Recommended
Recommended
More Related Content
What's hot
What's hot (19)
Similar to Automate and Enhance Application Security Analysis
Similar to Automate and Enhance Application Security Analysis (20)
More from Carlos Andrés García
More from Carlos Andrés García (8)
Recently uploaded
Recently uploaded (20)
Automate and Enhance Application Security Analysis
- 1. © 2019 Synopsys, Inc.1 Dave Meurer, Sr. Manager Technical Alliances at Synopsys dmeurer@synopsys.com May 16, 2019 DevSecOps 101, Q2 - Cambridge, MA Automate and Enhance Application Security Analysis
- 2. © 2019 Synopsys, Inc.2 Modern software = Proprietary code + Open source components + API usage + Application Configuration …inherent risks
- 3. © 2019 Synopsys, Inc.3 The fundamental issue… Codebase Commercial third-party code Purchasing • Licensing? • Security? • Quality? • Support? Open source OPERATIONAL FACTORS Which versions of code are being used, and how old are they (dead projects)? LEGAL RISK Which licenses are used, and do they match anticipated use of the code? SECURITY RISK Which components have vulnerabilities, and what are they? Management visibility—not! “Many open-source assets are either undermanaged or altogether unmanaged.” —Gartner, 2017
- 4. © 2019 Synopsys, Inc.4 Open Source Security and Risk Assessment • Fourth year • 1,200+ Black Duck Audits on codebases • Data anonymized and aggregated https://www.synopsys.com/software-integrity/resources/analyst- reports/2019-open-source-security-risk-analysis.html
- 5. © 2019 Synopsys, Inc.5 Black Duck Audits: 1,200+ codebases across all industries Industry Distribution Enterprise Software/SaaS 23% Healthcare, Health Tech, Life Sciences 11% Financial Services & FinTech 10% Big Data, AI, BI, Machine Learning 9% Retail & E-Commerce 7% Aerospace, Aviation, Automotive, Transportation, Logistics 6% Internet & Software Infrastructure 5% Internet of Things 5% Telecommunications & Wireless 4% Cybersecurity 3% Virtual Reality, Gaming, Entertainment, Media 3% Manufacturing, Industrials, Robotics 3% Internet and Mobile Apps 3% Marketing Tech 2% EdTech 2% Computer Hardware & Semiconductors 2% Energy & CleanTech 1%
- 6. © 2019 Synopsys, Inc.6 Open source is pervasive of the 2018 audited code analyzed was open source of audited codebases contained open source of audited codebases contained more than 50% open source
- 7. © 2019 Synopsys, Inc.7 And more than they know… • Few targets were able to produce a list with any confidence • When they could, it tended to be about 50% accurate Average codebase audited by Black Duck contained 298 open source components (up from 257 last year)
- 8. © 2019 Synopsys, Inc.8 Open source license compliance remains critical Percentage of codebases with license conflicts Contained components with license conflicts Contained some form of GPL conflict
- 9. © 2019 Synopsys, Inc.9 Open source is all about responsible shared re-use Percentage of code bases with common components Contained components that were more than four years out-of-date or had no development activity in the last two years
- 10. © 2019 Synopsys, Inc.10 0 2,000 4,000 6,000 8,000 10,000 12,000 14,000 16,000 18,000 1999 2000 2001 2002 2003 2004 2005 2006 2007 2008 2009 2010 2011 2012 2013 2014 2015 2016 2017 2018 Open source vulnerabilities are commonplace, and organizations are failing to protect against them of the audited codebases contained vulnerabilities contained high-risk vulnerabilities
- 11. © 2019 Synopsys, Inc.11 CVE-2000-0388 Reporting date May 9, 1990 Impact A buffer overflow when processing the TERMCAP environment variable in FreeBSD 3.4 and prior could result in a local exploit resulting in privilege escalation Mitigation Update the FreeBSD operating environment to a modern version A vulnerability older than many developers and found within the 2018 OSSRA dataset contained vulnerabilities over 10 years old
- 12. © 2019 Synopsys, Inc.12 Apache Struts CVE-2018-11776 The life of a vulnerability BDSA (full details) CVE (number) Aug 22nd Introduced v2.0.5 Feb 2007 Disclosure Reported by Man Yue Mo Patch available Aug, 21st Vendor Notified Aug 9 CVE (CPE, CVSS, CWE) Nov 1st BDSA Team identified 23 additional vulnerable versions [ ]
- 13. © 2019 Synopsys, Inc.13 Strategy & Planning Maturity Action Plan (MAP) Building Security In Maturity Model (BSIMM) Dynamic Application Security Testing Managed Services Static Application Security Testing Penetration Testing Mobile Application Security Testing Professional Services Industry Solutions Architecture and Design Security Training DevSecOps Integration Cloud Security Synopsys Software Security and Quality Portfolio Integrated Tools Seeker & Defensics Dynamic Analysis Coverity Static Analysis Black Duck Software Composition Analysis =Available on the Polaris platform
- 14. © 2019 Synopsys, Inc.14 14
