As presented by Tim Mackey, Senior Technical Evangelist at Black Duck Software, at Open Source Open Standards (GovNet) (http://opensourceconference.co.uk/), this deck covers some of the material which operators of open source data centers and users of container and cloud technologies should be aware of when seeking to be security conscious.
Traditionally, when datacentre operators talk about application security, there has been a tendency to focus on issues related to key management, firewalls and data access. By contrast, application developers have a security focus which is more aligned with code analysis and fuzzing techniques. The reality is, secure application deployment principles extend from the infrastructure layer through the application and include how the application is deployed. With the prevalence of continuous deployment, it’s imperative to focus efforts on what attackers’ view as vulnerable; particularly in an environment where new exploits are being disclosed almost daily.
In this session we’ll present:
- How known vulnerabilities can make their way into production deployments
- How vulnerability impact is maximized
- A methodology for ensuring deployment of vulnerable code can be minimized
- A methodology to minimize the potential for vulnerable code to be redistributed
Open source reduces development costs, frees internal developers to work on higher-order tasks, and accelerates time to market. Quite simply, open source is the way applications are developed today. Mike Pittenger addresses security in the age of open source in this presentation.
As presented by Patrick Carey in San Jose at a Lunch & Learn. Open source reduces development costs, frees internal developers to work on higher-order tasks, and accelerates time to market. Quite simply, open source is the way applications are developed today.
As presented by Mike Pittenger, VP of Security Strategy, at a lunch and learn on September 13, 2016.
Learn how your organization can:
* Know what's inside your code by identifying the open source you're using
* Map against known vulnerabilities and accelerate remediation efforts
* Take action to effectively secure and manage open source without impacting your agile SDLC
Secure application deployment in Apache CloudStackTim Mackey
At the Apache CloudStack Collaboration Conference in Montreal, I presented a potential pathway to secure template management in CloudStack. Under this model, cloud providers can assess the templates their users have and potentially advise if deployed instances have application security issues which have either public disclosures, or better still remediation.
Secure application deployment in the age of continuous deliveryTim Mackey
As presented at Open Source Open Standards (GovNet) (http://opensourceconference.co.uk/), this deck covers some of the material which operators of open source data centers and users of container and cloud technologies should be aware of when seeking to be security conscious.
Traditionally, when datacentre operators talk about application security, there has been a tendency to focus on issues related to key management, firewalls and data access. By contrast, application developers have a security focus which is more aligned with code analysis and fuzzing techniques. The reality is, secure application deployment principles extend from the infrastructure layer through the application and include how the application is deployed. With the prevalence of continuous deployment, it’s imperative to focus efforts on what attackers’ view as vulnerable; particularly in an environment where new exploits are being disclosed almost daily.
In this session we’ll present:
- How known vulnerabilities can make their way into production deployments
- How vulnerability impact is maximized
- A methodology for ensuring deployment of vulnerable code can be minimized
- A methodology to minimize the potential for vulnerable code to be redistributed
Empowering Application Security Protection in the World of DevOpsIBM Security
Watch on-demand now: https://securityintelligence.com/events/application-security-protection-world-of-devops/
How do organizations build secure applications, given today's rapidly moving and evolving DevOps practices? Development teams are aware of the shifting security challenges they face. However, they're by no means security experts, nor do they have spare time on their hands to learn new tools.
What can development teams do to keep pace with rapidly-evolving application security threats?
The answer lies in automation. By making application security part of the continuous build processes, organizations can protect against these major risks.
In this session, you will learn:
- New security challenges facing today’s popular DevOps and Continuous Integration (CI) practices, including managing custom code and open source risks with containers and traditional environments.
- Best practices for designing and incorporating an automated approach to application security into your existing development environment.
- Future development and application security challenges organizations will face and what they can do to prepare.
Open source reduces development costs, frees internal developers to work on higher-order tasks, and accelerates time to market. Quite simply, open source is the way applications are developed today. Mike Pittenger addresses security in the age of open source in this presentation.
As presented by Patrick Carey in San Jose at a Lunch & Learn. Open source reduces development costs, frees internal developers to work on higher-order tasks, and accelerates time to market. Quite simply, open source is the way applications are developed today.
As presented by Mike Pittenger, VP of Security Strategy, at a lunch and learn on September 13, 2016.
Learn how your organization can:
* Know what's inside your code by identifying the open source you're using
* Map against known vulnerabilities and accelerate remediation efforts
* Take action to effectively secure and manage open source without impacting your agile SDLC
Secure application deployment in Apache CloudStackTim Mackey
At the Apache CloudStack Collaboration Conference in Montreal, I presented a potential pathway to secure template management in CloudStack. Under this model, cloud providers can assess the templates their users have and potentially advise if deployed instances have application security issues which have either public disclosures, or better still remediation.
Secure application deployment in the age of continuous deliveryTim Mackey
As presented at Open Source Open Standards (GovNet) (http://opensourceconference.co.uk/), this deck covers some of the material which operators of open source data centers and users of container and cloud technologies should be aware of when seeking to be security conscious.
Traditionally, when datacentre operators talk about application security, there has been a tendency to focus on issues related to key management, firewalls and data access. By contrast, application developers have a security focus which is more aligned with code analysis and fuzzing techniques. The reality is, secure application deployment principles extend from the infrastructure layer through the application and include how the application is deployed. With the prevalence of continuous deployment, it’s imperative to focus efforts on what attackers’ view as vulnerable; particularly in an environment where new exploits are being disclosed almost daily.
In this session we’ll present:
- How known vulnerabilities can make their way into production deployments
- How vulnerability impact is maximized
- A methodology for ensuring deployment of vulnerable code can be minimized
- A methodology to minimize the potential for vulnerable code to be redistributed
Empowering Application Security Protection in the World of DevOpsIBM Security
Watch on-demand now: https://securityintelligence.com/events/application-security-protection-world-of-devops/
How do organizations build secure applications, given today's rapidly moving and evolving DevOps practices? Development teams are aware of the shifting security challenges they face. However, they're by no means security experts, nor do they have spare time on their hands to learn new tools.
What can development teams do to keep pace with rapidly-evolving application security threats?
The answer lies in automation. By making application security part of the continuous build processes, organizations can protect against these major risks.
In this session, you will learn:
- New security challenges facing today’s popular DevOps and Continuous Integration (CI) practices, including managing custom code and open source risks with containers and traditional environments.
- Best practices for designing and incorporating an automated approach to application security into your existing development environment.
- Future development and application security challenges organizations will face and what they can do to prepare.
Managing Open Source in Application Security and Software Development LifecycleBlack Duck by Synopsys
Presented September 15, 2016 by John Steven, CTO, Cigital; Mike Pittenger, VP Security Strategy, Black Duck
Today, open source comprises a critical component of software code in the average application, yet most organizations lack the visibility into and control of the open source they’re using. A 2016 analysis of 200 commercial applications showed that 67% contained known open source vulnerabilities. Whether it’s a SaaS solution you deliver to millions of customers, or an internal application developed for employees, addressing the open source visibility and control challenges is vital to ensuring proper software security.
Open source use is ubiquitous worldwide. It powers your mobile phone and your company’s most important cloud application. Securing mission critical applications must evolve to address open source as part of software security, complementing and extending the testing of in-house written code.
In this webinar by Cigital and Black Duck security experts, you’ll learn:
- The current state of application security management within the Software Development Lifecycle (SDLC)
- New security considerations organizations face in testing applications that combine open source and in-house written software.
- Steps you can take to automate and manage open source security as part of application development
This SlideShare will help you understand the shifting open source landscape and why open source security management is becoming more critical. You’ll also understand the high-level capabilities of the Black Duck Hub. You’ll also learn how, in just a few minutes, you can use your existing Protex Bill of Materials to uncover known open source security vulnerabilities lurking in your projects, how to monitor for newly discovered vulnerabilities, and how to take steps to remediate your open source vulnerability risk. Then you’ll be ready to get started by learning more about the integration in Black Duck Academy and using these tools on your own projects.
