WHITEPAPER

Snippets, Scans and Snap Decisions: How Component Identification Methods Impact the Efficiency of Open Source Risk Management
Background

For the most part, modern software is assembled, not written. Approximately 80-90% of a typical software application is comprised of third party components, most of which are open source. Custom business logic comprises the remaining 10 percent.

This massive reliance on open source components has created a “software supply chain” and new challenges for managing software security, quality and intellectual property. Organizations that rely on custom software are increasingly seeking visibility and control to manage risk and maximize benefit.

But to properly manage open source components, you must know as much as possible about them, starting with precisely identifying them. Security, quality and licensing information is of little use if you haven’t precisely identified the component you are using. And, without both accurate and actionable component information, developers are not able to make the right component selection from the start.
Component identification is far from straightforward. There are numerous approaches used to identify binary components. These include:

• Source Code Scanning
• Simple CPE Name Matching
• Simple Binary Matching
• Advanced Binary Fingerprinting
Source Code Scanning

Source code scanning technologies examine custom code and flag potential matches against fingerprints of known open source code. Source code scanning is a thorough and effective mechanism for surfacing potential ‘snippets’ of open source code that might have been inserted into otherwise proprietary work.

Source code scanning is, however, ineffective at precisely identifying the binary component with which that code is associated. This is because of the very nature of the component ecosystem. Components are enormously complex; each one is made up of hundreds of sub-assemblies (e.g. class files). Class files are commonly shared among components. Of the nearly 200 million class files in the Central Repository, there are fewer than 10 million unique class files being combined in myriad ways.

Because of this highly commingled nature of the component ecosystem, source code scanners are unable to precisely match a ‘code snippet’ to a single binary component (and version). The code scanner will often find dozens to hundreds of potential matches, rendering the analysis of any security, quality or licensing information futile.

Users of these technologies frequently report that they “receive too many false positives” or that the scanners require “too much manual research.” What they are really observing is that the technology itself is not well suited to the task of binary matching.
Simple CPE Name Matching

This method first identifies the vulnerable component's group ID and version from the Common Platform Enumeration (CPE) entry that the National Vulnerability Database (NVD) attaches to each CVE. The CPE is intended to identify vulnerable products, not vulnerable artifacts. Using the CPE product and version to fuzzy match Group:Artifact:Version results in over-identification, or false positives, on the vulnerable artifact name. This approach works well on applications that have an ideal set of vulnerable components whose names align precisely with the CPE data, or when there is only one matching artifact for Group:*:Version.

For example:

CVE-2014-0014
CPE: cpe:/a:apache:struts:1.3.8
Vulnerable GAV: org.apache:struts-core:1.3.8
CPE Name Matching:
  org.apache.struts:struts-core:1.3.8 (True Positive)
  org.apache.struts:struts-taglib:1.3.8 (False Positive)
  org.apache.struts:struts-tiles:1.3.8 (False Positive)

Without proper data curation, the effectiveness of this approach is limited to the precision of the CPE classifications of the CVE data. CVE data often does not identify the root cause (the vulnerable artifact) of the issue but instead identifies the platform that uses the vulnerable component. Without research into each CVE to identify the vulnerable artifact, this method of matching will generate a high percentage of false negatives. Also, when the component resides in multiple “authentic” repositories, you will get a false negative unless you have all of the hashes from each repository.
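The false positives and false negatives described above, worked through as an added Python example (not the whitepaper's or Sonatype's code): a fuzzy CPE-to-GAV name matcher run against a constructed catalog of Maven coordinates, beside a curated CVE-to-artifact mapping. The Struts 1.3.8 entries come from the example above; the com.example coordinates, commons-logging entry and the CVE-EXAMPLE-1 key are constructed placeholders.

```python
import re

# Constructed catalog of Maven coordinates (Group:Artifact:Version) found in an
# application. The Struts 1.3.8 entries are the whitepaper's own example; the
# com.example and commons-logging entries are made up for illustration.
CATALOG = [
    "org.apache.struts:struts-core:1.3.8",
    "org.apache.struts:struts-taglib:1.3.8",
    "org.apache.struts:struts-tiles:1.3.8",
    "org.apache.struts:struts-core:1.3.10",
    "commons-logging:commons-logging:1.1.1",
    "com.example:webapp-ui:2.0",
    "com.example:parser-lib:2.0",
]

# Constructed result of per-CVE research: which artifact actually carries the
# flaw. CVE-2014-0014 is from the whitepaper; CVE-EXAMPLE-1 is a placeholder
# for a CVE whose CPE names the platform ("webapp") rather than the library.
CURATED = {
    "CVE-2014-0014": {"org.apache.struts:struts-core:1.3.8"},
    "CVE-EXAMPLE-1": {"com.example:parser-lib:2.0"},
}


def parse_cpe(cpe):
    """Split a CPE 2.2 URI such as cpe:/a:apache:struts:1.3.8 into its fields."""
    m = re.fullmatch(r"cpe:/([aho]):([^:]+):([^:]+):([^:]+)", cpe)
    if not m:
        raise ValueError(f"unsupported CPE: {cpe}")
    part, vendor, product, version = m.groups()
    return {"part": part, "vendor": vendor, "product": product, "version": version}


def cpe_name_match(cpe, catalog=CATALOG):
    """Simple CPE name matching as the whitepaper describes it: flag every
    artifact at the CPE's version whose group or artifact name contains the
    CPE product string."""
    f = parse_cpe(cpe)
    hits = []
    for gav in catalog:
        group, artifact, version = gav.split(":")
        if version == f["version"] and (f["product"] in group or f["product"] in artifact):
            hits.append(gav)
    return hits


def curated_match(cve, catalog=CATALOG, curated=CURATED):
    """Match only the researched vulnerable artifact(s) for the CVE."""
    vulnerable = curated.get(cve, set())
    return [gav for gav in catalog if gav in vulnerable]


def evaluate(cve, cpe, catalog=CATALOG, curated=CURATED):
    """Compare the two strategies: label each name-match hit as a true or false
    positive, and list the vulnerable artifacts that name matching missed."""
    truth = set(curated_match(cve, catalog, curated))
    hits = cpe_name_match(cpe, catalog)
    return {
        "labels": {gav: ("True Positive" if gav in truth else "False Positive") for gav in hits},
        "false_negatives": sorted(truth - set(hits)),
    }


if __name__ == "__main__":
    for cve, cpe in [("CVE-2014-0014", "cpe:/a:apache:struts:1.3.8"),
                     ("CVE-EXAMPLE-1", "cpe:/a:example:webapp:2.0")]:
        result = evaluate(cve, cpe)
        print(cve)
        for gav, label in result["labels"].items():
            print(f"  {gav} ({label})")
        for gav in result["false_negatives"]:
            print(f"  {gav} (False Negative, missed by name matching)")
```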
Simple Binary Matching

Simple binary matching matches binaries by comparing cryptographic hashes of inspected components against a known library of component hashes. This allows precise identification of binary components, provided they have not been modified in any way. Unfortunately, many users modify components in some way that alters the identifying signatures (e.g. re-packaging, rebuilding, combining components, removing unused classes, etc.). When binaries are altered, simple binary matching fails and components are not properly identified.

As with Simple CPE Name Matching, the effectiveness of this approach is limited to the precision of the CPE classifications of the CVE data. CVE data often does not identify the root cause (the vulnerable artifact) of the issue and requires further manual research to be useful. Users of these technologies often report “false negatives” or “misses.” Also, when the component resides in multiple “authentic” repositories, you will get a false negative unless you have all of the hashes from each repository.

Advanced Binary Fingerprinting

To provide precise binary matching without the false positives of source code scanning or the false negatives of simple binary matching, Sonatype has invented a new, patent-pending method called Advanced Binary Fingerprinting. With this method, Sonatype is able to identify the unique combinations of subcomponents that are uniquely identifiable as the specific version of a given component. Advanced Binary Fingerprinting is able to precisely identify components even when they have been repackaged, rebuilt, or otherwise altered. This method allows proper assignment of security, quality and licensing data to a specific component and version. Advanced binary matching is both fast and precise. A large application can be analyzed and a precise bill of materials delivered in minutes.
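An added Python illustration of the contrast drawn in the two sections above: whole-file hashing (simple binary matching) fails as soon as a jar is rebuilt or trimmed, while a fingerprint over the sub-assemblies (the class entries) survives those changes. This is not Sonatype's patented method, whose details the whitepaper does not give, only a minimal version of the idea; the org.example coordinates, class bytes and manifests are constructed.

```python
import hashlib
import io
import zipfile

# Constructed coordinates and "class files" for a hypothetical component. Real
# class files are JVM bytecode; these byte strings only stand in for them.
GAV = "org.example:parser-lib:1.2.0"
CLASSES = {
    "org/example/parser/Parser.class": b"\xca\xfe\xba\xbe parser 1.2.0",
    "org/example/parser/Token.class": b"\xca\xfe\xba\xbe token 1.2.0",
    "org/example/parser/Util.class": b"\xca\xfe\xba\xbe util 1.2.0",
}


def build_jar(entries, manifest, date_time):
    """Write an in-memory jar; fixed entry timestamps keep the bytes reproducible."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(zipfile.ZipInfo("META-INF/MANIFEST.MF", date_time), manifest)
        for name, data in sorted(entries.items()):
            zf.writestr(zipfile.ZipInfo(name, date_time), data)
    return buf.getvalue()


def file_hash(blob):
    """Simple binary matching key: one cryptographic hash over the whole artifact."""
    return hashlib.sha256(blob).hexdigest()


def class_fingerprint(blob):
    """Fingerprint the sub-assemblies instead of the container: the set of
    (entry name, content hash) pairs for every .class entry. Manifest text,
    timestamps and zip layout do not influence it."""
    with zipfile.ZipFile(io.BytesIO(blob)) as zf:
        return frozenset(
            (info.filename, hashlib.sha256(zf.read(info)).hexdigest())
            for info in zf.infolist() if info.filename.endswith(".class")
        )


def simple_binary_match(blob, known_hashes):
    """Exact whole-file hash lookup; returns the GAV or None."""
    return known_hashes.get(file_hash(blob))


def fingerprint_match(blob, known_fps, min_overlap=0.6):
    """Return (gav, score) for the known component whose class fingerprints
    overlap most with the inspected jar, or (None, 0.0) below the threshold.
    The score is the fraction of the known component's classes that are present,
    so a jar with unused classes stripped out can still match."""
    fp = class_fingerprint(blob)
    best_gav, best_score = None, 0.0
    for gav, known_fp in known_fps.items():
        score = len(fp & known_fp) / len(known_fp)
        if score > best_score:
            best_gav, best_score = gav, score
    return (best_gav, best_score) if best_score >= min_overlap else (None, 0.0)


# The artifact as published upstream, and the lookup tables built from it.
CANONICAL_JAR = build_jar(CLASSES, "Manifest-Version: 1.0\nCreated-By: upstream\n",
                          (2015, 1, 1, 0, 0, 0))
KNOWN_HASHES = {file_hash(CANONICAL_JAR): GAV}
KNOWN_FPS = {GAV: class_fingerprint(CANONICAL_JAR)}

# Three of the alterations the whitepaper lists: rebuilt from the same sources
# (new manifest and timestamps), trimmed of an unused class, and, for contrast,
# an unrelated jar that shares no classes at all.
REBUILT_JAR = build_jar(CLASSES, "Manifest-Version: 1.0\nCreated-By: internal-ci\n",
                        (2015, 6, 1, 12, 0, 0))
TRIMMED_JAR = build_jar({k: v for k, v in CLASSES.items() if not k.endswith("Util.class")},
                        "Manifest-Version: 1.0\n", (2015, 6, 1, 12, 0, 0))
UNRELATED_JAR = build_jar({"com/other/Foo.class": b"\xca\xfe\xba\xbe foo"},
                          "Manifest-Version: 1.0\n", (2015, 6, 1, 12, 0, 0))

if __name__ == "__main__":
    for label, jar in [("canonical", CANONICAL_JAR), ("rebuilt", REBUILT_JAR),
                       ("trimmed", TRIMMED_JAR), ("unrelated", UNRELATED_JAR)]:
        print(f"{label:10} hash match: {simple_binary_match(jar, KNOWN_HASHES)}"
              f"  fingerprint match: {fingerprint_match(jar, KNOWN_FPS)}")
```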
Types of Component Matching

Source Code Scanning
  Description: This technology examines custom code and flags potential matches against fingerprints of known open source code.
  Pros: Thorough and effective method for identifying potential “snippets” of open source code that may have been inserted in otherwise proprietary work.
  Cons: Not effective at precisely matching a code “snippet” with a single binary component and version. A source code scanner may find dozens or hundreds of potential matches requiring additional manual research.

Simple CPE Name Matching
  Description: This method first identifies the vulnerable component's group ID and version from the Common Platform Enumeration (CPE) entry that the National Vulnerability Database (NVD) attaches to each CVE. The CPE is intended to identify vulnerable products, not vulnerable artifacts.
  Pros: This approach works well on applications that have an ideal set of vulnerable components whose names align precisely with the CPE data, or when there is only one matching artifact for Group:*:Version.
  Cons: The effectiveness of this approach is limited to the precision of the CPE classifications of the CVE data. CVE data often does not identify the root cause (the vulnerable artifact) of the issue but instead identifies the platform that uses the vulnerable component. Without research into each CVE to identify the vulnerable artifact, this method of matching will generate a high percentage of false negatives.

Simple Binary Matching
  Description: Simple binary matching matches binaries by comparing cryptographic hashes of inspected components against a known library of component hashes.
  Pros: Allows precise identification of binary components as long as they have not been modified in any way.
  Cons: Many users modify components in some way that alters the identifying signatures (e.g. re-packaging, rebuilding, combining components, removing unused classes, etc.). When binaries are altered, simple binary matching fails and components are not properly identified. Users report false negatives or misses.

Advanced Binary Fingerprinting
  Description: Patent-pending method of identifying the unique combinations of subcomponents that are unique to a specific component version, as well as other component dependencies.
  Pros: Precisely identifies a component version with known security or license vulnerabilities regardless of whether it has been modified. Eliminates false negatives and false positives to produce accurate analyses very quickly.
  Cons: Java and NuGet components currently offered, but quickly expanding to include JavaScript and npm.
The Sonatype Advantage

Sonatype brings practical intelligence to component-based software development. Sonatype offers distinct advantages to organizations that need to improve visibility and control over the open source components that they use in software development.

• Sonatype pioneered component-based software development as the creators of the Apache Maven build system and the Nexus repository manager.
• Sonatype is also the steward of the (Maven) Central Repository, the industry’s primary source for open source components, containing nearly 700,000 components and serving 17 billion requests last year.
• Sonatype is the only vendor to offer actionable component security, quality, and licensing information directly into the tools developers use every day.
• Sonatype is the only vendor offering patent-pending Advanced Binary Matching to quickly and precisely identify components, even if they have been altered or repackaged. This unique technology minimizes “false positives” and eliminates time-consuming manual research.
• Sonatype is the only vendor to provide real-time update notifications to alert users when a component they are using has been updated or changed.
• Sonatype is the only vendor to analyze all component dependencies, enabling quick and precise identification of potential issues, even if they’re nested deep within a complex dependency tree.

Sonatype helps organizations build better software, even faster. Like a traditional supply chain, software applications are built by assembling open source and third party components streaming in from a wide variety of public and internal sources. While re-use is far faster than custom code, the flow of components into and through an organization remains complex and inefficient. Sonatype’s Nexus platform applies proven supply chain principles to increase speed, efficiency and quality by optimizing the component supply chain. Sonatype has been on the forefront of creating tools to improve developer efficiency and quality since the inception of the Central Repository and Apache Maven in 2001, and the company continues to serve as the steward of the Central Repository, serving 17.2 billion component download requests in 2014 alone. Sonatype is privately held with investments from New Enterprise Associates (NEA), Accel Partners, Bay Partners, Hummer Winblad Venture Partners and Morgenthaler Ventures. Visit: www.sonatype.com

For more information about Sonatype, visit www.sonatype.com

Sonatype Inc. • 8161 Maple Lawn Drive, Suite 250 • Fulton, MD 20759 • 1.877.866.2836 • www.sonatype.com
© 2015 Sonatype Inc. All Rights Reserved.

DevOps Days Columbus - Derek Weeks - 2019
Ā 
2019 DevSecOps Reference Architectures
2019 DevSecOps Reference Architectures2019 DevSecOps Reference Architectures
2019 DevSecOps Reference Architectures
Ā 
RSAC DevSecOpsDays 2018 - We are all Equifax
RSAC DevSecOpsDays 2018 - We are all EquifaxRSAC DevSecOpsDays 2018 - We are all Equifax
RSAC DevSecOpsDays 2018 - We are all Equifax
Ā 
DevSecOps reference architectures 2018
DevSecOps reference architectures 2018DevSecOps reference architectures 2018
DevSecOps reference architectures 2018
Ā 
30+ Nexus Integrations to Accelerate DevOps
30+ Nexus Integrations to Accelerate DevOps30+ Nexus Integrations to Accelerate DevOps
30+ Nexus Integrations to Accelerate DevOps
Ā 
2017 DevSecOps Survey
2017 DevSecOps Survey2017 DevSecOps Survey
2017 DevSecOps Survey
Ā 
Starting and Scaling DevOps In the Enterprise
Starting and Scaling DevOps In the EnterpriseStarting and Scaling DevOps In the Enterprise
Starting and Scaling DevOps In the Enterprise
Ā 
DevOps Friendly Doc Publishing for APIs & Microservices
DevOps Friendly Doc Publishing for APIs & MicroservicesDevOps Friendly Doc Publishing for APIs & Microservices
DevOps Friendly Doc Publishing for APIs & Microservices
Ā 
The Unrealized Role of Monitoring & Alerting w/ Jason Hand
The Unrealized Role of Monitoring & Alerting w/ Jason HandThe Unrealized Role of Monitoring & Alerting w/ Jason Hand
The Unrealized Role of Monitoring & Alerting w/ Jason Hand
Ā 
DevOps and All the Continuouses w/ Helen Beal
DevOps and All the Continuouses w/ Helen BealDevOps and All the Continuouses w/ Helen Beal
DevOps and All the Continuouses w/ Helen Beal
Ā 
Serverless and the Way Forward
Serverless and the Way ForwardServerless and the Way Forward
Serverless and the Way Forward
Ā 
A Small Association's Journey to DevOps w/ Edward Ruiz
A Small Association's Journey to DevOps w/ Edward RuizA Small Association's Journey to DevOps w/ Edward Ruiz
A Small Association's Journey to DevOps w/ Edward Ruiz
Ā 
What's My Security Policy Doing to My Help Desk w/ Chris Swan
What's My Security Policy Doing to My Help Desk w/ Chris SwanWhat's My Security Policy Doing to My Help Desk w/ Chris Swan
What's My Security Policy Doing to My Help Desk w/ Chris Swan
Ā 
Characterizing and Contrasting Kuhn-tey-ner Awr-kuh-streyt-ors
Characterizing and Contrasting Kuhn-tey-ner Awr-kuh-streyt-orsCharacterizing and Contrasting Kuhn-tey-ner Awr-kuh-streyt-ors
Characterizing and Contrasting Kuhn-tey-ner Awr-kuh-streyt-ors
Ā 
Static Analysis For Security and DevOps Happiness w/ Justin Collins
Static Analysis For Security and DevOps Happiness w/ Justin CollinsStatic Analysis For Security and DevOps Happiness w/ Justin Collins
Static Analysis For Security and DevOps Happiness w/ Justin Collins
Ā 
Automated Infrastructure Security: Monitoring using FOSS
Automated Infrastructure Security: Monitoring using FOSSAutomated Infrastructure Security: Monitoring using FOSS
Automated Infrastructure Security: Monitoring using FOSS
Ā 
System Hardening Using Ansible
System Hardening Using AnsibleSystem Hardening Using Ansible
System Hardening Using Ansible
Ā 
There is No Server: Immutable Infrastructure and Serverless Architecture
There is No Server: Immutable Infrastructure and Serverless ArchitectureThere is No Server: Immutable Infrastructure and Serverless Architecture
There is No Server: Immutable Infrastructure and Serverless Architecture
Ā 
Getting out of the Job Jungle with Jenkins
Getting out of the Job Jungle with JenkinsGetting out of the Job Jungle with Jenkins
Getting out of the Job Jungle with Jenkins
Ā 
Modern Infrastructure Automation
Modern Infrastructure AutomationModern Infrastructure Automation
Modern Infrastructure Automation
Ā 

Recently uploaded

why an Opensea Clone Script might be your perfect match.pdf
why an Opensea Clone Script might be your perfect match.pdfwhy an Opensea Clone Script might be your perfect match.pdf
why an Opensea Clone Script might be your perfect match.pdfjoe51371421
Ā 
The Real-World Challenges of Medical Device Cybersecurity- Mitigating Vulnera...
The Real-World Challenges of Medical Device Cybersecurity- Mitigating Vulnera...The Real-World Challenges of Medical Device Cybersecurity- Mitigating Vulnera...
The Real-World Challenges of Medical Device Cybersecurity- Mitigating Vulnera...ICS
Ā 
5 Signs You Need a Fashion PLM Software.pdf
5 Signs You Need a Fashion PLM Software.pdf5 Signs You Need a Fashion PLM Software.pdf
5 Signs You Need a Fashion PLM Software.pdfWave PLM
Ā 
HR Software Buyers Guide in 2024 - HRSoftware.com
HR Software Buyers Guide in 2024 - HRSoftware.comHR Software Buyers Guide in 2024 - HRSoftware.com
HR Software Buyers Guide in 2024 - HRSoftware.comFatema Valibhai
Ā 
cybersecurity notes for mca students for learning
cybersecurity notes for mca students for learningcybersecurity notes for mca students for learning
cybersecurity notes for mca students for learningVitsRangannavar
Ā 
chapter--4-software-project-planning.ppt
chapter--4-software-project-planning.pptchapter--4-software-project-planning.ppt
chapter--4-software-project-planning.pptkotipi9215
Ā 
DNT_Corporate presentation know about us
DNT_Corporate presentation know about usDNT_Corporate presentation know about us
DNT_Corporate presentation know about usDynamic Netsoft
Ā 
Russian Call Girls in Karol Bagh Aasnvi āž”ļø 8264348440 šŸ’‹šŸ“ž Independent Escort S...
Russian Call Girls in Karol Bagh Aasnvi āž”ļø 8264348440 šŸ’‹šŸ“ž Independent Escort S...Russian Call Girls in Karol Bagh Aasnvi āž”ļø 8264348440 šŸ’‹šŸ“ž Independent Escort S...
Russian Call Girls in Karol Bagh Aasnvi āž”ļø 8264348440 šŸ’‹šŸ“ž Independent Escort S...soniya singh
Ā 
Building Real-Time Data Pipelines: Stream & Batch Processing workshop Slide
Building Real-Time Data Pipelines: Stream & Batch Processing workshop SlideBuilding Real-Time Data Pipelines: Stream & Batch Processing workshop Slide
Building Real-Time Data Pipelines: Stream & Batch Processing workshop SlideChristina Lin
Ā 
The Evolution of Karaoke From Analog to App.pdf
The Evolution of Karaoke From Analog to App.pdfThe Evolution of Karaoke From Analog to App.pdf
The Evolution of Karaoke From Analog to App.pdfPower Karaoke
Ā 
Alluxio Monthly Webinar | Cloud-Native Model Training on Distributed Data
Alluxio Monthly Webinar | Cloud-Native Model Training on Distributed DataAlluxio Monthly Webinar | Cloud-Native Model Training on Distributed Data
Alluxio Monthly Webinar | Cloud-Native Model Training on Distributed DataAlluxio, Inc.
Ā 
ODSC - Batch to Stream workshop - integration of Apache Spark, Cassandra, Pos...
ODSC - Batch to Stream workshop - integration of Apache Spark, Cassandra, Pos...ODSC - Batch to Stream workshop - integration of Apache Spark, Cassandra, Pos...
ODSC - Batch to Stream workshop - integration of Apache Spark, Cassandra, Pos...Christina Lin
Ā 
Short Story: Unveiling the Reasoning Abilities of Large Language Models by Ke...
Short Story: Unveiling the Reasoning Abilities of Large Language Models by Ke...Short Story: Unveiling the Reasoning Abilities of Large Language Models by Ke...
Short Story: Unveiling the Reasoning Abilities of Large Language Models by Ke...kellynguyen01
Ā 
Building a General PDE Solving Framework with Symbolic-Numeric Scientific Mac...
Building a General PDE Solving Framework with Symbolic-Numeric Scientific Mac...Building a General PDE Solving Framework with Symbolic-Numeric Scientific Mac...
Building a General PDE Solving Framework with Symbolic-Numeric Scientific Mac...stazi3110
Ā 
Unit 1.1 Excite Part 1, class 9, cbse...
Unit 1.1 Excite Part 1, class 9, cbse...Unit 1.1 Excite Part 1, class 9, cbse...
Unit 1.1 Excite Part 1, class 9, cbse...aditisharan08
Ā 
BATTLEFIELD ORM: TIPS, TACTICS AND STRATEGIES FOR CONQUERING YOUR DATABASE
BATTLEFIELD ORM: TIPS, TACTICS AND STRATEGIES FOR CONQUERING YOUR DATABASEBATTLEFIELD ORM: TIPS, TACTICS AND STRATEGIES FOR CONQUERING YOUR DATABASE
BATTLEFIELD ORM: TIPS, TACTICS AND STRATEGIES FOR CONQUERING YOUR DATABASEOrtus Solutions, Corp
Ā 
Call Girls in Naraina Delhi šŸ’ÆCall Us šŸ”8264348440šŸ”
Call Girls in Naraina Delhi šŸ’ÆCall Us šŸ”8264348440šŸ”Call Girls in Naraina Delhi šŸ’ÆCall Us šŸ”8264348440šŸ”
Call Girls in Naraina Delhi šŸ’ÆCall Us šŸ”8264348440šŸ”soniya singh
Ā 
XpertSolvers: Your Partner in Building Innovative Software Solutions
XpertSolvers: Your Partner in Building Innovative Software SolutionsXpertSolvers: Your Partner in Building Innovative Software Solutions
XpertSolvers: Your Partner in Building Innovative Software SolutionsMehedi Hasan Shohan
Ā 
Optimizing AI for immediate response in Smart CCTV
Optimizing AI for immediate response in Smart CCTVOptimizing AI for immediate response in Smart CCTV
Optimizing AI for immediate response in Smart CCTVshikhaohhpro
Ā 

Recently uploaded (20)

why an Opensea Clone Script might be your perfect match.pdf
why an Opensea Clone Script might be your perfect match.pdfwhy an Opensea Clone Script might be your perfect match.pdf
why an Opensea Clone Script might be your perfect match.pdf
Ā 
The Real-World Challenges of Medical Device Cybersecurity- Mitigating Vulnera...
The Real-World Challenges of Medical Device Cybersecurity- Mitigating Vulnera...The Real-World Challenges of Medical Device Cybersecurity- Mitigating Vulnera...
The Real-World Challenges of Medical Device Cybersecurity- Mitigating Vulnera...
Ā 
5 Signs You Need a Fashion PLM Software.pdf
5 Signs You Need a Fashion PLM Software.pdf5 Signs You Need a Fashion PLM Software.pdf
5 Signs You Need a Fashion PLM Software.pdf
Ā 
HR Software Buyers Guide in 2024 - HRSoftware.com
HR Software Buyers Guide in 2024 - HRSoftware.comHR Software Buyers Guide in 2024 - HRSoftware.com
HR Software Buyers Guide in 2024 - HRSoftware.com
Ā 
Call Girls In Mukherjee Nagar šŸ“± 9999965857 šŸ¤© Delhi šŸ«¦ HOT AND SEXY VVIP šŸŽ SE...
Call Girls In Mukherjee Nagar šŸ“±  9999965857  šŸ¤© Delhi šŸ«¦ HOT AND SEXY VVIP šŸŽ SE...Call Girls In Mukherjee Nagar šŸ“±  9999965857  šŸ¤© Delhi šŸ«¦ HOT AND SEXY VVIP šŸŽ SE...
Call Girls In Mukherjee Nagar šŸ“± 9999965857 šŸ¤© Delhi šŸ«¦ HOT AND SEXY VVIP šŸŽ SE...
Ā 
cybersecurity notes for mca students for learning
cybersecurity notes for mca students for learningcybersecurity notes for mca students for learning
cybersecurity notes for mca students for learning
Ā 
chapter--4-software-project-planning.ppt
chapter--4-software-project-planning.pptchapter--4-software-project-planning.ppt
chapter--4-software-project-planning.ppt
Ā 
DNT_Corporate presentation know about us
DNT_Corporate presentation know about usDNT_Corporate presentation know about us
DNT_Corporate presentation know about us
Ā 
Russian Call Girls in Karol Bagh Aasnvi āž”ļø 8264348440 šŸ’‹šŸ“ž Independent Escort S...
Russian Call Girls in Karol Bagh Aasnvi āž”ļø 8264348440 šŸ’‹šŸ“ž Independent Escort S...Russian Call Girls in Karol Bagh Aasnvi āž”ļø 8264348440 šŸ’‹šŸ“ž Independent Escort S...
Russian Call Girls in Karol Bagh Aasnvi āž”ļø 8264348440 šŸ’‹šŸ“ž Independent Escort S...
Ā 
Building Real-Time Data Pipelines: Stream & Batch Processing workshop Slide
Building Real-Time Data Pipelines: Stream & Batch Processing workshop SlideBuilding Real-Time Data Pipelines: Stream & Batch Processing workshop Slide
Building Real-Time Data Pipelines: Stream & Batch Processing workshop Slide
Ā 
The Evolution of Karaoke From Analog to App.pdf
The Evolution of Karaoke From Analog to App.pdfThe Evolution of Karaoke From Analog to App.pdf
The Evolution of Karaoke From Analog to App.pdf
Ā 
Alluxio Monthly Webinar | Cloud-Native Model Training on Distributed Data
Alluxio Monthly Webinar | Cloud-Native Model Training on Distributed DataAlluxio Monthly Webinar | Cloud-Native Model Training on Distributed Data
Alluxio Monthly Webinar | Cloud-Native Model Training on Distributed Data
Ā 
ODSC - Batch to Stream workshop - integration of Apache Spark, Cassandra, Pos...
ODSC - Batch to Stream workshop - integration of Apache Spark, Cassandra, Pos...ODSC - Batch to Stream workshop - integration of Apache Spark, Cassandra, Pos...
ODSC - Batch to Stream workshop - integration of Apache Spark, Cassandra, Pos...
Ā 
Short Story: Unveiling the Reasoning Abilities of Large Language Models by Ke...
Short Story: Unveiling the Reasoning Abilities of Large Language Models by Ke...Short Story: Unveiling the Reasoning Abilities of Large Language Models by Ke...
Short Story: Unveiling the Reasoning Abilities of Large Language Models by Ke...
Ā 
Building a General PDE Solving Framework with Symbolic-Numeric Scientific Mac...
Building a General PDE Solving Framework with Symbolic-Numeric Scientific Mac...Building a General PDE Solving Framework with Symbolic-Numeric Scientific Mac...
Building a General PDE Solving Framework with Symbolic-Numeric Scientific Mac...
Ā 
Unit 1.1 Excite Part 1, class 9, cbse...
Unit 1.1 Excite Part 1, class 9, cbse...Unit 1.1 Excite Part 1, class 9, cbse...
Unit 1.1 Excite Part 1, class 9, cbse...
Ā 
BATTLEFIELD ORM: TIPS, TACTICS AND STRATEGIES FOR CONQUERING YOUR DATABASE
BATTLEFIELD ORM: TIPS, TACTICS AND STRATEGIES FOR CONQUERING YOUR DATABASEBATTLEFIELD ORM: TIPS, TACTICS AND STRATEGIES FOR CONQUERING YOUR DATABASE
BATTLEFIELD ORM: TIPS, TACTICS AND STRATEGIES FOR CONQUERING YOUR DATABASE
Ā 
Call Girls in Naraina Delhi šŸ’ÆCall Us šŸ”8264348440šŸ”
Call Girls in Naraina Delhi šŸ’ÆCall Us šŸ”8264348440šŸ”Call Girls in Naraina Delhi šŸ’ÆCall Us šŸ”8264348440šŸ”
Call Girls in Naraina Delhi šŸ’ÆCall Us šŸ”8264348440šŸ”
Ā 
XpertSolvers: Your Partner in Building Innovative Software Solutions
XpertSolvers: Your Partner in Building Innovative Software SolutionsXpertSolvers: Your Partner in Building Innovative Software Solutions
XpertSolvers: Your Partner in Building Innovative Software Solutions
Ā 
Optimizing AI for immediate response in Smart CCTV
Optimizing AI for immediate response in Smart CCTVOptimizing AI for immediate response in Smart CCTV
Optimizing AI for immediate response in Smart CCTV
Ā 

How Component ID Methods Impact Open Source Risk Management Efficiency

  • 1. WHITEPAPER. Snippets, Scans and Snap Decisions: how component identification methods impact the efficiency of open source risk management
  • 2. Page 2. Background

    For the most part, modern software is assembled, not written. Approximately 80-90% of a typical software application is comprised of third party components, most of which are open source. Custom business logic comprises the remaining 10 percent.

    This massive reliance on open source components has created a "software supply chain" and new challenges for managing software security, quality and intellectual property. Organizations that rely on custom software are increasingly seeking visibility and control to manage risk and maximize benefit.

    But to properly manage open source components, you must know as much as possible about them, starting with precisely identifying them. Security, quality and licensing information is of little use if you haven't precisely identified the component you are using. And, without both accurate and actionable component information, developers are not able to make the right component selection from the start.

    Component identification is far from straightforward. There are numerous approaches used to identify binary components. These include:
    • Source Code Scanning
    • Simple CPE Name Matching
    • Simple Binary Matching
    • Advanced Binary Fingerprinting
  • 3. Page 3. Source Code Scanning

    Source code scanning technologies examine custom code and flag potential matches against fingerprints of known open source code. Source code scanning is a thorough and effective mechanism for surfacing potential 'snippets' of open source code that might have been inserted into otherwise proprietary work.

    Source code scanning is, however, ineffective at precisely identifying the binary component with which that code is associated. This is because of the very nature of the component ecosystem. Components are enormously complex; each one is made up of hundreds of sub-assemblies (e.g. class files). Class files are commonly shared among components. Of the nearly 200 million class files in the Central Repository, there are fewer than 10 million unique class files, combined in myriad ways.

    Because of this highly commingled nature of the component ecosystem, source code scanners are unable to precisely match a 'code snippet' to a single binary component (and version). The code scanner will often find dozens to hundreds of potential matches, rendering the analysis of any security, quality or licensing information futile.

    Users of these technologies frequently report that they "receive too many false positives" or that the scanners require "too much manual research." What they are really observing is that the technology itself is not well suited to the task of binary matching.
  • 4. Page 4. Simple CPE Name Matching

    This method first identifies CVE component vulnerability Group ID and version information using the Common Platform Enumeration (CPE) from the National Vulnerability Database (NVD). The CPE is intended to identify vulnerable products and not vulnerable artifacts. Using the CPE product and version to fuzzy match Group:Artifact:Version results in over-identification, or false positives, on the vulnerable artifact name. This approach works well on applications that have an ideal set of vulnerable components whose names align precisely with the CPE data, or when there is only one matching artifact for Group:*:Version.

    For example:
    CVE-2014-0014
    CPE: cpe:/a:apache:struts:1.3.8
    Vulnerable GAV: org.apache:struts-core:1.3.8
    CPE Name Matching:
      org.apache.struts:struts-core:1.3.8 (True Positive)
      org.apache.struts:struts-taglib:1.3.8 (False Positive)
      org.apache.struts:struts-tiles:1.3.8 (False Positive)

    Without proper data curation, the effectiveness of this approach is limited to the precision of the CPE classifications of the CVE data. CVE data often does not identify the root cause (vulnerable artifact) of the issue but identifies the platform that uses the vulnerable component. Without research into each CVE to identify the vulnerable artifact, this method of matching will generate a high percentage of false negatives. Also, when the component resides in multiple "authentic" repositories, you will get a false negative unless you have all of the hashes from each repository.
  • 5. Page 5. Simple Binary Matching

    Simple binary matching is used to match binaries based on cryptographic hashes of inspected components against a known library of component hashes. This allows precise identification of binary components provided they have not been modified in any way. Unfortunately, many users modify components in some way that alters the identifying signatures (e.g. repackaging, rebuilding, combining components, removing unused classes, etc.). When binaries are altered, simple binary matching fails and components are not properly identified.

    As with Simple CPE Name Matching, the effectiveness of this approach is limited to the precision of the CPE classifications of the CVE data. CVE data often does not identify the root cause (vulnerable artifact) of the issue and requires further manual research to be useful. Users of these technologies often report "false negatives" or "misses." Also, when the component resides in multiple "authentic" repositories, you will get a false negative unless you have all of the hashes from each repository.

    Advanced Binary Fingerprinting

    To provide precise binary matching without the false positives of source code scanning or the false negatives of simple binary matching, Sonatype has invented a new, patent-pending method called Advanced Binary Fingerprinting. With this method, Sonatype is able to identify the unique combinations of subcomponents that are uniquely identifiable as the specific version of a given component. Advanced Binary Fingerprinting is able to precisely identify components even when they have been repackaged, rebuilt, or otherwise altered. This method allows proper assignment of security, quality and licensing data to a specific component and version. Advanced binary matching is both fast and precise. A large application can be analyzed and a precise bill of materials delivered in minutes.
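The three matching strategies contrasted on pages 4 and 5, as an added example that is not Sonatype's code or its patented method: a fuzzy CPE name lookup that reproduces the struts-core / struts-taglib / struts-tiles true and false positives, a whole-artifact hash lookup that misses a combined and trimmed jar, and a per-class-file fingerprint that still pins the version and stays silent when only shared classes remain. The catalogue, class contents, hashes and the CVE-to-GAV curation are constructed stand-ins; only CVE-2014-0014 and cpe:/a:apache:struts:1.3.8 come from the page.

```python
"""Added example (not Sonatype's code): the three component-identification
strategies the whitepaper contrasts, run against a constructed catalogue.
Class paths, class bytes, hashes and the CVE-to-GAV curation are all
constructed stand-ins; only CVE-2014-0014 and cpe:/a:apache:struts:1.3.8
are taken from the page."""
import hashlib
from dataclasses import dataclass


@dataclass(frozen=True)
class Artifact:
    gav: str          # group:artifact:version
    entries: tuple    # ((path, bytes), ...): stand-in for the files inside a jar

    def whole_hash(self) -> str:
        """Hash of the artifact as shipped; any re-layout or trimming changes it."""
        h = hashlib.sha256()
        for path, data in sorted(self.entries):
            h.update(path.encode() + b"\0" + data + b"\0")
        return h.hexdigest()

    def class_hashes(self) -> frozenset:
        """Per-entry hashes: unchanged by re-layout or removal of other entries."""
        return frozenset(hashlib.sha256(d).hexdigest() for _, d in self.entries)


# Constructed catalogue standing in for Central; the bytes are fake class contents.
CATALOG = [
    Artifact("org.apache.struts:struts-core:1.3.8", (
        ("org/apache/struts/action/ActionServlet.class", b"servlet-1.3.8"),
        ("org/apache/struts/util/RequestUtils.class", b"requestutils"),
        ("org/apache/struts/action/ActionForm.class", b"actionform"))),
    Artifact("org.apache.struts:struts-core:1.3.10", (
        ("org/apache/struts/action/ActionServlet.class", b"servlet-1.3.10"),
        ("org/apache/struts/util/RequestUtils.class", b"requestutils"),
        ("org/apache/struts/action/ActionForm.class", b"actionform"))),
    Artifact("org.apache.struts:struts-taglib:1.3.8", (
        ("org/apache/struts/taglib/html/FormTag.class", b"formtag"),)),
    Artifact("org.apache.struts:struts-tiles:1.3.8", (
        ("org/apache/struts/tiles/TilesPlugin.class", b"tilesplugin"),)),
    Artifact("org.example:commons-example:1.0", (
        ("org/example/Util.class", b"util"),)),
]
# Curated CVE -> vulnerable GAV mapping: the per-CVE research the page says
# raw CPE data does not give you (constructed for this demo).
VULNERABLE_GAV = {"CVE-2014-0014": {"org.apache.struts:struts-core:1.3.8"}}


def cpe_name_match(cpe: str, catalog=CATALOG) -> set:
    """Fuzzy Group:*:Version lookup from a CPE 2.2 name (cpe:/a:vendor:product:version)."""
    _part, _vendor, product, version = cpe.split(":")[1:5]
    return {a.gav for a in catalog
            if a.gav.split(":")[2] == version
            and product in a.gav.split(":")[0].split(".")}


def classify_cpe_hits(cve: str, hits: set) -> dict:
    """Split CPE hits into true and false positives using the curated mapping."""
    vuln = VULNERABLE_GAV.get(cve, set())
    return {"true_positive": hits & vuln, "false_positive": hits - vuln}


def simple_binary_match(observed: Artifact, catalog=CATALOG):
    """Whole-artifact hash lookup: an exact hit or nothing at all."""
    known = {a.whole_hash(): a.gav for a in catalog}
    return known.get(observed.whole_hash())


def fingerprint_match(observed: Artifact, catalog=CATALOG, min_coverage=0.5) -> list:
    """Class-set fingerprinting: for every group:artifact, report the version
    whose class hashes the observed binary covers best. A tie between versions
    is left unreported rather than guessed, since it cannot be pinned down."""
    seen = observed.class_hashes()
    candidates = {}                       # group:artifact -> [(coverage, gav), ...]
    for a in catalog:
        known = a.class_hashes()
        coverage = len(seen & known) / len(known)
        if coverage >= min_coverage:
            candidates.setdefault(a.gav.rsplit(":", 1)[0], []).append((coverage, a.gav))
    matched = []
    for scored in candidates.values():
        scored.sort(reverse=True)
        if len(scored) == 1 or scored[0][0] > scored[1][0]:
            matched.append(scored[0][1])
    return sorted(matched)


# Constructed "uber-jar": struts-core 1.3.8 combined with another component,
# its unused ActionForm class removed and a manifest added; no class bytes changed.
UBER_JAR = Artifact("com.example:app-all:1.0", (
    ("META-INF/MANIFEST.MF", b"Manifest-Version: 1.0"),
    ("org/apache/struts/action/ActionServlet.class", b"servlet-1.3.8"),
    ("org/apache/struts/util/RequestUtils.class", b"requestutils"),
    ("org/example/Util.class", b"util")))
# Constructed trimmed jar keeping only classes shared by both struts-core versions.
SHARED_ONLY = Artifact("com.example:trimmed:1.0", (
    ("org/apache/struts/util/RequestUtils.class", b"requestutils"),
    ("org/apache/struts/action/ActionForm.class", b"actionform")))


if __name__ == "__main__":
    hits = cpe_name_match("cpe:/a:apache:struts:1.3.8")
    print("CPE name matching:", classify_cpe_hits("CVE-2014-0014", hits))
    print("Simple binary match, pristine jar:", simple_binary_match(CATALOG[0]))
    print("Simple binary match, uber-jar:", simple_binary_match(UBER_JAR))
    print("Fingerprint match, uber-jar:", fingerprint_match(UBER_JAR))
    print("Fingerprint match, shared classes only:", fingerprint_match(SHARED_ONLY))
```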
  • 6. Page 6. Types of Component Matching

    Source Code Scanning
      Description: This technology examines custom code and flags potential matches against fingerprints of known open source code.
      Pros: Thorough and effective method for identifying potential "snippets" of open source code that may have been inserted in otherwise proprietary work.
      Cons: Not effective at precisely matching a code "snippet" with a single binary component and version. A source code scanner may find dozens or hundreds of potential matches requiring additional manual research.

    Simple CPE Name Matching
      Description: This method first identifies CVE component vulnerability Group ID and version information using the Common Platform Enumeration (CPE) from the National Vulnerability Database (NVD). The CPE is intended to identify vulnerable products and not vulnerable artifacts.
      Pros: This approach works well on applications that have an ideal set of vulnerable components whose names align precisely with the CPE data, or when there is only one matching artifact for Group:*:Version.
      Cons: The effectiveness of this approach is limited to the precision of the CPE classifications of the CVE data. CVE data often does not identify the root cause (vulnerable artifact) of the issue but identifies the platform that uses the vulnerable component. Without research into each CVE to identify the vulnerable artifact, this method of matching will generate a high percentage of false negatives.

    Simple Binary Matching
      Description: Simple binary matching is used to match binaries based on cryptographic hashes of inspected components against a known library of component hashes.
      Pros: Allows precise identification of binary components as long as they have not been modified in any way.
      Cons: Many users modify components in some way that alters the identifying signatures (e.g. repackaging, rebuilding, combining components, removing unused classes, etc.). When binaries are altered, simple binary matching fails and components are not properly identified. Users report false negatives or misses.

    Advanced Binary Fingerprinting
      Description: Patent-pending method of identifying the unique combinations of subcomponents that are unique to a specific component version, as well as other component dependencies.
      Pros: Precisely identifies a component version with known security or license vulnerabilities regardless of whether it has been modified. Eliminates false negatives and false positives to produce accurate analyses very quickly.
      Cons: Java and NuGet components currently offered, but quickly expanding to include JavaScript and npm.
  • 7. Page 7

    Sonatype Inc. • 8161 Maple Lawn Drive, Suite 250 • Fulton, MD 20759 • 1.877.866.2836 • www.sonatype.com
    2015. Sonatype Inc. All Rights Reserved.

    Sonatype helps organizations build better software, even faster. Like a traditional supply chain, software applications are built by assembling open source and third party components streaming in from a wide variety of public and internal sources. While re-use is far faster than custom code, the flow of components into and through an organization remains complex and inefficient. Sonatype's Nexus platform applies proven supply chain principles to increase speed, efficiency and quality by optimizing the component supply chain. Sonatype has been on the forefront of creating tools to improve developer efficiency and quality since the inception of the Central Repository and Apache Maven in 2001, and the company continues to serve as the steward of the Central Repository, serving 17.2 billion component download requests in 2014 alone. Sonatype is privately held with investments from New Enterprise Associates (NEA), Accel Partners, Bay Partners, Hummer Winblad Venture Partners and Morgenthaler Ventures. For more information about Sonatype, visit www.sonatype.com

    The Sonatype Advantage

    Sonatype brings practical intelligence to component-based software development. Sonatype offers distinct advantages to organizations that need to improve visibility and control over the open source components that they use in software development.
    • Sonatype pioneered component-based software development as the creators of the Apache Maven build system and the Nexus repository manager.
    • Sonatype is also the steward of the (Maven) Central Repository, the industry's primary source for open source components, containing nearly 700,000 components and serving 17 billion requests last year.
    • Sonatype is the only vendor to offer actionable component security, quality, and licensing information directly into the tools developers use every day.
    • Sonatype is the only vendor offering patent-pending Advanced Binary Matching to quickly and precisely identify components, even if they have been altered or repackaged. This unique technology minimizes "false positives" and eliminates time-consuming manual research.
    • Sonatype is the only vendor to provide real-time update notifications to alert users when a component they are using has been updated or changed.
    • Sonatype is the only vendor to analyze all component dependencies, enabling quick and precise identification of potential issues, even if they're nested deep within a complex dependency tree.