SlideShare a Scribd company logo

Open Source Security for Newbies - Best Practices

Black Duck by Synopsys
Black Duck by Synopsys

Are you new to Black Duck or open source security? Do you need a refresher? Understanding the fundamentals of open source security is critical to keeping your data and organization safe. During this session, we'll share best practices from the world's leading experts to help you establish a foundation for success.

Technology
1 of 35
Download to read offline
Open Source Security for Beginners - Best Practices
• Overview of open source risk • Designing a Successful Risk Mitigation Strategy • Planning for Vulnerability Remediation • Wrap up Agenda
What are possible security vulnerabilities in this home? • Physical and/or policy-based What are security threats to this home? • Are some threats more likely to occur than others? What would an attack look like? • Have any neighbors been robbed? How should one prioritize defenses? • What is an acceptable level or risk? Security Vocabulary
But security investment is often not aligned with actual risks
Virtually all Global 2000 companies use open source to run critical infrastructure. - Gartner Open Source Has Blown Past the Tipping Point © Black Duck Software 2017 | CONFIDENTIAL Open Source Projects (Millions) 70% of apps will run on OSS databases by 2018 50% of orgs face problems because of a lack of policy 2.5 0.1 0.2 0.5 1.5 1.0 2007 2009 2011 2013 2015 2017
Open Source in Commercial Software 22% of applications had >50% open source
7
License Risk • Open source license compliance • Ensure project dependencies are understood Operational risk • How well supported is a component? • Can you differentiate between “stable” and “dead”? • Are there more recent versions? Security Risk • Exploitable vulnerabilities in components • Old components with multiple vulnerabilities Open Source Risk Elements
Open Source Security
Open Source is Not Risk Free
Over 9,000 new vulnerabilities in open source since 2014 Over 80,000 total vulnerabilities in NVD, only 63 reference automated tools • 50 of those are for vulnerabilities reported in the tools • 13 are for vulnerabilities that could be identified by a fuzzer Over 34,000 known open source vulnerabilities since 2000 0 500 1000 1500 2000 2500 3000 3500 4000 1999 2000 2001 2002 2003 2004 2005 2006 2007 2008 2009 2010 2011 2012 2013 2014 2015 2016 NVD Black Duck exclusive
HIPAA + FTC Act + FDA Regulations + State laws + Enforcement actions + . . . . Open Source and Regulatory Requirements }= Reasonable Security
What Would Constitute “Reasonable Security”?
Practical Implications of Regulatory Standards A) Risk analysis (Required). Conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information held by the covered entity. Risk Assessment • Identify vulnerabilities in all covered software • Review of custom code to identify vulnerabilities • Monitor for new vulnerabilities
Practical Implications of Regulatory Standards (B) Risk management (Required). Implement security measures sufficient to reduce risks and vulnerabilities to a reasonable and appropriate level to comply with § 164.306(a). Risk Management • Have policies and controls in place to address identified risks in a timely manner
Signature-based Scanning File Information Extraction Build Process Monitoring Risk Assessment: Visibility to All Components is Key A 3-Pronged Strategy Chooses the best scan methods for: • Your Dev Tools • Your Business Goals • Your Risk Levels With Impactful Benefits • Automated • Multi-factor identification • Ensures accurate BOM • Broad language support • Identifies partial and modified components • Minimizes false positives / negatives • Streamlines disambiguation Signature-based Scanning Use contextual and file analysis: • File / Directory meta-data • File Content (SHA1 signatures) Build Process Monitoring Build process monitoring • External ID-based • Find Transitive Dependencies • Understand Relationships and Use • E.G. Maven, Gradle File Info Extraction Leverage additional component information • Package Management Files • Installation / SCM artifacts • Manifest Files • .Net Assemblies
Risk Assessment: Completeness of Risk Information © Black Duck Software 2017 | CONFIDENTIAL
Prioritizing & Fixing Security Vulnerabilities
Not all applications are equally important • Determine which are most critical to accomplishing business goals • Determine “acceptable risk” for others Step 1 – Risk Rank Your Applications
How severe is the issue? • CVSS Scores • High, medium, low How is it exploited? • Local access or network • Authentication required? • Complex or simple? Is an exploit publicly available? Step 2 – Prioritize Your Vulnerabilities
What damage can an attacker do? • Read data • Modify data • Denial of Service • Execute unauthorized code or commands • Gain privileges / assume identity • Bypass protection mechanism • Hide activities Prioritize Your Vulnerabilities
Common Weakness Enumerators (CWE)
CWE Defines Technical Impact 23 Technical Impact of SQL Injection: • Read application data • Bypass protection mechanism • Modify application data
Finite number of options 1. Patch 2. Rip and replace 3. Punt 4. Compensating Control Step 4 – Risk Reduction
Is the vulnerability isolated? Is a patch available? Are you prepared to manage your own branch of the code? Patch
With what? • Use resources like OpenHub to make sure you aren’t adding vulnerabilities • Look at changes to determine LoE • Consider a substitute/similar functioning component Rip and Replace Source: openhub.net
Risk is acceptable in terms of business goals and risk appetite • For most applications, removing all vulnerabilities is not necessary Are you using the vulnerable portion of the code? Punt
Can be a substitute for replacing/updating the code Can be a stopgap to mitigate risk until you can remediate Examples • IPS/IDS rules • WAF rules • Centralized data cleansing/input validation Step 4 – Use Compensating Controls
Establishing an OS Security Monitoring Strategy
Application Security Goal: Move “Left” in the SDLC Analyze Design Implement Test Maintain 1x 6.5x 15x 100x Source: IBM Systems Sciences Institute Earlier Visibility to Vulnerabilities Pays Dividends
The Right Tool at the Right Time SDLC Ecosystem Analyze Design Implement Test Maintain Security Intelligence (including data sources) Open Source Selection Detection and Notification IAST Dynamic Analysis Static Analysis Manual Penetration Testing Vulnerability Assessment
• Build and automatically enforce OSS policies • Identify OSS components early in the SDLC • Automatically create and maintain bills of material • Continuously monitor threat environment for new vulnerabilities Open Source Best Practices Reqs • OSS Policies • Application Criticality Ranking • OSS Risk Parameters • License Risk • Security Risk • Operational Risk Design • OSS Selection • Design Review • License Risk • Security Risk • Operational Risk Code • OSS Detection • Automatically detect and alert on non- conforming components • Correlation with Bills of Material Test • OSS Enforcement • Detect and alert on non-conforming components • Correlation with Bills of Material Release • OSS Monitoring • Timely OSS Vulnerability Identification & Reporting • Bug Severity • Remediation Advice
Continued adoption of open source • Value far exceeds controllable risks Increased regulatory oversight • FDA, PCI, HIPAA, FTC Act 5 • GDPR Increased focus on IT infrastructure • Vulnerability scanners don’t cover all open source risks What to Expect in 2018
• Determine which applications are most critical to your organization’s business goals • Create roadmap for ranking, prioritizing, and addressing vulnerabilities based on their technical impact • Design a OS risk monitoring strategy with your team • Know the regulations that impact you + coordinate with internal compliance teams • Move left to improve vulnerability protection over time • Communicate plan with teams and stakeholders Key Takeaways
Questions?

Recommended

Making the Strategic Shift to Open Source at Fujitsu Network Communication
Making the Strategic Shift to Open Source at Fujitsu Network CommunicationMaking the Strategic Shift to Open Source at Fujitsu Network Communication
Making the Strategic Shift to Open Source at Fujitsu Network Communication
Black Duck by Synopsys
 
Software Security Assurance for DevOps
Software Security Assurance for DevOpsSoftware Security Assurance for DevOps
Software Security Assurance for DevOps
Black Duck by Synopsys
 
Buyer and Seller Perspectives on Open Source in Tech Contracts
Buyer and Seller Perspectives on Open Source in Tech ContractsBuyer and Seller Perspectives on Open Source in Tech Contracts
Buyer and Seller Perspectives on Open Source in Tech Contracts
Black Duck by Synopsys
 
The Case for Continuous Open Source Management
The Case for Continuous Open Source ManagementThe Case for Continuous Open Source Management
The Case for Continuous Open Source Management
Black Duck by Synopsys
 
Shift Risk Left: Security Considerations When Migrating Apps to the Cloud
Shift Risk Left: Security Considerations When Migrating Apps to the CloudShift Risk Left: Security Considerations When Migrating Apps to the Cloud
Shift Risk Left: Security Considerations When Migrating Apps to the Cloud
Black Duck by Synopsys
 
Managing Open Source in Application Security and Software Development Lifecycle
Managing Open Source in Application Security and Software Development LifecycleManaging Open Source in Application Security and Software Development Lifecycle
Managing Open Source in Application Security and Software Development Lifecycle
Black Duck by Synopsys
 
