5. About me
Defensive security professional with 10+ years of experience
Specializes in Secure SDLC implementation
Builds the security strategy for the organization
Threat modeling / secure code review / penetration testing / security test automation
Secure coding trainer, security QA testing trainer, speaker
SAFECode & Null Singapore
6. Is open source important?
At least 75% of organizations rely on open source as the foundation of their applications.
The (Maven) Central Repository, the largest source of open source components for developers, handled thirteen billion download requests in a year.
Reference: Sonatype
9. Quantitative Analysis
More than 80 percent of a typical software application is comprised of open source components and frameworks.
Collectively, Global 500 organizations downloaded more than 2.8 million insecure components in one year.
There were more than 46 million downloads of insecure versions of the 31 most popular open source security libraries and web frameworks.
Reference: Sonatype
11. Survey Results
44% of enterprises have no policies governing open source component use in their app development.
77% of those that have adopted open source component policies have never banned a single component.
79% do not need to prove they are using components free of security vulnerabilities.
63% fail to monitor for changes in vulnerability data for open source software components.
Reference: Sonatype
12. Why should we take this seriously?
Open source components may themselves contain vulnerabilities such as:
Arbitrary code execution
Cross-site scripting (XSS)
Injection
Denial of service
Insecure cryptographic functions, and so on
15. Recent Vulnerabilities
Java deserialization vulnerability
“combining the readObject() methods of various classes which are available on the classpath of the vulnerable application, an attacker can execute functions (including calling Runtime.exec() to execute local OS commands).”
http://foxglovesecurity.com/2015/11/06/what-do-weblogic-websphere-jboss-jenkins-opennms-and-your-application-have-in-common-this-vulnerability/
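To make the quoted mechanism concrete, here is an added Java example that is not from the slides or the linked post. It puts the vulnerable call (a plain ObjectInputStream.readObject() on untrusted bytes) next to a hardened version that overrides resolveClass() to allow-list the one class the application expects, so a hostile class is rejected before any object is created and its readObject() never runs. The class names DeserDemo, Message and Gadget are my own; Gadget is a toy stand-in that only sets a flag in its readObject(), not a real gadget chain reaching Runtime.exec().

```java
import java.io.*;
import java.util.Set;

// Added example (not from the slides): unsafe vs. look-ahead deserialization.
public class DeserDemo {

    // The only type the application legitimately expects on the wire.
    static final class Message implements Serializable {
        private static final long serialVersionUID = 1L;
        final String text;
        Message(String text) { this.text = text; }
    }

    // Stand-in for a gadget class: its readObject() runs logic the attacker chose
    // by picking the class. A real chain would reach Runtime.exec(); this one only
    // records that it ran.
    static final class Gadget implements Serializable {
        private static final long serialVersionUID = 1L;
        static boolean fired = false;
        private void readObject(ObjectInputStream in) throws IOException, ClassNotFoundException {
            in.defaultReadObject();
            fired = true;
        }
    }

    // Vulnerable pattern: any Serializable class on the classpath can be instantiated
    // and have its readObject() invoked, driven entirely by attacker-supplied bytes.
    static Object unsafeDeserialize(byte[] data) throws IOException, ClassNotFoundException {
        try (ObjectInputStream in = new ObjectInputStream(new ByteArrayInputStream(data))) {
            return in.readObject();
        }
    }

    // Hardened pattern: check the class descriptor before the object exists.
    // resolveClass() is called for every class descriptor read from the stream,
    // so rejecting here stops the gadget's readObject() from ever executing.
    static final class SafeObjectInputStream extends ObjectInputStream {
        private static final Set<String> ALLOWED = Set.of(Message.class.getName());
        SafeObjectInputStream(InputStream in) throws IOException { super(in); }
        @Override
        protected Class<?> resolveClass(ObjectStreamClass desc) throws IOException, ClassNotFoundException {
            if (!ALLOWED.contains(desc.getName())) {
                throw new InvalidClassException(desc.getName(), "class is not on the deserialization allow-list");
            }
            return super.resolveClass(desc);
        }
    }

    static Object safeDeserialize(byte[] data) throws IOException, ClassNotFoundException {
        try (ObjectInputStream in = new SafeObjectInputStream(new ByteArrayInputStream(data))) {
            return in.readObject();
        }
    }

    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream out = new ObjectOutputStream(bos)) {
            out.writeObject(o);
        }
        return bos.toByteArray();
    }

    public static void main(String[] args) throws Exception {
        byte[] legit = serialize(new Message("hello"));
        byte[] hostile = serialize(new Gadget());   // what an attacker sends instead

        System.out.println("unsafe, legit:   " + ((Message) unsafeDeserialize(legit)).text);
        unsafeDeserialize(hostile);
        System.out.println("unsafe, hostile: gadget readObject() fired = " + Gadget.fired);

        Gadget.fired = false;
        System.out.println("safe, legit:     " + ((Message) safeDeserialize(legit)).text);
        try {
            safeDeserialize(hostile);
        } catch (InvalidClassException e) {
            System.out.println("safe, hostile:   rejected " + e.classname
                + ", gadget readObject() fired = " + Gadget.fired);
        }
    }
}
```

Run with `java DeserDemo.java` (Java 11 or later). The unsafe path reports the gadget flag as true; the safe path rejects the class and the flag stays false. Note that the allow-list has to stay tight: every class you add to it, and every Serializable class it references, becomes reachable from the wire again.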
18. Challenges for the developers
Don't know which of their components are vulnerable
Don't know how to check a component before using it
No mechanism to update the vulnerability status of components already in use
Lack of a preventive mechanism to stop a vulnerable component from getting into the build
22. Continuous Testing
Centralize the component repository
Integrate the component check with the build process
Keep the vulnerability database updated
Generate automated alerts for any critical issue
24. Continuous Testing - In a Nutshell
Flow diagram. Labels: Build Environment; Integrate With Build; Upload to Server; Execute Scan; Generate report; Reporting Server; SA; Audit and Re-upload; Login; Developers; Fix Vulnerabilities
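An added example, not code from the slides or from any scanning product, showing the core of what slides 22 and 24 describe: the build's resolved components are matched against a vulnerability database and the build fails with an alert when a critical finding turns up. Everything here is constructed for illustration: the class name ComponentCheck, the com.example coordinates and the ADV-000x advisory identifiers are hypothetical, and the database is an in-memory list standing in for the updated feed a real tool would pull. It needs Java 16 or later (records).

```java
import java.util.*;

// Added example (not from the slides): a minimal vulnerable-component gate for a build.
public class ComponentCheck {

    // One vulnerability-database record: versions in [introduced, fixed) are affected.
    record Advisory(String id, String artifact, String introduced, String fixed, String severity) {}

    // One resolved dependency from the build (group:artifact:version).
    record Component(String group, String artifact, String version) {
        String coordinate() { return group + ":" + artifact + ":" + version; }
    }

    // Compare dotted numeric versions component by component, so 1.9.2 < 1.10.0
    // (a plain string comparison would get this wrong). Non-numeric qualifiers
    // such as -SNAPSHOT are deliberately unsupported; a real tool must apply the
    // ecosystem's own version rules.
    static int compareVersions(String a, String b) {
        String[] pa = a.split("\\."), pb = b.split("\\.");
        int n = Math.max(pa.length, pb.length);
        for (int i = 0; i < n; i++) {
            int x = i < pa.length ? Integer.parseInt(pa[i]) : 0;
            int y = i < pb.length ? Integer.parseInt(pb[i]) : 0;
            if (x != y) return Integer.compare(x, y);
        }
        return 0;
    }

    static boolean affects(Advisory adv, Component c) {
        return adv.artifact().equals(c.artifact())
            && compareVersions(c.version(), adv.introduced()) >= 0
            && compareVersions(c.version(), adv.fixed()) < 0;
    }

    // Match every component against every advisory; one report line per finding.
    static List<String> findings(List<Component> deps, List<Advisory> db) {
        List<String> out = new ArrayList<>();
        for (Component c : deps)
            for (Advisory adv : db)
                if (affects(adv, c))
                    out.add(adv.severity() + " " + adv.id() + " " + c.coordinate()
                        + " (fixed in " + adv.fixed() + ")");
        return out;
    }

    public static void main(String[] args) {
        // Constructed sample data: hypothetical coordinates and advisory IDs.
        List<Component> deps = List.of(
            new Component("com.example", "json-lib", "2.4.1"),
            new Component("com.example", "web-core", "3.0.0"),
            new Component("com.example", "logging", "1.9.2"));
        List<Advisory> db = List.of(
            new Advisory("ADV-0001", "json-lib", "2.0.0", "2.4.2", "CRITICAL"),
            new Advisory("ADV-0002", "web-core", "2.5.0", "3.0.0", "HIGH"),
            new Advisory("ADV-0003", "logging", "1.9.0", "1.10.0", "MEDIUM"));

        List<String> report = findings(deps, db);
        report.forEach(System.out::println);

        // The automated alert: a critical finding breaks the build (non-zero exit),
        // which is how the check becomes a preventive control rather than a report.
        boolean critical = report.stream().anyMatch(s -> s.startsWith("CRITICAL"));
        if (critical) {
            System.err.println("ALERT: critical vulnerable component found, failing the build");
            System.exit(1);
        }
    }
}
```

With the sample data the run reports json-lib 2.4.1 (critical) and logging 1.9.2 (medium), leaves web-core 3.0.0 alone because it is exactly the fixed version, and exits 1 so a CI job wired to it stops. Slide 11's point that 63% of organizations never monitor for changes in vulnerability data is the reason the advisory list has to be refreshed on every run rather than bundled once.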