ALIENS IN YOUR APPS?
Are you using components with known vulnerabilities?

October 22, 2014 – All Things Open
Ryan Berg, CSO, Sonatype

2 11/12/14
  
www.Sonatype.com/RiskAssessments	
  
Our world runs on software, and software runs on open source components. For four years, we have asked those on the front lines (developers, architects, and managers) how they're using open source components, and how they're balancing the need for speed with the need for security.

3,353 people shared their views this year.

The TRUE State of OSS Security
OSS POLICIES
56% have a policy and 68% follow policies.
Top 3 challenges: no enforcement (workarounds are common), no security, not clear what's expected.

PRACTICES
76% don't have meaningful controls over what components are in their applications.
21% must prove use of secure components.
63% have an incomplete view of license risk.

COMPONENTS
The Central Repository is used by 83%.
Nexus component managers are used 3-to-1 over others.
84% of developers use Maven/Jar to build applications.

STATE OF THE INDUSTRY
Applications are the #1 attack vector leading to breach.
13 billion open source component requests annually.
11 million developers worldwide.
90% of a typical application is now open source components.
46 million vulnerable open source components downloaded annually.

APP SECURITY
6 in 10 don't track vulnerabilities over time.
77% have never banned a component.
31% suspected an open source breach.
Open source component use has exploded

13 BILLION open source software component requests¹
(chart: Central Repository component requests per year, 2007 through 2013, with the axis running from 500M up to 13B)

11 MILLION developers worldwide²

Source: ¹Sonatype, Inc. analysis of the (Maven) Central Repository; ²IDC
Open Source Software is essential

...to help build your applications
Most applications are now assembled from hundreds of open source components…often reflecting as much as 90% of an application.
(chart: ASSEMBLED vs. WRITTEN)

...and satisfy demand.
Open source helps meet the accelerated development demand required for these growth drivers.
Heartbleed raises awareness

Q: Has your organization had a breach that can be attributed to a vulnerability in an open source component or dependency in the last 12 months?

Not uncommon (if you look)

1-in-10 had or suspected an open source related breach in the past 12 months
We care (shhh, don't tell, we don't really)

Q: Has your organization ever banned use of an open source component, library or project?

Proof is in the pudding

More than 1-in-3 say their open source policy doesn't cover security.

Q: How does your open source policy address security vulnerabilities?

Source: 2014 Sonatype Open Source Development and Application Security Survey
But what about developers …

Even when component versions are updated 4-5 times a year to fix known security, license or quality issues.

Q: Does someone actively monitor your components for changes in vulnerability data?

At least it's good in production?

Q: Does your organization maintain an inventory of open source components used in production applications?

Which way are the fingers pointing?

Q: Who has responsibility for tracking & resolving newly discovered component vulnerabilities in *production* applications?

In 2013, 50% named AppDev
In 2013, 8% named AppSec
ARE OPEN SOURCE POLICIES KEEPING OUR APPLICATIONS SAFE?

We don't need no stinking policy!

Q: Does your organization have an open source policy?

We have a policy, mmm bacon

Q: Do you actually follow your company's open source policy?

Policy without controls is?

Is an "Open Source Policy" more than just a document?

Q: How well does your organization control which components are used in development projects?

Don't worry, we got it

But control is not unanimous.

Q: Who in your organization has PRIMARY responsibility for open source policy/governance?

But do I care?

Q: How would you characterize your developers' interest in application security?

Source: 2013 and 2014 Sonatype Open Source Development and
It's the Applications, Stupid

Hey, if it works … ship it!

Q: When selecting components, which characteristics would be most helpful to you? (choose four)

Source: 2014 Sonatype Open Source Development and Application

This security thing is such a drag … Bacon

Q: What application security training is available to you? (multiple selections possible)
Cleanup on Aisle 9, Cleanup on Aisle 9

AppDev runs at Agile & DevOps speed. Is security keeping pace?

Q: At what point in the development process does your organization perform application security analysis? (multiple selections possible)
With Open Source Come License Considerations

You mean licenses matter?

Yet, licensing data is considered helpful to 67% of respondents when selecting open source components to use.

Q: Are open source licensing risks or liabilities a top concern in your position?

Why yes, I believe it does

Q: Does your organization/policy manage the use of components by license types (e.g., GPL, copyleft)?
Defend Your Software Against Common Vulnerability Types
(tongue in cheek)

#1 THE INFECTOR
A vulnerable component that many other components depend upon.
It's always Spring somewhere

Number of Dependent Components: 8781
Downloads: 6,987,246
CVSS Score: 6.8
MTTR: 229
Unique Organizations: 72,156

CVE-2011-2894
Spring Framework 3.0.0 through 3.0.5, Spring Security 3.0.0 through 3.0.5 and 2.0.0 through 2.0.6, and possibly other versions deserialize objects from untrusted sources, which allows remote attackers to bypass intended security restrictions and execute untrusted code by (1) serializing a java.lang.Proxy instance and using InvocationHandler, or (2) accessing internal AOP interfaces, as demonstrated using deserialization of a DefaultListableBeanFactory instance to execute arbitrary commands via the java.lang.Runtime class.
#2 THE IMPOSTOR
A vulnerable component that is also very popular.
An App just isn't an App without XML

Number of Dependent Components: 4003
Downloads: 3,797,847
CVSS: 5
MTTR: 867
Unique Organizations: 119,569

CVE-2009-2625
XMLScanner.java in Apache Xerces2 Java, as used in Sun Java Runtime Environment (JRE) in JDK and JRE 6 before Update 15 and JDK and JRE 5.0 before Update 20, and in other products, allows remote attackers to cause a denial of service (infinite loop and application hang) via malformed XML input, as demonstrated by the Codenomicon XML fuzzing framework.
#3 THE FORGOTTEN
A vulnerable component with a security vulnerability from many years ago.
We are still using that?

Number of Dependent Components: 75
Downloads: 324,765
CVSS: 6.8
Unique Organizations: 119,569

CVE-2003-1516
The org.apache.xalan.processor.XSLProcessorVersion class in Java Plug-in 1.4.2_01 allows signed and unsigned applets to share variables, which violates the Java security model and could allow remote attackers to read or write data belonging to a signed applet.
#4 THE UNDESIRABLE
A popular component with neither a declared nor observable license.
No license, no worries

Number of Dependent Components: 1164
Number of Downloads: 182,145
Latest Release Date: May-11-2006
Unique Organizations: 8,383

jstl:1.2 (Java standard template library implementation)
#5 THE UNPROVEN
A popular component with a declared license but no proof of source.
I am what I say I am

Number of Dependent Components: 1190
Number of Downloads: 19,621
Last Release Date: Jan-12-2011
Unique Organizations: 1,026,964

asm:3.3.1 (Java bytecode analysis framework)
#6 THE LIVING DEAD
A popular component that hasn't been updated in more than 5 years.
One release … Ever!

Number of Dependent Components: 305
Number of Downloads: 432,468
Last Release: Nov-8-2005
Unique Organizations: 14,454

jakarta-regexp:1.4 (regular expression parsing library)
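The six archetypes above all reduce to a handful of inventory signals: dependent count, unique organizations, the age of the published CVE, whether a license is declared or observable, whether the binary is tied to its source, and the date of the last release. As an added example (not Sonatype's tooling and not code from the talk), the Python below triages a constructed inventory built from the slide figures against those signals; the thresholds in `Policy`, the placeholder coordinates for the first three entries, and the license/source fields the slides do not state are assumptions, and a component can match more than one archetype.

```python
"""Flag the six "alien" component archetypes from the talk in a dependency inventory.

Added example, not Sonatype's tooling. Thresholds in Policy are assumptions; the
sample inventory is constructed from the figures on the slides, with coordinates
and license/source fields that the slides do not state filled in as assumptions.
"""
import re
from dataclasses import dataclass
from datetime import date
from typing import Optional

REF_DATE = date(2014, 10, 22)  # date of the talk, used as "today" for age checks


@dataclass
class Component:
    coords: str                       # artifact coordinates, e.g. jstl:1.2
    dependents: int                   # number of components that depend on this one
    downloads: int
    unique_orgs: int                  # distinct organizations that downloaded it
    cve: Optional[str] = None         # published vulnerability affecting this version
    cvss: Optional[float] = None
    last_release: Optional[date] = None
    license_declared: bool = True     # a license is stated in the component metadata
    license_observable: bool = True   # a license text/header can be found in the artifact
    source_verified: bool = False     # the binary has been tied to its claimed source


@dataclass
class Policy:
    """Assumed thresholds; tune them to your own inventory."""
    infector_min_dependents: int = 5000         # vulnerable and widely depended upon
    impostor_min_orgs: int = 100_000            # vulnerable and used by very many organizations
    forgotten_cve_age_years: int = 5            # vulnerability published more than N years ago
    living_dead_release_age_years: float = 5.0  # no release in more than N years


def cve_year(cve_id: str) -> int:
    """CVE identifiers embed the year of assignment: CVE-YYYY-NNNN."""
    m = re.fullmatch(r"CVE-(\d{4})-\d{4,}", cve_id)
    if m is None:
        raise ValueError(f"not a CVE identifier: {cve_id!r}")
    return int(m.group(1))


def years_between(earlier: date, later: date) -> float:
    return (later - earlier).days / 365.25


def classify(c: Component, policy: Optional[Policy] = None, today: date = REF_DATE) -> set:
    """Return every archetype the component matches (a component may match several)."""
    policy = policy or Policy()
    labels = set()
    if c.cve is not None:
        if c.dependents >= policy.infector_min_dependents:
            labels.add("INFECTOR")
        if c.unique_orgs >= policy.impostor_min_orgs:
            labels.add("IMPOSTOR")
        if today.year - cve_year(c.cve) > policy.forgotten_cve_age_years:
            labels.add("FORGOTTEN")
    if not c.license_declared and not c.license_observable:
        labels.add("UNDESIRABLE")
    if c.license_declared and not c.source_verified:
        labels.add("UNPROVEN")
    if c.last_release is not None and \
            years_between(c.last_release, today) > policy.living_dead_release_age_years:
        labels.add("LIVING_DEAD")
    return labels


# Constructed from the slide figures. Coordinates for the first three are placeholders
# (the slides name only the CVE); license/source fields not on the slides are assumed.
INVENTORY = [
    Component("spring-framework:3.0.x", 8781, 6_987_246, 72_156,
              cve="CVE-2011-2894", cvss=6.8, source_verified=True),
    Component("xerces2-java:2.x", 4003, 3_797_847, 119_569,
              cve="CVE-2009-2625", cvss=5.0, source_verified=True),
    Component("xalan:2.x", 75, 324_765, 119_569,
              cve="CVE-2003-1516", cvss=6.8, source_verified=True),
    Component("jstl:1.2", 1164, 182_145, 8_383, last_release=date(2006, 5, 11),
              license_declared=False, license_observable=False),
    Component("asm:3.3.1", 1190, 19_621, 1_026_964, last_release=date(2011, 1, 12),
              source_verified=False),
    Component("jakarta-regexp:1.4", 305, 432_468, 14_454, last_release=date(2005, 11, 8),
              source_verified=True),
]


def triage(inventory, policy: Optional[Policy] = None, today: date = REF_DATE) -> dict:
    """Map coordinates to sorted archetype labels, leaving out components that match none."""
    report = {}
    for c in inventory:
        labels = classify(c, policy, today)
        if labels:
            report[c.coords] = sorted(labels)
    return report


if __name__ == "__main__":
    for coords, labels in triage(INVENTORY).items():
        print(f"{coords:24} {', '.join(labels)}")
```

Run against a real inventory, the same report is what a component manager would gate a build on: anything labelled is a candidate for banning or upgrading before it reaches production.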
  
  
Complimentary	
  assessment	
  to	
  ID	
  aliens	
  in	
  your	
  apps:	
  
www.Sonatype.com/RiskAssessments	
  
MATTERS	
  MOST	
  
(Many	
  were	
  upset	
  that	
  bacon	
  was	
  not	
  an	
  opXon)	
  
Q:	
  What	
  is	
  your	
  favorite	
  pizza	
  topping?	
  
…and	
  prefer	
  beer	
  4-­‐to-­‐1	
  over	
  wine.	
  
Q:	
  What	
  do	
  you	
  like	
  to	
  drink	
  with	
  your	
  pizza?	
  
Thank You!
rberg@sonatype.com

All Things Open
 

More from All Things Open (20)

Building Reliability - The Realities of Observability
Building Reliability - The Realities of ObservabilityBuilding Reliability - The Realities of Observability
Building Reliability - The Realities of Observability
 
Modern Database Best Practices
Modern Database Best PracticesModern Database Best Practices
Modern Database Best Practices
 
Open Source and Public Policy
Open Source and Public PolicyOpen Source and Public Policy
Open Source and Public Policy
 
Weaving Microservices into a Unified GraphQL Schema with graph-quilt - Ashpak...
Weaving Microservices into a Unified GraphQL Schema with graph-quilt - Ashpak...Weaving Microservices into a Unified GraphQL Schema with graph-quilt - Ashpak...
Weaving Microservices into a Unified GraphQL Schema with graph-quilt - Ashpak...
 
The State of Passwordless Auth on the Web - Phil Nash
The State of Passwordless Auth on the Web - Phil NashThe State of Passwordless Auth on the Web - Phil Nash
The State of Passwordless Auth on the Web - Phil Nash
 
Total ReDoS: The dangers of regex in JavaScript
Total ReDoS: The dangers of regex in JavaScriptTotal ReDoS: The dangers of regex in JavaScript
Total ReDoS: The dangers of regex in JavaScript
 
What Does Real World Mass Adoption of Decentralized Tech Look Like?
What Does Real World Mass Adoption of Decentralized Tech Look Like?What Does Real World Mass Adoption of Decentralized Tech Look Like?
What Does Real World Mass Adoption of Decentralized Tech Look Like?
 
How to Write & Deploy a Smart Contract
How to Write & Deploy a Smart ContractHow to Write & Deploy a Smart Contract
How to Write & Deploy a Smart Contract
 
Spinning Your Drones with Cadence Workflows, Apache Kafka and TensorFlow
 Spinning Your Drones with Cadence Workflows, Apache Kafka and TensorFlow Spinning Your Drones with Cadence Workflows, Apache Kafka and TensorFlow
Spinning Your Drones with Cadence Workflows, Apache Kafka and TensorFlow
 
DEI Challenges and Success
DEI Challenges and SuccessDEI Challenges and Success
DEI Challenges and Success
 
Scaling Web Applications with Background
Scaling Web Applications with BackgroundScaling Web Applications with Background
Scaling Web Applications with Background
 
Supercharging tutorials with WebAssembly
Supercharging tutorials with WebAssemblySupercharging tutorials with WebAssembly
Supercharging tutorials with WebAssembly
 
Using SQL to Find Needles in Haystacks
Using SQL to Find Needles in HaystacksUsing SQL to Find Needles in Haystacks
Using SQL to Find Needles in Haystacks
 
Configuration Security as a Game of Pursuit Intercept
Configuration Security as a Game of Pursuit InterceptConfiguration Security as a Game of Pursuit Intercept
Configuration Security as a Game of Pursuit Intercept
 
Scaling an Open Source Sponsorship Program
Scaling an Open Source Sponsorship ProgramScaling an Open Source Sponsorship Program
Scaling an Open Source Sponsorship Program
 
Build Developer Experience Teams for Open Source
Build Developer Experience Teams for Open SourceBuild Developer Experience Teams for Open Source
Build Developer Experience Teams for Open Source
 
Deploying Models at Scale with Apache Beam
Deploying Models at Scale with Apache BeamDeploying Models at Scale with Apache Beam
Deploying Models at Scale with Apache Beam
 
Sudo – Giving access while staying in control
Sudo – Giving access while staying in controlSudo – Giving access while staying in control
Sudo – Giving access while staying in control
 
Fortifying the Future: Tackling Security Challenges in AI/ML Applications
Fortifying the Future: Tackling Security Challenges in AI/ML ApplicationsFortifying the Future: Tackling Security Challenges in AI/ML Applications
Fortifying the Future: Tackling Security Challenges in AI/ML Applications
 
Securing Cloud Resources Deployed with Control Planes on Kubernetes using Gov...
Securing Cloud Resources Deployed with Control Planes on Kubernetes using Gov...Securing Cloud Resources Deployed with Control Planes on Kubernetes using Gov...
Securing Cloud Resources Deployed with Control Planes on Kubernetes using Gov...
 

Recently uploaded

Quantum Computing: Current Landscape and the Future Role of APIs
Quantum Computing: Current Landscape and the Future Role of APIsQuantum Computing: Current Landscape and the Future Role of APIs
Quantum Computing: Current Landscape and the Future Role of APIs
Vlad Stirbu
 
Leading Change strategies and insights for effective change management pdf 1.pdf
Leading Change strategies and insights for effective change management pdf 1.pdfLeading Change strategies and insights for effective change management pdf 1.pdf
Leading Change strategies and insights for effective change management pdf 1.pdf
OnBoard
 
The Future of Platform Engineering
The Future of Platform EngineeringThe Future of Platform Engineering
The Future of Platform Engineering
Jemma Hussein Allen
 
Introduction to CHERI technology - Cybersecurity
Introduction to CHERI technology - CybersecurityIntroduction to CHERI technology - Cybersecurity
Introduction to CHERI technology - Cybersecurity
mikeeftimakis1
 
Transcript: Selling digital books in 2024: Insights from industry leaders - T...
Transcript: Selling digital books in 2024: Insights from industry leaders - T...Transcript: Selling digital books in 2024: Insights from industry leaders - T...
Transcript: Selling digital books in 2024: Insights from industry leaders - T...
BookNet Canada
 
Encryption in Microsoft 365 - ExpertsLive Netherlands 2024
Encryption in Microsoft 365 - ExpertsLive Netherlands 2024Encryption in Microsoft 365 - ExpertsLive Netherlands 2024
Encryption in Microsoft 365 - ExpertsLive Netherlands 2024
Albert Hoitingh
 
Unsubscribed: Combat Subscription Fatigue With a Membership Mentality by Head...
Unsubscribed: Combat Subscription Fatigue With a Membership Mentality by Head...Unsubscribed: Combat Subscription Fatigue With a Membership Mentality by Head...
Unsubscribed: Combat Subscription Fatigue With a Membership Mentality by Head...
Product School
 
De-mystifying Zero to One: Design Informed Techniques for Greenfield Innovati...
De-mystifying Zero to One: Design Informed Techniques for Greenfield Innovati...De-mystifying Zero to One: Design Informed Techniques for Greenfield Innovati...
De-mystifying Zero to One: Design Informed Techniques for Greenfield Innovati...
Product School
 
Elizabeth Buie - Older adults: Are we really designing for our future selves?
Elizabeth Buie - Older adults: Are we really designing for our future selves?Elizabeth Buie - Older adults: Are we really designing for our future selves?
Elizabeth Buie - Older adults: Are we really designing for our future selves?
Nexer Digital
 
PCI PIN Basics Webinar from the Controlcase Team
PCI PIN Basics Webinar from the Controlcase TeamPCI PIN Basics Webinar from the Controlcase Team
PCI PIN Basics Webinar from the Controlcase Team
ControlCase
 
Elevating Tactical DDD Patterns Through Object Calisthenics
Elevating Tactical DDD Patterns Through Object CalisthenicsElevating Tactical DDD Patterns Through Object Calisthenics
Elevating Tactical DDD Patterns Through Object Calisthenics
Dorra BARTAGUIZ
 
Essentials of Automations: Optimizing FME Workflows with Parameters
Essentials of Automations: Optimizing FME Workflows with ParametersEssentials of Automations: Optimizing FME Workflows with Parameters
Essentials of Automations: Optimizing FME Workflows with Parameters
Safe Software
 
A tale of scale & speed: How the US Navy is enabling software delivery from l...
A tale of scale & speed: How the US Navy is enabling software delivery from l...A tale of scale & speed: How the US Navy is enabling software delivery from l...
A tale of scale & speed: How the US Navy is enabling software delivery from l...
sonjaschweigert1
 
Free Complete Python - A step towards Data Science
Free Complete Python - A step towards Data ScienceFree Complete Python - A step towards Data Science
Free Complete Python - A step towards Data Science
RinaMondal9
 
Generative AI Deep Dive: Advancing from Proof of Concept to Production
Generative AI Deep Dive: Advancing from Proof of Concept to ProductionGenerative AI Deep Dive: Advancing from Proof of Concept to Production
Generative AI Deep Dive: Advancing from Proof of Concept to Production
Aggregage
 
DevOps and Testing slides at DASA Connect
DevOps and Testing slides at DASA ConnectDevOps and Testing slides at DASA Connect
DevOps and Testing slides at DASA Connect
Kari Kakkonen
 
PHP Frameworks: I want to break free (IPC Berlin 2024)
PHP Frameworks: I want to break free (IPC Berlin 2024)PHP Frameworks: I want to break free (IPC Berlin 2024)
PHP Frameworks: I want to break free (IPC Berlin 2024)
Ralf Eggert
 
UiPath Test Automation using UiPath Test Suite series, part 4
UiPath Test Automation using UiPath Test Suite series, part 4UiPath Test Automation using UiPath Test Suite series, part 4
UiPath Test Automation using UiPath Test Suite series, part 4
DianaGray10
 
Le nuove frontiere dell'AI nell'RPA con UiPath Autopilot™
Le nuove frontiere dell'AI nell'RPA con UiPath Autopilot™Le nuove frontiere dell'AI nell'RPA con UiPath Autopilot™
Le nuove frontiere dell'AI nell'RPA con UiPath Autopilot™
UiPathCommunity
 
UiPath Test Automation using UiPath Test Suite series, part 3
UiPath Test Automation using UiPath Test Suite series, part 3UiPath Test Automation using UiPath Test Suite series, part 3
UiPath Test Automation using UiPath Test Suite series, part 3
DianaGray10
 

Recently uploaded (20)

Quantum Computing: Current Landscape and the Future Role of APIs
Quantum Computing: Current Landscape and the Future Role of APIsQuantum Computing: Current Landscape and the Future Role of APIs
Quantum Computing: Current Landscape and the Future Role of APIs
 
Leading Change strategies and insights for effective change management pdf 1.pdf
Leading Change strategies and insights for effective change management pdf 1.pdfLeading Change strategies and insights for effective change management pdf 1.pdf
Leading Change strategies and insights for effective change management pdf 1.pdf
 
The Future of Platform Engineering
The Future of Platform EngineeringThe Future of Platform Engineering
The Future of Platform Engineering
 
Introduction to CHERI technology - Cybersecurity
Introduction to CHERI technology - CybersecurityIntroduction to CHERI technology - Cybersecurity
Introduction to CHERI technology - Cybersecurity
 
Transcript: Selling digital books in 2024: Insights from industry leaders - T...
Transcript: Selling digital books in 2024: Insights from industry leaders - T...Transcript: Selling digital books in 2024: Insights from industry leaders - T...
Transcript: Selling digital books in 2024: Insights from industry leaders - T...
 
Encryption in Microsoft 365 - ExpertsLive Netherlands 2024
Encryption in Microsoft 365 - ExpertsLive Netherlands 2024Encryption in Microsoft 365 - ExpertsLive Netherlands 2024
Encryption in Microsoft 365 - ExpertsLive Netherlands 2024
 
Unsubscribed: Combat Subscription Fatigue With a Membership Mentality by Head...
Unsubscribed: Combat Subscription Fatigue With a Membership Mentality by Head...Unsubscribed: Combat Subscription Fatigue With a Membership Mentality by Head...
Unsubscribed: Combat Subscription Fatigue With a Membership Mentality by Head...
 
De-mystifying Zero to One: Design Informed Techniques for Greenfield Innovati...
De-mystifying Zero to One: Design Informed Techniques for Greenfield Innovati...De-mystifying Zero to One: Design Informed Techniques for Greenfield Innovati...
De-mystifying Zero to One: Design Informed Techniques for Greenfield Innovati...
 
Elizabeth Buie - Older adults: Are we really designing for our future selves?
Elizabeth Buie - Older adults: Are we really designing for our future selves?Elizabeth Buie - Older adults: Are we really designing for our future selves?
Elizabeth Buie - Older adults: Are we really designing for our future selves?
 
PCI PIN Basics Webinar from the Controlcase Team
PCI PIN Basics Webinar from the Controlcase TeamPCI PIN Basics Webinar from the Controlcase Team
PCI PIN Basics Webinar from the Controlcase Team
 
Elevating Tactical DDD Patterns Through Object Calisthenics
Elevating Tactical DDD Patterns Through Object CalisthenicsElevating Tactical DDD Patterns Through Object Calisthenics
Elevating Tactical DDD Patterns Through Object Calisthenics
 
Essentials of Automations: Optimizing FME Workflows with Parameters
Essentials of Automations: Optimizing FME Workflows with ParametersEssentials of Automations: Optimizing FME Workflows with Parameters
Essentials of Automations: Optimizing FME Workflows with Parameters
 
A tale of scale & speed: How the US Navy is enabling software delivery from l...
A tale of scale & speed: How the US Navy is enabling software delivery from l...A tale of scale & speed: How the US Navy is enabling software delivery from l...
A tale of scale & speed: How the US Navy is enabling software delivery from l...
 
Free Complete Python - A step towards Data Science
Free Complete Python - A step towards Data ScienceFree Complete Python - A step towards Data Science
Free Complete Python - A step towards Data Science
 
Generative AI Deep Dive: Advancing from Proof of Concept to Production
Generative AI Deep Dive: Advancing from Proof of Concept to ProductionGenerative AI Deep Dive: Advancing from Proof of Concept to Production
Generative AI Deep Dive: Advancing from Proof of Concept to Production
 
DevOps and Testing slides at DASA Connect
DevOps and Testing slides at DASA ConnectDevOps and Testing slides at DASA Connect
DevOps and Testing slides at DASA Connect
 
PHP Frameworks: I want to break free (IPC Berlin 2024)
PHP Frameworks: I want to break free (IPC Berlin 2024)PHP Frameworks: I want to break free (IPC Berlin 2024)
PHP Frameworks: I want to break free (IPC Berlin 2024)
 
UiPath Test Automation using UiPath Test Suite series, part 4
UiPath Test Automation using UiPath Test Suite series, part 4UiPath Test Automation using UiPath Test Suite series, part 4
UiPath Test Automation using UiPath Test Suite series, part 4
 
Le nuove frontiere dell'AI nell'RPA con UiPath Autopilot™
Le nuove frontiere dell'AI nell'RPA con UiPath Autopilot™Le nuove frontiere dell'AI nell'RPA con UiPath Autopilot™
Le nuove frontiere dell'AI nell'RPA con UiPath Autopilot™
 
UiPath Test Automation using UiPath Test Suite series, part 3
UiPath Test Automation using UiPath Test Suite series, part 3UiPath Test Automation using UiPath Test Suite series, part 3
UiPath Test Automation using UiPath Test Suite series, part 3
 

Aliens in Your Apps!

  • 1. ALIENS IN YOUR APPS? Are you using components with known vulnerabilities? October 22, 2014 – All Things Open. Ryan Berg, CSO, Sonatype
  • 7. Open Source Software is essential ...to help build your applications: most applications are now assembled from hundreds of open source components, often reflecting as much as 90% of an application. ...and to satisfy demand: open source helps meet the accelerated development demand required for these growth drivers. (Chart: ASSEMBLED vs. WRITTEN)
  • 8. Heartbleed raises awareness. Q: Has your organization had a breach that can be attributed to a vulnerability in an open source component or dependency in the last 12 months?
  • 9. Not uncommon (if you look). 1-in-10 had or suspected an open source related breach in the past 12 months.
  • 10. We care (shhh, don't tell, we don't really). Q: Has your organization ever banned use of an open source component, library or project?
  • 11. Proof is in the pudding. More than 1-in-3 say their open source policy doesn't cover security. Q: How does your open source policy address security vulnerabilities? Source: 2014 Sonatype Open Source Development and Application Security Survey
  • 12. But what about developers … Even when component versions are updated 4-5 times a year to fix known security, license or quality issues. Q: Does someone actively monitor your components for changes in vulnerability data?
  • 13. At least it's good in production? Q: Does your organization maintain an inventory of open source components used in production applications?
  • 14. Which way are the fingers pointing? Q: Who has responsibility for tracking & resolving newly discovered component vulnerabilities in *production* applications? In 2013, 50% named AppDev; in 2013, 8% named AppSec.
  • 15. ARE OPEN SOURCE POLICIES KEEPING OUR APPLICATIONS SAFE?
  • 16. We don't need no stinking policy! Q: Does your organization have an open source policy?
  • 17. We have a policy, mmm bacon. Q: Do you actually follow your company's open source policy?
  • 18. Policy without controls is? Is an "Open Source Policy" more than just a document? Q: How well does your organization control which components are used in development projects?
  • 19. Don't worry, we got it. But control is not unanimous. Q: Who in your organization has PRIMARY responsibility for open source policy/governance?
  • 20. But do I care? Q: How would you characterize your developers' interest in application security? Source: 2013 and 2014 Sonatype Open Source Development and Application Security Survey
  • 22. Hey, if it works … ship it! Q: When selecting components, which characteristics would be most helpful to you? (choose four) Source: 2014 Sonatype Open Source Development and Application Security Survey
  • 23. This security thing is such a drag … Bacon. Q: What application security training is available to you? (multiple selections possible)
  • 24. Cleanup on Aisle 9, Cleanup on Aisle 9. AppDev runs at Agile & DevOps speed. Is security keeping pace? Q: At what point in the development process does your organization perform application security analysis? (multiple selections possible)
  • 25. With Open Source Come License Considerations
  • 26. You mean licenses matter? Yet licensing data is considered helpful to 67% of respondents when selecting open source components to use. Q: Are open source licensing risks or liabilities a top concern in your position?
  • 27. Why yes, I believe it does. Q: Does your organization/policy manage the use of components by license types (e.g., GPL, copyleft)?
  • 28. Defend Your Software Against Common Vulnerability Types (tongue in cheek)
  • 29. #1 THE INFECTOR: a vulnerable component that many other components depend upon.
  • 30. It's always Spring somewhere
       Number of dependent components: 8,781
       Downloads: 6,987,246
       CVSS score: 6.8
       MTTR: 229
       Unique organizations: 72,156
       CVE-2011-2894: Spring Framework 3.0.0 through 3.0.5, Spring Security 3.0.0 through 3.0.5 and 2.0.0 through 2.0.6, and possibly other versions deserialize objects from untrusted sources, which allows remote attackers to bypass intended security restrictions and execute untrusted code by (1) serializing a java.lang.Proxy instance and using InvocationHandler, or (2) accessing internal AOP interfaces, as demonstrated using deserialization of a DefaultListableBeanFactory instance to execute arbitrary commands via the java.lang.Runtime class.
  • 31. #2 THE IMPOSTOR: a vulnerable component that is also very popular.
  • 32. An App just isn't an App without XML
       Number of dependent components: 4,003
       Downloads: 3,797,847
       CVSS score: 5
       MTTR: 867
       Unique organizations: 119,569
       CVE-2009-2625: XMLScanner.java in Apache Xerces2 Java, as used in Sun Java Runtime Environment (JRE) in JDK and JRE 6 before Update 15 and JDK and JRE 5.0 before Update 20, and in other products, allows remote attackers to cause a denial of service (infinite loop and application hang) via malformed XML input, as demonstrated by the Codenomicon XML fuzzing framework.
  • 33. #3 THE FORGOTTEN: a vulnerable component with a security vulnerability from many years ago.
  • 34. We are still using that?
       Number of dependent components: 75
       Downloads: 324,765
       CVSS score: 6.8
       Unique organizations: 119,569
       CVE-2003-1516: The org.apache.xalan.processor.XSLProcessorVersion class in Java Plug-in 1.4.2_01 allows signed and unsigned applets to share variables, which violates the Java security model and could allow remote attackers to read or write data belonging to a signed applet.
  • 35. #4 THE UNDESIRABLE: a popular component with neither a declared nor observable license.
  • 36. No license, no worries
       Number of dependent components: 1,164
       Number of downloads: 182,145
       Latest release date: May-11-2006
       Unique organizations: 8,383
       jstl:1.2, JSP Standard Tag Library (JSTL) implementation
  • 37. #5 THE UNPROVEN: a popular component with a declared license but no proof of source.
  • 38. I am what I say I am
       Number of dependent components: 1,190
       Number of downloads: 19,621
       Last release date: Jan-12-2011
       Unique organizations: 1,026,964
       asm:3.3.1, Java bytecode analysis framework
  • 39. #6 THE LIVING DEAD: a popular component that hasn't been updated in more than 5 years.
  • 40. One release … Ever!
       Number of dependent components: 305
       Number of downloads: 432,468
       Last release: Nov-8-2005
       Unique organizations: 14,454
       jakarta-regexp:1.4, regular expression parsing library
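The control these six "alien" slides, and the earlier questions about keeping an inventory (slide 13), banning components (slide 10) and monitoring vulnerability data after the build (slide 12), are asking for is mechanical: list what is in the application, match it against a policy, and re-run the match whenever the policy changes. The script below is an added example written for this page; it is not code from the deck or from any Sonatype product. It assumes the inventory is the output of `mvn dependency:list` (the sample output is constructed), that "Spring Framework", "Spring Security" and jakarta-regexp map to the Maven groupIds used in the policy (an assumption of the example; only the CVE-2011-2894 version ranges are taken from the slide), and that the jakarta-regexp ban is a local policy decision based on the slide's release date.

```python
"""Match a Maven dependency inventory against a component policy. Added example,
not code from the deck or from Sonatype; assumes `mvn dependency:list` output."""
from __future__ import annotations
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample of `mvn dependency:list` output for a fictional project:
# one 'groupId:artifactId:type[:classifier]:version:scope' line per dependency.
SAMPLE_MVN_OUTPUT = """\
[INFO] The following files have been resolved:
[INFO]    org.springframework:spring-core:jar:3.0.5.RELEASE:compile
[INFO]    org.springframework.security:spring-security-core:jar:3.0.7.RELEASE:compile
[INFO]    jakarta-regexp:jakarta-regexp:jar:1.4:compile
[INFO]    junit:junit:jar:4.12:test
[INFO]    xerces:xercesImpl:jar:2.11.0:compile
"""

# Newer plugin versions may append " -- module ..." after the scope; tolerated.
DEP_LINE = re.compile(
    r"^\[INFO\]\s+(?P<group>[\w.\-]+):(?P<artifact>[\w.\-]+):[\w\-]+:"
    r"(?:[\w.\-]+:)?(?P<version>[\w.\-]+):(?P<scope>\w+)(?:\s+--.*)?\s*$"
)

@dataclass(frozen=True)
class Dependency:
    group: str
    artifact: str
    version: str
    scope: str

def parse_dependency_list(text: str) -> list[Dependency]:
    """Inventory step: every resolved coordinate, whatever its scope."""
    return [Dependency(m["group"], m["artifact"], m["version"], m["scope"])
            for m in map(DEP_LINE.match, text.splitlines()) if m]

def version_key(version: str) -> tuple[int, ...]:
    """Numeric prefix of a Maven version: '3.0.5.RELEASE' -> (3, 0, 5). Qualifiers
    are ignored; enough for advisory 'X.Y.Z through X.Y.Z' ranges, not full Maven."""
    nums = []
    for part in re.split(r"[.\-]", version):
        if not part.isdigit():
            break
        nums.append(int(part))
    return tuple(nums)

def in_range(version: str, low: str, high: str) -> bool:
    """Inclusive bounds; short versions are zero-padded so 3.0 == 3.0.0."""
    keys = [version_key(v) for v in (version, low, high)]
    width = max(len(k) for k in keys)
    v, lo, hi = (k + (0,) * (width - len(k)) for k in keys)
    return lo <= v <= hi

@dataclass(frozen=True)
class Rule:
    group: str
    artifact: str        # exact artifactId, or "*" for every artifact in the group
    low: Optional[str]   # inclusive bounds; None on both means "any version"
    high: Optional[str]
    reason: str

    def matches(self, dep: Dependency) -> bool:
        if dep.group != self.group or self.artifact not in ("*", dep.artifact):
            return False
        return self.low is None or self.high is None or in_range(dep.version, self.low, self.high)

# Ranges as quoted on the CVE-2011-2894 slide; mapping "Spring Framework" and
# "Spring Security" to these groupIds is this example's assumption.
POLICY = [
    Rule("org.springframework", "*", "3.0.0", "3.0.5",
         "CVE-2011-2894: deserializes untrusted objects (Spring Framework 3.0.0-3.0.5)"),
    Rule("org.springframework.security", "*", "3.0.0", "3.0.5",
         "CVE-2011-2894: deserializes untrusted objects (Spring Security 3.0.0-3.0.5)"),
    Rule("org.springframework.security", "*", "2.0.0", "2.0.6",
         "CVE-2011-2894: deserializes untrusted objects (Spring Security 2.0.0-2.0.6)"),
    # "Living dead" ban: release date from the slide, groupId assumed.
    Rule("jakarta-regexp", "jakarta-regexp", None, None,
         "banned by policy: unmaintained, single release (Nov 2005)"),
]

@dataclass(frozen=True)
class Finding:
    dependency: Dependency
    reason: str

def check_inventory(mvn_output: str, policy: list[Rule] = POLICY) -> list[Finding]:
    """Enforcement step: every (dependency, rule) pair that matches."""
    deps = parse_dependency_list(mvn_output)
    return [Finding(d, r.reason) for d in deps for r in policy if r.matches(d)]

def newly_flagged(mvn_output: str, old: list[Rule], new: list[Rule]) -> list[Finding]:
    """Monitoring step: findings under the new policy that the old one missed.
    The inventory did not change; the vulnerability data did."""
    before = set(check_inventory(mvn_output, old))
    return [f for f in check_inventory(mvn_output, new) if f not in before]

def format_report(findings: list[Finding]) -> str:
    return "\n".join(f"{f.dependency.group}:{f.dependency.artifact}:{f.dependency.version}"
                     f" ({f.dependency.scope}) -> {f.reason}" for f in findings)
```

Run `mvn dependency:list` in the project and feed its output to `check_inventory`; on the constructed sample it flags spring-core 3.0.5.RELEASE (CVE-2011-2894) and jakarta-regexp 1.4 (banned), while spring-security-core 3.0.7.RELEASE falls outside both quoted ranges and passes. Two design points matter for the survey's findings: the inventory must be kept per production release, so that `newly_flagged` can be run against what is actually deployed when the advisory list changes, not only against the next build; and the version comparison deliberately drops qualifiers, so a 3.0.5.RC1 is treated as 3.0.5 and flagged rather than silently skipped.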
  • 41. Complimentary assessment to ID aliens in your apps: www.Sonatype.com/RiskAssessments
  • 43. (Many were upset that bacon was not an option.) Q: What is your favorite pizza topping?
  • 44. …and prefer beer 4-to-1 over wine. Q: What do you like to drink with your pizza?