Post on 14-Apr-2017
LESSONS LEARNED FROM HEARTBLEED, STRUTS, AND THE NEGLECTED 90%
Wendy Nather, Security Research Director, 451 Research, @451wendy
Josh Corman, CTO, Sonatype, @joshcorman
FEATURED SPEAKERS
Wendy Nather, Security Research Director, 451 Research (@451wendy)
Joshua Corman, CTO, Sonatype (@joshcorman)
• CISO of Texas Education Agency
• Security Director, Swiss Bank Corp
• Co-author of ‘The Cloud Security Rules’
• Co-founder of Rugged Software
• Previously w/ Akamai & 451 Group
• Trusted Security Professional
https://451research.com/ http://www.sonatype.com/
STATE OF THE UNION
Web Apps are the Top Attack Surface
--- 2014 Verizon Data Breach Investigations Report
Spending vs. attack vs. risk
Source: Normalized spending numbers from IDC, Gartner, The 451 Group; since groupings vary
Spending and risk are out of sync: AppSec gets the LEAST $ but the MOST attacker focus. Worse, within AppSec, existing dollars go to the 10% that is written.
[Chart, approximate annual spending by category: Network Security ~$20B; Host Security ~$10B; Data Security ~$5B; People Security ~$4B; Application Security ~$0.5B (SAST/DAST on written code). Assembled 3rd party & open source components, ~90% of most applications: almost no spending.]
Spending and risk are OUT OF SYNC
[Diagram contrasting DEPENDENCE with CURRENT SPENDING across layers: Presentation Layer, Business Logic; Component Layer: 3rd Party & Open Source; Database, OS, Firmware, Network.]
Application Security Technology Roadmap
Q. What is your status of implementation for this technology? n=198-205. Source: 451 Research Information Security – Wave 16
[Chart: adoption status for Multifactor Authentication for Web-based Applications; Application Security Testing – External Interface Fuzzing or Testing Vulnerability Assessment; Database Security; Application Security Testing – Code or Binary Analysis-based Vulnerability Assessment; Web Application Firewall (WAF). Legend: In Use Now (Not Including Pilots); In Pilot/Evaluation (Budget Has Already Been Allocated); In Near-term Plan (In Next 6 Months); In Long-term Plan (6-18 Months); Past Long-term Plan (Later Than 18 Months Out); Not in Plan; Don't Know. "In Use Now" ranges from 32% to 40% across the five technologies; "Not in Plan" from 47% to 58%.]
2013 vs. 2012 Spending Change for Application Security Technologies
Q. How will your spending on this technology change in 2013 as compared to 2012? n=45-201. Data from respondents not using the technology or that don't know about spending are hidden.
Source: 451 Research Information Security – Wave 16
[Chart: Less Spending / About the Same / More Spending for Database Security; Multifactor Authentication for Web-based Applications; Application Security Testing – External Interface Fuzzing or Testing Vulnerability Assessment; Web Application Firewall (WAF); Application Security Testing – Code or Binary Analysis-based Vulnerability Assessment. "About the Same" ranges from 70% to 77%, "More Spending" from 16% to 24%, "Less Spending" at most 1%.]
2014 vs. 2013 Spending Change for Application Security Technologies
Q. How will your spending on this technology change in 2014 as compared to 2013? n=45-201. Data from respondents not using the technology or that don't know about spending are hidden. Source: 451 Research Information Security – Wave 16
[Chart: Less Spending / About the Same / More Spending for Application Security Testing – External Interface Fuzzing or Testing Vulnerability Assessment; Multifactor Authentication for Web-based Applications; Database Security; Web Application Firewall (WAF); Application Security Testing – Code or Binary Analysis-based Vulnerability Assessment. "About the Same" ranges from 58% to 70%, "More Spending" from 21% to 34%, "Less Spending" from 1% to 3%.]
2014 vs. 2013 Spending Change for Information Security Technologies
Q. How will your spending on this technology change in 2014 as compared to 2013? n=45-201. Data from respondents not using the technology or that don't know about spending are hidden. Source: 451 Research Information Security – Wave 16
[Chart: Less Spending / About the Same / More Spending per technology. Technologies shown: Anti-spam/Email Security; Patch Management; Penetration Testing; Anti-spyware; Hard Drive Encryption; Laptop Encryption; Anti-virus; Host Intrusion Detection and/or Prevention (HIDS/HIPS); Secure File Transfer; Computer Forensics; Email/Messaging Archiving/Compliance; Vulnerability/Risk Assessment/Scanning (of Infrastructure); File Integrity Monitoring; SSL VPNs; Secure Instant Messaging; Email Encryption; Application Security Testing – External Interface Fuzzing or Testing Vulnerability Assessment; Key Management and/or Public Key Infrastructure; Web Content Filtering; Threat Intelligence; Two-factor (Strong) Authentication for Infrastructure (e.g., …); Single Sign-on; IT Security Training/Education/Awareness; Anti-botnet; Multifactor Authentication for Web-based Applications; Information or Digital Rights Management; Database Security; Advanced Anti-malware Response; Managed Security Service Provider (MSSP); Policy and Configuration Management; Tokenization; Web Application Firewall (WAF); IT GRC (Governance, Risk, Compliance); Network Data-loss Prevention Solutions; Application Security Testing – Code or Binary Analysis-based Vulnerability Assessment; Mobile Device Security (Not MDM); Network Intrusion Detection and/or Prevention (NIDS/NIPS); Network Firewalls; Event Log Management System; Virtualization Security; Application-aware Firewall; Identity Management; Unified Threat Management (UTM); Endpoint Data-loss Prevention Solutions; Network Access Control (NAC); Cloud Security; Security Information Event Management (SIEM); Mobile Device Management. "Less Spending" ranges from 1% to 13%, "About the Same" from 32% to 84%, "More Spending" from 7% to 46%.]
Below the Security Poverty Line …
• Little to no IT expertise
• More likely to use open source because it’s free
• No resources to monitor open source use or test it for vulnerabilities
• Disproportionately dependent on third party vendors
• Limited span of control
  • Configuration and tuning decisions
  • Architecture and strategy decisions
  • Risk management
• Information asymmetry
What do we mean by the ‘Neglected 90%’
[Chart: share of a typical application that is Assembled (~90%) versus Written.]
What Security Approach Has the Most Impact?
• Defensible Infrastructure
• Operational Excellence
• Situational Awareness
• Counter-measures
IS IT OPEN SEASON ON OPEN SOURCE?
Now that software is 90%
ASSEMBLED…
One risky component, multiplied thousands of times: ONE EASY TARGET
• Global Bank
• Software Provider
• Software Provider’s Customer
• State University
• Three-Letter Agency
• Large Financial Exchange
• Hundreds of Other Sites
Is it true, with many eyeballs, all bugs are SHALLOW?
[Chart: Apache Struts CVEs by year, 2005–2014, plotted against CVSS score (vertical axis 1.0–10.0): CVE-2005-3745; CVE-2006-1546; CVE-2006-1547; CVE-2006-1548; CVE-2007-6726; CVE-2008-2025; CVE-2008-6504; CVE-2008-6505; CVE-2008-6682; CVE-2010-1870; CVE-2011-1772; CVE-2011-2087; CVE-2011-2088; CVE-2011-5057; CVE-2012-0391; CVE-2012-0392; CVE-2012-0393; CVE-2012-0394; CVE-2012-0838; CVE-2012-1006; CVE-2012-1007; CVE-2012-4386; CVE-2012-4387; CVE-2013-1965; CVE-2013-1966; CVE-2013-2115; CVE-2013-2134; CVE-2013-2135; CVE-2013-2248; CVE-2013-2251; CVE-2013-4310; CVE-2013-4316; CVE-2013-6348; CVE-2014-0094.]
In 2013, 4,000 organizations downloaded a version of Bouncy Castle with a level 10 vulnerability 20,000 TIMES … MORE THAN FIVE YEARS after the vulnerability was fixed
National Cyber Awareness System, Original Release Date: 03/30/2009; CVE-2007-6721; Bouncy Castle Java Cryptography API; CVSS v2 Base Score: 10.0 HIGH; Impact Subscore: 10.0; Exploitability Subscore: 10.0
In December 2013, 6,916 DIFFERENT organizations downloaded a version of httpclient with broken SSL validation (CVE-2012-5783) 66,824 TIMES … more than ONE YEAR AFTER THE ALERT
National Cyber Awareness System, Original Release Date: 11/04/2012; CVE-2012-5783; Apache Commons HttpClient 3.x; CVSS v2 Base Score: 5.8 MEDIUM; Impact Subscore: 4.9; Exploitability Subscore: 8.6
THE REAL IMPLICATIONS OF HEARTBLEED
Heartbleed + Internet of Things = ?
In Our Bodies In Our Homes
IS IT TIME FOR A SOFTWARE SUPPLY CHAIN? (and/or software liability)
[Diagram: Supply Chain Management, spanning Supplier, Supply, Selection, Integration, Delivery, Optimization (Monitoring), Projects, Components, Component Version, Platforms & Tools, Application.]
If you’re not using secure COMPONENTS you’re not building secure APPLICATIONS
Lifecycle: Component Selection → Development → Build and Deploy → Production
Today’s approaches AREN’T WORKING
• 46m vulnerable components downloaded
• 71% of apps have 1+ critical or severe vulnerability
• 90% of repositories have 1+ critical vulnerability
“Sonatype presents a rare opportunity to do something concrete in the application security space. One of the 1st tools that comes close to remediation not just scan results and recommendations.”
-- Wendy Nather
A NEW APPROACH
Current methods vs. Sonatype CLM:
• Problem discovery vs. Problem remediation
• “Scan and scold” vs. Empower developers
• Source code scanning vs. Component analysis
• Approval-centric workflow vs. Automated policy across lifecycle
• Scans after development vs. Policy enforcement throughout SLC
Don’t use vulnerable components. It’s an AVOIDABLE RISK
2013 Data Breach Investigations Report: “Some organizations will be a target REGARDLESS of what they do, but most become a target BECAUSE of what they do.”
How can we choose the best components
FROM THE START?
Shift Upstream = ZTTR (Zero Time to Remediation)
Analyze all components from within your IDE
License, Security and Architecture data for each component, evaluated against your policy
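The selection-time check described above, and the "years after the fix" download figures from the Bouncy Castle and httpclient slides, can both be made concrete with a small policy gate. The code below is an added example written for this page; it is not Sonatype's CLM, not a real advisory feed, and not code from the talk. The CVE ids, CVSS scores and advisory release dates are the ones shown on the slides; the dependency manifest, the affected-version ranges, the fix hints, the license deny list and the check date (CHECK_DATE) are assumptions constructed for the example.

```python
"""Component-selection gate: evaluate each dependency in a manifest against
advisory and license data before it reaches a build. All data below is a
constructed sample; it is not Sonatype's tooling or any real feed."""
from dataclasses import dataclass
from datetime import date
from typing import List, Optional, Tuple

# Constructed dependency manifest: (group, artifact, version, declared license).
MANIFEST = [
    ("org.bouncycastle", "bcprov-jdk15", "1.36", "MIT"),
    ("commons-httpclient", "commons-httpclient", "3.1", "Apache-2.0"),
    ("org.example", "hypothetical-lib", "2.4.1", "GPL-3.0"),      # hypothetical artifact
    ("org.apache.httpcomponents", "httpclient", "4.5.14", "Apache-2.0"),
]

@dataclass
class Advisory:
    cve: str
    coordinate: str                 # "group:artifact" the advisory applies to
    cvss: float
    published: date                 # advisory release date
    affected_below: Optional[str]   # versions strictly below this are affected; None = whole series
    series_prefix: str = ""         # restrict to a version series, e.g. "3."
    fix_hint: str = ""

# CVE ids, CVSS scores and release dates are those on the slides; the affected
# ranges and fix hints are ASSUMPTIONS made for this example.
ADVISORIES = [
    Advisory("CVE-2007-6721", "org.bouncycastle:bcprov-jdk15", 10.0, date(2009, 3, 30),
             affected_below="1.38", fix_hint="upgrade to 1.38+ (assumed fixed release)"),
    Advisory("CVE-2012-5783", "commons-httpclient:commons-httpclient", 5.8, date(2012, 11, 4),
             affected_below=None, series_prefix="3.",
             fix_hint="move to org.apache.httpcomponents:httpclient 4.x (assumed)"),
]

@dataclass
class Policy:
    block_cvss: float = 7.0                            # "critical or severe": fail the build
    warn_cvss: float = 4.0                             # report, but allow the build
    denied_licenses: Tuple[str, ...] = ("GPL-3.0",)    # assumed license policy

@dataclass
class Finding:
    coordinate: str
    version: str
    level: str          # "BLOCK" or "WARN"
    reason: str
    cve: str = ""
    days_public: int = 0
    remediation: str = ""

def parse_version(v: str) -> Tuple[int, ...]:
    """Dotted numeric versions only ('1.36' -> (1, 36)); non-numeric parts compare as 0."""
    return tuple(int(p) if p.isdigit() else 0 for p in v.split("."))

def is_affected(adv: Advisory, version: str) -> bool:
    if adv.series_prefix and not version.startswith(adv.series_prefix):
        return False
    if adv.affected_below is None:
        return True
    return parse_version(version) < parse_version(adv.affected_below)

def evaluate(manifest, advisories, policy: Policy, today: date) -> List[Finding]:
    """Security findings carry how long the advisory has been public, so a report
    shows when a team is pulling a version fixed years earlier."""
    findings: List[Finding] = []
    for group, artifact, version, license_id in manifest:
        coord = f"{group}:{artifact}"
        for adv in advisories:
            if adv.coordinate != coord or not is_affected(adv, version):
                continue
            if adv.cvss >= policy.block_cvss:
                level = "BLOCK"
            elif adv.cvss >= policy.warn_cvss:
                level = "WARN"
            else:
                continue
            age = (today - adv.published).days
            findings.append(Finding(coord, version, level,
                                    f"{adv.cve} CVSS {adv.cvss}, public for {age} days",
                                    cve=adv.cve, days_public=age, remediation=adv.fix_hint))
        if license_id in policy.denied_licenses:
            findings.append(Finding(coord, version, "BLOCK",
                                    f"license {license_id} not allowed by policy"))
    return findings

def gate(findings: List[Finding]) -> bool:
    """True when the build may proceed (no BLOCK-level finding)."""
    return not any(f.level == "BLOCK" for f in findings)

CHECK_DATE = date(2014, 6, 1)   # constructed "today" for the worked run

def run_check() -> List[Finding]:
    return evaluate(MANIFEST, ADVISORIES, Policy(), CHECK_DATE)

if __name__ == "__main__":
    results = run_check()
    for f in results:
        print(f"{f.level:5} {f.coordinate}:{f.version}  {f.reason}  {f.remediation}")
    print("build allowed" if gate(results) else "build blocked")
```

Run as-is, the check blocks the Bouncy Castle 1.36 dependency (CVSS 10.0, public for more than five years at the check date), warns on commons-httpclient 3.1 (CVSS 5.8), blocks the GPL-3.0 artifact on license grounds, and passes httpclient 4.5.14. Wiring the same function into an IDE plugin or a CI step is what moves the decision upstream to component selection; the version comparison here is deliberately simple and would need to understand qualifiers such as "-rc1" before being used against a real repository.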
How do we prevent future bleeding hearts?
-- 3 step action plan
LEARN MORE
“The combination of growing component usage, coupled with lack of security, requires us to urgently re-evaluate traditional application security approaches.”
http://www.sonatype.com/clm/spotlight-on-heartbleed
www.sonatype.com/neglected90