Lessons Learned From Heartbleed, Struts, and The Neglected 90%

Watch this insightful and witty discussion between two old pals, Wendy Nather, Security Research Director at 451 Research, and Josh Corman, CTO at Sonatype, on the state of application security today. They share their perspectives on the changing landscape of application development and how it is affecting common application security approaches. They agree that the dramatic shift from writing source code to assembling applications from components has opened an open source security gap. With component vulnerabilities such as Heartbleed and Struts becoming national news, and more certain to follow, now is the time to stop using components with known vulnerabilities.

To learn more about Heartbleed and what it means for your company please visit http://www.sonatype.com/clm/spotlight-on-heartbleed

Published in: Software, Technology

Notes
  • We are in the business of open source governance, management and compliance. Your company runs on software, and that software must be trusted.
  • Verizon Data Breach Investigations Report, Figure 16: the web application is the top attack surface.
  • The next slide shows the same point another way.
  • Here are just a few examples so you can see that this risk is real.

    Bouncy Castle is a popular open source cryptography component. A critical security alert for it (CVE-2007-6721) was published in 2009, yet in 2013, more than five years after a fixed version had been released, 4,000 organizations still downloaded the vulnerable version 20,000 times.

    This is a CVSS 10.0, critical-severity risk. Imagine the exposed applications out there; some of them may store your credit card data or other personal information.
  • This example is even worse: a version of httpclient with broken SSL validation (CVE-2012-5783) was downloaded by 6,916 organizations 66,824 times in December 2013, more than a year after the alert.

    It wasn't hard for us to find these examples; this just skims the surface.

    Some of you may have heard about the FBI warning last year about Struts. A vulnerable, and old, version of this framework was used to break into a handful of large organizations. It made a lot of news. But people are still using it today.
  • This isn't new, it's new to us. It is a maturing of the industry, and components are new to the software industry.

    Not sure the supplier is something worth shaking down: there aren't big suppliers, mostly little ones, more like the Kickstarter movement.
    Supplier means little because, for open source, the supplier is equivalent to the project.
    We can get data on how people use a component, but not necessarily information on the people who make up the project, or get them to self-certify.

    Project-level information we can get from the users.

    Foundations such as Apache, Eclipse or JBoss can work, but over time that is becoming less important in the overall component landscape.

    The key is "what is everyone doing": which behaviours are good indicators of the quality of the work produced by a project.
    Number of people in the project and number of commits is the "braindead" measure Ohloh uses; a more elegant way is possible (MH).
  • You have at-risk components flowing into your organization. It is an absolute fact.
    And we're not just talking about security issues: you also have quality issues, and software licensing issues that make it unlawful to use a component for commercial purposes.
    It's like building a car with parts from unknown manufacturers, with no criteria to be met.
  • Despite some efforts to manage component usage, it just isn't working.
    We know this because we know how many vulnerable components are downloaded,
    we know how many, on average, end up in your Nexus repository manager,
    and we know how many, on average, end up in your applications.
  • Sonatype presents a rare opportunity to do something concrete in the application security space.

    One of the 1st tools that comes close to remediation not just scan results and recommendation
  • We've talked a lot about the issues and the concerns; now, what can you do about it?

    Sonatype specializes in accelerating open source usage while minimizing risk, not just in development but throughout the software lifecycle.

    Tired of being told there is a problem, but that it is up to you to figure out how to fix it?
    Weary of huge scan reports full of false positives?
    Focusing primarily on source code instead of components?
    Bogged down by attempts to automate an approval workflow?
    Waiting until development is done to find security issues?

    When you add component security to complement your DAST and SAST efforts, you cover 100% of your application: the code you write and the components you assemble. And a small investment in component security covers the 90% that is assembled.
  • Thank you for sharing your valuable time with me. If you only remember one thing from today, I hope it is this:

    Using vulnerable components is an easily avoidable risk.

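The notes above, and slides 27, 29 and 31 in the transcript that follows, describe the control the talk argues for: evaluate every component against a policy before it reaches the build, instead of scanning after development. The Python below is an added example for this page, not Sonatype code and not the CLM product. It parses a small constructed pom.xml, compares each declared version with a constructed advisory table (the CVE ids are the ones the slides cite; the fixed-in boundaries and the Struts score are assumptions made for illustration, and NVD is where to check the real affected ranges), and returns a block or warn decision per policy. Dependencies whose version the pom does not pin (inherited, or a ${property}) are reported as unresolved rather than silently passed, since a check that cannot see the version cannot clear it.

```python
"""Policy check of a Maven pom.xml's declared dependencies against known-vulnerable versions.

Added example for this page; not Sonatype code and not the CLM product. It shows the
core of "component analysis against policy": match each declared component to an
advisory list, decide whether the declared version falls in the affected range, and
block or warn according to policy. The pom, the advisory table and the version
boundaries are CONSTRUCTED for illustration (CVE ids are those the slides cite).
"""
import re
import xml.etree.ElementTree as ET

POM_NS = "{http://maven.apache.org/POM/4.0.0}"

# Constructed sample pom.xml (not from the page).
SAMPLE_POM = """<?xml version="1.0"?>
<project xmlns="http://maven.apache.org/POM/4.0.0">
  <modelVersion>4.0.0</modelVersion>
  <groupId>example</groupId>
  <artifactId>app</artifactId>
  <version>1.0</version>
  <dependencies>
    <dependency>
      <groupId>org.bouncycastle</groupId>
      <artifactId>bcprov-jdk15</artifactId>
      <version>1.36</version>
    </dependency>
    <dependency>
      <groupId>commons-httpclient</groupId>
      <artifactId>commons-httpclient</artifactId>
      <version>3.1</version>
    </dependency>
    <dependency>
      <groupId>org.apache.struts</groupId>
      <artifactId>struts2-core</artifactId>
      <version>2.3.16.1</version>
    </dependency>
    <dependency>
      <groupId>junit</groupId>
      <artifactId>junit</artifactId>
    </dependency>
  </dependencies>
</project>
"""

# Constructed advisory table: "group:artifact" -> [(cve, cvss_base, fixed_in)].
# Versions below fixed_in are affected; fixed_in=None means no fixed release exists
# in that line, so every version matches. Boundaries and the Struts score are
# assumptions for this example; consult NVD for the real data.
ADVISORIES = {
    "org.bouncycastle:bcprov-jdk15": [("CVE-2007-6721", 10.0, "1.38")],
    "commons-httpclient:commons-httpclient": [("CVE-2012-5783", 5.8, None)],
    "org.apache.struts:struts2-core": [("CVE-2014-0094", 5.0, "2.3.16.1")],
}


def version_key(version):
    """Comparable key for dotted versions: numeric parts as ints, a qualifier
    (e.g. 'rc1') sorts before the release it qualifies. Simplified relative to
    Maven's full ordering rules, which is enough for fixed-in comparisons."""
    key = []
    for token in re.split(r"[.\-]", version):
        key.append((1, int(token)) if token.isdigit() else (0, token.lower()))
    key.append((1, 0))  # sentinel so '2.3.16-rc1' < '2.3.16' < '2.3.16.1'
    return tuple(key)


def parse_dependencies(pom_xml):
    """Return [(\"group:artifact\", version_or_None)] from the <dependencies> block.
    A missing version or a ${property} reference is returned as None."""
    root = ET.fromstring(pom_xml)
    deps_el = root.find(POM_NS + "dependencies")
    if deps_el is None:
        return []
    deps = []
    for dep in deps_el.findall(POM_NS + "dependency"):
        group = dep.findtext(POM_NS + "groupId", "").strip()
        artifact = dep.findtext(POM_NS + "artifactId", "").strip()
        version = dep.findtext(POM_NS + "version")
        if version is not None:
            version = version.strip()
            if version.startswith("${"):
                version = None  # property reference, not resolved here
        deps.append((f"{group}:{artifact}", version))
    return deps


def evaluate(pom_xml, block_at_or_above=7.0):
    """Apply the policy: BLOCK when an affected component's CVSS reaches the
    threshold, WARN below it. Returns {'violations': [(component, cve, cvss,
    action)], 'unresolved': [components whose version the pom does not pin]}."""
    violations, unresolved = [], []
    for coord, version in parse_dependencies(pom_xml):
        if version is None:
            unresolved.append(coord)
            continue
        for cve, cvss, fixed_in in ADVISORIES.get(coord, []):
            affected = fixed_in is None or version_key(version) < version_key(fixed_in)
            if affected:
                action = "BLOCK" if cvss >= block_at_or_above else "WARN"
                violations.append((f"{coord}:{version}", cve, cvss, action))
    return {"violations": violations, "unresolved": unresolved}


def build_allowed(result):
    """A build passes policy only if nothing was blocked and nothing is unresolved."""
    return not result["unresolved"] and not any(v[3] == "BLOCK" for v in result["violations"])


if __name__ == "__main__":
    report = evaluate(SAMPLE_POM)
    for component, cve, cvss, action in report["violations"]:
        print(f"{action:5} {component}  {cve}  CVSS {cvss}")
    for component in report["unresolved"]:
        print(f"UNRESOLVED {component}  (no pinned version in pom)")
    print("build allowed:", build_allowed(report))
```

Transitive dependencies, parent poms and dependencyManagement are out of scope here; a real tool resolves the full dependency tree (for example from `mvn dependency:list`) and feeds the resolved coordinates into the same kind of check, which is what "analyze all components from within your IDE" on slide 31 amounts to.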
  • Lessons Learned From Heartbleed, Struts, and The Neglected 90%

    1. LESSONS LEARNED FROM HEARTBLEED, STRUTS, AND THE NEGLECTED 90%. Wendy Nather, Security Research Director, 451 Research (@451wendy); Josh Corman, CTO, Sonatype (@joshcorman).
    2. FEATURED SPEAKERS. Wendy Nather, Security Research Director, 451 Research: CISO of Texas Education Agency; Security Director, Swiss Bank Corp; co-author of 'The Cloud Security Rules'; https://451research.com/. Joshua Corman, CTO, Sonatype: co-founder of Rugged Software; previously with Akamai and 451 Group; Trusted Security Professional; http://www.sonatype.com/.
    3. STATE OF THE UNION
    4. Web Apps are the Top Attack Surface. Source: 2014 Verizon Data Breach Investigations Report.
    5. Spending and risk are out of sync: AppSec gets the LEAST $ but the MOST attacker focus. Worse, within AppSec the existing dollars (SAST/DAST) go to the 10% that is written. Normalized spending (IDC, Gartner, The 451 Group; groupings vary): Network Security ~$20B; Host Security ~$10B; Data Security ~$5B; People Security ~$4B; Application Security ~$0.5B. Assembled 3rd party and open source components make up ~90% of most applications and get almost no spending.
    6. Spending and risk are OUT OF SYNC. The chart contrasts DEPENDENCE with CURRENT SPENDING across three layers: Presentation Layer and Business Logic; Component Layer (3rd Party and Open Source); Database, OS, Firmware and Network.
    7. Application Security Technology Roadmap. Q: What is your status of implementation for this technology? (n=198-205; source: 451 Research Information Security, Wave 16.) Technologies: Multifactor Authentication for Web-based Applications; Application Security Testing, External Interface Fuzzing or Testing Vulnerability Assessment; Database Security; Application Security Testing, Code or Binary Analysis-based Vulnerability Assessment; Web Application Firewall (WAF). Response categories: In Use Now (Not Including Pilots); In Pilot/Evaluation (Budget Has Already Been Allocated); In Near-term Plan (In Next 6 Months); In Long-term Plan (6-18 Months); Past Long-term Plan (Later Than 18 Months Out); Not in Plan. [Chart; per-technology percentages are not reliably recoverable from the transcript.]
    8. 2013 vs. 2012 Spending Change for Application Security Technologies. Q: How will your spending on this technology change in 2013 as compared to 2012? (n=45-201; respondents not using the technology or who don't know about spending are hidden; source: 451 Research Information Security, Wave 16.) Technologies in slide order: Database Security; Multifactor Authentication for Web-based Applications; Application Security Testing, External Interface Fuzzing; Web Application Firewall (WAF); Application Security Testing, Code or Binary Analysis-based. Responses: Less Spending, About the Same, More Spending. [Chart; values in slide order: About the Same 75%, 77%, 73%, 72%, 70%; More Spending 16%, 16%, 19%, 24%, 24%.]
    9. 2014 vs. 2013 Spending Change for Application Security Technologies. Q: How will your spending on this technology change in 2014 as compared to 2013? (n=45-201; same filtering and source as slide 8.) Technologies in slide order: Application Security Testing, External Interface Fuzzing; Multifactor Authentication for Web-based Applications; Database Security; Web Application Firewall (WAF); Application Security Testing, Code or Binary Analysis-based. [Chart; values in slide order: About the Same 70%, 68%, 63%, 60%, 58%; More Spending 21%, 26%, 28%, 32%, 34%.]
    10. 2014 vs. 2013 Spending Change for Information Security Technologies. Q: How will your spending on this technology change in 2014 as compared to 2013? (n=45-201; same filtering and source as slide 8.) Technologies, in slide order from least to most "More Spending": Anti-spam/Email Security; Patch Management; Penetration Testing; Anti-spyware; Hard Drive Encryption; Laptop Encryption; Anti-virus; Host Intrusion Detection and/or Prevention (HIDS/HIPS); Secure File Transfer; Computer Forensics; Email/Messaging Archiving/Compliance; Vulnerability/Risk Assessment/Scanning (of Infrastructure); File Integrity Monitoring; SSL VPNs; Secure Instant Messaging; Email Encryption; Application Security Testing, External Interface Fuzzing; Key Management and/or Public Key Infrastructure; Web Content Filtering; Threat Intelligence; Two-factor (Strong) Authentication for Infrastructure (e.g., ...); Single Sign-on; IT Security Training/Education/Awareness; Anti-botnet; Multifactor Authentication for Web-based Applications; Information or Digital Rights Management; Database Security; Advanced Anti-malware Response; Managed Security Service Provider (MSSP); Policy and Configuration Management; Tokenization; Web Application Firewall (WAF); IT GRC (Governance, Risk, Compliance); Network Data-loss Prevention Solutions; Application Security Testing, Code or Binary Analysis-based; Mobile Device Security (Not MDM); Network Intrusion Detection and/or Prevention (NIDS/NIPS); Network Firewalls; Event Log Management; System Virtualization Security; Application-aware Firewall; Identity Management; Unified Threat Management (UTM); Endpoint Data-loss Prevention Solutions; Network Access Control (NAC); Cloud Security; Security Information Event Management (SIEM); Mobile Device Management. Responses: Less Spending, About the Same, More Spending. [Chart; "More Spending" runs from 7% for the first technology to 46% for the last; the full per-technology percentages are not reliably recoverable from the transcript.]
    11. 2014 vs. 2013 Spending Change for Information Security Technologies (same chart as slide 10).
    12. Below the Security Poverty Line: little to no IT expertise; more likely to use open source because it's free; no resources to monitor open source use or test it for vulnerabilities; disproportionately dependent on third party vendors; limited span of control over configuration and tuning decisions, architecture and strategy decisions, and risk management; information asymmetry.
    13. What do we mean by the 'Neglected 90%'? Of a typical application, about 90% is assembled from components and about 10% is written.
    14. What Security Approach Has the Most Impact? Defensible Infrastructure; Operational Excellence; Situational Awareness; Countermeasures.
    15. IS IT OPEN SEASON ON OPEN SOURCE?
    16. Now that software is 90% ASSEMBLED...
    17. One risky component, multiplied thousands of times: ONE EASY TARGET.
    18. Global Bank; Software Provider; Software Provider's Customer; State University; Three-Letter Agency; Large Financial Exchange; Hundreds of Other Sites.
    19. Is it true that, with many eyeballs, all bugs are SHALLOW? [Chart of Apache Struts CVEs plotted by year, 2005 to 2014, and CVSS score, 1.0 to 10.0.] CVE-2005-3745, CVE-2006-1546, CVE-2006-1547, CVE-2006-1548, CVE-2008-6504, CVE-2008-6505, CVE-2008-2025, CVE-2007-6726, CVE-2008-6682, CVE-2010-1870, CVE-2011-2087, CVE-2011-1772, CVE-2011-2088, CVE-2011-5057, CVE-2012-0392, CVE-2012-0391, CVE-2012-0393, CVE-2012-0394, CVE-2012-1006, CVE-2012-1007, CVE-2012-0838, CVE-2012-4386, CVE-2012-4387, CVE-2013-1966, CVE-2013-2115, CVE-2013-1965, CVE-2013-2134, CVE-2013-2135, CVE-2013-2248, CVE-2013-2251, CVE-2013-4316, CVE-2013-4310, CVE-2013-6348, CVE-2014-0094.
    20. In 2013, 4,000 organizations downloaded a version of Bouncy Castle with a level 10 vulnerability 20,000 TIMES, MORE THAN FIVE YEARS after the vulnerability was fixed. National Cyber Awareness System, original release date 03/30/2009: CVE-2007-6721, Bouncy Castle Java Cryptography API; CVSS v2 base score 10.0 HIGH; impact subscore 10.0; exploitability subscore 10.0.
    21. In December 2013, 6,916 DIFFERENT organizations downloaded a version of httpclient with broken SSL validation (CVE-2012-5783) 66,824 TIMES, more than ONE YEAR AFTER THE ALERT. National Cyber Awareness System, original release date 11/04/2012: CVE-2012-5783, Apache Commons HttpClient 3.x; CVSS v2 base score 5.8 MEDIUM; impact subscore 4.9; exploitability subscore 8.6.
    22. THE REAL IMPLICATIONS OF HEARTBLEED
    23. Heartbleed + Internet of Things = ? In Our Bodies. In Our Homes.
    24. IS IT TIME FOR A SOFTWARE SUPPLY CHAIN? (and/or software liability)
    25. Supply Chain Management. Stages: Supplier; Supply; Selection; Integration; Delivery; Optimization (Monitoring). What is managed: Projects; Components; Component Versions; Application Platforms and Tools.
    26. If you're not using secure COMPONENTS you're not building secure APPLICATIONS. Lifecycle: Component Selection; Development; Build and Deploy; Production.
    27. Today's approaches AREN'T WORKING (same lifecycle as slide 26): 46m vulnerable components downloaded; 71% of apps have 1+ critical or severe vulnerability; 90% of repositories have 1+ critical vulnerability.
    28. "Sonatype presents a rare opportunity to do something concrete in the application security space. One of the 1st tools that comes close to remediation not just scan results and recommendations." -- Wendy Nather
    29. A NEW APPROACH. Current methods versus Sonatype CLM: problem discovery versus problem remediation; "scan and scold" versus empower developers; source code scanning versus component analysis; approval-centric workflow versus automated policy across the lifecycle; scans after development versus policy enforcement throughout the SLC.
    30. Don't use vulnerable components. It's an AVOIDABLE RISK. 2013 Data Breach Investigations Report: "Some organizations will be a target REGARDLESS of what they do, but most become a target BECAUSE of what they do."
    31. How can we choose the best components FROM THE START? Shift Upstream = ZTTR (Zero Time to Remediation). Analyze all components from within your IDE; license, security and architecture data for each component, evaluated against your policy.
    32. How do we prevent future bleeding hearts? A 3-step action plan. LEARN MORE: "The combination of growing component usage, coupled with lack of security, requires us to urgently re-evaluate traditional application security approaches." http://www.sonatype.com/clm/spotlight-on-heartbleed and www.sonatype.com/neglected90
    33. LESSONS LEARNED FROM HEARTBLEED, STRUTS AND THE NEGLECTED 90%
