention Solutions; Network Access Control (NAC); Cloud Security; Security Information Event Management (SIEM); Mobile Device Management]
12. Below the Security Poverty Line …
• Little to no IT expertise
• More likely to use open source because it’s free
• No resources to monitor open source use or test it for vulnerabilities
• Disproportionately dependent on third party vendors
• Limited span of control
• Configuration and tuning decisions
• Architecture and strategy decisions
• Risk management
• Information asymmetry
13. What do we mean by the ‘Neglected 90%’
[Chart: 90% Assembled vs. Written]
20. In 2013, 4,000 organizations downloaded a version of Bouncy Castle with a level 10 vulnerability 20,000 TIMES … MORE THAN FIVE YEARS after the vulnerability was fixed.
NATIONAL CYBER AWARENESS SYSTEM, Original Release Date: 03/30/2009
CVE-2007-6721, Bouncy Castle Java Cryptography API
CVSS v2 Base Score: 10.0 HIGH; Impact Subscore: 10.0; Exploitability Subscore: 10.0
21. In December 2013, 6,916 DIFFERENT organizations downloaded a version of httpclient with broken SSL validation (CVE-2012-5783) 66,824 TIMES … more than ONE YEAR AFTER THE ALERT.
NATIONAL CYBER AWARENESS SYSTEM, Original Release Date: 11/04/2012
CVE-2012-5783, Apache Commons HttpClient 3.x
CVSS v2 Base Score: 5.8 MEDIUM; Impact Subscore: 4.9; Exploitability Subscore: 8.6
26. If you’re not using secure COMPONENTS you’re not building secure APPLICATIONS
[Lifecycle stages shown: Component Selection, Development, Build and Deploy, Production]
27. Today’s approaches AREN’T WORKING
[Lifecycle stages shown: Component Selection, Development, Build and Deploy, Production]
46m vulnerable components downloaded
71% of apps have 1+ critical or severe vulnerability
90% of repositories have 1+ critical vulnerability
28. “Sonatype presents a rare opportunity to do something concrete in the application security space. One of the 1st tools that comes close to remediation not just scan results and recommendations.” -- Wendy Nather
29. A NEW APPROACH
CURRENT METHODS | SONATYPE CLM
Problem discovery | Problem remediation
“Scan and scold” | Empower developers
Source code scanning | Component analysis
Approval-centric workflow | Automated policy across lifecycle
Scans after development | Policy enforcement throughout SLC
30. Don’t use vulnerable components. It’s an AVOIDABLE RISK
2013 Data Breach Investigations Report: “Some organizations will be a target REGARDLESS of what they do, but most become a target BECAUSE of what they do.”
31. How can we choose the best components FROM THE START?
Shift Upstream = ZTTR (Zero Time to Remediation)
Analyze all components from within your IDE
License, Security and Architecture data for each component, evaluated against your policy
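The check that slides 20, 21 and 31 describe (know which components are in the application, match them against published advisories, and decide against a policy before the build ships) reduced to a runnable sketch. This is an added example, not code from the deck or from Sonatype's CLM: it parses the dependencies of a Maven POM constructed inline, matches each coordinate against a small advisory table, and fails the gate when a finding's CVSS score meets a configurable threshold, so the same function can run in the IDE, in CI, and against a repository manager. The CVE identifiers and CVSS v2 scores are the ones quoted on the slides; the Maven coordinates, the sample versions and the Bouncy Castle affected-version range are constructed placeholders (the HttpClient range follows the slide's "3.x"), so a real vulnerability feed has to replace the table before the gate means anything.

```python
"""Policy gate for third-party components (added example, not Sonatype's code).
CVE ids and CVSS scores are the ones on the slides; the Maven coordinates, the
sample versions and the Bouncy Castle version range are constructed placeholders.
"""
import re
import xml.etree.ElementTree as ET
from dataclasses import dataclass

# Constructed sample POM: three direct dependencies, two of which match an advisory.
SAMPLE_POM = """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <dependencies>
    <dependency><groupId>org.bouncycastle</groupId><artifactId>bcprov-jdk16</artifactId><version>1.45</version></dependency>
    <dependency><groupId>commons-httpclient</groupId><artifactId>commons-httpclient</artifactId><version>3.1</version></dependency>
    <dependency><groupId>org.apache.httpcomponents</groupId><artifactId>httpclient</artifactId><version>4.3.6</version></dependency>
  </dependencies>
</project>"""


@dataclass(frozen=True)
class Advisory:
    cve: str
    group_id: str
    artifact_id: str
    affected_min: tuple  # inclusive lower bound; () means no lower bound
    affected_max: tuple  # exclusive upper bound (first fixed version)
    cvss: float


ADVISORIES = [
    # Slide 20: Bouncy Castle, CVSS v2 10.0.  "< 1.50" is a placeholder range, not NVD data.
    Advisory("CVE-2007-6721", "org.bouncycastle", "bcprov-jdk16", (), (1, 50), 10.0),
    # Slide 21: Apache Commons HttpClient 3.x, CVSS v2 5.8.
    Advisory("CVE-2012-5783", "commons-httpclient", "commons-httpclient", (3,), (4,), 5.8),
]


def parse_version(version):
    """Turn '4.3.6' or '1.45-rc1' into a tuple of ints that compares naturally."""
    parts = []
    for token in re.split(r"[.\-]", version):
        digits = re.match(r"\d+", token)
        parts.append(int(digits.group()) if digits else 0)
    return tuple(parts)


def _local(tag):
    # Strip the Maven XML namespace so lookups work with or without an xmlns.
    return tag.rsplit("}", 1)[-1]


def parse_pom_dependencies(pom_xml):
    """Return (groupId, artifactId, version) for every <dependency> in the POM."""
    root = ET.fromstring(pom_xml)
    deps = []
    for node in root.iter():
        if _local(node.tag) != "dependency":
            continue
        fields = {_local(child.tag): (child.text or "").strip() for child in node}
        deps.append((fields["groupId"], fields["artifactId"], fields["version"]))
    return deps


def is_affected(version, advisory):
    """True when version lies inside the advisory's [affected_min, affected_max) range."""
    v = parse_version(version)
    if advisory.affected_min and v < advisory.affected_min:
        return False
    return v < advisory.affected_max


def find_vulnerable(deps, advisories=ADVISORIES):
    """Match each dependency coordinate and version against the advisory table."""
    findings = []
    for group_id, artifact_id, version in deps:
        for adv in advisories:
            same_artifact = (group_id, artifact_id) == (adv.group_id, adv.artifact_id)
            if same_artifact and is_affected(version, adv):
                findings.append((group_id, artifact_id, version, adv.cve, adv.cvss))
    return findings


def policy_gate(pom_xml, block_at=7.0, advisories=ADVISORIES):
    """Return (allowed, blocking, warnings): block the build on any finding with CVSS >= block_at."""
    findings = find_vulnerable(parse_pom_dependencies(pom_xml), advisories)
    blocking = [f for f in findings if f[4] >= block_at]
    warnings = [f for f in findings if f[4] < block_at]
    return (not blocking, blocking, warnings)


if __name__ == "__main__":
    allowed, blocking, warnings = policy_gate(SAMPLE_POM)
    for f in blocking:
        print("BLOCK  %s:%s:%s  %s (CVSS %.1f)" % f)
    for f in warnings:
        print("WARN   %s:%s:%s  %s (CVSS %.1f)" % f)
    print("gate:", "PASS" if allowed else "FAIL")
```

Run stand-alone, it reports the Bouncy Castle dependency as blocking, the commons-httpclient 3.1 dependency as a warning, and fails the gate; lowering `block_at` to 5.0 turns the warning into a second block. The matching is mechanical; the threshold is the policy decision, which is why it is a parameter rather than a constant, and why the same call can sit in an IDE plugin, a CI step and a repository-manager check without the three disagreeing.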
32. How do we prevent future bleeding hearts? -- 3 step action plan
LEARN MORE
“The combination of growing component usage, coupled with
lack of security, requires us to urgently re-evaluate traditional
application security approaches.”
http://www.sonatype.com/clm/spotlight-on-heartbleed
www.sonatype.com/neglected90
We are in the business of open source governance, management and compliance (add in slide or on cover slide)
Your Company Runs on Software – it must be trusted
Verizon Data Breach – Figure 16
Web app is the top attack surface
Another way to show same thing as prior.
Here are just a few examples so you can see that this risk is real…
Bouncy Castle is a popular open source component… and even after critical security alerts were issued in 2009, 4000 companies still downloaded it 20,000 times.
And that was five years after a better, safer replacement was issued.
This is a level 10 critical security risk. Imagine the exposed applications out there… maybe some of them store your personal credit card data or other personal information.
This example is even worse… a version of httpclient with a broken SSL validation downloaded by 6,916 organizations 66,824 times more than a year after the alert.
It wasn’t hard for us to find these examples… this just skims the surface.
Some of you may have heard about the FBI Warning last year about Struts… a vulnerable – and old – version of this framework was used to hack into a handful of large organizations. It made a lot of news. But people are still using it today.
This isn’t new – it’s new to us…it’s a maturity of the industry
and components are new to the s/w industry
Not sure the supplier is something worth shaking down…there aren’t big guys but more little guys…more like the kickstarter movement.
Supplier means nothing b/c the Supplier is equivalent
Can get data on how people use it but can’t necessarily get info on the people who make up the project or getting them to self-certify…
Project level info we can get from the users
Apache, Eclipse or JBOSS can work but over time that is becoming less important in the overall component landscape.
Key is “what is everyone doing” – what are the behaviors that are good indicators of the quality of work that is produced in any project.
# of people in project and # of commits is “braindead” what Ohloh does…more elegant way is possible (MH)
You have at risk components flowing into your organization. It is an absolute fact.
And we’re not just talking about security issues… you also have some quality issues and software licensing issues that make it illegal to use a component for a commercial use.
It’s like building a car with parts manufactured by unknown vendors… and no criteria to be met.
Despite some efforts to manage component usage, it just isn’t working…
We know this because we know how many vulnerable components are downloaded…
We know how many, on average, end up in your Nexus repository manager
And we know how many, on average, end up in your applications
Sonatype presents a rare opportunity to do something concrete in the application security space.
One of the 1st tools that comes close to remediation not just scan results and recommendation
We’ve talked a lot about the issues and the concerns, now what can you do about it?
Sonatype specializes in accelerating open source usage, while minimizing risk not just in development but all throughout the software lifecycle.
Tired of being told there is a problem, but it is up to you to figure out how to fix it?
Weary of huge scan reports with false positives?
Focusing primarily on source code instead of components?
Bogged down by attempts to automate approval workflow?
Waiting till after development is done to find security issues?
When you add component security to complement your DAST and SAST efforts, you cover 100% of your application. And a little bit of investment in component security covers 90% of your application.
Thank you for sharing your valuable time with me. If you only remember one thing from today, I hope it is this.
Using vulnerable components is an easily avoidable risk.
Ask Brian for Struts example, pane 1
Click onto pane and zoom in and zoom out