Lessons Learned From Heartbleed, Struts, and The Neglected 90%


Transcript of Lessons Learned From Heartbleed, Struts, and The Neglected 90%

Page 1: Lessons Learned From Heartbleed, Struts, and The Neglected 90%

LESSONS LEARNED FROM HEARTBLEED, STRUTS, AND THE Neglected 90%

Wendy Nather, Security Research Director, 451 Research, @451wendy; Josh Corman, CTO, Sonatype, @joshcorman

Page 2: Lessons Learned From Heartbleed, Struts, and The Neglected 90%

FEATURED SPEAKERS

Wendy Nather, Security Research Director, 451 Research (@451wendy)
• CISO of Texas Education Agency
• Security Director, Swiss Bank Corp
• Co-author of ‘The Cloud Security Rules’

Joshua Corman, CTO, Sonatype (@joshcorman)
• Co-founder of Rugged Software
• Previously w/ Akamai & 451 Group
• Trusted Security Professional

https://451research.com/ http://www.sonatype.com/

Page 3: Lessons Learned From Heartbleed, Struts, and The Neglected 90%

STATE OF THE UNION

Page 4: Lessons Learned From Heartbleed, Struts, and The Neglected 90%

Web Apps are the Top Attack Surface

--- 2014 Verizon Data Breach Investigations Report

@joshcorman@451wendy

Page 5: Lessons Learned From Heartbleed, Struts, and The Neglected 90%

Spending and risk are out of sync: AppSec gets the LEAST $ but the MOST attacker focus.

Worse, within AppSec, existing dollars go to the 10% that is written.

Chart: spending vs. attack vs. risk by category
• Network Security ~$20B
• Host Security ~$10B
• Data Security ~$5B
• People Security ~$4B
• Application Security ~$0.5B (SAST/DAST on written code)
• Assembled 3rd Party & Open Source Components (~90% of most applications): almost no spending

Source: Normalized spending numbers from IDC, Gartner, The 451 Group; since groupings vary

Page 6: Lessons Learned From Heartbleed, Struts, and The Neglected 90%

Spending and risk are OUT OF SYNC

Diagram: DEPENDENCE vs. CURRENT SPENDING, by layer
• Presentation Layer, Business Logic
• Component Layer (3rd Party & Open Source)
• Database, OS, Firmware, Network

Page 7: Lessons Learned From Heartbleed, Struts, and The Neglected 90%

Application Security Technology Roadmap

Q. What is your status of implementation for this technology? n=198-205. Source: 451 Research Information Security – Wave 16

Technologies surveyed:
• Multifactor Authentication for Web-based Applications
• Application Security Testing – External Interface Fuzzing or Testing Vulnerability Assessment
• Database Security
• Application Security Testing – Code or Binary Analysis-based Vulnerability Assessment
• Web Application Firewall (WAF)

Legend: In Use Now (Not Including Pilots) | In Pilot/Evaluation (Budget Has Already Been Allocated) | In Near-term Plan (In Next 6 Months) | In Long-term Plan (6-18 Months) | Past Long-term Plan (Later Than 18 Months Out) | Not in Plan | Don't Know

[Stacked bar chart. Across the five technologies, "In Use Now" runs 32%–40% and "Not in Plan" 47%–58%; every planning category is in the low single digits.]

Page 8: Lessons Learned From Heartbleed, Struts, and The Neglected 90%

2013 vs. 2012 Spending Change for Application Security Technologies

Q. How will your spending on this technology change in 2013 as compared to 2012? n=45-201. Data from respondents not using the technology or that don't know about spending are hidden.

Source: 451 Research Information Security – Wave 16

Technologies surveyed:
• Database Security
• Multifactor Authentication for Web-based Applications
• Application Security Testing – External Interface Fuzzing or Testing Vulnerability Assessment
• Web Application Firewall (WAF)
• Application Security Testing – Code or Binary Analysis-based Vulnerability Assessment

Legend: Less Spending | About the Same | More Spending

[Bar chart. "About the Same" 70%–77%, "More Spending" 16%–24%, "Less Spending" no more than 1% for any of the five technologies.]

Page 9: Lessons Learned From Heartbleed, Struts, and The Neglected 90%

2014 vs. 2013 Spending Change for Application Security Technologies

Q. How will your spending on this technology change in 2014 as compared to 2013? n=45-201. Data from respondents not using the technology or that don't know about spending are hidden. Source: 451 Research Information Security – Wave 16

Technologies surveyed:
• Application Security Testing – External Interface Fuzzing or Testing Vulnerability Assessment
• Multifactor Authentication for Web-based Applications
• Database Security
• Web Application Firewall (WAF)
• Application Security Testing – Code or Binary Analysis-based Vulnerability Assessment

Legend: Less Spending | About the Same | More Spending

[Bar chart. "About the Same" 58%–70%, "More Spending" 21%–34%, "Less Spending" 1%–3%: the share planning to spend more on application security testing grew from the previous year's survey.]

Page 10: Lessons Learned From Heartbleed, Struts, and The Neglected 90%

2014 vs. 2013 Spending Change for Information Security Technologies

Q. How will your spending on this technology change in 2014 as compared to 2013? n=45-201. Data from respondents not using the technology or that don't know about spending are hidden. Source: 451 Research Information Security – Wave 16

Technologies surveyed (in chart order): Anti-spam/Email Security; Patch Management; Penetration Testing; Anti-spyware; Hard Drive Encryption; Laptop Encryption; Anti-virus; Host Intrusion Detection and/or Prevention (HIDS/HIPS); Secure File Transfer; Computer Forensics; Email/Messaging Archiving/Compliance; Vulnerability/Risk Assessment/Scanning (of Infrastructure); File Integrity Monitoring; SSL VPNs; Secure Instant Messaging; Email Encryption; Application Security Testing – External Interface Fuzzing or Testing Vulnerability Assessment; Key Management and/or Public Key Infrastructure; Web Content Filtering; Threat Intelligence; Two-factor (Strong) Authentication for Infrastructure (e.g., …); Single Sign-on; IT Security Training/Education/Awareness; Anti-botnet; Multifactor Authentication for Web-based Applications; Information or Digital Rights Management; Database Security; Advanced Anti-malware Response; Managed Security Service Provider (MSSP); Policy and Configuration Management; Tokenization; Web Application Firewall (WAF); IT GRC (Governance, Risk, Compliance); Network Data-loss Prevention Solutions; Application Security Testing – Code or Binary Analysis-based Vulnerability Assessment; Mobile Device Security (Not MDM); Network Intrusion Detection and/or Prevention (NIDS/NIPS); Network Firewalls; Event Log Management System; Virtualization Security; Application-aware Firewall; Identity Management; Unified Threat Management (UTM); Endpoint Data-loss Prevention Solutions; Network Access Control (NAC); Cloud Security; Security Information Event Management (SIEM); Mobile Device Management

Legend: Less Spending | About the Same | More Spending

[Bar chart of 48 technologies. "More Spending" ranges from 7% at the top of the list to 46% at the bottom; "About the Same" ranges from the low 80s down to the 30s–40s; "Less Spending" stays between 1% and 13%.]


Page 12: Lessons Learned From Heartbleed, Struts, and The Neglected 90%

Below the Security Poverty Line …

• Little to no IT expertise
• More likely to use open source because it’s free
• No resources to monitor open source use or test it for vulnerabilities
• Disproportionately dependent on third party vendors
• Limited span of control
• Configuration and tuning decisions
• Architecture and strategy decisions
• Risk management
• Information asymmetry

Page 13: Lessons Learned From Heartbleed, Struts, and The Neglected 90%

What do we mean by the ‘Neglected 90%’?

[Diagram: 90% Assembled vs. Written]

Page 14: Lessons Learned From Heartbleed, Struts, and The Neglected 90%

Defensible Infrastructure

Operational Excellence

Situational Awareness

Counter-measures

What Security Approach Has the Most Impact?


Page 15: Lessons Learned From Heartbleed, Struts, and The Neglected 90%

IS IT OPEN SEASON ON OPEN SOURCE?

Page 16: Lessons Learned From Heartbleed, Struts, and The Neglected 90%

Now that software is 90%

ASSEMBLED…


Page 17: Lessons Learned From Heartbleed, Struts, and The Neglected 90%

One risky component, multiplied thousands of times:

ONE EASY TARGET

Page 18: Lessons Learned From Heartbleed, Struts, and The Neglected 90%

Global Bank

Software Provider

Software Provider’s Customer

State University

Three-Letter Agency

Large Financial Exchange

Hundreds of Other Sites

Page 19: Lessons Learned From Heartbleed, Struts, and The Neglected 90%

Is it true, with many eyeballs, all bugs are SHALLOW?

[Scatter chart: CVSS score (1.0–10.0) by year, 2005–2014, for the Apache Struts CVEs below]

CVE-2005-3745, CVE-2006-1546, CVE-2006-1547, CVE-2006-1548, CVE-2008-6504, CVE-2008-6505, CVE-2008-2025, CVE-2007-6726, CVE-2008-6682, CVE-2010-1870, CVE-2011-2087, CVE-2011-1772, CVE-2011-2088, CVE-2011-5057, CVE-2012-0392, CVE-2012-0391, CVE-2012-0393, CVE-2012-0394, CVE-2012-1006, CVE-2012-1007, CVE-2012-0838, CVE-2012-4386, CVE-2012-4387, CVE-2013-1966, CVE-2013-2115, CVE-2013-1965, CVE-2013-2134, CVE-2013-2135, CVE-2013-2248, CVE-2013-2251, CVE-2013-4316, CVE-2013-4310, CVE-2013-6348, CVE-2014-0094

Page 20: Lessons Learned From Heartbleed, Struts, and The Neglected 90%

In 2013, 4,000 organizations downloaded a version of Bouncy Castle with a level 10 vulnerability 20,000 TIMES … MORE THAN FIVE YEARS after the vulnerability was fixed

NATIONAL CYBER AWARENESS SYSTEM
Original Release Date: 03/30/2009
CVE-2007-6721 Bouncy Castle Java Cryptography API
CVSS v2 Base Score: 10.0 HIGH
Impact Subscore: 10.0
Exploitability Subscore: 10.0

Page 21: Lessons Learned From Heartbleed, Struts, and The Neglected 90%

In December 2013, 6,916 DIFFERENT organizations downloaded a version of HttpClient with broken SSL validation (CVE-2012-5783) 66,824 TIMES … more than ONE YEAR AFTER THE ALERT

NATIONAL CYBER AWARENESS SYSTEM
Original Release Date: 11/04/2012
CVE-2012-5783 Apache Commons HttpClient 3.x
CVSS v2 Base Score: 5.8 MEDIUM
Impact Subscore: 4.9
Exploitability Subscore: 8.6

Page 22: Lessons Learned From Heartbleed, Struts, and The Neglected 90%

THE REAL IMPLICATIONS OF HEARTBLEED

Page 23: Lessons Learned From Heartbleed, Struts, and The Neglected 90%

Heartbleed + Internet of Things = ?

In Our Bodies In Our Homes


Page 24: Lessons Learned From Heartbleed, Struts, and The Neglected 90%

IS IT TIME FOR A SOFTWARE SUPPLY CHAIN? (and /or software liability)

Page 25: Lessons Learned From Heartbleed, Struts, and The Neglected 90%

Supply Chain Management

[Diagram: SUPPLIER → SUPPLY → SELECTION → INTEGRATION → DELIVERY, spanning PROJECTS, COMPONENTS, COMPONENT VERSION and APPLICATION PLATFORMS & TOOLS, with OPTIMIZATION (MONITORING) across the whole chain]

Page 26: Lessons Learned From Heartbleed, Struts, and The Neglected 90%

If you’re not using secure COMPONENTS you’re not building secure APPLICATIONS

Lifecycle: Component Selection → Development → Build and Deploy → Production

Page 27: Lessons Learned From Heartbleed, Struts, and The Neglected 90%

Lifecycle: Component Selection → Development → Build and Deploy → Production

Today’s approaches AREN’T WORKING

• 46m vulnerable components downloaded
• 71% of apps have 1+ critical or severe vulnerability
• 90% of repositories have 1+ critical vulnerability

Page 28: Lessons Learned From Heartbleed, Struts, and The Neglected 90%

“Sonatype presents a rare opportunity to do something concrete in the application security space. One of the 1st tools that comes close to remediation not just scan results and recommendations.”

-- Wendy Nather


Page 29: Lessons Learned From Heartbleed, Struts, and The Neglected 90%

A NEW APPROACH

CURRENT METHODS            | SONATYPE CLM
Problem discovery          | Problem remediation
“Scan and scold”           | Empower developers
Source code scanning       | Component analysis
Approval-centric workflow  | Automated policy across lifecycle
Scans after development    | Policy enforcement throughout SLC

Page 30: Lessons Learned From Heartbleed, Struts, and The Neglected 90%

Don’t use vulnerable components. It’s an AVOIDABLE RISK

2013 Data Breach Investigations Report

“Some organizations will be a target REGARDLESS of what they do, but most become a target BECAUSE of what they do.”


Page 31: Lessons Learned From Heartbleed, Struts, and The Neglected 90%

How can we choose the best components

FROM THE START?

Shift Upstream = ZTTR (Zero Time to Remediation)

Analyze all components from within your IDE

License, Security and Architecture data for each component, evaluated against your policy
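The check the slides argue for, applied to the two advisories quoted on the Bouncy Castle and HttpClient pages, as an added example that is not from the deck and not Sonatype's own tooling: parse a Maven POM, resolve the declared versions, match each coordinate against an advisory list, and sort findings by a CVSS policy threshold so that the result can gate a build rather than produce a report after the fact. The advisory list, the sample POM, the `fixed_in` boundaries and all function names are constructed for illustration; only the CVE IDs and CVSS scores are the ones quoted in the slides.

```python
"""Policy check over a project's declared components (added illustration).

Parses a Maven pom.xml, resolves ${property} versions, matches each
dependency against a constructed advisory list and sorts findings into
"block" (CVSS at or above the policy threshold) and "warn".
"""
import re
import xml.etree.ElementTree as ET
from dataclasses import dataclass
from typing import Optional

POM_NS = {"m": "http://maven.apache.org/POM/4.0.0"}


@dataclass(frozen=True)
class Advisory:
    group: str
    artifact: str
    cve: str
    cvss: float
    fixed_in: Optional[str]  # first unaffected version; None = no fixed release in this artifact line


# Constructed advisory list. CVE IDs and CVSS scores are the ones quoted in the
# slides; the fixed_in boundaries are illustrative assumptions, not advisory data.
ADVISORIES = [
    Advisory("org.bouncycastle", "bcprov-jdk15", "CVE-2007-6721", 10.0, "1.38"),
    Advisory("commons-httpclient", "commons-httpclient", "CVE-2012-5783", 5.8, None),
]

# Constructed sample POM: one critical, one medium and one clean dependency.
SAMPLE_POM = """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <properties><bc.version>1.36</bc.version></properties>
  <dependencies>
    <dependency>
      <groupId>org.bouncycastle</groupId><artifactId>bcprov-jdk15</artifactId>
      <version>${bc.version}</version>
    </dependency>
    <dependency>
      <groupId>commons-httpclient</groupId><artifactId>commons-httpclient</artifactId>
      <version>3.1</version>
    </dependency>
    <dependency>
      <groupId>commons-lang</groupId><artifactId>commons-lang</artifactId>
      <version>2.6</version>
    </dependency>
  </dependencies>
</project>"""


def version_key(version: str) -> tuple:
    """Comparable key for dotted versions such as 2.3.16.1.
    Numeric parts compare numerically; a non-numeric part (e.g. 'beta') sorts
    below a numeric part in the same position. Adequate for a policy gate,
    not a full Maven version-ordering implementation."""
    return tuple((1, int(p)) if p.isdigit() else (0, p) for p in re.split(r"[.\-]", version))


def parse_pom(xml_text: str) -> list:
    """Return [(groupId, artifactId, version)] with ${property} references resolved."""
    root = ET.fromstring(xml_text)
    props = {el.tag.split("}")[-1]: (el.text or "").strip()
             for el in root.findall("m:properties/*", POM_NS)}
    deps = []
    for dep in root.findall("m:dependencies/m:dependency", POM_NS):
        group = dep.findtext("m:groupId", namespaces=POM_NS)
        artifact = dep.findtext("m:artifactId", namespaces=POM_NS)
        version = dep.findtext("m:version", default="", namespaces=POM_NS)
        version = re.sub(r"\$\{([^}]+)\}", lambda m: props.get(m.group(1), m.group(0)), version)
        deps.append((group, artifact, version))
    return deps


def is_affected(adv: Advisory, group: str, artifact: str, version: str) -> bool:
    """True when the coordinate matches the advisory and the version predates the fix."""
    if (group, artifact) != (adv.group, adv.artifact):
        return False
    if adv.fixed_in is None:
        return True
    return version_key(version) < version_key(adv.fixed_in)


def evaluate(deps: list, advisories=ADVISORIES, max_cvss: float = 7.0) -> dict:
    """Apply the policy: findings at or above max_cvss block the build, the rest warn."""
    result = {"block": [], "warn": []}
    for group, artifact, version in deps:
        for adv in advisories:
            if is_affected(adv, group, artifact, version):
                finding = (f"{group}:{artifact}:{version}", adv.cve, adv.cvss)
                result["block" if adv.cvss >= max_cvss else "warn"].append(finding)
    return result


if __name__ == "__main__":
    report = evaluate(parse_pom(SAMPLE_POM))
    for level in ("block", "warn"):
        for coordinate, cve, score in report[level]:
            print(f"{level.upper():5} {coordinate}  {cve}  CVSS {score}")
    raise SystemExit(1 if report["block"] else 0)
```

Run against the sample POM it blocks on the Bouncy Castle coordinate and warns on HttpClient; the non-zero exit status is what lets the same check sit in the IDE, the CI build and the release gate rather than only in a post-development scan.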


Page 32: Lessons Learned From Heartbleed, Struts, and The Neglected 90%

How do we prevent future bleeding hearts?

-- 3 step action plan


LEARN MORE

“The combination of growing component usage, coupled with lack of security, requires us to urgently re-evaluate traditional application security approaches.”

http://www.sonatype.com/clm/spotlight-on-heartbleed

www.sonatype.com/neglected90

Page 33: Lessons Learned From Heartbleed, Struts, and The Neglected 90%

LESSONS LEARNED FROM HEARTBLEED, STRUTS AND THE NEGLECTED 90%