Best Practices for Managing Risk from Open Source Libraries and Components
Published in: Technology
Transcript

  • 1. Best Practices for Managing Risk from Open Source Libraries and Components. February 5th at 1pm ET. Jim Routh & Joshua Corman
  • 2. FEATURED SPEAKERS. Jim Routh, CISO: certified with CSSLP & CISM; Chairman of FS-ISAC Committee; 20+ years in application security. Joshua Corman, CTO: co-founder of Rugged Software; previously w/ Akamai & 451 Group; trusted security professional; @joshcorman. 2/13/2014
  • 3. TODAY’S AGENDA • What is the Third Party Security Working Group • What are the recommended control types • Why policy management & enforcement • What changed? • Dependence (disproportional) • Component Lifecycle Management in action
  • 4. Third Party Software Security. The Third Party Software Security Working Group was established with a mandate to analyze control options and develop specific recommendations on control types for member firms to consider adding to their vendor governance programs. These recommendations on control types are captured in the FS-ISAC Working Group whitepaper, “Appropriate Software Security Control Types for Third Party Service and Product Providers.” Steering Committee Members: 1. Jerry Brady, Morgan Stanley; 2. Mark Connelly, Thomson Reuters; 3. Mahi Dontamasetti, DTCC; 4. Paul Fulton, Citi; 5. Keith Gordon, Capital One; 6. Royal Hansen, Goldman Sachs; 7. Chauncey Holden, RBS Citizens Bank; 8. Rich Jones, JP Morgan Chase; 9. Ben Miron, GE; 10. Jim Routh, Aetna. Working Group Members: 1. David Smith, Fidelity; 2. Don Elkins, Morgan Stanley; 3. Matt Levine, Goldman Sachs; 4. David Hubley, Capital One; 5. Tim Mathias, Thomson Reuters; 6. Rishikesh Pande, Citi. FS-ISAC Third Party Software Security Working Group
  • 5. Recommended Control Types: 1. vBSIMM Process Maturity; 2. Binary Static Analysis; 3. Policy management and enforcement for consumption of open source libraries and components
  • 6. Control Types
  • 7. Control 3 - Policy management and enforcement for consumption of open source libraries and components. This control type identifies consumable open source libraries for a given Financial Institution, identifies the security vulnerabilities by open source component and enables the Financial Institution to apply controls or governance over the acquisition and use of open source libraries.
  • 8. Component Usage Has Exploded. Control 3: Open Source Policy Management
  • 9. Policy Management Capability
  • 10. FS-ISAC Third Party Software Security Working Group Whitepaper: www.fs-isac.com
  • 11. WHAT’S CHANGED?
  • 12. COST, COMPLEXITY, AND RISK
  • 13. CONSEQUENCES: VALUE & REPLACEABILITY http://blog.cognitivedissidents.com/2011/10/24/a-replaceability-continuum/
  • 14. Operational Excellence Defensible Infrastructure Situational Awareness Countermeasures
  • 15. Operational Excellence Defensible Infrastructure Situational Awareness Countermeasures
  • 16. Situational Awareness Operational Excellence Defensible Infrastructure Countermeasures
  • 17. Countermeasures Situational Awareness Operational Excellence Defensible Infrastructure
  • 18. REPLACEABILITY. Quadrants: Countermeasures, Situational Awareness, Operational Excellence, Defensible Infrastructure. Asset classes along the replaceability axis: Life, Rights, CritInfr, IP, PII, CCN
  • 19. Software Evolution. HOW MUCH CODE DO WE “WRITE” THESE DAYS? Written vs. Assembled: 90% assembled
  • 20. Software Evolution. HOW MUCH CODE DO WE “WRITE” THESE DAYS? Written vs. Assembled: 90% assembled
  • 21. Open source usage is EXPLODING. Yesterday’s source code is today’s OPEN SOURCE. Component Selection. [Chart: open source component usage by year, 2007 through 2013, with axis ticks 500M, 1B, 2B, 4B, 6B, 8B, 13B]
  • 22. A Sea Change in Hacker Targeting. Now that software is assembled…
  • 23. Today’s approaches AREN’T WORKING: 46m vulnerable components downloaded; 90% of repos have 1+ critical vulnerability; 71% of repos have 1+ critical or severe vulnerability. Pipeline: COMPONENT SELECTION → DEVELOPMENT → BUILD AND DEPLOY → PRODUCTION
  • 24. A Massive Supply Chain Problem. No Visibility: no visibility to what components are used, where they are used and where there is risk. No Control: no way to govern/enforce component usage; policies are not integrated with development. No Fix: no efficient way to fix existing flaws.
  • 25. FROM THE FS-ISAC WHITE PAPER • Enabling application architects to control versions of software. • Accelerating the development process by encouraging the consumption of open source libraries that are resilient. • Reducing operating costs, since the cost of ripping out obsolete components from existing applications is high, assuming the older versions can be identified in the first place.
  • 26. CLM IN ACTION
  • 27. BACK TO… CONTROL TYPES
  • 28. Notional Exposure vs. Active Risk. Repository Health Check: What’s in my repo? What have I downloaded? Application Health Check: Are my apps vulnerable? Snapshot Report.
  • 29. CVE-2013-2251: WIDESPREAD COMPROMISE. Affected: Global Bank; Software Provider; Software Provider’s Customer; State University; Three-Letter Agency; Large Financial Exchange
  • 30. How can we choose the best components FROM THE START? • Analyze all components from within your IDE • License, security and architecture data for each component, evaluated against your policy • Shift upstream = ZTTR (Zero Time to Remediation)
  • 31. Software Evolution: Little Effort, BIG IMPACT
  • 32. WE NEED BETTER LEVERAGE! Most security programs are getting a little bit better everywhere; but not sufficiently better anywhere... Earlier. Easier. Effective.
  • 33. DEVELOPERS & APPLICATION SECURITY: WHO’S RESPONSIBLE? 63% of people concerned with open source. Take the Survey: https://www.surveymonkey.com/s/Developers_and_App
  • 34. LEARN MORE. “A new approach in the market is Component Lifecycle Management (CLM) which offers the ability to enforce policies in the development process.” To learn more about the ‘Component Lifecycle Management Approach’, read the OVUM report. http://www.sonatype.com/resources/whitepapers
  • 35. BEST PRACTICES FOR MANAGING RISK FROM OPEN SOURCE LIBRARIES AND COMPONENTS. Thank you for attending today’s event; please contact us with any questions. http://www.sonatype.com/contact/general-inquiry
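Slides 7, 28 and 30 describe Control 3 as a policy evaluated against each component's security and license data before it reaches development. The block below is an added example, not from the presentation or from any vendor's product, of such a gate run over a constructed manifest: the license metadata, the policy entries and the manifest are constructed, and the CVE-2013-2251 affected range is my recollection of the advisory rather than something the slides state.

```python
import re

# Constructed policy data standing in for a CLM tool's vulnerability and license
# feeds; the CVE-2013-2251 range is my recollection of the advisory, verify it.
VULN_RANGES = {
    "org.apache.struts:struts2-core": [("2.0.0", "2.3.15", "CVE-2013-2251")],
}
BLOCKED_LICENSES = {"AGPL-3.0"}
LICENSES = {  # constructed license metadata per component
    "org.apache.struts:struts2-core": "Apache-2.0",
    "example:agpl-lib": "AGPL-3.0",
    "example:clean-lib": "MIT",
}
MANIFEST = """\
# constructed manifest of Maven-style coordinates, group:artifact:version
org.apache.struts:struts2-core:2.3.15
example:agpl-lib:1.0
example:mystery-lib:0.9
example:clean-lib:4.2
"""

def parse_version(v):
    """Numeric tuple for comparison; qualifiers such as -SNAPSHOT are dropped,
    so a pre-release of a vulnerable version still falls inside the range."""
    return tuple(int(p) for p in re.split(r"[.-]", v) if p.isdigit())

def parse_manifest(text):
    """Return (group:artifact, version) pairs, skipping blanks and comments."""
    deps = []
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            group, artifact, version = line.split(":")
            deps.append((f"{group}:{artifact}", version))
    return deps

def evaluate(deps):
    """Policy gate: flag known-vulnerable versions and blocked or unknown
    licenses. Returns (component, version, reason) triples; empty means pass."""
    findings = []
    for name, version in deps:
        v = parse_version(version)
        for low, high, cve in VULN_RANGES.get(name, []):
            if parse_version(low) <= v <= parse_version(high):
                findings.append((name, version, cve))
        lic = LICENSES.get(name, "UNKNOWN")
        if lic in BLOCKED_LICENSES or lic == "UNKNOWN":
            findings.append((name, version, f"license:{lic}"))
    return findings
```

Wiring `evaluate(parse_manifest(...))` into the build as a failing step is what turns the check into enforcement rather than a report.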
