Speaker notes:
  • CIO.com survey of IT and business executives, April 2008, 328 respondents.
  • Linus’s Law.
  • Projects written in Java with a wide range of functionality, used extensively to build and deploy enterprise applications. Two to four versions of each project were tested. Freeware that was not open source was excluded.
  • Conducted source code analysis on the 11 applications; results were reviewed manually to verify findings. Responsible disclosure: no detailed vulnerability information is given. These vulnerabilities are the most dangerous and the easiest to detect. Across 11 applications, 3 versions each: 44,323 total issues, of which 22,828 Cross-Site Scripting and 15,612 SQL Injection.
  • Most applications have only gotten worse over the last 3 versions.
  • Exceptions exist: Mozilla announced a security initiative to improve the browser’s security and hired independent security consultant Rich Mogull as advisor.
  • Security best practices were a low priority.

    1. When Security Isn’t Free: The Myth of Open Source Security
       David Harper, EMEA Services Director, Fortify Software

    2. Outline
       • The Open Source Myth
         • “Open Source Software is inherently secure”
       • Examine the evidence
         • Open Source Security Study
       • Securing Open Source Software
         • An approach for the Open Source community
       • Exploiting Open Source Software securely
         • Recommendations for the Enterprise

    3. “Open Source Software is inherently secure”

    4. Open Source is Prevalent
       Do you use open source? (CIO.com study, April 2008)
       • What type of applications?
         • Operating systems: 78%
         • Back end databases & Web servers: 74%
         • Software development tools: 61%
         • Desktop applications: 45%
         • Enterprise applications: 29%

    5. Open Source is Trusted
       • Many open source projects claim enterprise-class capabilities
       • Open source is viewed similarly to closed source
         • 44% of respondents considered open source equally to closed source
       • Security is not frequently a concern when choosing open source
         • Only 26% cited security as one of the top 3 barriers to adoption
       * Gartner: “Application Security Testing Should Be Mandatory for Outsourced Development and Maintenance”

    6. The Open Source Software Myth
       • “Given enough eyeballs, all bugs are shallow”
         • The Cathedral and the Bazaar, Raymond 1977
       • Assumes
         • Motivation to perform security code review
         • Reviewers have security expertise
         • There are “enough eyeballs”
       • Goes against application security best practice
         • Secure Development Life-cycle

    7. Myth has been widely discredited
       • The myth of more eyes
         • Burton Group, 2005
       • The myth of open source security
         • John Viega
       • Numerous examples of security vulnerabilities that have been present in OSS for more than 10 years
         • Sendmail
         • Kerberos

    8. About Open Source Software
       • Open Source Software is not inherently insecure either
         • Lots of security benefit from publishing source code
       • No “silver bullet” for Software Security
    9. Open Source Security Study

    10. Fortify Open Source Security Study
       • Are Open Source Development Communities Embracing Security Best Practices?
         • Examine a sample of Java Open Source projects
           • Look for vulnerabilities
           • Look for Secure Development Best Practices
       • Study by Larry Suto
         • Commissioned by Fortify Software
         • Full report: www.fortify.com

    11. Open Source Projects – 11 Selected

       Application   Description
       Derby         Relational database
       Geronimo      Application server
       Hibernate     Object relational mapping tool
       Hipergate     CRM web application
       JBoss         Application server
       JOnAS         Application server
       OFBiz         E-Business solution web application
       OpenCMS       Content management solution
       Resin         Application server
       Struts        Web application framework
       Tomcat        Application server

    12. Vulnerabilities Identified
       • High Impact Issues including:
         • SQL Injection
         • Cross-site Scripting
       Figure shown on slide: 14,425

    13. Vulnerability Trend (chart: Derby, Geronimo, Hibernate, Hipergate)

    14. Secure Development Best Practice
       • Evaluated key indicators of Best Practice
         • Documentation that covers the security implications and secure deployment of the software they develop
         • A dedicated email alias for users to report security vulnerabilities
         • Easy access to internal security experts to discuss security issues

    15. Secure Development Best Practice

       Application   Prominent Link to Security Info   Security-Specific Email Alias   Easy Access to Security Experts
       Derby         N                                 N                               N
       Geronimo      N                                 N                               N
       Hibernate     N                                 N                               N
       Hipergate     N                                 N                               N
       JBoss         Y                                 N                               Y
       JOnAS         N                                 N                               N
       OFBiz         N                                 N                               N
       OpenCMS       N                                 N                               N
       Resin         N                                 N                               Y
       Struts        Y                                 Y                               Y
       Tomcat        N                                 N                               N
    16. Securing Open Source Software

    17. Security in the Development Lifecycle

    18. Secure Development Life-Cycle
       • See www.opensamm.org
       Lifecycle phases: Initiate, Define, Implement, Design, Develop, Test, Operate

       Business Function   Security Practices
       Governance          Strategy & Metrics, Policy & Compliance, Education & Guidance
       Construction        Threat Assessment, Security Requirements, Secure Architecture
       Verification        Design Review, Code Review, Security Testing
       Deployment          Vulnerability Management, Environment Hardening, Operational Enablement

    19. Java Open Review Project
       • Source Code Review service for Open Source Projects
         • Fortify Source Code Analyzer
         • Findbugs
       • Process
         • Developer submits project
           • Detailed results provided to developer
           • Summary information to consumers
         • Automatic scan of subsequent versions
       • See http://opensource.fortify.com

    20. Java Open Review Project

    21. Exploiting Open Source Software securely

    22. Software Security Assurance (SSA)
       • A risk management strategy for all sources of software risk
       • Cycle: Assess software for security vulnerabilities; Remediate vulnerabilities found in software; Prevent software security vulnerabilities

    23. Assess
       • Create Inventory
         • Component
         • Version
         • Business Risk
       • Assign Owner
       • Identify and Classify Vulnerabilities
         • Source Code Analysis
         • Architectural Review
       • Ensure security involvement in any new OSS decisions

    24. Remediate
       • Fix critical vulnerabilities
         • Upgrade to latest version
         • Security Patch
         • Fix code
         • Replace with secure alternative
         • Application Firewall

    25. Prevent
       • For each OSS component
         • Assign Owner
         • Implement appropriate strategy
           • Treat as In-house Development
             • Manage using existing SDL
           • Treat as Out-Sourced Development
             • Become a Contributing Developer
             • Java Open Review project
           • Treat as COTS
             • Patch management
           • Replace
       • Establish OSS Security Guidelines
         • Approved List

    26. Summary
       • Open Source Software is NOT inherently secure
         • Widespread misunderstanding putting organizations at risk
       • Open Source community should
         • Adopt a Secure Development Life-cycle
         • Take advantage of the Java Open Review service
       • Enterprises using Open Source Software must
         • Assess impact of current OSS deployments
         • Remediate critical vulnerabilities found
         • Prevent further vulnerabilities by adopting an appropriate security strategy

    27. Q&A
       David Harper, [email_address], +44 118 983 2055