Where does your organization stand with open source risk management? How are you identifying and securing open source used in your code? Measure your organization against these four levels to find out.
Black Duck & IBM Present: Application Security in the Age of Open SourceBlack Duck by Synopsys
Keeping applications secure, whether you're developing for internal use or for your customers, isn't easy. Today, applications are a mix of open source and custom code. Identifying and resolving security vulnerabilities in both requires the right tools and know-how. Black Duck and IBM are working together to help you keep your applications secure.
Slide deck on the security aspects of using Open Source Software. Focused on the Apache HTTP Server project, this deck discusses general topics like what Open Source software is, what the prevailing myths surrounding it are and how the open development process works to ensure the result is secure.
You need to establish clear operational and security processes around your app and container usage. Join this session to see how enterprise IT can use accelerate business agility, implement DevOps processes, and achieve greater security and control.
Security in the age of open source - Myths and misperceptionsTim Mackey
As delivered at Interop ITX 2017.
The security of open source software is a function of the security of its components. For most applications, open source technologies are at their core, but security related issues may not be disclosed directly against the application because its use of the open-source component is hidden. In this talk, I explored how information flow benefits attackers, but how awareness can help defenders. I presented key attributes any vulnerability solution should have - including deep understanding of how open source development works and being DevOps aware.
Using hypervisor and container technology to increase datacenter security pos...Tim Mackey
As presented at LinuxCon/ContainerCon 2016:
Cyber threats consistently rank as a high priority for data center operators and their reliability teams. As increasingly sophisticated attacks mount, the risk associated with a zero-day attack is significant. Traditional responses include perimeter monitoring and anti-malware agents. Unfortunately, those techniques introduce performance and management challenges when used at large VM densities, and may not work well with containerized applications.
Fortunately, the Xen Project community has collaborated to create a solution which reduces the potential of success associated with rootkit attack vectors. When combined with recent advancements in processor capabilities, and secure development models for container deployment, it’s possible to both protect against and be proactively alerted to potential zero-day attacks. In this session, we’ll cover models to limit the scope of compromise should an attack be mounted against your infrastructure. Two attack vectors will be illustrated, and we’ll see how it’s possible to be proactively alerted to potential zero-day actions without requiring significant reconfiguration of your datacenter environment.
Technology elements explored include those from Black Duck, Bitdefender, Citrix, Intel and Guardicore.
How do organizations build secure applications, given today's rapidly moving and evolving DevOps practices? Join Black Duck and our customer experts on best practices for application security in DevOps.
You’ll learn:
-New security challenges facing today’s popular DevOps and Continuous Integration (CI) practices, including managing custom code and open source risks with containers and traditional environments
-Best practices for designing and incorporating an automated approach to application security into your existing development environment
-Future development and application security challenges organizations will face and what they can do to prepare
The How and Why of Container Vulnerability ManagementTim Mackey
As presented at OpenShift Commons Sept 8, 2016.
Cyber threats consistently rank as a high priority for data center operators and their reliability teams. As increasingly sophisticated attacks mount, the risk associated with a zero-day attack is significant. Traditional responses include perimeter monitoring and associated network defenses. Since those defenses are reactive to application issues attackers choose to exploit, it’s critical to have visibility into both what is in your container library, but also what the current state of vulnerability activity might be. Current vulnerability information for container images can readily be obtained by using the scan action on Atomic hosts in your OpenShift Container Platform.
In this session we’ll cover how an issue becomes a disclosed vulnerability, how to determine the risk associated with your container usage, and potential mitigation patterns you might choose to utilize to limit any potential scope of compromise.
Automating Open Source Security: A SANS Review of WhiteSourceWhiteSource
In this webinar, SANS's Serge Borso and WhiteSource's Rami Elron provide a product review of our solution. In this webinar, you will learn how WhiteSource's solution can be easily integrated into the software development lifecycle to, detect open source vulnerabilities in real time, prioritize and remediate vulnerabilities and automate policy enforcement throughout the SDLC.
As delivered by Tim Mackey, Senior Technical Evangelist - Black Duck Software, at LinuxCon and ContainerCon in Berlin 2016.
Traditionally, when datacenter operators talk about application security, they've tended to focus on issues related to key management, firewalls and data access. By contrast, application developers have a security focus which is more aligned with code analysis and fuzzing techniques.
The reality is, secure application deployment principles extend from the infrastructure layer through the application and include how the application is deployed. With the prevalence of continuous deployment of micro-services, it’s imperative to focus efforts on what attackers’ view as vulnerable; particularly in an environment where new exploits are being disclosed almost daily.
In this session we’ll present:
• How known vulnerabilities can make their way into production deployments
• How deployment of vulnerable code can be minimized
• How to determine the vulnerability status of a container
• How to determine the risk associated with a specific package
Leveraging Black Duck Hub to Maximize Focus - Entersekt's approach to automat...Jerika Phelps
Learn how fast-growing authentication and mobile security solutions provider Entersekt leverages Black Duck Hub for competitive advantage by automating open source security risk management throughout the Software Development Lifecycle (SDLC)
We discuss the role software plays in information security and compare and contrast how many of the unique attributes of open source can present particular security challenges as opposed to proprietary/commercial software. We will examine the role open source has played in several high profile security incidents, drawing lessons learned from those incidents. We will also review the standards of “reasonableness” established by widely adopted security standards published by NIST and others and discuss the application of those standards to open source.
Open Source Insight: You Can’t Beat Hackers and the Pentagon Moves into Open...Black Duck by Synopsys
We take a deep dive into security researchers Charlie Miller and Chris Valasek’s keynote at last week’s FLIGHT 2017 conference. What is “Hidden Cobra” and is it targeting US aerospace, telecommunications and finance industries? Both banks and the Pentagon are making big moves into open source. And why it’s smart to assume that every application is an on-premise application.
The best of November’s application security and open security news (so far) follows in this week’s edition of Open Source Insight.
From Zero To Hero: Continuous Container Security in 4 Simple Steps- A WhiteSo...WhiteSource
In Collaboration with DevOps.com, WhiteSource's Shiri Ivtsan discussed in this webinar the main security challenges organizations face when using containers.
Continuous security: Bringing agility to the secure development lifecycleRogue Wave Software
Presented at AppSec California 2017. The fact that software development is moving towards agile methodologies and DevOps is a given, the question is: How do you transform processes and tools to get the biggest advantage? Using application security testing as an example, this talk cuts through all the news, research, and standards to define a holistic process for integrating Agile testing and feedback into development teams. The talk describes specific processes, automation techniques, and the smart selection of tools to help organizations produce more secure, OWASP-compliant code and free up development time to focus on features.
The Devops Challenge: Open Source Security Throughout the DevOps Pipline- A W...WhiteSource
In Collaboration with DevOps.com, WhiteSource's Shiri Ivtsan discusses in this webinar the current state of open source vulnerabilities management, the latest innovations in the open source security world and the best DevOps tools to protect organizations against open source vulnerabilities.
Presentation to The Operational Research Society on :Search Engines, Analytics and Semantics as part of the Developments In Analytics And Big Data Conference.
See www.Invotra.com for more information.
Integration and automation are cornerstones of DevOps. Black Duck Hub provides integrations to CI/CD solutions like Jenkins and TeamCity, but what if you are using a different solution or maybe even your own custom tools? Never fear! Black Duck Hub API's allow you to leverage Black Duck open source scanning and policies into your environment. In this session we'll roll up our sleeves and dig into some coding examples to show you how to do it.
Organizations of all sizes using automation and agile methodologies to improve the speed and reliability of their software development initiatives. In this session we will provide an overview and demonstrations of the various ways you can integrate Black Duck Hub with your CI/CD tools to manage open source risks throughout development.