Open Source Insight: You Can’t Beat Hackers and the Pentagon Moves into Open...
Open Source Insight: You Can’t Beat Hackers and the Pentagon Moves into Open...Open Source Insight: You Can’t Beat Hackers and the Pentagon Moves into Open...
Open Source Insight: You Can’t Beat Hackers and the Pentagon Moves into Open...
Black Duck by Synopsys
 
PCI and Vulnerability Assessments - What’s Missing
PCI and Vulnerability Assessments - What’s MissingPCI and Vulnerability Assessments - What’s Missing
PCI and Vulnerability Assessments - What’s Missing
Black Duck by Synopsys
 

Recommended

Making the Strategic Shift to Open Source at Fujitsu Network Communication
Making the Strategic Shift to Open Source at Fujitsu Network CommunicationMaking the Strategic Shift to Open Source at Fujitsu Network Communication
Making the Strategic Shift to Open Source at Fujitsu Network Communication
Black Duck by Synopsys
 
Software Security Assurance for DevOps
Software Security Assurance for DevOpsSoftware Security Assurance for DevOps
Software Security Assurance for DevOps
Black Duck by Synopsys
 
Buyer and Seller Perspectives on Open Source in Tech Contracts
Buyer and Seller Perspectives on Open Source in Tech ContractsBuyer and Seller Perspectives on Open Source in Tech Contracts
Buyer and Seller Perspectives on Open Source in Tech Contracts
Black Duck by Synopsys
 
The Case for Continuous Open Source Management
The Case for Continuous Open Source ManagementThe Case for Continuous Open Source Management
The Case for Continuous Open Source Management
Black Duck by Synopsys
 
Shift Risk Left: Security Considerations When Migrating Apps to the Cloud
Shift Risk Left: Security Considerations When Migrating Apps to the CloudShift Risk Left: Security Considerations When Migrating Apps to the Cloud
Shift Risk Left: Security Considerations When Migrating Apps to the Cloud
Black Duck by Synopsys
 
Managing Open Source in Application Security and Software Development Lifecycle
Managing Open Source in Application Security and Software Development LifecycleManaging Open Source in Application Security and Software Development Lifecycle
Managing Open Source in Application Security and Software Development Lifecycle
Black Duck by Synopsys
 
Open Source Insight: You Can’t Beat Hackers and the Pentagon Moves into Open...
Open Source Insight: You Can’t Beat Hackers and the Pentagon Moves into Open...Open Source Insight: You Can’t Beat Hackers and the Pentagon Moves into Open...
Open Source Insight: You Can’t Beat Hackers and the Pentagon Moves into Open...
Black Duck by Synopsys
 
PCI and Vulnerability Assessments - What’s Missing
PCI and Vulnerability Assessments - What’s MissingPCI and Vulnerability Assessments - What’s Missing
PCI and Vulnerability Assessments - What’s Missing
Black Duck by Synopsys
 
Flight WEST 2018 Presentation - A Buyer Investor Playbook for Successfully Na...
Flight WEST 2018 Presentation - A Buyer Investor Playbook for Successfully Na...Flight WEST 2018 Presentation - A Buyer Investor Playbook for Successfully Na...
Flight WEST 2018 Presentation - A Buyer Investor Playbook for Successfully Na...
Black Duck by Synopsys
 
FLIGHT WEST 2018 Presentation - Continuous Monitoring of Open Source Componen...
FLIGHT WEST 2018 Presentation - Continuous Monitoring of Open Source Componen...FLIGHT WEST 2018 Presentation - Continuous Monitoring of Open Source Componen...
FLIGHT WEST 2018 Presentation - Continuous Monitoring of Open Source Componen...
Black Duck by Synopsys
 
Open Source Insight: Container Tech, Data Centre Security & 2018's Biggest Se...
Open Source Insight: Container Tech, Data Centre Security & 2018's Biggest Se...Open Source Insight: Container Tech, Data Centre Security & 2018's Biggest Se...
Open Source Insight: Container Tech, Data Centre Security & 2018's Biggest Se...
Black Duck by Synopsys
 
Open Source and Cyber Security: Open Source Software's Role in Government Cyb...
Open Source and Cyber Security: Open Source Software's Role in Government Cyb...Open Source and Cyber Security: Open Source Software's Role in Government Cyb...
Open Source and Cyber Security: Open Source Software's Role in Government Cyb...
Great Wide Open
 
Myths and Misperceptions of Open Source Security
Myths and Misperceptions of Open Source Security Myths and Misperceptions of Open Source Security
Myths and Misperceptions of Open Source Security
Black Duck by Synopsys
 
Open Source Insight: Black Duck Announces OpsSight for DevOps Open Source Sec...
Open Source Insight: Black Duck Announces OpsSight for DevOps Open Source Sec...Open Source Insight: Black Duck Announces OpsSight for DevOps Open Source Sec...
Open Source Insight: Black Duck Announces OpsSight for DevOps Open Source Sec...
Black Duck by Synopsys
 
Collaborative Development the Gift That Keeps on Giving
Collaborative Development the Gift That Keeps on GivingCollaborative Development the Gift That Keeps on Giving
Collaborative Development the Gift That Keeps on Giving
Black Duck by Synopsys
 
Customer Case Study: ScienceLogic - Many Paths to Compliance
Customer Case Study: ScienceLogic - Many Paths to ComplianceCustomer Case Study: ScienceLogic - Many Paths to Compliance
Customer Case Study: ScienceLogic - Many Paths to Compliance
Black Duck by Synopsys
 
DevSecOps: The Open Source Way
DevSecOps: The Open Source WayDevSecOps: The Open Source Way
DevSecOps: The Open Source Way
Black Duck by Synopsys
 
Threat Modeling the CI/CD Pipeline to Improve Software Supply Chain Security ...
Threat Modeling the CI/CD Pipeline to Improve Software Supply Chain Security ...Threat Modeling the CI/CD Pipeline to Improve Software Supply Chain Security ...
Threat Modeling the CI/CD Pipeline to Improve Software Supply Chain Security ...
Denim Group
 
The Intersection Between Open Source and Cybersecurity
The Intersection Between Open Source and CybersecurityThe Intersection Between Open Source and Cybersecurity
The Intersection Between Open Source and Cybersecurity
Black Duck by Synopsys
 
Managing Penetration Testing Programs and Vulnerability Time to Live with Thr...
Managing Penetration Testing Programs and Vulnerability Time to Live with Thr...Managing Penetration Testing Programs and Vulnerability Time to Live with Thr...
Managing Penetration Testing Programs and Vulnerability Time to Live with Thr...
Denim Group
 
Security Culture from Concept to Maintenance: Secure Software Development Lif...
Security Culture from Concept to Maintenance: Secure Software Development Lif...Security Culture from Concept to Maintenance: Secure Software Development Lif...
Security Culture from Concept to Maintenance: Secure Software Development Lif...
Dilum Bandara
 
Technical Writing for Consultants
Technical Writing for ConsultantsTechnical Writing for Consultants
Technical Writing for Consultants
Dilum Bandara
 
Create code confidence for better application security
Create code confidence for better application security Create code confidence for better application security
Create code confidence for better application security
Rogue Wave Software
 
Leveraging Black Duck Hub to Maximize Focus - Entersekt’s Approach to Empower...
Leveraging Black Duck Hub to Maximize Focus - Entersekt’s Approach to Empower...Leveraging Black Duck Hub to Maximize Focus - Entersekt’s Approach to Empower...
Leveraging Black Duck Hub to Maximize Focus - Entersekt’s Approach to Empower...
Black Duck by Synopsys
 
FLIGHT WEST 2018 - Presentation - SCA 101: How to Manage Open Source Security...
FLIGHT WEST 2018 - Presentation - SCA 101: How to Manage Open Source Security...FLIGHT WEST 2018 - Presentation - SCA 101: How to Manage Open Source Security...
FLIGHT WEST 2018 - Presentation - SCA 101: How to Manage Open Source Security...
Black Duck by Synopsys
 
Devops security-An Insight into Secure-SDLC
Devops security-An Insight into Secure-SDLCDevops security-An Insight into Secure-SDLC
Devops security-An Insight into Secure-SDLC
Suman Sourav
 
Programming languages and techniques for today’s embedded andIoT world
Programming languages and techniques for today’s embedded andIoT worldProgramming languages and techniques for today’s embedded andIoT world
Programming languages and techniques for today’s embedded andIoT world
Rogue Wave Software
 
The How and Why of Container Vulnerability Management
The How and Why of Container Vulnerability ManagementThe How and Why of Container Vulnerability Management
The How and Why of Container Vulnerability Management
Tim Mackey
 
PCI and Vulnerability Assessments - What’s Missing?
PCI and Vulnerability Assessments - What’s Missing?PCI and Vulnerability Assessments - What’s Missing?
PCI and Vulnerability Assessments - What’s Missing?
Black Duck by Synopsys
 
chap-1 : Vulnerabilities in Information Systems
chap-1 : Vulnerabilities in Information Systemschap-1 : Vulnerabilities in Information Systems
chap-1 : Vulnerabilities in Information Systems
KashfUlHuda1
 

