Embed Size (px)
Citation preview
SECURITY IN THE AGE OF OPEN
SOURCEMike Pittenger
VP, Security Strategy
Open Source Embraced By The Enterprise
OPEN SOURCE• Needed functionality without
acquisition costs• Faster time to market• Lower development costs• Broad support from
communities
CUSTOM CODE• Proprietary functionality• Core enterprise IP• Competitive differentiation
OPEN SOURCE
CUSTOM CODE
Open Source Changed the Way Applications are Built
10% Open Source
20% Open Source
50% Open Source
Up to 90% Open Source
1998 2005 2010 TODAY
Open Source is the modern architecture
Custom & Commercial CodeOpen Source Software
Consequences Can Be Costly When You Can’t Control What You Can’t See
OpenSSLIntroduction: 2011Discovery: 2014
HeartbleedGNU C LibraryIntroduction: 2000Discovery: 2015
GhostQEMUIntroduction: 2004Discovery: 2015
VenomBashIntroduction: 1989Discovery: 2014
ShellshockOpenSSLIntroduction: 1990'sDiscovery: 2015
Freak
FREAK!
• Static analysis• Testing of source code or binaries for unknown security
vulnerabilities in custom code• Advantages in buffer overflow, some types of SQL
injection• Provides results in source code
• Dynamic analysis• Testing of compiled application in a staging
environment to detect unknown security vulnerabilities in custom code
• Advantages in injection errors, XSS• Provides results by URL, must be traced to source
• What’s Missing?
Why Aren’t We Finding These in Testing?
• Automated testing finds common vulnerabilities in the code you write• They are good, not perfect• Different tools work better on different classes
of bugs• Many types of bugs are undetectable except
by trained security researchers
There Are No Silver Bullets
All possible security
vulnerabilities
FREAK!
Identifiable with Static
Analysis
Identifiable with
Dynamic Analysis
• Static Analysis Tools and Dynamic Analysis Tools can be very effective in finding bugs in the code written by internal developers.• HOWEVER…• They are ineffective in finding known vulnerabilities in Open Source
components• They provide a point-in-time snapshot of security
What happens when the threat landscape changes?
What Do Security Testing Tools Miss?
The Threat Landscape Constantly Changes
• VulnDB (Open Source Vulnerability Database)• In 2015, over 3,000 new vulnerabilities in open source
• Since 2004, over 74,000 vulnerabilities have been disclosed by NVD. • 63 reference automated tools• 50 of those are for vulnerabilities reported in the tools• 13 are for vulnerabilities that could be identified by a fuzzer
2000 2001 2002 2003 2004 2005 2006 2007 2008 2009 2010 2011 2012 2013 2014 20150500
100015002000250030003500
Open Source Vulnerabilities Reported Per Year
nvd vulndb-exclusive
Black Duck Open Source Security Audit Report Highlights Security & Management Challenges
OPEN SOURCE CODE
INTERNAL CODE
OUTSOURCED CODE
LEGACY CODE
REUSED CODE
SUPPLY CHAIN CODE
THIRD PARTY CODE
We Have Little Control Over How Open Source Enters The Code Base
Open Source is an Attractive Target
OPEN SOURCE IS USED EVERYWHERE
VULNERABILITIES ARE PUBLICIZEDEASY ACCESS TO SOURCE CODE
STEPS TO EXPLOIT READILY AVAILABLE
Who’s Responsible For Security?
Commercial Code Open Source Code
• Dedicated security researchers• Alerting and notification
infrastructure• Regular patch updates• Dedicated support team with
SLA
• “community”-based code analysis• Monitor newsfeeds yourself• No standard patching mechanism• Ultimately, you are responsible
0
200
400
600
800
1000
1200
Newest component on software was compiled in Nov 2012. This
indicatesThat it was released with at least
509unique CVEs affecting 24
componentsaround end of 2012 or early
2013.
As of 2015-02-15 total of 1094 unique CVEs
affected this software via now 30 vulnerable
components. That is about 0.8 new CVEs / day .