Managing Open Source in Application Security and Software Development LifecycleBlack Duck by Synopsys
Presented September 15, 2016 by John Steven, CTO, Cigital; Mike Pittenger, VP Security Strategy, Black Duck
Today, open source comprises a critical component of software code in the average application, yet most organizations lack the visibility into and control of the open source they’re using. A 2016 analysis of 200 commercial applications showed that 67% contained known open source vulnerabilities. Whether it’s a SaaS solution you deliver to millions of customers, or an internal application developed for employees, addressing the open source visibility and control challenges is vital to ensuring proper software security.
Open source use is ubiquitous worldwide. It powers your mobile phone and your company’s most important cloud application. Securing mission critical applications must evolve to address open source as part of software security, complementing and extending the testing of in-house written code.
In this webinar by Cigital and Black Duck security experts, you’ll learn:
- The current state of application security management within the Software Development Lifecycle (SDLC)
- New security considerations organizations face in testing applications that combine open source and in-house written software.
- Steps you can take to automate and manage open source security as part of application development
This SlideShare will help you understand the shifting open source landscape and why open source security management is becoming more critical. You’ll also understand the high-level capabilities of the Black Duck Hub. You’ll also learn how, in just a few minutes, you can use your existing Protex Bill of Materials to uncover known open source security vulnerabilities lurking in your projects, how to monitor for newly discovered vulnerabilities, and how to take steps to remediate your open source vulnerability risk. Then you’ll be ready to get started by learning more about the integration in Black Duck Academy and using these tools on your own projects.
Where does your organization stand with open source risk management? How are you identifying and securing open source used in your code? Measure your organization against these four levels to find out.
Black Duck & IBM Present: Application Security in the Age of Open SourceBlack Duck by Synopsys
Keeping applications secure, whether you're developing for internal use or for your customers, isn't easy. Today, applications are a mix of open source and custom code. Identifying and resolving security vulnerabilities in both requires the right tools and know-how. Black Duck and IBM are working together to help you keep your applications secure.
Slide deck on the security aspects of using Open Source Software. Focused on the Apache HTTP Server project, this deck discusses general topics like what Open Source software is, what the prevailing myths surrounding it are and how the open development process works to ensure the result is secure.
You need to establish clear operational and security processes around your app and container usage. Join this session to see how enterprise IT can use accelerate business agility, implement DevOps processes, and achieve greater security and control.
Security in the age of open source - Myths and misperceptionsTim Mackey
As delivered at Interop ITX 2017.
The security of open source software is a function of the security of its components. For most applications, open source technologies are at their core, but security related issues may not be disclosed directly against the application because its use of the open-source component is hidden. In this talk, I explored how information flow benefits attackers, but how awareness can help defenders. I presented key attributes any vulnerability solution should have - including deep understanding of how open source development works and being DevOps aware.
Using hypervisor and container technology to increase datacenter security pos...Tim Mackey
As presented at LinuxCon/ContainerCon 2016:
Cyber threats consistently rank as a high priority for data center operators and their reliability teams. As increasingly sophisticated attacks mount, the risk associated with a zero-day attack is significant. Traditional responses include perimeter monitoring and anti-malware agents. Unfortunately, those techniques introduce performance and management challenges when used at large VM densities, and may not work well with containerized applications.
Fortunately, the Xen Project community has collaborated to create a solution which reduces the potential of success associated with rootkit attack vectors. When combined with recent advancements in processor capabilities, and secure development models for container deployment, it’s possible to both protect against and be proactively alerted to potential zero-day attacks. In this session, we’ll cover models to limit the scope of compromise should an attack be mounted against your infrastructure. Two attack vectors will be illustrated, and we’ll see how it’s possible to be proactively alerted to potential zero-day actions without requiring significant reconfiguration of your datacenter environment.
Technology elements explored include those from Black Duck, Bitdefender, Citrix, Intel and Guardicore.
How do organizations build secure applications, given today's rapidly moving and evolving DevOps practices? Join Black Duck and our customer experts on best practices for application security in DevOps.
You’ll learn:
-New security challenges facing today’s popular DevOps and Continuous Integration (CI) practices, including managing custom code and open source risks with containers and traditional environments
-Best practices for designing and incorporating an automated approach to application security into your existing development environment
-Future development and application security challenges organizations will face and what they can do to prepare
The How and Why of Container Vulnerability ManagementTim Mackey
As presented at OpenShift Commons Sept 8, 2016.
Cyber threats consistently rank as a high priority for data center operators and their reliability teams. As increasingly sophisticated attacks mount, the risk associated with a zero-day attack is significant. Traditional responses include perimeter monitoring and associated network defenses. Since those defenses are reactive to application issues attackers choose to exploit, it’s critical to have visibility into both what is in your container library, but also what the current state of vulnerability activity might be. Current vulnerability information for container images can readily be obtained by using the scan action on Atomic hosts in your OpenShift Container Platform.
In this session we’ll cover how an issue becomes a disclosed vulnerability, how to determine the risk associated with your container usage, and potential mitigation patterns you might choose to utilize to limit any potential scope of compromise.
Automating Open Source Security: A SANS Review of WhiteSourceWhiteSource
In this webinar, SANS's Serge Borso and WhiteSource's Rami Elron provide a product review of our solution. In this webinar, you will learn how WhiteSource's solution can be easily integrated into the software development lifecycle to, detect open source vulnerabilities in real time, prioritize and remediate vulnerabilities and automate policy enforcement throughout the SDLC.
As delivered by Tim Mackey, Senior Technical Evangelist - Black Duck Software, at LinuxCon and ContainerCon in Berlin 2016.
Traditionally, when datacenter operators talk about application security, they've tended to focus on issues related to key management, firewalls and data access. By contrast, application developers have a security focus which is more aligned with code analysis and fuzzing techniques.
The reality is, secure application deployment principles extend from the infrastructure layer through the application and include how the application is deployed. With the prevalence of continuous deployment of micro-services, it’s imperative to focus efforts on what attackers’ view as vulnerable; particularly in an environment where new exploits are being disclosed almost daily.
In this session we’ll present:
• How known vulnerabilities can make their way into production deployments
• How deployment of vulnerable code can be minimized
• How to determine the vulnerability status of a container
• How to determine the risk associated with a specific package
Leveraging Black Duck Hub to Maximize Focus - Entersekt's approach to automat...Jerika Phelps
Learn how fast-growing authentication and mobile security solutions provider Entersekt leverages Black Duck Hub for competitive advantage by automating open source security risk management throughout the Software Development Lifecycle (SDLC)
We discuss the role software plays in information security and compare and contrast how many of the unique attributes of open source can present particular security challenges as opposed to proprietary/commercial software. We will examine the role open source has played in several high profile security incidents, drawing lessons learned from those incidents. We will also review the standards of “reasonableness” established by widely adopted security standards published by NIST and others and discuss the application of those standards to open source.
Open Source Insight: You Can’t Beat Hackers and the Pentagon Moves into Open...Black Duck by Synopsys
We take a deep dive into security researchers Charlie Miller and Chris Valasek’s keynote at last week’s FLIGHT 2017 conference. What is “Hidden Cobra” and is it targeting US aerospace, telecommunications and finance industries? Both banks and the Pentagon are making big moves into open source. And why it’s smart to assume that every application is an on-premise application.
The best of November’s application security and open security news (so far) follows in this week’s edition of Open Source Insight.
From Zero To Hero: Continuous Container Security in 4 Simple Steps- A WhiteSo...WhiteSource
In Collaboration with DevOps.com, WhiteSource's Shiri Ivtsan discussed in this webinar the main security challenges organizations face when using containers.
Continuous security: Bringing agility to the secure development lifecycleRogue Wave Software
Presented at AppSec California 2017. The fact that software development is moving towards agile methodologies and DevOps is a given, the question is: How do you transform processes and tools to get the biggest advantage? Using application security testing as an example, this talk cuts through all the news, research, and standards to define a holistic process for integrating Agile testing and feedback into development teams. The talk describes specific processes, automation techniques, and the smart selection of tools to help organizations produce more secure, OWASP-compliant code and free up development time to focus on features.