More Related Content

What's hot

Flight WEST 2018 Presentation - A Buyer Investor Playbook for Successfully Na...
Flight WEST 2018 Presentation - A Buyer Investor Playbook for Successfully Na...Flight WEST 2018 Presentation - A Buyer Investor Playbook for Successfully Na...
Flight WEST 2018 Presentation - A Buyer Investor Playbook for Successfully Na...
Black Duck by Synopsys
 
FLIGHT WEST 2018 Presentation - Continuous Monitoring of Open Source Componen...
FLIGHT WEST 2018 Presentation - Continuous Monitoring of Open Source Componen...FLIGHT WEST 2018 Presentation - Continuous Monitoring of Open Source Componen...
FLIGHT WEST 2018 Presentation - Continuous Monitoring of Open Source Componen...
Black Duck by Synopsys
 
Open Source Insight: Container Tech, Data Centre Security & 2018's Biggest Se...
Open Source Insight: Container Tech, Data Centre Security & 2018's Biggest Se...Open Source Insight: Container Tech, Data Centre Security & 2018's Biggest Se...
Open Source Insight: Container Tech, Data Centre Security & 2018's Biggest Se...
Black Duck by Synopsys
 
Open Source and Cyber Security: Open Source Software's Role in Government Cyb...
Open Source and Cyber Security: Open Source Software's Role in Government Cyb...Open Source and Cyber Security: Open Source Software's Role in Government Cyb...
Open Source and Cyber Security: Open Source Software's Role in Government Cyb...
Great Wide Open
 
Myths and Misperceptions of Open Source Security
Myths and Misperceptions of Open Source Security Myths and Misperceptions of Open Source Security
Myths and Misperceptions of Open Source Security
Black Duck by Synopsys
 
Open Source Insight: Black Duck Announces OpsSight for DevOps Open Source Sec...
Open Source Insight: Black Duck Announces OpsSight for DevOps Open Source Sec...Open Source Insight: Black Duck Announces OpsSight for DevOps Open Source Sec...
Open Source Insight: Black Duck Announces OpsSight for DevOps Open Source Sec...
Black Duck by Synopsys
 
Collaborative Development the Gift That Keeps on Giving
Collaborative Development the Gift That Keeps on GivingCollaborative Development the Gift That Keeps on Giving
Collaborative Development the Gift That Keeps on Giving
Black Duck by Synopsys
 
Customer Case Study: ScienceLogic - Many Paths to Compliance
Customer Case Study: ScienceLogic - Many Paths to ComplianceCustomer Case Study: ScienceLogic - Many Paths to Compliance
Customer Case Study: ScienceLogic - Many Paths to Compliance
Black Duck by Synopsys
 
DevSecOps: The Open Source Way
DevSecOps: The Open Source WayDevSecOps: The Open Source Way
DevSecOps: The Open Source Way
Black Duck by Synopsys
 
Threat Modeling the CI/CD Pipeline to Improve Software Supply Chain Security ...
Threat Modeling the CI/CD Pipeline to Improve Software Supply Chain Security ...Threat Modeling the CI/CD Pipeline to Improve Software Supply Chain Security ...
Threat Modeling the CI/CD Pipeline to Improve Software Supply Chain Security ...
Denim Group
 
The Intersection Between Open Source and Cybersecurity
The Intersection Between Open Source and CybersecurityThe Intersection Between Open Source and Cybersecurity
The Intersection Between Open Source and Cybersecurity
Black Duck by Synopsys
 
Managing Penetration Testing Programs and Vulnerability Time to Live with Thr...
Managing Penetration Testing Programs and Vulnerability Time to Live with Thr...Managing Penetration Testing Programs and Vulnerability Time to Live with Thr...
Managing Penetration Testing Programs and Vulnerability Time to Live with Thr...
Denim Group
 
Security Culture from Concept to Maintenance: Secure Software Development Lif...
Security Culture from Concept to Maintenance: Secure Software Development Lif...Security Culture from Concept to Maintenance: Secure Software Development Lif...
Security Culture from Concept to Maintenance: Secure Software Development Lif...
Dilum Bandara
 
Technical Writing for Consultants
Technical Writing for ConsultantsTechnical Writing for Consultants
Technical Writing for Consultants
Dilum Bandara
 
Create code confidence for better application security
Create code confidence for better application security Create code confidence for better application security
Create code confidence for better application security
Rogue Wave Software
 
Leveraging Black Duck Hub to Maximize Focus - Entersekt’s Approach to Empower...
Leveraging Black Duck Hub to Maximize Focus - Entersekt’s Approach to Empower...Leveraging Black Duck Hub to Maximize Focus - Entersekt’s Approach to Empower...
Leveraging Black Duck Hub to Maximize Focus - Entersekt’s Approach to Empower...
Black Duck by Synopsys
 
FLIGHT WEST 2018 - Presentation - SCA 101: How to Manage Open Source Security...
FLIGHT WEST 2018 - Presentation - SCA 101: How to Manage Open Source Security...FLIGHT WEST 2018 - Presentation - SCA 101: How to Manage Open Source Security...
FLIGHT WEST 2018 - Presentation - SCA 101: How to Manage Open Source Security...
Black Duck by Synopsys
 
Devops security-An Insight into Secure-SDLC
Devops security-An Insight into Secure-SDLCDevops security-An Insight into Secure-SDLC
Devops security-An Insight into Secure-SDLC
Suman Sourav
 
Programming languages and techniques for today’s embedded andIoT world
Programming languages and techniques for today’s embedded andIoT worldProgramming languages and techniques for today’s embedded andIoT world
Programming languages and techniques for today’s embedded andIoT world
Rogue Wave Software
 
The How and Why of Container Vulnerability Management
The How and Why of Container Vulnerability ManagementThe How and Why of Container Vulnerability Management
The How and Why of Container Vulnerability Management
Tim Mackey
 

What's hot (20)

Flight WEST 2018 Presentation - A Buyer Investor Playbook for Successfully Na...
Flight WEST 2018 Presentation - A Buyer Investor Playbook for Successfully Na...Flight WEST 2018 Presentation - A Buyer Investor Playbook for Successfully Na...
Flight WEST 2018 Presentation - A Buyer Investor Playbook for Successfully Na...
 
FLIGHT WEST 2018 Presentation - Continuous Monitoring of Open Source Componen...
FLIGHT WEST 2018 Presentation - Continuous Monitoring of Open Source Componen...FLIGHT WEST 2018 Presentation - Continuous Monitoring of Open Source Componen...
FLIGHT WEST 2018 Presentation - Continuous Monitoring of Open Source Componen...
 
Open Source Insight: Container Tech, Data Centre Security & 2018's Biggest Se...
Open Source Insight: Container Tech, Data Centre Security & 2018's Biggest Se...Open Source Insight: Container Tech, Data Centre Security & 2018's Biggest Se...
Open Source Insight: Container Tech, Data Centre Security & 2018's Biggest Se...
 
Open Source and Cyber Security: Open Source Software's Role in Government Cyb...
Open Source and Cyber Security: Open Source Software's Role in Government Cyb...Open Source and Cyber Security: Open Source Software's Role in Government Cyb...
Open Source and Cyber Security: Open Source Software's Role in Government Cyb...
 
Myths and Misperceptions of Open Source Security
Myths and Misperceptions of Open Source Security Myths and Misperceptions of Open Source Security
Myths and Misperceptions of Open Source Security
 
Open Source Insight: Black Duck Announces OpsSight for DevOps Open Source Sec...
Open Source Insight: Black Duck Announces OpsSight for DevOps Open Source Sec...Open Source Insight: Black Duck Announces OpsSight for DevOps Open Source Sec...
Open Source Insight: Black Duck Announces OpsSight for DevOps Open Source Sec...
 
Collaborative Development the Gift That Keeps on Giving
Collaborative Development the Gift That Keeps on GivingCollaborative Development the Gift That Keeps on Giving
Collaborative Development the Gift That Keeps on Giving
 
Customer Case Study: ScienceLogic - Many Paths to Compliance
Customer Case Study: ScienceLogic - Many Paths to ComplianceCustomer Case Study: ScienceLogic - Many Paths to Compliance
Customer Case Study: ScienceLogic - Many Paths to Compliance
 
DevSecOps: The Open Source Way
DevSecOps: The Open Source WayDevSecOps: The Open Source Way
DevSecOps: The Open Source Way
 
Threat Modeling the CI/CD Pipeline to Improve Software Supply Chain Security ...
Threat Modeling the CI/CD Pipeline to Improve Software Supply Chain Security ...Threat Modeling the CI/CD Pipeline to Improve Software Supply Chain Security ...
Threat Modeling the CI/CD Pipeline to Improve Software Supply Chain Security ...
 
