Open Source Libraries - Managing Risk in Cloud
SUMAN SOURAV
OWASP Top 10 2013
A9. Using components with known vulnerabilities
Prevalence: Widespread
Detectability: Difficult
Agenda
Software Development & Open Source Components
Emerging Threats & Landscape
Defense Strategy & Solution
Practical Challenges
Disclaimer
Not endorsing any tools
About me
Defensive Security Professional with 10+ years of experience
Specialize in Secure SDLC implementation
Building security strategy for the organization
Threat Modeling / Secure Code Review / Penetration Testing / Security Test Automation
Secure Coding Trainer, Security QA Testing Trainer, Speaker
SAFECode & Null Singapore
At least 75% of organizations rely on open source as the foundation of their applications.
The (Maven) Central Repository — the largest source of open source components for developers — handled thirteen billion download requests in a year.
Is open source important?
Reference: Sonatype
[Chart: Open Source Component Usage, monthly from Aug-14 to Dec-15, for Product 1, Product 2 and Product 3; y-axis 0 to 100]
A case study
Why to worry?
More than 80 per cent of a typical software application comprises open source components and frameworks.
Collectively, Global 500 organizations downloaded more than 2.8 million insecure components in one year.
There were more than 46 million downloads of insecure versions of the 31 most popular open source security libraries and web frameworks.
Quantitative Analysis
Reference: Sonatype
Threat Landscape
44% of enterprises have no policies governing open source component use in their app development.
77% of those that have adopted open source component policies have never banned a single component.
79% do not need to prove they are using components free of security vulnerabilities.
63% fail to monitor for changes in vulnerability data for open source software components.
Survey Results
Reference: Sonatype
Open source components may have:
Execution of arbitrary code
XSS
Injection
Denial of Service
Insecure cryptographic function
...
Why should we take this seriously?
Wake-up Call - April 7th, 2014
canyonero.org
Again in October 2014
Java Deserialization vulnerability
“combining the readObject() methods of various classes which are available on the classpath of the vulnerable application an attacker can execute functions (including calling Runtime.exec() to execute local OS commands).”
http://foxglovesecurity.com/2015/11/06/what-do-weblogic-websphere-jboss-jenkins-opennms-and-your-application-have-in-common-this-vulnerability/
Recent Vulnerabilities
What else ?
Vulnerable Components Utilization
Reference: Sonatype
Don't know about the vulnerable components
Don't know how to check before use
No mechanism to update the current status
Lack of preventive mechanism
Challenges for the developers
OWASP Initiatives
OWASP Good Component Practices Project
OWASP Dependency Track Project
Best Strategy to Manage
Centralize component repository
Integrate with the build process
Update vulnerability database
Generate Automated alert for any critical issues
Continuous Testing
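The strategy above (centralized repository, build integration, an updated vulnerability database, automated alerts on critical issues) comes together as a build-time gate. The script below is an added example, not tooling from this talk or from Sonatype; it assumes a dependency manifest in Maven coordinate form (groupId:artifactId:version) and a constructed vulnerability feed with placeholder advisory ids standing in for the NVD or a vendor feed. It checks every declared component against every advisory for it using numeric version comparison, reports everything it finds, and exits non-zero only for issues at or above the chosen severity threshold, which is what lets a CI job block the build.

```python
"""Build gate (added example): check declared components against a vulnerability feed
and fail the build when anything at or above a severity threshold is found."""
import json
import re
import sys

# Constructed dependency manifest in Maven coordinate form (groupId:artifactId:version).
# The coordinates and versions are hypothetical.
MANIFEST = """
org.example:web-framework:2.3.1
org.example:json-parser:1.0.7
org.example:crypto-utils:4.2.0
"""

# Constructed vulnerability feed standing in for the NVD or a vendor feed. Advisory ids
# are placeholders, not real CVEs. "fixed": null means no fixed version exists yet.
VULN_FEED = json.loads("""[
  {"id": "ADV-PLACEHOLDER-1", "component": "org.example:web-framework",
   "introduced": "2.0.0", "fixed": "2.3.2", "severity": "CRITICAL"},
  {"id": "ADV-PLACEHOLDER-2", "component": "org.example:json-parser",
   "introduced": "1.0.0", "fixed": "1.0.5", "severity": "HIGH"},
  {"id": "ADV-PLACEHOLDER-3", "component": "org.example:crypto-utils",
   "introduced": "4.0.0", "fixed": null, "severity": "MEDIUM"}
]""")

SEVERITY_RANK = {"LOW": 1, "MEDIUM": 2, "HIGH": 3, "CRITICAL": 4}


def parse_version(text):
    """Turn '2.3.1' into (2, 3, 1) so comparisons are numeric: '2.10.0' sorts above
    '2.9.0', which a plain string comparison gets wrong. Missing segments are padded
    with 0 and qualifiers such as '-SNAPSHOT' are ignored."""
    parts = []
    for segment in text.split("."):
        digits = re.match(r"\d+", segment)
        parts.append(int(digits.group()) if digits else 0)
    while len(parts) < 3:
        parts.append(0)
    return tuple(parts)


def is_affected(version, introduced, fixed):
    """True when introduced <= version < fixed (open-ended if no fix exists)."""
    current = parse_version(version)
    if current < parse_version(introduced):
        return False
    return fixed is None or current < parse_version(fixed)


def parse_manifest(text):
    """Return (component, version) pairs from groupId:artifactId:version lines."""
    deps = []
    for line in text.strip().splitlines():
        group, artifact, version = line.strip().split(":")
        deps.append((f"{group}:{artifact}", version))
    return deps


def find_issues(manifest_text, feed):
    """Cross-reference every declared component with every advisory for it."""
    issues = []
    for component, version in parse_manifest(manifest_text):
        for advisory in feed:
            if advisory["component"] == component and is_affected(
                version, advisory["introduced"], advisory["fixed"]
            ):
                issues.append({"component": component, "version": version,
                               "id": advisory["id"], "severity": advisory["severity"],
                               "fixed": advisory["fixed"]})
    return issues


def gate(manifest_text, feed, fail_at="CRITICAL"):
    """Return (all issues, blocking issues); the build fails when blocking is non-empty."""
    issues = find_issues(manifest_text, feed)
    threshold = SEVERITY_RANK[fail_at]
    blocking = [i for i in issues if SEVERITY_RANK[i["severity"]] >= threshold]
    return issues, blocking


if __name__ == "__main__":
    found, blocking = gate(MANIFEST, VULN_FEED)
    for issue in found:
        fix = issue["fixed"] or "no fixed version yet"
        print(f"{issue['severity']:8} {issue['component']}:{issue['version']} "
              f"{issue['id']} (fixed in: {fix})")
    # A non-zero exit is what makes this an enforcement point in the build.
    sys.exit(1 if blocking else 0)
```

With the constructed data the gate reports two issues (the framework, which is inside a critical advisory's range, and the crypto library, which has no fixed version yet) and blocks only on the critical one; lowering fail_at to MEDIUM blocks on both. Keeping the threshold as a parameter rather than a constant is what allows the policy slide's "ban" decision to be tightened per product without touching the scanner.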
Secure-SDLC – Enforcement point
[Diagram: enforcement points across the phases Requirements, Design, Development, Build and Deploy, Staging and Production]
Elements shown: Security Policy, Threat Modeling, SCM Tools, Repository, External Repositories, SCA Tools/IDE Plugins, Security Test Automation, VS/PT/IAST, Components Monitoring, Production Monitoring, firewall, National Vulnerability Database
Continuous Testing- In a Nutshell
[Diagram: continuous testing loop]
Steps shown: Build Environment, Integrate With Build, Execute Scan, Generate Report, Upload to Server, Audit and Re-upload, Fix Vulnerabilities
Actors and systems shown: Developers, SA, Reporting Server (Login)
Demo
Continuous Monitoring & Remediation
[Chart: component identification results, categories Exact Match, Similar Match, Unknown]
Removing known vulnerable components
Identify and analyze the security issues
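The Exact Match / Similar Match / Unknown split above is how component identification tools report what they found in a build output before any vulnerability lookup happens. The script below is an added example, not code from this talk or from any SCA product; it assumes a constructed catalog of published jars (hypothetical names and bytes) and the artifactId-version.jar filename convention. A file whose hash is in the catalog is an exact match; a file carrying a known artifact name but different bytes is a similar match whose version is only what the filename claims; anything else is unknown and has to be identified by hand before the monitoring data means anything.

```python
"""Component identification (added example): classify files found in a build output
as Exact Match, Similar Match or Unknown against a catalog of published artifacts."""
import hashlib
import re
from collections import Counter


def fingerprint(data):
    """SHA-1 of the file bytes; Maven Central publishes a .sha1 beside each artifact,
    so a byte-identical download can be recognised without unpacking it."""
    return hashlib.sha1(data).hexdigest()


# Filename convention artifactId-version.jar (hyphens allowed in the artifact id,
# version starts with a digit, e.g. "web-framework-2.3.1-SNAPSHOT.jar").
FILENAME_RE = re.compile(
    r"^(?P<artifact>[A-Za-z][A-Za-z0-9_.-]*?)-(?P<version>\d[A-Za-z0-9_.-]*)\.jar$"
)

# Constructed catalog: the bytes stand in for published jars a real tool would
# fetch or index from the central repository. Names and contents are hypothetical.
PUBLISHED = {
    "web-framework-2.3.1.jar": b"constructed bytes standing in for published web-framework 2.3.1",
    "json-parser-1.0.7.jar": b"constructed bytes standing in for published json-parser 1.0.7",
}
CATALOG_BY_HASH = {fingerprint(data): name for name, data in PUBLISHED.items()}
KNOWN_ARTIFACTS = {FILENAME_RE.match(name).group("artifact") for name in PUBLISHED}


def classify(filename, data):
    """Return (kind, details) for one file found in the build output."""
    digest = fingerprint(data)
    if digest in CATALOG_BY_HASH:
        # Exact Match: byte-identical to a published artifact, so its metadata and
        # any advisories for that exact version apply directly.
        return "exact", CATALOG_BY_HASH[digest]
    match = FILENAME_RE.match(filename)
    if match and match.group("artifact") in KNOWN_ARTIFACTS:
        # Similar Match: a known component name, but the bytes differ (rebuilt,
        # patched, repackaged, or a version the catalog has not indexed). The
        # version is only what the filename claims, so it must be audited.
        return "similar", {"artifact": match.group("artifact"),
                           "claimed_version": match.group("version")}
    # Unknown: nothing to compare against; needs manual identification before
    # any vulnerability lookup is meaningful.
    return "unknown", None


def inventory(files):
    """Classify every file and count the three categories."""
    results = {name: classify(name, data) for name, data in files.items()}
    counts = Counter(kind for kind, _ in results.values())
    return results, dict(counts)


# Constructed build output: one untouched download, one rebuilt jar carrying a
# known name, and one in-house library the catalog has never seen.
SAMPLE_BUILD = {
    "web-framework-2.3.1.jar": PUBLISHED["web-framework-2.3.1.jar"],
    "json-parser-1.0.8.jar": b"constructed bytes of a locally rebuilt json-parser",
    "internal-utils-1.0.jar": b"constructed bytes of an in-house library",
}

if __name__ == "__main__":
    results, counts = inventory(SAMPLE_BUILD)
    for name, (kind, details) in results.items():
        print(f"{kind:8} {name} {details or ''}")
    print(counts)
```

The point of keeping the three buckets separate is remediation: exact matches can be checked straight against vulnerability data, similar matches need the claimed version confirmed (a rebuilt or patched jar may or may not carry the fix), and unknowns are exactly the internal components that the later phases of the implementation plan want metadata and a vulnerability database for.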
Challenges
Implementation Strategy
Phase 1
• Web Product Build Integration
Phase 2
• Metadata of Unsupported External Components
• Governance of Supported Components
Phase 3
• Improvement of External Components
• Metadata for Internal Components
Phase 4
• Vulnerability database for Internal Components
• Link with Tool
Suman Sourav @SumanS0urav
https://sg.linkedin.com/in/sumansourav