The Devops Challenge: Open Source Security Throughout the DevOps Pipline- A W...WhiteSource
In Collaboration with DevOps.com, WhiteSource's Shiri Ivtsan discusses in this webinar the current state of open source vulnerabilities management, the latest innovations in the open source security world and the best DevOps tools to protect organizations against open source vulnerabilities.
Presentation to The Operational Research Society on :Search Engines, Analytics and Semantics as part of the Developments In Analytics And Big Data Conference.
See www.Invotra.com for more information.
Integration and automation are cornerstones of DevOps. Black Duck Hub provides integrations to CI/CD solutions like Jenkins and TeamCity, but what if you are using a different solution or maybe even your own custom tools? Never fear! Black Duck Hub API's allow you to leverage Black Duck open source scanning and policies into your environment. In this session we'll roll up our sleeves and dig into some coding examples to show you how to do it.
Organizations of all sizes using automation and agile methodologies to improve the speed and reliability of their software development initiatives. In this session we will provide an overview and demonstrations of the various ways you can integrate Black Duck Hub with your CI/CD tools to manage open source risks throughout development.
Docker is revolutionizing the way organizations build and deploy applications. But while containers make it easier to development teams to package applications with all their dependencies, they make it harder for operations teams to control what software is deployed into production. In this session you will see how Black Duck Hub helps development and operations teams maintain complete visibility and control of the open source in their containers.
With a record-breaking 1,300 respondents, the 2015 Future of Open Source Survey results highlight record levels of corporate participation in open source, as well as the greater impact OSS is having on technology and security. Yet, this year's results also reveal a reported lack of formal company policies and processes for consuming and managing open source and its associated legal, operational, and security risks.
Learn more at www.blackducksoftware.com/future-of-open-source
User Experience for the 100% - making your intranet accessible to everyone!Invotra
What does accessibility mean to you? Paul Zimmerman, COO at Invotra discusses the importance of making your intranet accessible to everyone.
You can see Paul delivering the presentation here: https://vimeo.com/190862301
At the Apache CloudStack Collaboration Conference in Montreal, Tim Mackey (Senior Technical Evangelist at Black Duck Software) presented a potential pathway to secure template management in CloudStack. Under this model, cloud providers can assess the templates their users have and potentially advise if deployed instances have application security issues which have either public disclosures, or better still remediation.
A question of trust - understanding Open Source risksTim Mackey
As presented at the Bay Area Cyber Security Meetup on January 25th, 2018.
Open source development paradigms have become the norm for most software development. This is regardless of whether you're making the next great IoT device, a new container microservice, or desktop application. While open source components are often viewed as free, and definately help solve problems in a scalable way, using them in a secure manner requires an understanding of how open source development really works.
In this sesssion, I covered how secure development practices with data center regulations can benefit from an understanding of open source development. Specifically, we looked at fork management, community engagement and patch management. We ended with an open source maturity model.
Journey to the Cloud: Securing Your AWS Applications - April 2015Alert Logic
James Brown, Director of Cloud Computing & Security Architecture, Alert Logic covers:
• The shared security model: what security you are responsible for to protect your content, applications, systems and networks vs AWS.
• Overview of the OWASP Top 10 most critical web application security risks (such as SQL injections)
• Best practices for how to protect your environment from the latest threats
This is the latest version of the State of the DevSecOps presentation, which was given by Stefan Streichsbier, founder of guardrails.io, as the keynote for the Singapore Computer Society - DevSecOps Seminar in Singapore on the 13th January 2020.
Automotive safety has been a major concern for manufacturers everywhere and now the threat of automotive hacking looms. Your team may be familiar with safety standards and defensive coding techniques but do you know how to handle security threats at the code level? What can you do next to transform your processes and development strategies?
Join automotive experts from Rogue Wave Software for the first in a three-part series on securing your code and solidifying processes to ensure safe, defect-free software. By educating teams and understanding proven techniques, you’ll be able to take the next step towards less risk and more value for your applications.
In this first one-hour webinar you'll learn:
- Techniques to protect your automotive software systems from risk
- Tools that accelerate compliance with security and safety standards
- Tips to ensure defects are eliminated as early as possible
Network intrusion. Information theft. Outside reprogramming of systems. These examples are just a few of the several reasons why software security is becoming increasingly more important to all industries. No system is immune, so it’s more important than ever to understand why secure code matters and how to create safer applications.
With this presentation you'll learn how to:
-Protect your systems from risk
-Comply with security standards
-Ensure the entire codebase is bulletproof
Securing Container Deployments from Build to Ship to Run - August 2017 - Ranc...Shannon Williams
Security should be integrated into every phase of the container application development life cycle, from build to ship to run. On August 31st, we hosted an online meetup to discuss the issues that need be addressed to achieve continuous security for containers.
The presentation included speakers from Rancher Labs (www.rancher.com), NeuVector (www.neuvector.com) and Black Duck Software (www.blackducksoftware.com) who discussed:
- Best practices for preparing your environment for secure deployment
- How to secure containers during run-time
- Actionable next steps to protect your applications
How do organizations build secure applications, given today's rapidly moving and evolving DevOps practices? Join Black Duck and our customer experts on best practices for application security in DevOps.
You’ll learn:
-New security challenges facing today’s popular DevOps and Continuous Integration (CI) practices, including managing custom code and open source risks with containers and traditional environments
-Best practices for designing and incorporating an automated approach to application security into your existing development environment
-Future development and application security challenges organizations will face and what they can do to prepare
Agenda:
- SDLC vs S-SDLC
- Mobile development security process
- What tools using for security testing?
- How to integrate into existing processes?
- What additionally you can do?
Winning open source vulnerabilities without loosing your deveopers - Azure De...WhiteSource
Tsaela Pinto, Director of Knowledge R&D at WhiteSource, spoke at the Azure DevOps meetup in Tel Aviv about how develpers should part in maintaining open source security
All regulatory requirements (HIPAA, PCI, etc.) include a mandate for assessing vulnerabilities in systems that manage or store sensitive data. Organizations often opt to conduct vulnerability assessments on an annual, quarterly, or even monthly basis. But while vulnerability assessment tools can identify unpatched or misconfigured code bases, these tools overlook a large portion of an organization’s attack surface: known vulnerabilities in applications that are built in-house. These applications will not have public updates, nor will the thousands of open source components they utilize be included in public disclosures. This is concerning because over 6,000 vulnerabilities in open source projects have been reported since 2014. Register for this webinar to discover how to protect yourself.
Application security meetup k8_s security with zero trust_29072021lior mazor
The "K8S security with Zero Trust" Meetup is about K8s posture Management and runtime protection, ways to secure your software supply chain, Managing Attack Surface reduction, and How to secure K8s with Zero-Trust.
VMWare Tech Talk: "The Road from Rugged DevOps to Security Chaos Engineering"Aaron Rinehart
This session will cover the foundations DevSecOps and the application of Chaos Engineering for Cyber Security. We will cover how the craft has evolved by sharing some lessons learned driving digital transformation at the largest healthcare company in the world, UnitedHealth Group. During the session we will talk about DevSecOps, Rugged DevOps, Open Source, and how we pioneered the application of Chaos Engineering to Cyber Security.
We will cover how DevSecOps and Security Chaos Engineering allows for teams to proactively experiment on recurring failure patterns in order to derive new information about underlying problems that were previously unknown. The use of Chaos Engineering techniques in DevSecOps pipelines, allows incident response and engineering teams to derive new information about the state of security within the system that was previously unknown.
As far as we know Chaos Engineering is one of the only proactive mechanisms for detecting systemic availability and security failures before they manifest into outages, incidents, and breaches. In other words, Security focused Chaos Engineering allows teams to proactively, safely discover system weakness before they disrupt business outcomes.
Are you new to Black Duck or open source security? Do you need a refresher? Understanding the fundamentals of open source security is critical to keeping your data and organization safe. During this session, we'll share best practices from the world's leading experts to help you establish a foundation for success.