The Intersection Between Open Source and Cybersecurity
The Intersection Between Open Source and CybersecurityThe Intersection Between Open Source and Cybersecurity
The Intersection Between Open Source and Cybersecurity
 
Managing Penetration Testing Programs and Vulnerability Time to Live with Thr...
Managing Penetration Testing Programs and Vulnerability Time to Live with Thr...Managing Penetration Testing Programs and Vulnerability Time to Live with Thr...
Managing Penetration Testing Programs and Vulnerability Time to Live with Thr...
 
Security Culture from Concept to Maintenance: Secure Software Development Lif...
Security Culture from Concept to Maintenance: Secure Software Development Lif...Security Culture from Concept to Maintenance: Secure Software Development Lif...
Security Culture from Concept to Maintenance: Secure Software Development Lif...
 
Technical Writing for Consultants
Technical Writing for ConsultantsTechnical Writing for Consultants
Technical Writing for Consultants
 
Create code confidence for better application security
Create code confidence for better application security Create code confidence for better application security
Create code confidence for better application security
 
Leveraging Black Duck Hub to Maximize Focus - Entersekt’s Approach to Empower...
Leveraging Black Duck Hub to Maximize Focus - Entersekt’s Approach to Empower...Leveraging Black Duck Hub to Maximize Focus - Entersekt’s Approach to Empower...
Leveraging Black Duck Hub to Maximize Focus - Entersekt’s Approach to Empower...
 
FLIGHT WEST 2018 - Presentation - SCA 101: How to Manage Open Source Security...
FLIGHT WEST 2018 - Presentation - SCA 101: How to Manage Open Source Security...FLIGHT WEST 2018 - Presentation - SCA 101: How to Manage Open Source Security...
FLIGHT WEST 2018 - Presentation - SCA 101: How to Manage Open Source Security...
 
Devops security-An Insight into Secure-SDLC
Devops security-An Insight into Secure-SDLCDevops security-An Insight into Secure-SDLC
Devops security-An Insight into Secure-SDLC
 
Programming languages and techniques for today’s embedded andIoT world
Programming languages and techniques for today’s embedded andIoT worldProgramming languages and techniques for today’s embedded andIoT world
Programming languages and techniques for today’s embedded andIoT world
 
The How and Why of Container Vulnerability Management
The How and Why of Container Vulnerability ManagementThe How and Why of Container Vulnerability Management
The How and Why of Container Vulnerability Management
 

Similar to Open Source Security for Newbies - Best Practices

PCI and Vulnerability Assessments - What’s Missing?
PCI and Vulnerability Assessments - What’s Missing?PCI and Vulnerability Assessments - What’s Missing?
PCI and Vulnerability Assessments - What’s Missing?
Black Duck by Synopsys
 
chap-1 : Vulnerabilities in Information Systems
chap-1 : Vulnerabilities in Information Systemschap-1 : Vulnerabilities in Information Systems
chap-1 : Vulnerabilities in Information Systems
KashfUlHuda1
 
What Every Developer And Tester Should Know About Software Security
What Every Developer And Tester Should Know About Software SecurityWhat Every Developer And Tester Should Know About Software Security
What Every Developer And Tester Should Know About Software Security
Anne Oikarinen
 
Giving your AppSec program the edge - using OpenSAMM for benchmarking and sof...
Giving your AppSec program the edge - using OpenSAMM for benchmarking and sof...Giving your AppSec program the edge - using OpenSAMM for benchmarking and sof...
Giving your AppSec program the edge - using OpenSAMM for benchmarking and sof...
Denim Group
 
How to Solve Your Top IT Security Reporting Challenges with AlienVault
How to Solve Your Top IT Security Reporting Challenges with AlienVaultHow to Solve Your Top IT Security Reporting Challenges with AlienVault
How to Solve Your Top IT Security Reporting Challenges with AlienVault
AlienVault
 
USPS CISO Academy - Vulnerability Management
USPS CISO Academy - Vulnerability ManagementUSPS CISO Academy - Vulnerability Management
USPS CISO Academy - Vulnerability Management
Jim Piechocki
 
Assessing System Risk the Smart Way
Assessing System Risk the Smart WayAssessing System Risk the Smart Way
Assessing System Risk the Smart Way
Security Innovation
 
Cybersecurity overview - Open source compliance seminar
Cybersecurity overview - Open source compliance seminarCybersecurity overview - Open source compliance seminar
Cybersecurity overview - Open source compliance seminar
Rogue Wave Software
 
Secure SDLC in mobile software development.
Secure SDLC in mobile software development.Secure SDLC in mobile software development.
Secure SDLC in mobile software development.
Mykhailo Antonishyn
 
Filling your AppSec Toolbox - Which Tools, When to Use Them, and Why
Filling your AppSec Toolbox - Which Tools, When to Use Them, and WhyFilling your AppSec Toolbox - Which Tools, When to Use Them, and Why
Filling your AppSec Toolbox - Which Tools, When to Use Them, and Why
Black Duck by Synopsys
 
Shifting the conversation from active interception to proactive neutralization
Shifting the conversation from active interception to proactive neutralization Shifting the conversation from active interception to proactive neutralization
Shifting the conversation from active interception to proactive neutralization
Rogue Wave Software
 
Digital Product Security
Digital Product SecurityDigital Product Security
Digital Product Security
SoftServe
 
The road towards better automotive cybersecurity
The road towards better automotive cybersecurityThe road towards better automotive cybersecurity
The road towards better automotive cybersecurity
Rogue Wave Software
 
Security in the Age of Open Source
Security in the Age of Open SourceSecurity in the Age of Open Source
Security in the Age of Open Source
Black Duck by Synopsys
 
Application Portfolio Risk Ranking: Banishing FUD With Structure and Numbers
Application Portfolio Risk Ranking: Banishing FUD With Structure and NumbersApplication Portfolio Risk Ranking: Banishing FUD With Structure and Numbers
Application Portfolio Risk Ranking: Banishing FUD With Structure and Numbers
Denim Group
 
Manoj Purandare - Application Security - Secure Code Assessment Program - Pre...
Manoj Purandare - Application Security - Secure Code Assessment Program - Pre...Manoj Purandare - Application Security - Secure Code Assessment Program - Pre...
Manoj Purandare - Application Security - Secure Code Assessment Program - Pre...
Manoj Purandare ☁
 
Manoj Purandare - Application Security - Secure Code Assessment Program - Pre...
Manoj Purandare - Application Security - Secure Code Assessment Program - Pre...Manoj Purandare - Application Security - Secure Code Assessment Program - Pre...
Manoj Purandare - Application Security - Secure Code Assessment Program - Pre...
Manoj Purandare ☁
 
Manoj Purandare - Application Security - Secure Code Assessment Program - Pre...
Manoj Purandare - Application Security - Secure Code Assessment Program - Pre...Manoj Purandare - Application Security - Secure Code Assessment Program - Pre...
Manoj Purandare - Application Security - Secure Code Assessment Program - Pre...
Manoj Purandare ☁
 
Enterprise under attack dealing with security threats and compliance
Enterprise under attack dealing with security threats and complianceEnterprise under attack dealing with security threats and compliance
Enterprise under attack dealing with security threats and compliance
SPAN Infotech (India) Pvt Ltd
 
Secure application deployment in the age of continuous delivery
Secure application deployment in the age of continuous deliverySecure application deployment in the age of continuous delivery
Secure application deployment in the age of continuous delivery
Black Duck by Synopsys
 

Similar to Open Source Security for Newbies - Best Practices (20)

PCI and Vulnerability Assessments - What’s Missing?
PCI and Vulnerability Assessments - What’s Missing?PCI and Vulnerability Assessments - What’s Missing?
PCI and Vulnerability Assessments - What’s Missing?
 
chap-1 : Vulnerabilities in Information Systems
chap-1 : Vulnerabilities in Information Systemschap-1 : Vulnerabilities in Information Systems
chap-1 : Vulnerabilities in Information Systems
 
What Every Developer And Tester Should Know About Software Security
What Every Developer And Tester Should Know About Software SecurityWhat Every Developer And Tester Should Know About Software Security
What Every Developer And Tester Should Know About Software Security
 
Giving your AppSec program the edge - using OpenSAMM for benchmarking and sof...
Giving your AppSec program the edge - using OpenSAMM for benchmarking and sof...Giving your AppSec program the edge - using OpenSAMM for benchmarking and sof...
Giving your AppSec program the edge - using OpenSAMM for benchmarking and sof...
 
