
© Copyright 2014 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.

7 Security Gaps in the "Neglected 90%" of Your Applications: 3rd Party & Open Source Software Supply Chain Risks

Joshua Corman, Sonatype CTO Sep 2014 – HP Connect – Washington, DC

SW SUPPLY CHAIN IN CONTEXT OF CYBERSECURITY BIG PICTURE

KEY QUESTIONS

Where are Attackers most focused?
Where are Defenders most focused?
Which Activities have the most security impact?

Source: 2014 Verizon Data Breach Investigations Report

MOST ATTACKED: WEAK SOFTWARE IS #1 ATTACK VECTOR

LEAST SPENDING/PRIORITY: WEAK SOFTWARE

Software Security gets LEAST $ but MOST attacker focus.

[Chart: annual security spending by category, set against attack risk]

Network Security   ~$20B
Host Security      ~$10B
Data Security      ~$5B
People Security    ~$4B
Software Security  ~$0.5B

Source: Normalized spending numbers from IDC, Gartner, The 451 Group; groupings vary between analysts.

Worse, within Software, existing dollars go to the 10% written: written-code scanning gets the software-security spend, while the assembled 3rd party & open source components that make up ~90% of most applications get almost no spending.

MOST IMPACT: BUY/BUILD DEFENSIBLE SOFTWARE

[Diagram: pyramid, from the foundation up]

Defensible Infrastructure: the software & hardware we build, buy, and deploy. 90% of software is assembled from 3rd party & open source; only 10% is written.
Operational Excellence
Situational Awareness
Counter-measures

@joshcorman @451wendy

IS IT OPEN SEASON ON OPEN SOURCE?

Now that software is ASSEMBLED… our shared value becomes our shared attack surface.

THINK LIKE AN ATTACKER

ONE EASY TARGET: one risky component now affects thousands of victims.

BEYOND HEARTBLEED: OPENSSL IN 2014 (17 ENTRIES IN NIST'S NVD THROUGH JULY 25, 2014)

CVE             NVD date    CVSS v2 base   Note
CVE-2014-3470   6/5/2014    4.3 MEDIUM     Siemens *
CVE-2014-0224   6/5/2014    6.8 MEDIUM     Siemens *
CVE-2014-0221   6/5/2014    4.3 MEDIUM
CVE-2014-0195   6/5/2014    6.8 MEDIUM
CVE-2014-0198   5/6/2014    4.3 MEDIUM     Siemens *
CVE-2013-7373   4/29/2014   7.5 HIGH
CVE-2014-2734   4/24/2014   5.8 MEDIUM     ** DISPUTED **
CVE-2014-0139   4/15/2014   5.8 MEDIUM
CVE-2010-5298   4/14/2014   4.0 MEDIUM
CVE-2014-0160   4/7/2014    5.0 MEDIUM     Heartbleed
CVE-2014-0076   3/25/2014   4.3 MEDIUM
CVE-2014-0016   3/24/2014   4.3 MEDIUM
CVE-2014-0017   3/14/2014   1.9 LOW
CVE-2014-2234   3/5/2014    6.4 MEDIUM
CVE-2013-7295   1/17/2014   4.0 MEDIUM
CVE-2013-4353   1/8/2014    4.3 MEDIUM
CVE-2013-6450   1/1/2014    5.8 MEDIUM

Note that Heartbleed itself scored only 5.0 MEDIUM under CVSS v2: the base score alone is a poor proxy for the real exposure a component creates.

As of today, internet scans by MassScan reveal that 300,000 of the original 600,000 Heartbleed-vulnerable hosts remain unpatched or unpatchable.

OPEN SOURCE USAGE IS EXPLODING

[Chart: Requests in Millions per year, 2001 to 2013, y-axis 0 to 8,000]

13 Billion Requests in 2013. Component Usage Has Exploded.

Growth Drivers: Mobile, Cloud, Web Apps, Big Data

TRUE? W/ MANY EYEBALLS, ALL BUGS ARE SHALLOW? E.G. STRUTS

STRUTS in use at:
Global Bank
Software Provider
Software Provider's Customer
State University
Three-Letter Agency
Large Financial Exchange
Hundreds of Other Sites

[Chart: Struts CVEs, 2005 to 2014, plotted against CVSS base score (1.0 to 10.0); some of the flaws were latent 7-11 years before disclosure]

CVEs shown, grouped by CVE year:
2005: CVE-2005-3745
2006: CVE-2006-1546, CVE-2006-1547, CVE-2006-1548
2007: CVE-2007-6726
2008: CVE-2008-2025, CVE-2008-6504, CVE-2008-6505, CVE-2008-6682
2010: CVE-2010-1870
2011: CVE-2011-1772, CVE-2011-2087, CVE-2011-2088, CVE-2011-5057
2012: CVE-2012-0391, CVE-2012-0392, CVE-2012-0393, CVE-2012-0394, CVE-2012-0838, CVE-2012-1006, CVE-2012-1007, CVE-2012-4386, CVE-2012-4387
2013: CVE-2013-1965, CVE-2013-1966, CVE-2013-2115, CVE-2013-2134, CVE-2013-2135, CVE-2013-2248, CVE-2013-2251, CVE-2013-4310, CVE-2013-4316, CVE-2013-6348
2014: CVE-2014-0094

BOUNCY CASTLE

In 2013, 4,000 organizations downloaded a version of Bouncy Castle with a level 10 vulnerability 20,000 TIMES, MORE THAN FIVE YEARS after the vulnerability was fixed.

NATIONAL CYBER AWARENESS SYSTEM, Original Release Date: 03/30/2009
CVE-2007-6721, Bouncy Castle Java Cryptography API
CVSS v2 Base Score: 10.0 HIGH; Impact Subscore: 10.0; Exploitability Subscore: 10.0

HTTPCLIENT 3.X

In December 2013, 6,916 DIFFERENT organizations downloaded a version of HttpClient with broken SSL validation (CVE-2012-5783) 66,824 TIMES, more than ONE YEAR AFTER THE ALERT.

NATIONAL CYBER AWARENESS SYSTEM, Original Release Date: 11/04/2012
CVE-2012-5783, Apache Commons HttpClient 3.x
CVSS v2 Base Score: 5.8 MEDIUM; Impact Subscore: 4.9; Exploitability Subscore: 8.6
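What "broken SSL validation" means in practice, as an added example that is not code from this deck, from Sonatype or from Apache: CVE-2012-5783 is the absence of a hostname check, not a bad trust store. HttpClient 3.x accepted any certificate chain that validated to a trusted CA without checking that the host in the URL appeared in the certificate's CN or subjectAltName, so any valid certificate for any host let a man-in-the-middle through. The Python below implements the check that was skipped (RFC 6125 style matching of the requested host against dNSName SANs, falling back to the CN only when there are no SANs) next to a client that omits it. The certificates are constructed dictionaries in the shape ssl.SSLSocket.getpeercert() returns, not real certificates, and the bank and attacker host names are hypothetical.

```python
"""The hostname check that CVE-2012-5783 describes as missing.

Added example; not code from the deck, Sonatype or Apache. Certificates are
constructed dicts in the shape ssl.SSLSocket.getpeercert() returns, not real
certificates; host names are hypothetical.
"""

# Constructed: a certificate issued to bank.example.com (plus a wildcard SAN).
BANK_CERT = {
    "subject": ((("commonName", "bank.example.com"),),),
    "subjectAltName": (("DNS", "bank.example.com"), ("DNS", "*.bank.example.com")),
}
# Constructed: a perfectly valid, CA-signed certificate for a host the
# attacker controls. A chain check alone passes it.
ATTACKER_CERT = {
    "subject": ((("commonName", "evil.example.net"),),),
    "subjectAltName": (("DNS", "evil.example.net"),),
}


def _dns_name_matches(pattern: str, hostname: str) -> bool:
    """RFC 6125 style matching: case-insensitive; a single '*' is allowed only
    as the whole left-most label, must leave at least two more labels, and
    matches exactly one label (never a dot)."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    labels = pattern.split(".")
    if labels[0] != "*" or any("*" in lab for lab in labels[1:]) or len(labels) < 3:
        return False  # rejects 'f*o.example.com', 'a.*.com' and '*.com'
    host_labels = hostname.split(".")
    return len(host_labels) == len(labels) and host_labels[1:] == labels[1:]


def hostname_matches(cert: dict, hostname: str) -> bool:
    """True iff hostname is covered by a dNSName SAN; the CN is consulted only
    when the certificate carries no dNSName SAN at all (legacy fallback)."""
    san_dns = [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]
    if san_dns:
        return any(_dns_name_matches(p, hostname) for p in san_dns)
    for rdn in cert.get("subject", ()):
        for key, value in rdn:
            if key == "commonName":
                return _dns_name_matches(value, hostname)
    return False


def connect_httpclient3_style(cert: dict, requested_host: str) -> str:
    """Models the vulnerable behaviour: chain validated => connection accepted.
    requested_host is never consulted."""
    return "connected"


def connect_hardened(cert: dict, requested_host: str) -> str:
    """Chain validation (assumed done by the caller) plus the hostname check."""
    if not hostname_matches(cert, requested_host):
        raise ValueError(f"certificate is not valid for {requested_host}")
    return "connected"


def mitm_outcome(connect, requested_host="bank.example.com", presented_cert=ATTACKER_CERT) -> str:
    """Scenario: the client asks for requested_host; a man-in-the-middle
    presents presented_cert. Returns what the client does with it."""
    try:
        return connect(presented_cert, requested_host)
    except ValueError:
        return "rejected"


if __name__ == "__main__":
    print("HttpClient 3.x style:", mitm_outcome(connect_httpclient3_style))  # connected
    print("hardened:            ", mitm_outcome(connect_hardened))            # rejected
```

The wildcard rules are the part implementations most often get wrong: a pattern like `*.com` or a wildcard in any label other than the first must be rejected, and `*.bank.example.com` must not match `a.b.bank.example.com`. In a real client the hostname check is one step; the chain still has to validate to a trusted CA first, which is the step HttpClient 3.x did perform.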

THE REAL IMPLICATIONS OF HEARTBLEED

HEARTBLEED + (UNPATCHABLE) INTERNET OF THINGS == ___ ?

In Our Bodies
In Our Homes
In Our Infrastructure
In Our Cars

IS IT TIME FOR A SOFTWARE SUPPLY CHAIN?

ELEGANT PROCUREMENT TRIO

1) Ingredients: Anything sold to $PROCURING_ENTITY must provide a Bill of Materials of 3rd Party and Open Source Components (along with their Versions)
2) Hygiene & Avoidable Risk: …and cannot use known vulnerable components for which a less vulnerable component is available (without a written and compelling justification accepted by $PROCURING_ENTITY)
3) Remediation: …and must be patchable/updateable, as new vulnerabilities will inevitably be revealed
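The first two requirements of the trio are mechanical enough to automate, and the same check is what a build gate runs when policy enforcement is moved out of manual review. The Python below is an added example, not code from this deck, from Sonatype CLM or from HP Fortify on Demand: it builds a Bill of Materials from a constructed Maven pom.xml (resolving ${property} versions, the usual place a real version hides) and checks it against a constructed advisory list. The advisory entries reuse CVE ids this deck mentions, but their version ranges, fixed versions and scores are illustrative placeholders, not NVD data; a real check takes them from NVD or a component-intelligence feed, and should also cover transitive dependencies, which a pom.xml alone does not list.

```python
"""Bill of materials + known-vulnerable-component check for a Maven pom.xml.

Added example; not code from the deck, Sonatype or HP. The pom and the
advisory table are constructed; advisory version ranges and scores are
illustrative, not NVD data.
"""
import re
import xml.etree.ElementTree as ET

NS = {"m": "http://maven.apache.org/POM/4.0.0"}

# Constructed pom.xml: one property-resolved version, two literal versions.
SAMPLE_POM = """<?xml version="1.0"?>
<project xmlns="http://maven.apache.org/POM/4.0.0">
  <modelVersion>4.0.0</modelVersion>
  <groupId>com.example</groupId><artifactId>webapp</artifactId><version>1.0</version>
  <properties><struts.version>2.3.15</struts.version></properties>
  <dependencies>
    <dependency><groupId>org.apache.struts</groupId><artifactId>struts2-core</artifactId>
      <version>${struts.version}</version></dependency>
    <dependency><groupId>commons-httpclient</groupId><artifactId>commons-httpclient</artifactId>
      <version>3.1</version></dependency>
    <dependency><groupId>org.bouncycastle</groupId><artifactId>bcprov-jdk15</artifactId>
      <version>1.45</version></dependency>
  </dependencies>
</project>"""

# Constructed advisories, keyed by (groupId, artifactId). "below" is the first
# non-vulnerable version in that line; "fixed_in" None means no fixed release
# exists in the line, so the trio's "less vulnerable component" is a different
# artifact (for HttpClient 3.x that is HttpClient 4.x). Values are illustrative.
ADVISORIES = {
    ("org.apache.struts", "struts2-core"): [
        {"cve": "CVE-2013-2251", "cvss": 9.3, "below": "2.3.15.1", "fixed_in": "2.3.15.1"}],
    ("commons-httpclient", "commons-httpclient"): [
        {"cve": "CVE-2012-5783", "cvss": 5.8, "below": "4", "fixed_in": None}],
    ("org.bouncycastle", "bcprov-jdk15"): [
        {"cve": "CVE-2007-6721", "cvss": 10.0, "below": "1.38", "fixed_in": "1.38"}],
}


def version_key(v: str):
    """Sort key for numeric Maven versions: '2.3.15' < '2.3.15.1', '1.38' > '1.4'.
    Simplified: non-numeric qualifiers sort after numbers, which is not the
    full Maven ordering for pre-releases; enough for released versions."""
    return [(0, int(p)) if p.isdigit() else (1, p) for p in re.split(r"[.-]", v)]


def bill_of_materials(pom_xml: str):
    """Requirement 1: every declared dependency with its resolved version."""
    root = ET.fromstring(pom_xml)
    props_el = root.find("m:properties", NS)
    props = {} if props_el is None else {
        p.tag.split("}")[1]: (p.text or "").strip() for p in props_el}
    bom = []
    for dep in root.findall("m:dependencies/m:dependency", NS):
        text = lambda tag: dep.find(f"m:{tag}", NS).text.strip()
        version = re.sub(r"\$\{([^}]+)\}", lambda m: props[m.group(1)], text("version"))
        bom.append((text("groupId"), text("artifactId"), version))
    return bom


def hygiene_findings(bom, advisories=ADVISORIES):
    """Requirement 2: known-vulnerable components with the required action,
    highest CVSS first."""
    findings = []
    for group, artifact, version in bom:
        for adv in advisories.get((group, artifact), []):
            if version_key(version) < version_key(adv["below"]):
                action = (f"upgrade to {adv['fixed_in']}" if adv["fixed_in"]
                          else "no fixed release in this line: migrate or justify in writing")
                findings.append({"component": f"{group}:{artifact}:{version}",
                                 "cve": adv["cve"], "cvss": adv["cvss"], "action": action})
    return sorted(findings, key=lambda f: -f["cvss"])


if __name__ == "__main__":
    for f in hygiene_findings(bill_of_materials(SAMPLE_POM)):
        print(f"{f['cvss']:>4}  {f['cve']}  {f['component']}  -> {f['action']}")
```

Run against the sample, the Struts and HttpClient entries are reported and the Bouncy Castle 1.45 entry is not, because it is above the illustrative fixed version. The distinction between the two actions matters for the trio's wording: where a fixed release exists in the same line the answer is an upgrade, and only where none exists does the written justification clause come into play.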

PROCUREMENT TRIO + BOUNCY CASTLE

The Bouncy Castle figures above (CVE-2007-6721, CVSS v2 base score 10.0, downloaded 20,000 times by 4,000 organizations in 2013, more than five years after the fix), set against the trio: a Bill of Materials would have surfaced the component and its version, and the hygiene rule would have rejected it, since a fixed version had been available for years.

1) AS OPEN SOURCE USAGE EXPANDS, SO DO THE RISKS

[Chart repeated from above: Requests in Millions per year, 2001 to 2013; 13 Billion Requests in 2013; Growth Drivers: Mobile, Cloud, Web Apps, Big Data. Component Usage Has Exploded; OPEN SOURCE USAGE IS EXPLODING.]

2) SECURITY BUDGETS ARE OUT OF SYNC WITH RISK AND REALITY

[Slides repeated from above: per the 2014 Verizon Data Breach Investigations Report, weak software is the #1 attack vector; security spending by category (Network ~$20B, Host ~$10B, Data ~$5B, People ~$4B, Software ~$0.5B; source: normalized numbers from IDC, Gartner, The 451 Group); software security gets the least $ but the most attacker focus, and within software the dollars go to written-code scanning for the 10% written, not to the ~90% assembled from 3rd party & open source components.]

3) PARETO PRINCIPLE 2.0? (THE “90/10” RULE): LOW EFFORT AND BIG GAINS

HOW MUCH CODE DO WE "WRITE" THESE DAYS?

[Chart: Software Evolution, share of an application that is written vs. assembled over time; today ~90% assembled, ~10% written]

[Defensible-software pyramid repeated from above: Defensible Infrastructure, Operational Excellence, Situational Awareness, Counter-measures. Most impact comes from buying/building defensible software, the software & hardware we build, buy, and deploy, 90% of which is assembled from 3rd party & open source.]

4) YOU USE A SOFTWARE SUPPLY CHAIN. HOW WELL DO YOU MANAGE IT?

Supply Chain Management

[Diagram: stages of the software supply chain, each with its own optimization and monitoring]
SUPPLIER -> SUPPLY -> SELECTION (Projects, Components, Component Version) -> INTEGRATION (Application Platforms & Tools) -> DELIVERY -> OPTIMIZATION (MONITORING)

[Table: who must discover, repair, become aware and recover when a "part" turns out to be defective, by analogy with an automotive recall]

"Part"            Compound Project      Consumer
Discovery/Repair  Discovery/Repair      Aware/Recovery
Airbag            Car X                 Mary's GM
Struts            Bank of America       Sally, Bank Customer
Struts            IBM WebSphere         Bank of America…
Bouncy Castle     20,000 Applications   x ??? Users

TRUE COSTS & LEAST COST AVOIDERS: DOWNSTREAM

[Diagram: one upstream supplier (ACME) whose component fans out into many downstream consumers: Enterprise, Bank, Retail, Manufacturing, BioPharma, Education, High Tech, repeated across every tier. The cost of a defect is paid downstream many times over; the party that can avoid it most cheaply sits upstream.]

[Diagram: a defective Part (Bolt), e.g. Struts 2, is built into Compound Parts (Foo_0 … Foo_11), which are built into Products, e.g. IBM WebSphere, which reach End Consumers, e.g. CIGNA and X.com. Each tier must do its own Discovery and Repair; end consumers must become Aware and Recover.]

COMMERCIAL RESPONSES TO OPENSSL

[Chart: X axis: time (days) following initial Heartbleed disclosure and patch availability; Y axis: number of products included in the vendor vulnerability disclosure; Z axis (circle size): exposure as measured by the CVE CVSS score]

5) EMPOWER YOUR DEVELOPERS. THEY’RE YOUR FRONT LINE DEFENSE.

How can we choose the best components FROM THE START?

Shift Upstream = ZTTR (Zero Time to Remediation)
Analyze all components from within your IDE
License, Security and Architecture data for each component, evaluated against your policy

6) MANUAL POLICIES JUST DON’T WORK IN A SECURE DEVELOPMENT LIFECYCLE.

If you're not using secure COMPONENTS you're not building secure APPLICATIONS.

[Diagram: policy enforcement points across the lifecycle: Component Selection -> Development -> Build and Deploy -> Production]

Today's approaches AREN'T WORKING:
46m vulnerable components downloaded
71% of apps have 1+ critical or severe vulnerability
90% of repositories have 1+ critical vulnerability

7) AGILE DEVELOPMENT REQUIRES AGILE SECURITY.

RUGGED DEVOPS AND GENE'S "THREE WAYS"

1) Systems Thinking
2) Amplify Feedback Loops
3) Culture of Continuous Experimentation & Learning

ADOPT A "DEVSECOPS" MINDSET

[Diagram: a lifecycle loop of Requirements -> Build/Assemble -> Test -> Deploy, fed by Policies, Models, Templates and by IT Operations Intelligence and Security Intelligence; security activities wrap the loop: Predict Issues, Prevent Issues, Detect Issues, Remediate/Change, all driven by Monitoring and Analytics]
Source: Neil MacDonald, Gartner

THE ADAPTIVE SECURITY ARCHITECTURE

[Diagram: four quadrants around Continuous Monitoring and Analytics]
Predict: Proactive Exposure Assessment; Predict Attacks; Baseline Systems
Prevent: Harden and Isolate Systems; Divert Attackers; Prevent Incidents
Detect: Detect Incidents; Confirm and Prioritize; Contain Incidents
Respond: Remediate/Make Change; Design/Model Change; Investigate/Forensics
Source: Neil MacDonald, Gartner

1. AS OPEN SOURCE USAGE EXPANDS, SO DO THE RISKS

2. SECURITY BUDGETS ARE OUT OF SYNC WITH RISK AND REALITY

3. PARETO PRINCIPLE 2.0? (THE “90/10” RULE): LOW EFFORT AND BIG GAINS

4. YOU USE A SOFTWARE SUPPLY CHAIN. HOW WELL DO YOU MANAGE IT?

5. EMPOWER YOUR DEVELOPERS. THEY’RE YOUR FRONT LINE DEFENSE

6. MANUAL POLICIES JUST DON’T WORK IN A SECURE DEVELOPMENT LIFECYCLE

7. AGILE DEVELOPMENT REQUIRES AGILE SECURITY

“Sonatype presents a rare opportunity to do something concrete in the application security space. One of the 1st tools that comes close to remediation not just scan results and recommendations.” -- Wendy Nather

https://www.usenix.org/system/files/login/articles/15_geer_0.pdf

CAN YOU ANSWER THESE 3 QUESTIONS?
1. What open source components do you use?
2. Where?
3. Are there known vulnerabilities?

Announcing a NEW BREED of Application Security: Open Source + Static + Dynamic

AVAILABLE TODAY IN FORTIFY ON DEMAND

SONATYPE OPEN SOURCE VISIBILITY REPORT PROVIDES:

• Summary: The number of components analyzed, including security issues and licenses used
• Bill of Materials: A complete list of the components used in your application
• Security Analysis: Known security threats by vulnerability and severity level
• Quality Analysis: Details component age, fingerprint verification & adherence to policies
• License Analysis: License descriptors for every component & license implication for your application

FULLY ENABLED:

Sonatype materials are available in the FoD Help Center, where the customer accesses the PDF report.

http://www.sonatype.com/fortify/report : detailed walk-thru of the Open Source Visibility Report.

http://www.sonatype.com/fortify : more about Sonatype and HP Fortify on Demand; download the product brief, FAQ and more.

FULLY EXPLAINED: SONATYPE'S FULL CLM OFFERING (SONATYPE CLM)

Developer friendly: makes it easy to find and fix problems early.
Visibility and control: automated and integrated policy enforcement throughout the software lifecycle.
Proactive and ongoing for continued trust.

HOW TO LEARN MORE…

Visit Sonatype’s Booth Visit http://www.sonatype.com/fortify

Contact Sonatype, Fortify@sonatype.com Contact Fortify on Demand, FODSales@hp.com

THANK YOU

@JOSHCORMAN @SONATYPE

Session BB3168, Speaker: Joshua Corman