Create a Unified View of Your Application Security Program – Black Duck Hub a...Denim Group
Effective application security programs rely on multiple sources for vulnerability data – from traditional static and dynamic testing, interactive testing, to manual and 3rd-party testing. Unfortunately, many organizations fail to consider the impact of open source software use and reuse on their security posture. This webinar will demonstrate how Black Duck Hub can identify security issues associated with open source usage and how ThreadFix’s correlation engine can provide a comprehensive view of an organization’s application security posture. In addition, the webinar demonstrates how ThreadFix’s HotSpot detection technology identifies security issues created by internally developed components – providing a complete of both open source and proprietary component usage.
Similar to Secure application deployment in the age of continuous delivery (20)
Flight WEST 2018 Presentation - A Buyer Investor Playbook for Successfully Na...Black Duck by Synopsys
Anthony Decicco, shareholder, GTC Law Group presented at FLIGHT West 2018. His session description included:
A buyer and investor focused discussion of key open source software-related issues and deal points. Understanding the key legal and technical risks, as well as strategies for mitigating them, will help you to focus due diligence, speed and smooth negotiations and get better deal terms, increasing overall value and avoiding post-transaction surprises.
For more information, please visit us at www.blackducksoftware.com
FLIGHT WEST 2018 Presentation - Continuous Monitoring of Open Source Componen...Black Duck by Synopsys
Basma Shahadat, Lead Research Engineer presented at Black Duck Flight West 2018. Security checking in the early stages of the SDLC is critical. This session will demonstrate how Proofpoint is taking proactive steps to reduce risk by integrating Black Duck into Proofpoint’s continuous integration pipeline to detect open source vulnerabilities during the product build. For more information, please visit us at https://www.blackducksoftware.com/
FLIGHT WEST 2018 Presentation - Integrating Security into Your Development an...Black Duck by Synopsys
Utsav Sanghani, Product Manager, Integrations and Alliance at Synopsys presented on how to "Black Duck your Code Faster with Black Duck Integrations." For more information, please visit www.blackducksoftware.com
Black Duck On-Demand-Audits von über 1.100
kommerziellen Anwendungen im Jahr 2017
verdeutlichen die ständigen Herausforderungen, vor
denen Unternehmen stehen, um Open Source effektiv
zu erkennen und zu sichern.
FLIGHT Amsterdam Presentation - Open Source, IP and Trade Secrets: An Impossi...Black Duck by Synopsys
At Flight Amsterdam, Fenna Douwenga, Associate, Bird & Bird provided practical tips on open source licenses, intellectual property rights, and trade secrets. During the presentation Fenna reviewed, everlasting conflict between patents, copyright and open source and how it can be overcome. Additionally, the new European Trade Secrets Directive was discussed and how some of the requirements therein may for instance conflict with the GNU General Public license. Furthermore, a quick outline of the influence of Brexit on licenses closed under UK law was given and how potential problems can be prevented.
FLIGHT Amsterdam Presentation - Data Breaches and the Law: A Practical GuideBlack Duck by Synopsys
Flight Amsterdam Presentation by Daniel Hedley and Georgie Collins, Partners, Irwin Mitchell looked at the intersection of the GDPR and open source software management and the laws which govern how organisations must respond to data breaches (including GDPR and NISD), how to prepare for a data breach, and what to do if the worst happens.
FLIGHT Amsterdam Presentation - Don’t Let Open Source Software Kill Your DealBlack Duck by Synopsys
Flight Amsterdam presentation by Anthony Decicco, Shareholder, GTC Law Group
Open source software is increasingly centric to transactions, whether licensing, mergers, acquisitions, financing, insurance, offerings or loans, and the deal landscape is changing with the prevalence of representation and warranty insurance, heightened focus on security vulnerabilities and increasing litigation. As such, it is important to understand and re-visit key open source software-related issues and deal points to accelerate your deal, avoid unnecessary due diligence and realize the most value from your open source software-related compliance efforts.
Open Source Insight: Securing IoT, Atlanta Ransomware Attack, Congress on Cyb...Black Duck by Synopsys
The Black Duck blog and Open Source Insight become part of the Synopsys Software Integrity blog in early April. You’ll still get the latest open source security and license compliance news, insights, and opinions you’ve come to expect, plus the latest software security trends, news, tips, best practices, and thought leadership every week. Don’t delay, subscribe today! Now on to this week’s open source security and cybersecurity news.
Open Source Insight:GitHub Finds 4M Flaws, IAST Magic Quadrant, 2018 Open So...Black Duck by Synopsys
A big news week for Synopsys and Black Duck as Gartner releases the 2018 Gartner Magic Quadrant for Application Security Testing and the 2018 Open Source Rookies of the Year are announced. More on these stories and the hottest open source security and cybersecurity news in this week’s Open Source Insight!
2018 is the Open Source Rookies report’s 10th anniversary, brought to you by Black Duck by Synopsys. This infographic shows the impressive number of projects started in 2017 and the distribution across the world and a wide range of categories. Narrowing them down was hard! The open source community continues to produce innovative and influential open source projects.
Open Source Insight: Who Owns Linux? TRITON Attack, App Security Testing, Fut...Black Duck by Synopsys
We look at the three reasons you must attend the FLIGHT Amsterdam conference; how to build outstanding projects in the open source community; and why isn’t every app being security tested? Plus, in-depth into the TRITON attack; why 2018 is the year of open source; how open source is driving both IoT and AI and a webinar on the 2018 Open Source Rookies of the Year.
Open Source Insight is your weekly news resource for open source security and cybersecurity news!
Open Source Insight: SCA for DevOps, DHS Security, Securing Open Source for G...Black Duck by Synopsys
It’s an acronym-filled issue of Open Source Insight, as we look at the question of SCA (software composition analysis) and how it fits into the DevOps environment. The DHS (Department of Homeland Security) has concerning security gaps, according to its OIG (Office of Inspector General). Can the CVE (Common Vulnerabilities and Exposures) gap be closed? The GDPR (General Data Protection Regulation) is bearing down on us like a freight train, and it’s past time to include open source security into your GDPR plans.
Plus, an intro to the Open Hub community, looking at security for blockchain apps, and best practices for open source security in container environments are all featured in this week’s cybersecurity and open source security news.
Open Source Insight: AppSec for DevOps, Open Source vs Proprietary, Malicious...Black Duck by Synopsys
Welcome to the March 2nd edition of Open Source Insight from Black Duck by Synopsys! We look at places you’d never expect to find GDPR data, as well as answers to your most-frequently-asked GDPR questions. Synopsys Principal Scientist Sammy Migues explores why enterprises must have a software security program while Black Duck Technology Evangelist, Tim Mackey, takes a look at building application security into the heart of DevOps. Plus, a report that may give you nightmares on the malicious possibilities of AI. All the cybersecurity and open source security news fit to print lies ahead for your reading pleasure…
Open Source Insight: Big Data Breaches, Costly Cyberattacks, Vuln Detection f...Black Duck by Synopsys
This week’s Open Source Insight features a powerful visualization tool displaying the world’s biggest data breaches at name brands such as Ebay, Equifax, Anthem, and Target. The White House and British Foreign Office have condemned a cyber-attack launched by the Russian military on Ukraine and hint at reprisals. Black Duck brings open source vulnerability detection to Kubernetes, and Synopsys will host Elevate, an evening thought leadership event at Embedded World 2018 featuring an elite group of international cyber security experts leading a discussion about IoT and embedded systems security threats and solutions.
Read on for all the open source security and cybersecurity news you need to know this week.
Open Source Insight: Happy Birthday Open Source and Application Security for ...Black Duck by Synopsys
Opinions differ on exactly when, but open source turned twenty this year. Most security breaches in 2017 were preventable (you hear that, Equifax?), and it’s time to take a look back to prevent similar breaches in 2018. iPhone source code gets leaked (for a short time). And keeping medical devices, voting machines, automobiles, and critical infrastructure safe in a world of increasing application risk.
