SlideShare a Scribd company logo

Securing Open Source Code in Enterprise

Asankhaya Sharma
Asankhaya Sharma

This document discusses securing open source code in enterprise applications. It notes that the number of open source libraries used is growing exponentially and the complexity has exploded, making it difficult to control what code is being used. It outlines threats from vulnerabilities, malicious libraries, typosquatting packages, and data exfiltration or command execution during builds. It then describes software composition analysis as a way to discover vulnerabilities and licenses in open source components through scanning applications and dependencies. It provides examples of scanning technologies and discusses mining for unidentified vulnerabilities using NLP and machine learning. Finally, it advocates integrating scanning into the CI/CD pipeline and following rules for responsible use of third party code.

Technology
1 of 26
Download to read offline
Securing Open Source Code in Enterprise Asankhaya Sharma
Open-Source Library Growth
Projection: > 400M Libraries by 2026
Complexity of Libraries has exploded For every 1 Java library you add to your projects, 4 others are added For every one library you add to a Node.js project, 9 others are added
SourceClear Scan of apache/spark
The Code Cocktail
Control Over What is in Your Code Has Changed Reference : http://anvaka.github.io/allnpmviz.an/ From YOU to: - Developer Tools - Open-Source Code - 3rd Party Developers
Threats using open source code - Vulnerabilities in open source libraries - Malicious libraries - Typosquatting package names - Data exfiltration - Command execution during build
Software Composition Analysis (SCA) Discover and identify software vulnerabilities and expose licenses for open source components Scanner Data
Scanning Technology App A v1.0 B v2.0 C v1.0 B v2.0 B v2.0 App A v1.0 B v2.0 C v1.0 Dependency Locked File Dependency GraphSCA Scanner
Scanning Technology App A v1.0 B v1.0 C v1.0 App A v1.0 B v2.0 C v1.0 Dependency File Dependency Graph App A v1.0 B v2.0 C v1.0 B v2.0 B v2.0 Resolved DependenciesSCA Scanner
System Dependencies Scanning SCA Scanner container ID A 1.0 amd64 B 1.0 all C 1.0 pod name A 1.0 amd64 B 1.0 all C 1.0 pod name A 1.0 amd64 B 1.0 all C 1.0 pod name A 1.0 amd64 B 1.0 all C 1.0
Vulnerabilities in Open Source Libraries ● Known Sources ○ CVEs / NVD ○ Advisories ○ Mailing list disclosures ● Unidentified issues ○ Commit logs ○ Bug reports ○ Change logs ○ Pull Requests Security Issues are often not reported or publicly mentioned How do we get the data?
Mining for unidentified vulnerabilities
NLP and Machine Learning for Harvesting Data https://asankhaya.github.io/pdf/automated-identification-of-security-issues-fr om-commit-messages-and-bug-reports.pdf
SCA Vendors
Evaluation Framework For Dependency Analysis EFDA is an open source project that allows users to test the dependency analysis tool of their choice and see how accurate the tool is. https://github.com/devsecops-community/efda
Software Supply Chain Source Control Management Continuous Delivery (CI/CD) ProductionDeveloper Software Composition Analysis
DevSecOps - Integrate SCA scanning in your CI pipeline - Create open source usage policy - Fail builds on high severity vulnerabilities - Gather data on open source libraries, vulnerabilities and licenses - Review bill of material (BOM) reports on what’s running in your applications
Rules for using 3rd party code 1. Know what you are using 2. Think about where it came from 3. Understand what it is doing 4. Avoid using vulnerable libraries
Thank you! ● Questions? ● Contact ○ Twitter: @asankhaya

Recommended

Software Security Assurance for DevOps - Hewlett Packard Enterprise + Black Duck
Software Security Assurance for DevOps - Hewlett Packard Enterprise + Black DuckSoftware Security Assurance for DevOps - Hewlett Packard Enterprise + Black Duck
Software Security Assurance for DevOps - Hewlett Packard Enterprise + Black Duck
Black Duck by Synopsys
 
Fortify dev ops (002)
Fortify dev ops (002)Fortify dev ops (002)
Fortify dev ops (002)
Madhavan Marimuthu
 
Donu’t Let Vulnerabilities Create a Hole in Your Organization
Donu’t Let Vulnerabilities Create a Hole in Your OrganizationDonu’t Let Vulnerabilities Create a Hole in Your Organization
Donu’t Let Vulnerabilities Create a Hole in Your Organization
DevOps.com
 
DevSecCon Tel Aviv 2018 - Integrated Security Testing by Morgan Roman
DevSecCon Tel Aviv 2018 - Integrated Security Testing by Morgan RomanDevSecCon Tel Aviv 2018 - Integrated Security Testing by Morgan Roman
DevSecCon Tel Aviv 2018 - Integrated Security Testing by Morgan Roman
DevSecCon
 
Fasten Industry Meeting with GitHub about Dependancy Management
Fasten Industry Meeting with GitHub about Dependancy ManagementFasten Industry Meeting with GitHub about Dependancy Management
Fasten Industry Meeting with GitHub about Dependancy Management
Fasten Project
 
Evaluating container security with ATT&CK Framework
Evaluating container security with ATT&CK FrameworkEvaluating container security with ATT&CK Framework
Evaluating container security with ATT&CK Framework
Sandeep Jayashankar
 
BOMs Away - Why everyone needs a BOM (AppSec Cali 2019)
BOMs Away - Why everyone needs a BOM (AppSec Cali 2019)BOMs Away - Why everyone needs a BOM (AppSec Cali 2019)
BOMs Away - Why everyone needs a BOM (AppSec Cali 2019)
Steve Springett
 
Divine and felonios cyber security devopsdays austin 2018
Divine and felonios cyber security devopsdays austin 2018Divine and felonios cyber security devopsdays austin 2018
Divine and felonios cyber security devopsdays austin 2018
John Willis
 

Recommended

Software Security Assurance for DevOps - Hewlett Packard Enterprise + Black Duck
Software Security Assurance for DevOps - Hewlett Packard Enterprise + Black DuckSoftware Security Assurance for DevOps - Hewlett Packard Enterprise + Black Duck
Software Security Assurance for DevOps - Hewlett Packard Enterprise + Black Duck
Black Duck by Synopsys
 