How to Solve Your Top IT Security Reporting Challenges with AlienVault
How to Solve Your Top IT Security Reporting Challenges with AlienVaultHow to Solve Your Top IT Security Reporting Challenges with AlienVault
How to Solve Your Top IT Security Reporting Challenges with AlienVault
 
USPS CISO Academy - Vulnerability Management
USPS CISO Academy - Vulnerability ManagementUSPS CISO Academy - Vulnerability Management
USPS CISO Academy - Vulnerability Management
 
Assessing System Risk the Smart Way
Assessing System Risk the Smart WayAssessing System Risk the Smart Way
Assessing System Risk the Smart Way
 
Cybersecurity overview - Open source compliance seminar
Cybersecurity overview - Open source compliance seminarCybersecurity overview - Open source compliance seminar
Cybersecurity overview - Open source compliance seminar
 
Secure SDLC in mobile software development.
Secure SDLC in mobile software development.Secure SDLC in mobile software development.
Secure SDLC in mobile software development.
 
Filling your AppSec Toolbox - Which Tools, When to Use Them, and Why
Filling your AppSec Toolbox - Which Tools, When to Use Them, and WhyFilling your AppSec Toolbox - Which Tools, When to Use Them, and Why
Filling your AppSec Toolbox - Which Tools, When to Use Them, and Why
 
Shifting the conversation from active interception to proactive neutralization
Shifting the conversation from active interception to proactive neutralization Shifting the conversation from active interception to proactive neutralization
Shifting the conversation from active interception to proactive neutralization
 
Digital Product Security
Digital Product SecurityDigital Product Security
Digital Product Security
 
The road towards better automotive cybersecurity
The road towards better automotive cybersecurityThe road towards better automotive cybersecurity
The road towards better automotive cybersecurity
 
Security in the Age of Open Source
Security in the Age of Open SourceSecurity in the Age of Open Source
Security in the Age of Open Source
 
Application Portfolio Risk Ranking: Banishing FUD With Structure and Numbers
Application Portfolio Risk Ranking: Banishing FUD With Structure and NumbersApplication Portfolio Risk Ranking: Banishing FUD With Structure and Numbers
Application Portfolio Risk Ranking: Banishing FUD With Structure and Numbers
 
Manoj Purandare - Application Security - Secure Code Assessment Program - Pre...
Manoj Purandare - Application Security - Secure Code Assessment Program - Pre...Manoj Purandare - Application Security - Secure Code Assessment Program - Pre...
Manoj Purandare - Application Security - Secure Code Assessment Program - Pre...
 
Manoj Purandare - Application Security - Secure Code Assessment Program - Pre...
Manoj Purandare - Application Security - Secure Code Assessment Program - Pre...Manoj Purandare - Application Security - Secure Code Assessment Program - Pre...
Manoj Purandare - Application Security - Secure Code Assessment Program - Pre...
 
Manoj Purandare - Application Security - Secure Code Assessment Program - Pre...
Manoj Purandare - Application Security - Secure Code Assessment Program - Pre...Manoj Purandare - Application Security - Secure Code Assessment Program - Pre...
Manoj Purandare - Application Security - Secure Code Assessment Program - Pre...
 
Enterprise under attack dealing with security threats and compliance
Enterprise under attack dealing with security threats and complianceEnterprise under attack dealing with security threats and compliance
Enterprise under attack dealing with security threats and compliance
 
Secure application deployment in the age of continuous delivery
Secure application deployment in the age of continuous deliverySecure application deployment in the age of continuous delivery
Secure application deployment in the age of continuous delivery
 

More from Black Duck by Synopsys

FLIGHT WEST 2018 Presentation - Open Source License Management in Black Duck Hub
FLIGHT WEST 2018 Presentation - Open Source License Management in Black Duck HubFLIGHT WEST 2018 Presentation - Open Source License Management in Black Duck Hub
FLIGHT WEST 2018 Presentation - Open Source License Management in Black Duck Hub
Black Duck by Synopsys
 
FLIGHT WEST 2018 Presentation - Integrating Security into Your Development an...
FLIGHT WEST 2018 Presentation - Integrating Security into Your Development an...FLIGHT WEST 2018 Presentation - Integrating Security into Your Development an...
FLIGHT WEST 2018 Presentation - Integrating Security into Your Development an...
Black Duck by Synopsys
 
Open-Source- Sicherheits- und Risikoanalyse 2018
Open-Source- Sicherheits- und Risikoanalyse 2018Open-Source- Sicherheits- und Risikoanalyse 2018
Open-Source- Sicherheits- und Risikoanalyse 2018
Black Duck by Synopsys
 
FLIGHT Amsterdam Presentation - Open Source, IP and Trade Secrets: An Impossi...
FLIGHT Amsterdam Presentation - Open Source, IP and Trade Secrets: An Impossi...FLIGHT Amsterdam Presentation - Open Source, IP and Trade Secrets: An Impossi...
FLIGHT Amsterdam Presentation - Open Source, IP and Trade Secrets: An Impossi...
Black Duck by Synopsys
 
FLIGHT Amsterdam Presentation - Data Breaches and the Law: A Practical Guide
FLIGHT Amsterdam Presentation - Data Breaches and the Law: A Practical GuideFLIGHT Amsterdam Presentation - Data Breaches and the Law: A Practical Guide
FLIGHT Amsterdam Presentation - Data Breaches and the Law: A Practical Guide
Black Duck by Synopsys
 
FLIGHT Amsterdam Presentation - Don’t Let Open Source Software Kill Your Deal
FLIGHT Amsterdam Presentation - Don’t Let Open Source Software Kill Your DealFLIGHT Amsterdam Presentation - Don’t Let Open Source Software Kill Your Deal
FLIGHT Amsterdam Presentation - Don’t Let Open Source Software Kill Your Deal
Black Duck by Synopsys
 
FLIGHT Amsterdam Presentation - Open Source License Management in the Black D...
FLIGHT Amsterdam Presentation - Open Source License Management in the Black D...FLIGHT Amsterdam Presentation - Open Source License Management in the Black D...
FLIGHT Amsterdam Presentation - Open Source License Management in the Black D...
Black Duck by Synopsys
 
FLIGHT Amsterdam Presentation - From Protex to Hub
FLIGHT Amsterdam Presentation - From Protex to Hub FLIGHT Amsterdam Presentation - From Protex to Hub
FLIGHT Amsterdam Presentation - From Protex to Hub
Black Duck by Synopsys
 
Open Source Insight: Securing IoT, Atlanta Ransomware Attack, Congress on Cyb...
Open Source Insight: Securing IoT, Atlanta Ransomware Attack, Congress on Cyb...Open Source Insight: Securing IoT, Atlanta Ransomware Attack, Congress on Cyb...
Open Source Insight: Securing IoT, Atlanta Ransomware Attack, Congress on Cyb...
Black Duck by Synopsys
 
Open Source Insight: GitHub Finds 4M Flaws, IAST Magic Quadrant, 2018 Open So...
Open Source Insight: GitHub Finds 4M Flaws, IAST Magic Quadrant, 2018 Open So...Open Source Insight: GitHub Finds 4M Flaws, IAST Magic Quadrant, 2018 Open So...
Open Source Insight: GitHub Finds 4M Flaws, IAST Magic Quadrant, 2018 Open So...
Black Duck by Synopsys
 
Open Source Rookies and Community
Open Source Rookies and CommunityOpen Source Rookies and Community
Open Source Rookies and Community
Black Duck by Synopsys
 
Open Source Insight: Who Owns Linux? TRITON Attack, App Security Testing, Fut...
Open Source Insight: Who Owns Linux? TRITON Attack, App Security Testing, Fut...Open Source Insight: Who Owns Linux? TRITON Attack, App Security Testing, Fut...
Open Source Insight: Who Owns Linux? TRITON Attack, App Security Testing, Fut...
Black Duck by Synopsys
 
Open Source Insight: SCA for DevOps, DHS Security, Securing Open Source for G...
Open Source Insight: SCA for DevOps, DHS Security, Securing Open Source for G...Open Source Insight: SCA for DevOps, DHS Security, Securing Open Source for G...
Open Source Insight: SCA for DevOps, DHS Security, Securing Open Source for G...
Black Duck by Synopsys
 
Open Source Insight: AppSec for DevOps, Open Source vs Proprietary, Malicious...
Open Source Insight: AppSec for DevOps, Open Source vs Proprietary, Malicious...Open Source Insight: AppSec for DevOps, Open Source vs Proprietary, Malicious...
Open Source Insight: AppSec for DevOps, Open Source vs Proprietary, Malicious...
Black Duck by Synopsys
 
Open Source Insight: Big Data Breaches, Costly Cyberattacks, Vuln Detection f...
Open Source Insight: Big Data Breaches, Costly Cyberattacks, Vuln Detection f...Open Source Insight: Big Data Breaches, Costly Cyberattacks, Vuln Detection f...
Open Source Insight: Big Data Breaches, Costly Cyberattacks, Vuln Detection f...
Black Duck by Synopsys
 
Open Source Insight: Happy Birthday Open Source and Application Security for ...
Open Source Insight: Happy Birthday Open Source and Application Security for ...Open Source Insight: Happy Birthday Open Source and Application Security for ...
Open Source Insight: Happy Birthday Open Source and Application Security for ...
Black Duck by Synopsys
 
