ALIENS IN YOUR APPS? Are you using components with known vulnerabilities?
October 22, 2014 – All Things Open. Ryan Berg, CSO, Sonatype
Our world runs on software, and software runs on open source components. For four years, we have asked those on the front lines (developers, architects, and managers) about how they're using open source components, and how they're balancing the need for speed with the need for security.
This year, 3,353 people shared their views.
The TRUE State of OSS Security
OSS policies: 56% have a policy, and 68% follow policies.
Top 3 challenges: no enforcement (workarounds are common), no security, not clear what's expected.
Practices: 76% don't have meaningful controls over what components are in their applications.
21% must prove use of secure components.
63% have an incomplete view of license risk.
Components: The Central Repository is used by 83%.
Nexus component managers are used 3-to-1 over others.
84% of developers use Maven/Jar to build applications.
State of the industry
Applications are the #1 attack vector leading to breach.
13 billion open source component requests annually.
11 million developers worldwide.
90% of a typical application is now open source components.
46 million vulnerable open source components downloaded annually.
App security: 6 in 10 don't track vulnerabilities over time.
77% have never banned a component.
31% suspected an open source breach.
Open source component use has exploded
13 billion open source software component requests [1] (chart: annual request counts for 2007 through 2013: 500M, 1B, 2B, 4B, 6B, 8B, 13B)
11 million developers worldwide [2]
Source: [1] Sonatype, Inc. analysis of the (Maven) Central Repository; [2] IDC
Open Source Software is essential
...to help build your applications: Most applications are now assembled from hundreds of open source components, often reflecting as much as 90% of an application.
...and satisfy demand: Open source helps meet the accelerated development demand required for these growth drivers.
(diagram labels: assembled, written)
Heartbleed raises awareness
Q: Has your organization had a breach that can be attributed to a vulnerability in an open source component or dependency in the last 12 months?
Not uncommon (if you look)
1-in-10 had or suspected an open source related breach in the past 12 months
We care (shhh, don't tell, we don't really)
Q: Has your organization ever banned use of an open source component, library or project?
Proof is in the pudding: More than 1-in-3 say their open source policy doesn't cover security.
Q: How does your open source policy address security vulnerabilities?
Source: 2014 Sonatype Open Source Development and Application Security Survey
But what about developers … Even when component versions are updated 4-5 times a year to fix known security, license or quality issues.
Q: Does someone actively monitor your components for changes in vulnerability data?
At least it's good in production?
Q: Does your organization maintain an inventory of open source components used in production applications?
Which way are the fingers pointing? Q: Who has responsibility for tracking & resolving newly discovered component vulnerabilities in *production* applications?
In 2013, 50% Named AppDev
In 2013, 8% Named AppSec
Policy without controls is? Is an “Open Source Policy” more than just a document?
Q: How well does your organization control which components are used in development projects?
Don't worry, we got it. But control is not unanimous.
Q: Who in your organization has PRIMARY responsibility for open source policy/governance?
But do I care?
Q: How would you characterize your developers' interest in application security?
Source: 2013 and 2014 Sonatype Open Source Development and Application Security Survey
Hey if it works … ship it!
Q: When selecting components, which characteristics would be most helpful to you? (choose four)
Source: 2014 Sonatype Open Source Development and Application Security Survey
This security thing is such a drag … Bacon
Q: What application security training is available to you? (multiple selections possible)
Cleanup on Aisle 9, Cleanup on Aisle 9. AppDev runs at Agile & DevOps speed. Is security keeping pace?
Q: At what point in the development process does your organization perform application security analysis? (multiple selections possible)
You mean licenses matter? Yet, licensing data is considered helpful to 67% of respondents when selecting open source components to use.
Q: Are open source licensing risks or liabilities a top concern in your position?
Why yes, I believe it does
Q: Does your organization/policy manage the use of components by license types (e.g., GPL, copyleft)?
It's always Spring somewhere
Number of Dependent Components: 8781
Downloads: 6,987,246
CVSS Score: 6.8
MTTR: 229
Unique Organizations: 72,156
CVE-2011-2894: Spring Framework 3.0.0 through 3.0.5, Spring Security 3.0.0 through 3.0.5 and 2.0.0 through 2.0.6, and possibly other versions deserialize objects from untrusted sources, which allows remote attackers to bypass intended security restrictions and execute untrusted code by (1) serializing a java.lang.Proxy instance and using InvocationHandler, or (2) accessing internal AOP interfaces, as demonstrated using deserialization of a DefaultListableBeanFactory instance to execute arbitrary commands via the java.lang.Runtime class.
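The survey above asks whether organizations keep an inventory of their components and monitor them against vulnerability data, and the Spring card shows the kind of version range such a check has to evaluate. The following Python script is an added example, not part of the deck: it reads a constructed pom.xml, builds the dependency inventory, and flags any dependency whose version falls inside the CVE-2011-2894 ranges quoted on the page. The Maven coordinates (org.springframework:spring-core, org.springframework.security:spring-security-core) are assumptions, and the version comparison uses numeric segments only, so pre-release qualifiers are ignored.

```python
import re
import xml.etree.ElementTree as ET

# Constructed pom.xml fragment for illustration (not from the deck).
POM = """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <dependencies>
    <dependency>
      <groupId>org.springframework</groupId>
      <artifactId>spring-core</artifactId>
      <version>3.0.5.RELEASE</version>
    </dependency>
    <dependency>
      <groupId>org.springframework.security</groupId>
      <artifactId>spring-security-core</artifactId>
      <version>3.0.6.RELEASE</version>
    </dependency>
  </dependencies>
</project>"""
NS = {"m": "http://maven.apache.org/POM/4.0.0"}

# Inclusive vulnerable ranges from the CVE-2011-2894 text on the page.
# The Maven coordinates are assumptions; a real feed would supply them.
ADVISORIES = [
    ("CVE-2011-2894", "org.springframework", "spring-core", "3.0.0", "3.0.5"),
    ("CVE-2011-2894", "org.springframework.security", "spring-security-core", "3.0.0", "3.0.5"),
    ("CVE-2011-2894", "org.springframework.security", "spring-security-core", "2.0.0", "2.0.6"),
]

def version_key(version):
    """Numeric segments only: 3.0.5.RELEASE -> (3, 0, 5); qualifiers are ignored."""
    return tuple(int(p) for p in re.findall(r"\d+", version))

def inventory(pom_xml):
    """List every declared dependency as (groupId, artifactId, version)."""
    root = ET.fromstring(pom_xml)
    return [tuple(dep.find("m:" + tag, NS).text.strip()
                  for tag in ("groupId", "artifactId", "version"))
            for dep in root.findall(".//m:dependency", NS)]

def vulnerable(deps, advisories=ADVISORIES):
    """Return (cve, coordinate) for each dependency inside a known-bad range."""
    hits = []
    for group, artifact, version in deps:
        for cve, g, a, low, high in advisories:
            if (group, artifact) == (g, a) and \
               version_key(low) <= version_key(version) <= version_key(high):
                hits.append((cve, f"{group}:{artifact}:{version}"))
    return hits
```

Running `vulnerable(inventory(POM))` flags spring-core 3.0.5.RELEASE and clears spring-security-core 3.0.6.RELEASE, which sits just past the quoted range.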
An App just isn't an App without XML
Number of Dependent Components: 4003
Downloads: 3,797,847
CVSS: 5
MTTR: 867
Unique Organizations: 119,569
CVE-2009-2625: XMLScanner.java in Apache Xerces2 Java, as used in Sun Java Runtime Environment (JRE) in JDK and JRE 6 before Update 15 and JDK and JRE 5.0 before Update 20, and in other products, allows remote attackers to cause a denial of service (infinite loop and application hang) via malformed XML input, as demonstrated by the Codenomicon XML fuzzing framework.
We are still using that?
Number of Dependent Components: 75
Downloads: 324,765
CVSS: 6.8
Unique Organizations: 119,569
CVE-2003-1516: The org.apache.xalan.processor.XSLProcessorVersion class in Java Plug-in 1.4.2_01 allows signed and unsigned applets to share variables, which violates the Java security model and could allow remote attackers to read or write data belonging to a signed applet.
No license, no worries
Number of Dependent Components: 1164
Number of Downloads: 182,145
Latest Release Date: May-11-2006
Unique Organizations: 8,383
jstl:1.2 java standard template library implementation
I am what I say I am
Number of Dependent Components: 1190
Number of Downloads: 19,621
Last Release Date: Jan-12-2011
Unique Organizations: 1,026,964
asm:3.3.1 java bytecode analysis framework
One release … Ever!
Number of Dependent Components: 305
Number of Downloads: 432,468
Last Release: Nov-8-2005
Unique Organizations: 14,454
jakarta-regexp:1.4 regular expression parsing library
Thank You! [email protected]