Managing the Security Impactof Bundled Third-Party Software                     Tim Sammut               tsammut@cisco.com
About meCisco Security Research &   Gentoo Linux Security Team    ICASI Third-Party Software       Operations             ...
About you
Do you produce a product, service          or package?
Do you disclose vulnerabilities     to your customers?
Where is third-party software creating     security problems for you?
 Open Source Software vs. Third-Party SoftwareQuick Level Set    Do we even care about this stuff?                   Wh...
It is not our code, but it is our product!
The Challenges
 Which packages?                                                                 Which versions?                        ...
 Exposure expands in under-understood ways                                                                 Dependencies ...
 No naming scheme                                                                 Even authoritative names change       ...
 How are development teams choosing which TPS                                                                  is used?  ...
 No “Single Source of Truth”         Learning of Newly                                       Disclosure formats, vehicle...
 Do we wait for a new upstream release?                                                                 Do we upgrade? C...
 Who is responsible to fix the issue?                           External                               How quickly?     ...
What other challenges exist?Knowing Where TPS is   Understanding   Inconsistent Package     Unmanageable         Learning ...
The “Solutions”
Absolutely critical and foundational                                                                                      ...
Creates tremendous efficiencies                                                                               throughout t...
Must produce a consistent vulnerability                                                                            feed fo...
Key to understanding todays impact                                                                                 and the...
Support and require the equivalent of                                                                                  int...
Questions?             It is not our code, but it is our product!
Thank you.tsammut@cisco.com
Upcoming SlideShare
Loading in …5
×

Managing the Security Impact of Bundled Open Source Software from OSCON

3,808 views
3,728 views

Published on

The benefits of including Open Source Software in products and services are very well understood, including many that greatly improve the security of the resultant product. Less well-known or understood, however, is the real security impact of bundling OSS and other third-party software into products. View the blog and on-demand presentation: http://ow.ly/dIZsl

Published in: Technology
0 Comments
0 Likes
Statistics
Notes
  • Be the first to comment

  • Be the first to like this

No Downloads
Views
Total views
3,808
On SlideShare
0
From Embeds
0
Number of Embeds
1,204
Actions
Shares
0
Downloads
0
Comments
0
Likes
0
Embeds 0
No embeds

No notes for slide

Managing the Security Impact of Bundled Open Source Software from OSCON

  1. 1. Managing the Security Impactof Bundled Third-Party Software Tim Sammut tsammut@cisco.com
  2. 2. About meCisco Security Research & Gentoo Linux Security Team ICASI Third-Party Software Operations Member Security Working Group Chair tsammut@cisco.com underling@gentoo.org
  3. 3. About you
  4. 4. Do you produce a product, service or package?
  5. 5. Do you disclose vulnerabilities to your customers?
  6. 6. Where is third-party software creating security problems for you?
  7. 7.  Open Source Software vs. Third-Party SoftwareQuick Level Set  Do we even care about this stuff?  What are we trying to accomplish?
  8. 8. It is not our code, but it is our product!
  9. 9. The Challenges
  10. 10.  Which packages?  Which versions?  Which compile-time options? Knowing Where  Which kernel versions? TPS is Used Given a vulnerable TPS package can you reliably determine affected products?Knowing Where TPS is Understanding Inconsistent Package Unmanageable Learning of Inconsistent Fixes External Development Used Dependencies Naming Selection Processes Vulnerabilities Partners
  11. 11.  Exposure expands in under-understood ways  Dependencies are equally exposed to vulnerabilities Understanding  Tools hide build and run-time dependencies Dependencies Focus is often on point requirements without documenting every TPS package incorporated.Knowing Where TPS is Understanding Inconsistent Package Unmanageable Learning of Inconsistent Fixes External Development Used Dependencies Naming Selection Processes Vulnerabilities Partners
  12. 12.  No naming scheme  Even authoritative names change  Locally modified packages are indistinguishable Inconsistent  Simple input variances Package Naming  Versioning is itself complex Are you able to efficiently process large amounts of TPS usage data?Knowing Where TPS is Understanding Inconsistent Package Unmanageable Learning of Inconsistent Fixes External Development Used Dependencies Naming Selection Processes Vulnerabilities Partners
  13. 13.  How are development teams choosing which TPS is used?  Are the considering stability or security? Unmanageable  Are they planing for the ongoing maintenance? Selection Processes Are you gaining development-time freedoms at the expense of long-term maintainability?Knowing Where TPS is Understanding Inconsistent Package Unmanageable Learning of Inconsistent Fixes External Development Used Dependencies Naming Selection Processes Vulnerabilities Partners
  14. 14.  No “Single Source of Truth” Learning of Newly  Disclosure formats, vehicles and time lines vary wildly Disclosed  Monitoring the CVE dictionary is incomplete Vulnerabilities Do you learn of new and relevant TPS vulnerabilities before your customers?Knowing Where TPS is Understanding Inconsistent Package Unmanageable Learning of Inconsistent Fixes External Development Used Dependencies Naming Selection Processes Vulnerabilities Partners
  15. 15.  Do we wait for a new upstream release?  Do we upgrade? Can we upgrade?  Do we patch? Inconsistent Fixing  Will an upstream fix ever come? of Vulnerabilities  Is the upstream even active? Solving this one time is easy. Do you know what you did last time or across many products?Knowing Where TPS is Understanding Inconsistent Package Unmanageable Learning of Inconsistent Fixes External Development Used Dependencies Naming Selection Processes Vulnerabilities Partners
  16. 16.  Who is responsible to fix the issue? External  How quickly?  In what cases? Development  And for how long? Partners  Are each of the previous challenges covered? Combining TPS and external partners creates efficiency and vast unknowns that must be managed.Knowing Where TPS is Understanding Inconsistent Package Unmanageable Learning of Inconsistent Fixes External Development Used Dependencies Naming Selection Processes Vulnerabilities Partners
  17. 17. What other challenges exist?Knowing Where TPS is Understanding Inconsistent Package Unmanageable Learning of Inconsistent Fixes External Development Used Dependencies Naming Selection Processes Vulnerabilities Partners
  18. 18. The “Solutions”
  19. 19. Absolutely critical and foundational to success Build a Strong Catalog of TPS UseKnowing Where TPS is Understanding Inconsistent Package Unmanageable Learning of Inconsistent Fixes External Development Used Dependencies Naming Selection Processes Vulnerabilities Partners
  20. 20. Creates tremendous efficiencies throughout the problem space Standardize Everything PossibleKnowing Where TPS is Understanding Inconsistent Package Unmanageable Learning of Inconsistent Fixes External Development Used Dependencies Naming Selection Processes Vulnerabilities Partners
  21. 21. Must produce a consistent vulnerability feed for internal consumption Monitor Vulnerability Disclosure ScalablyKnowing Where TPS is Understanding Inconsistent Package Unmanageable Learning of Inconsistent Fixes External Development Used Dependencies Naming Selection Processes Vulnerabilities Partners
  22. 22. Key to understanding todays impact and the historic record Instrument the Bug DatabaseKnowing Where TPS is Understanding Inconsistent Package Unmanageable Learning of Inconsistent Fixes External Development Used Dependencies Naming Selection Processes Vulnerabilities Partners
  23. 23. Support and require the equivalent of internal processes Require Contract Language with PartnersKnowing Where TPS is Understanding Inconsistent Package Unmanageable Learning of Inconsistent Fixes External Development Used Dependencies Naming Selection Processes Vulnerabilities Partners
  24. 24. Questions? It is not our code, but it is our product!
  25. 25. Thank you.tsammut@cisco.com

×