Learn how fast-growing authentication and mobile security solutions provider Entersekt leverages Black Duck Hub for competitive advantage by automating open source security risk management throughout the Software Development Lifecycle (SDLC)
4. Our problem: A global authentication pandemic
• Phishing attacks cost global organizations billions every year
• One out of 5 fraudulent transactions originate in the mobile channel
• More than 90% of mobile apps contain basic vulnerabilities
News headlines:
• LinkedIn suffers data breach
• Zeus Botnet Eurograbber steals $47 million
• Don’t bank on your phone – it could be hacked by Zeus ‘trojan horse’
• New vulnerabilities reported on a weekly basis
• Successful attacks not even making headlines anymore
5. A solution: Entersekt’s story
• Founded in 2008 by 5 engineering students
• The mother of one of the founders was defrauded
• They wanted to do something that matters
• Not daunted by the current failings of security solutions
• A novel approach with existing tech
6. Going live in 2012: Nedbank as a case study
[Chart: weekly data points from 30-Jan to 30-Jun, y-axis 0 to 80; legend: Attempts, Fraud; annotation: Entersekt go-live]
Nedbank does not even appear on the SARS e-filing phishing site!
7. A growing global footprint
Johannesburg, Mauritius, Atlanta, Beirut, Dubai, Lagos, Minneapolis, Sydney, Amsterdam, Cape Town, Zurich, Palo Alto
14. Our open source challenges
1. Risk management
   1. Approved open source?
   2. How secure?
   3. Can we be diligent and agile?
2. Multiple component groups
3. Ability to identify open source licenses
4. Scaling
   1. Manual vulnerability assessment process
   2. Getting behind with updates
15. And the winner was...
“Black Duck met Entersekt’s checklist of what we needed in an open source vulnerability management solution better than any other vendor.”
16. Black Duck Hub checks the boxes
1. Seamless integration & ease of use
2. Relevant feedback
3. Earlier in the SDLC
4. Real-time and continuous monitoring
5. Automated notifications
17. Black Duck Hub checks the boxes (cont.)
6. Easy-to-digest reports with minimal false positives
7. Jenkins support & secure scanning
8. Code doesn’t leave the intranet
9. Identify open source licenses
19. In an ideal world
[Pipeline diagram]
• COMMIT (Pull Request, Merge Master) – Tool: Git
• BUILD – Tool: Docker/Maven
• OS SECURITY – Tool: Black Duck Hub
• STATIC CODE ANALYSIS – Tool: SonarQube
• TEST (JUnit, Automated) – Tool: Docker
• DEPLOY (DEV, QA, INT, LT) – Tool: Docker
• Release? → RELEASE (PROD, Release repos)
• DASHBOARD – Tool: Docker
• ALERTS – Tools: Slack/email
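The pipeline on this slide written down as one standard Jenkins declarative pipeline, an added example rather than Entersekt’s own Jenkinsfile: stage names and tools follow the slide; the ci/ wrapper scripts, the credential id, the Slack channel and the mail address are assumptions, and the Black Duck step is a placeholder because the slide does not show how the Hub scan is invoked.

```groovy
// Added example, not Entersekt's or Black Duck's own: one declarative Jenkinsfile
// that follows the stage order of the "In an ideal world" slide. The two ci/ scripts,
// the credential id, the Slack channel and the mail address are placeholders.
pipeline {
    agent any
    environment {
        // Hub API token from the Jenkins credential store; never hard-coded in the repo
        HUB_TOKEN = credentials('blackduck-hub-token')   // assumed credential id
    }
    stages {
        stage('Commit') {                 // Tool: Git; runs on pull request and merge to master
            steps { checkout scm }
        }
        stage('Build') {                  // Tool: Docker/Maven
            steps { sh 'mvn -B -DskipTests package' }
        }
        stage('Scan and test') {          // one parallel stage so the CIs do not block each other
            parallel {
                stage('OS security') {            // Tool: Black Duck Hub
                    steps {
                        // placeholder wrapper around the Hub scan; it runs on the agent, so code stays inside the intranet
                        sh './ci/blackduck-scan.sh "$JOB_NAME" "$BUILD_NUMBER"'
                    }
                }
                stage('Static code analysis') {   // Tool: SonarQube
                    steps { sh 'mvn -B sonar:sonar' }
                }
                stage('Test') {                   // JUnit, automated
                    steps { sh 'mvn -B test' }
                    post { always { junit 'target/surefire-reports/*.xml' } }
                }
            }
        }
        stage('Deploy') {                 // Tool: Docker; DEV -> QA -> INT -> LT
            when { branch 'master' }
            steps { sh './ci/deploy.sh dev' }     // placeholder deploy script
        }
        stage('Release?') {               // manual gate before PROD and the release repos
            when { branch 'master' }
            steps { input message: 'Promote this build to PROD?' }
        }
    }
    post {
        failure {                         // Tools: Slack/email (slackSend needs the Slack plugin)
            slackSend channel: '#ci-alerts', message: "FAILED ${env.JOB_NAME} #${env.BUILD_NUMBER}"
            mail to: 'dev-team@example.invalid', subject: "Pipeline failed: ${env.JOB_NAME}", body: env.BUILD_URL
        }
    }
}
```

Sharing one Jenkinsfile like this across teams is the "standard pipeline framework" the lessons-learned slide asks for, and it removes the manual Black Duck runs by making the Hub scan a gate on every pull request.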
20. Reality bites
• Urgent vs important
• Build pipeline challenges
• Jenkins jobs different in each team/project
• Black Duck sometimes executed manually
• CIs block each other
• Vulnerability triage
• No best practice/standard
• Maintenance owner
21. Lessons learned
• Improve CI runtime
• Internal Black Duck “policy”
• A champion per team
• Policy management (phase II)
• Email & Jira integration (phase III)
• Implement a standard pipeline framework