Fortify dev ops (002)
Fortify dev ops (002)Fortify dev ops (002)
Fortify dev ops (002)
Madhavan Marimuthu
 
Donu’t Let Vulnerabilities Create a Hole in Your Organization
Donu’t Let Vulnerabilities Create a Hole in Your OrganizationDonu’t Let Vulnerabilities Create a Hole in Your Organization
Donu’t Let Vulnerabilities Create a Hole in Your Organization
DevOps.com
 
DevSecCon Tel Aviv 2018 - Integrated Security Testing by Morgan Roman
DevSecCon Tel Aviv 2018 - Integrated Security Testing by Morgan RomanDevSecCon Tel Aviv 2018 - Integrated Security Testing by Morgan Roman
DevSecCon Tel Aviv 2018 - Integrated Security Testing by Morgan Roman
DevSecCon
 
Fasten Industry Meeting with GitHub about Dependancy Management
Fasten Industry Meeting with GitHub about Dependancy ManagementFasten Industry Meeting with GitHub about Dependancy Management
Fasten Industry Meeting with GitHub about Dependancy Management
Fasten Project
 
Evaluating container security with ATT&CK Framework
Evaluating container security with ATT&CK FrameworkEvaluating container security with ATT&CK Framework
Evaluating container security with ATT&CK Framework
Sandeep Jayashankar
 
BOMs Away - Why everyone needs a BOM (AppSec Cali 2019)
BOMs Away - Why everyone needs a BOM (AppSec Cali 2019)BOMs Away - Why everyone needs a BOM (AppSec Cali 2019)
BOMs Away - Why everyone needs a BOM (AppSec Cali 2019)
Steve Springett
 
Divine and felonios cyber security devopsdays austin 2018
Divine and felonios cyber security devopsdays austin 2018Divine and felonios cyber security devopsdays austin 2018
Divine and felonios cyber security devopsdays austin 2018
John Willis
 
Rise of software supply chain attack
Rise of software supply chain attackRise of software supply chain attack
Rise of software supply chain attack
Yadnyawalkya Tale
 
Digital Forensic Assignment Help
Digital Forensic Assignment HelpDigital Forensic Assignment Help
Digital Forensic Assignment Help
Global Web Tutors
 
Security Scanning Overview - Tetiana Chupryna (RUS) | Ruby Meditation 26
Security Scanning Overview - Tetiana Chupryna (RUS) | Ruby Meditation 26Security Scanning Overview - Tetiana Chupryna (RUS) | Ruby Meditation 26
Security Scanning Overview - Tetiana Chupryna (RUS) | Ruby Meditation 26
Ruby Meditation
 
Outpost24 webinar mastering container security in modern day dev ops
Outpost24 webinar mastering container security in modern day dev opsOutpost24 webinar mastering container security in modern day dev ops
Outpost24 webinar mastering container security in modern day dev ops
Outpost24
 
Analysis Of Adverarial Code - The Role of Malware Kits
Analysis Of Adverarial Code - The Role of Malware KitsAnalysis Of Adverarial Code - The Role of Malware Kits
Analysis Of Adverarial Code - The Role of Malware Kits
Rahul Mohandas
 
Malware forensics
Malware forensicsMalware forensics
Malware forensics
Sameera Amjad
 
"Automated Malware Analysis" de Gabriel Negreira Barbosa, Malware Research an...
"Automated Malware Analysis" de Gabriel Negreira Barbosa, Malware Research an..."Automated Malware Analysis" de Gabriel Negreira Barbosa, Malware Research an...
"Automated Malware Analysis" de Gabriel Negreira Barbosa, Malware Research an...
SegInfo
 
Next Generation Infrastructure - Devops Enterprise Summit 2018
Next Generation Infrastructure - Devops Enterprise Summit 2018Next Generation Infrastructure - Devops Enterprise Summit 2018
Next Generation Infrastructure - Devops Enterprise Summit 2018
John Willis
 
Analyzing Packages in Docker images hosted On DockerHub
Analyzing Packages in Docker images hosted On DockerHubAnalyzing Packages in Docker images hosted On DockerHub
Analyzing Packages in Docker images hosted On DockerHub
Ahmed Zerouali
 
MOSP Walkthrough 2009
MOSP Walkthrough 2009MOSP Walkthrough 2009
MOSP Walkthrough 2009
Andrew Roughan
 
Practical Malware Analysis: Ch 0: Malware Analysis Primer & 1: Basic Static T...
Practical Malware Analysis: Ch 0: Malware Analysis Primer & 1: Basic Static T...Practical Malware Analysis: Ch 0: Malware Analysis Primer & 1: Basic Static T...
Practical Malware Analysis: Ch 0: Malware Analysis Primer & 1: Basic Static T...
Sam Bowne
 
Reverse Engineering Malware Workshop
Reverse Engineering Malware WorkshopReverse Engineering Malware Workshop
Reverse Engineering Malware Workshop
Mustafa Qasim
 
Breaking iOS Apps using Cycript
Breaking iOS Apps using CycriptBreaking iOS Apps using Cycript
Breaking iOS Apps using Cycript
n|u - The Open Security Community
 
Complete python toolbox for modern developers
Complete python toolbox for modern developersComplete python toolbox for modern developers
Complete python toolbox for modern developers
Jan Giacomelli
 
Apache ManifoldCF
Apache ManifoldCFApache ManifoldCF
Apache ManifoldCF
Piergiorgio Lucidi
 
Materials Project Validation, Provenance, and Sandboxes by Dan Gunter
Materials Project Validation, Provenance, and Sandboxes by Dan GunterMaterials Project Validation, Provenance, and Sandboxes by Dan Gunter
Materials Project Validation, Provenance, and Sandboxes by Dan Gunter
Dan Gunter
 
[CONFidence 2016] Andrey Plastunov - Simple bugs to pwn the devs
[CONFidence 2016] Andrey Plastunov - Simple bugs to pwn the devs [CONFidence 2016] Andrey Plastunov - Simple bugs to pwn the devs
[CONFidence 2016] Andrey Plastunov - Simple bugs to pwn the devs
PROIDEA
 