Oldest compiled componenton the software image was from Dec 2001
Hospital Monitoring System
Smart TV Set
6/1/20
11
7/9/201
1
8/16/2
011
9/23/2
011
10/31
/2011
12/8/
2011
1/15/2
012
2/22/20
12
3/31/20
12
5/8/20
12
6/15/2
012
7/23/2
012
8/30/2
012
10/7/
2012
11/14
/2012
12/22/2
012
1/29/2
013
3/8/20
13
4/15/2
013
5/23/2
013
6/30/20
13
8/7/20
13
9/14/2
013
10/22
/2013
11/29
/2013
1/6/20
14
2/13/20
14
3/23/2
014
4/30/2
014
6/7/201
4
7/15/2
014
8/22/20
14
9/29/20
14
11/6/
2014
12/14
/2014
1/21/2
015
0
100
200
300
400
500
600
700
11/1/
2022
March 1, 2015: 584 unique CVEs in 23 components
2012 Smart TV lineuplaunched: Nov/Dec 2011
Approx. 0.58 new CVEs / dayover the course of 23
months
(* date may not be fully accurate, as e.g. partial OTA updates may have been delivered after this date as well ( see sec. update on Nov 2014)
One year standardwarranty for partsand labor from thedate of purchase
7 years
Last firmware / SW update: Mar 2013 (*Approx. 178 unique CVEs affecting product at the moment of SW EoL)
Nov
2014
: sec
urity
upd
ate
to
patc
h cu
rl, o
pens
sl, fl
ash
play
er, ff
mpe
g , l
ibpn
g an
d fre
etyp
e
Nov 2022. End of 100.000 hours
average lifespan of LCD TV screen.
7 more years of expected operation of the LCD TV
(based on 100,000 hours average lifespan)
Estimated 2065 CVEs affecting Product by Nov
2022 based on historic 0.58 CWEs per day
How are Companies Managing Open Source Today? Not Well.
TRACKING VULNERABILITIES• No single responsible entity• Manual effort and labor intensive• Unmanageable (11/day)• Match applications, versions,
components, vulnerabilities
SPREADSHEET INVENTORY• Depends on developer best effort or
memory• Difficult maintenance• Not source of truth
MANUAL TABULATION• Architectural Review Board• Occurs at end of SDLC• High effort and low accuracy• No controls
VULNERABILITY DETECTIONRun monthly/quarterly vulnerability assessment tools (e.g., Nessus, Nexpose) against all applications to identify exploitable instances
Automating Five Critical Tasks and Having a Bill of Materials Provide Distinct Advantage
INVENTORYOpen
Source Software
MAPKnown
Security Vulnerabiliti
es
IDENTIFTYLicense
Compliance Risks
TRACKRemediation Priorities & Progress
ALERTNew
Vulnerabilities Affecting You
Visibility AND Control
1 2 3 4 5
Best Practices For Open Source
• Build and automatically enforce OSS policies• Identify OSS components early in the SDLC• Automatically create and maintain bills of material• Continuously monitor threat environment for new
vulnerabilitiesReqs• OSS Policies• Application
Criticality Ranking• OSS Risk
Parameters• License Risk• Security Risk• Operational Risk
Design• OSS Selection• Design Review• License Risk• Security Risk• Operational Risk
Code• OSS Detection• Automatically
detect and alert on non-conforming components
• Correlation with Bills of Material
Test• OSS Enforcement• Detect and alert on
non-conforming components
• Correlation with Bills of Material
Release• OSS Monitoring• Timely OSS
Vulnerability Identification & Reporting
• Bug Severity • Remediation Advice
Key Takeaways• Security testing is a good thing• It identifies common vulnerabilities in the code
companies write• Different testing methodologies are better suited for
different bug types• Open Source Security isn’t covered by traditional
tools• Monitor for open source with known vulnerabilities,
early in the SDL• Monitor production code for new vulnerabilities
• Security testing is a point-in-time snapshot• New vulnerabilities may result from…
• Changes to code can change security posture• Changes in the threat environment, even if the code hasn’t
changed
7 of the top 10 Software companies, and 44 of the top 100
6 of the top 8 Mobile handset vendors
6 of the top 10 Investment Banks
24Countries
250+Employees
1,600Customers
27 of the Fortune 100
About Black Duck
Award for Innovation
Gartner Group “Cool
Vendor”
“Top Place to Work,”
The Boston Globe
Four Years in the “Software 500” Largest
Software Companies
Six Years in a row for
Innovation
2014
Flight16 – Black Duck Conference Join us on October 4th – 6th for Flight16, Black Duck’s inaugural customer conference at the Seaport Hotel & World Trade Center in Boston, MA.• 2 ½ days focused on providing you with a fresh perspective on today’s security
threat landscape and helping you more effectively secure and manage open source.
• Three conference tracks• Technology, Security, & Legal/Compliance
• One-on-one sessions with Black Duck experts• Inspiring keynotes with
• Defense Intelligence Agency Director General Michael Flynn• Cigital CTO Gary McGraw• Black Duck CEO Lou Shipley
• Use code BOSTONLUNCH to register for free before September 16th.
