
Black Duck & IBM Present: Application Security in the Age of Open Source


Page 1: Black Duck & IBM Present: Application Security in the Age of Open Source

APPLICATION SECURITY IN THE AGE OF OPEN SOURCE

Page 2

© 2015 IBM Corporation

AGENDA

STATE OF APPLICATION SECURITY

HOLISTIC APPLICATION SECURITY SOLUTION

NEW CHALLENGES POSED BY OPEN SOURCE

Page 3

© 2015 Black Duck Software, Inc.  All Rights Reserved.

STATE OF APPLICATION SECURITY

Page 4

WEB APPLICATION VULNERABILITIES: XSS AND SQL INJECTION EXPLOITATIONS

XSS AND SQL INJECTION EXPLOITS ARE CONTINUING IN HIGH NUMBERS

Source: IBM X-Force Threat Intelligence Quarterly, 2014

APPLICATIONS - THE WEAKEST LINK IN THE IT SECURITY CHAIN

[Chart: web application vulnerabilities as a share of all disclosures, 2009 to 2013, 0% to 25%]

WEB APPLICATION VULNERABILITIES: 33% OF VULNERABILITY DISCLOSURES ARE WEB APPLICATION VULNERABILITIES

Page 5

SQL INJECTION - STILL RELIABLE FOR BREACHING APPLICATIONS

SAMPLING OF 2014 ATTACKS

[Chart: 2014 attacks by month, January to December, by attack type: XSS, Heartbleed, physical access, brute force, misconfiguration, watering hole, phishing, SQLi, DDoS, malware, undisclosed]

SQL injection accounted for 8.4% of attacks in 2014.

Source: IBM X-Force Threat Intelligence Quarterly 1Q 2015

Page 6

INVESTMENT PRIORITY - WHERE ARE YOUR “SECURITY RISKS” VS. YOUR “SPEND”?

MANY CLIENTS DO NOT PRIORITIZE APPLICATION SECURITY IN THEIR ENVIRONMENTS

[Chart: security risk vs. spending, 5% to 35%, by layer: application, data, network, human, host, physical]

SPENDING DOES NOT EQUAL RISK

Source: The State of Risk-Based Security Management, Research Study by Ponemon Institute, 2013

Page 7

APPLICATION SECURITY CHALLENGES

PACE: RAPID GROWTH IN APPLICATIONS, RELEASES AND TECHNOLOGY

• Which applications pose the biggest business risk?

• How do we test apps for security in rapid DevOps / Agile shops without slowing down the process / business?

• How do we reduce costs and catch security problems earlier in the lifecycle?

COMPLIANCE: EXTERNAL REGULATIONS AND INTERNAL POLICY REQUIREMENTS

• Where is my business risk?

• How do I set internal policy requirements for app security?

• Is my private / sensitive data exposed by apps?

• How do I check for and demonstrate application compliance?

RESOURCES: SMALL SECURITY TEAMS, LOTS OF APPLICATIONS

• How do we prioritize the work for the resources I have?

• What do we test and how do we test it?

• How do we staff and improve skills and awareness?

Page 8

OPEN SOURCE EMBRACED BY THE ENTERPRISE

OPEN SOURCE

• Needed functionality without acquisition costs

• Faster time to market

• Lower development costs

• Broad support from communities

CUSTOM CODE

• Proprietary functionality

• Core enterprise IP

• Competitive differentiation

Page 9

RISE OF OPEN SOURCE RISK

Page 10

CHANGING DEVELOPMENT ENVIRONMENT BRINGS NEW SECURITY CHALLENGES

[Chart: open source as a percentage of code base, 2010, 2014, 2018]

OPEN SOURCE AS A PERCENTAGE OF CODE BASE IS GROWING.

6000 NEW OPEN SOURCE VULNERABILITIES REPORTED SINCE 2014 (Source: National Vulnerability Database (NVD))

98% OF COMPANIES ARE USING OPEN SOURCE SOFTWARE THEY DON’T KNOW ABOUT. (Source: Black Duck)

Page 11

OPEN SOURCE HAS PASSED THE TIPPING POINT

“By 2016, Open Source Software will be included in mission-critical applications within 99% of Global 2000 enterprises.”

[Chart: number of open source projects, 2007 to 2015, 0 to 1.6 million]

Growth of open source projects accelerating.

50% will face problems because of no policy.

Page 12

WE HAVE LITTLE CONTROL OVER HOW OPEN SOURCE ENTERS THE CODE BASE

[Diagram: open source from the community flows into internally developed code, outsourced code, legacy code, reused code, supply chain code and third party code, all of which end up in the delivered code]

OPEN SOURCE CODE IS INTRODUCED IN MANY WAYS AND ABSORBED INTO FINAL CODE

Page 13

THE SHIFTING APPLICATION SECURITY THREAT LANDSCAPE

OPEN SOURCE COMPONENTS WITH KNOWN VULNERABILITIES

[Chart: new vulnerabilities in open source components per year, 2005 to 2015, 0 to 9,000]

In 2015, over 8,000 new vulnerabilities in open source components.

Source: Risk Based Security’s VulnDB

Page 14

OPEN SOURCE IS AN ATTRACTIVE TARGET

• Open source is used everywhere

• Vulnerabilities are publicized

• Easy access to source code

• Steps to exploit readily available

Page 15

WHO IS RESPONSIBLE FOR SECURITY?

COMMERCIAL CODE

• Dedicated security researchers

• Alerting and notification infrastructure

• Regular patch updates

• Dedicated support team with SLA

OPEN SOURCE CODE

• “Community”-based code analysis

• Monitor newsfeeds yourself

• No standard patching mechanism

• Ultimately, you are responsible

Page 16

HOW ARE COMPANIES MANAGING OPEN SOURCE TODAY? NOT WELL.

TRACKING VULNERABILITIES

• No single responsible entity

• Manual effort and labor intensive

• Unmanageable (11/day)

• Match applications, versions, components, vulnerabilities

SPREADSHEET INVENTORY

• Depends on developer best effort or memory

• Difficult maintenance

• Not source of truth

MANUAL TABULATION

• Architectural Review Board

• Occurs at end of SDLC

• High effort and low accuracy

• No controls

VULNERABILITY DETECTION

Run monthly/quarterly vulnerability assessment tools (e.g., Nessus, Nexpose) against all applications to identify exploitable instances

Page 17

A SOLUTION TO SOLVING THIS PROBLEM WOULD INCLUDE…

• CHOOSE OPEN SOURCE: Proactively choose secure, supported open source

• INVENTORY OPEN SOURCE: Maintain accurate list of open source components throughout the SDL

• MAP EXISTING VULNERABILITIES: Identify vulnerabilities during development

• TRACK NEW VULNERABILITIES: Alert on new vulnerabilities and map to applications

Phases: GUIDE, VERIFY/ENFORCE, MONITOR
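The three verify/monitor steps above (inventory, map existing vulnerabilities, track new ones and map them back to applications) are the part of the deck that a security team actually has to engineer. The following is an added example, not code from Black Duck or IBM: a minimal per-application bill of materials is matched against a vulnerability feed, first as a one-time audit and then incrementally, so that only advisories not seen before raise alerts. Every application name, component name, version and advisory id (ADV-0001 and so on) is constructed for the example and is not a real CVE or product.

```python
"""Inventory -> map existing vulnerabilities -> alert on new ones.

Added example, not Black Duck/IBM code. All data is constructed: advisory ids
such as ADV-0001 are placeholders, not real CVEs.
"""
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple


@dataclass(frozen=True)
class Component:
    name: str
    version: str


@dataclass(frozen=True)
class Advisory:
    advisory_id: str   # constructed placeholder id
    component: str
    introduced: str    # first affected version (inclusive)
    fixed: str         # first fixed version (exclusive); "" means no fix yet
    severity: str


def parse_version(v: str) -> Tuple[int, ...]:
    """Turn '1.2.10' into (1, 2, 10) so versions compare numerically, not as
    strings. Non-numeric suffixes like '-rc1' are dropped; good enough here."""
    parts = []
    for p in v.split("."):
        digits = "".join(ch for ch in p if ch.isdigit())
        parts.append(int(digits) if digits else 0)
    return tuple(parts)


def is_affected(comp: Component, adv: Advisory) -> bool:
    """True when introduced <= version < fixed (no upper bound if unfixed)."""
    if comp.name != adv.component:
        return False
    v = parse_version(comp.version)
    if v < parse_version(adv.introduced):
        return False
    return not adv.fixed or v < parse_version(adv.fixed)


# Constructed inventory: the per-application bill of materials that the deck
# says a spreadsheet fails to be. In practice it is generated in CI from
# manifests and lockfiles, not typed in by hand.
INVENTORY: Dict[str, List[Component]] = {
    "billing-portal": [Component("libxml-parse", "2.9.1"), Component("webframe", "4.1.0")],
    "hr-intranet": [Component("webframe", "3.8.2"), Component("imagekit", "1.0.5")],
    "mobile-api": [Component("libxml-parse", "2.9.4")],
}

# Constructed advisory feed as it looked at the time of the initial audit.
KNOWN_ADVISORIES: List[Advisory] = [
    Advisory("ADV-0001", "libxml-parse", "2.9.0", "2.9.4", "high"),
    Advisory("ADV-0002", "webframe", "3.0.0", "4.0.0", "critical"),
]

# Constructed later snapshot of the feed: one advisory already seen, one new
# advisory with no fixed version yet.
NEW_FEED: List[Advisory] = [
    Advisory("ADV-0001", "libxml-parse", "2.9.0", "2.9.4", "high"),
    Advisory("ADV-0003", "imagekit", "1.0.0", "", "medium"),
]


def map_existing_vulnerabilities(inventory, advisories) -> Dict[str, List[Tuple[str, str]]]:
    """Audit step: for each application, list (advisory id, component@version)
    pairs for every component in an affected version range."""
    findings: Dict[str, List[Tuple[str, str]]] = {}
    for app, comps in inventory.items():
        hits = [(adv.advisory_id, f"{c.name}@{c.version}")
                for c in comps for adv in advisories if is_affected(c, adv)]
        if hits:
            findings[app] = hits
    return findings


def track_new_vulnerabilities(inventory, seen_ids, feed) -> Tuple[List[str], Set[str]]:
    """Monitoring step: evaluate only advisories not seen before and map each
    hit back to the applications carrying the component. Returns the alert
    lines and the updated set of seen ids, so the caller can persist it."""
    alerts: List[str] = []
    seen = set(seen_ids)
    for adv in feed:
        if adv.advisory_id in seen:
            continue
        seen.add(adv.advisory_id)
        for app, comps in inventory.items():
            for c in comps:
                if is_affected(c, adv):
                    alerts.append(f"[{adv.severity}] {adv.advisory_id}: {app} uses {c.name}@{c.version}")
    return alerts, seen


if __name__ == "__main__":
    audit = map_existing_vulnerabilities(INVENTORY, KNOWN_ADVISORIES)
    for app, hits in audit.items():
        print(app, hits)
    alerts, _ = track_new_vulnerabilities(INVENTORY, {a.advisory_id for a in KNOWN_ADVISORIES}, NEW_FEED)
    print("\n".join(alerts))
```

The design point is that alerting depends on the inventory, not on a scanner run against deployed hosts: `mobile-api` ships the fixed 2.9.4 and is correctly silent, while the later `imagekit` advisory is attributed to `hr-intranet` the moment the feed changes, without anyone re-reading a spreadsheet.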

Page 18

NEW INTEGRATED AND SECURE DEVELOPMENT LIFECYCLE

Phases: REQUIREMENTS, DESIGN, BUILD, TEST, RELEASE

OPEN SOURCE

• OSS Security Requirements

• OSS Risk Assessment

• Guided OSS Selection

• OSS Review Board

• Broad coverage of Open Source code & snippets

• Application Criticality Ranking

• OSS Audit (Build and Test) and OSS Monitoring (Release), each providing: Timely OSS Vulnerability Identification & Reporting; Bug Severity Remediation Advice; Correlation with Bills of Material

CUSTOM CODE

• Requirements: Establish Security Requirements; Create Quality Gates; Risk Assessments

• Design: Establish Design Requirements; Analyze Attack Surface; Threat Modeling

• Build: Use Approved Tools; Deprecate Unsafe Functions; Static Analysis

• Test: Dynamic Analysis; Fuzz Testing; Attack Surface Review

• Release: Incident Response Plan; Final Security Review; Release Archive

Page 19

HOLISTIC APPLICATION SECURITY SOLUTION

Page 20

CUSTOM CODE VULNERABILITIES

Page 21

OPEN SOURCE VULNERABILITIES - BLACK DUCK

Page 22

OPEN SOURCE VULNERABILITIES

Page 23

HOLISTIC VIEW - CUSTOM AND OPEN SOURCE

Page 24

KEY TAKEAWAYS

• Application development ecosystem is changing

Open source provides an increasingly large foundation for custom code.

• Open source is here to stay (and growing)

Saves development costs and accelerates time to market.

• New paradigm requires new methodologies

Best practices for custom code continue to require automated testing.

Best practices for open source require full visibility and continuous monitoring.

Page 25

WHAT CAN YOU DO TOMORROW?

• Speak with your head of application development and find out…

What policies exist for managing open source?

Is there a list of components used in all applications?

How are they creating the list?

What controls do they have to ensure nothing gets through?

How are they tracking vulnerabilities for all components over time?

Page 26

Q&A

Page 27

Send questions to

[email protected]

Thank you