Linux server penetration testing project
Linux server penetration testing projectLinux server penetration testing project
Linux server penetration testing project
Emad Soltani
 
ownR extended technical introduction
ownR extended technical introductionownR extended technical introduction
ownR extended technical introduction
Functional Analytics
 
Towards a Census of Free and Open Source Licenses
Towards a Census of Free and Open Source LicensesTowards a Census of Free and Open Source Licenses
Towards a Census of Free and Open Source Licenses
dmgerman
 
Open source technology
Open source technologyOpen source technology
Open source technologyaparnaz1
 
All You need to Know about Secure Coding with Open Source Software
All You need to Know about Secure Coding with Open Source SoftwareAll You need to Know about Secure Coding with Open Source Software
All You need to Know about Secure Coding with Open Source Software
Javier Perez
 

More Related Content

What's hot

Rise of software supply chain attack
Rise of software supply chain attackRise of software supply chain attack
Rise of software supply chain attack
Yadnyawalkya Tale
 
Digital Forensic Assignment Help
Digital Forensic Assignment HelpDigital Forensic Assignment Help
Digital Forensic Assignment Help
Global Web Tutors
 
Security Scanning Overview - Tetiana Chupryna (RUS) | Ruby Meditation 26
Security Scanning Overview - Tetiana Chupryna (RUS) | Ruby Meditation 26Security Scanning Overview - Tetiana Chupryna (RUS) | Ruby Meditation 26
Security Scanning Overview - Tetiana Chupryna (RUS) | Ruby Meditation 26
Ruby Meditation
 
Outpost24 webinar mastering container security in modern day dev ops
Outpost24 webinar mastering container security in modern day dev opsOutpost24 webinar mastering container security in modern day dev ops
Outpost24 webinar mastering container security in modern day dev ops
Outpost24
 
Analysis Of Adverarial Code - The Role of Malware Kits
Analysis Of Adverarial Code - The Role of Malware KitsAnalysis Of Adverarial Code - The Role of Malware Kits
Analysis Of Adverarial Code - The Role of Malware Kits
Rahul Mohandas
 
Malware forensics
Malware forensicsMalware forensics
Malware forensics
Sameera Amjad
 
"Automated Malware Analysis" de Gabriel Negreira Barbosa, Malware Research an...
"Automated Malware Analysis" de Gabriel Negreira Barbosa, Malware Research an..."Automated Malware Analysis" de Gabriel Negreira Barbosa, Malware Research an...
"Automated Malware Analysis" de Gabriel Negreira Barbosa, Malware Research an...
SegInfo
 
Next Generation Infrastructure - Devops Enterprise Summit 2018
Next Generation Infrastructure - Devops Enterprise Summit 2018Next Generation Infrastructure - Devops Enterprise Summit 2018
Next Generation Infrastructure - Devops Enterprise Summit 2018
John Willis
 
Analyzing Packages in Docker images hosted On DockerHub
Analyzing Packages in Docker images hosted On DockerHubAnalyzing Packages in Docker images hosted On DockerHub
Analyzing Packages in Docker images hosted On DockerHub
Ahmed Zerouali
 
MOSP Walkthrough 2009
MOSP Walkthrough 2009MOSP Walkthrough 2009
MOSP Walkthrough 2009
Andrew Roughan
 
Practical Malware Analysis: Ch 0: Malware Analysis Primer & 1: Basic Static T...
Practical Malware Analysis: Ch 0: Malware Analysis Primer & 1: Basic Static T...Practical Malware Analysis: Ch 0: Malware Analysis Primer & 1: Basic Static T...
Practical Malware Analysis: Ch 0: Malware Analysis Primer & 1: Basic Static T...
Sam Bowne
 
Reverse Engineering Malware Workshop
Reverse Engineering Malware WorkshopReverse Engineering Malware Workshop
Reverse Engineering Malware Workshop
Mustafa Qasim
 
Breaking iOS Apps using Cycript
Breaking iOS Apps using CycriptBreaking iOS Apps using Cycript
Breaking iOS Apps using Cycript
n|u - The Open Security Community
 
Complete python toolbox for modern developers
Complete python toolbox for modern developersComplete python toolbox for modern developers
Complete python toolbox for modern developers
Jan Giacomelli
 
Apache ManifoldCF
Apache ManifoldCFApache ManifoldCF
Apache ManifoldCF
Piergiorgio Lucidi
 
Materials Project Validation, Provenance, and Sandboxes by Dan Gunter
Materials Project Validation, Provenance, and Sandboxes by Dan GunterMaterials Project Validation, Provenance, and Sandboxes by Dan Gunter
Materials Project Validation, Provenance, and Sandboxes by Dan Gunter
Dan Gunter
 
[CONFidence 2016] Andrey Plastunov - Simple bugs to pwn the devs
[CONFidence 2016] Andrey Plastunov - Simple bugs to pwn the devs [CONFidence 2016] Andrey Plastunov - Simple bugs to pwn the devs
[CONFidence 2016] Andrey Plastunov - Simple bugs to pwn the devs
PROIDEA
 
Linux server penetration testing project
Linux server penetration testing projectLinux server penetration testing project
Linux server penetration testing project
Emad Soltani
 
ownR extended technical introduction
ownR extended technical introductionownR extended technical introduction
ownR extended technical introduction
Functional Analytics
 
Towards a Census of Free and Open Source Licenses
Towards a Census of Free and Open Source LicensesTowards a Census of Free and Open Source Licenses
Towards a Census of Free and Open Source Licenses
dmgerman
 

What's hot (20)

Rise of software supply chain attack
Rise of software supply chain attackRise of software supply chain attack
Rise of software supply chain attack
 
Digital Forensic Assignment Help
Digital Forensic Assignment HelpDigital Forensic Assignment Help
Digital Forensic Assignment Help
 
Security Scanning Overview - Tetiana Chupryna (RUS) | Ruby Meditation 26
Security Scanning Overview - Tetiana Chupryna (RUS) | Ruby Meditation 26Security Scanning Overview - Tetiana Chupryna (RUS) | Ruby Meditation 26
Security Scanning Overview - Tetiana Chupryna (RUS) | Ruby Meditation 26
 
Outpost24 webinar mastering container security in modern day dev ops
Outpost24 webinar mastering container security in modern day dev opsOutpost24 webinar mastering container security in modern day dev ops
Outpost24 webinar mastering container security in modern day dev ops
 
Analysis Of Adverarial Code - The Role of Malware Kits
Analysis Of Adverarial Code - The Role of Malware KitsAnalysis Of Adverarial Code - The Role of Malware Kits
Analysis Of Adverarial Code - The Role of Malware Kits
 
Malware forensics
Malware forensicsMalware forensics
Malware forensics
 
"Automated Malware Analysis" de Gabriel Negreira Barbosa, Malware Research an...
"Automated Malware Analysis" de Gabriel Negreira Barbosa, Malware Research an..."Automated Malware Analysis" de Gabriel Negreira Barbosa, Malware Research an...
"Automated Malware Analysis" de Gabriel Negreira Barbosa, Malware Research an...
 
