Best Practices for Managing Risk from Open Source Libraries and Components, February 5th at 1pm ET, Jim Routh & Joshua Corman


Page 1: Best Practices for Managing Risk from Open Source Libraries and Components

Best Practices for Managing Risk from Open Source Libraries and Components

February 5th at 1pm ET, Jim Routh & Joshua Corman

Page 2: Best Practices for Managing Risk from Open Source Libraries and Components

2 04/11/2023

FEATURED SPEAKERS

JIM ROUTH, CISO

• Certified with CSSLP & CISM

• Chairman of FS-ISAC Committee

• 20+ Years in Application Security

JOSHUA CORMAN, CTO

• Co-founder of Rugged Software

• Previously w/ Akamai & 451 Group

• Trusted Security Professional @joshcorman

Page 3: Best Practices for Managing Risk from Open Source Libraries and Components


TODAY’S AGENDA

• What is the Third Party Security Working Group

• What are the recommended control types

• Why policy management & enforcement

• What changed?

• Dependence (disproportional)

• Component Lifecycle Management in action

Page 4: Best Practices for Managing Risk from Open Source Libraries and Components

FS-ISAC Third Party Software Security Working Group

Third Party Software Security Steering Committee Members

1. Jerry Brady, Morgan Stanley
2. Mark Connelly, Thomson Reuters
3. Mahi Dontamasetti, DTCC
4. Paul Fulton, Citi
5. Keith Gordon, Capital One
6. Royal Hansen, Goldman Sachs
7. Chauncey Holden, RBS Citizens Bank
8. Rich Jones, JP Morgan Chase
9. Ben Miron, GE
10. Jim Routh, Aetna

Working Group Members

1. David Smith, Fidelity
2. Don Elkins, Morgan Stanley
3. Matt Levine, Goldman Sachs
4. David Hubley, Capital One
5. Tim Mathias, Thomson Reuters
6. Rishikesh Pande, Citi

The Third Party Software Security Working Group was established with a mandate to analyze control options and develop specific recommendations on control types for member firms to consider adding to their vendor governance programs.

These recommendations on control types are captured in the FS-ISAC Working Group whitepaper, “Appropriate Software Security Control Types for Third Party Service and Product Providers.”

Page 5: Best Practices for Managing Risk from Open Source Libraries and Components

FS-ISAC Third Party Software Security Working Group

Recommended Control Types

1. vBSIMM Process Maturity

2. Binary Static Analysis

3. Policy management and enforcement for consumption of open source libraries and components

Page 6: Best Practices for Managing Risk from Open Source Libraries and Components

FS-ISAC Third Party Software Security Working Group

Control Types

Page 7: Best Practices for Managing Risk from Open Source Libraries and Components

FS-ISAC Third Party Software Security Working Group

Control 3 - Policy management and enforcement for consumption of open source libraries and components

This control type identifies consumable open source libraries for a given Financial Institution, identifies the security vulnerabilities by open source component, and enables the Financial Institution to apply controls or governance over the acquisition and use of open source libraries.

Page 8: Best Practices for Managing Risk from Open Source Libraries and Components

FS-ISAC Third Party Software Security Working Group

Component Usage Has Exploded

Control 3 Open Source Policy Management

Page 9: Best Practices for Managing Risk from Open Source Libraries and Components

FS-ISAC Third Party Software Security Working Group

Policy Management Capability

Page 10: Best Practices for Managing Risk from Open Source Libraries and Components

FS-ISAC Third Party Software Security Working Group

FS-ISAC Third Party Software Security Working Group Whitepaper

www.fs-isac.com

Page 11: Best Practices for Managing Risk from Open Source Libraries and Components

WHAT’S CHANGED?

Page 12: Best Practices for Managing Risk from Open Source Libraries and Components

COST, COMPLEXITY, AND RISK

Page 13: Best Practices for Managing Risk from Open Source Libraries and Components

CONSEQUENCES: VALUE & REPLACEABILITY

http://blog.cognitivedissidents.com/2011/10/24/a-replaceability-continuum/

Page 14: Best Practices for Managing Risk from Open Source Libraries and Components
Page 15: Best Practices for Managing Risk from Open Source Libraries and Components

Countermeasures

Situational Awareness

Operational Excellence

Defensible Infrastructure

Page 16: Best Practices for Managing Risk from Open Source Libraries and Components

Countermeasures

Situational Awareness

Operational Excellence

Defensible Infrastructure

Page 17: Best Practices for Managing Risk from Open Source Libraries and Components

Countermeasures

Situational Awareness

Operational Excellence

Defensible Infrastructure

Page 18: Best Practices for Managing Risk from Open Source Libraries and Components

Countermeasures

Situational Awareness

Operational Excellence

Defensible Infrastructure

Page 19: Best Practices for Managing Risk from Open Source Libraries and Components

Figure: the three countermeasures (Situational Awareness, Operational Excellence, Defensible Infrastructure) plotted against REPLACEABILITY for the asset classes Life, Rights, CritInfr, IP, PII and CCN.

Page 20: Best Practices for Managing Risk from Open Source Libraries and Components

HOW MUCH CODE DO WE “WRITE” THESE DAYS?

Figure (Software Evolution): 90% of the application is Assembled from components, the remainder Written.

Page 21: Best Practices for Managing Risk from Open Source Libraries and Components

HOW MUCH CODE DO WE “WRITE” THESE DAYS?

Figure (Software Evolution): 90% of the application is Assembled from components, the remainder Written.

Page 22: Best Practices for Managing Risk from Open Source Libraries and Components

Component Selection

Open source usage is EXPLODING

Yesterday’s source code is today’s OPEN SOURCE

Chart of component downloads per year: 2007 500M, 2008 1B, 2009 2B, 2010 4B, 2011 6B, 2012 8B, 2013 13B.

Page 23: Best Practices for Managing Risk from Open Source Libraries and Components

A Sea Change in Hacker Targeting

Now that software is assembled…


Page 24: Best Practices for Managing Risk from Open Source Libraries and Components

Today’s approaches AREN’T WORKING

Component Selection

Pipeline stages: COMPONENT SELECTION, DEVELOPMENT, BUILD AND DEPLOY, PRODUCTION

• 46m vulnerable components downloaded

• 71% of repos have 1+ critical or severe vulnerability

• 90% of repos have 1+ critical vulnerability

Page 25: Best Practices for Managing Risk from Open Source Libraries and Components

A Massive Supply Chain Problem

• No Visibility: no visibility into what components are used, where they are used and where there is risk.

• No Control: no way to govern/enforce component usage. Policies are not integrated with development.

• No Fix: no efficient way to fix existing flaws.

Page 26: Best Practices for Managing Risk from Open Source Libraries and Components
Page 27: Best Practices for Managing Risk from Open Source Libraries and Components


FROM THE FS-ISAC WHITE PAPER

• Enabling application architects to control versions of software.

• Accelerating the development process by encouraging the consumption of open source libraries that are resilient.

• Reducing operating costs, since the cost of ripping out obsolete components from existing applications is high, assuming the older versions can be identified in the first place.

Page 28: Best Practices for Managing Risk from Open Source Libraries and Components

CLM IN ACTION

Page 29: Best Practices for Managing Risk from Open Source Libraries and Components

BACK TO… CONTROL TYPES

Page 30: Best Practices for Managing Risk from Open Source Libraries and Components

From Notional Exposure to Active Risk:

• Snapshot Report: What have I downloaded?

• Repository Health Check: What’s in my repo?

• Application Health Check: Are my apps vulnerable?

Page 31: Best Practices for Managing Risk from Open Source Libraries and Components

CVE-2013-2251: WIDESPREAD COMPROMISE

Affected organizations shown:

• Global Bank

• Software Provider

• Software Provider’s Customer

• State University

• Three-Letter Agency

• Large Financial Exchange

Page 32: Best Practices for Managing Risk from Open Source Libraries and Components

How can we choose the best components FROM THE START?

Shift Upstream = ZTTR (Zero Time to Remediation)

Analyze all components from within your IDE

License, Security and Architecture data for each component, evaluated against your policy
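The evaluation that Control 3 and the IDE check above describe, written out as an added example that is not part of the deck or of any vendor's product: each component's security, license and version data is scored against a policy, and the build is gated on the result. The component coordinates, advisory ids, version catalog and policy values are all constructed for the example.

```python
# Added example, not from the FS-ISAC deck or any vendor product: a Control 3 style
# policy gate over an application's open source components. Inventory, advisory
# feed, version catalog and policy are all constructed for the example.
from dataclasses import dataclass, field

@dataclass
class Component:
    name: str                                   # "group:artifact" coordinate
    version: str
    license: str
    vulns: list = field(default_factory=list)   # (advisory id, severity) pairs

# Constructed policy: listed severities and licenses block; being behind the
# latest catalogued version only warns.
POLICY = {"block_severity": {"critical", "severe"},
          "blocked_licenses": {"UNKNOWN", "No-Redistribution"},
          "warn_if_outdated": True}

# Constructed catalog of the latest known version per component.
LATEST = {"org.example:web-framework": "2.4.0",
          "org.example:json-parser": "1.9.0",
          "org.example:logger": "3.0.1"}

def parse_version(v):
    return tuple(int(p) for p in v.split("."))

def evaluate(comp, policy=POLICY, latest=LATEST):
    """Return (verdict, reasons); verdict is 'block', 'warn' or 'allow'."""
    reasons = []
    for vid, sev in comp.vulns:                      # security data
        if sev.lower() in policy["block_severity"]:
            reasons.append(f"block: {vid} rated {sev}")
    if comp.license in policy["blocked_licenses"]:   # license data
        reasons.append(f"block: license {comp.license} not permitted")
    newest = latest.get(comp.name)                   # architecture/age data
    if (policy["warn_if_outdated"] and newest
            and parse_version(comp.version) < parse_version(newest)):
        reasons.append(f"warn: {comp.version} is behind latest {newest}")
    verdict = "block" if any(r.startswith("block") for r in reasons) else \
              "warn" if reasons else "allow"
    return verdict, reasons

def gate(components):
    """Evaluate every component; the build passes only if none is blocked."""
    results = {c.name: evaluate(c) for c in components}
    return all(v != "block" for v, _ in results.values()), results

# Constructed inventory for one application, e.g. read from its build manifest.
APP = [Component("org.example:web-framework", "2.1.0", "Apache-2.0",
                 [("ADV-EXAMPLE-1", "Critical")]),
       Component("org.example:json-parser", "1.8.2", "MIT"),
       Component("org.example:logger", "3.0.1", "UNKNOWN")]
```

Running `gate(APP)` reports the framework blocked for its critical advisory (and flagged as outdated), the parser warned for lagging the catalog, and the logger blocked for an unidentified license, so the build does not pass.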

Page 33: Best Practices for Managing Risk from Open Source Libraries and Components

Software Evolution: Little Effort, BIG IMPACT

Page 34: Best Practices for Managing Risk from Open Source Libraries and Components

WE NEED BETTER LEVERAGE!

Most security programs are getting a little bit better everywhere; but not sufficiently better anywhere...

Earlier. Easier. Effective.

Page 35: Best Practices for Managing Risk from Open Source Libraries and Components


DEVELOPERS & APPLICATION SECURITY:

WHO’S RESPONSIBLE?

Take the Survey: https://www.surveymonkey.com/s/Developers_and_App

63% of people concerned with open source

Page 36: Best Practices for Managing Risk from Open Source Libraries and Components


“A new approach in the market is Component Lifecycle Management (CLM) which offers the ability to enforce policies in the development process.”

LEARN MORE

To learn more about the ‘Component Lifecycle Management Approach’, read the OVUM report.

http://www.sonatype.com/resources/whitepapers

Page 37: Best Practices for Managing Risk from Open Source Libraries and Components

BEST PRACTICES FOR MANAGING RISK FROM OPEN SOURCE LIBRARIES AND COMPONENTS

Thank you for attending today’s event; please contact us with any questions.

http://www.sonatype.com/contact/general-inquiry