Ce diaporama a bien été signalé.
Nous utilisons votre profil LinkedIn et vos données d’activité pour vous proposer des publicités personnalisées et pertinentes. Vous pouvez changer vos préférences de publicités à tout moment.
snyk.io Stranger Danger Guy Podjarny, Snyk @guypod
snyk.io Open Source Is Awesome Share Your Work Reuse What Others Built Focus on Creating Your Own New Thing
snyk.io Open Source Usage 
 Has Exploded
snyk.io 78% of Enterprises
 use Open Source
snyk.io Is Security a Concern 
 When Adopting OSS? Number 1 concern: 13% Number 2 concern: 29% Number 3 concern: 21% (Tota...
snyk.io Open Source != Closely Inspected
snyk.io Open Source != Secure Open Source != Insecure Either!
snyk.io Heartbleed
snyk.io Shellshock
snyk.io Logjam
snyk.io Open Source is 
 Less Tested For Security OS Project Owners not aware/budgeted for security OS consumers not engag...
snyk.io Attackers Are 
 Targeting Open Source One vulnerability, many victims
snyk.io How Do We Consume OSS?
snyk.io 2000: 
 Select Open Source Providers Apache, Linux, IBM, OpenSSL…
snyk.io 2015: 
 Open Source Marketplaces Everybody is a provider
snyk.io Ubuntu apt:
 ~54,000 packages 
 (trusty/LTS 14)
snyk.io Docker Hub:
 ~150,000 repos 
 ~150M pulls (to-date)
snyk.io Node.js npm:
 ~250,000 packages 
 ~10M downloads/day
snyk.io Your App
snyk.io Your Code Your App
snyk.io Each Dependency Is A Security Risk
snyk.io Do You Know 
 Which Dependencies 
 You Have?
snyk.io Do you know, for 
 EVERY SINGLE DEPENDENCY if its developers have any Security Expertise?
snyk.io Do you know, for 
 EVERY SINGLE DEPENDENCY if it went through any Security Testing?
snyk.io Do you know, for 
 EVERY SINGLE DEPENDENCY if it has Known Vulnerabilities?
snyk.io ~30% 
 of Docker Hub images carry 
 Known Vulnerabilities High Priority known vulnerabilites, to be exact Source: ...
snyk.io ~14% 
 of npm Packages Carry 
 Known Vulnerabilities ~80% of Snyk users found vulns in their apps Source: Snyk dat...
snyk.io ~59% of Reported Vulnerabilities 
 in Maven Packages
 Remain Unfixed Mean Time to Repair: 390 days MTTR for CVSS 10...
snyk.io Do You Have Known Vulnerabilities In Your Code? Do you even know?
snyk.io What Can You Do?
snyk.io Not Use Third Parties
snyk.io Third Party
 Binaries Third Party
 Code
snyk.io 1. Track & Update Your Dep’s
snyk.io Aptitude-based (Ubuntu, Debian, etc): dpkg -l RPM-based (Fedora, RHEL, etc): rpm -qa pkg*-based (OpenBSD, FreeBSD,...
snyk.io Node/Ruby
 npm/bundle outdated Track Outdated Code
 (command line) Python pip list --outdated Java Maven Dep's Plu...
snyk.io Track Outdated Code
 (SaaS) GreenKeeper (Node.js)
 Gemnasium (Ruby) Requires.io (Python)
 Libraries.io (all)
snyk.io 1. Know What You’re Using 2. Drop What You Don’t Need
snyk.io Find Unused Binaries
 (sort by last use date) Ubuntu
 UnusedPkg Fedora rpmusage
snyk.io Find Unused Code
 (show unreferenced packages) Node.js depcheck Ruby
 gem stale Java Maven Dep's Plugin
snyk.io 1. Know What You’re Using 2. Drop What You Don’t Need
 3. Find & Fix Current Vulns
snyk.io Find Known Vulnerabilities
 in Binaries
 (by checking security updates) Ubuntu usn
 Auto Sec Updates Fedora yum se...
snyk.io Find Known Vulnerabilities
 in Code
 (Looking in vuln DB, upgrade to fix) Client Side JS RetireJS Ruby rubysec Java...
snyk.io Find & Fix
 Known Vulnerabilities
 in npm dep’s
snyk.io To Fix, Upgrade Could be hard for indirect dependencies
snyk.io Can’t Upgrade? You can: - Drop The Dependency - Apply a security patch - Prevent Exploits via WAF rules
snyk.io Test for Known Vulnerabilities
 in Build (CI)& Deploys (CD)
snyk.io 1. Know What You’re Using 2. Drop What You Don’t Need
 3. Find & Fix Current Vulns
 4. Monitor For New Vulns
snyk.io Newly Disclosed Vulnerabilities 
 Are Found On Old Code
snyk.io Register to Security Alerts Platform Specific Ubuntu
 Node.js
 OpenSSL
 (your vendor sec list) Broad Lists US-CERT
...
snyk.io Snyk Monitor
snyk.io 1. Know What You’re Using 2. Drop What You Don’t Need
 3. Find & Fix Current Vulns
 4. Monitor For New Vulns 5. St...
snyk.io The Risk Doesn’t End with
 Known Vulnerabilities
snyk.io Your Code Your App
snyk.io npm has 65,000+ publishers
snyk.io Do you know, for 
 EVERY SINGLE CONTRIBUTOR if they’ve been… Compromised?
snyk.io Developers are targeted as a 
 Distribution Channel Ex: iOS Malware via Xcode Ghost
snyk.io Do you know, for 
 EVERY SINGLE CONTRIBUTOR if they are… MALICIOUS?
snyk.io Open Source Maintenance is… complicated.
snyk.io If one component was evil, Would you know?
snyk.io Isolate each system
snyk.io use low-privilege users
snyk.io Monitor Outbound Communication
snyk.io Don’t Trust Your Own App To the extent you can…
snyk.io Stay Alert
snyk.io 1. Know What You’re Using 2. Drop What You Don’t Need
 3. Find & Fix Current Vulns
 4. Monitor For New Vulns 5. St...
snyk.io Open Source Is Awesome
snyk.io Open Source Is Awesome Please Enjoy Responsibly Questions? Guy Podjarny, Snyk @guypod
Prochain SlideShare
Chargement dans…5
×
Technologie
1 395 vues
4 mar. 2016