Next Generation Infrastructure - Devops Enterprise Summit 2018
Next Generation Infrastructure - Devops Enterprise Summit 2018Next Generation Infrastructure - Devops Enterprise Summit 2018
Next Generation Infrastructure - Devops Enterprise Summit 2018
 
Analyzing Packages in Docker images hosted On DockerHub
Analyzing Packages in Docker images hosted On DockerHubAnalyzing Packages in Docker images hosted On DockerHub
Analyzing Packages in Docker images hosted On DockerHub
 
MOSP Walkthrough 2009
MOSP Walkthrough 2009MOSP Walkthrough 2009
MOSP Walkthrough 2009
 
Practical Malware Analysis: Ch 0: Malware Analysis Primer & 1: Basic Static T...
Practical Malware Analysis: Ch 0: Malware Analysis Primer & 1: Basic Static T...Practical Malware Analysis: Ch 0: Malware Analysis Primer & 1: Basic Static T...
Practical Malware Analysis: Ch 0: Malware Analysis Primer & 1: Basic Static T...
 
Reverse Engineering Malware Workshop
Reverse Engineering Malware WorkshopReverse Engineering Malware Workshop
Reverse Engineering Malware Workshop
 
Breaking iOS Apps using Cycript
Breaking iOS Apps using CycriptBreaking iOS Apps using Cycript
Breaking iOS Apps using Cycript
 
Complete python toolbox for modern developers
Complete python toolbox for modern developersComplete python toolbox for modern developers
Complete python toolbox for modern developers
 
Apache ManifoldCF
Apache ManifoldCFApache ManifoldCF
Apache ManifoldCF
 
Materials Project Validation, Provenance, and Sandboxes by Dan Gunter
Materials Project Validation, Provenance, and Sandboxes by Dan GunterMaterials Project Validation, Provenance, and Sandboxes by Dan Gunter
Materials Project Validation, Provenance, and Sandboxes by Dan Gunter
 
[CONFidence 2016] Andrey Plastunov - Simple bugs to pwn the devs
[CONFidence 2016] Andrey Plastunov - Simple bugs to pwn the devs [CONFidence 2016] Andrey Plastunov - Simple bugs to pwn the devs
[CONFidence 2016] Andrey Plastunov - Simple bugs to pwn the devs
 
Linux server penetration testing project
Linux server penetration testing projectLinux server penetration testing project
Linux server penetration testing project
 
ownR extended technical introduction
ownR extended technical introductionownR extended technical introduction
ownR extended technical introduction
 
Towards a Census of Free and Open Source Licenses
Towards a Census of Free and Open Source LicensesTowards a Census of Free and Open Source Licenses
Towards a Census of Free and Open Source Licenses
 

Similar to Securing Open Source Code in Enterprise

Open source technology
Open source technologyOpen source technology
Open source technologyaparnaz1
 
All You need to Know about Secure Coding with Open Source Software
All You need to Know about Secure Coding with Open Source SoftwareAll You need to Know about Secure Coding with Open Source Software
All You need to Know about Secure Coding with Open Source Software
Javier Perez
 
OWASP Dependency-Track Introduction
OWASP Dependency-Track IntroductionOWASP Dependency-Track Introduction
OWASP Dependency-Track Introduction
Sergey Sotnikov
 
Drupal Dev Days Vienna 2023 - What is the secure software supply chain and th...
Drupal Dev Days Vienna 2023 - What is the secure software supply chain and th...Drupal Dev Days Vienna 2023 - What is the secure software supply chain and th...
Drupal Dev Days Vienna 2023 - What is the secure software supply chain and th...
sparkfabrik
 
Analysis of-quality-of-pkgs-in-packagist-univ-20171024
Analysis of-quality-of-pkgs-in-packagist-univ-20171024Analysis of-quality-of-pkgs-in-packagist-univ-20171024
Analysis of-quality-of-pkgs-in-packagist-univ-20171024
Clark Everetts
 
What is the Secure Supply Chain and the Current State of the PHP Ecosystem
What is the Secure Supply Chain and the Current State of the PHP EcosystemWhat is the Secure Supply Chain and the Current State of the PHP Ecosystem
What is the Secure Supply Chain and the Current State of the PHP Ecosystem
sparkfabrik
 
Being Ready for Apache Kafka - Apache: Big Data Europe 2015
Being Ready for Apache Kafka - Apache: Big Data Europe 2015Being Ready for Apache Kafka - Apache: Big Data Europe 2015
Being Ready for Apache Kafka - Apache: Big Data Europe 2015
Michael Noll
 
Software Composition Analysis Deep Dive
Software Composition Analysis Deep DiveSoftware Composition Analysis Deep Dive
Software Composition Analysis Deep Dive
Ulisses Albuquerque
 
Software Analytics: Data Analytics for Software Engineering and Security
Software Analytics: Data Analytics for Software Engineering and SecuritySoftware Analytics: Data Analytics for Software Engineering and Security
Software Analytics: Data Analytics for Software Engineering and Security
Tao Xie
 
Vulnerability Intelligence and Assessment with vulners.com
Vulnerability Intelligence and Assessment with vulners.comVulnerability Intelligence and Assessment with vulners.com
Vulnerability Intelligence and Assessment with vulners.com
Alexander Leonov
 
Q1 2016 Open Source Security Report: Glibc and Beyond
Q1 2016 Open Source Security Report: Glibc and BeyondQ1 2016 Open Source Security Report: Glibc and Beyond
Q1 2016 Open Source Security Report: Glibc and Beyond
Black Duck by Synopsys
 
