Security Software Supply Chain: Is What You See What You Get?
Start Time: 9 am US Pacific / 12 noon US Eastern / 5 pm London Time
#ISSAWebConf
Welcome: Conference Moderator
Mark Kadrich, Chief Information Security & Privacy Officer, San Diego Health Connect
03/22/2016
Speaker Introduction
• Derek Weeks, VP and Rugged DevOps Advocate, Sonatype
• Jonathan Knudsen, Cybersecurity Engineer, Synopsys
• Michael Angelo, CRISC, CISSP
• Henrik Plate, Senior Security Researcher, SAP SE
To ask a question: Type in your question in the Chat area of your screen. You may need to click on the double arrows to open this function.
Illusions of Control: Security and Your Software Supply Chain
Derek E. Weeks, VP and Rugged DevOps Advocate, Sonatype (@WeeksTweets)
We all have a SOFTWARE SUPPLY CHAIN:
• highest quality parts
• fewest and best suppliers
• visibility and traceability
[Chart: Open Source Download Requests per year, 2007 to 2015, growing from 500M to 31B]
How Dependent on 3rd Parties Are We?
Typical Application: 10% Custom Written Code, 90% From 3rd Parties (Open Source, Cloud Services, Closed Source)
AUTOMATE AUTOMATE AUTOMATE
CHANGE: Typical component is updated 3-4X per year.
Suppliers Serving Manufacturers: 136,249 SUPPLIERS, 1,286,732 OSS COMPONENTS, 11 MILLION OSS USERS
Source: 2015 State of the Software Supply Chain Report
Average: Orders (downloads) 240,757; Suppliers (artifacts) 7,601; Parts (versions) 18,614
Vulnerability remediation: 59% never repaired; the 41% that were took 390 days (median 265 days); CVSS 10s took 224 days; the best were remediated in under a week (<7 days)
Source: USENIX, https://www.usenix.org/system/files/login/articles/15_geer_0.pdf
Source: 2015 State of the Software Supply Chain Report
[Diagram: Public Repos → Local Repo → Build Tool (95% of downloads); Public Repos → Build Tool (5% of downloads); 100-200; Cycle Time: Minutes-Hours]
Oh, DevOps…
Q: Does your organization have an open source policy?
Source: 2012, 2013, 2014 Sonatype Open Source Development and Application Security Survey
Orders Quality Control
Average downloads: 240,757
# with known vulnerabilities: 15,337
% with known vulnerabilities: 7.5%
% known vulnerabilities (2013 or older): 66.3%
Download Volumes of Old CVEs
Source: 2015 State of the Software Supply Chain Report @sonatype
Analysis of 1,500+ applications…
ZTTR (Zero Time to Remediation)
1. EMPOWER DEVELOPERS FROM THE START
2. DESIGN A FRICTIONLESS APPROACH
3. CREATE A SOFTWARE BILL OF MATERIALS
Yes! But What Can You See?
Jonathan Knudsen <[email protected]>
Do You Know What’s Inside?
Software is Assembled
• Third-Party Code (Free Open Source Software)
• First-Party Custom Code
• Third-Party Code (Commercial Off-The-Shelf)
How Much Third-Party Code?
• MULTIFUNCTION PRINTER: 16 3rd-Party SW Components
• WI-FI ACCESS POINT: 35 3rd-Party SW Components
• ROUTER: 134 3rd-Party SW Components
• SMART TV: 72 3rd-Party SW Components
• THERMOSTAT: 38 3rd-Party SW Components
• INFUSION PUMP: 3 3rd-Party SW Components
• SMART PHONE: 123 3rd-Party SW Components
• SECURITY CAMERA: 4 3rd-Party SW Components
Source: Synopsys Protecode SC http://protecode-sc.com/
Builder’s Supply Chain
Router components: postgresql, gzip, expat, libxml2, Ipsec-tools, logrotate, gsoap, libssh2, zlib, pcre, xerces-j, sqlite3, raccoon
Buyer’s Supply Chain
• Network Infrastructure
• Business Software
• Others
Ready for the Next Big One?
• Shellshock
• POODLE
Everyone Point to the Person Next to You
COMPONENT SELECTION, BUILD, DEPLOY, PURCHASE, MAINTENANCE
How Many Vulnerabilities?
• MULTIFUNCTION PRINTER: 407 CVEs affecting 6 Components
• WI-FI ACCESS POINT: 858 CVEs affecting 17 Components
• THERMOSTAT: 724 CVEs affecting 18 Components
• INFUSION PUMP: 54 CVEs affecting 1 Component
• SMART PHONE: 909 CVEs affecting 44 Components
• SECURITY CAMERA: 226 CVEs affecting 3 Components
• ROUTER: 4,269 CVEs affecting 70 Components
• SMART TV: 888 CVEs affecting 26 Components
Source: Synopsys Protecode SC http://protecode-sc.com/
If It Ain’t Broke, It Will Be Soon
[Chart: Unique CVEs (0 to 800) over time, 4/2/2008 to 4/2/2014, with markers for the Compilation Date for Oldest Components (2/2008) and the Latest Firmware Release (12/2014)]
Software Composition Analysis
• Obtain Software BoM
• Vulnerabilities
• Licenses
• Source analysis for builders
• Binary analysis for buyers
SCA for Builders
• Process and automation are key
• Shut down “bad” components before they happen
• Manage policy from above
• Let developers be developers
• Track supply chain for released products
SCA for Buyers
• X-Ray for software
• Assess risk
• Great for procurement!
• Track supply chains in deployed products
Use SCA to Minimize Risk
• Builders
  • Get a software bill of materials
  • Manage vulnerabilities
  • Manage licenses
  • Protect your brand
  • Save money
• Buyers
  • Get a software bill of materials
  • Manage vulnerabilities
  • Protect your brand
  • Save money
Your Organization Is What It Eats - Software Supply Chain Issues
Michael F. Angelo – CRISC, CISSP, Chief Security Architect, Micro Focus | NetIQ Corporation, [email protected], @mfa0007
Question:
What do:
- Printers
- Copiers
- Cars
- Medical devices
- Centrifuges
… have in common?
Answer
All are dependent on software which has not been engineered to be secure and which can be exploited.
All of these were developed in secure environments, so they are okay?
Agenda
• Successful software
• The problem
• How to….
• The future?
Successful Software
• 97% of enterprise desktops
• 89% of computers in US
• 3 Billion phones
• 5 Billion Cards
• 125 million TVs
• All top OEMs ship Java
Since 2013, 612 Java Vulnerabilities
Just Like Magic….
https://web.nvd.nist.gov/view/vuln/search?execution=e2s1
NVD Details
NVD Summary
- Details on vulnerabilities
- Impact analysis
- Vectors
- Pointers to details
- List of affected software
No problem…right?
OpenSSL as an Example
- Open Source implementation of SSL and TLS
- Almost 20 years
- Available for most Unix-like O/S, OpenVMS, and Windows
• 2015¹: 902,997,800 web servers
• 2014 (CNN²): 2/3 of web servers run OpenSSL
¹ http://news.netcraft.com/archives/2015/11/16/november-2015-web-server-survey.html
5 Year History
1 Vulnerability Impacts ~602 Million
Year  CVE
2010  13
2011  7
2012  16
2013  12
2014  32
2015  35
Reported Vulnerabilities
• OpenSSL as a Component tracks differently than OpenSSL as a Product
• 1512 SSL Vulnerabilities in 2014
Year  CVEs
2011  4150
2012  5278
2013  5174
2014  7903
2015  6500
Vulnerabilities asserted against products, not Components
The Problem
• Third Party Components are in products
• Products tested, analyzed, and retested for vulnerabilities….
• Components may not exhibit vulnerabilities.
• What components are in your environment?
How to Identify Components
• Ideas
  • Manifests
  • Silent Installs
  • Scraping Copyright / Trademark / Version information
  • 3rd party license files
  • Hashes - National Software Reference Library, http://www.nsrl.nist.gov/Downloads.htm
The Future?
• If you identified all the software, and associated components, in your environment
• Then you need
  • cross reference software to vulnerability in databases
  • Need to raise awareness
  • provide sufficient information to enable you to test the PSV
Proof of Concept
Feature Creep
Caution
• Not every Vulnerability will be meaningful
• Every CVE would be marked as
  • Relevant, Not Relevant, Investigation
  • Mitigated, Not Mitigated, No mitigation needed
Re-Cap: Applying This Today
• Look at resources in this presentation
• Create a tool that:
  • Identifies components in software
  • Checks against CVE
  • Enables triage & communication of potential issues
• Spread the word &
Vulnerability Impact Assessment
Henrik Plate (SAP SE)
You Include a Vulnerable Library – What Now?
• OSS Vulnerability Scanner (OWASP Dependency Check, etc.): scan app during build
• OSS Vulnerability Scanners integrated into development lifecycle
• Central, workflow-based database of app dependencies on OSS
• Common understanding of the dependency on a vulnerable library
What now?
Solution Goal – Assess Exploitability
Vulnerability Exploitable? yes → Fix now; no → Fix later
Solution Approach
• Application-specific exploitability is difficult to determine (minimalistic vuln. descriptions, transitive dependencies, multi-module OSS projects, data provenance, sanitizations, configurations, etc.)
• Only code matters: Can the application be executed in such a way that vulnerable library code is run?
• Assumption: If an application executes code for which a security fix exists, then there is a significant risk that the vulnerability can be exploited in the specific application context
• Static Analysis: Call graph reachability check for elements of OSS security patch
• Dynamic Analysis: Comparison of traces collected during tests with change lists of OSS security patches
Solution Approach
Vulnerable Code Potentially Executed? no → Low Risk; yes → Vulnerable Code Actually Executed? yes → High Risk
Plate, Ponta, Sabetta, “Impact assessment for vulnerabilities in open-source software libraries,” ICSME 2015, 31st IEEE International Conference on Software Maintenance and Evolution
Assessment Levels
• Non-vulnerable library release used
• Vulnerable library release used
• Vulnerable library code potentially executable
• Vulnerable library code actually executed
Solution Architecture (Java)
(1) Tool Expert @ Central Team: trigger analysis of OSS security patch
(2) Backend (Central Service @ SAP): retrieve file revisions from 3rd Party OSS Repositories
(a) Maven Plugin (scheduled periodically; Central Build Infrastructure or App-specific CI System): analyze Application (dependencies from OSS Repo)
(b) Maven Plugin ↔ Backend: up/download analysis results
(c) Security & Application Expert: review results of app analysis
Example & Screenshots
CVE-2012-2098
• Algorithmic complexity vulnerability in the sorting algorithms in bzip2 compressing stream (BZip2CompressorOutputStream) in Apache Commons Compress before 1.4.1 allows remote attackers to cause a denial of service (CPU consumption) via a file with many repeating inputs.
• cpe:/a:apache:commons-compress:*
Maven GAV
• org.apache.commons : commons-compress : 1.4
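The four assessment levels and the static/dynamic checks of the Solution Approach, applied to the CVE-2012-2098 / commons-compress 1.4 example, as an added Python illustration that is not SAP's tool: the vulnerability record, patch change list, call graph and test traces are constructed, and the patched method name is hypothetical.

```python
"""Assessment levels from the 'Vulnerability Impact Assessment' slides, applied to
the CVE-2012-2098 / commons-compress 1.4 example. Added illustration, not SAP's
tool: vulnerability record, patch change list, call graph and traces are
constructed, and the patched method name is hypothetical."""
from dataclasses import dataclass

LEVELS = ("non-vulnerable library release used",
          "vulnerable library release used",
          "vulnerable library code potentially executable",
          "vulnerable library code actually executed")

def parse_version(v):
    """'1.4.1' -> (1, 4, 1): compare releases numerically, not as strings."""
    return tuple(int(p) for p in v.split("."))

@dataclass
class Vulnerability:
    cve: str
    ga: str                 # Maven group:artifact, from the CPE-to-GAV mapping
    fixed_in: str           # first fixed release ("before 1.4.1" in the CVE text)
    changed_methods: set    # constructs touched by the security patch (change list)

def assess(deps, vuln, call_graph, traces):
    """deps: {"group:artifact": version}; call_graph: {caller: {callees}}, app code
    prefixed "app."; traces: methods executed during tests. Returns a LEVELS index."""
    used = deps.get(vuln.ga)
    if used is None or parse_version(used) >= parse_version(vuln.fixed_in):
        return 0
    if traces & vuln.changed_methods:        # dynamic analysis: patched code ran in tests
        return 3
    reachable, work = set(), [m for m in call_graph if m.startswith("app.")]
    while work:                              # static analysis: call graph reachability
        for callee in call_graph.get(work.pop(), ()):
            if callee not in reachable:
                reachable.add(callee)
                work.append(callee)
    return 2 if reachable & vuln.changed_methods else 1

# Constructed data in the shape of the slide's CVE-2012-2098 example.
BZ2_SORT = "BZip2CompressorOutputStream.blockSort"   # hypothetical patched construct
CVE_2012_2098 = Vulnerability("CVE-2012-2098", "org.apache.commons:commons-compress",
                              "1.4.1", {BZ2_SORT})
CALL_GRAPH = {"app.Exporter.writeArchive": {"BZip2CompressorOutputStream.write"},
              "BZip2CompressorOutputStream.write": {BZ2_SORT},
              "app.Importer.readArchive": {"TarArchiveInputStream.read"}}

def demo():
    """Four applications, one landing on each assessment level."""
    old, new = {CVE_2012_2098.ga: "1.4"}, {CVE_2012_2098.ga: "1.4.1"}
    tar_only = {"app.Importer.readArchive": CALL_GRAPH["app.Importer.readArchive"]}
    return {"fixed release": assess(new, CVE_2012_2098, CALL_GRAPH, set()),
            "unreachable": assess(old, CVE_2012_2098, tar_only, set()),
            "reachable": assess(old, CVE_2012_2098, CALL_GRAPH, set()),
            "executed": assess(old, CVE_2012_2098, CALL_GRAPH, {BZ2_SORT})}
```

The "unreachable" application depends on the vulnerable release but never reaches the patched construct, which is exactly the case the talk wants to push from "fix now" to "fix later".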
Wrap-up & Outlook
Today
• Code-centricity reduces false-positives, and is robust against rebundling
• Static and dynamic analyses prioritize backlog
• New bugs do not require new scans
• Productively used at SAP
Tomorrow
• Continued development, e.g., as part of EIT project VAMOSS
• Production of re-usable library call graphs
• Analysis of alternative fixing strategies
Open Panel with Audience Q&A
• Michael Angelo, CRISC, CISSP
• Jonathan Knudsen, Cybersecurity Engineer, Synopsys
• Henrik Plate, Senior Security Researcher, SAP SE
• Derek Weeks, VP and Rugged DevOps Advocate, Sonatype
Closing Remarks
Thank you Citrix for donating the Webcast service
CPE Credit
• Within 24 hours of the conclusion of this webcast, you will receive a link via email to a post Web Conference quiz.
• After the successful completion of the quiz you will be given an opportunity to PRINT a certificate of attendance to use for the submission of CPE credits.
• On-Demand Viewers Quiz Link: http://www.surveygizmo.com/s3/2662670/ISSA-Web-Conference-March-22-2016-Security-Software-Supply-Chain-Is-What-You-See-What-You-Get