© Copyright 2014 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.
7 Security Gaps in the "Neglected 90%" of Your Applications 3rd Party & Open Source Software Supply Chain Risks
Joshua Corman, Sonatype CTO · 9 Sep 2014 – HP Connect – Washington, DC
SW SUPPLY CHAIN IN CONTEXT OF CYBERSECURITY BIG PICTURE
KEY QUESTIONS
Where are Attackers most focused? Where are Defenders most focused? Which Activities have the most security impact?
-2014 Verizon Data Breach Investigations Report
MOST ATTACKED: WEAK SOFTWARE IS #1 ATTACK VECTOR
Security spending by category (source: normalized spending numbers from IDC, Gartner, The 451 Group; groupings vary):

  Network Security   ~$20B
  Host Security      ~$10B
  Data Security      ~$5B
  People Security    ~$4B
  Software Security  ~$0.5B

LEAST SPENDING/PRIORITY: WEAK SOFTWARE
Software Security gets LEAST $ but MOST attacker focus.
Worse, within Software, existing dollars go to the 10% that is written (written-code scanning); the assembled 3rd party & open source components that make up ~90% of most applications get almost no spending.
MOST IMPACT: BUY/BUILD DEFENSIBLE SOFTWARE
[Pyramid, @joshcorman @451wendy, base to top: Defensible Infrastructure, Operational Excellence, Situational Awareness, Counter-measures]
Defensible Infrastructure is the software & hardware we build, buy, and deploy. 90% of software is assembled from 3rd party & Open Source; 10% is written.
IS IT OPEN SEASON ON OPEN SOURCE?
Now that software is
ASSEMBLED… Our shared value becomes
our shared attack surface
THINK LIKE AN ATTACKER
One risky component, now affects thousands of victims
ONE EASY TARGET
THINK LIKE AN ATTACKER
BEYOND HEARTBLEED: OPENSSL IN 2014 (17 IN NIST'S NVD THRU JULY 25)

  CVE ID           NVD date    CVSS v2 severity   Note
  CVE-2014-3470    6/5/2014    4.3 MEDIUM         Siemens *
  CVE-2014-0224    6/5/2014    6.8 MEDIUM         Siemens *
  CVE-2014-0221    6/5/2014    4.3 MEDIUM
  CVE-2014-0195    6/5/2014    6.8 MEDIUM
  CVE-2014-0198    5/6/2014    4.3 MEDIUM         Siemens *
  CVE-2013-7373    4/29/2014   7.5 HIGH
  CVE-2014-2734    4/24/2014   5.8 MEDIUM         ** DISPUTED **
  CVE-2014-0139    4/15/2014   5.8 MEDIUM
  CVE-2010-5298    4/14/2014   4.0 MEDIUM
  CVE-2014-0160    4/7/2014    5.0 MEDIUM         Heartbleed
  CVE-2014-0076    3/25/2014   4.3 MEDIUM
  CVE-2014-0016    3/24/2014   4.3 MEDIUM
  CVE-2014-0017    3/14/2014   1.9 LOW
  CVE-2014-2234    3/5/2014    6.4 MEDIUM
  CVE-2013-7295    1/17/2014   4.0 MEDIUM
  CVE-2013-4353    1/8/2014    4.3 MEDIUM
  CVE-2013-6450    1/1/2014    5.8 MEDIUM

As of today, internet scans by MassScan reveal that 300,000 of the original 600,000 Heartbleed-vulnerable hosts remain unpatched or unpatchable.
OPEN SOURCE USAGE IS EXPLODING
[Chart: requests in millions per year, 2001–2013 (y axis 0 to 8,000); 13 Billion Requests in 2013. Growth drivers: Mobile, Cloud, Web Apps, Big Data. Component Usage Has Exploded.]
TRUE? W/ MANY EYEBALLS, ALL BUGS ARE SHALLOW? E.G. STRUTS
STRUTS: Global Bank, Software Provider, Software Provider's Customer, State University, Three-Letter Agency, Large Financial Exchange, Hundreds of Other Sites
[Chart: Apache Struts CVEs plotted by year (2005–2014) against CVSS score (1.0–10.0), annotated "Latent 7-11 yrs". CVEs plotted: CVE-2005-3745; CVE-2006-1546, CVE-2006-1547, CVE-2006-1548; CVE-2008-6504, CVE-2008-6505, CVE-2008-2025, CVE-2007-6726, CVE-2008-6682; CVE-2010-1870; CVE-2011-2087, CVE-2011-1772, CVE-2011-2088, CVE-2011-5057; CVE-2012-0392, CVE-2012-0391, CVE-2012-0393, CVE-2012-0394, CVE-2012-1006, CVE-2012-1007, CVE-2012-0838, CVE-2012-4386, CVE-2012-4387; CVE-2013-1966, CVE-2013-2115, CVE-2013-1965, CVE-2013-2134, CVE-2013-2135, CVE-2013-2248, CVE-2013-2251, CVE-2013-4316, CVE-2013-4310, CVE-2013-6348; CVE-2014-0094.]
BOUNCY CASTLE
In 2013, 4,000 organizations downloaded a version of Bouncy Castle with a level 10 vulnerability 20,000 times, more than five years after the vulnerability was fixed.
NATIONAL CYBER AWARENESS SYSTEM, Original Release Date: 03/30/2009. CVE-2007-6721, Bouncy Castle Java Cryptography API. CVSS v2 Base Score: 10.0 HIGH (Impact Subscore: 10.0, Exploitability Subscore: 10.0)

HTTPCLIENT 3.X
In December 2013, 6,916 different organizations downloaded a version of HttpClient with broken SSL validation (CVE-2012-5783) 66,824 times, more than one year after the alert.
NATIONAL CYBER AWARENESS SYSTEM, Original Release Date: 11/04/2012. CVE-2012-5783, Apache Commons HttpClient 3.x. CVSS v2 Base Score: 5.8 MEDIUM (Impact Subscore: 4.9, Exploitability Subscore: 8.6)
THE REAL IMPLICATIONS OF HEARTBLEED
HEARTBLEED + (UNPATCHABLE) INTERNET OF THINGS == ___ ?
In Our Bodies In Our Homes
In Our Infrastructure In Our Cars
IS IT TIME FOR A SOFTWARE SUPPLY CHAIN?
ELEGANT PROCUREMENT TRIO
1) Ingredients: Anything sold to $PROCURING_ENTITY must provide a Bill of Materials of 3rd Party and Open Source Components (along with their Versions)
2) Hygiene & Avoidable Risk: …and cannot use known vulnerable components for which a less vulnerable component is available (without a written and compelling justification accepted by $PROCURING_ENTITY)
3) Remediation: …and must be patchable/updateable, as new vulnerabilities will inevitably be revealed
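The three clauses above are mechanically checkable once a supplier hands over a bill of materials. The script below is an added example written for this page, not Sonatype's or HP's code: it takes a BOM of Maven coordinates, checks each component against a small vulnerability list, and applies the trio as rules (reject a BOM entry without a version; reject a known-vulnerable component when a fixed version or an unaffected replacement exists, unless a written justification is on file; accept with risk only when nothing better exists; reject an unpatchable product outright). The BOM is constructed, and the affected ranges and remedies in VULN_DB are assumptions for illustration, using the CVE ids the deck cites; verify them against NVD and the project advisories before relying on them.

```python
"""Procurement-trio policy check over a component bill of materials (added example)."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass
class Vuln:
    cve: str
    cvss: float
    fixed_in: Optional[str]     # first version of this component line that is not affected (None: whole line affected)
    replacement: Optional[str]  # unaffected alternative component, as group:artifact:version (None: nothing better exists)


# ASSUMED affected ranges and remedies, for illustration only. The CVE ids are the ones the
# deck cites; the version boundaries below are not taken from NVD and must be checked.
VULN_DB: Dict[str, List[Vuln]] = {
    "org.bouncycastle:bcprov-jdk15": [Vuln("CVE-2007-6721", 10.0, "1.38", None)],
    "commons-httpclient:commons-httpclient": [
        Vuln("CVE-2012-5783", 5.8, None, "org.apache.httpcomponents:httpclient:4.2.3")],
    "org.apache.struts:struts2-core": [Vuln("CVE-2014-0094", 5.0, "2.3.16.1", None)],
}

# Constructed BOM, as a supplier might deliver it: (group:artifact, version) pairs.
SUPPLIER_BOM: List[Tuple[str, str]] = [
    ("org.bouncycastle:bcprov-jdk15", "1.34"),
    ("commons-httpclient:commons-httpclient", "3.1"),
    ("org.apache.struts:struts2-core", "2.3.16.1"),
    ("org.slf4j:slf4j-api", "1.7.7"),
]


def parse_version(v: str) -> Tuple[int, ...]:
    """'2.3.16.1' -> (2, 3, 16, 1); a non-numeric tail such as '1.2-beta' compares as (1, 2)."""
    parts = []
    for piece in v.split("."):
        digits = ""
        for ch in piece:
            if not ch.isdigit():
                break
            digits += ch
        parts.append(int(digits) if digits else 0)
    return tuple(parts)


def is_affected(version: str, vuln: Vuln) -> bool:
    """Affected when the line has no fixed release, or the shipped version predates the fix."""
    if vuln.fixed_in is None:
        return True
    return parse_version(version) < parse_version(vuln.fixed_in)


def evaluate(bom, justifications=None, updatable=True):
    """Apply the three procurement clauses to a BOM.

    Returns (verdict, findings). Each finding is (status, component, detail) with status
    REJECT, WAIVED or ACCEPT_WITH_RISK. `justifications` maps a CVE id to the written
    justification $PROCURING_ENTITY accepted; `updatable` records whether the delivered
    product can be patched/updated in the field (clause 3).
    """
    justifications = justifications or {}
    findings = []
    for entry in bom:
        # Clause 1, ingredients: every component must be listed with its version.
        if len(entry) != 2 or not entry[0] or not entry[1]:
            findings.append(("REJECT", entry[0] if entry else "?", "ingredients: component must be listed with its version"))
            continue
        coord, version = entry
        # Clause 2, hygiene: known-vulnerable components only when nothing less vulnerable exists.
        for v in VULN_DB.get(coord, []):
            if not is_affected(version, v):
                continue
            if v.fixed_in:
                remedy = f"upgrade to {coord}:{v.fixed_in}"
            elif v.replacement:
                remedy = f"replace with {v.replacement}"
            else:
                remedy = None
            if remedy is None:
                findings.append(("ACCEPT_WITH_RISK", coord, f"{v.cve} (CVSS {v.cvss}): no less vulnerable component available"))
            elif v.cve in justifications:
                findings.append(("WAIVED", coord, f"{v.cve}: {justifications[v.cve]}"))
            else:
                findings.append(("REJECT", coord, f"{v.cve} (CVSS {v.cvss}) in {version}: {remedy}"))
    # Clause 3, remediation: the product must be patchable/updatable.
    if not updatable:
        findings.append(("REJECT", "*", "remediation: product must be patchable/updatable"))
    verdict = "REJECT" if any(f[0] == "REJECT" for f in findings) else "ACCEPT"
    return verdict, findings


if __name__ == "__main__":
    verdict, findings = evaluate(SUPPLIER_BOM)
    print(verdict)
    for status, component, detail in findings:
        print(f"  {status:17} {component}: {detail}")
```

Running it on the constructed BOM rejects the delivery twice (the old Bouncy Castle provider has a fixed release, the HttpClient 3.x line has an unaffected replacement) while letting Struts 2.3.16.1 through because it is not inside the assumed affected range; a waiver for CVE-2012-5783 turns that finding into WAIVED, and `updatable=False` rejects the whole product regardless of its components.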
PROCUREMENT TRIO + BOUNCY CASTLE
(The Bouncy Castle CVE-2007-6721 example above, re-read against the three procurement clauses.)
1) AS OPEN SOURCE USAGE EXPANDS, SO DO THE RISKS
OPEN SOURCE USAGE IS EXPLODING
[Chart repeated from above: requests in millions per year, 2001–2013; 13 Billion Requests in 2013. Growth drivers: Mobile, Cloud, Web Apps, Big Data. Component Usage Has Exploded.]
2) SECURITY BUDGETS ARE OUT OF SYNC WITH RISK AND REALITY
-2014 Verizon Data Breach Investigations Report
MOST ATTACKED: WEAK SOFTWARE IS #1 ATTACK VECTOR
LEAST SPENDING/PRIORITY: WEAK SW
[Spending chart repeated from above (source: normalized spending numbers from IDC, Gartner, The 451 Group; groupings vary): Network Security ~$20B, Host Security ~$10B, Data Security ~$5B, People Security ~$4B, Software Security ~$0.5B. Within Software, existing dollars go to written-code scanning of the 10% written, while the assembled 3rd party & open source components that make up ~90% of most applications get almost no spending.]
Software Security gets LEAST $ but MOST attacker focus.
3) PARETO PRINCIPLE 2.0? (THE “90/10” RULE): LOW EFFORT AND BIG GAINS
HOW MUCH CODE DO WE "WRITE" THESE DAYS?
[Chart: Software Evolution; the written share of an application shrinks over time while the assembled share grows to ~90% today.]
MOST IMPACT: BUY/BUILD DEFENSIBLE SOFTWARE
[Pyramid repeated from above, @joshcorman @451wendy: Defensible Infrastructure, Operational Excellence, Situational Awareness, Counter-measures. Defensible Infrastructure is the software & hardware we build, buy, and deploy; 90% of software is assembled from 3rd party & Open Source, 10% is written.]
4) YOU USE A SOFTWARE SUPPLY CHAIN. HOW WELL DO YOU MANAGE IT?
[Diagram: Supply Chain Management. Supplier → Supply (Projects) → Selection (Components) → Integration (Component Version) → Delivery (Application) → Optimization (Monitoring), running on top of Application Platforms & Tools.]
Who has to discover and repair a bad part, and who can only become aware and recover (airbag analogy):

  "Part"                  Compound Project        Consumer
  (Discovery, Repair)     (Discovery, Repair)     (Aware, Recovery)
  Airbag                  Car X                   Mary's GM
  Struts                  Bank of America         Sally, Bank Customer
  Struts                  IBM WebSphere           Bank of America…
  Bouncy Castle           20,000 Applications     x ??? Users
TRUE COSTS & LEAST COST AVOIDERS: DOWNSTREAM
[Diagram: one vulnerable part (a bolt; e.g. Struts 2) flows into compound parts (Foo_0 … Foo_11), into products (e.g. IBM WebSphere), and on to end consumers (e.g. CIGNA, X.com; ACME across Enterprise, Bank, Retail, Manufacturing, BioPharma, Education, High Tech). Discovery and repair happen at the part, compound-part and product tiers; the end consumer can only become aware and recover, and the same defect is repeated at every node downstream.]
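The diagram's point, that one part repaired upstream saves a repair at every node downstream, can be made concrete with a small containment graph. The script below is an added example written for this page, not Sonatype's or HP's code. The edges ("X is built into Y") are constructed from the deck's airbag analogy and its Struts / IBM WebSphere / Bank of America / Bouncy Castle examples, with made-up product and consumer names where the slides show only counts; it is an illustration of the analysis, not an inventory of who really ships what.

```python
"""Blast radius of one vulnerable part across supply-chain tiers (added example)."""
from collections import deque
from typing import Dict, List, Set

# Constructed containment edges: key is built into each value. Names follow the deck's
# examples; the "App i" products and every consumer name are invented placeholders.
CONTAINS: Dict[str, List[str]] = {
    "Airbag": ["Car X"],
    "Car X": ["Mary's GM"],
    "Struts": ["Bank of America app", "IBM WebSphere"],
    "IBM WebSphere": ["Bank of America app", "CIGNA portal", "X.com"],
    "Bank of America app": ["Sally, bank customer"],
    "CIGNA portal": ["CIGNA members"],
    "X.com": ["X.com users"],
    "Bouncy Castle": [f"App {i}" for i in range(12)],
}
for _i in range(12):
    CONTAINS[f"App {_i}"] = [f"App {_i} users"]

# Explicit tiers for the named nodes; anything else that ships something is a product,
# and anything that ships nothing further is an end consumer.
TIER: Dict[str, str] = {
    "Airbag": "part", "Struts": "part", "Bouncy Castle": "part",
    "IBM WebSphere": "compound",
    "Car X": "product", "Bank of America app": "product", "CIGNA portal": "product", "X.com": "product",
}


def tier(node: str) -> str:
    return TIER.get(node, "product" if node in CONTAINS else "consumer")


def downstream(part: str) -> Dict[str, int]:
    """Every node reachable from `part`, mapped to its hop count along the shortest path (BFS)."""
    dist = {part: 0}
    queue = deque([part])
    while queue:
        node = queue.popleft()
        for child in CONTAINS.get(node, []):
            if child not in dist:
                dist[child] = dist[node] + 1
                queue.append(child)
    return dist


def repair_sites(part: str) -> Dict[str, Set[str]]:
    """Affected nodes grouped by tier: the set of places a fix must land if applied at that tier."""
    groups: Dict[str, Set[str]] = {}
    for node in downstream(part):
        groups.setdefault(tier(node), set()).add(node)
    return groups


def repair_counts(part: str) -> Dict[str, int]:
    """How many separate discover-and-repair (or aware-and-recover) events each tier would need."""
    return {t: len(nodes) for t, nodes in repair_sites(part).items()}


def least_cost_avoider(part: str) -> str:
    """The tier that can repair with the fewest distinct fixes; ties go to the most upstream tier.
    Consumers are excluded: they can only become aware and recover, not repair."""
    sites = repair_sites(part)
    candidates = [t for t in ("part", "compound", "product") if t in sites]
    return min(candidates, key=lambda t: (len(sites[t]), candidates.index(t)))


if __name__ == "__main__":
    for part in ("Airbag", "Struts", "Bouncy Castle"):
        print(part, repair_counts(part), "-> least-cost avoider:", least_cost_avoider(part))
```

For Struts the counts come out as one part, one compound (WebSphere), three products and three consumer populations; for the Bouncy Castle case it is one part against twelve products and twelve user populations. The least-cost avoider is the part tier every time, which is the deck's argument for putting the discovery-and-repair budget upstream rather than at each downstream product.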
COMMERCIAL RESPONSES TO OPENSSL
[Bubble chart. X axis: time (days) following initial Heartbleed disclosure and patch availability. Y axis: number of products included in the vendor vulnerability disclosure. Z axis (circle size): exposure as measured by the CVE CVSS score.]
5) EMPOWER YOUR DEVELOPERS. THEY’RE YOUR FRONT LINE DEFENSE.
How can we choose the best components FROM THE START?
Shift Upstream = ZTTR (Zero Time to Remediation): analyze all components from within your IDE, with license, security and architecture data for each component evaluated against your policy.
@joshcorman @451wendy
6) MANUAL POLICIES JUST DON’T WORK IN A SECURE DEVELOPMENT LIFECYCLE.
If you're not using secure COMPONENTS you're not building secure APPLICATIONS.
[Lifecycle: Component Selection → Development → Build and Deploy → Production]
Today's approaches AREN'T WORKING:
! 46m vulnerable components downloaded
! 71% of apps have 1+ critical or severe vulnerability
! 90% of repositories have 1+ critical vulnerability
7) AGILE DEVELOPMENT REQUIRES AGILE SECURITY.
RUGGED DEVOPS AND GENE'S "THREE WAYS"
1) Systems Thinking 2) Amplify Feedback Loops 3) Culture of Continuous Experimentation & Learning

ADOPT A "DEVSECOPS" MINDSET
[Diagram, source: Neil MacDonald, Gartner. Pipeline: Requirements → Build/Assemble → Test → Deploy, driven by Policies, Models, Templates and fed by IT Operations Intelligence and Security Intelligence plus Monitoring and Analytics; the loop runs Predict Issues, Prevent Issues, Detect Issues, Remediate/Change.]

THE ADAPTIVE SECURITY ARCHITECTURE (source: Neil MacDonald, Gartner)
Continuous Monitoring and Analytics at the center of four phases:
  Predict: Proactive Exposure Assessment; Predict Attacks; Baseline Systems
  Prevent: Harden and Isolate Systems; Divert Attackers; Prevent Incidents
  Detect: Detect Incidents; Confirm and Prioritize; Contain Incidents
  Respond: Remediate/Make Change; Design/Model Change; Investigate/Forensics
1. AS OPEN SOURCE USAGE EXPANDS, SO DO THE RISKS
2. SECURITY BUDGETS ARE OUT OF SYNC WITH RISK AND REALITY
3. PARETO PRINCIPLE 2.0? (THE “90/10” RULE): LOW EFFORT AND BIG GAINS
4. YOU USE A SOFTWARE SUPPLY CHAIN. HOW WELL DO YOU MANAGE IT?
5. EMPOWER YOUR DEVELOPERS. THEY’RE YOUR FRONT LINE DEFENSE
6. MANUAL POLICIES JUST DON’T WORK IN A SECURE DEVELOPMENT LIFECYCLE
7. AGILE DEVELOPMENT REQUIRES AGILE SECURITY
“Sonatype presents a rare opportunity to do something concrete in the application security space. One of the 1st tools that comes close to remediation not just scan results and recommendations.” -- Wendy Nather
https://www.usenix.org/system/files/login/articles/15_geer_0.pdf
CAN YOU ANSWER THESE 3 QUESTIONS? 1. What open source components do you use? 2. Where? 3. Are there known vulnerabilities?
Announcing a NEW BREED of Application Security: Open Source + Static + Dynamic
AVAILABLE TODAY IN FORTIFY ON DEMAND

SONATYPE OPEN SOURCE VISIBILITY REPORT PROVIDES:
• Summary: The number of components analyzed, including security issues and licenses used
• Bill of Materials: A complete list of the components used in your application
• Security Analysis: Known security threats by vulnerability and severity level
• Quality Analysis: Details component age, fingerprint verification & adherence to policies
• License Analysis: License descriptors for every component & license implication for your application

FULLY ENABLED: Sonatype materials are available in the FoD Help Center, which lists the Sonatype-published report; the customer accesses the PDF report there.
FULLY EXPLAINED:
http://www.sonatype.com/fortify/report – visit this page for a detailed walk-thru of the Open Source Visibility Report.
http://www.sonatype.com/fortify – visit this page to find out more about Sonatype and HP Fortify on Demand; download the product brief, FAQ and more.

SONATYPE'S FULL CLM OFFERING (SONATYPE CLM)
Developer friendly – makes it easy to find and fix problems early.
Visibility and control – automated and integrated policy enforcement throughout the software lifecycle.
Proactive and ongoing for continued trust.

HOW TO LEARN MORE…
Visit Sonatype's Booth. Visit http://www.sonatype.com/fortify
Contact Sonatype, [email protected]. Contact Fortify on Demand, [email protected]

THANK YOU
@JOSHCORMAN @SONATYPE
Session BB3168 Speakers Joshua Corman