GPCE16: Automatic Non-functional Testing of Code Generators Families
GPCE16: Automatic Non-functional Testing of Code Generators FamiliesGPCE16: Automatic Non-functional Testing of Code Generators Families
GPCE16: Automatic Non-functional Testing of Code Generators Families
Mohamed BOUSSAA
 
Demystify Information Security & Threats for Data-Driven Platforms With Cheta...
Demystify Information Security & Threats for Data-Driven Platforms With Cheta...Demystify Information Security & Threats for Data-Driven Platforms With Cheta...
Demystify Information Security & Threats for Data-Driven Platforms With Cheta...
Chetan Khatri
 
Transforming your Security Products at the Endpoint
Transforming your Security Products at the EndpointTransforming your Security Products at the Endpoint
Transforming your Security Products at the Endpoint
Ivanti
 
Stack overflow code_laundering
Stack overflow code_launderingStack overflow code_laundering
Stack overflow code_laundering
Foutse Khomh
 
Effective DevSecOps
Effective DevSecOpsEffective DevSecOps
Effective DevSecOps
Pawel Krawczyk
 
2022 APIsecure_Securing APIs with Open Standards
2022 APIsecure_Securing APIs with Open Standards2022 APIsecure_Securing APIs with Open Standards
2022 APIsecure_Securing APIs with Open Standards
APIsecure_ Official
 
Software Security Assurance for DevOps
Software Security Assurance for DevOpsSoftware Security Assurance for DevOps
Software Security Assurance for DevOps
Black Duck by Synopsys
 
Know What’s in Your Containers! Manage and Secure all Open Source that Compos...
Know What’s in Your Containers! Manage and Secure all Open Source that Compos...Know What’s in Your Containers! Manage and Secure all Open Source that Compos...
Know What’s in Your Containers! Manage and Secure all Open Source that Compos...
DevOps.com
 
Introducing Kafka's Streams API
Introducing Kafka's Streams APIIntroducing Kafka's Streams API
Introducing Kafka's Streams API
confluent
 

Similar to Securing Open Source Code in Enterprise (20)

Open source technology
Open source technologyOpen source technology
Open source technology
 
All You need to Know about Secure Coding with Open Source Software
All You need to Know about Secure Coding with Open Source SoftwareAll You need to Know about Secure Coding with Open Source Software
All You need to Know about Secure Coding with Open Source Software
 
OWASP Dependency-Track Introduction
OWASP Dependency-Track IntroductionOWASP Dependency-Track Introduction
OWASP Dependency-Track Introduction
 
Drupal Dev Days Vienna 2023 - What is the secure software supply chain and th...
Drupal Dev Days Vienna 2023 - What is the secure software supply chain and th...Drupal Dev Days Vienna 2023 - What is the secure software supply chain and th...
Drupal Dev Days Vienna 2023 - What is the secure software supply chain and th...
 
Analysis of-quality-of-pkgs-in-packagist-univ-20171024
Analysis of-quality-of-pkgs-in-packagist-univ-20171024Analysis of-quality-of-pkgs-in-packagist-univ-20171024
Analysis of-quality-of-pkgs-in-packagist-univ-20171024
 
What is the Secure Supply Chain and the Current State of the PHP Ecosystem
What is the Secure Supply Chain and the Current State of the PHP EcosystemWhat is the Secure Supply Chain and the Current State of the PHP Ecosystem
What is the Secure Supply Chain and the Current State of the PHP Ecosystem
 
Being Ready for Apache Kafka - Apache: Big Data Europe 2015
Being Ready for Apache Kafka - Apache: Big Data Europe 2015Being Ready for Apache Kafka - Apache: Big Data Europe 2015
Being Ready for Apache Kafka - Apache: Big Data Europe 2015
 
Software Composition Analysis Deep Dive
Software Composition Analysis Deep DiveSoftware Composition Analysis Deep Dive
Software Composition Analysis Deep Dive
 
Software Analytics: Data Analytics for Software Engineering and Security
Software Analytics: Data Analytics for Software Engineering and SecuritySoftware Analytics: Data Analytics for Software Engineering and Security
Software Analytics: Data Analytics for Software Engineering and Security
 
Vulnerability Intelligence and Assessment with vulners.com
Vulnerability Intelligence and Assessment with vulners.comVulnerability Intelligence and Assessment with vulners.com
Vulnerability Intelligence and Assessment with vulners.com
 
Q1 2016 Open Source Security Report: Glibc and Beyond
Q1 2016 Open Source Security Report: Glibc and BeyondQ1 2016 Open Source Security Report: Glibc and Beyond
Q1 2016 Open Source Security Report: Glibc and Beyond
 
GPCE16: Automatic Non-functional Testing of Code Generators Families
GPCE16: Automatic Non-functional Testing of Code Generators FamiliesGPCE16: Automatic Non-functional Testing of Code Generators Families
GPCE16: Automatic Non-functional Testing of Code Generators Families
 
Demystify Information Security & Threats for Data-Driven Platforms With Cheta...
Demystify Information Security & Threats for Data-Driven Platforms With Cheta...Demystify Information Security & Threats for Data-Driven Platforms With Cheta...
Demystify Information Security & Threats for Data-Driven Platforms With Cheta...
 
Transforming your Security Products at the Endpoint
Transforming your Security Products at the EndpointTransforming your Security Products at the Endpoint
Transforming your Security Products at the Endpoint
 
Stack overflow code_laundering
Stack overflow code_launderingStack overflow code_laundering
Stack overflow code_laundering
 
Effective DevSecOps
Effective DevSecOpsEffective DevSecOps
Effective DevSecOps
 
2022 APIsecure_Securing APIs with Open Standards
2022 APIsecure_Securing APIs with Open Standards2022 APIsecure_Securing APIs with Open Standards
2022 APIsecure_Securing APIs with Open Standards
 
Software Security Assurance for DevOps
Software Security Assurance for DevOpsSoftware Security Assurance for DevOps
Software Security Assurance for DevOps
 
Know What’s in Your Containers! Manage and Secure all Open Source that Compos...
Know What’s in Your Containers! Manage and Secure all Open Source that Compos...Know What’s in Your Containers! Manage and Secure all Open Source that Compos...
Know What’s in Your Containers! Manage and Secure all Open Source that Compos...
 
