APPLICATION SECURITY IN THE AGE OF OPEN SOURCE
© 2015 IBM Corporation
AGENDA
STATE OF APPLICATION SECURITY
HOLISTIC APPLICATION SECURITY SOLUTION
NEW CHALLENGES POSED BY OPEN SOURCE
© 2015 Black Duck Software, Inc. All Rights Reserved.
STATE OF APPLICATION SECURITY
APPLICATIONS - THE WEAKEST LINK IN THE IT SECURITY CHAIN
XSS AND SQL INJECTION EXPLOITATIONS
XSS AND SQL INJECTION EXPLOITS ARE CONTINUING IN HIGH NUMBERS
Source: IBM X-Force Threat Intelligence Quarterly, 2014
WEB APPLICATION VULNERABILITIES
[Chart: web application vulnerabilities as a percentage of all vulnerability disclosures, 2009 to 2013]
33% OF VULNERABILITY DISCLOSURES ARE WEB APPLICATION VULNERABILITIES
SQL INJECTION - STILL RELIABLE FOR BREACHING APPLICATIONS
SAMPLING OF 2014 ATTACKS
[Chart: 2014 attacks by month (January to December) and attack type: XSS, Heartbleed, physical access, brute force, misconfiguration, watering hole, phishing, SQLi, DDoS, malware, undisclosed]
SQL injection accounted for 8.4% of attacks in 2014.
Source: IBM X-Force Threat Intelligence Quarterly 1Q 2015
INVESTMENT PRIORITY - WHERE ARE YOUR “SECURITY RISKS” VS. YOUR “SPEND”
MANY CLIENTS DO NOT PRIORITIZE APPLICATION SECURITY IN THEIR ENVIRONMENTS
[Chart: security risk vs. security spending by layer: application, data, network, human, host, physical]
SPENDING DOES NOT EQUAL RISK
Source: The State of Risk-Based Security Management, Research Study by Ponemon Institute, 2013
APPLICATION SECURITY CHALLENGES
PACE: RAPID GROWTH IN APPLICATIONS, RELEASES AND TECHNOLOGY
• Which applications pose the biggest business risk?
• How do we test apps for security in rapid DevOps / Agile shops without slowing down the process / business?
• How do we reduce costs and catch security problems earlier in the lifecycle?
COMPLIANCE: EXTERNAL REGULATIONS AND INTERNAL POLICY REQUIREMENTS
• Where is my business risk?
• How do I set internal policy requirements for app security?
• Is my private / sensitive data exposed by apps?
• How do I check for and demonstrate application compliance?
RESOURCES: SMALL SECURITY TEAMS, LOTS OF APPLICATIONS
• How do we prioritize the work for the resources I have?
• What do we test and how do we test it?
• How do we staff and improve skills and awareness?
OPEN SOURCE EMBRACED BY THE ENTERPRISE
OPEN SOURCE
• Needed functionality without acquisition costs
• Faster time to market
• Lower development costs
• Broad support from communities
CUSTOM CODE
• Proprietary functionality
• Core enterprise IP
• Competitive differentiation
RISE OF OPEN SOURCE RISK
CHANGING DEVELOPMENT ENVIRONMENT BRINGS NEW SECURITY CHALLENGES
[Chart: open source as a percentage of code base, 2010 to 2018]
OPEN SOURCE AS A PERCENTAGE OF CODE BASE IS GROWING.
6000 NEW OPEN SOURCE VULNERABILITIES REPORTED SINCE 2014. SOURCE: NATIONAL VULNERABILITY DATABASE (NVD)
98% OF COMPANIES ARE USING OPEN SOURCE SOFTWARE THEY DON’T KNOW ABOUT. SOURCE: BLACK DUCK
OPEN SOURCE HAS PASSED THE TIPPING POINT
“By 2016, Open Source Software will be included in mission-critical applications within 99% of Global 2000 enterprises.”
[Chart: number of open source projects in millions, 2007 to 2015]
Growth of open source projects accelerating.
50%: will face problems because of no policy.
WE HAVE LITTLE CONTROL OVER HOW OPEN SOURCE ENTERS THE CODE BASE
OPEN SOURCE CODE IS INTRODUCED IN MANY WAYS AND ABSORBED INTO FINAL CODE
[Diagram: code from the open source community reaches delivered code through internally developed code, outsourced code, legacy code, reused code, supply chain code and third party code]
THE SHIFTING APPLICATION SECURITY THREAT LANDSCAPE
OPEN SOURCE COMPONENTS WITH KNOWN VULNERABILITIES
[Chart: new vulnerabilities in open source components per year, 2005 to 2015, scale 0 to 9,000]
In 2015, over 8,000 new vulnerabilities in open source components.
Source: Risk Based Security’s VulnDB
OPEN SOURCE IS AN ATTRACTIVE TARGET
• OPEN SOURCE IS USED EVERYWHERE
• VULNERABILITIES ARE PUBLICIZED
• EASY ACCESS TO SOURCE CODE
• STEPS TO EXPLOIT READILY AVAILABLE
WHO IS RESPONSIBLE FOR SECURITY?
COMMERCIAL CODE
• DEDICATED SECURITY RESEARCHERS
• ALERTING AND NOTIFICATION INFRASTRUCTURE
• REGULAR PATCH UPDATES
• DEDICATED SUPPORT TEAM WITH SLA
OPEN SOURCE CODE
• “COMMUNITY”-BASED CODE ANALYSIS
• MONITOR NEWSFEEDS YOURSELF
• NO STANDARD PATCHING MECHANISM
• ULTIMATELY, YOU ARE RESPONSIBLE
HOW ARE COMPANIES MANAGING OPEN SOURCE TODAY? NOT WELL.
TRACKING VULNERABILITIES
• No single responsible entity
• Manual effort and labor intensive
• Unmanageable (11/day)
• Match applications, versions, components, vulnerabilities
SPREADSHEET INVENTORY
• Depends on developer best effort or memory
• Difficult maintenance
• Not source of truth
MANUAL TABULATION
• Architectural Review Board
• Occurs at end of SDLC
• High effort and low accuracy
• No controls
VULNERABILITY DETECTION
Run monthly/quarterly vulnerability assessment tools (e.g., Nessus, Nexpose) against all applications to identify exploitable instances
A SOLUTION TO SOLVING THIS PROBLEM WOULD INCLUDE THESE COMPONENTS
• CHOOSE OPEN SOURCE: Proactively choose secure, supported open source
• INVENTORY OPEN SOURCE: Maintain accurate list of open source components throughout the SDL
• MAP EXISTING VULNERABILITIES: Identify vulnerabilities during development
• TRACK NEW VULNERABILITIES: Alert on new vulnerabilities and map to applications
GUIDE / VERIFY/ENFORCE / MONITOR
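As an added example (not code from the IBM/Black Duck deck), the inventory, mapping and tracking components above in Python: a constructed per-application bill of materials is matched against constructed advisories with affected version ranges, and a monitoring pass reports only findings whose advisory has not been triaged yet. Application names, component names, versions and advisory ids are all made up placeholders.

```python
"""Added example: correlate a per-application open source inventory (bill of
materials) with vulnerability advisories, and alert only on new findings."""

# Constructed sample inventory: application -> [(component, version), ...].
BOM = {
    "billing-web": [("libfoo", "1.2.3"), ("parserkit", "0.9.1")],
    "reports-api": [("libfoo", "1.4.0"), ("parserkit", "0.9.1")],
}

# Constructed sample advisories (placeholder ids, not real CVEs). Affected
# versions form the half-open range [introduced, fixed).
ADVISORIES = [
    {"id": "ADV-0001", "component": "libfoo", "introduced": "1.0.0",
     "fixed": "1.3.0", "severity": "high"},
    {"id": "ADV-0002", "component": "parserkit", "introduced": "0.0.0",
     "fixed": "1.0.0", "severity": "medium"},
]

def parse_version(text):
    """Dotted numeric version -> comparable tuple, so '1.10' > '1.9'.
    Assumes plain numeric components (no pre-release tags)."""
    return tuple(int(part) for part in text.split("."))

def is_affected(version, advisory):
    """True when version falls inside the advisory's affected range."""
    v = parse_version(version)
    return parse_version(advisory["introduced"]) <= v < parse_version(advisory["fixed"])

def correlate(bom, advisories):
    """Map every advisory to each application shipping an affected version.
    Returns (app, component, version, advisory id, severity) tuples."""
    findings = []
    for app, components in bom.items():
        for name, version in components:
            for adv in advisories:
                if adv["component"] == name and is_affected(version, adv):
                    findings.append((app, name, version, adv["id"], adv["severity"]))
    return findings

def new_findings(bom, advisories, triaged_ids):
    """Monitoring pass: re-run correlation as advisories arrive and report only
    findings whose advisory id has not already been triaged."""
    return [f for f in correlate(bom, advisories) if f[3] not in triaged_ids]

if __name__ == "__main__":
    for app, name, version, adv_id, severity in new_findings(BOM, ADVISORIES, set()):
        print(f"{severity:6} {adv_id} {app}: {name} {version}")
```

Version-range matching is the fragile step in practice: the same advisory must be re-evaluated against every application's pinned version, which is exactly what a hand-maintained spreadsheet cannot do at 11 new vulnerabilities a day.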
NEW INTEGRATED AND SECURE DEVELOPMENT LIFECYCLE
REQUIREMENTS
  Open source: OSS Security Requirements; OSS Risk Assessment
  Custom code: Establish Security Requirements; Create Quality Gates; Risk Assessments
DESIGN
  Open source: Guided OSS Selection; OSS Review Board (broad coverage of open source code & snippets; application criticality ranking)
  Custom code: Establish Design Requirements; Analyze Attack Surface; Threat Modeling
BUILD
  Open source: OSS Audit (timely OSS vulnerability identification & reporting; bug severity remediation advice; correlation with bills of material)
  Custom code: Use Approved Tools; Deprecate Unsafe Functions; Static Analysis
TEST
  Open source: OSS Audit (timely OSS vulnerability identification & reporting; bug severity remediation advice; correlation with bills of material)
  Custom code: Dynamic Analysis; Fuzz Testing; Attack Surface Review
RELEASE
  Open source: OSS Monitoring (timely OSS vulnerability identification & reporting; bug severity remediation advice; correlation with bills of material)
  Custom code: Incident Response Plan; Final Security Review; Release Archive
HOLISTIC APPLICATION SECURITY SOLUTION
CUSTOM CODE VULNERABILITIES
OPEN SOURCE VULNERABILITIES - BLACK DUCK
OPEN SOURCE VULNERABILITIES
HOLISTIC VIEW - CUSTOM AND OPEN SOURCE
KEY TAKEAWAYS
• Application development ecosystem is changing
  Open source provides an increasingly large foundation for custom code.
• Open source is here to stay (and growing)
  Saves development costs and accelerates time to market.
• New paradigm requires new methodologies
  Best practices for custom code continue to require automated testing.
  Best practices for open source require full visibility and continuous monitoring.
WHAT CAN YOU DO TOMORROW?
• Speak with your head of application development and find out…
  What policies exist for managing open source?
  Is there a list of components used in all applications?
  How are they creating the list?
  What controls do they have to ensure nothing gets through?
  How are they tracking vulnerabilities for all components over time?
Q&A