Read on for open source security and cybersecurity in Open Source Insight for February 9th, 2018.
Open Source Insight: Security Breaches and Cryptocurrency Dominating NewsBlack Duck by Synopsys
This week in Open Source Insight we examine blockchain security and the cryptocurrency boom. Plus, take an in depth look at open source software in tech contracts with a legal expert from Tech Contracts Academy, Adobe Flash Player continues to be a security concern, the Open Source Initiative turns 20, and step by step instructions for migrating to Docker on Black Duck Hub. Cybersecurity and security breach news also dominates this week, as Synopsys examines security breaches in 2017 and how they were preventable.
Presentation by Jared Jageler, David Adler, Noelia Duchovny, and Evan Herrnstadt, analysts in CBO’s Microeconomic Studies and Health Analysis Divisions, at the Association of Environmental and Resource Economists Summer Conference.
This session provides a comprehensive overview of the latest updates to the Uniform Administrative Requirements, Cost Principles, and Audit Requirements for Federal Awards (commonly known as the Uniform Guidance) outlined in the 2 CFR 200.
With a focus on the 2024 revisions issued by the Office of Management and Budget (OMB), participants will gain insight into the key changes affecting federal grant recipients. The session will delve into critical regulatory updates, providing attendees with the knowledge and tools necessary to navigate and comply with the evolving landscape of federal grant management.
Learning Objectives:
- Understand the rationale behind the 2024 updates to the Uniform Guidance outlined in 2 CFR 200, and their implications for federal grant recipients.
- Identify the key changes and revisions introduced by the Office of Management and Budget (OMB) in the 2024 edition of 2 CFR 200.
- Gain proficiency in applying the updated regulations to ensure compliance with federal grant requirements and avoid potential audit findings.
- Develop strategies for effectively implementing the new guidelines within the grant management processes of their respective organizations, fostering efficiency and accountability in federal grant administration.
What is the point of small housing associations.pptxPaul Smith
Given the small scale of housing associations and their relative high cost per home what is the point of them and how do we justify their continued existance
Jennifer Schaus and Associates hosts a complimentary webinar series on The FAR in 2024. Join the webinars on Wednesdays and Fridays at noon, eastern.
Recordings are on YouTube and the company website.
https://www.youtube.com/@jenniferschaus/videos
A process server is a authorized person for delivering legal documents, such as summons, complaints, subpoenas, and other court papers, to peoples involved in legal proceedings.
Many ways to support street children.pptxSERUDS INDIA
By raising awareness, providing support, advocating for change, and offering assistance to children in need, individuals can play a crucial role in improving the lives of street children and helping them realize their full potential
Donate Us
https://serudsindia.org/how-individuals-can-support-street-children-in-india/
#donatefororphan, #donateforhomelesschildren, #childeducation, #ngochildeducation, #donateforeducation, #donationforchildeducation, #sponsorforpoorchild, #sponsororphanage #sponsororphanchild, #donation, #education, #charity, #educationforchild, #seruds, #kurnool, #joyhome
Understanding the Challenges of Street ChildrenSERUDS INDIA
By raising awareness, providing support, advocating for change, and offering assistance to children in need, individuals can play a crucial role in improving the lives of street children and helping them realize their full potential
Donate Us
https://serudsindia.org/how-individuals-can-support-street-children-in-india/
#donatefororphan, #donateforhomelesschildren, #childeducation, #ngochildeducation, #donateforeducation, #donationforchildeducation, #sponsorforpoorchild, #sponsororphanage #sponsororphanchild, #donation, #education, #charity, #educationforchild, #seruds, #kurnool, #joyhome
Russian anarchist and anti-war movement in the third year of full-scale warAntti Rautiainen
Anarchist group ANA Regensburg hosted my online-presentation on 16th of May 2024, in which I discussed tactics of anti-war activism in Russia, and reasons why the anti-war movement has not been able to make an impact to change the course of events yet. Cases of anarchists repressed for anti-war activities are presented, as well as strategies of support for political prisoners, and modest successes in supporting their struggles.
Thumbnail picture is by MediaZona, you may read their report on anti-war arson attacks in Russia here: https://en.zona.media/article/2022/10/13/burn-map
Links:
Autonomous Action
http://Avtonom.org
Anarchist Black Cross Moscow
http://Avtonom.org/abc
Solidarity Zone
https://t.me/solidarity_zone
Memorial
https://memopzk.org/, https://t.me/pzk_memorial
OVD-Info
https://en.ovdinfo.org/antiwar-ovd-info-guide
RosUznik
https://rosuznik.org/
Uznik Online
http://uznikonline.tilda.ws/
Russian Reader
https://therussianreader.com/
ABC Irkutsk
https://abc38.noblogs.org/
Send mail to prisoners from abroad:
http://Prisonmail.online
YouTube: https://youtu.be/c5nSOdU48O8
Spotify: https://podcasters.spotify.com/pod/show/libertarianlifecoach/episodes/Russian-anarchist-and-anti-war-movement-in-the-third-year-of-full-scale-war-e2k8ai4
2. #whoami – Tim Mackey
• Current roles: Senior Technical Evangelist; Occasional coder
• Previously XenServer Community Manager
• Cool things I’ve done
• Designed laser communication systems
• Early designer of retail self-checkout machines
• Embedded special relativity algorithms into industrial control system
• Find me
• Twitter: @TimInTech ( https://twitter.com/TimInTech )
• SlideShare: slideshare.net/TimMackey
• LinkedIn: www.linkedin.com/in/mackeytim
6. EASY ACCESS TO SOURCE CODE
Open source ubiquity makes it ready target
OPEN SOURCE ISN’T
MORE OR LESS
SECURE THAN
CLOSED SOURCE –
ITS JUST EASIER TO
ACCESS
VULNERABILITIES ARE PUBLICIZED
EXPLOITS ARE PUBLISHED
7. Anatomy of a new attack
Potential Attack
Iterate
Test against platforms
Document
Don’t forget PR department
Deploy
8. DEVELOPER DOWNLOADS
OUTSOURCED DEVELOPMENT
THIRD PARTY LIBRARIES
CODE REUSE
APPROVED COMPONENTS
COMMERCIAL APPS
OPEN SOURCE CODE
Open source enters through many channels…
…and vulnerabilities can come with it.
9. CLOSED SOURCE COMMERCIAL CODE
• DEDICATED SECURITY RESEARCHERS
• ALERTING AND NOTIFICATION INFRASTRUCTURE
• REGULAR PATCH UPDATES
• DEDICATED SUPPORT TEAM WITH SLA
OPEN SOURCE CODE
• “COMMUNITY”-BASED CODE ANALYSIS
• MONITOR NEWSFEEDS YOURSELF
• NO STANDARD PATCHING MECHANISM
• ULTIMATELY, YOU ARE RESPONSIBLE
Who is responsible for code and security?
10. 0
500
1000
1500
2000
2500
3000
3500
1999 2000 2001 2002 2003 2004 2005 2006 2007 2008 2009 2010 2011 2012 2013 2014 2015
Open Source Vulnerabilities Reported Per Year
BDS-exclusive nvd
Reference: Black Duck Software Knowledgebase, NVD
Increasing number of OSS vulnerabilities
11. Automated tools miss most open source vulnerabilities
Static & Dynamic Analysis
Only discover common vulnerabilities
3,000+ disclosed in 2014
Less than 1% found by automated tools
Undiscovered vulnerabilities are
too complex and nuanced
All possible security
vulnerabilities
12. What do these all have in common?
Heartbleed Shellshock GhostFreak Venom
Since:
Discovered:
2011
2014
1989
2014
1990’s
2015
2000
2015
2004
2015
Discovered by:
Component: OpenSSL
Riku, Antti,
Matti, Mehta
Bash
Chazelas
OpenSSL
Beurdouche
GNU C library
Qualys researchers
QEMU
Geffner
16. Distinct areas of risk
• Open source license compliance
• Ensure project dependencies are understood
• Use of vulnerable open source components
• Is component a fork or dependency?
