© 2019 Synopsys, Inc.1
Streamlining Your Tech Due Diligence Process
for Software Assets
Tim Mackey, Principal Security Strategist, Synopsys Cybersecurity Research Center
Billions are spent each year on tech acquisitions
Chart: annual worldwide tech and telecom deal flow (Source: 451 Research's MSA KnowledgeBase; includes disclosed and estimated values)
• $573B in acquisitions in 2018
• 68% growth from 2017 to 2018
• Software is among the top 5 industries by deal flow
Why acquirers worry
• Governance processes vary by company size
• Time to market often prioritized over compliance
• Deeper pockets may draw compliance fire
“In deploying open-source tools, I&O leaders often create dependence on
individuals with pockets of tribal knowledge, leading to blind spots in
security and license compliance”
– Gartner, Four Steps to Adopt Open-Source Software as Part of the DevOps Toolchain (2019)
Tech due diligence often requires a trusted third party
Diligence areas (diagram): Product / strategy, People, Process / tools, Architecture, Code
• Product / strategy, People, Process / tools: covered by the acquirer DD team or a strategy consultant; subjective and qualitative
• Architecture, Code: covered by a third-party audit; objective and quantitative. Acquirers do not typically get access without a third party
Modern application = Proprietary code + Open source components + API usage + Application behavior and configuration
Background—Overview of Open Source
Understanding why open source development and governance matters
So what is “Open Source” anyway?
• Open Source Initiative Definition
– Open Source software is software that can be freely accessed, used, changed, and shared (in
modified or unmodified form) by anyone. Open source software is made by many people, and
distributed under licenses that comply with the Open Source Definition.
• Common Definition
– Open source software is software whose source code I have access to outside of a commercial
license agreement.
• What about commercial software?
– Commercial software can easily be created from open source components. Managing and securing
open source software is complicated, and open source within commercial software is even more so.
Note – Lots of legal nuance here so don’t take this as legal advice!
Equifax breach focused attention on open source
Open source license compliance remains critical
Chart: percentage of codebases with license conflicts
• Contained components with license conflicts
• Contained some form of GPL conflict
Source: 2019 Synopsys Open Source Security and Risk Report
Indeterminate licenses are particularly challenging
Chart: percentage of codebases
• Contained custom licenses that had the potential to cause conflict or needed legal review
• Contained components that were “not licensed”
Source: 2019 Synopsys Open Source Security and Risk Report
Open source components are third-party components
Example: Which version of OpenSSL do you have?
Being a security target is costly
• Average cost of a data breach: $3.86 Million
• Lost business: $4.20 Million
• Average time to identify and contain a breach: 266 days
Source: 2018 Cost of Data Breach Study (US Data) – Ponemon Institute
Open source vulnerability management is a challenge
Source: 2019 Synopsys Open Source Security and Risk Report
• Components per codebase (chart values): 257, 298
• Contained obsolete or unmaintained components
• Unpatched vulnerabilities declined 23%
• Contained vulnerabilities over 10 years old
So what is a vulnerability?
• IETF RFC 2828 Definition
– A flaw or weakness in a system's design, implementation, or operation and management that could
be exploited to violate the system's security policy
• Taxonomies
– There are many classification systems for software vulnerabilities, with the Common Weakness
Enumeration (CWE) being a common form. Weaknesses can be exploited to become vulnerabilities,
which when disclosed become part of the Common Vulnerabilities and Exposures (CVE) List.
• Who can disclose a CVE?
– CVE disclosures occur through CVE Numbering Authorities (CNAs). Originally only a limited number
of vendors participated. As of March 2019, over 90 organizations are CNAs, including five
governmental ones. MITRE is the root CNA, and the National Vulnerability Database (NVD) is the
most common query location.
I’m omitting a ton of detail here, so consider this the bare minimum
A simple vulnerability: The tale of CVE-2017-5638
Timeline (diagram):
• Commit merged: August 2012
• Struts 2.3 released: November 2012
• Struts 2.3 forked; Struts 2.5 released: May 2016
• Patches available: March 6, 2017
• Disclosure published: March 7, 2017
• NVD details: March 14, 2017
Spans shown on the slide: 1649 days from the August 2012 commit to the March 2017 patches; 7 days from the March 7 disclosure to the NVD details on March 14.
Requirements to detect an OSS vulnerability
1. Source of security information
– Primary research from internal security team
– Free NVD data feed
– Sublicense from a third-party security vendor
– Component distributions
– Open source risk analysis
2. Ability to identify components
– Versions and forks matter
– Open source can be in code or binary form
– Embedded within commercial software
– Not always managed via package managers
3. Current patch status
– Patch must be compatible
– Upstream could change behaviors
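The three requirements above, worked as an added example (not code from the Synopsys deck): an inventory of components, including a binary not tracked by a package manager, is matched against a feed with per-branch fix versions so that forks report their own minimal compatible upgrade. The component names and inventory are constructed sample data; the CVE-2017-5638 version ranges follow the Apache Struts advisory, which the slide does not reproduce, so verify them against the advisory before relying on them.

```python
"""Match a component inventory against a vulnerability feed that records
affected and fixed versions per maintained branch (fork awareness)."""
from dataclasses import dataclass


def parse_version(v: str) -> tuple:
    """'2.5.10.1' -> (2, 5, 10, 1); tuple ordering gives a sane comparison."""
    return tuple(int(p) for p in v.split("."))


@dataclass
class Advisory:
    cve: str
    component: str
    # (branch, first_affected, first_fixed) for each branch the upstream maintains
    branches: list


@dataclass
class Component:
    name: str
    version: str
    origin: str  # 'package-manager', 'binary' (embedded), or 'vendored'


def patch_status(comp: Component, adv: Advisory) -> str:
    """Requirement 3: report patch status relative to the component's own branch,
    since the same-branch fix is the upgrade least likely to change behaviour."""
    if comp.name != adv.component:
        return "not-applicable"
    v = parse_version(comp.version)
    for branch, first_affected, first_fixed in adv.branches:
        if comp.version == branch or comp.version.startswith(branch + "."):
            if v < parse_version(first_affected):
                return "predates-flaw"
            if v >= parse_version(first_fixed):
                return "fixed"
            return f"vulnerable (upgrade to {first_fixed})"
    # A fork or branch the feed says nothing about still needs a human look.
    return "unknown-branch"


def assess(inventory: list, feed: list) -> list:
    """Requirements 1 and 2: join every identified component to every advisory.
    Returns (name, version, origin, cve, status) for each applicable pair."""
    return [
        (c.name, c.version, c.origin, a.cve, patch_status(c, a))
        for c in inventory
        for a in feed
        if patch_status(c, a) != "not-applicable"
    ]


# Ranges per the Apache Struts advisory for CVE-2017-5638 (not on the slide).
CVE_2017_5638 = Advisory(
    cve="CVE-2017-5638",
    component="struts2-core",
    branches=[("2.3", "2.3.5", "2.3.32"), ("2.5", "2.5", "2.5.10.1")],
)
FEED = [CVE_2017_5638]

# Constructed sample inventory: one artefact per way open source shows up.
INVENTORY = [
    Component("struts2-core", "2.3.20", "package-manager"),
    Component("struts2-core", "2.5.10.1", "package-manager"),
    Component("struts2-core", "2.3.16", "binary"),     # shipped inside a vendor WAR
    Component("struts2-core", "2.1.8", "vendored"),    # old fork, feed is silent
]

if __name__ == "__main__":
    for finding in assess(INVENTORY, FEED):
        print(finding)
```

The "unknown-branch" and "binary" rows are the ones a due-diligence reviewer follows up by hand: the feed cannot speak for an unlisted fork, and a component embedded in a vendor binary depends on that vendor shipping the patch.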
Risk is a function of the full stack – not just the app
“CNCF Interactive Landscape” application
• The Cloud Native Computing Foundation provides a web-based application to browse for partner technology providers.
Application Details
• 40K Source Lines of Code
• Node.js application framework
• Containerized and deployed on Kubernetes
• 0.05% of code in use is custom
• 99.5% of code is in the stack
• Risks present at all layers of the stack
Source: CNCF Presentation: How good is our code?
Security risks can be present across the software stack
Questions asked of the stack (diagram):
• Are there any flaws in the design that could lead to security vulnerabilities?
• Does the company track and manage open source use and the security risks that come with it?
• Was the code produced with any defects or security weaknesses?
• Are there any exploitable vulnerabilities or data protection issues?
Layers shown: Architecture; Proprietary code; OSS + third-party code (repeated at several layers)
Design and process issues pose integration challenges
Questions asked of the stack (diagram):
• Are there any flaws in the design that could be adding time or cost to the process?
• Was the code produced with any defects or process flaws?
Layers shown: Architecture; Proprietary code; OSS + third-party code (repeated at several layers)
Dissecting the security design decisions of
modern applications
Example: An IoT application is more than just firmware
IoT security requires multiple disciplines
System components (diagram; numbered markers represent constraints in the system):
• IoT Device: limited CPU resources; limited RAM for features; C/C++ typical; MQTT common protocol. Encrypted data published via MQTT (2). OTA updates: avoid MITM; certification of image.
• Mobile Interface (1): iOS/Android application; configure device; view device data; receive notifications. Device configured via Bluetooth.
• MQTT Broker: lightweight protocol; high volume; pub/sub interface.
• Analysis Engine (3): data stored for analysis.
• Web UI (4): responsive application; view device data; view historical information.
• Core services: Authentication and Authorization; Analysis Engine; MQTT; WebSocket; Core Data.
Identify security targets from platform requirements
Role: Security Architect with CISO and Product Owner guidance
Design Goal: Select an IoT toolchain meeting product and cost requirements
Tasks and requirements:
1. Select platform supporting desired protocols
• Protocol implementations must be resilient
2. Select candidate vendor or open source stack
3. Validate protocols against cost and stability
• Define protocol fuzzing framework
4. Report on security targets during development
Concern: Device instability leading to data disclosure and reputational damage
Select development frameworks and environment
Role: Development Lead with Product Owner guidance
Design Goal: Select frameworks capable of meeting time-to-market and security targets
Tasks and requirements:
1. Select languages based on security requirements
2. Define build environment
3. Identify commercial and open source frameworks and libraries
• Define governance for security updates
4. Enable IDE security plugins
5. Enable build-time CI analysis
Concern: Identify intrinsic security issues and potential rework costs
Continuous security assessments during development
Role: Developer with Development Lead guidance
Development Goal: Identify security weaknesses prior to code commits
Tasks:
1. Transparent security review during coding
• No disruption to existing workflows
2. Remediation and contextual guidance
• Lower defect costs by shifting left
Concern: Poor security training and developer engagement
Continuous security assessments during build
Role: Release Engineer with guidance from QA and Product Owner
Release Goal: Ensure release meets quality, security and functional targets
Tasks and requirements:
1. Build triggered from merge/pull request
2. Detailed scans run parallel to build process
3. Optionally fail builds based on security targets/exceptions
4. Centralized security progress tracking
Concern: Identify weak code coverage and limited security testing
Confirm governance and security target progress
Role: Security Architect
Governance Goal: Ensure release meets security and functional targets
Tasks:
1. Centralized review of security results
2. Review by common taxonomy (OWASP Top 10, SANS Top 25)
3. Triage issue status via defect workflows
4. Measure progress against governance targets
5. Define security targets for future releases
Concern: Identify whether continuous improvement is part of the culture or if issues recur with each cycle
Web services APIs also impact risk profiles
API Lifecycle
• Twitter API shutdown August 2018
• Google+ shutdown April 2019
• Salesforce API versioning
Data usage and control
• GDPR data processor vs data controller
• Data sovereignty and jurisdiction
• Data mashups and inference scenarios
Data and privacy breaches
• Facebook API tokens
• [24]7.io and Delta, Kmart, Sears
• Third-party data bleeds
• Phone home tracking
• CVE-2018-1002105 in Kubernetes API
Focus on risk identification
Start with open source and account for other development risks
Why Black Duck leads Open Source risk management
Singular focus on Open Source governance and risk management
Powered by a Knowledge Base designed for the realities of open source development
Delivering actionable Open Source security information in near real-time
Key due diligence questions for open source usage
Is there a complete list of open source components in use?
How was it created and how is it maintained? How complete and accurate is it?
What policies are defined for the use of open source?
How are they enforced? Are they compatible with the pace of development?
How are open source vulnerabilities being tracked?
How disruptive would the next Equifax or Heartbleed scale vulnerability be?
Does the application patch strategy include open source awareness?
What are the patch and update processes for each component? How are patches vetted?
How is open source usage in commercial applications identified?
If vulnerable open source components are used in binaries, are vendors addressing patches?
Portfolio – Audit Services
Layers shown (diagram): Architecture; Proprietary code; OSS + third-party code (repeated at several layers)
Audit services:
• Open Source and Third-Party Code Audit
• Open Source Risk Assessment
• Web Services and API Risk Audit
• Penetration Test Audit
• Static Application Security Test Audit
• Quantitative Code Quality Audit
• Qualitative Code Quality Audit
• Security Controls Design Analysis
• Encryption Algorithm Detection Audit
Build secure, high-quality software faster

Webinar – Streamlining Your Tech Due Diligence Process for Software Assets