- 15. © 2018 Synopsys, Inc.15 Synopsys Pivotal Integrations Pivotal Application Service (PAS) Pivotal Container Service (PKS) Pivotal Concourse Black Duck Seeker Service Broker BETA Service Broker GA Deployment GA Detect GA OpsSight TEST
- 16. © 2018 Synopsys, Inc.16 CF CLI / App Mgr Black Duck PCF solution architecture - v2 Developer droplet blobstore app scan metadata Downloads and scans droplet contents Cloud Controller Diego Cell cf create-service Service Instance cf bind-service cf push Black Duck Web Server Open Source Software Risks: Security, License, Operational Black Duck Service Broker “droplet” perceiver core (preceptor) scanner “droplet” façade cf-java-client
- 17. © 2018 Synopsys, Inc.17 Key takeaways Open source usage is key to modern applications • Create a robust strategy to benefit from it • Train all development and operations teams to identify critical components Engage with open source communities • Awareness of new features, critical issues and patches occurs at the community level • Foster a sense of engagement and shared ownership within your development teams Open source governance starts with developers • Train all developers to understand the license implications of the component selections • Ensure that when a component version is cached for future use that it’s patched regularly
Editor's Notes
- The risk issue is unpatched software, not open source use … A lot of cases The open source community does an exemplary job of issuing patches, often at a much faster pace than their proprietary counterparts Vulnerabilities affect both Proprietary and OSS… and the key to patching software IS KNOWING WHAT SOFTWARE YOU HAVE
- Fundamentally every organization is a software company whether they believe they are or not.
- Remove projects with less than 1,000 files – percentage becomes 99% Last year was 57%, year before was 37% Most of the software analyzed were from companies who build software versus software that supports their enterprise… MEANING – proprietary code is the value. Gartner and Forrester state 90% of IT orgs use OSS in mission critical workloads And 90% of OSS is found in new codebases THE REPORT Breaks down the percentages by industry.,
- Black Duck scans indicate that the 20 most popular licenses cover approximately 98% of the open source in use. The OSI and the open source community have done a commendable job in reducing the multitude of open source licenses seen a decade ago
- If these are not identified and tracked, components become out of date – which essentially puts the ownership of that version on the and owns the responsibility of the code… proprietary problem because the open source community has evolved The most common vulnerability found was CVE-2012- 6708, jQuery before 1.9.0 vulnerable to cross-site scripting (XSS) attacks.
- 2017 – over 14,000 vulns 2018 – over 16,000 1999-2016, no year had more than 8,000 60%: TREND IS BETTER - Last year it was 78%
- The average age of vulnerabilities identified 6.6 years
- As some of you may know, this is one of my favorite open source components... not actually to use, but it demo's so well. In this case we are looking at an August vulnerability, CVE-2018-11776... which is a 9.3 out of 10 in the CVSS 2.0 scale. On Aug 21st, this vulnerability was disclosed. It was reported that a handful of versions could be exploited with remote code execution. On the same day, the Apache published an updated version. Now patches typically aren't built in a day, so there is a process that is followed, called the Vulnerability Embargo Process. That means a responsible security researcher, such as Man Yue Mo, discovers a vulnerability, and then notifies the vendor. This occurred on Aug 9th, and the Apache Struts project worked with Man Yue Mo to create the patch. An interesting thing to note, is that vulnerabilities tend to exist in projects well before they are discovered. In this case.... Version 2.0.5 is where this vulnerability was introduced, some 11 1/2 years ago. NOW... the very next day, within 24 hrs, Black Duck published full details about this vulnerability. That includes things like how to fix it, what a workaround may be, all sorts of technical data and CVSS scoring. What you found on the CVE detail, was a number and a description... it looked like this: ANOTHER thing to note, is initially, this vulnerability was thought to only affect a handful of versions, however, the Black Duck Security Advisory team found 23 additional versions that were affected, and reported this back to Apache Struts. Now this page that you see here, was currently awaiting analysis until... Nov 1st, some 2 months after the vulnerability was disclosed. So, if you were only using the CVE list, you would have a number, and a description, but couldn't tell if it was high, medium, low - if there was a workaround or a fix... and ... ... this is 2 months too late, as hackers are automating exploitability these days when vulnerabilities are disclosed.