• How is component linked?
• Operational risk
• Can you differentiate between “stable” and “dead”?
• Is there a significant change set in your future?
• API versioning
• Security response process for project
17. Total Quality Management Philosophies
• Detect problems before product ships
• Select components based on trust
• Continuously identify issues and improve
• Empower employees to solve problems
• Implement the Deming Cycle
• Plan for change and analyze risk
• Do execute the plan in small steps
• Check the results against the plan
• Act on results to improve future outcomes
• Manage with facts
19. Software development lifecycle – threat model
Idea
Spec
Design
Code
Test
Release
• As part of the specification and
design, threat models are often
created.
20. Software development lifecycle – static analysis
Idea
Spec
Design
Code
Test
Release
• As part of the specification and
design, threat models are often
created.
• During code creation and
commits, static analysis is
performed
21. Software development lifecycle – dynamic analysis
Idea
Spec
Design
Code
Test
Release
• As part of the specification and
design, threat models are often
created.
• During code creation and
commits, static analysis is
performed
• Testing usually includes some
form of dynamic testing
23. Oops – a vulnerability is disclosed – now what?
DEVELOP SCM BUILD PACKAGE DEPLOY PRODUCTION
BUG TRACKING
REMEDIATE AND TRACK
LICENSE COMPLIANCE AND
SECURITY VULNERABILITIES
FULL APP SEC VISIBILITY
INTEGRATION
BUILD / CI SERVER
SCAN APPLICATIONS
WITH EACH BUILD VIA CI
INTEGRATION
DELIVERY PIPELINE
SCAN APPLICATIONS
AND CONTAINERS
BEFORE DELIVERY
CONTINUOUS
MONITORING OF
VULNERABILITIES
26. Knowledge is key. Can you keep up?
glibc
Bug
Reported
July 2015
Vuln: CVE-2015-7547: glibc getaddrinfo stack-
based buffer overflow
27. Knowledge is key. Can you keep up?
glibc
Bug
Reported
July 2015
Vuln: CVE-2015-7547: glibc getaddrinfo stack-
based buffer overflow
28. Knowledge is key. Can you keep up?
glibc
Vuln
Introduced
May 2008
glibc
Bug
Reported
July 2015
CVE-2015-
7547
CVE
Assigned
Feb 16-2016
Low Security Risk
Vuln: CVE-2015-7547: glibc getaddrinfo stack-
based buffer overflow
29. Knowledge is key. Can you keep up?
glibc
Vuln
Introduced
May 2008
CVE-2015-
7547
CVE
Assigned
Feb 16-2016
glibc
Bug
Reported
July 2015
National
Vulnerability
Database
Vuln
Published
Feb 18-2016
Moderate Security Risk
Low Security Risk
Vuln: CVE-2015-7547: glibc getaddrinfo stack-
based buffer overflow
30. Knowledge is key. Can you keep up?
glibc
Vuln
Introduced
National
Vulnerability
Database
Vuln
Published
You
Find It
May 2008
CVE-2015-
7547
CVE
Assigned
Feb 16-2016 Feb 18-2016
glibc
Bug
Reported
July 2015
Patches
Available
You
Fix It
Highest Security Risk
Moderate Security Risk
Low Security Risk
Vuln: CVE-2015-7547: glibc getaddrinfo stack-
based buffer overflow
31. Knowledge is key. Can you keep up?
glibc
Vuln
Introduced
National
Vulnerability
Database
Vuln
Published
You
Find It
May 2008
CVE-2015-
7547
CVE
Assigned
Feb 16-2016 Feb 18-2016
glibc
Bug
Reported
July 2015
Patches
Available
You
Fix It
Highest Security Risk
Moderate Security Risk
Low Security Risk
Vuln: CVE-2015-7547: glibc getaddrinfo stack-
based buffer overflow
33. A complete solution …
Choose Open
Source
Proactively choose
secure, supported
open source
SELECT
Inventory
Open Source
Map Existing
Vulnerabilities
Maintain accurate list of
open source
components throughout
the SDL
Identify vulnerabilities
during development
VERIFY
Track New
Vulnerabilities
Alert newly disclosed
vulnerabilities in
production
MONITORREMEDIATE
Fix
Vulnerabilities
Tell developers
how to remediate
34. OVER TWO HUNDRED THIRTY
E M P L O Y E E S
27USE BLACK DUCK
SOFTWARE
AWARD FOR
INNOVATION
GARTNER GROUP
“COOL VENDOR”
INNOVATIVE TECHNOLOGY
OF THE YEAR - SECURITY
7 YEARS IN A ROW FOR
SECURITY INNOVATION
RANKED #38 OUT OF 500
SECURITY COMPANIES
7 YEARS IN A ROW
6 of the top 8 mobile handset vendors
7 of the top 10 SOFTWARE COMPANIES (44% OF TOP 100)
24 COUNTRIES
6 of the top 10 banks
FORTUNE 100
Black Duck Created an Industry
35. 8,500
WEBSITES
350
BILLION LINES OF CODE
2,400
LICENSE TYPES
1.5
MILLION PROJECTS
76,000
VULNERABILITIES
Comprehensive KnowledgeBase
• Largest database of open source project
information in the world.
• Vulnerabilities coverage extended through
partnership with Risk Based Security.
• The KnowledgeBase is essential for
identifying and solving open source issues.
36. We need your help
Knowledge is power
• Know what’s running and why
• Define proactive vulnerability response process
• Don’t let technology hype cycle dictate security
Invest in defense in depth models
• Don’t rely on perimeter security to do heavy lifting
• Do look at hypervisor & container trends in security
• Make developers and ops teams part of the solution
• Do embed security into deployment process
Together we can build a more secure data center
37. Free tools to help
• Docker Container Security Scanner
• https://info.blackducksoftware.com/Security-Scan.html
• 14 Day Free Trial to Black Duck Hub
• https://info.blackducksoftware.com/Demo.html
• Red Hat Atomic Host Integration (Requires Black Duck Hub)
• atomic scan --scanner blackduck [container]
Editor's Notes
Image: http://morguefile.com/p/209940
http://www.istockphoto.com/photo/computer-crime-concept-gm516607038-89059287?st=9174601
Source: http://www.verizonenterprise.com/verizon-insights-lab/dbir/2016/
Every year since 2008, Verizon have published a report on the attempted data breaches occurring within their data centers. For 2015, they found close to 90% of them had either a financial or espionage component to them. This report is well worth the read, and there are a few key findings in this report we should all be aware of.
Costs of data breaches are heavily skewed towards legal consultation and forensics, and not to the public components of credit monitoring or lawsuits
Despite some vulnerabilities having been public for years, there remain vulnerable components in use
Some of those components simply may not have a patch forthcoming for a variety of reasons.
Despite years of organizations spending energy protecting against attacks, it remains up to the attacker to define what’s valuable. Consider the case of ransomware. A police department in the town next to where I live was subjected to a raonsomeware attack. For roughly 500 USD in bitcoin, the attackers would decrypt the booking and evidence records they had just crypto locked. As an attacker, they likely had no knowledge of who they had attacked or what they had locked up. What mattered was the ransom, and that they had a police organization’s files didn’t factor into the equation.
Let’s take a little bit of time and look at how an attack is created. Potential attackers have a number of tools at their disposal, and use a number of different tactics. In this case, the attacker wishes to create an attack on a given component. In order to be effective, they have two primary models. First they can actively contribute code in a highly active area of the component with an objective of planting a back door of some form. The hope being that their code will fail to be recognized as suspect given how quickly the area of code is evolving.
Second they can look for areas of code which are stable, and the longer they’ve bene stable, the better. The reason for this is simple, old code is likely written by someone who isn’t with the project any longer, or perhaps doesn’t recall all assumptions present at the time the code was written. After all, its been long understood that even with the best developers, assumptions change and old code doesn’t keep up.