Introducing Kafka's Streams API
Introducing Kafka's Streams APIIntroducing Kafka's Streams API
Introducing Kafka's Streams API
 

More from Asankhaya Sharma

9 types of people you find on your team
9 types of people you find on your team9 types of people you find on your team
9 types of people you find on your team
Asankhaya Sharma
 
Design and Implementation of the Security Graph Language
Design and Implementation of the Security Graph LanguageDesign and Implementation of the Security Graph Language
Design and Implementation of the Security Graph Language
Asankhaya Sharma
 
Secure Software Development
Secure Software DevelopmentSecure Software Development
Secure Software Development
Asankhaya Sharma
 
Verified Subtyping with Traits and Mixins
Verified Subtyping with Traits and MixinsVerified Subtyping with Traits and Mixins
Verified Subtyping with Traits and Mixins
Asankhaya Sharma
 
Specifying compatible sharing in data structures
Specifying compatible sharing in data structuresSpecifying compatible sharing in data structures
Specifying compatible sharing in data structures
Asankhaya Sharma
 
Exploiting undefined behaviors for efficient symbolic execution
Exploiting undefined behaviors for efficient symbolic executionExploiting undefined behaviors for efficient symbolic execution
Exploiting undefined behaviors for efficient symbolic execution
Asankhaya Sharma
 
DIDAR: Database Intrusion Detection with Automated Recovery
DIDAR: Database Intrusion Detection with Automated RecoveryDIDAR: Database Intrusion Detection with Automated Recovery
DIDAR: Database Intrusion Detection with Automated Recovery
Asankhaya Sharma
 
Developer-focused Software Security
Developer-focused Software SecurityDeveloper-focused Software Security
Developer-focused Software Security
Asankhaya Sharma
 
Visualizing Symbolic Execution with Bokeh
Visualizing Symbolic Execution with BokehVisualizing Symbolic Execution with Bokeh
Visualizing Symbolic Execution with Bokeh
Asankhaya Sharma
 
Crafting a Successful Engineering Career
Crafting a Successful Engineering CareerCrafting a Successful Engineering Career
Crafting a Successful Engineering Career
Asankhaya Sharma
 
Certified Reasoning for Automated Verification
Certified Reasoning for Automated VerificationCertified Reasoning for Automated Verification
Certified Reasoning for Automated Verification
Asankhaya Sharma
 
Last Days of Academy
Last Days of AcademyLast Days of Academy
Last Days of Academy
Asankhaya Sharma
 
SayCheese Ad
SayCheese AdSayCheese Ad
SayCheese Ad
Asankhaya Sharma
 

More from Asankhaya Sharma (13)

9 types of people you find on your team
9 types of people you find on your team9 types of people you find on your team
9 types of people you find on your team
 
Design and Implementation of the Security Graph Language
Design and Implementation of the Security Graph LanguageDesign and Implementation of the Security Graph Language
Design and Implementation of the Security Graph Language
 
Secure Software Development
Secure Software DevelopmentSecure Software Development
Secure Software Development
 
Verified Subtyping with Traits and Mixins
Verified Subtyping with Traits and MixinsVerified Subtyping with Traits and Mixins
Verified Subtyping with Traits and Mixins
 
Specifying compatible sharing in data structures
Specifying compatible sharing in data structuresSpecifying compatible sharing in data structures
Specifying compatible sharing in data structures
 
Exploiting undefined behaviors for efficient symbolic execution
Exploiting undefined behaviors for efficient symbolic executionExploiting undefined behaviors for efficient symbolic execution
Exploiting undefined behaviors for efficient symbolic execution
 
DIDAR: Database Intrusion Detection with Automated Recovery
DIDAR: Database Intrusion Detection with Automated RecoveryDIDAR: Database Intrusion Detection with Automated Recovery
DIDAR: Database Intrusion Detection with Automated Recovery
 
Developer-focused Software Security
Developer-focused Software SecurityDeveloper-focused Software Security
Developer-focused Software Security
 
Visualizing Symbolic Execution with Bokeh
Visualizing Symbolic Execution with BokehVisualizing Symbolic Execution with Bokeh
Visualizing Symbolic Execution with Bokeh
 
Crafting a Successful Engineering Career
Crafting a Successful Engineering CareerCrafting a Successful Engineering Career
Crafting a Successful Engineering Career
 
Certified Reasoning for Automated Verification
Certified Reasoning for Automated VerificationCertified Reasoning for Automated Verification
Certified Reasoning for Automated Verification
 
Last Days of Academy
Last Days of AcademyLast Days of Academy
Last Days of Academy
 
SayCheese Ad
SayCheese AdSayCheese Ad
SayCheese Ad
 

Recently uploaded

Enchancing adoption of Open Source Libraries. A case study on Albumentations.AI
Enchancing adoption of Open Source Libraries. A case study on Albumentations.AIEnchancing adoption of Open Source Libraries. A case study on Albumentations.AI
Enchancing adoption of Open Source Libraries. A case study on Albumentations.AI
Vladimir Iglovikov, Ph.D.
 
20240605 QFM017 Machine Intelligence Reading List May 2024
20240605 QFM017 Machine Intelligence Reading List May 202420240605 QFM017 Machine Intelligence Reading List May 2024
20240605 QFM017 Machine Intelligence Reading List May 2024
Matthew Sinclair
 
The Art of the Pitch: WordPress Relationships and Sales
The Art of the Pitch: WordPress Relationships and SalesThe Art of the Pitch: WordPress Relationships and Sales
The Art of the Pitch: WordPress Relationships and Sales
Laura Byrne
 
Securing your Kubernetes cluster_ a step-by-step guide to success !
Securing your Kubernetes cluster_ a step-by-step guide to success !Securing your Kubernetes cluster_ a step-by-step guide to success !
Securing your Kubernetes cluster_ a step-by-step guide to success !
KatiaHIMEUR1
 
GraphSummit Singapore | The Art of the Possible with Graph - Q2 2024
GraphSummit Singapore | The Art of the Possible with Graph - Q2 2024GraphSummit Singapore | The Art of the Possible with Graph - Q2 2024
GraphSummit Singapore | The Art of the Possible with Graph - Q2 2024
Neo4j
 
GraphSummit Singapore | Enhancing Changi Airport Group's Passenger Experience...
GraphSummit Singapore | Enhancing Changi Airport Group's Passenger Experience...GraphSummit Singapore | Enhancing Changi Airport Group's Passenger Experience...
GraphSummit Singapore | Enhancing Changi Airport Group's Passenger Experience...
Neo4j
 
Uni Systems Copilot event_05062024_C.Vlachos.pdf
Uni Systems Copilot event_05062024_C.Vlachos.pdfUni Systems Copilot event_05062024_C.Vlachos.pdf
Uni Systems Copilot event_05062024_C.Vlachos.pdf
Uni Systems S.M.S.A.
 
