Over 6,000 new open source vulnerabilities have been discovered since 2014. In Q1 2016, 960 new vulnerabilities were found, a 20% increase over Q1 2015. Common vulnerability types include buffer errors and input validation issues. Notable vulnerabilities included issues in glibc and OpenSSL (DROWN). It can be difficult for companies to manage open source security due to a lack of centralized responsibility and patching. A software bill of materials that tracks components and vulnerabilities is recommended to address this problem.

1. © 2016 Black Duck Software, Inc. All Rights Reserved.
Secure and Manage Your Open Source Software
OPEN SOURCE VULNERABILITY REVIEW
Q1, 2016

2. 2 © 2016 Black Duck Software, Inc. All Rights Reserved.
HOW ARE VULNERABILITIES FOUND AND
DISCLOSED?
Over 6,000 new
vulnerabilities in open
source since 2014
Over 76,000 total
vulnerabilities in NVD,
only 63 reference
automated tools
• 50 of those are for
vulnerabilities
reported in the tools
• 13 are for
vulnerabilities that
could be identified by
a fuzzer
0
200
400
600
800
1,000
1,200
NVD
Open Source Vulnerability Disclosures by Month
Heartbleed
Disclosure

3. 3 © 2016 Black Duck Software, Inc. All Rights Reserved.
WHAT’S NEW IN THE FIRST 90 DAYS OF 2016
960 new vulnerabilities in open source
components
• ~20% increase over Q1 2015
• ~35% increase in high and critical
vulnerabilities
Popular components continue to be targets for
research
• Firefox – 61 new vulnerabilities
• Debian Linux – 24 new vulnerabilities
• OpenSSL – 11 new vulnerabilities
• Apache Tomcat – 7 new vulnerabilities
Good News!
• WordPress – 0 new vulnerabilities
• Drupal – 0 new vulnerabilities

4. 4 © 2016 Black Duck Software, Inc. All Rights Reserved.
MOST COMMON VULNERABILITY TYPES
CWE Frequency
Buffer Errors 262
Information Leak/Disclosure 142
Input Validation 133
Cross Site Scripting 124
Improper Access Control 32
Cross Site Request Forgery 22
Credentials Management 21
Cryptographic Issues 16
Data Handling 16
Code 11
0
50
100
150
200
250
300
NVD - Top Ten CWE's
Q1, 2016

5. 5 © 2016 Black Duck Software, Inc. All Rights Reserved.
TOP “HONORS” FOR Q1
glibc and DROWN

6. 6 © 2016 Black Duck Software, Inc. All Rights Reserved.
GLIBC VULNERABILITY
CVE-2015-7547
Component: GNU C Standard Library
CWE 119 – Buffer Errors
Introduced to code base: 2008
Vulnerability disclosed: 02/18/2016
Recommendation: Upgrade immediately
• Central component in all Linux distros
• IT infrastructure
• Mission critical applications
• Internet of Things
• Vulnerability affects a universally used protocol
(DNS)
• Attack can force an affected client to look up a
malicious domain, then return a payload that
exploits the buffer overflow in glibc
• Can result in complete takeover of the system
glibc
Source: https://dankaminsky.com/2016/02/20/skeleton/#ciso
Galaxy map of Ubunto Linux

7. 7 © 2016 Black Duck Software, Inc. All Rights Reserved.
DROWN VULNERABILITY
CVE-2016-0800
Component: OpenSSL
CWE 200 – Information Leak/Disclosure
Introduced to code base: 2010
Vulnerability disclosed: 03/01/2016
Recommendation: Upgrade immediately
• Widely used encryption protocol
• Apache and NGINX comprise 85% of web servers
• Many Linux distros
• Internet of Things
• IT Infrastructure
• Attacker can force “agreement” to a very weak cypher
(SSL v2)
• Man-in-the-middle can intercept/modify any
communications between users and server
Vulnerable
at Disclosure
(March 1)
Vulnerable
March 26
HTTPS — Top one
million domains
25% 15%
HTTPS — All browser-
trusted sites
22% 16%
HTTPS — All sites 33% 28%
Source: https://drownattack.com/
* http://http://www.w3cook.com/webserver/summary/

8. 8 © 2016 Black Duck Software, Inc. All Rights Reserved.
HONORABLE MENTION
The Panama Papers
Mossack Fonseca
• 11.5 million (2.6 TB) confidential
documents stolen
• Details of over 200,000 off-shore
entities and shell companies
• Suspected attack vectors
• Drupal 7.23 (2013)
• 611 known vulnerabilities
(including DROWN)
• WordPress 4.1 (2014)
• 435 known vulnerabilities
• Outlook Web Access
• Unpatched since 2009
• No encryption enabled

9. 9 © 2016 Black Duck Software, Inc. All Rights Reserved.
WHAT IS SPECIAL ABOUT OPEN
SOURCE VULNERABILITIES?