Open Source Insight: Security Breaches and Cryptocurrency Dominating News
Open Source Insight: Security Breaches and Cryptocurrency Dominating NewsOpen Source Insight: Security Breaches and Cryptocurrency Dominating News
Open Source Insight: Security Breaches and Cryptocurrency Dominating News
Black Duck by Synopsys
 
20 Billion Reasons for IoT Security
20 Billion Reasons for IoT Security20 Billion Reasons for IoT Security
20 Billion Reasons for IoT Security
Black Duck by Synopsys
 
Open Source Insight: IoT Security, Tech Due Diligence, and Software Security ...
Open Source Insight: IoT Security, Tech Due Diligence, and Software Security ...Open Source Insight: IoT Security, Tech Due Diligence, and Software Security ...
Open Source Insight: IoT Security, Tech Due Diligence, and Software Security ...
Black Duck by Synopsys
 
Open Source Insight: Banking and Open Source, 2018 CISO Report, GDPR Looming
Open Source Insight: Banking and Open Source, 2018 CISO Report, GDPR Looming Open Source Insight: Banking and Open Source, 2018 CISO Report, GDPR Looming
Open Source Insight: Banking and Open Source, 2018 CISO Report, GDPR Looming
Black Duck by Synopsys
 

More from Black Duck by Synopsys (20)

FLIGHT WEST 2018 Presentation - Open Source License Management in Black Duck Hub
FLIGHT WEST 2018 Presentation - Open Source License Management in Black Duck HubFLIGHT WEST 2018 Presentation - Open Source License Management in Black Duck Hub
FLIGHT WEST 2018 Presentation - Open Source License Management in Black Duck Hub
 
FLIGHT WEST 2018 Presentation - Integrating Security into Your Development an...
FLIGHT WEST 2018 Presentation - Integrating Security into Your Development an...FLIGHT WEST 2018 Presentation - Integrating Security into Your Development an...
FLIGHT WEST 2018 Presentation - Integrating Security into Your Development an...
 
Open-Source- Sicherheits- und Risikoanalyse 2018
Open-Source- Sicherheits- und Risikoanalyse 2018Open-Source- Sicherheits- und Risikoanalyse 2018
Open-Source- Sicherheits- und Risikoanalyse 2018
 
FLIGHT Amsterdam Presentation - Open Source, IP and Trade Secrets: An Impossi...
FLIGHT Amsterdam Presentation - Open Source, IP and Trade Secrets: An Impossi...FLIGHT Amsterdam Presentation - Open Source, IP and Trade Secrets: An Impossi...
FLIGHT Amsterdam Presentation - Open Source, IP and Trade Secrets: An Impossi...
 
FLIGHT Amsterdam Presentation - Data Breaches and the Law: A Practical Guide
FLIGHT Amsterdam Presentation - Data Breaches and the Law: A Practical GuideFLIGHT Amsterdam Presentation - Data Breaches and the Law: A Practical Guide
FLIGHT Amsterdam Presentation - Data Breaches and the Law: A Practical Guide
 
FLIGHT Amsterdam Presentation - Don’t Let Open Source Software Kill Your Deal
FLIGHT Amsterdam Presentation - Don’t Let Open Source Software Kill Your DealFLIGHT Amsterdam Presentation - Don’t Let Open Source Software Kill Your Deal
FLIGHT Amsterdam Presentation - Don’t Let Open Source Software Kill Your Deal
 
FLIGHT Amsterdam Presentation - Open Source License Management in the Black D...
FLIGHT Amsterdam Presentation - Open Source License Management in the Black D...FLIGHT Amsterdam Presentation - Open Source License Management in the Black D...
FLIGHT Amsterdam Presentation - Open Source License Management in the Black D...
 
FLIGHT Amsterdam Presentation - From Protex to Hub
FLIGHT Amsterdam Presentation - From Protex to Hub FLIGHT Amsterdam Presentation - From Protex to Hub
FLIGHT Amsterdam Presentation - From Protex to Hub
 
Open Source Insight: Securing IoT, Atlanta Ransomware Attack, Congress on Cyb...
Open Source Insight: Securing IoT, Atlanta Ransomware Attack, Congress on Cyb...Open Source Insight: Securing IoT, Atlanta Ransomware Attack, Congress on Cyb...
Open Source Insight: Securing IoT, Atlanta Ransomware Attack, Congress on Cyb...
 
Open Source Insight: GitHub Finds 4M Flaws, IAST Magic Quadrant, 2018 Open So...
Open Source Insight: GitHub Finds 4M Flaws, IAST Magic Quadrant, 2018 Open So...Open Source Insight: GitHub Finds 4M Flaws, IAST Magic Quadrant, 2018 Open So...
Open Source Insight: GitHub Finds 4M Flaws, IAST Magic Quadrant, 2018 Open So...
 
Open Source Rookies and Community
Open Source Rookies and CommunityOpen Source Rookies and Community
Open Source Rookies and Community
 
Open Source Insight: Who Owns Linux? TRITON Attack, App Security Testing, Fut...
Open Source Insight: Who Owns Linux? TRITON Attack, App Security Testing, Fut...Open Source Insight: Who Owns Linux? TRITON Attack, App Security Testing, Fut...
Open Source Insight: Who Owns Linux? TRITON Attack, App Security Testing, Fut...
 
Open Source Insight: SCA for DevOps, DHS Security, Securing Open Source for G...
Open Source Insight: SCA for DevOps, DHS Security, Securing Open Source for G...Open Source Insight: SCA for DevOps, DHS Security, Securing Open Source for G...
Open Source Insight: SCA for DevOps, DHS Security, Securing Open Source for G...
 
Open Source Insight: AppSec for DevOps, Open Source vs Proprietary, Malicious...
Open Source Insight: AppSec for DevOps, Open Source vs Proprietary, Malicious...Open Source Insight: AppSec for DevOps, Open Source vs Proprietary, Malicious...
Open Source Insight: AppSec for DevOps, Open Source vs Proprietary, Malicious...
 
Open Source Insight: Big Data Breaches, Costly Cyberattacks, Vuln Detection f...
Open Source Insight: Big Data Breaches, Costly Cyberattacks, Vuln Detection f...Open Source Insight: Big Data Breaches, Costly Cyberattacks, Vuln Detection f...
Open Source Insight: Big Data Breaches, Costly Cyberattacks, Vuln Detection f...
 
Open Source Insight: Happy Birthday Open Source and Application Security for ...
Open Source Insight: Happy Birthday Open Source and Application Security for ...Open Source Insight: Happy Birthday Open Source and Application Security for ...
Open Source Insight: Happy Birthday Open Source and Application Security for ...
 
Open Source Insight: Security Breaches and Cryptocurrency Dominating News
Open Source Insight: Security Breaches and Cryptocurrency Dominating NewsOpen Source Insight: Security Breaches and Cryptocurrency Dominating News
Open Source Insight: Security Breaches and Cryptocurrency Dominating News
 
20 Billion Reasons for IoT Security
20 Billion Reasons for IoT Security20 Billion Reasons for IoT Security
20 Billion Reasons for IoT Security
 
Open Source Insight: IoT Security, Tech Due Diligence, and Software Security ...
Open Source Insight: IoT Security, Tech Due Diligence, and Software Security ...Open Source Insight: IoT Security, Tech Due Diligence, and Software Security ...
Open Source Insight: IoT Security, Tech Due Diligence, and Software Security ...
 
Open Source Insight: Banking and Open Source, 2018 CISO Report, GDPR Looming
Open Source Insight: Banking and Open Source, 2018 CISO Report, GDPR Looming Open Source Insight: Banking and Open Source, 2018 CISO Report, GDPR Looming
Open Source Insight: Banking and Open Source, 2018 CISO Report, GDPR Looming
 

Recently uploaded

DevOps and Testing slides at DASA Connect
DevOps and Testing slides at DASA ConnectDevOps and Testing slides at DASA Connect
DevOps and Testing slides at DASA Connect
Kari Kakkonen
 
FIDO Alliance Osaka Seminar: Overview.pdf
FIDO Alliance Osaka Seminar: Overview.pdfFIDO Alliance Osaka Seminar: Overview.pdf
FIDO Alliance Osaka Seminar: Overview.pdf
FIDO Alliance
 
When stars align: studies in data quality, knowledge graphs, and machine lear...
When stars align: studies in data quality, knowledge graphs, and machine lear...When stars align: studies in data quality, knowledge graphs, and machine lear...
When stars align: studies in data quality, knowledge graphs, and machine lear...
Elena Simperl
 
Designing Great Products: The Power of Design and Leadership by Chief Designe...
Designing Great Products: The Power of Design and Leadership by Chief Designe...Designing Great Products: The Power of Design and Leadership by Chief Designe...
Designing Great Products: The Power of Design and Leadership by Chief Designe...
Product School
 
