Successfully reported this slideshow.
We use your LinkedIn profile and activity data to personalize ads and to show you more relevant ads. You can change your ad preferences anytime.

Automate and Enhance Application Security Analysis


Published on

Presented by Dave Meurer, Sr. Manager Technical Alliances at Synopsys at DevSecOps 101: Containers, Clouds, and Apps in Boston on May 16th, 2019.

Published in: Software
  • Be the first to comment

  • Be the first to like this

Automate and Enhance Application Security Analysis

  1. 1. © 2019 Synopsys, Inc.1 Dave Meurer, Sr. Manager Technical Alliances at Synopsys May 16, 2019 DevSecOps 101, Q2 - Cambridge, MA Automate and Enhance Application Security Analysis
  2. 2. © 2019 Synopsys, Inc.2 Modern software = Proprietary code + Open source components + API usage + Application Configuration …inherent risks
  3. 3. © 2019 Synopsys, Inc.3 The fundamental issue… Codebase Commercial third-party code Purchasing • Licensing? • Security? • Quality? • Support? Open source OPERATIONAL FACTORS Which versions of code are being used, and how old are they (dead projects)? LEGAL RISK Which licenses are used, and do they match anticipated use of the code? SECURITY RISK Which components have vulnerabilities, and what are they? Management visibility—not! “Many open-source assets are either undermanaged or altogether unmanaged.” —Gartner, 2017
  4. 4. © 2019 Synopsys, Inc.4 Open Source Security and Risk Assessment • Fourth year • 1,200+ Black Duck Audits on codebases • Data anonymized and aggregated reports/2019-open-source-security-risk-analysis.html
  5. 5. © 2019 Synopsys, Inc.5 Black Duck Audits: 1,200+ codebases across all industries Industry Distribution Enterprise Software/SaaS 23% Healthcare, Health Tech, Life Sciences 11% Financial Services & FinTech 10% Big Data, AI, BI, Machine Learning 9% Retail & E-Commerce 7% Aerospace, Aviation, Automotive, Transportation, Logistics 6% Internet & Software Infrastructure 5% Internet of Things 5% Telecommunications & Wireless 4% Cybersecurity 3% Virtual Reality, Gaming, Entertainment, Media 3% Manufacturing, Industrials, Robotics 3% Internet and Mobile Apps 3% Marketing Tech 2% EdTech 2% Computer Hardware & Semiconductors 2% Energy & CleanTech 1%
  6. 6. © 2019 Synopsys, Inc.6 Open source is pervasive of the 2018 audited code analyzed was open source of audited codebases contained open source of audited codebases contained more than 50% open source
  7. 7. © 2019 Synopsys, Inc.7 And more than they know… • Few targets were able to produce a list with any confidence • When they could, it tended to be about 50% accurate Average codebase audited by Black Duck contained 298 open source components (up from 257 last year)
  8. 8. © 2019 Synopsys, Inc.8 Open source license compliance remains critical Percentage of codebases with license conflicts Contained components with license conflicts Contained some form of GPL conflict
  9. 9. © 2019 Synopsys, Inc.9 Open source is all about responsible shared re-use Percentage of code bases with common components Contained components that were more than four years out-of-date or had no development activity in the last two years
  10. 10. © 2019 Synopsys, Inc.10 0 2,000 4,000 6,000 8,000 10,000 12,000 14,000 16,000 18,000 1999 2000 2001 2002 2003 2004 2005 2006 2007 2008 2009 2010 2011 2012 2013 2014 2015 2016 2017 2018 Open source vulnerabilities are commonplace, and organizations are failing to protect against them of the audited codebases contained vulnerabilities contained high-risk vulnerabilities
  11. 11. © 2019 Synopsys, Inc.11 CVE-2000-0388 Reporting date May 9, 1990 Impact A buffer overflow when processing the TERMCAP environment variable in FreeBSD 3.4 and prior could result in a local exploit resulting in privilege escalation Mitigation Update the FreeBSD operating environment to a modern version A vulnerability older than many developers and found within the 2018 OSSRA dataset contained vulnerabilities over 10 years old
  12. 12. © 2019 Synopsys, Inc.12 Apache Struts CVE-2018-11776 The life of a vulnerability BDSA (full details) CVE (number) Aug 22nd Introduced v2.0.5 Feb 2007 Disclosure Reported by Man Yue Mo Patch available Aug, 21st Vendor Notified Aug 9 CVE (CPE, CVSS, CWE) Nov 1st BDSA Team identified 23 additional vulnerable versions [ ]
  13. 13. © 2019 Synopsys, Inc.13 Strategy & Planning Maturity Action Plan (MAP) Building Security In Maturity Model (BSIMM) Dynamic Application Security Testing Managed Services Static Application Security Testing Penetration Testing Mobile Application Security Testing Professional Services Industry Solutions Architecture and Design Security Training DevSecOps Integration Cloud Security Synopsys Software Security and Quality Portfolio Integrated Tools Seeker & Defensics Dynamic Analysis Coverity Static Analysis Black Duck Software Composition Analysis =Available on the Polaris platform
  14. 14. © 2019 Synopsys, Inc.14 14
  15. 15. © 2018 Synopsys, Inc.15 Synopsys Pivotal Integrations Pivotal Application Service (PAS) Pivotal Container Service (PKS) Pivotal Concourse Black Duck Seeker Service Broker BETA Service Broker GA Deployment GA Detect GA OpsSight TEST
  16. 16. © 2018 Synopsys, Inc.16 CF CLI / App Mgr Black Duck PCF solution architecture - v2 Developer droplet blobstore app scan metadata Downloads and scans droplet contents Cloud Controller Diego Cell cf create-service Service Instance cf bind-service cf push Black Duck Web Server Open Source Software Risks: Security, License, Operational Black Duck Service Broker “droplet” perceiver core (preceptor) scanner “droplet” façade cf-java-client
  17. 17. © 2018 Synopsys, Inc.17 Key takeaways Open source usage is key to modern applications • Create a robust strategy to benefit from it • Train all development and operations teams to identify critical components Engage with open source communities • Awareness of new features, critical issues and patches occurs at the community level • Foster a sense of engagement and shared ownership within your development teams Open source governance starts with developers • Train all developers to understand the license implications of the component selections • Ensure that when a component version is cached for future use that it’s patched regularly
  18. 18. Thank You