10. 10 © 2016 Black Duck Software, Inc. All Rights Reserved.
WE HAVE LITTLE CONTROL OVER HOW OPEN
SOURCE ENTERS THE CODE BASE
Open Source
Community
Internally
Developed
Code
Outsourced
Code
Legacy
Code
Reused Code
Supply
Chain
Code
Third
Party
Code
Delivered Code
Open source code introduced
i a y ways…
…a d absorbed i to
final code.

11. 11 © 2016 Black Duck Software, Inc. All Rights Reserved.
OPEN SOURCE: EASY TARGETS
Used
everywhere
Easy access to code
Vulnerabilities are
publicized
Exploits readily available

12. 12 © 2016 Black Duck Software, Inc. All Rights Reserved.
WHO’S RESPONSIBLE FOR SECURITY?
Commercial Code Open Source Code
• Dedicated security researchers
• Alerting and notification infrastructure
• Regular patch updates
• Dedicated support team with SLA
• “community”-based code analysis
• Monitor newsfeeds yourself
• No standard patching mechanism
• Ultimately, you are responsible

13. 13 © 2016 Black Duck Software, Inc. All Rights Reserved.
HOW ARE COMPANIES ADDRESSING
THIS TODAY? NOT WELL.
Manual tabulation
• Architectural Review Board
• End of SDLC
• High effort and low accuracy
• No controls
Spreadsheet-based inventory
• Dependent on developer best
effort or memory
• Difficult maintenance
• Not source of truth
Tracking vulnerabilities
• No single responsible entity
• Manual effort and labor intensive
• Unmanageable (11/day)
• Match applications, versions,
components, vulnerabilities
Vulnerability detection
• Run monthly/quarterly
vulnerability assessment
tools (e.g., Nessus, Nexpose)
against all applications to
identify exploitable instances

14. 14 © 2016 Black Duck Software, Inc. All Rights Reserved.
WHAT SECURITY TEAMS CAN DO

15. 15 © 2016 Black Duck Software, Inc. All Rights Reserved.
A SOFTWARE BILL OF MATERIALS SOLVES THE PROBLEM
• Components and serial
numbers
• Unique to each vehicle VIN
• Can track defective parts to
unique vehicles
• Complete analysis of open source components
• Unique to each project or application
• Security, license, and operational risk surfaced

16. 16 © 2016 Black Duck Software, Inc. All Rights Reserved.
A SOLUTION TO SOLVING THIS PROBLEM WOULD
INCLUDE THESE COMPONENTS
Choose Open
Source
Inventory
Open Source
Map Existing
Vulnerabilities
Track New
Vulnerabilities
Maintain accurate list of
open source
components throughout
the SDL
Identify
vulnerabilities during
development Alert on new
vulnerabilities and
map to applications
Proactively choose
secure, supported
open source
GUIDE VERIFY/ENFORCE MONITOR

17. 17 © 2016 Black Duck Software, Inc. All Rights Reserved.
KEY TAKEAWAYS
1. Use appropriate tools to identify bugs in the code you write
• Understand the strengths and weakness of each
2. Create and maintain an inventory (Bill of Materials) of all open
source
• Update with each build or release
3. Monitor the threat space for information on new vulnerabilities
• New vulnerabilities change your security profile
4. Patch quickly
• Attackers respond quickly, we must also

18. 18 © 2016 Black Duck Software, Inc. All Rights Reserved.
WHAT CAN YOU DO TOMORROW?
Speak with your head of
application development and find
out:
• What policies exist?
• Is there a list of components?
• How are they creating the list?
• What controls do they have to
ensure nothing gets through?
• How are they tracking
vulnerabilities for all
components over time?

19. 19 © 2016 Black Duck Software, Inc. All Rights Reserved.
7 of the top 10 Software companies,
and 44 of the top 100
6 of the top 8 Mobile handset vendors
6 of the top 10 Investment Banks
24
Countries
230
Employees
1,600Customers
27 of the Fortune 100
ABOUT BLACK DUCK
Award for
Innovation
Four Years in the “Software
500” Largest Software
Companies
Six Years in a row
for Innovation
Gartner Group
“Cool Vendor”
“Top Place to Work,”
The Boston Globe
2014