BEST PRACTICES FOR MANAGING RISK From Open Source Libraries and Components
February 5th at 1pm ET
Jim Routh & Joshua Corman
1/28/2016
FEATURED SPEAKERS
JIM ROUTH, CISO
Certified with CSSLP & CISM
Chairman of FS-ISAC Committee
20+ Years in Application Security
JOSHUA CORMAN, CTO
Co-founder of Rugged Software
Previously w/ Akamai & 451 Group
Trusted Security Professional
@joshcorman
TODAY’S AGENDA
• What is the Third Party Security Working Group
• What are the recommended control types
• Why policy management & enforcement
• What changed?
• Dependence (disproportional)
• Component Lifecycle Management in action
FS-ISAC Third Party Software Security Working Group
Third Party Software Security
Steering Committee Members
1. Jerry Brady, Morgan Stanley
2. Mark Connelly, Thomson Reuters
3. Mahi Dontamasetti, DTCC
4. Paul Fulton, Citi
5. Keith Gordon, Capital One
6. Royal Hansen, Goldman Sachs
7. Chauncey Holden, RBS Citizens Bank
8. Rich Jones, JP Morgan Chase
9. Ben Miron, GE
10. Jim Routh, Aetna
Working Group Members
1. David Smith, Fidelity
2. Don Elkins, Morgan Stanley
3. Matt Levine, Goldman Sachs
4. David Hubley, Capital One
5. Tim Mathias, Thomson Reuters
6. Rishikesh Pande, Citi
The Third Party Software Security Working Group was
established with a mandate to analyze control options and
develop specific recommendations on control types for member
firms to consider adding to their vendor governance programs.
These recommendations on control types are captured in the
FS-ISAC Working Group whitepaper, “Appropriate Software
Security Control Types for Third Party Service and Product
Providers.”
FS-ISAC Third Party Software Security Working Group
Recommended Control Types
1. vBSIMM Process Maturity
2. Binary Static Analysis
3. Policy management and enforcement for consumption of open source libraries and components
Control 3 - Policy management and enforcement for consumption of open source libraries and components
This control type identifies consumable open source libraries for a given Financial Institution, identifies the security vulnerabilities by open source component and enables the Financial Institution to apply controls or governance over the acquisition and use of open source libraries.
Component Usage Has Exploded
Control 3 Open Source Policy Management
Policy Management Capability
FS-ISAC Third Party Software Security Working Group Whitepaper
www.fs-isac.com
WHAT’S CHANGED?
COST, COMPLEXITY, AND RISK
CONSEQUENCES: VALUE & REPLACEABILITY
http://blog.cognitivedissidents.com/2011/10/24/a-replaceability-continuum/
Chart: the replaceability continuum. Layers: Countermeasures; Situational Awareness; Operational Excellence; Defensible Infrastructure. Asset classes: Life, Rights, CritInfr, IP, PII, CCN. Axis: REPLACEABILITY.
HOW MUCH CODE DO WE “WRITE” THESE DAYS?
Chart: Software Evolution, 90% Assembled vs. Written
Component Selection
Open source usage is EXPLODING
Yesterday’s source code is today’s OPEN SOURCE
Chart (open source usage by year):
2007: 500M
2008: 1B
2009: 2B
2010: 4B
2011: 6B
2012: 8B
2013: 13B
A Sea Change in Hacker Targeting
Now that software is assembled…
Today’s approaches AREN’T WORKING
Pipeline: Component Selection → Development → Build and Deploy → Production
COMPONENT SELECTION
• 46m vulnerable components downloaded
• 71% of repos have 1+ critical or severe vulnerability
• 90% of repos have 1+ critical vulnerability
A Massive Supply Chain Problem
• No Visibility: No visibility to what components are used, where they are used and where there is risk.
• No Control: No way to govern/enforce component usage. Policies are not integrated with development.
• No Fix: No efficient way to fix existing flaws.
FROM THE FS-ISAC WHITE PAPER
• Enabling application architects to control versions of software.
• Accelerating the development process by encouraging the consumption of open source libraries that are resilient.
• Reducing operating costs, since the cost of ripping out obsolete components from existing applications is high, assuming the older versions can be identified in the first place.
CLM IN ACTION
BACK TO… CONTROL TYPES
Notional Exposure
• Snapshot Report: What have I downloaded?
Active Risk
• Repository Health Check: What’s in my repo?
• Application Health Check: Are my apps vulnerable?
CVE-2013-2251: WIDESPREAD COMPROMISE
Organizations pictured on the slide: Global Bank; Software Provider; Software Provider’s Customer; State University; Three-Letter Agency; Large Financial Exchange.
How can we choose the best components FROM THE START?
Shift Upstream = ZTTR (Zero Time to Remediation)
Analyze all components from within your IDE
License, Security and Architecture data for each component, evaluated against your policy
Software Evolution
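As an added example (not code from the webinar, the FS-ISAC whitepaper or any Sonatype product), the Python below sketches what Control 3 and the "evaluated against your policy" step above amount to in practice, and it also answers the Repository and Application Health Check questions from the earlier slide in one pass: take the components an application consumes, look each one up in a vulnerability and licence feed, apply a written policy, and return pass/warn/fail findings a build step or IDE plugin can act on. Every coordinate, version, licence name, feed entry and policy threshold is a constructed sample value; CVE-2013-2251 is the advisory the deck itself cites, and the 2.3.15.1 floor is an assumed policy setting, not data from the page.

```python
"""Component policy evaluation: an added, stand-alone example, not code from the
webinar, the FS-ISAC whitepaper or any Sonatype product.  It shows the shape of
Control 3: take the components an application consumes, look each one up in a
vulnerability/licence feed, evaluate the result against a written policy, and
return pass/warn/fail findings that a build step or IDE plugin can act on.
Every coordinate, version, licence and feed entry below is a constructed sample
value except CVE-2013-2251, the advisory the deck itself cites."""
import re
from dataclasses import dataclass
from typing import Dict, List, Sequence, Tuple

# Severity scale used by the policy (an assumption; real feeds carry CVSS scores).
SEVERITY_RANK = {"none": 0, "low": 1, "moderate": 2, "severe": 3, "critical": 4}


@dataclass(frozen=True)
class Component:
    coordinates: str   # "group:artifact", Maven style
    version: str
    license: str


@dataclass(frozen=True)
class Finding:
    coordinates: str
    version: str
    rule: str          # "license", "vulnerability" or "min-version"
    action: str        # "fail" blocks the build; "warn" is reported only
    detail: str


# Constructed sample feed: (coordinates, version) -> (worst severity, advisory ids).
VULN_FEED: Dict[Tuple[str, str], Tuple[str, Tuple[str, ...]]] = {
    ("org.apache.struts:struts2-core", "2.3.15"): ("critical", ("CVE-2013-2251",)),
    ("example.org:legacy-xml-parser", "1.0.2"): ("moderate", ("EXAMPLE-ADV-0001",)),
}

# The written policy the deck talks about, expressed as data. Thresholds are assumptions.
POLICY = {
    "max_severity": "moderate",                     # anything above this fails
    "denied_licenses": {"UNKNOWN", "AGPL-3.0"},
    "min_versions": {"org.apache.struts:struts2-core": "2.3.15.1"},  # assumed floor
}


def version_key(version: str) -> Tuple[int, ...]:
    """Numeric tuple for dotted versions; a non-numeric segment ("RC1") counts as 0."""
    parts = []
    for segment in version.split("."):
        m = re.match(r"\d+", segment)
        parts.append(int(m.group(0)) if m else 0)
    return tuple(parts)


def evaluate(component: Component, policy=POLICY, feed=VULN_FEED) -> List[Finding]:
    """Apply the three policy rules to one component and return its findings."""
    findings: List[Finding] = []

    def add(rule: str, action: str, detail: str) -> None:
        findings.append(Finding(component.coordinates, component.version, rule, action, detail))

    # Rule 1: licence must not be on the denied list (unknown licences are denied too).
    if component.license in policy["denied_licenses"]:
        add("license", "fail", f"licence {component.license} is on the denied list")

    # Rule 2: worst known vulnerability must not exceed the policy ceiling;
    # anything known but below the ceiling is still surfaced as a warning.
    severity, advisories = feed.get((component.coordinates, component.version), ("none", ()))
    if SEVERITY_RANK[severity] > SEVERITY_RANK[policy["max_severity"]]:
        add("vulnerability", "fail", f"{severity} severity: {', '.join(advisories)}")
    elif SEVERITY_RANK[severity] > 0:
        add("vulnerability", "warn", f"{severity} severity: {', '.join(advisories)}")

    # Rule 3: architecture floor, e.g. "nothing older than the first fixed release".
    floor = policy["min_versions"].get(component.coordinates)
    if floor is not None and version_key(component.version) < version_key(floor):
        add("min-version", "fail", f"{component.version} is below the policy minimum {floor}")

    return findings


def health_check(components: Sequence[Component], policy=POLICY, feed=VULN_FEED):
    """Repository or application health check: ('pass'|'warn'|'fail', findings)."""
    findings = [f for c in components for f in evaluate(c, policy, feed)]
    actions = {f.action for f in findings}
    verdict = "fail" if "fail" in actions else ("warn" if "warn" in actions else "pass")
    return verdict, findings


# Constructed sample bill of materials for one application.
SAMPLE_APP = [
    Component("org.apache.struts:struts2-core", "2.3.15", "Apache-2.0"),
    Component("example.org:legacy-xml-parser", "1.0.2", "UNKNOWN"),
    Component("example.org:json-utils", "4.1.0", "MIT"),
]

if __name__ == "__main__":
    verdict, findings = health_check(SAMPLE_APP)
    for f in findings:
        print(f"[{f.action.upper():4}] {f.coordinates}:{f.version} ({f.rule}) {f.detail}")
    print("verdict:", verdict)
```

Run against the whole contents of a repository manager, `health_check` is the Repository Health Check; run against one application's resolved dependency list it is the Application Health Check, and the same function wired into a build step is the enforcement point the deck calls "shift upstream". The policy lives as data rather than code so that the security team can tighten `max_severity` or extend `denied_licenses` without a code change, and an unknown licence is treated as a failure on purpose: a component nobody can classify is exactly the one the visibility slide warns about.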
Little Effort, BIG IMPACT
WE NEED BETTER LEVERAGE!
Most security programs are getting a little bit better everywhere; but not sufficiently better anywhere...
Earlier. Easier. Effective.
DEVELOPERS & APPLICATION SECURITY:
WHO’S RESPONSIBLE?
Take the Survey: https://www.surveymonkey.com/s/Developers_and_App
63% of people concerned with open source
“A new approach in the market is Component Lifecycle Management (CLM) which offers the ability to enforce policies in the development process.”
LEARN MORE
To learn more about the ‘Component Lifecycle Management Approach’, read the OVUM report.
http://www.sonatype.com/resources/whitepapers
BEST PRACTICES FOR MANAGING RISK FROM
OPEN SOURCE LIBRARIES AND COMPONENTS
Thank you for attending today’s event, please contact us with any questions.
http://www.sonatype.com/contact/general-inquiry

Ramesh Iyer
 
FIDO Alliance Osaka Seminar: Passkeys and the Road Ahead.pdf
FIDO Alliance Osaka Seminar: Passkeys and the Road Ahead.pdfFIDO Alliance Osaka Seminar: Passkeys and the Road Ahead.pdf
FIDO Alliance Osaka Seminar: Passkeys and the Road Ahead.pdf
FIDO Alliance
 
DevOps and Testing slides at DASA Connect
DevOps and Testing slides at DASA ConnectDevOps and Testing slides at DASA Connect
DevOps and Testing slides at DASA Connect
Kari Kakkonen
 
FIDO Alliance Osaka Seminar: Overview.pdf
FIDO Alliance Osaka Seminar: Overview.pdfFIDO Alliance Osaka Seminar: Overview.pdf
FIDO Alliance Osaka Seminar: Overview.pdf
FIDO Alliance
 
Generating a custom Ruby SDK for your web service or Rails API using Smithy
Generating a custom Ruby SDK for your web service or Rails API using SmithyGenerating a custom Ruby SDK for your web service or Rails API using Smithy
Generating a custom Ruby SDK for your web service or Rails API using Smithy
g2nightmarescribd
 
AI for Every Business: Unlocking Your Product's Universal Potential by VP of ...
AI for Every Business: Unlocking Your Product's Universal Potential by VP of ...AI for Every Business: Unlocking Your Product's Universal Potential by VP of ...
AI for Every Business: Unlocking Your Product's Universal Potential by VP of ...
Product School
 

Recently uploaded (20)

FIDO Alliance Osaka Seminar: The WebAuthn API and Discoverable Credentials.pdf
FIDO Alliance Osaka Seminar: The WebAuthn API and Discoverable Credentials.pdfFIDO Alliance Osaka Seminar: The WebAuthn API and Discoverable Credentials.pdf
FIDO Alliance Osaka Seminar: The WebAuthn API and Discoverable Credentials.pdf
 
To Graph or Not to Graph Knowledge Graph Architectures and LLMs
To Graph or Not to Graph Knowledge Graph Architectures and LLMsTo Graph or Not to Graph Knowledge Graph Architectures and LLMs
To Graph or Not to Graph Knowledge Graph Architectures and LLMs
 
Designing Great Products: The Power of Design and Leadership by Chief Designe...
Designing Great Products: The Power of Design and Leadership by Chief Designe...Designing Great Products: The Power of Design and Leadership by Chief Designe...
Designing Great Products: The Power of Design and Leadership by Chief Designe...
 
Encryption in Microsoft 365 - ExpertsLive Netherlands 2024
Encryption in Microsoft 365 - ExpertsLive Netherlands 2024Encryption in Microsoft 365 - ExpertsLive Netherlands 2024
Encryption in Microsoft 365 - ExpertsLive Netherlands 2024
 
Securing your Kubernetes cluster_ a step-by-step guide to success !
Securing your Kubernetes cluster_ a step-by-step guide to success !Securing your Kubernetes cluster_ a step-by-step guide to success !
Securing your Kubernetes cluster_ a step-by-step guide to success !
 
From Daily Decisions to Bottom Line: Connecting Product Work to Revenue by VP...
From Daily Decisions to Bottom Line: Connecting Product Work to Revenue by VP...From Daily Decisions to Bottom Line: Connecting Product Work to Revenue by VP...
From Daily Decisions to Bottom Line: Connecting Product Work to Revenue by VP...
 
When stars align: studies in data quality, knowledge graphs, and machine lear...
When stars align: studies in data quality, knowledge graphs, and machine lear...When stars align: studies in data quality, knowledge graphs, and machine lear...
When stars align: studies in data quality, knowledge graphs, and machine lear...
 
JMeter webinar - integration with InfluxDB and Grafana
JMeter webinar - integration with InfluxDB and GrafanaJMeter webinar - integration with InfluxDB and Grafana
JMeter webinar - integration with InfluxDB and Grafana
 
GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using Deplo...
GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using Deplo...GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using Deplo...
GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using Deplo...
 
Connector Corner: Automate dynamic content and events by pushing a button
Connector Corner: Automate dynamic content and events by pushing a buttonConnector Corner: Automate dynamic content and events by pushing a button
Connector Corner: Automate dynamic content and events by pushing a button
 
Slack (or Teams) Automation for Bonterra Impact Management (fka Social Soluti...
Slack (or Teams) Automation for Bonterra Impact Management (fka Social Soluti...Slack (or Teams) Automation for Bonterra Impact Management (fka Social Soluti...
Slack (or Teams) Automation for Bonterra Impact Management (fka Social Soluti...
 
GraphRAG is All You need? LLM & Knowledge Graph
GraphRAG is All You need? LLM & Knowledge GraphGraphRAG is All You need? LLM & Knowledge Graph
GraphRAG is All You need? LLM & Knowledge Graph
 
The Art of the Pitch: WordPress Relationships and Sales
The Art of the Pitch: WordPress Relationships and SalesThe Art of the Pitch: WordPress Relationships and Sales
The Art of the Pitch: WordPress Relationships and Sales
 
Neuro-symbolic is not enough, we need neuro-*semantic*
Neuro-symbolic is not enough, we need neuro-*semantic*Neuro-symbolic is not enough, we need neuro-*semantic*
Neuro-symbolic is not enough, we need neuro-*semantic*
 
Builder.ai Founder Sachin Dev Duggal's Strategic Approach to Create an Innova...
Builder.ai Founder Sachin Dev Duggal's Strategic Approach to Create an Innova...Builder.ai Founder Sachin Dev Duggal's Strategic Approach to Create an Innova...
Builder.ai Founder Sachin Dev Duggal's Strategic Approach to Create an Innova...
 
FIDO Alliance Osaka Seminar: Passkeys and the Road Ahead.pdf
FIDO Alliance Osaka Seminar: Passkeys and the Road Ahead.pdfFIDO Alliance Osaka Seminar: Passkeys and the Road Ahead.pdf
FIDO Alliance Osaka Seminar: Passkeys and the Road Ahead.pdf
 
DevOps and Testing slides at DASA Connect
DevOps and Testing slides at DASA ConnectDevOps and Testing slides at DASA Connect
DevOps and Testing slides at DASA Connect
 
FIDO Alliance Osaka Seminar: Overview.pdf
FIDO Alliance Osaka Seminar: Overview.pdfFIDO Alliance Osaka Seminar: Overview.pdf
FIDO Alliance Osaka Seminar: Overview.pdf
 
Generating a custom Ruby SDK for your web service or Rails API using Smithy
Generating a custom Ruby SDK for your web service or Rails API using SmithyGenerating a custom Ruby SDK for your web service or Rails API using Smithy
Generating a custom Ruby SDK for your web service or Rails API using Smithy
 
AI for Every Business: Unlocking Your Product's Universal Potential by VP of ...
AI for Every Business: Unlocking Your Product's Universal Potential by VP of ...AI for Every Business: Unlocking Your Product's Universal Potential by VP of ...
AI for Every Business: Unlocking Your Product's Universal Potential by VP of ...
 

Best Practices for Managing Risk from Open Source Libraries and Components

  • 1. BEST PRACTICES FOR MANAGING RISK From Open Source Libraries and Components February 5th at 1pm ET Jim Routh & Joshua Corman
  • 2. 2 1/28/2016 FEATURED SPEAKERS JIM ROUTH, CISO JOSHUA CORMAN, CTO Certified with CSSLP & CISM Chairman of FS-ISAC Committee 20+ Years in Application Security Co-founder of Rugged Software Previously w/ Akamai & 451 Group Trusted Security Professional @joshcorman
  • 3. TODAY’S AGENDA 3 1/28/2016 • What is the Third Party Security Working Group • What are the recommended control types • Why policy management & enforcement • What changed? • Dependence (disproportional) • Component Lifecycle Management in action
  • 4. FS-ISAC Third Party Software Security Working Group Third Party Software Security Steering Committee Members 1. Jerry Brady, Morgan Stanley 2. Mark Connelly, Thomson Reuters 3. Mahi Dontamasetti, DTCC 4. Paul Fulton, Citi 5. Keith Gordon, Capital One 6. Royal Hansen, Goldman Sachs 7. Chauncey Holden, RBS Citizens Bank 8. Rich Jones, JP Morgan Chase 9. Ben Miron, GE 10. Jim Routh, Aetna Working Group Members 1. David Smith, Fidelity 2. Don Elkins, Morgan Stanley 3. Matt Levine, Goldman Sachs 4. David Hubley, Capital One 5. Tim Mathias, Thomson Reuters 6. Rishikesh Pande, Citi The Third Party Software Security Working Group was established with a mandate to analyze control options and develop specific recommendations on control types for member firms to consider adding to their vendor governance programs. These recommendations on control types are captured in the FS-ISAC Working Group whitepaper, “Appropriate Software Security Control Types for Third Party Service and Product Providers.”
  • 5. FS-ISAC Third Party Software Security Working Group Recommended Control Types vBSIMM Process Maturity Binary Static Analysis Policy management and enforcement for consumption of open source libraries and components 1 2 3
  • 6. FS-ISAC Third Party Software Security Working Group Control Types
  • 7. FS-ISAC Third Party Software Security Working Group Control 3 - Policy management and enforcement for consumption of open source libraries and components This control type identifies consumable open source libraries for a given Financial Institution, identifies the security vulnerabilities by open source component and enables the Financial Institution to apply controls or governance over the acquisition and use of open source libraries.
  • 8. FS-ISAC Third Party Software Security Working Group Component Usage Has Exploded Control 3 Open Source Policy Management
  • 9. FS-ISAC Third Party Software Security Working Group Policy Management Capability
  • 10. FS-ISAC Third Party Software Security Working Group FS-ISAC Third Party Software Security Working Group Whitepaper www.fs-isac.com
  • 13. CONSEQUENCES: VALUE & REPLACEABILITY http://blog.cognitivedissidents.com/2011/10/24/a-replaceability-continuum/
  • 19. REPLACEABILITY (figure labels): Life, Rights, CritInfr, IP, PII, CCN; Countermeasures, Situational Awareness, Operational Excellence, Defensible Infrastructure
  • 20. HOW MUCH CODE DO WE “WRITE” THESE DAYS? (figure: Software Evolution, 90% Assembled vs. Written)
  • 21. HOW MUCH CODE DO WE “WRITE” THESE DAYS? (figure: Software Evolution, 90% Assembled vs. Written)
  • 22. Component Selection: Open source usage is EXPLODING. Yesterday’s source code is today’s OPEN SOURCE. (chart of yearly open source usage, 2007 through 2013, rising from 500M to 13B)
  • 23. A Sea Change in Hacker Targeting: Now that software is assembled…
  • 24. Today’s approaches AREN’T WORKING. Lifecycle stages: COMPONENT SELECTION, DEVELOPMENT, BUILD AND DEPLOY, PRODUCTION. 46m vulnerable components downloaded! 71% of repos have 1+ critical or severe vulnerability! 90% of repos have 1+ critical vulnerability!
  • 25. A Massive Supply Chain Problem: No Visibility, No Control, No Fix. No visibility to what components are used, where they are used and where there is risk. No way to govern/enforce component usage; policies are not integrated with development. No efficient way to fix existing flaws.
  • 27. FROM THE FS-ISAC WHITE PAPER • Enabling application architects to control versions of software. • Accelerating the development process by encouraging the consumption of open source libraries that are resilient. • Reduce operating costs since the cost of ripping out obsolete components from existing applications is high assuming the older versions can be identified in the first place.
  • 30. Notional Exposure, Active Risk Snapshot Report, Repository Health Check, Application Health Check: What have I downloaded? What’s in my repo? Are my apps vulnerable?
  • 31. CVE-2013-2251: WIDESPREAD COMPROMISE (figure: Global Bank, Software Provider, Software Provider’s Customer, State University, Three-Letter Agency, Large Financial Exchange)
  • 32. How can we choose the best components FROM THE START? Shift Upstream = ZTTR (Zero Time to Remediation) Analyze all components from within your IDE License, Security and Architecture data for each component, evaluated against your policy
  • 34. WE NEED BETTER LEVERAGE! Most security programs are getting a little bit better everywhere; but not sufficiently better anywhere... Earlier. Easier. Effective.
  • 35. DEVELOPERS & APPLICATION SECURITY: WHO’S RESPONSIBLE? Take the Survey: https://www.surveymonkey.com/s/Developers_and_App 63% of people concerned with open source
  • 36. “A new approach in the market is Component Lifecycle Management (CLM) which offers the ability to enforce policies in the development process.” LEARN MORE To learn more about the ‘Component Lifecycle Management Approach’, read the OVUM report. http://www.sonatype.com/resources/whitepapers
  • 37. BEST PRACTICES FOR MANAGING RISK FROM OPEN SOURCE LIBRARIES AND COMPONENTS Thank you for attending today’s event, please contact us with any questions. http://www.sonatype.com/contact/general-inquiry
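Slide 7 defines Control 3 as identifying the open source components in use, mapping known vulnerabilities to them and enforcing governance over their acquisition, and slides 30 and 32 restate it as three questions (what was downloaded, what is in the repo, are the apps vulnerable) answered by checking license and security data for each component against a policy. The following is an added example, written for this page and not code from the deck, from FS-ISAC or from any vendor product it mentions. It assumes a component inventory in the "group:artifact:version" shape a build tool's dependency report would produce; every component name, version, license, advisory id and severity in it is constructed for illustration and describes no real library. The policy is enforced differently per lifecycle stage, reflecting slide 25's point that policies not integrated with development do not get enforced.

```python
"""Constructed example: evaluating an open source component inventory against
an institution's policy (severity threshold, denied licenses, per-stage
enforcement). All data below is constructed; none of it describes a real library."""
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

# Constructed inventory, one "group:artifact:version" coordinate per line.
INVENTORY = """\
com.example.web:http-core:2.3.1
com.example.web:http-core:1.9.4
org.example.xml:xml-parse:4.0.0
org.example.crypto:hash-utils:0.8.2
org.example.log:log-engine:3.2.0
"""

# Constructed vulnerability feed: (name, affected range [lo, hi), severity, placeholder id).
KNOWN_VULNS = [
    ("com.example.web:http-core", ("1.0.0", "2.0.0"), "critical", "EXAMPLE-ADV-0001"),
    ("org.example.xml:xml-parse", ("3.0.0", "4.0.1"), "severe", "EXAMPLE-ADV-0002"),
    ("org.example.log:log-engine", ("3.0.0", "3.2.1"), "moderate", "EXAMPLE-ADV-0003"),
]

# Constructed license metadata keyed by name without version.
LICENSES = {
    "com.example.web:http-core": "Apache-2.0",
    "org.example.xml:xml-parse": "MIT",
    "org.example.crypto:hash-utils": "AGPL-3.0",
    "org.example.log:log-engine": "Apache-2.0",
}

SEVERITY_RANK = {"moderate": 1, "severe": 2, "critical": 3}


@dataclass
class Policy:
    block_at: str = "severe"                       # severity at or above which a component is blocked
    denied_licenses: Tuple[str, ...] = ("AGPL-3.0",)  # licenses not permitted in shipped code
    # Enforcement per lifecycle stage: "warn" shows findings but passes, "fail" stops the step.
    stage_mode: Dict[str, str] = field(default_factory=lambda: {
        "development": "warn", "build": "fail", "production": "fail"})


@dataclass
class Finding:
    coordinate: str
    decision: str          # "allow", "warn" or "block"
    reasons: List[str]


def parse_version(v: str) -> Tuple[int, ...]:
    """Turn '1.9.4' into (1, 9, 4) so versions compare numerically, not as strings."""
    return tuple(int(p) for p in v.split("."))


def in_range(version: str, lo: str, hi: str) -> bool:
    """Half-open range check lo <= version < hi on dotted numeric versions."""
    return parse_version(lo) <= parse_version(version) < parse_version(hi)


def parse_inventory(text: str) -> List[Tuple[str, str]]:
    """Split each 'group:artifact:version' line into (name, version)."""
    out = []
    for line in text.splitlines():
        line = line.strip()
        if line:
            group, artifact, version = line.split(":")
            out.append((f"{group}:{artifact}", version))
    return out


def evaluate(name: str, version: str, policy: Policy) -> Finding:
    """Apply the security and license rules to one component."""
    reasons, worst = [], 0
    for vuln_name, (lo, hi), severity, adv in KNOWN_VULNS:
        if vuln_name == name and in_range(version, lo, hi):
            reasons.append(f"{adv} ({severity}) affects {lo} <= v < {hi}")
            worst = max(worst, SEVERITY_RANK[severity])
    license_name = LICENSES.get(name, "unknown")
    license_bad = license_name == "unknown" or license_name in policy.denied_licenses
    if license_bad:
        reasons.append(f"license {license_name} not permitted")
    if worst >= SEVERITY_RANK[policy.block_at] or license_bad:
        decision = "block"
    elif reasons:
        decision = "warn"      # known issue below the block threshold: visible, not fatal
    else:
        decision = "allow"
    return Finding(f"{name}:{version}", decision, reasons)


def check_inventory(text: str, policy: Policy, stage: str) -> Tuple[List[Finding], bool]:
    """Evaluate every component; return the findings and whether this stage passes."""
    findings = [evaluate(n, v, policy) for n, v in parse_inventory(text)]
    blocked = any(f.decision == "block" for f in findings)
    mode = policy.stage_mode.get(stage, "fail")   # unknown stages fail closed
    return findings, not (blocked and mode == "fail")


def summarize(findings: List[Finding]) -> Dict[str, int]:
    """Counts per decision, answering 'are my apps vulnerable?' at a glance."""
    counts = {"allow": 0, "warn": 0, "block": 0}
    for f in findings:
        counts[f.decision] += 1
    return counts


if __name__ == "__main__":
    for stage in ("development", "build"):
        findings, passed = check_inventory(INVENTORY, Policy(), stage)
        print(f"[{stage}] passed={passed} {summarize(findings)}")
        for f in findings:
            print(f"  {f.decision:5} {f.coordinate}  {'; '.join(f.reasons)}")
```

Running the same inventory through the "development" and "build" stages shows the design choice: the findings are identical, but only the build step is stopped, so a developer sees a blocked component in the IDE before it ever reaches a release pipeline.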