As presented by Mike Pittenger, VP of Security Strategy, at a lunch and learn on September 13, 2016.
Learn how your organization can:
* Know what's inside your code by identifying the open source you're using
* Map against known vulnerabilities and accelerate remediation efforts
* Take action to effectively secure and manage open source without impacting your agile SDLC
September 13, 2016: Security in the Age of Open Source:
1. SECURITY IN THE AGE OF OPEN SOURCE
Mike Pittenger
VP, Security Strategy
2. Open Source Embraced By The Enterprise
OPEN SOURCE
• Needed functionality without acquisition costs
• Faster time to market
• Lower development costs
• Broad support from communities
CUSTOM CODE
• Proprietary functionality
• Core enterprise IP
• Competitive differentiation
3. Open Source Changed the Way Applications are Built
[Chart: share of open source in applications over time; legend: Custom & Commercial Code, Open Source Software]
• 1998: 10% Open Source
• 2005: 20% Open Source
• 2010: 50% Open Source
• Today: up to 90% Open Source
Open Source is the modern architecture.
4. Consequences Can Be Costly When You Can’t Control What You Can’t See
• Heartbleed (OpenSSL): introduction 2011, discovery 2014
• Ghost (GNU C Library): introduction 2000, discovery 2015
• Venom (QEMU): introduction 2004, discovery 2015
• Shellshock (Bash): introduction 1989, discovery 2014
• FREAK (OpenSSL): introduction 1990's, discovery 2015
5. Why Aren’t We Finding These in Testing?
• Static analysis
  • Testing of source code or binaries for unknown security vulnerabilities in custom code
  • Advantages in buffer overflow, some types of SQL injection
  • Provides results in source code
• Dynamic analysis
  • Testing of compiled application in a staging environment to detect unknown security vulnerabilities in custom code
  • Advantages in injection errors, XSS
  • Provides results by URL, must be traced to source
• What’s Missing?
6. There Are No Silver Bullets
• Automated testing finds common vulnerabilities in the code you write
• They are good, not perfect
• Different tools work better on different classes of bugs
• Many types of bugs are undetectable except by trained security researchers
[Diagram labels: All possible security vulnerabilities; FREAK!]
7. What Do Security Testing Tools Miss?
• Static Analysis Tools and Dynamic Analysis Tools can be very effective in finding bugs in the code written by internal developers.
• HOWEVER…
• They are ineffective in finding known vulnerabilities in Open Source components
• They provide a point-in-time snapshot of security
What happens when the threat landscape changes?
8. The Threat Landscape Constantly Changes
• VulnDB (Open Source Vulnerability Database)
• In 2015, over 3,000 new vulnerabilities in open source
• Since 2004, over 74,000 vulnerabilities have been disclosed by NVD.
  • 63 reference automated tools
  • 50 of those are for vulnerabilities reported in the tools
  • 13 are for vulnerabilities that could be identified by a fuzzer
[Chart: Open Source Vulnerabilities Reported Per Year, 2000–2015, 0 to 3,500; series: NVD, VulnDB-exclusive]
9. Black Duck Open Source Security Audit Report Highlights Security & Management Challenges
10. We Have Little Control Over How Open Source Enters The Code Base
• OPEN SOURCE CODE
• INTERNAL CODE
• OUTSOURCED CODE
• LEGACY CODE
• REUSED CODE
• SUPPLY CHAIN CODE
• THIRD PARTY CODE
11. Open Source is an Attractive Target
• OPEN SOURCE IS USED EVERYWHERE
• VULNERABILITIES ARE PUBLICIZED
• EASY ACCESS TO SOURCE CODE
• STEPS TO EXPLOIT READILY AVAILABLE
12. Who’s Responsible For Security?
Commercial Code
• Dedicated security researchers
• Alerting and notification infrastructure
• Regular patch updates
• Dedicated support team with SLA
Open Source Code
• “community”-based code analysis
• Monitor newsfeeds yourself
• No standard patching mechanism
• Ultimately, you are responsible
13. Hospital Monitoring System
[Chart: cumulative unique CVEs affecting the software image, 3/15/2002 to 3/15/2014, 0 to 1,200]
• Oldest compiled component on the software image was from Dec 2001.
• Newest component on the software was compiled in Nov 2012. This indicates that it was released with at least 509 unique CVEs affecting 24 components around end of 2012 or early 2013.
• As of 2015-02-15, a total of 1094 unique CVEs affected this software via now 30 vulnerable components. That is about 0.8 new CVEs / day.
14. Smart TV Set
[Chart: cumulative unique CVEs affecting the product, 0 to 700]
• 2012 Smart TV lineup launched: Nov/Dec 2011
• One year standard warranty for parts and labor from the date of purchase
• Last firmware / SW update: Mar 2013* (approx. 178 unique CVEs affecting product at the moment of SW EoL)
• Nov 2014: security update to patch curl, openssl, flashplayer, ffmpeg, libpng and freetype
• March 1, 2015: 584 unique CVEs in 23 components; approx. 0.58 new CVEs / day over the course of 23 months
• Nov 2022: end of 100,000 hours average lifespan of LCD TV screen, i.e. 7 more years of expected operation of the LCD TV after the last update; estimated 2065 CVEs affecting product by Nov 2022 based on historic 0.58 CVEs per day
(* date may not be fully accurate, as e.g. partial OTA updates may have been delivered after this date as well; see security update on Nov 2014)
15. How are Companies Managing Open Source Today? Not Well.
TRACKING VULNERABILITIES
• No single responsible entity
• Manual effort and labor intensive
• Unmanageable (11/day)
• Match applications, versions, components, vulnerabilities
SPREADSHEET INVENTORY
• Depends on developer best effort or memory
• Difficult maintenance
• Not source of truth
MANUAL TABULATION
• Architectural Review Board
• Occurs at end of SDLC
• High effort and low accuracy
• No controls
VULNERABILITY DETECTION
• Run monthly/quarterly vulnerability assessment tools (e.g., Nessus, Nexpose) against all applications to identify exploitable instances
16. Automating Five Critical Tasks and Having a Bill of Materials Provide Distinct Advantage
1. INVENTORY Open Source Software
2. MAP Known Security Vulnerabilities
3. IDENTIFY License Compliance Risks
4. TRACK Remediation Priorities & Progress
5. ALERT New Vulnerabilities Affecting You
Visibility AND Control
17. Best Practices For Open Source
• Build and automatically enforce OSS policies
• Identify OSS components early in the SDLC
• Automatically create and maintain bills of material
• Continuously monitor threat environment for new vulnerabilities
Reqs
• OSS Policies
• Application Criticality Ranking
• OSS Risk Parameters: License Risk, Security Risk, Operational Risk
Design
• OSS Selection
• Design Review: License Risk, Security Risk, Operational Risk
Code
• OSS Detection
• Automatically detect and alert on non-conforming components
• Correlation with Bills of Material
Test
• OSS Enforcement
• Detect and alert on non-conforming components
• Correlation with Bills of Material
Release
• OSS Monitoring
• Timely OSS Vulnerability Identification & Reporting
• Bug Severity
• Remediation Advice
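The five automated tasks on the previous slide and the Code/Test/Release phases above describe a pipeline the deck never shows in code. Below is an added example, not Black Duck's code or part of the presentation, that runs INVENTORY, MAP, TRACK and ALERT over a constructed bill of materials and two snapshots of a constructed vulnerability feed; the component versions and VULN-xxxx ids are placeholders, not real advisories.

```python
"""Added example (not Black Duck's code): INVENTORY / MAP / TRACK / ALERT over
a constructed bill of materials and a constructed vulnerability feed.
Versions and VULN-xxxx ids are placeholders, not real advisories."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Vuln:
    vuln_id: str    # placeholder id such as "VULN-0001" (constructed)
    component: str  # open source component name
    fixed_in: str   # first version that carries the fix
    severity: int   # 1 (low) .. 10 (critical)


def parse_version(text):
    """Turn '1.6.20' into (1, 6, 20) so versions compare numerically."""
    return tuple(int(part) for part in text.split("."))


# INVENTORY: bill of materials as a build pipeline might emit it (constructed)
BOM = {"openssl": "1.0.1", "bash": "4.2", "libpng": "1.6.20"}

# Two snapshots of a vulnerability feed (constructed); day 2 adds one entry
FEED_DAY1 = [
    Vuln("VULN-0001", "openssl", "1.0.2", 9),
    Vuln("VULN-0002", "bash", "4.3", 10),
    Vuln("VULN-0003", "libpng", "1.6.19", 5),  # BOM already carries the fix
    Vuln("VULN-0004", "glibc", "2.18", 8),     # component not in the BOM
]
FEED_DAY2 = FEED_DAY1 + [Vuln("VULN-0005", "openssl", "1.0.3", 6)]


def map_vulnerabilities(bom, feed):
    """MAP: feed entries whose component is in the BOM below the fixed version."""
    return [v for v in feed
            if v.component in bom
            and parse_version(bom[v.component]) < parse_version(v.fixed_in)]


def remediation_priorities(findings):
    """TRACK: most severe first, so remediation effort goes where it matters."""
    return sorted(findings, key=lambda v: (-v.severity, v.component, v.vuln_id))


def new_alerts(bom, previous_feed, current_feed):
    """ALERT: findings that appeared since the last snapshot although the code
    did not change, i.e. a shift in the threat landscape, not in the build."""
    already_known = {v.vuln_id for v in previous_feed}
    return [v for v in map_vulnerabilities(bom, current_feed)
            if v.vuln_id not in already_known]


if __name__ == "__main__":
    for v in remediation_priorities(map_vulnerabilities(BOM, FEED_DAY1)):
        print(f"{v.vuln_id} {v.component} {BOM[v.component]} -> fix in {v.fixed_in} (sev {v.severity})")
    for v in new_alerts(BOM, FEED_DAY1, FEED_DAY2):
        print(f"NEW: {v.vuln_id} affects {v.component}")
```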
18. Key Takeaways
• Security testing is a good thing
  • It identifies common vulnerabilities in the code companies write
  • Different testing methodologies are better suited for different bug types
• Open Source Security isn’t covered by traditional tools
  • Monitor for open source with known vulnerabilities, early in the SDL
  • Monitor production code for new vulnerabilities
• Security testing is a point-in-time snapshot
  • New vulnerabilities may result from…
  • Changes to code can change security posture
  • Changes in the threat environment, even if the code hasn’t changed
19. About Black Duck
• 1,600 Customers, including 27 of the Fortune 100
• 7 of the top 10 Software companies, and 44 of the top 100
• 6 of the top 8 Mobile handset vendors
• 6 of the top 10 Investment Banks
• 250+ Employees in 24 Countries
• Gartner Group “Cool Vendor”
• “Top Place to Work,” The Boston Globe
• Four Years in the “Software 500” Largest Software Companies
• Award for Innovation, six years in a row (2014)
20. Flight16 – Black Duck Conference
Join us on October 4th – 6th for Flight16, Black Duck’s inaugural customer conference at the Seaport Hotel & World Trade Center in Boston, MA.
• 2 ½ days focused on providing you with a fresh perspective on today’s security threat landscape and helping you more effectively secure and manage open source.
• Three conference tracks
• Technology, Security, & Legal/Compliance
• One-on-one sessions with Black Duck experts
• Inspiring keynotes with
• Defense Intelligence Agency Director General Michael Flynn
• Cigital CTO Gary McGraw
• Black Duck CEO Lou Shipley
• Use code BOSTONLUNCH to register for free before September 16th.