Stranger Danger: Securing Third Party Components (Tech2020)

Building software today involves more assembly than actual coding. Much of our code is in fact pulled in open source packages, and the applications heavily rely on surrounding third party binaries. These third parties make us more productive - but they also introduce an enormous risk. Each third party component is a potential source of vulnerabilities or malicious code, each third party service a potential door into our system.

This talk contains more information about this risk, create a framework for digesting and tackling it, and lists a myriad of tools that can help.

no profile picture user

  • Identifiez-vous pour voir les commentaires

Stranger Danger: Securing Third Party Components (Tech2020)

  1. 1. snyk.io Stranger Danger Guy Podjarny, Snyk @guypod
  2. 2. snyk.io Open Source Is Awesome Share Your Work Reuse What Others Built Focus on Creating Your Own New Thing
  3. 3. snyk.io Open Source Usage 
 Has Exploded
  4. 4. snyk.io 78% of Enterprises
 use Open Source
  5. 5. snyk.io Is Security a Concern 
 When Adopting OSS? Number 1 concern: 13% Number 2 concern: 29% Number 3 concern: 21% (Total: 63%) Source: Wipro
  6. 6. snyk.io Open Source != Closely Inspected
  7. 7. snyk.io Open Source != Secure Open Source != Insecure Either!
  8. 8. snyk.io Heartbleed
  9. 9. snyk.io Shellshock
  10. 10. snyk.io Logjam
  11. 11. snyk.io Open Source is 
 Less Tested For Security OS Project Owners not aware/budgeted for security OS consumers not engaged/aware of code
  12. 12. snyk.io Attackers Are 
 Targeting Open Source One vulnerability, many victims
  13. 13. snyk.io How Do We Consume OSS?
  14. 14. snyk.io 2000: 
 Select Open Source Providers Apache, Linux, IBM, OpenSSL…
  15. 15. snyk.io 2015: 
 Open Source Marketplaces Everybody is a provider
  16. 16. snyk.io Ubuntu apt:
 ~54,000 packages 
 (trusty/LTS 14)
  17. 17. snyk.io Docker Hub:
 ~150,000 repos 
 ~150M pulls (to-date)
  18. 18. snyk.io Node.js npm:
 ~250,000 packages 
 ~10M downloads/day
  19. 19. snyk.io Your App
  20. 20. snyk.io Your Code Your App
  21. 21. snyk.io Each Dependency Is A Security Risk
  22. 22. snyk.io Do You Know 
 Which Dependencies 
 You Have?
  23. 23. snyk.io Do you know, for 
 EVERY SINGLE DEPENDENCY if its developers have any Security Expertise?
  24. 24. snyk.io Do you know, for 
 EVERY SINGLE DEPENDENCY if it went through any Security Testing?
  25. 25. snyk.io Do you know, for 
 EVERY SINGLE DEPENDENCY if it has Known Vulnerabilities?
  26. 26. snyk.io ~30% 
 of Docker Hub images carry 
 Known Vulnerabilities High Priority known vulnerabilites, to be exact Source: BanyanOps Analysis
  27. 27. snyk.io ~14% 
 of npm Packages Carry 
 Known Vulnerabilities ~80% of Snyk users found vulns in their apps Source: Snyk data, Mar 2016
  28. 28. snyk.io ~59% of Reported Vulnerabilities 
 in Maven Packages
 Remain Unfixed Mean Time to Repair: 390 days MTTR for CVSS 10: 265 days Source: Josh Corman & Dan Geer
  29. 29. snyk.io Do You Have Known Vulnerabilities In Your Code? Do you even know?
  30. 30. snyk.io What Can You Do?
  31. 31. snyk.io Not Use Third Parties
  32. 32. snyk.io Third Party
 Binaries Third Party
 Code
  33. 33. snyk.io 1. Track & Update Your Dep’s