The Art of the Pitch: WordPress Relationships and Sales
The Art of the Pitch: WordPress Relationships and SalesThe Art of the Pitch: WordPress Relationships and Sales
The Art of the Pitch: WordPress Relationships and Sales
Laura Byrne
 
Essentials of Automations: Optimizing FME Workflows with Parameters
Essentials of Automations: Optimizing FME Workflows with ParametersEssentials of Automations: Optimizing FME Workflows with Parameters
Essentials of Automations: Optimizing FME Workflows with Parameters
Safe Software
 
Empowering NextGen Mobility via Large Action Model Infrastructure (LAMI): pav...
Empowering NextGen Mobility via Large Action Model Infrastructure (LAMI): pav...Empowering NextGen Mobility via Large Action Model Infrastructure (LAMI): pav...
Empowering NextGen Mobility via Large Action Model Infrastructure (LAMI): pav...
Thierry Lestable
 
AI for Every Business: Unlocking Your Product's Universal Potential by VP of ...
AI for Every Business: Unlocking Your Product's Universal Potential by VP of ...AI for Every Business: Unlocking Your Product's Universal Potential by VP of ...
AI for Every Business: Unlocking Your Product's Universal Potential by VP of ...
Product School
 
Software Delivery At the Speed of AI: Inflectra Invests In AI-Powered Quality
Software Delivery At the Speed of AI: Inflectra Invests In AI-Powered QualitySoftware Delivery At the Speed of AI: Inflectra Invests In AI-Powered Quality
Software Delivery At the Speed of AI: Inflectra Invests In AI-Powered Quality
Inflectra
 
Dev Dives: Train smarter, not harder – active learning and UiPath LLMs for do...
Dev Dives: Train smarter, not harder – active learning and UiPath LLMs for do...Dev Dives: Train smarter, not harder – active learning and UiPath LLMs for do...
Dev Dives: Train smarter, not harder – active learning and UiPath LLMs for do...
UiPathCommunity
 
GraphRAG is All You need? LLM & Knowledge Graph
GraphRAG is All You need? LLM & Knowledge GraphGraphRAG is All You need? LLM & Knowledge Graph
GraphRAG is All You need? LLM & Knowledge Graph
Guy Korland
 
De-mystifying Zero to One: Design Informed Techniques for Greenfield Innovati...
De-mystifying Zero to One: Design Informed Techniques for Greenfield Innovati...De-mystifying Zero to One: Design Informed Techniques for Greenfield Innovati...
De-mystifying Zero to One: Design Informed Techniques for Greenfield Innovati...
Product School
 
How world-class product teams are winning in the AI era by CEO and Founder, P...
How world-class product teams are winning in the AI era by CEO and Founder, P...How world-class product teams are winning in the AI era by CEO and Founder, P...
How world-class product teams are winning in the AI era by CEO and Founder, P...
Product School
 
Builder.ai Founder Sachin Dev Duggal's Strategic Approach to Create an Innova...
Builder.ai Founder Sachin Dev Duggal's Strategic Approach to Create an Innova...Builder.ai Founder Sachin Dev Duggal's Strategic Approach to Create an Innova...
Builder.ai Founder Sachin Dev Duggal's Strategic Approach to Create an Innova...
Ramesh Iyer
 
Epistemic Interaction - tuning interfaces to provide information for AI support
Epistemic Interaction - tuning interfaces to provide information for AI supportEpistemic Interaction - tuning interfaces to provide information for AI support
Epistemic Interaction - tuning interfaces to provide information for AI support
Alan Dix
 
Elevating Tactical DDD Patterns Through Object Calisthenics
Elevating Tactical DDD Patterns Through Object CalisthenicsElevating Tactical DDD Patterns Through Object Calisthenics
Elevating Tactical DDD Patterns Through Object Calisthenics
Dorra BARTAGUIZ
 
To Graph or Not to Graph Knowledge Graph Architectures and LLMs
To Graph or Not to Graph Knowledge Graph Architectures and LLMsTo Graph or Not to Graph Knowledge Graph Architectures and LLMs
To Graph or Not to Graph Knowledge Graph Architectures and LLMs
Paul Groth
 
Kubernetes & AI - Beauty and the Beast !?! @KCD Istanbul 2024
Kubernetes & AI - Beauty and the Beast !?! @KCD Istanbul 2024Kubernetes & AI - Beauty and the Beast !?! @KCD Istanbul 2024
Kubernetes & AI - Beauty and the Beast !?! @KCD Istanbul 2024
Tobias Schneck
 
PCI PIN Basics Webinar from the Controlcase Team
PCI PIN Basics Webinar from the Controlcase TeamPCI PIN Basics Webinar from the Controlcase Team
PCI PIN Basics Webinar from the Controlcase Team
ControlCase
 
Accelerate your Kubernetes clusters with Varnish Caching
Accelerate your Kubernetes clusters with Varnish CachingAccelerate your Kubernetes clusters with Varnish Caching
Accelerate your Kubernetes clusters with Varnish Caching
Thijs Feryn
 

Recently uploaded (20)

DevOps and Testing slides at DASA Connect
DevOps and Testing slides at DASA ConnectDevOps and Testing slides at DASA Connect
DevOps and Testing slides at DASA Connect
 
FIDO Alliance Osaka Seminar: Overview.pdf
FIDO Alliance Osaka Seminar: Overview.pdfFIDO Alliance Osaka Seminar: Overview.pdf
FIDO Alliance Osaka Seminar: Overview.pdf
 
When stars align: studies in data quality, knowledge graphs, and machine lear...
When stars align: studies in data quality, knowledge graphs, and machine lear...When stars align: studies in data quality, knowledge graphs, and machine lear...
When stars align: studies in data quality, knowledge graphs, and machine lear...
 
Designing Great Products: The Power of Design and Leadership by Chief Designe...
Designing Great Products: The Power of Design and Leadership by Chief Designe...Designing Great Products: The Power of Design and Leadership by Chief Designe...
Designing Great Products: The Power of Design and Leadership by Chief Designe...
 
The Art of the Pitch: WordPress Relationships and Sales
The Art of the Pitch: WordPress Relationships and SalesThe Art of the Pitch: WordPress Relationships and Sales
The Art of the Pitch: WordPress Relationships and Sales
 
Essentials of Automations: Optimizing FME Workflows with Parameters
Essentials of Automations: Optimizing FME Workflows with ParametersEssentials of Automations: Optimizing FME Workflows with Parameters
Essentials of Automations: Optimizing FME Workflows with Parameters
 
Empowering NextGen Mobility via Large Action Model Infrastructure (LAMI): pav...
Empowering NextGen Mobility via Large Action Model Infrastructure (LAMI): pav...Empowering NextGen Mobility via Large Action Model Infrastructure (LAMI): pav...
Empowering NextGen Mobility via Large Action Model Infrastructure (LAMI): pav...
 
AI for Every Business: Unlocking Your Product's Universal Potential by VP of ...
AI for Every Business: Unlocking Your Product's Universal Potential by VP of ...AI for Every Business: Unlocking Your Product's Universal Potential by VP of ...
AI for Every Business: Unlocking Your Product's Universal Potential by VP of ...
 
Software Delivery At the Speed of AI: Inflectra Invests In AI-Powered Quality
Software Delivery At the Speed of AI: Inflectra Invests In AI-Powered QualitySoftware Delivery At the Speed of AI: Inflectra Invests In AI-Powered Quality
Software Delivery At the Speed of AI: Inflectra Invests In AI-Powered Quality
 
Dev Dives: Train smarter, not harder – active learning and UiPath LLMs for do...
Dev Dives: Train smarter, not harder – active learning and UiPath LLMs for do...Dev Dives: Train smarter, not harder – active learning and UiPath LLMs for do...
Dev Dives: Train smarter, not harder – active learning and UiPath LLMs for do...
 
GraphRAG is All You need? LLM & Knowledge Graph
GraphRAG is All You need? LLM & Knowledge GraphGraphRAG is All You need? LLM & Knowledge Graph
GraphRAG is All You need? LLM & Knowledge Graph
 
De-mystifying Zero to One: Design Informed Techniques for Greenfield Innovati...
De-mystifying Zero to One: Design Informed Techniques for Greenfield Innovati...De-mystifying Zero to One: Design Informed Techniques for Greenfield Innovati...
De-mystifying Zero to One: Design Informed Techniques for Greenfield Innovati...
 
How world-class product teams are winning in the AI era by CEO and Founder, P...
How world-class product teams are winning in the AI era by CEO and Founder, P...How world-class product teams are winning in the AI era by CEO and Founder, P...
How world-class product teams are winning in the AI era by CEO and Founder, P...
 