Removing Uninteresting Bytes in Software Fuzzing
Removing Uninteresting Bytes in Software FuzzingRemoving Uninteresting Bytes in Software Fuzzing
Removing Uninteresting Bytes in Software Fuzzing
Aftab Hussain
 
Large Language Model (LLM) and it’s Geospatial Applications
Large Language Model (LLM) and it’s Geospatial ApplicationsLarge Language Model (LLM) and it’s Geospatial Applications
Large Language Model (LLM) and it’s Geospatial Applications
Rohit Gautam
 
How to Get CNIC Information System with Paksim Ga.pptx
How to Get CNIC Information System with Paksim Ga.pptxHow to Get CNIC Information System with Paksim Ga.pptx
How to Get CNIC Information System with Paksim Ga.pptx
danishmna97
 
Artificial Intelligence for XMLDevelopment
Artificial Intelligence for XMLDevelopmentArtificial Intelligence for XMLDevelopment
Artificial Intelligence for XMLDevelopment
Octavian Nadolu
 
Introduction to CHERI technology - Cybersecurity
Introduction to CHERI technology - CybersecurityIntroduction to CHERI technology - Cybersecurity
Introduction to CHERI technology - Cybersecurity
mikeeftimakis1
 
PCI PIN Basics Webinar from the Controlcase Team
PCI PIN Basics Webinar from the Controlcase TeamPCI PIN Basics Webinar from the Controlcase Team
PCI PIN Basics Webinar from the Controlcase Team
ControlCase
 
Generative AI Deep Dive: Advancing from Proof of Concept to Production
Generative AI Deep Dive: Advancing from Proof of Concept to ProductionGenerative AI Deep Dive: Advancing from Proof of Concept to Production
Generative AI Deep Dive: Advancing from Proof of Concept to Production
Aggregage
 
UiPath Test Automation using UiPath Test Suite series, part 5
UiPath Test Automation using UiPath Test Suite series, part 5UiPath Test Automation using UiPath Test Suite series, part 5
UiPath Test Automation using UiPath Test Suite series, part 5
DianaGray10
 
RESUME BUILDER APPLICATION Project for students
RESUME BUILDER APPLICATION Project for studentsRESUME BUILDER APPLICATION Project for students
RESUME BUILDER APPLICATION Project for students
KAMESHS29
 
By Design, not by Accident - Agile Venture Bolzano 2024
By Design, not by Accident - Agile Venture Bolzano 2024By Design, not by Accident - Agile Venture Bolzano 2024
By Design, not by Accident - Agile Venture Bolzano 2024
Pierluigi Pugliese
 
GraphSummit Singapore | The Future of Agility: Supercharging Digital Transfor...
GraphSummit Singapore | The Future of Agility: Supercharging Digital Transfor...GraphSummit Singapore | The Future of Agility: Supercharging Digital Transfor...
GraphSummit Singapore | The Future of Agility: Supercharging Digital Transfor...
Neo4j
 
National Security Agency - NSA mobile device best practices
National Security Agency - NSA mobile device best practicesNational Security Agency - NSA mobile device best practices
National Security Agency - NSA mobile device best practices
Quotidiano Piemontese
 
Climate Impact of Software Testing at Nordic Testing Days
Climate Impact of Software Testing at Nordic Testing DaysClimate Impact of Software Testing at Nordic Testing Days
Climate Impact of Software Testing at Nordic Testing Days
Kari Kakkonen
 

Recently uploaded (20)

Enchancing adoption of Open Source Libraries. A case study on Albumentations.AI
Enchancing adoption of Open Source Libraries. A case study on Albumentations.AIEnchancing adoption of Open Source Libraries. A case study on Albumentations.AI
Enchancing adoption of Open Source Libraries. A case study on Albumentations.AI
 
20240605 QFM017 Machine Intelligence Reading List May 2024
20240605 QFM017 Machine Intelligence Reading List May 202420240605 QFM017 Machine Intelligence Reading List May 2024
20240605 QFM017 Machine Intelligence Reading List May 2024
 
The Art of the Pitch: WordPress Relationships and Sales
The Art of the Pitch: WordPress Relationships and SalesThe Art of the Pitch: WordPress Relationships and Sales
The Art of the Pitch: WordPress Relationships and Sales
 
Securing your Kubernetes cluster_ a step-by-step guide to success !
Securing your Kubernetes cluster_ a step-by-step guide to success !Securing your Kubernetes cluster_ a step-by-step guide to success !
Securing your Kubernetes cluster_ a step-by-step guide to success !
 
GraphSummit Singapore | The Art of the Possible with Graph - Q2 2024
GraphSummit Singapore | The Art of the Possible with Graph - Q2 2024GraphSummit Singapore | The Art of the Possible with Graph - Q2 2024
GraphSummit Singapore | The Art of the Possible with Graph - Q2 2024
 
GraphSummit Singapore | Enhancing Changi Airport Group's Passenger Experience...
GraphSummit Singapore | Enhancing Changi Airport Group's Passenger Experience...GraphSummit Singapore | Enhancing Changi Airport Group's Passenger Experience...
GraphSummit Singapore | Enhancing Changi Airport Group's Passenger Experience...
 