The goal in both cases being to create an attack against the component, so they test, and fail, and iterate against the component until they’re successful or move on. Assuming they’re successful, they create a deployment tool and document the tool for others. Of course, given the publicity received by some recent vulnerabilities, a little PR goes a long way.
Now there are responsible researchers who follow a similar workflow, and they legitimately attempt to work with component creators to disclose vulnerabilities. They too will publish results, but are less interested in creating the an attack beyond a proof of concept.
http://www.istockphoto.com/photo/person-in-hooded-sweater-using-a-laptop-on-wooden-table-gm464503138-58544934?st=cf78f31
http://www.istockphoto.com/photo/cloud-computing-gm518556682-90104967
https://www.cesg.gov.uk/guidance/open-source-software-%E2%80%93-exploring-risk-good-practice-guide-38
If you’re using commercial software, the vendor is responsible for best practice deployment guidance, the notification of any security vulnerabilities and ultimately patches and workarounds for disclosed vulnerabilities. This is part of the deliverable they provide in return for their license fee.
If you’re using open source software, that process becomes partly your responsibility. To illustrate the level of information you have to work with, let’s look at a media-wiki maintenance release from December 2015.
“various special pages resulted in fata errors” – this clearly is something which needs resolution, but which pages? How do you test?
“1.24.6 marks the end of support for 1.24.x” – this is good to know, but I hope it was published elsewhere.
“However, 1.24.5 had issues (along with other versions) so it was thought fair to fix them” – This is a good thing, but can we expect this treatment in the future? From the title, we also have a fix for 1.23.x, but what other versions?
There is one thing we should all notice from this data: The vulnerable code was present for years until discovery. What may not be known, is that these vulnerabilities were found by researchers, not analysis tools.
Vuln: CVE-2015-7547: glibc getaddrinfo stack-based buffer overflow
On July 13 2015, the bug report associated with what would ultimately become CVE-2015-7547 was created.
https://sourceware.org/ml/libc-alpha/2016-02/msg00416.html
https://sourceware.org/bugzilla/show_bug.cgi?id=18665
https://security.googleblog.com/2016/02/cve-2015-7547-glibc-getaddrinfo-stack.html
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-7547 (published via US-CERT)
http://cve.mitre.org/cve/cna.html
https://openclipart.org/detail/200681/primary-patch
Vuln: CVE-2015-7547: glibc getaddrinfo stack-based buffer overflow
The report indicated that a traditional buffer management issue was present. Specifically it said “this change causes the thisanssizp pointer variable used in the recvfrom function on line 1282 to use the wrong size if a new buffer is created after the thisanssizp address has been changed at line 1257” and indicated that the result would be “The program will crash if the calculated size of the buffer used is 0. The recvfrom function will not crash, but any further accesses to the buffer where the bytes read was 0 from the recvfrom function will crash the program. ”
https://sourceware.org/ml/libc-alpha/2016-02/msg00416.html
https://sourceware.org/bugzilla/show_bug.cgi?id=18665
https://security.googleblog.com/2016/02/cve-2015-7547-glibc-getaddrinfo-stack.html
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-7547 (published via US-CERT)
http://cve.mitre.org/cve/cna.html
https://openclipart.org/detail/200681/primary-patch
Vuln: CVE-2015-7547: glibc getaddrinfo stack-based buffer overflow
On Feb 16, 2016, a CVE assignment was made to the bug list, and it further indicated the problem was introduced in May of 2008 in version 2.9.
https://sourceware.org/ml/libc-alpha/2016-02/msg00416.html
https://sourceware.org/bugzilla/show_bug.cgi?id=18665
https://security.googleblog.com/2016/02/cve-2015-7547-glibc-getaddrinfo-stack.html
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-7547 (published via US-CERT)
http://cve.mitre.org/cve/cna.html
https://openclipart.org/detail/200681/primary-patch
Vuln: CVE-2015-7547: glibc getaddrinfo stack-based buffer overflow
It wasn’t until two days later that the NVD (national vulnerability database) was updated to reflect the vulnerability. This meant that a staggered awareness situation ensued. When disclosures are staggered, there is an increased potential that a bad actor can take advantage of the situation. It’s important to note that this NVD entry came through US-CERT. One important thing to notice is that unlike the bug report, the overview contains significantly more actionable information (e.g. indicating that DNS is impacted “a crafted DNS response that triggers a call to the getaddrinfo function with the AF_UNSPEC or AF_INET6 address family, related to performing "dual A/AAAA DNS queries" and the libnss_dns.so.2 NSS module”
https://sourceware.org/ml/libc-alpha/2016-02/msg00416.html
https://sourceware.org/bugzilla/show_bug.cgi?id=18665
https://security.googleblog.com/2016/02/cve-2015-7547-glibc-getaddrinfo-stack.html
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-7547 (published via US-CERT)
http://cve.mitre.org/cve/cna.html
https://openclipart.org/detail/200681/primary-patch
Vuln: CVE-2015-7547: glibc getaddrinfo stack-based buffer overflow
Of course all most data center operators really want is to secure their environment, so the question really becomes “how to do that”. For an indication of how that plays out, we’ll look at VMware’s response as an example. The first thing most vendors do is create some form of security advisory, which in this case is “VMware Knowledge Base article 2144032”. In it they list the then current information about their exposure to the vulnerability. Often times, it’s minimal, but as they investigate, details are fleshed out. On February 22nd, they amended the KB article and created a security advisory “VMware Security Advisory VMSA-2016-0002” which included details on a patch for ESXi 5.5 and then updated a day later for a patch in ESXi 6.0. It’s not the least bit uncommon for some subordinate products, including older versions, to take longer to patch and on March 29th updates were announced to cover “vCenter Server Appliance (VCSA), 5.0 U3f, 5.1 U3c, and 5.5 U3c”
Once you’ve a patch, then you can start working on resolving the issue in your infrastructure.
https://sourceware.org/ml/libc-alpha/2016-02/msg00416.html
https://sourceware.org/bugzilla/show_bug.cgi?id=18665
https://security.googleblog.com/2016/02/cve-2015-7547-glibc-getaddrinfo-stack.html
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-7547 (published via US-CERT)
http://cve.mitre.org/cve/cna.html
https://openclipart.org/detail/200681/primary-patch
https://www.youtube.com/watch?v=hkryI6eapOA
http://blogs.vmware.com/security/2016/02/vmware-products-and-cve-2015-7547-glibc-getaddrinfo-security-issue.html
Vuln: CVE-2015-7547: glibc getaddrinfo stack-based buffer overflow
From a timeline perspective, we’re looking at close to eight years from time of bug to vulnerability resolution. For much of that time, the impact was unknown. Starting in July of 2015, the scope of the issue started to be known, but close to seven months were required for investigation, triage, development of a fix and public disclosure to occur. Once the bug was known, the risk of exploitation increased slightly until that disclosure, but following the disclosure risk goes up dramatically. That’s one reason why knowing what’s running in your environment is so important. The overall goal being to reduce the time between disclosure and fix.
https://sourceware.org/ml/libc-alpha/2016-02/msg00416.html
https://sourceware.org/bugzilla/show_bug.cgi?id=18665
https://security.googleblog.com/2016/02/cve-2015-7547-glibc-getaddrinfo-stack.html
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-7547 (published via US-CERT)
http://cve.mitre.org/cve/cna.html
https://openclipart.org/detail/200681/primary-patch
https://www.youtube.com/watch?v=hkryI6eapOA
Source: Future of Open Source 2016 survey: https://www.blackducksoftware.com/2016-future-of-open-source
Docker Container Security Scanner
https://info.blackducksoftware.com/Security-Scan.html
14 Day Free Trial to Black Duck Hub
https://info.blackducksoftware.com/Demo.html
Red Hat Atomic Host Integration (Requires Black Duck Hub)
atomic scan --scanner blackduck [container]