
Open Source Libraries - Managing Risk in Cloud


In recent months we have seen several critical security threats arising from third-party libraries used in software products and services; Heartbleed and POODLE are prominent examples, but the problem is not limited to them, because the heavy consumption of external third-party components in cloud application development creates a large threat landscape. Security threats will never stop, since new attack vectors will keep appearing in these open-source and external components; what matters is how we handle the risk these third-party libraries create.

Published in: Software


  1. Open Source Libraries - Managing Risk in Cloud. Suman Sourav
  2. OWASP Top 10 2013, A9: Using Components with Known Vulnerabilities. Prevalence: Widespread; Detectability: Difficult.
  3. Agenda: Software Development & Open Source Components; Emerging Threats & Landscape; Defense Strategy & Solution; Practical Challenges.
  4. Disclaimer: Not endorsing any tools.
  5. About me: Defensive security professional with 10+ years of experience; specializes in Secure SDLC implementation and in building the security strategy for the organization (threat modeling, secure code review, penetration testing, security test automation); secure coding trainer, security QA testing trainer, speaker; SAFECode & Null Singapore.
  6. Is open source important? At least 75% of organizations rely on open source as the foundation of their applications. The (Maven) Central Repository, the largest source of open source components for developers, handled thirteen billion download requests in a year. (Reference: Sonatype)
  7. A case study: Open Source Component Usage. [Chart: number of open source components (0 to 100) per month, Aug-14 to Dec-15, for Product 1, Product 2 and Product 3; the data series are not recoverable from the text.]
  8. Why to worry?
  9. Quantitative analysis: More than 80 per cent of a typical software application is comprised of open source components and frameworks. Collectively, Global 500 organizations downloaded more than 2.8 million insecure components in one year. There were more than 46 million downloads of insecure versions of the 31 most popular open source security libraries and web frameworks. (Reference: Sonatype)
  10. Threat Landscape
  11. Survey results: 44% of enterprises have no policies governing open source component use in their app development. 77% of those that have adopted open source component policies have never banned a single component. 79% do not need to prove they are using components free of security vulnerabilities. 63% fail to monitor for changes in vulnerability data for open source software components. (Reference: Sonatype)
  12. Why should we take this seriously? Open source components may contain: execution of arbitrary code, XSS, injection, denial of service, insecure cryptographic functions, ...
  13. Wake-up Call: April 7th, 2014
  14. Again in October 2014
  15. Recent vulnerabilities: Java deserialization vulnerability. "combining the readObject() methods of various classes which are available on the classpath of the vulnerable application an attacker can execute functions (including calling Runtime.exec() to execute local OS commands)." Source: websphere-jboss-jenkins-opennms-and-your-application-have-in-common-this-vulnerability/
  16. What else?
  17. Vulnerable Components Utilization (Reference: Sonatype)
  18. Challenges for the developers: they don't know about the vulnerable components; they don't know how to check a component before use; there is no mechanism to update the current status; there is no preventive mechanism.
  19. OWASP Initiatives
  20. OWASP Good Component Practices Project; OWASP Dependency Track Project
  21. Best Strategy to Manage
  22. Continuous Testing: centralize the component repository; integrate the check with the build process; keep the vulnerability database updated; generate an automated alert for any critical issue.
  23. Secure-SDLC: Enforcement points. [Diagram: phases Requirements, Design, Development, Build and Deploy, Staging, Production; controls shown: Security Policy, Threat Modeling, SCM Tools, Repository fed from External Repositories, SCA Tools/IDE Plugins, Security Test Automation, VS/PT/IAST, Components Monitoring, Monitoring, Firewall, National Vulnerability Database.]
  24. Continuous Testing - In a Nutshell. [Flow diagram; actors: Developers, SA, Reporting Server; steps: Build Environment, Integrate With Build, Upload to Server, Login, Execute Scan, Generate Report, Fix Vulnerabilities, Audit and Re-upload.]
  25. Demo
  26. Continuous Monitoring & Remediation
  27. Challenges: removing known vulnerable components; identifying and analyzing the security issues. Each scanned component is classified as Exact Match, Similar Match or Unknown.
  28. Implementation Strategy. Phase 1: web product build integration. Phase 2: metadata of unsupported external components; governance of supported components. Phase 3: improvement of external components; metadata for internal components. Phase 4: vulnerability database for internal components; link with the tool.
  29. Suman Sourav, @SumanS0urav
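The continuous-testing loop on slide 22 (centralized repository, build integration, updated vulnerability data, automated alerts on critical issues) and the Exact/Similar/Unknown component matching on slide 27, as an added example that is not part of the original deck and is not the code of OWASP Dependency Track or any other tool: a Python script that checks a Maven-style component manifest against a vulnerability feed and fails the build when a critical finding appears. The manifest, the component index, the vulnerability entries (the VULN-000x identifiers, version ranges and CVSS scores) and the critical threshold of 7.0 are all constructed for this example and do not describe real components or real CVEs.

```python
"""Build-time component check (added example; all data below is constructed)."""
import sys
from dataclasses import dataclass


def parse_version(v: str) -> tuple:
    """Turn '1.2.4' into (1, 2, 4) so ranges compare numerically, not as strings.
    A qualifier such as '1.2.4-SNAPSHOT' keeps only its leading digits."""
    parts = []
    for piece in v.split("."):
        digits = ""
        for ch in piece:
            if not ch.isdigit():
                break
            digits += ch
        parts.append(int(digits) if digits else 0)
    return tuple(parts)


@dataclass(frozen=True)
class Vuln:
    vuln_id: str      # hypothetical identifier, not a real CVE
    group: str
    artifact: str
    introduced: str   # first affected version (inclusive)
    fixed: str        # first fixed version (exclusive)
    cvss: float


# Constructed vulnerability feed (stands in for an NVD-derived database).
VULN_FEED = [
    Vuln("VULN-0001", "org.example", "webfw", "1.0.0", "1.2.5", 9.8),
    Vuln("VULN-0002", "org.example", "webfw", "1.2.0", "1.3.0", 5.3),
    Vuln("VULN-0003", "org.example", "crypto-utils", "0.1.0", "0.9.0", 7.5),
]

# Constructed index of what the central repository knows about.
KNOWN_INDEX = {
    ("org.example", "webfw"): ["1.2.4", "1.2.5", "1.3.0"],
    ("org.example", "crypto-utils"): ["0.8.0", "0.9.0"],
}

# Constructed manifest, one group:artifact:version coordinate per dependency.
MANIFEST = [
    "org.example:webfw:1.2.4",
    "org.example:crypto-utils:0.8.1",
    "com.vendor:internal-lib:3.0.0",
]


def classify(group: str, artifact: str, version: str) -> str:
    """Exact: coordinate and version known. Similar: artifact known, version not.
    Unknown: the repository has never seen this artifact (e.g. an internal build)."""
    versions = KNOWN_INDEX.get((group, artifact))
    if versions is None:
        return "unknown"
    return "exact" if version in versions else "similar"


def find_vulns(group: str, artifact: str, version: str) -> list:
    """All feed entries whose [introduced, fixed) range contains this version."""
    v = parse_version(version)
    return [
        x for x in VULN_FEED
        if x.group == group and x.artifact == artifact
        and parse_version(x.introduced) <= v < parse_version(x.fixed)
    ]


def check_manifest(manifest: list, critical_threshold: float = 7.0):
    """Return (report rows, critical alerts). Alerts are meant to fail the build."""
    rows, alerts = [], []
    for coord in manifest:
        group, artifact, version = coord.split(":")
        vulns = find_vulns(group, artifact, version)
        rows.append({
            "component": coord,
            "match": classify(group, artifact, version),
            "vulns": [x.vuln_id for x in vulns],
        })
        for x in vulns:
            if x.cvss >= critical_threshold:
                alerts.append(f"{coord}: {x.vuln_id} (CVSS {x.cvss}), fixed in {x.fixed}")
    return rows, alerts


if __name__ == "__main__":
    report, critical = check_manifest(MANIFEST)
    for row in report:
        print(f"{row['component']:40} {row['match']:8} {', '.join(row['vulns']) or '-'}")
    for line in critical:
        print("CRITICAL:", line)
    sys.exit(1 if critical else 0)  # non-zero exit stops the build
```

Run inside the build step after dependency resolution; an "unknown" row is itself worth a review, because a component the repository cannot identify also cannot be matched against the vulnerability feed, which is exactly the gap slide 28 addresses with metadata for internal components.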