DON’T FLY BLIND: SECURITY IN THE AGE OF OPEN SOURCE
© Black Duck Software 2016
Open source is the foundation of modern applications

Share of application code that is open source (as plotted on the slide):
• 1998: 10%
• 2005: 20%
• 2010: 50%
• Today: up to 90%

But security investment is often not aligned with actual risks.
It enters your code through many channels…
• Developer downloads
• Outsourced development
• Third-party libraries
• Code reuse
• Approved components
• Commercial apps
• Open source code
…and open source vulnerabilities can come with it.
Most applications contain untracked open source & vulnerabilities
[Chart: known open source vulnerabilities disclosed per year, 2000 to 2015; y-axis 0 to 3,500; series: NVD and VulnDB-exclusive]
Over 30,000 known open source vulnerabilities since 2000
And open source vulnerabilities can have huge impacts
• CVE-2014-0160 (Heartbleed), OpenSSL: Community Health Systems, 4.5 million patient records compromised
• CVE-2013-4810, JBoss: 23,000 sites vulnerable, 200 known compromised sites
When vulnerabilities are discovered, it’s a race between you and hackers

Attacker timeline: Vuln Introduced → Vuln Discovered → National Vulnerability Database → Exploits Published → Hackers Hack
Your timeline: You Find It → You FIX It
Highest security risk: the window between the vulnerability’s disclosure (and published exploits) and your fix.
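The "You Find It" step on that timeline is a component-inventory problem: know which open source packages and versions are in the build, then match them against an advisory feed. The following is an added illustration, not Black Duck code: a minimal software-composition check over a constructed inventory and a constructed OSV-style advisory list (introduced-inclusive, fixed-exclusive ranges). The Heartbleed range is the real one (OpenSSL 1.0.1 through 1.0.1f, fixed in 1.0.1g); the second advisory and every package in the inventory are placeholders, and the version-ordering rule is an assumption that suits OpenSSL-style letter suffixes.

```python
"""Minimal software-composition check: match a component inventory
against a list of known-vulnerability advisories.

Added example, not Black Duck code. Advisory feed and inventory below
are constructed for illustration; a real check would pull advisories
from NVD / OSV and read the project's lock file or build output.
"""
import re

# Constructed advisory feed in OSV style: a version is affected when
# introduced <= version < fixed; a missing "fixed" means no patch yet.
# CVE-2014-0160's range is real; CONSTRUCTED-0001 is a placeholder that
# exercises the "no fix available" path.
ADVISORIES = [
    {"id": "CVE-2014-0160", "package": "openssl",
     "introduced": "1.0.1", "fixed": "1.0.1g", "summary": "Heartbleed"},
    {"id": "CONSTRUCTED-0001", "package": "examplelib",
     "introduced": "2.0.0", "fixed": None, "summary": "placeholder, unfixed"},
]

# Constructed inventory, one entry per channel the slide lists. The same
# package can enter twice at different versions (vendored vs approved).
INVENTORY = [
    {"name": "openssl",    "version": "1.0.1f", "channel": "vendored copy"},
    {"name": "openssl",    "version": "1.0.1g", "channel": "approved component"},
    {"name": "examplelib", "version": "2.3.1",  "channel": "transitive dependency"},
    {"name": "examplelib", "version": "1.9.0",  "channel": "developer download"},
    {"name": "requests",   "version": "2.9.1",  "channel": "third-party library"},
]

# One dot-separated part: optional digits followed by an optional letter
# suffix ("1", "1f"). Anything else (e.g. "1rc1") is rejected loudly
# rather than silently misordered.
_PART = re.compile(r"^(\d*)([A-Za-z]*)$")


def version_key(version: str) -> tuple:
    """Sort key giving '1.0.1' < '1.0.1f' < '1.0.1g' < '1.0.2'.

    Each part becomes (number, letter-suffix); short versions are padded
    with (0, '') so '1.0' and '1.0.0' compare equal. Assumption: this
    ordering matches the project's own versioning scheme.
    """
    key = []
    for part in version.split("."):
        m = _PART.match(part)
        if not m:
            raise ValueError(f"unsupported version string: {version!r}")
        num, suffix = m.groups()
        key.append((int(num) if num else 0, suffix))
    while len(key) < 4:
        key.append((0, ""))
    return tuple(key)


def is_affected(version: str, advisory: dict) -> bool:
    """True when introduced <= version < fixed (or no fix exists)."""
    v = version_key(version)
    if v < version_key(advisory["introduced"]):
        return False
    fixed = advisory.get("fixed")
    return fixed is None or v < version_key(fixed)


def find_vulnerable(inventory, advisories):
    """Return (component, advisory) pairs for every affected component."""
    by_package = {}
    for adv in advisories:
        by_package.setdefault(adv["package"], []).append(adv)
    hits = []
    for comp in inventory:
        for adv in by_package.get(comp["name"], []):
            if is_affected(comp["version"], adv):
                hits.append((comp, adv))
    return hits


def report(inventory=INVENTORY, advisories=ADVISORIES):
    """Print one line per hit, naming the channel it came in through."""
    hits = find_vulnerable(inventory, advisories)
    for comp, adv in hits:
        fix = adv["fixed"] or "no fix available"
        print(f"{comp['name']} {comp['version']} ({comp['channel']}): "
              f"{adv['id']} {adv['summary']}; upgrade to {fix}")
    return hits


if __name__ == "__main__":
    report()
```

Run as-is it flags the vendored OpenSSL 1.0.1f and the transitive examplelib 2.3.1, and leaves the patched OpenSSL 1.0.1g alone; the point is that the vendored and transitive copies are exactly the "untracked" channels a code scanner never sees as components.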
So… who’s responsible for keeping your open source software secure?

With commercial software, the vendor has your back:
• Dedicated security researchers
• Security advisory notifications
• Automated patching
• Support teams and SLAs

With open source, you have to watch your own:
• The “community” reports vulns
• Monitor newsfeeds yourself
• No standard patching mechanisms
• Most open source is unsupported
Long-lived vulnerabilities in widely used components (year introduced vs. year discovered):
• Heartbleed: OpenSSL, introduced 2011, discovered 2014
• Ghost: GNU C Library, introduced 2000, discovered 2015
• Venom: QEMU, introduced 2004, discovered 2015
• Shellshock: Bash, introduced 1989, discovered 2014
• FREAK: OpenSSL, introduced 1990s, discovered 2015
What do these vulnerabilities have in common?
All were found by security researchers, not by SAST / DAST tools.

Fact: SAST & DAST tools miss open source vulnerabilities
Automated SAST/DAST tools are good at finding vulnerabilities in the code written by your developers. But most open source vulnerabilities are too complex and too deep in the code to be found by automated SAST/DAST tools. Finding known vulnerabilities in third-party components is an inventory problem: knowing which components and versions are in the build and matching them against advisory databases, which is not what SAST/DAST are built to do.
Center for Open Source Research & Innovation
• Focused on providing cutting-edge research, innovation and information
• Ensures the open source ecosystem remains vibrant
• Consistently publishes research on open source and security

Open Source Research, Info-Gathering & Sharing Efforts
• KnowledgeBase™: the world’s most complete, current and accurate repository and database of open source software, associated licenses and other critical information, including known security vulnerabilities.
• Vancouver Research Group: conducts applied research in data mining, machine learning, natural language processing, big data management and software engineering.
• Europe Research Group: analyzes security issues and attack patterns in open source software to provide customers with actionable and meaningful security context on vulnerabilities, corrective actions to reduce risk, and strategies for using open source effectively.
• Open Hub: offers analytics and search services for discovering, evaluating, tracking and comparing open source code and projects.
• Open Source Security Audit Report: active field research of commercial applications, reporting trends in open source management.

Know Your Code®