  • CIO.com survey of IT and business executives, April 2008, 328 respondents
  • Linus’s Law
  • Selection criteria: written in Java; wide range of functionality; used extensively to build and deploy enterprise applications; two to four versions of each project tested; freeware that was not open source was excluded
  • Method: source code analysis of the 11 applications; results reviewed manually to verify findings; responsible disclosure, so no detailed vulnerability information is given. Cross-site scripting and SQL injection are the most dangerous of the issue classes found and the easiest to detect. Across 11 applications, 3 versions each: 44,323 total issues, of which 22,828 cross-site scripting and 15,612 SQL injection
  • Most applications have only gotten worse over the last 3 versions
  • Exceptions exist: Mozilla announced a security initiative to improve the browser’s security and hired independent security consultant Rich Mogull as advisor
  • Security best practices were a low priority

Presentation Transcript

  • When Security Isn’t Free: The Myth of Open Source Security. David Harper, EMEA Services Director, Fortify Software
  • Outline
    • The Open Source Myth
      • “Open Source Software is inherently secure”
    • Examine the evidence
      • Open Source Security Study
    • Securing Open Source Software
      • An approach for the Open Source community
    • Exploiting Open Source Software securely
      • Recommendations for the Enterprise
  • “Open Source Software is inherently secure”
  • Open Source is Prevalent
    • What type of applications?
      • Operating systems: 78%
      • Back end databases & Web servers: 74%
      • Software development tools: 61%
      • Desktop applications: 45%
      • Enterprise applications: 29%
    Do you use open source? CIO.com study – April 2008
  • Open Source is Trusted
    • Many open source projects claim enterprise-class capabilities
    • Open source is viewed similarly to closed source
      • 44% of respondents rated open source the same as closed source
    • Security is not frequently a concern when choosing open source
      • Only 26% cited security as one of the top 3 barriers to adoption
    *Gartner: “Application Security Testing Should Be Mandatory for Outsourced Development and Maintenance”
  • The Open Source Software Myth
    • “Given enough eyeballs, all bugs are shallow”
      • The Cathedral and the Bazaar, Raymond, 1997
    • Assumes
      • Motivation to perform security code review
      • Reviewers have security expertise
      • There are “enough eyeballs”
    • Goes against application security best practice
      • Secure Development Life-cycle
  • Myth has been widely discredited
    • The myth of more eyes
      • Burton Group, 2005
    • The myth of open source security
      • John Viega
    • Numerous examples of security vulnerabilities that have been present in OSS for more than 10 years
      • Sendmail
      • Kerberos
  • About Open Source Software
    • Open Source Software is not inherently insecure either
      • Lots of security benefit from publishing source code
    • No “silver bullet” for Software Security
  • Open Source Security Study
  • Fortify Open Source Security Study
    • Are Open Source Development Communities Embracing Security Best Practices?
      • Examine sample of Java Open Source projects
        • Look for vulnerabilities
        • Look for Secure Development Best Practices
    • Study by Larry Suto
      • Commissioned by Fortify Software
      • Full report www.fortify.com
  • Open Source Projects: 11 Selected
    • Derby: relational database
    • Geronimo: application server
    • Hibernate: object-relational mapping tool
    • Hipergate: CRM web application
    • JBoss: application server
    • JOnAS: application server
    • OFBiz: e-business solution web application
    • OpenCMS: content management solution
    • Resin: application server
    • Struts: web application framework
    • Tomcat: application server
  • Vulnerabilities Identified
    • High Impact Issues including:
      • SQL Injection
      • Cross-site Scripting
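The two issue classes the study counted most, shown as a vulnerable function beside its hardened form. This is an added example, not code from the study, the slides or any of the eleven projects; the user table, its single row and the payloads are constructed for the demonstration, and it is written in Python with the standard-library sqlite3 driver so it runs stand-alone (the projects in the study are Java, where the equivalent fix is `PreparedStatement` with `?` placeholders instead of concatenating input into a `Statement`).

```python
"""
Added example (not from the study or the slides): SQL injection and cross-site
scripting, each as a vulnerable function beside its hardened form. The table,
its one row and the payloads below are constructed for this demonstration.
"""
import html
import sqlite3


def make_db() -> sqlite3.Connection:
    """In-memory user table with one constructed row."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, password TEXT)")
    conn.execute("INSERT INTO users VALUES ('alice', 'correct horse')")
    conn.commit()
    return conn


# --- SQL injection ----------------------------------------------------------

def login_vulnerable(conn: sqlite3.Connection, name: str, password: str) -> bool:
    """Builds the query by concatenation: attacker-controlled input becomes
    part of the SQL grammar. This is the pattern a source code analyzer
    reports as SQL Injection (tainted data reaching a query sink)."""
    sql = ("SELECT count(*) FROM users WHERE name = '" + name +
           "' AND password = '" + password + "'")
    return conn.execute(sql).fetchone()[0] > 0


def login_hardened(conn: sqlite3.Connection, name: str, password: str) -> bool:
    """Parameterised query: the driver binds the values, so quotes and
    comment markers in the input are compared as data, never parsed as SQL."""
    sql = "SELECT count(*) FROM users WHERE name = ? AND password = ?"
    return conn.execute(sql, (name, password)).fetchone()[0] > 0


# --- Cross-site scripting ---------------------------------------------------

def greeting_vulnerable(name: str) -> str:
    """Reflects the input into the HTML response unchanged."""
    return "<p>Hello, " + name + "</p>"


def greeting_hardened(name: str) -> str:
    """HTML-escapes the input for the element-content context. Attribute,
    URL and script contexts need their own encoders (not shown here)."""
    return "<p>Hello, " + html.escape(name, quote=True) + "</p>"


if __name__ == "__main__":
    db = make_db()
    # Constructed payload: closes the name literal, comments out the password check.
    payload = "alice' -- "
    print("vulnerable login, payload, wrong password:", login_vulnerable(db, payload, "wrong"))  # True
    print("hardened login, payload, wrong password:  ", login_hardened(db, payload, "wrong"))    # False
    print("hardened login, real credentials:         ", login_hardened(db, "alice", "correct horse"))  # True
    xss = "<script>alert(1)</script>"
    print(greeting_vulnerable(xss))
    print(greeting_hardened(xss))
```

The first payload closes the name literal and comments out the rest of the statement, so the concatenated query authenticates without a password; under the bound query the same string is compared as a literal name and fails. The escaping in `greeting_hardened` is only correct for HTML element content; input placed in an attribute, URL or script context needs the encoder for that context, which is exactly the kind of distinction the manual review of SCA findings mentioned above has to make.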
  • Vulnerability Trend (chart of issue counts per version for Derby, Geronimo, Hibernate and Hipergate; the figures are not reproduced in the transcript)
  • Secure Development Best Practice
    • Evaluated key indicators of Best Practice
      • Documentation that covers the security implications and secure deployment of the software they develop
      • A dedicated email alias for users to report security vulnerabilities
      • Easy access to internal security experts to discuss security issues
  • Secure Development Best Practice: results per application
    Application  Prominent link to security info  Security-specific email alias  Easy access to security experts
    Derby        N                                N                              N
    Geronimo     N                                N                              N
    Hibernate    N                                N                              N
    Hipergate    N                                N                              N
    JBoss        Y                                N                              Y
    JOnAS        N                                N                              N
    OFBiz        N                                N                              N
    OpenCMS      N                                N                              N
    Resin        N                                N                              Y
    Struts       Y                                Y                              Y
    Tomcat       N                                N                              N
  • Securing Open Source Software
  • Security in the Development Lifecycle
  • Secure Development Life-Cycle
    • See www.opensamm.org
    OpenSAMM model (diagram): four business functions, each with three security practices
    • Governance: Strategy & Metrics; Policy & Compliance; Education & Guidance
    • Construction: Threat Assessment; Security Requirements; Secure Architecture
    • Verification: Design Review; Code Review; Security Testing
    • Deployment: Vulnerability Management; Environment Hardening; Operational Enablement
    Development phases shown alongside: Initiate, Define, Implement (Design, Develop, Test), Operate
  • Java Open Review Project
    • Source Code Review service for Open Source Projects
      • Fortify Source Code Analyzer
      • Findbugs
    • Process
      • Developer submits project
        • Detailed results provided to developer
        • Summary information to consumers
      • Automatic scan of subsequent versions
    • See http://opensource.fortify.com
  • Exploiting Open Source Software securely
  • Software Security Assurance (SSA)
    • A risk management strategy for all sources of software risk
    Software Security Assurance cycle (diagram):
    • Assess software for security vulnerabilities
    • Remediate vulnerabilities found in software
    • Prevent software security vulnerabilities
  • Assess
    • Create Inventory
      • Component
      • Version
      • Business Risk
    • Assign Owner
    • Identify and Classify Vulnerabilities
      • Source Code Analysis
      • Architectural Review
    • Ensure security involvement in any new OSS decisions
  • Remediate
    • Fix critical vulnerabilities
      • Upgrade to latest version
      • Security Patch
      • Fix code
      • Replace with secure alternative
      • Application Firewall
  • Prevent
    • For each OSS component
      • Assign Owner
      • Implement appropriate strategy
        • Treat as In-house Development
          • Manage using existing SDL
        • Treat as Out-Sourced Development
          • Become a Contributing Developer
          • Java Open Review project
        • Treat As COTS
          • Patch management
        • Replace
    • Establish OSS Security Guidelines
      • Approved List
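A small check for the Assess and Prevent steps above: read an inventory of components with version, business risk and owner, compare it against an approved list that records a minimum version and the chosen strategy per component, and report what needs action. This is an added example, not part of the presentation or of any Fortify tooling; the inventory, the approved list and every version number in them are constructed for the demonstration and carry no claim about real releases of these projects. The strategy labels (in-house, outsourced, COTS, replace) follow the slide.

```python
"""
Added example (not from the slides): an OSS inventory check for the Assess and
Prevent steps. The inventory rows, approved list and version numbers are
constructed and say nothing about real releases of the named projects.
"""
import csv
import io
from dataclasses import dataclass

# Constructed inventory: component, version in use, business risk, owner.
# The struts row has no owner, and its version is lexically "greater" than
# the approved minimum while being numerically lower.
INVENTORY = """\
component,version,business_risk,owner
tomcat,6.0.18,high,platform-team
struts,2.0.9,high,
hibernate,3.2.6,medium,data-team
hipergate,2.1.8,low,crm-team
"""

# Constructed approved list: minimum version and handling strategy per component.
APPROVED = {
    "tomcat": ("6.0.18", "cots"),        # treat as COTS: patch management
    "struts": ("2.0.11", "outsourced"),  # contribute / use the open review service
    "hibernate": ("3.2.6", "in-house"),  # manage under the existing SDL
}


def parse_version(v: str) -> tuple:
    """Purely numeric dotted versions, compared per component so that
    2.0.11 > 2.0.9. A plain string comparison gets this wrong. Qualifiers
    such as -beta or rc1 are out of scope for this example."""
    return tuple(int(part) for part in v.split("."))


@dataclass
class Finding:
    component: str
    problem: str
    action: str


def assess(inventory_csv: str, approved: dict) -> list:
    """Return one Finding per problem: missing owner, component not on the
    approved list, or version below the approved minimum."""
    findings = []
    for row in csv.DictReader(io.StringIO(inventory_csv)):
        name, version = row["component"], row["version"]
        if not row["owner"]:
            findings.append(Finding(name, "no owner", "assign owner"))
        if name not in approved:
            findings.append(Finding(name, "not on approved list",
                                    "security review before continued use, or replace"))
            continue
        min_version, strategy = approved[name]
        if parse_version(version) < parse_version(min_version):
            findings.append(Finding(name, f"{version} below minimum {min_version}",
                                    f"upgrade; strategy={strategy}"))
    return findings


if __name__ == "__main__":
    for finding in assess(INVENTORY, APPROVED):
        print(f"{finding.component}: {finding.problem} -> {finding.action}")
```

Version comparison is the detail to get right: `"2.0.11" < "2.0.9"` is true as a string comparison, so a naive check would pass the outdated row; splitting on dots and comparing integer tuples gives the intended order. Real version schemes with qualifiers need a proper parser, which this example deliberately does not attempt.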
  • Summary
    • Open Source Software is NOT inherently secure
      • Widespread misunderstanding putting organizations at risk
    • Open Source community should
      • Adopt a Secure Development Life-cycle
      • Take advantage of the Java Open Review service
    • Enterprises using Open Source Software must
      • Assess impact of current OSS deployments
      • Remediate critical vulnerabilities found
      • Prevent further vulnerabilities by adopting appropriate security strategy
  • Q&A: David Harper, [email_address], +44 118 983 2055