Builder.ai Founder Sachin Dev Duggal's Strategic Approach to Create an Innova...
Builder.ai Founder Sachin Dev Duggal's Strategic Approach to Create an Innova...Builder.ai Founder Sachin Dev Duggal's Strategic Approach to Create an Innova...
Builder.ai Founder Sachin Dev Duggal's Strategic Approach to Create an Innova...
 
Epistemic Interaction - tuning interfaces to provide information for AI support
Epistemic Interaction - tuning interfaces to provide information for AI supportEpistemic Interaction - tuning interfaces to provide information for AI support
Epistemic Interaction - tuning interfaces to provide information for AI support
 
Elevating Tactical DDD Patterns Through Object Calisthenics
Elevating Tactical DDD Patterns Through Object CalisthenicsElevating Tactical DDD Patterns Through Object Calisthenics
Elevating Tactical DDD Patterns Through Object Calisthenics
 
To Graph or Not to Graph Knowledge Graph Architectures and LLMs
To Graph or Not to Graph Knowledge Graph Architectures and LLMsTo Graph or Not to Graph Knowledge Graph Architectures and LLMs
To Graph or Not to Graph Knowledge Graph Architectures and LLMs
 
Kubernetes & AI - Beauty and the Beast !?! @KCD Istanbul 2024
Kubernetes & AI - Beauty and the Beast !?! @KCD Istanbul 2024Kubernetes & AI - Beauty and the Beast !?! @KCD Istanbul 2024
Kubernetes & AI - Beauty and the Beast !?! @KCD Istanbul 2024
 
PCI PIN Basics Webinar from the Controlcase Team
PCI PIN Basics Webinar from the Controlcase TeamPCI PIN Basics Webinar from the Controlcase Team
PCI PIN Basics Webinar from the Controlcase Team
 
Accelerate your Kubernetes clusters with Varnish Caching
Accelerate your Kubernetes clusters with Varnish CachingAccelerate your Kubernetes clusters with Varnish Caching
Accelerate your Kubernetes clusters with Varnish Caching
 

Open Source Security for Newbies - Best Practices

  • 1. Open Source Security for Beginners - Best Practices
  • 2. • Overview of open source risk • Designing a Successful Risk Mitigation Strategy • Planning for Vulnerability Remediation • Wrap up Agenda
  • 3. What are possible security vulnerabilities in this home? • Physical and/or policy-based What are security threats to this home? • Are some threats more likely to occur than others? What would an attack look like? • Have any neighbors been robbed? How should one prioritize defenses? • What is an acceptable level or risk? Security Vocabulary
  • 4. But security investment is often not aligned with actual risks
  • 5. Virtually all Global 2000 companies use open source to run critical infrastructure. - Gartner Open Source Has Blown Past the Tipping Point © Black Duck Software 2017 | CONFIDENTIAL Open Source Projects (Millions) 70% of apps will run on OSS databases by 2018 50% of orgs face problems because of a lack of policy 2.5 0.1 0.2 0.5 1.5 1.0 2007 2009 2011 2013 2015 2017
  • 6. Open Source in Commercial Software 22% of applications had >50% open source
  • 7. 7
  • 8. License Risk • Open source license compliance • Ensure project dependencies are understood Operational risk • How well supported is a component? • Can you differentiate between “stable” and “dead”? • Are there more recent versions? Security Risk • Exploitable vulnerabilities in components • Old components with multiple vulnerabilities Open Source Risk Elements
  • 10. Open Source is Not Risk Free
  • 11. Over 9,000 new vulnerabilities in open source since 2014 Over 80,000 total vulnerabilities in NVD, only 63 reference automated tools • 50 of those are for vulnerabilities reported in the tools • 13 are for vulnerabilities that could be identified by a fuzzer Over 34,000 known open source vulnerabilities since 2000 0 500 1000 1500 2000 2500 3000 3500 4000 1999 2000 2001 2002 2003 2004 2005 2006 2007 2008 2009 2010 2011 2012 2013 2014 2015 2016 NVD Black Duck exclusive
  • 12. HIPAA + FTC Act + FDA Regulations + State laws + Enforcement actions + . . . . Open Source and Regulatory Requirements }= Reasonable Security
  • 14. Practical Implications of Regulatory Standards A) Risk analysis (Required). Conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information held by the covered entity. Risk Assessment • Identify vulnerabilities in all covered software • Review of custom code to identify vulnerabilities • Monitor for new vulnerabilities
  • 15. Practical Implications of Regulatory Standards (B) Risk management (Required). Implement security measures sufficient to reduce risks and vulnerabilities to a reasonable and appropriate level to comply with § 164.306(a). Risk Management • Have policies and controls in place to address identified risks in a timely manner
  • 16. Signature-based Scanning File Information Extraction Build Process Monitoring Risk Assessment: Visibility to All Components is Key A 3-Pronged Strategy Chooses the best scan methods for: • Your Dev Tools • Your Business Goals • Your Risk Levels With Impactful Benefits • Automated • Multi-factor identification • Ensures accurate BOM • Broad language support • Identifies partial and modified components • Minimizes false positives / negatives • Streamlines disambiguation Signature-based Scanning Use contextual and file analysis: • File / Directory meta-data • File Content (SHA1 signatures) Build Process Monitoring Build process monitoring • External ID-based • Find Transitive Dependencies • Understand Relationships and Use • E.G. Maven, Gradle File Info Extraction Leverage additional component information • Package Management Files • Installation / SCM artifacts • Manifest Files • .Net Assemblies
  • 17. Risk Assessment: Completeness of Risk Information © Black Duck Software 2017 | CONFIDENTIAL
  • 19. Not all applications are equally important • Determine which are most critical to accomplishing business goals • Determine “acceptable risk” for others Step 1 – Risk Rank Your Applications
  • 20. How severe is the issue? • CVSS Scores • High, medium, low How is it exploited? • Local access or network • Authentication required? • Complex or simple? Is an exploit publicly available? Step 2 – Prioritize Your Vulnerabilities
  • 21. What damage can an attacker do? • Read data • Modify data • Denial of Service • Execute unauthorized code or commands • Gain privileges / assume identity • Bypass protection mechanism • Hide activities Prioritize Your Vulnerabilities
  • 23. CWE Defines Technical Impact 23 Technical Impact of SQL Injection: • Read application data • Bypass protection mechanism • Modify application data
  • 24. Finite number of options 1. Patch 2. Rip and replace 3. Punt 4. Compensating Control Step 4 – Risk Reduction
  • 25. Is the vulnerability isolated? Is a patch available? Are you prepared to manage your own branch of the code? Patch
  • 26. With what? • Use resources like OpenHub to make sure you aren’t adding vulnerabilities • Look at changes to determine LoE • Consider a substitute/similar functioning component Rip and Replace Source: openhub.net
  • 27. Risk is acceptable in terms of business goals and risk appetite • For most applications, removing all vulnerabilities is not necessary Are you using the vulnerable portion of the code? Punt
  • 28. Can be a substitute for replacing/updating the code Can be a stopgap to mitigate risk until you can remediate Examples • IPS/IDS rules • WAF rules • Centralized data cleansing/input validation Step 4 – Use Compensating Controls
  • 29. Establishing an OS Security Monitoring Strategy
  • 30. Application Security Goal: Move “Left” in the SDLC Analyze Design Implement Test Maintain 1x 6.5x 15x 100x Source: IBM Systems Sciences Institute Earlier Visibility to Vulnerabilities Pays Dividends
  • 31. The Right Tool at the Right Time SDLC Ecosystem Analyze Design Implement Test Maintain Security Intelligence (including data sources) Open Source Selection Detection and Notification IAST Dynamic Analysis Static Analysis Manual Penetration Testing Vulnerability Assessment
  • 32. • Build and automatically enforce OSS policies • Identify OSS components early in the SDLC • Automatically create and maintain bills of material • Continuously monitor threat environment for new vulnerabilities Open Source Best Practices Reqs • OSS Policies • Application Criticality Ranking • OSS Risk Parameters • License Risk • Security Risk • Operational Risk Design • OSS Selection • Design Review • License Risk • Security Risk • Operational Risk Code • OSS Detection • Automatically detect and alert on non- conforming components • Correlation with Bills of Material Test • OSS Enforcement • Detect and alert on non-conforming components • Correlation with Bills of Material Release • OSS Monitoring • Timely OSS Vulnerability Identification & Reporting • Bug Severity • Remediation Advice
  • 33. Continued adoption of open source • Value far exceeds controllable risks Increased regulatory oversight • FDA, PCI, HIPAA, FTC Act 5 • GDPR Increased focus on IT infrastructure • Vulnerability scanners don’t cover all open source risks What to Expect in 2018
  • 34. • Determine which applications are most critical to your organization’s business goals • Create roadmap for ranking, prioritizing, and addressing vulnerabilities based on their technical impact • Design a OS risk monitoring strategy with your team • Know the regulations that impact you + coordinate with internal compliance teams • Move left to improve vulnerability protection over time • Communicate plan with teams and stakeholders Key Takeaways