DON’T FLY BLIND: SECURITY IN THE AGE OF OPEN SOURCE

© Black Duck Software 2016

3/ Black Duck @ OPEN'16

Page 1 (title slide)


Page 3

But security investment is often not aligned with actual risks

Page 4

Open source is the foundation of modern applications

Figure: share of open source in applications over time
- 1998: 10% open source
- 2005: 20% open source
- 2010: 50% open source
- Today: up to 90% open source

Page 5

It enters your code through many channels…

- Developer downloads
- Outsourced development
- Third party libraries
- Code reuse
- Approved components
- Commercial apps
- Open source code

…and open source vulnerabilities can come with it.

Page 6

Most applications contain untracked open source & vulnerabilities

Page 7

Figure: known open source vulnerabilities per year, 2000 to 2015 (y-axis 0 to 3500; series: NVD, VulnDB-exclusive)

Over 30,000 known open source vulnerabilities since 2000

Page 8

And open source vulnerabilities can have huge impacts

- CVE-2014-0160 (Heartbleed), OpenSSL: Community Health Systems, 4.5 million patient records compromised
- CVE-2013-4810, JBoss: 23,000 sites vulnerable, 200 known compromised sites

Page 9

When vulnerabilities are discovered, it’s a race between you and hackers

Timeline (figure): Vuln Introduced → Vuln Discovered → National Vulnerability Database → You Find It → You Fix It, racing against Exploits Published → Hackers Hack. Figure label: Highest Security Risk.
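The “You Find It” step in that race is only possible if you know which open source components you ship and check them against a vulnerability feed. As an added example (not from this deck or from Black Duck’s product), a minimal Python matcher: the inventory and advisory feed are constructed sample data; the affected OpenSSL range for CVE-2014-0160 (1.0.1 up to, but not including, 1.0.1g) follows the public advisory, while CVE-EXAMPLE-0001 and libfoo are placeholders.

```python
"""Minimal open source inventory vs. advisory matcher (added example, constructed data)."""
from dataclasses import dataclass
import string


def parse_version(v: str) -> tuple:
    """Turn '1.0.1f' into ((1, ''), (0, ''), (1, 'f')) so tuples compare in release order.
    Supports dotted numerics with an optional OpenSSL-style letter suffix only."""
    parts = []
    for piece in v.split("."):
        num = piece.rstrip(string.ascii_lowercase)
        parts.append((int(num), piece[len(num):]))
    return tuple(parts)


@dataclass(frozen=True)
class Advisory:
    cve: str
    component: str
    introduced: str  # first affected version (inclusive)
    fixed: str       # first fixed version (exclusive)


# Constructed advisory feed. The Heartbleed range follows the public OpenSSL advisory;
# CVE-EXAMPLE-0001 is a placeholder identifier for a hypothetical component.
ADVISORIES = [
    Advisory("CVE-2014-0160", "openssl", "1.0.1", "1.0.1g"),
    Advisory("CVE-EXAMPLE-0001", "libfoo", "2.0.0", "2.3.1"),
]


def affected(adv: Advisory, version: str) -> bool:
    """True when version falls in the half-open range [introduced, fixed)."""
    v = parse_version(version)
    return parse_version(adv.introduced) <= v < parse_version(adv.fixed)


def match_inventory(inventory: dict, advisories=ADVISORIES) -> list:
    """inventory maps component name -> shipped version (e.g. from a manifest or a scan).
    Returns (component, version, cve) for every advisory whose range covers the version."""
    findings = []
    for comp, ver in inventory.items():
        for adv in advisories:
            if adv.component == comp.lower() and affected(adv, ver):
                findings.append((comp, ver, adv.cve))
    return findings


# Constructed sample inventory: vulnerable OpenSSL, patched libfoo, zlib not covered by the feed.
SAMPLE_INVENTORY = {"OpenSSL": "1.0.1e", "libfoo": "2.3.1", "zlib": "1.2.8"}

if __name__ == "__main__":
    for comp, ver, cve in match_inventory(SAMPLE_INVENTORY):
        print(f"{comp} {ver}: affected by {cve}")
```

A component missing from the inventory (the “untracked open source” of slide 6) is never checked at all, which is why the inventory step matters more than the matching logic.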

Page 10

So…who’s responsible for keeping your open source software secure?

Page 11

With commercial software, the vendor has your back.

- Dedicated security researchers
- Security advisory notifications
- Automated patching
- Support teams and SLAs

Page 12

With open source, you have to watch your own.

- The “community” reports vulns
- Monitor newsfeeds yourself
- No standard patching mechanisms
- Most open source is unsupported

Page 13

- Heartbleed: OpenSSL, introduced 2011, discovered 2014
- Ghost: GNU C Library, introduced 2000, discovered 2015
- Venom: QEMU, introduced 2004, discovered 2015
- Shellshock: Bash, introduced 1989, discovered 2014
- FREAK: OpenSSL, introduced 1990's, discovered 2015

What do these vulnerabilities have in common?

All were found by security researchers – not SAST / DAST tools.

Page 14

Fact: SAST & DAST tools miss open source vulnerabilities

Automated SAST/DAST tools are good at finding vulnerabilities in the code written by your developers.

But most open source vulnerabilities are too complex and too deep in the code to be found by automated SAST/DAST tools.

Page 15

Center for Open Source Research & Innovation

• Focused on providing cutting-edge research, innovation, information

• Ensure the Open Source ecosystem remains vibrant

• Consistently publish research on Open Source and security

Page 16

Open Source Research, Info-Gathering & Sharing Efforts

- KnowledgeBase™: the world’s most complete, current and accurate repository and database of open source software, associated licenses and other critical information, including known security vulnerabilities.
- Vancouver Research Group: conducts applied research in data mining, machine learning, natural language processing, big data management and software engineering.
- Europe Research Group: analyzes security issues and attack patterns in open source software to provide customers with actionable and meaningful security context on vulnerabilities, corrective actions to reduce risk, and strategies for using open source effectively.
- Open Hub: offers analytics and search services for discovering, evaluating, tracking and comparing open source code and projects.
- Open Source Security Audit Report: active field research of commercial applications, releasing trends in open source management.

Page 17

Know Your Code®