
DevSecCon London 2019: Are Open Source Developers Security’s New Front Line?


Mitun Zavery
Senior Engineer at Sonatype

Bad actors have recognized the power of open source and are now beginning to create their own attack opportunities. This new form of assault, where OSS project credentials are compromised and malicious code is intentionally injected into open source libraries, allows hackers to poison the well. In this session, Mitun will explain how security and developers must work together to stop this trend, or risk losing the entire open source ecosystem.

  • Analyze and detail the events leading to today’s “all-out” attack on the OSS industry
  • Define what the future of open source looks like in today’s new normal
  • Outline how developers can step into the role of security, to protect themselves and the millions of people depending on them

Published in: Technology

  1. Mitun Zavery, Senior Solutions Architect, Sonatype, @MitunZavery. Open Source Developers are the front line. A Shifting landscape of attacks…
  2. - in partnership with -
  3. Source: Sonatype OSS Download Volumes
  4. @MitunZavery 80-90% of code is sourced from external suppliers
  5. The economics of cybercrime
  6. In 2016 cybercrime was estimated to be worth 450 billion dollars. In 2016 the illicit drug trade was estimated to be worth 435 billion dollars. Organized cybercrime is the most profitable type of crime.
  7. Organized cybercrime is the most profitable type of crime.
      • Guess which one has the least risk to the criminal?
      • Guess which is growing the fastest?
      • Guess which one is the hardest to prosecute?
      • Guess which one is predicted to reach 2,100 billion dollars by 2019?
      • Guess which one is predicted to reach 6,000 billion dollars by 2021?
      @spoole167
  8. [Chart: Cybercrime vs. Drug trade, 2013-2021, 0 to 6000 billion dollars] Drugs are not a growth industry. Slide credit: Steve Poole @spoole167
  9. That’s about $800 for every person on the planet. Slide credit: Steve Poole @spoole167
  10. Crypto Currency: Cybercrime’s new best friend. “I have nothing of value in my application.” Your server has CPU cycles. Your visitors have CPU cycles. Your build infra has CPU cycles. Crypto currency allows the attack to be directly monetized.
  11. Jenkins under attack. “So far, $3.4 million has been mined.”
  12. 2013: CVE-2013-2251
      • Network exploitable
      • Medium access complexity
      • No authentication required for exploit
      • Allows unauthorized disclosure of information
      • Allows unauthorized modification
      • Allows disruption of service
  13. Widespread compromise post disclosure
  14. 2014
  15. 2015: Commons Collections, CWE-502. 23,476,966 total downloads in 2016; 18,330,958 (78%) of downloads were vulnerable. https://wvusoldier.wordpress.com/2016/09/05/some-extra-details-on-hospital-ransomware-you-probably-didnt-know/
  16. 5 month opportunity to take corrective action (timeline Mar-Sept; phases shown: Probing, Hack, Crisis Management)
      • March 7: Apache Struts releases updated version to thwart vulnerability CVE-2017-5638
      • March 9: Equifax applications breached through Struts2 vulnerability (large scale exploit)
      • July 29: Breach is discovered by Equifax.
      • Sept 7: A new RCE vulnerability is announced and fixed. CVE-2017-9805
  17. Time to respond before exploit. [Chart: Average Days to Exploit by Year of Date Reported, 2006-2015, 0 to 50 days; labels on chart: Average, 45, 15, 2017] Source: Adapted from IBM X-Force / Analysis by Gartner Research (September 2016)
  18. Complex interdependencies
  19. 100:1, developers outnumber application security
  20. @mitunzavery
  21. What are the right things to do?
  22. 1945: W. Edwards Deming
  23. Traditional supply chain vs. software supply chain
  24. We are not the first industry to face a supply chain challenge
  25. Source: xkcd
  26. @mitunzavery “A set of practices intended to reduce the time between committing a change to a system and the change being placed into normal production, while ensuring high quality”
  27. When you climb the mountain every day, it’s easier. @mitunzavery
  28. Automation requires accuracy. False positives and false negatives inhibit automation. The real cost of developers spending time chasing and remediating incorrect data is not always obvious.
  29. Automation requires accuracy. Examining and matching OSS components via file names and package manifests is prone to error: filenames can be (and have been known to be) renamed to match whitelists.
  30. The anatomy of a false positive
  31. Name based matching incorrectly associates risk. Vendor Component Name: Apache POI 3.7. Vendor Scanned Component: org.apache.poi:poi-3.7.jar. CPE from NVD: cpe:2.3:a:apache:poi

      | Issue | Sonatype Cause | Sonatype | Vendor 1 | Vendor 2 | Vendor 3 | OWASP DepCheck |
      |---|---|---|---|---|---|---|
      | CVE-2012-xxxx | poi-scratchpad | True Negative | False Positive | False Positive | False Positive | False Positive |
      | CVE-2014-xxxx | poi-ooxml | True Negative | False Positive | True Negative | False Positive | False Positive |
      | CVE-2014-xxxx | poi-ooxml | True Negative | False Positive | True Negative | False Positive | False Positive |
      | CVE-2014-xxxx | poi-scratchpad | True Negative | False Positive | False Positive | False Positive | False Positive |
      | CVE-2017-xxxx | poi-examples | True Negative | False Positive | True Negative | False Positive | False Positive |
      | CVE-2017-xxxx | poi-ooxml | True Negative | False Positive | False Positive | False Positive | False Positive |

      Savings: Research time to prove false positives. Rework time to upgrade when not required.
  32. The true cost of false positives and false negatives
  33. Automated decisions require high quality data
      • False positives and incorrect issue identification incur research costs or upgrade costs
      • False negatives leave you at risk

      | Component | Sonatype | Vendor 1 | Vendor 2 | OWASP DepCheck |
      |---|---|---|---|---|
      | Commons Collections 3.2 & 3.2.1 | 1 True Negative, 2 True Positives | 1 False Positive, 1 False Negative, 1 Incorrect ID | 1 True Negative, 2 Incorrect IDs | 1 True Negative, 1 Incorrect ID |
      | Active MQ | 12 True Negatives, 2 True Positives | 2 True Negatives, 1 True Positive, 10 False Positives, 1 False Negative | 2 True Positives, 12 False Positives | |
      | Apache MyFaces 2.0.8 | 1 True Negative, 1 True Positive | 1 True Negative, 1 True Positive | 1 False Positive, 1 False Negative | 1 True Positive, 1 True Negative |
      | Apache POI 2.5.1-final-200408 | 6 True Negatives | 6 True Negatives | 6 False Positives | 6 False Positives |
      | ICU for Java 3.4.1 | 7 True Negatives | 7 True Negatives | 7 False Positives | |
      | jQuery 1.11.2 | 1 True Positive | 1 False Negative | 1 False Positive | 1 True Positive |
      | Spring Transaction 3.0.5 | 10 True Negatives | 10 True Negatives | 10 False Positives | 10 False Positives |
      | mysql-connector-java-5.1.40 | 98 True Negatives | 98 False Positives | | |
      | Rich Faces 4.0 Final | 3 True Positives | 3 False Negatives | 1 False Negative, 2 Incorrect IDs | |
  34. Name based matching creates rework and risk. False positives are the silent killer.
  35. 6000 components analyzed (~1531 artifact discrepancies)
      • 4500 non issues
      • 1034 true positives (1 in 6 is a valid finding)
      • 5330 false positives when CPE was part of the component name
      • 2969 false negatives when CPE was not in the component name
  36. Providing accurate data isn’t easy
  37. How to enable developers to build secure software: do not force developers to use tools designed for security
  38. How to enable developers to build secure software: provide remediation guidance
  39. Control risk across every phase of the Software Development Lifecycle
  40. [Diagram: pipeline stages Dev, CI/CD, QA, UAT, Prod. Public Component Repositories -> Policy Enforcement (Block Bad Stuff) -> Repository -> Developers -> Source Control -> Build -> Deploy, with Policy Enforcement and Early Feedback in the pipeline; Monitored for new issues]
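Slides 29 through 35 make two points: matching a component to a CPE by name fragment produces the false positives in the POI table, and a filename-based whitelist is defeated by renaming. The following is an added example constructed for this page (not Sonatype's, OWASP Dependency-Check's, or any vendor's code; the advisory records, the CVE placeholders copied from slide 31, and the jar bytes are all made up) contrasting name-based CPE matching with exact-coordinate matching, and a filename allowlist with a content-hash allowlist.

```python
import hashlib
import re

# Constructed advisory records (not real data): the CVE ids are the placeholders
# used on slide 31, and each advisory affects only specific POI modules/versions.
ADVISORIES = [
    {"id": "CVE-2012-xxxx", "cpe_product": "poi", "affected": {"poi-scratchpad": {"3.7"}}},
    {"id": "CVE-2014-xxxx", "cpe_product": "poi", "affected": {"poi-ooxml": {"3.7", "3.8"}}},
    {"id": "CVE-2017-xxxx", "cpe_product": "poi", "affected": {"poi-examples": {"3.7"}}},
]

def cpe_name_match(filename):
    """Name-based matching: reduce the jar filename to a CPE product token and
    flag every advisory for that product. Every POI module reduces to 'poi', so
    poi-3.7.jar inherits advisories that only affect other modules."""
    stem = re.sub(r"-\d[\w.]*\.jar$", "", filename)  # 'poi-ooxml-3.7.jar' -> 'poi-ooxml'
    product = stem.split("-")[0]                      # 'poi-ooxml' -> 'poi'
    return sorted(a["id"] for a in ADVISORIES if a["cpe_product"] == product)

def coordinate_match(artifact_id, version):
    """Coordinate-based matching: require the exact artifactId and an affected
    version before reporting an advisory."""
    return sorted(a["id"] for a in ADVISORIES
                  if version in a["affected"].get(artifact_id, set()))

# Constructed stand-ins for jar contents; a real allowlist stores the SHA-256
# of the artifact as published, not its filename.
APPROVED_POI_JAR = b"PK\x03\x04 constructed bytes for the approved poi-3.7.jar"
UNKNOWN_JAR = b"PK\x03\x04 constructed bytes for some other jar"
ALLOWLIST_BY_NAME = {"poi-3.7.jar"}
ALLOWLIST_BY_HASH = {hashlib.sha256(APPROVED_POI_JAR).hexdigest()}

def allowed_by_name(filename, _data):
    """Filename allowlist: satisfied by anything that carries the right name."""
    return filename in ALLOWLIST_BY_NAME

def allowed_by_hash(_filename, data):
    """Content allowlist: satisfied only by the exact approved bytes."""
    return hashlib.sha256(data).hexdigest() in ALLOWLIST_BY_HASH

if __name__ == "__main__":
    print("name-based  :", cpe_name_match("poi-3.7.jar"))     # three false positives
    print("coordinates :", coordinate_match("poi", "3.7"))    # true negative
    print("renamed jar, name allowlist:", allowed_by_name("poi-3.7.jar", UNKNOWN_JAR))
    print("renamed jar, hash allowlist:", allowed_by_hash("poi-3.7.jar", UNKNOWN_JAR))
```

The same name-based logic flags poi-ooxml-3.7.jar and poi-scratchpad-3.7.jar identically, which is why the slide 31 vendors cannot tell the modules apart.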
