Security Software Supply Chain: Is What You See What You Get?

Page 1

Security Software Supply Chain: Is What You See What You Get?

Start Time: 9 am US Pacific / 12 noon US Eastern / 5 pm London Time

#ISSAWebConf

Page 2

Welcome, Conference Moderator

Mark Kadrich, Chief Information Security & Privacy Officer, San Diego Health Connect

03/22/2016

Page 3

Speaker Introduction

• Derek Weeks, VP and Rugged DevOps Advocate, Sonatype
• Jonathan Knudsen, Cybersecurity Engineer, Synopsys
• Michael Angelo, CRISC, CISSP
• Henrik Plate, Senior Security Researcher, SAP SE

To ask a question: type your question in the Chat area of your screen. You may need to click on the double arrows to open this function.

Page 4

• Derek Weeks, VP and Rugged DevOps Advocate, Sonatype

Page 5

Illusions of Control: Security and Your Software Supply Chain

Derek E. Weeks, VP and Rugged DevOps Advocate, Sonatype, @WeeksTweets

Page 6

• highest quality parts
• fewest and best suppliers
• visibility and traceability

Page 7

Page 8

106,000 Organizations Analyzed

Get the report now: [email protected]

Page 9

We all have a SOFTWARE SUPPLY CHAIN

Page 10

Page 11

Open Source Download Requests… (chart, values by year)

2007: 500M
2008: 1B
2009: 2B
2010: 4B
2011: 6B
2012: 8B
2013: 13B
2014: 17B
2015: 31B

Page 12

How Dependent on 3rd Parties Are We?

Typical Application: 10% Custom Written Code, 90% From 3rd Parties (Open Source, Cloud Services, Closed Source)

Page 13

• highest quality parts
• fewest and best suppliers
• visibility and traceability

AUTOMATE AUTOMATE AUTOMATE

Page 14

Page 15

CHANGE: Typical component is updated 3 - 4X per year.

1,286,732 OSS COMPONENTS
11 MILLION OSS USERS
136,249 SUPPLIERS

Page 16

Suppliers Serving Manufacturers

Source: 2015 State of the Software Supply Chain Report

Average:
• Orders (downloads): 240,757
• Suppliers (artifacts): 7,601
• Parts (versions): 18,614

Page 17

• 59% never repaired
• 41% repaired: 390 days (median 265 days)
• CVSS 10s: 224 days
• <7: the best were remediated in under a week.

Source: USENIX, https://www.usenix.org/system/files/login/articles/15_geer_0.pdf

Page 18

Page 19

Source: 2015 State of the Software Supply Chain Report

(Diagram of two download paths: Public Repos → Local Repo → Build Tool, and Public Repos → Build Tool; the paths are labelled 95% of downloads and 5% of downloads.)

Page 20

Page 21

100-200

Cycle Time: Minutes-Hours

Oh, DevOps…

Page 22

• Q: Does your organization have an open source policy?
• Source: 2012, 2013, 2014 Sonatype Open Source Development and Application Security Survey

Page 23

Orders Quality Control: Download Volumes of Old CVEs

• Average downloads: 240,757
• # with known vulnerabilities: 15,337
• % with known vulnerabilities: 7.5%
• % known vulnerabilities (2013 or older): 66.3%

Source: 2015 State of the Software Supply Chain Report @sonatype

Page 24

Page 25

Page 26

Analysis of 1,500+ applications…

Page 27

Page 28

ZTTR (Zero Time to Remediation)

1. EMPOWER DEVELOPERS FROM THE START

Page 29

2. DESIGN A FRICTIONLESS APPROACH

Page 30

3. CREATE A SOFTWARE BILL OF MATERIALS

Page 31

GET MY SLIDES NOW: [email protected]

Page 32

Question and Answer

Derek Weeks, VP and Rugged DevOps Advocate, Sonatype

Page 33

Thank you Derek Weeks, VP and Rugged DevOps Advocate, Sonatype

Page 34

• Jonathan Knudsen, Cybersecurity Engineer, Synopsys

Page 35

Yes! But What Can You See?

Jonathan Knudsen <[email protected]>

Page 36

Do You Know What’s Inside?

Page 37

Software is Assembled

• First-Party Custom Code
• Third-Party Code (Free Open Source Software)
• Third-Party Code (Commercial Off-The-Shelf)

Page 38

How Much Third-Party Code?

• MULTIFUNCTION PRINTER: 16 3rd-Party SW Components
• WI-FI ACCESS POINT: 35 3rd-Party SW Components
• ROUTER: 134 3rd-Party SW Components
• SMART TV: 72 3rd-Party SW Components
• THERMOSTAT: 38 3rd-Party SW Components
• INFUSION PUMP: 3 3rd-Party SW Components
• SMART PHONE: 123 3rd-Party SW Components
• SECURITY CAMERA: 4 3rd-Party SW Components

Source: Synopsys Protecode SC http://protecode-sc.com/

Page 39

Builder’s Supply Chain

Router, built from: postgresql, gzip, expat, libxml2, Ipsec-tools, logrotate, gsoap, libssh2, zlib, pcre, xerces-j, sqlite3, raccoon

Page 40

Buyer’s Supply Chain

• Network Infrastructure
• Business Software
• Others

Page 41

Ready for the Next Big One?

• Shellshock
• POODLE

Page 42

Everyone Point to the Person Next to You

Lifecycle stages: COMPONENT SELECTION, BUILD, PURCHASE, DEPLOY, MAINTENANCE

Page 43

How Many Vulnerabilities?

• MULTIFUNCTION PRINTER: 407 CVEs affecting 6 Components
• WI-FI ACCESS POINT: 858 CVEs affecting 17 Components
• THERMOSTAT: 724 CVEs affecting 18 Components
• INFUSION PUMP: 54 CVEs affecting 1 Component
• SMART PHONE: 909 CVEs affecting 44 Components
• SECURITY CAMERA: 226 CVEs affecting 3 Components
• ROUTER: 4,269 CVEs affecting 70 Components
• SMART TV: 888 CVEs affecting 26 Components

Source: Synopsys Protecode SC http://protecode-sc.com/

Page 44

If It Ain’t Broke, It Will Be Soon

(Chart: Unique CVEs on the y-axis, 0 to 800; x-axis from 4/2/2008 to 4/2/2014 in yearly steps; annotations "Compilation Date for Oldest Components (2/2008)" and "Latest Firmware Release (12/2014)".)

Page 45

Software Composition Analysis

• Obtain Software BoM
• Vulnerabilities
• Licenses
• Source analysis for builders
• Binary analysis for buyers

Page 46

SCA for Builders

• Process and automation are key
• Shut down “bad” components before they happen
• Manage policy from above
• Let developers be developers
• Track supply chain for released products

Page 47

SCA for Buyers

• X-Ray for software
• Assess risk
• Great for procurement!
• Track supply chains in deployed products

Page 48

Use SCA to Minimize Risk

• Builders
  • Get a software bill of materials
  • Manage vulnerabilities
  • Manage licenses
  • Protect your brand
  • Save money
• Buyers
  • Get a software bill of materials
  • Manage vulnerabilities
  • Protect your brand
  • Save money

Page 49

Question and Answer

Jonathan Knudsen, Cybersecurity Engineer, Synopsys

Page 50

Thank you Jonathan Knudsen, Cybersecurity Engineer, Synopsys

Page 51

• Michael Angelo, CRISC, CISSP

Page 52

Your Organization Is What It Eats - Software Supply Chain Issues

Michael F. Angelo – CRISC, CISSP, Chief Security Architect, Micro Focus | NetIQ Corporation, [email protected], @mfa0007

Page 53

Question: What do printers, copiers, cars, medical devices, centrifuges … have in common?

Page 54

Answer

All are dependent on software which:
• has not been engineered to be secure
• can be exploited

All of these were developed in secure environments, so they are okay?

Page 55

Agenda

• Successful software
• The problem
• How to….
• The future?

Page 56

Successful Software

• 97% of enterprise desktops.
• 89% of computers in US
• 3 Billion phones
• 5 Billion Cards
• 125 million TVs
• All top OEMs ship Java

Since 2013, 612 Java Vulnerabilities

Page 57

Just Like Magic….

https://web.nvd.nist.gov/view/vuln/search?execution=e2s1

Page 58

NVD Details

Page 59

NVD Summary

• Details on vulnerabilities
• Impact analysis
• Vectors
• Pointers to details
• List of affected software

No problem…right?

Page 61

5 Year History

1 Vulnerability Impacts ~602 Million

Year: CVE count
2010: 13
2011: 7
2012: 16
2013: 12
2014: 32
2015: 35

Page 62

Reported Vulnerabilities

• OpenSSL as a Component tracks differently than OpenSSL as a Product
• 1512 SSL Vulnerabilities in 2014

Year: CVEs
2011: 4150
2012: 5278
2013: 5174
2014: 7903
2015: 6500

Vulnerabilities asserted against products, not Components

Page 63

The Problem

• Third Party Components are in products
• Products tested, analyzed, and retested for vulnerabilities….
• Components may not exhibit vulnerabilities.
• What components are in your environment?

Page 64

How to Identify Components

• Ideas
  • Manifests
  • Silent Installs
  • Scraping Copyright / Trademark / Version information
  • 3rd party license files
  • Hashes - National Software Reference Library, http://www.nsrl.nist.gov/Downloads.htm

Page 65

The Future?

• If you identified all the software, and associated components, in your environment
• Then you need to
  • cross reference software to vulnerabilities in databases
  • raise awareness
  • provide sufficient information to enable you to test the PSV

Page 66

Proof of Concept

Page 67

Feature Creep

Page 68

Caution

• Not every Vulnerability will be meaningful
• Every CVE would be marked as
  • Relevant, Not Relevant, Investigation
  • Mitigated, Not Mitigated, No mitigation needed

Page 69

Re-Cap: Applying This Today

• Look at resources in this presentation
• Create a tool that:
  • Identifies components in software
  • Checks against CVE
  • Enables triage & communication of potential issues
• Spread the word &
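The tool sketched on pages 64, 68 and 69 (identify components by hashes and manifest scraping, check them against CVEs, record a triage state per CVE), which is also the "binary analysis for buyers" idea from page 45, carried through as an added Python illustration. This is not the presenter's proof-of-concept and not any real scanner: the file contents, the NSRL-style reference hash set, the placeholder CVE identifiers for zlib and expat and their fix versions are all constructed for the example; only CVE-2012-2098 affecting commons-compress before 1.4.1 is taken from the deck.

```python
"""Component inventory + CVE cross-reference + triage (added illustration).

All file contents, reference hashes, placeholder CVE ids and fix versions
below are constructed for the example; only CVE-2012-2098 / commons-compress
before 1.4.1 comes from the slides.
"""
import hashlib
import re
from dataclasses import dataclass

# Constructed "files on disk": path -> content bytes.
FILES = {
    "/opt/app/lib/libz.so": b"ZLIB-1.2.5-constructed-binary-blob",
    "/opt/app/lib/libexpat.so": b"EXPAT-2.0.1-constructed-binary-blob",
    "/opt/app/lib/META-INF/MANIFEST.MF": (
        b"Manifest-Version: 1.0\n"
        b"Implementation-Title: commons-compress\n"
        b"Implementation-Version: 1.4\n"
    ),
    "/opt/app/bin/app": b"first-party-code-with-no-reference-hash",
}

def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

# Constructed reference hash set (NSRL-style): hash -> (component, version).
# Derived from the blobs above so the example runs offline.
REFERENCE_HASHES = {
    sha256(b"ZLIB-1.2.5-constructed-binary-blob"): ("zlib", "1.2.5"),
    sha256(b"EXPAT-2.0.1-constructed-binary-blob"): ("expat", "2.0.1"),
}

# Constructed CVE list: (cve id, component, first fixed version).
CVES = [
    ("CVE-PLACEHOLDER-0001", "zlib", "1.2.6"),        # placeholder id
    ("CVE-2012-2098", "commons-compress", "1.4.1"),   # from the slides
    ("CVE-PLACEHOLDER-0002", "expat", "2.0.0"),       # placeholder id
]

RELEVANCE = ("Relevant", "Not Relevant", "Investigation")
MITIGATION = ("Mitigated", "Not Mitigated", "No mitigation needed")

@dataclass
class Finding:
    path: str
    component: str
    version: str
    cve: str
    relevance: str = "Investigation"   # every CVE starts unreviewed
    mitigation: str = "Not Mitigated"

def parse_version(v: str) -> tuple:
    """Numeric tuple so that 1.4 < 1.4.1 and 1.2.5 < 1.2.6 compare correctly."""
    return tuple(int(x) for x in re.findall(r"\d+", v))

MANIFEST_RE = re.compile(rb"Implementation-Title:\s*(\S+)\s+Implementation-Version:\s*(\S+)")

def identify_components(files: dict) -> dict:
    """Map path -> (component, version): hash match first, manifest scraping second."""
    found = {}
    for path, data in files.items():
        hit = REFERENCE_HASHES.get(sha256(data))
        if hit is None:
            m = MANIFEST_RE.search(data)
            if m:
                hit = (m.group(1).decode(), m.group(2).decode())
        if hit:
            found[path] = hit
    return found

def cross_reference(components: dict) -> list:
    """One Finding per (file, CVE) where the identified version predates the fix."""
    return [
        Finding(path, comp, ver, cve)
        for path, (comp, ver) in components.items()
        for cve, cve_comp, fixed_in in CVES
        if comp == cve_comp and parse_version(ver) < parse_version(fixed_in)
    ]

def triage(findings: list, decisions: dict) -> list:
    """Apply reviewer decisions {cve: (relevance, mitigation)}; unreviewed CVEs stay 'Investigation'."""
    for f in findings:
        if f.cve in decisions:
            rel, mit = decisions[f.cve]
            if rel not in RELEVANCE or mit not in MITIGATION:
                raise ValueError(f"unknown triage state for {f.cve}: {rel}, {mit}")
            f.relevance, f.mitigation = rel, mit
    return findings

def open_items(findings: list) -> list:
    """What still needs communicating: unreviewed, or relevant and not yet mitigated."""
    return [f for f in findings
            if f.relevance == "Investigation"
            or (f.relevance == "Relevant" and f.mitigation == "Not Mitigated")]

if __name__ == "__main__":
    fs = cross_reference(identify_components(FILES))
    triage(fs, {"CVE-PLACEHOLDER-0001": ("Not Relevant", "No mitigation needed")})
    for f in open_items(fs):
        print(f"{f.path}: {f.component} {f.version} -> {f.cve} [{f.relevance}/{f.mitigation}]")
```

The first-party binary produces no inventory entry at all, which is the "what components are in your environment?" gap from page 63 made visible: anything the hash set and the manifest scraper cannot name never reaches the CVE check, so the inventory's coverage is a finding in its own right. The version comparison is deliberately minimal; a real tool needs a proper version scheme per ecosystem.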

Page 70

Question and Answer

Michael Angelo, CRISC, CISSP

Page 71

Thank you Michael Angelo, CRISC, CISSP

Page 72

• Henrik Plate, Senior Security Researcher, SAP SE

Page 73

Vulnerability Impact Assessment

Henrik Plate (SAP SE)

Page 74

You Include a Vulnerable Library – What Now?

OSS Vulnerability Scanner (OWASP Dependency Check, etc.)

• Scan app during build
• OSS Vulnerability Scanners integrated into development lifecycle
• Central, workflow-based database of app dependencies on OSS
• Common understanding of the dependency on a vulnerable library

Page 75

Solution Goal – Assess Exploitability

OSS Vulnerability Scanner
• Scan app during build
• OSS Vulnerability Scanners integrated into development lifecycle
• Central, workflow-based database of app dependencies on OSS
• Common understanding of the dependency on a vulnerable library

Vulnerability Exploitable? yes → Fix now; no → Fix later

Page 76

Solution Approach

• Application-specific exploitability is difficult to determine (minimalistic vuln. descriptions, transitive dependencies, multi-module OSS projects, data provenance, sanitizations, configurations, etc.)
• Only code matters: Can the application be executed in such a way that vulnerable library code is run?
• Assumption: If an application executes code for which a security fix exists, then there is a significant risk that the vulnerability can be exploited in the specific application context

Vulnerability Exploitable? yes → Fix now; no → Fix later

Page 77

Solution Approach

• Static Analysis: Call graph reachability check for elements of OSS security patch
• Dynamic Analysis: Comparison of traces collected during tests with change lists of OSS security patches

Decision flow: Vulnerable Code Actually Executed? (yes/no) → Vulnerable Code Potentially Executed? (yes/no); outcomes labelled High Risk and Low Risk

Plate, Ponta, Sabetta, “Impact assessment for vulnerabilities in open-source software libraries,” ICSME 2015, 31st IEEE International Conference on Software Maintenance and Evolution

Page 78

Assessment Levels

• Non-vulnerable library release used
• Vulnerable library release used
• Vulnerable library code potentially executable
• Vulnerable library code actually executed
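The four assessment levels above, decided by the static (call graph reachability) and dynamic (trace comparison) checks from pages 76 and 77, as an added Python illustration. This is not SAP's tool and not the ICSME 2015 paper's implementation: the application call graph, the entry points, the test traces and the names of the constructs touched by the security patch are constructed and hypothetical; only the CVE id, the Maven GA and the fixed release 1.4.1 are taken from the page 81 example.

```python
"""Vulnerability impact assessment by code reachability (added illustration).

Only the CVE id, Maven GA and fixed version come from the slides; the call
graph, traces, entry points and the names of the constructs changed by the
security patch are constructed and hypothetical.
"""
from collections import deque

LEVELS = [
    "Non-vulnerable library release used",
    "Vulnerable library release used",
    "Vulnerable library code potentially executable",
    "Vulnerable library code actually executed",
]

def parse_version(v: str) -> tuple:
    return tuple(int(x) for x in v.split("."))

BZ = "org.apache.commons.compress.compressors.bzip2.BZip2CompressorOutputStream"

# Vulnerability record: affected GA, first fixed release, and the library
# constructs the security patch touched (hypothetical method names).
VULN = {
    "cve": "CVE-2012-2098",
    "ga": "org.apache.commons:commons-compress",
    "fixed_in": "1.4.1",
    "changed_constructs": {BZ + ".blockSort", BZ + ".mainSort"},
}

# Constructed application call graph: caller -> set of callees.
CALL_GRAPH = {
    "com.example.app.Main.main": {"com.example.app.Archiver.pack", "com.example.app.Report.render"},
    "com.example.app.Archiver.pack": {BZ + ".write"},
    BZ + ".write": {BZ + ".blockSort"},
    BZ + ".blockSort": {BZ + ".mainSort"},
    "com.example.app.Report.render": set(),
}
ENTRY_POINTS = {"com.example.app.Main.main"}

# Constructed traces: one test run that only rendered a report, one that compressed data.
TRACE_REPORT_ONLY = ["com.example.app.Main.main", "com.example.app.Report.render"]
TRACE_WITH_COMPRESSION = TRACE_REPORT_ONLY + ["com.example.app.Archiver.pack", BZ + ".write", BZ + ".blockSort"]

def reachable(graph: dict, starts) -> set:
    """Static analysis: every construct reachable from the entry points (BFS over the call graph)."""
    seen, queue = set(starts), deque(starts)
    while queue:
        node = queue.popleft()
        for callee in graph.get(node, ()):
            if callee not in seen:
                seen.add(callee)
                queue.append(callee)
    return seen

def assess(dependency, vuln, graph, entry_points, trace):
    """Assessment level for one (ga, version) dependency, or None if the record does not apply."""
    ga, version = dependency
    if ga != vuln["ga"]:
        return None
    if parse_version(version) >= parse_version(vuln["fixed_in"]):
        return LEVELS[0]
    # Dynamic analysis: did any patched construct show up in the collected trace?
    if vuln["changed_constructs"] & set(trace):
        return LEVELS[3]
    # Static analysis: is any patched construct reachable from the app's entry points?
    if vuln["changed_constructs"] & reachable(graph, entry_points):
        return LEVELS[2]
    return LEVELS[1]

def prioritize(dependencies, vuln, graph, entry_points, trace) -> list:
    """Backlog ordering: highest assessment level first; unaffected dependencies dropped."""
    scored = [(d, assess(d, vuln, graph, entry_points, trace)) for d in dependencies]
    scored = [(d, lvl) for d, lvl in scored if lvl is not None]
    return sorted(scored, key=lambda x: LEVELS.index(x[1]), reverse=True)

if __name__ == "__main__":
    deps = [("junit:junit", "4.12"), ("org.apache.commons:commons-compress", "1.4")]
    for dep, level in prioritize(deps, VULN, CALL_GRAPH, ENTRY_POINTS, TRACE_WITH_COMPRESSION):
        print(f"{dep[0]}:{dep[1]} -> {level}")
```

The ordering of the checks matters: a construct seen in a trace is stronger evidence than static reachability, so the dynamic check runs first, and a dependency at a fixed release short-circuits both. Because the record keys on changed constructs rather than on the artifact name, a rebundled copy of the same classes under another GA would still match once its constructs appear in the graph or trace, which is the "robust against rebundling" point from the wrap-up.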

Page 79

Solution Architecture (Java)

• Backend (Central Service @ SAP)
• Central Build Infrastructure or App-specific CI System: Maven Plugin (scheduled periodically), Application
• 3rd Party OSS Repositories / OSS Repo
• Tool Expert @ Central Team
• Security & Application Expert

Flow:
(1) trigger analysis of OSS security patch
(2) retrieve file revisions
(a) analyze
(b) up/download analysis results
(c) review results of app analysis

Page 80

Page 81

Example & Screenshots

CVE-2012-2098
• Algorithmic complexity vulnerability in the sorting algorithms in bzip2 compressing stream (BZip2CompressorOutputStream) in Apache Commons Compress before 1.4.1 allows remote attackers to cause a denial of service (CPU consumption) via a file with many repeating inputs.
• cpe:/a:apache:commons-compress:*
• Maven GAV: org.apache.commons : commons-compress : 1.4

Page 82

Page 83

Page 84

Wrap-up & Outlook

Today
• Code-centricity reduces false-positives, and is robust against rebundling
• Static and dynamic analyses prioritize backlog
• New bugs do not require new scans
• Productively used at SAP

Tomorrow
• Continued development, e.g., as part of EIT project VAMOSS
• Production of re-usable library call graphs
• Analysis of alternative fixing strategies

Page 85

Question and Answer

Henrik Plate, Senior Security Researcher, SAP SE

Page 86

Thank you Henrik Plate, Senior Security Researcher, SAP SE

Page 87

Open Panel with Audience Q&A

• Michael Angelo, CRISC, CISSP
• Jonathan Knudsen, Cybersecurity Engineer, Synopsys
• Henrik Plate, Senior Security Researcher, SAP SE
• Derek Weeks, VP and Rugged DevOps Advocate, Sonatype

Page 88

Closing Remarks

Thank you Citrix for donating the Webcast service

Page 89

CPE Credit

• Within 24 hours of the conclusion of this webcast, you will receive a link via email to a post Web Conference quiz.
• After the successful completion of the quiz you will be given an opportunity to PRINT a certificate of attendance to use for the submission of CPE credits.
• On-Demand Viewers Quiz Link: http://www.surveygizmo.com/s3/2662670/ISSA-Web-Conference-March-22-2016-Security-Software-Supply-Chain-Is-What-You-See-What-You-Get

#ISSAWebConf 03/22/2016