Uni Systems Copilot event_05062024_C.Vlachos.pdf
Uni Systems Copilot event_05062024_C.Vlachos.pdfUni Systems Copilot event_05062024_C.Vlachos.pdf
Uni Systems Copilot event_05062024_C.Vlachos.pdf
 
Removing Uninteresting Bytes in Software Fuzzing
Removing Uninteresting Bytes in Software FuzzingRemoving Uninteresting Bytes in Software Fuzzing
Removing Uninteresting Bytes in Software Fuzzing
 
Large Language Model (LLM) and it’s Geospatial Applications
Large Language Model (LLM) and it’s Geospatial ApplicationsLarge Language Model (LLM) and it’s Geospatial Applications
Large Language Model (LLM) and it’s Geospatial Applications
 
How to Get CNIC Information System with Paksim Ga.pptx
How to Get CNIC Information System with Paksim Ga.pptxHow to Get CNIC Information System with Paksim Ga.pptx
How to Get CNIC Information System with Paksim Ga.pptx
 
Artificial Intelligence for XMLDevelopment
Artificial Intelligence for XMLDevelopmentArtificial Intelligence for XMLDevelopment
Artificial Intelligence for XMLDevelopment
 
Introduction to CHERI technology - Cybersecurity
Introduction to CHERI technology - CybersecurityIntroduction to CHERI technology - Cybersecurity
Introduction to CHERI technology - Cybersecurity
 
PCI PIN Basics Webinar from the Controlcase Team
PCI PIN Basics Webinar from the Controlcase TeamPCI PIN Basics Webinar from the Controlcase Team
PCI PIN Basics Webinar from the Controlcase Team
 
Generative AI Deep Dive: Advancing from Proof of Concept to Production
Generative AI Deep Dive: Advancing from Proof of Concept to ProductionGenerative AI Deep Dive: Advancing from Proof of Concept to Production
Generative AI Deep Dive: Advancing from Proof of Concept to Production
 
UiPath Test Automation using UiPath Test Suite series, part 5
UiPath Test Automation using UiPath Test Suite series, part 5UiPath Test Automation using UiPath Test Suite series, part 5
UiPath Test Automation using UiPath Test Suite series, part 5
 
RESUME BUILDER APPLICATION Project for students
RESUME BUILDER APPLICATION Project for studentsRESUME BUILDER APPLICATION Project for students
RESUME BUILDER APPLICATION Project for students
 
By Design, not by Accident - Agile Venture Bolzano 2024
By Design, not by Accident - Agile Venture Bolzano 2024By Design, not by Accident - Agile Venture Bolzano 2024
By Design, not by Accident - Agile Venture Bolzano 2024
 
GraphSummit Singapore | The Future of Agility: Supercharging Digital Transfor...
GraphSummit Singapore | The Future of Agility: Supercharging Digital Transfor...GraphSummit Singapore | The Future of Agility: Supercharging Digital Transfor...
GraphSummit Singapore | The Future of Agility: Supercharging Digital Transfor...
 
National Security Agency - NSA mobile device best practices
National Security Agency - NSA mobile device best practicesNational Security Agency - NSA mobile device best practices
National Security Agency - NSA mobile device best practices
 
Climate Impact of Software Testing at Nordic Testing Days
Climate Impact of Software Testing at Nordic Testing DaysClimate Impact of Software Testing at Nordic Testing Days
Climate Impact of Software Testing at Nordic Testing Days
 

Securing Open Source Code in Enterprise

  • 1. Securing Open Source Code in Enterprise Asankhaya Sharma
  • 3. Projection: > 400M Libraries by 2026
  • 4. Complexity of Libraries has exploded For every 1 Java library you add to your projects, 4 others are added For every one library you add to a Node.js project, 9 others are added
  • 5. SourceClear Scan of apache/spark
  • 7. Control Over What is in Your Code Has Changed Reference : http://anvaka.github.io/allnpmviz.an/ From YOU to: - Developer Tools - Open-Source Code - 3rd Party Developers
  • 8. Threats using open source code - Vulnerabilities in open source libraries - Malicious libraries - Typosquatting package names - Data exfiltration - Command execution during build
  • 9.
  • 10.
  • 11.
  • 12.
  • 13.
  • 14. Software Composition Analysis (SCA) Discover and identify software vulnerabilities and expose licenses for open source components Scanner Data
  • 15. Scanning Technology App A v1.0 B v2.0 C v1.0 B v2.0 B v2.0 App A v1.0 B v2.0 C v1.0 Dependency Locked File Dependency GraphSCA Scanner
  • 16. Scanning Technology App A v1.0 B v1.0 C v1.0 App A v1.0 B v2.0 C v1.0 Dependency File Dependency Graph App A v1.0 B v2.0 C v1.0 B v2.0 B v2.0 Resolved DependenciesSCA Scanner
  • 17. System Dependencies Scanning SCA Scanner container ID A 1.0 amd64 B 1.0 all C 1.0 pod name A 1.0 amd64 B 1.0 all C 1.0 pod name A 1.0 amd64 B 1.0 all C 1.0 pod name A 1.0 amd64 B 1.0 all C 1.0
  • 18. Vulnerabilities in Open Source Libraries ● Known Sources ○ CVEs / NVD ○ Advisories ○ Mailing list disclosures ● Unidentified issues ○ Commit logs ○ Bug reports ○ Change logs ○ Pull Requests Security Issues are often not reported or publicly mentioned How do we get the data?
  • 19. Mining for unidentified vulnerabilities
  • 20. NLP and Machine Learning for Harvesting Data https://asankhaya.github.io/pdf/automated-identification-of-security-issues-fr om-commit-messages-and-bug-reports.pdf
  • 22. Evaluation Framework For Dependency Analysis EFDA is an open source project that allows users to test the dependency analysis tool of their choice and see how accurate the tool is. https://github.com/devsecops-community/efda
  • 23. Software Supply Chain Source Control Management Continuous Delivery (CI/CD) ProductionDeveloper Software Composition Analysis
  • 24. DevSecOps - Integrate SCA scanning in your CI pipeline - Create open source usage policy - Fail builds on high severity vulnerabilities - Gather data on open source libraries, vulnerabilities and licenses - Review bill of material (BOM) reports on what’s running in your applications
  • 25. Rules for using 3rd party code 1. Know what you are using 2. Think about where it came from 3. Understand what it is doing 4. Avoid using vulnerable libraries
  • 26. Thank you! ● Questions? ● Contact ○ Twitter: @asankhaya