EMPOWERING APPLICATION SECURITY IN THE WORLD OF DEVOPS

Empowering Application Security Protection in the World of DevOps


Page 1: Empowering Application Security Protection in the World of DevOps


AGENDA

STATE OF APPLICATION SECURITY

INTEGRATING APPLICATION SECURITY IN DEVOPS

UNIQUE CHALLENGES IN DEVOPS


© 2015 Black Duck Software, Inc.  All Rights Reserved.

STATE OF APPLICATION SECURITY: CUSTOM & OPEN SOURCE CODE


WEB APPLICATION VULNERABILITIES: XSS AND SQL INJECTION EXPLOITATIONS

XSS AND SQL INJECTION EXPLOITS ARE CONTINUING IN HIGH NUMBERS

Source: IBM X-Force Threat Intelligence Quarterly, 2014

APPLICATIONS - THE WEAKEST LINK IN THE IT SECURITY CHAIN

[Chart: web application vulnerabilities as a share of all vulnerability disclosures, 2009 to 2013; y-axis 0% to 25%]

33% OF VULNERABILITY DISCLOSURES ARE WEB APPLICATION VULNERABILITIES


INVESTMENT PRIORITY - “SECURITY RISKS” VS. YOUR “SPEND”

MANY CLIENTS DO NOT PRIORITIZE APPLICATION SECURITY IN THEIR ENVIRONMENTS

[Chart: security risk vs. spending by layer (application layer, data layer, network layer, human layer, host layer, physical layer); y-axis 5% to 35%]

SPENDING DOES NOT EQUAL RISK

Source: The State of Risk-Based Security Management, Research Study by Ponemon Institute, 2013


CUSTOM AND OPEN SOURCE CODE MIX

OPEN SOURCE
• Needed functionality without acquisition costs
• Faster time to market
• Lower development costs
• Broad support from communities

CUSTOM CODE
• Proprietary functionality
• Core enterprise IP
• Competitive differentiation


THE SHIFTING APPLICATION SECURITY THREAT LANDSCAPE: RISE OF OPEN SOURCE VULNERABILITIES

OPEN SOURCE COMPONENTS WITH KNOWN VULNERABILITIES

Since 2014, over 6,000 new vulnerabilities in open source components.

[Chart: vulnerabilities disclosed in open source components over time; y-axis 0 to 1,200; the Heartbleed disclosure is marked]

Source: Risk Based Security’s VulnDB


WHO IS RESPONSIBLE FOR SECURITY?

COMMERCIAL CODE
• Dedicated security researchers
• Alerting and notification infrastructure
• Regular patch updates
• Dedicated support team with SLA

OPEN SOURCE CODE
• “Community”-based code analysis
• Monitor newsfeeds yourself
• No standard patching mechanism
• Ultimately, you are responsible


CONTAINERS AND DEVOPS

Containers can be vulnerable by virtue of the code that runs inside them

• OSS components running inside containers represent potential attack vectors

• Could cause problems for the application itself

• Could cause more problems if the container is running with the --privileged flag set


UNIQUE CHALLENGES IN DEVOPS


WHAT IS DEVOPS?

• Set of principles
• Faster software delivery
• Continuous process
• Collaborative
• Achieved by automation


CHALLENGES WITH APPLICATION SECURITY IN DEVOPS

• Developers are not security experts
• Time pressure
• Security can be an afterthought
• Application security teams are small
• Testing happens too late in the process


BENEFIT FROM DEVOPS WITHOUT COMPROMISING SECURITY

• Automation of Security Testing

• Security Gates


INTEGRATING APPLICATION SECURITY IN DEVOPS


CONTINUOUS INTEGRATION ENVIRONMENT

• Developers / IDE (Eclipse)
• Source Control Management (Git, CVS / Subversion / Perforce)
• Build Tools (Maven / Bundler)
• Continuous Integration Server (Jenkins / TeamCity / Bamboo)
• Binary Repository Management (Artifactory / Nexus)
• Test Automation Tools (Selenium / JUnit)
• Quality Management Tools
• Bug Tracking Tools
• Deployment Environments (Amazon / Docker / VMWare / Openstack)


APPLICATION SECURITY TESTING TECHNOLOGIES

• Static Analysis
• Dynamic Analysis
• Interactive Analysis
• Open Source Scanning


CONTINUOUS INTEGRATION ENVIRONMENT

The same environment (Developers / IDE (Eclipse), Source Control Management (Git, CVS / Subversion / Perforce), Build Tools (Maven / Bundler), Continuous Integration Server (Jenkins / TeamCity / Bamboo), Binary Repository Management (Artifactory / Nexus), Test Automation Tools (Selenium / JUnit), Quality Management Tools, Bug Tracking Tools, Deployment Environments (Amazon / Docker / VMWare / Openstack)), with the application security testing integration points overlaid:

• SAST / OSS
• DAST / IAST
• Bug tracking integration
• OSS IDE integration


BUILD CUSTOM SECURITY GATES BASED ON NEEDS

Delivery pipeline stages: Delivery team → Version control → Build & unit tests → Automated acceptance tests → User acceptance tests → Release

[Diagram: three example pipelines (Pipeline 1, Pipeline 2, Pipeline 3) laid out against these stages, each with its own security gates]
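One way to implement per-stage gates of the kind this slide sketches, as an added example that is not the presentation's or Black Duck's own code. The stage names, blocking thresholds, finding ids, component names and ticket ids are all assumptions; only the idea (SAST/OSS results gate the build, DAST/IAST results gate the later stages, and risk-accepted findings must be tracked rather than ignored) comes from the deck.

```python
# Stage-aware security gate: fail a CI stage when scanner findings exceed its policy.
# Added example; findings, thresholds and ticket ids are constructed, not real scanner output.
import sys

SEVERITY_RANK = {"low": 1, "medium": 2, "high": 3, "critical": 4}

# Gate policy per pipeline stage (assumed thresholds). SAST/OSS results exist at build time;
# DAST/IAST results only after a deployed build is exercised, so later gates block at lower severities.
GATES = {
    "build_and_unit_tests": {"sources": {"sast", "oss"}, "block_at": "high"},
    "automated_acceptance_tests": {"sources": {"sast", "oss", "dast", "iast"}, "block_at": "medium"},
    "release": {"sources": {"sast", "oss", "dast", "iast"}, "block_at": "low"},
}

# Waivers let a tracked, risk-accepted finding pass a gate without being silently ignored:
# each maps a finding id to the bug-tracker ticket that owns it (constructed ids).
WAIVERS = {"ADVISORY-PLACEHOLDER-2": "TICKET-42"}

# Constructed findings, in the shape an aggregation step might collect from the scanners.
FINDINGS = [
    {"id": "SAST-1", "source": "sast", "severity": "high", "title": "SQL injection in OrderDao.findByName"},
    {"id": "ADVISORY-PLACEHOLDER-1", "source": "oss", "severity": "critical",
     "title": "example-tls-lib 1.0.1 has a known memory disclosure advisory"},
    {"id": "ADVISORY-PLACEHOLDER-2", "source": "oss", "severity": "medium",
     "title": "example-js-lib 1.8 has a known XSS advisory"},
    {"id": "DAST-7", "source": "dast", "severity": "high", "title": "Reflected XSS on search page"},
    {"id": "SAST-9", "source": "sast", "severity": "low", "title": "Hard-coded temp-file path"},
]

def evaluate_gate(stage, findings, gates=GATES, waivers=WAIVERS):
    """Return (passed, blocking, waived) for one pipeline stage."""
    gate = gates[stage]
    threshold = SEVERITY_RANK[gate["block_at"]]
    blocking, waived = [], []
    for f in findings:
        if f["source"] not in gate["sources"] or SEVERITY_RANK[f["severity"]] < threshold:
            continue  # not a scanner this stage consumes, or below the blocking severity
        (waived if f["id"] in waivers else blocking).append(f)
    return not blocking, blocking, waived

def main(argv):
    stage = argv[1] if len(argv) > 1 else "build_and_unit_tests"
    passed, blocking, waived = evaluate_gate(stage, FINDINGS)
    for f in blocking:
        print(f"BLOCK [{f['severity']}] {f['source']} {f['id']}: {f['title']}")
    print(f"{len(waived)} waived; gate {'PASSED' if passed else 'FAILED'} at {stage}")
    return 0 if passed else 1  # a non-zero exit code fails the CI stage

if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it as one step per stage in the CI server (for example `python gate.py release`); the exit code is what makes the stage a gate rather than a report.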


IBM AND BLACK DUCK – INTEGRATED VIEW

• Custom code vulnerabilities
• Open source vulnerabilities


WHAT CAN YOU DO TOMORROW?

Speak with your head of application development and DevOps and find out:

• What are your current application security practices?
• What kinds of security gates do you need to build to ensure nothing gets through?
• What tools are you using as part of the development and application security lifecycle?
• Are containers like Docker part of your deployment model?
• How are you tracking new vulnerabilities over time?


SEND QUESTIONS TO

[email protected]

THANK YOU!