  34. 34. snyk.io Aptitude-based (Ubuntu, Debian, etc): dpkg -l RPM-based (Fedora, RHEL, etc): rpm -qa pkg*-based (OpenBSD, FreeBSD, etc): pkg_info Portage-based (Gentoo, etc): equery list or eix -I pacman-based (Arch Linux, etc): pacman -Q Cygwin: cygcheck --check-setup --dump-only * Slackware: slapt-get --installed http://unix.stackexchange.com/questions/20979/how-do-i-list-all-installed-programs Tracking Outdated Binaries
  35. 35. snyk.io Node/Ruby
 npm/bundle outdated Track Outdated Code
 (command line) Python pip list --outdated Java Maven Dep's Plugin
  36. 36. snyk.io Track Outdated Code
 (SaaS) GreenKeeper (Node.js)
 Gemnasium (Ruby) Requires.io (Python)
 Libraries.io (all)
  37. 37. snyk.io 1. Know What You’re Using 2. Drop What You Don’t Need
  38. 38. snyk.io Find Unused Binaries
 (sort by last use date) Ubuntu
 UnusedPkg Fedora rpmusage
  39. 39. snyk.io Find Unused Code
 (show unreferenced packages) Node.js depcheck Ruby
 gem stale Java Maven Dep's Plugin
  40. 40. snyk.io 1. Know What You’re Using 2. Drop What You Don’t Need
 3. Find & Fix Current Vulns
  41. 41. snyk.io Find Known Vulnerabilities
 in Binaries
 (by checking security updates) Ubuntu usn
 Auto Sec Updates Fedora yum security Auto Sec Updates
  42. 42. snyk.io Find Known Vulnerabilities
 in Code
 (Looking in vuln DB, upgrade to fix) Client Side JS RetireJS Ruby rubysec Java OWASP Dep's Check
  43. 43. snyk.io Find & Fix
 Known Vulnerabilities
 in npm dep’s
  44. 44. snyk.io To Fix, Upgrade Could be hard for indirect dependencies
  45. 45. snyk.io Can’t Upgrade? You can: - Drop The Dependency - Apply a security patch - Prevent Exploits via WAF rules
  46. 46. snyk.io Test for Known Vulnerabilities
 in Build (CI)& Deploys (CD)
  47. 47. snyk.io 1. Know What You’re Using 2. Drop What You Don’t Need
 3. Find & Fix Current Vulns
 4. Monitor For New Vulns
  48. 48. snyk.io Newly Disclosed Vulnerabilities 
 Are Found On Old Code
  49. 49. snyk.io Register to Security Alerts Platform Specific Ubuntu
 Node.js
 OpenSSL
 (your vendor sec list) Broad Lists US-CERT
 NVD OSVDB
  50. 50. snyk.io Snyk Monitor
  51. 51. snyk.io 1. Know What You’re Using 2. Drop What You Don’t Need
 3. Find & Fix Current Vulns
 4. Monitor For New Vulns 5. Stay Alert
  52. 52. snyk.io The Risk Doesn’t End with
 Known Vulnerabilities
  53. 53. snyk.io Your Code Your App
  54. 54. snyk.io npm has 65,000+ publishers
  55. 55. snyk.io Do you know, for 
 EVERY SINGLE CONTRIBUTOR if they’ve been… Compromised?
  56. 56. snyk.io Developers are targeted as a 
 Distribution Channel Ex: iOS Malware via Xcode Ghost
  57. 57. snyk.io Do you know, for 
 EVERY SINGLE CONTRIBUTOR if they are… MALICIOUS?
  58. 58. snyk.io Open Source Maintenance is… complicated.
  59. 59. snyk.io If one component was evil, Would you know?
  60. 60. snyk.io Isolate each system
  61. 61. snyk.io use low-privilege users
  62. 62. snyk.io Monitor Outbound Communication
  63. 63. snyk.io Don’t Trust Your Own App To the extent you can…
  64. 64. snyk.io Stay Alert
  65. 65. snyk.io 1. Know What You’re Using 2. Drop What You Don’t Need
 3. Find & Fix Current Vulns
 4. Monitor For New Vulns 5. Stay Alert
  66. 66. snyk.io Open Source Is Awesome
  67. 67. snyk.io Open Source Is Awesome Please Enjoy Responsibly Questions? Guy Podjarny, Snyk @guypod

×