Secure Application Deployment in the Age of Continuous Delivery
Uploaded by: black-duck-software
OPENSOURCE: Open Standards
#whoami – Tim Mackey
• Current roles: Senior Technical Evangelist; occasional coder
• Previously: XenServer Community Manager
• Cool things I've done:
  • Designed laser communication systems
  • Early designer of retail self-checkout machines
  • Embedded special relativity algorithms into an industrial control system
• Find me:
  • Twitter: @TimInTech (https://twitter.com/TimInTech)
  • SlideShare: slideshare.net/TimMackey
  • LinkedIn: www.linkedin.com/in/mackeytim
Security reality
You can only protect what you know about.
Defense in depth matters.
Attacks are big business
In 2015, 89% of data breaches had a financial or espionage motive
Source: Verizon 2016 Data Breach Report
Attackers decide what’s valuable …
… and they have little fear.
EASY ACCESS TO SOURCE CODE
Open source ubiquity makes it ready target
OPEN SOURCE ISN'T MORE OR LESS SECURE THAN CLOSED SOURCE – IT'S JUST EASIER TO ACCESS
VULNERABILITIES ARE PUBLICIZED
EXPLOITS ARE PUBLISHED
Anatomy of a new attack
Potential Attack
Iterate
Test against platforms
Document
Don’t forget PR department
Deploy
DEVELOPER DOWNLOADS
OUTSOURCED DEVELOPMENT
THIRD PARTY LIBRARIES
CODE REUSE
APPROVED COMPONENTS
COMMERCIAL APPS
OPEN SOURCE CODE
Open source enters through many channels…
…and vulnerabilities can come with it.
CLOSED SOURCE COMMERCIAL CODE
• DEDICATED SECURITY RESEARCHERS
• ALERTING AND NOTIFICATION INFRASTRUCTURE
• REGULAR PATCH UPDATES
• DEDICATED SUPPORT TEAM WITH SLA
OPEN SOURCE CODE
• "COMMUNITY"-BASED CODE ANALYSIS
• MONITOR NEWSFEEDS YOURSELF
• NO STANDARD PATCHING MECHANISM
• ULTIMATELY, YOU ARE RESPONSIBLE
Who is responsible for code and security?
[Chart: Open Source Vulnerabilities Reported Per Year, 1999–2015; y-axis 0–3500; series: BDS-exclusive, NVD]
Reference: Black Duck Software Knowledgebase, NVD
Increasing number of OSS vulnerabilities
Automated tools miss most open source vulnerabilities
Static & dynamic analysis only discover common vulnerabilities
3,000+ disclosed in 2014
Less than 1% found by automated tools
Undiscovered vulnerabilities are too complex and nuanced
All possible security vulnerabilities
What do these all have in common?
Name        Component        Since    Discovered   Discovered by
Heartbleed  OpenSSL          2011     2014         Riku, Antti, Matti, Mehta
Shellshock  Bash             1989     2014         Chazelas
Freak       OpenSSL          1990's   2015         Beurdouche
Ghost       GNU C library    2000     2015         Qualys researchers
Venom       QEMU             2004     2015         Geffner
All were found by researchers, not SAST/DAST tools
Understand application contents
Source: 2016 Open Source Security Report
Misaligned security investment
Distinct areas of risk
• Open source license compliance
  • Ensure project dependencies are understood
• Use of vulnerable open source components
  • Is the component a fork or a dependency?
  • How is the component linked?
• Operational risk
  • Can you differentiate between "stable" and "dead"?
  • Is there a significant change set in your future?
  • API versioning
  • Security response process for the project
Total Quality Management Philosophies
• Detect problems before the product ships
• Select components based on trust
• Continuously identify issues and improve
• Empower employees to solve problems
• Implement the Deming Cycle
  • Plan for change and analyze risk
  • Do: execute the plan in small steps
  • Check the results against the plan
  • Act on results to improve future outcomes
• Manage with facts
Software development lifecycle
Idea
Spec
Design
Code
Test
Release
Software development lifecycle – threat model, static analysis, dynamic analysis
Idea → Spec → Design → Code → Test → Release
• As part of the specification and design, threat models are often created.
• During code creation and commits, static analysis is performed.
• Testing usually includes some form of dynamic testing.
Traditional operations release process
Deploy
Measure
Scale
Monitor
Assess
Release
Update Spec
Oops – a vulnerability is disclosed – now what?
DEVELOP → SCM → BUILD → PACKAGE → DEPLOY → PRODUCTION
BUG TRACKING: REMEDIATE AND TRACK LICENSE COMPLIANCE AND SECURITY VULNERABILITIES
FULL APP SEC VISIBILITY INTEGRATION
BUILD / CI SERVER: SCAN APPLICATIONS WITH EACH BUILD VIA CI INTEGRATION
DELIVERY PIPELINE: SCAN APPLICATIONS AND CONTAINERS BEFORE DELIVERY
PRODUCTION: CONTINUOUS MONITORING OF VULNERABILITIES
Integrations matter …
Containers for application management
Knowledge is key. Can you keep up?
Vuln: CVE-2015-7547: glibc getaddrinfo stack-based buffer overflow
• May 2008 – vulnerability introduced in glibc (Low Security Risk)
• July 2015 – bug reported to glibc (Low Security Risk)
• Feb 16, 2016 – CVE-2015-7547 assigned (Moderate Security Risk)
• Feb 18, 2016 – vulnerability published in the National Vulnerability Database; patches available (Highest Security Risk)
• You find it → you fix it
Source: Future of Open Source 2016 Survey
A complete solution …
SELECT – Choose Open Source: proactively choose secure, supported open source
VERIFY – Inventory Open Source; Map Existing Vulnerabilities: maintain an accurate list of open source components throughout the SDL; identify vulnerabilities during development
MONITOR – Track New Vulnerabilities: alert on newly disclosed vulnerabilities in production
REMEDIATE – Fix Vulnerabilities: tell developers how to remediate
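The select/verify/monitor/remediate loop above, and the "scan applications with each build via CI integration" step of the pipeline slide, reduce to one mechanical check: keep a pinned inventory of open source components and re-match it against a vulnerability feed every build and every time the feed changes. The following is an added example written for this page; it is not code from the slides or from Black Duck's products. The manifest format, the component names and the CI gate are constructed for illustration. The two advisory records mirror public data for CVE-2015-7547 (glibc 2.9 through 2.22 affected, fixed in 2.23) and CVE-2014-0160 (OpenSSL 1.0.1 through 1.0.1f, fixed in 1.0.1g).

```python
"""
Added example: a minimal CI gate that inventories pinned open source components
and matches them against a vulnerability feed.  Not Black Duck's code; the
manifest format and the feed structure are assumptions made for this example.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Component:
    name: str
    version: str


@dataclass(frozen=True)
class Advisory:
    cve: str
    component: str
    introduced: str   # first affected version (inclusive)
    fixed: str        # first fixed version (exclusive upper bound)
    summary: str


def parse_version(v):
    """Turn '2.22' or '1.0.1f' into a comparable tuple.
    Numeric pieces compare numerically, alphabetic suffixes lexically,
    so 1.0.1 < 1.0.1f < 1.0.1g and 2.9 < 2.22 hold as expected."""
    return tuple((0, int(p)) if p.isdigit() else (1, p)
                 for p in re.findall(r"\d+|[A-Za-z]+", v))


def is_affected(comp, adv):
    """True when the component falls inside the advisory's affected range."""
    if comp.name != adv.component:
        return False
    v = parse_version(comp.version)
    return parse_version(adv.introduced) <= v < parse_version(adv.fixed)


def parse_manifest(text):
    """Constructed manifest format: one 'name==version' per line, '#' comments.
    Unpinned entries are rejected: a range cannot be matched against a feed."""
    comps = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        name, _, version = line.partition("==")
        if not version:
            raise ValueError(f"unpinned component {line!r}; pin every version")
        comps.append(Component(name.strip(), version.strip()))
    return comps


def scan(components, advisories):
    """Return every (component, advisory) pair that matches."""
    return [(c, a) for c in components for a in advisories if is_affected(c, a)]


def newly_disclosed(components, previous_feed, current_feed):
    """Monitor step: re-scan a stored inventory against an updated feed and
    report only hits that were not present with the previous feed."""
    seen = {(c, a.cve) for c, a in scan(components, previous_feed)}
    return [(c, a) for c, a in scan(components, current_feed)
            if (c, a.cve) not in seen]


def ci_gate(manifest_text, advisories):
    """Build step: return 1 (fail the build) if any known vulnerability matches."""
    findings = scan(parse_manifest(manifest_text), advisories)
    for c, a in findings:
        print(f"FAIL {c.name} {c.version}: {a.cve} ({a.summary}); "
              f"upgrade to >= {a.fixed}")
    return 1 if findings else 0


# Constructed feed; the ranges reflect the public advisories for these CVEs.
ADVISORIES = [
    Advisory("CVE-2015-7547", "glibc", "2.9", "2.23",
             "getaddrinfo stack-based buffer overflow"),
    Advisory("CVE-2014-0160", "openssl", "1.0.1", "1.0.1g",
             "Heartbleed TLS heartbeat read overrun"),
]

# Constructed sample inventory for a build.
MANIFEST = """\
# constructed sample inventory
glibc==2.19
openssl==1.0.1f
zlib==1.2.8
"""

if __name__ == "__main__":
    raise SystemExit(ci_gate(MANIFEST, ADVISORIES))
```

Run as a CI step, a non-zero exit blocks the package from moving down the pipeline; the same inventory stored per release and re-checked with `newly_disclosed` each time the feed updates is the production monitoring step, which is what closes the window between the Feb 2016 disclosure of CVE-2015-7547 and the moment you find it in your own deployments.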
OVER TWO HUNDRED THIRTY EMPLOYEES
27 USE BLACK DUCK SOFTWARE
AWARD FOR INNOVATION
GARTNER GROUP "COOL VENDOR"
INNOVATIVE TECHNOLOGY OF THE YEAR - SECURITY
7 YEARS IN A ROW FOR SECURITY INNOVATION
RANKED #38 OUT OF 500 SECURITY COMPANIES
7 YEARS IN A ROW
6 of the top 8 mobile handset vendors
7 of the top 10 SOFTWARE COMPANIES (44% OF TOP 100)
24 COUNTRIES
6 of the top 10 banks
FORTUNE 100
Black Duck Created an Industry
8,500 WEBSITES
350 BILLION LINES OF CODE
2,400 LICENSE TYPES
1.5 MILLION PROJECTS
76,000 VULNERABILITIES
Comprehensive KnowledgeBase
• Largest database of open source project information in the world.
• Vulnerabilities coverage extended through partnership with Risk Based Security.
• The KnowledgeBase is essential for identifying and solving open source issues.
We need your help
Knowledge is power
• Know what's running and why
• Define a proactive vulnerability response process
• Don't let the technology hype cycle dictate security
Invest in defense in depth models
• Don't rely on perimeter security to do the heavy lifting
• Do look at hypervisor & container trends in security
• Make developers and ops teams part of the solution
• Do embed security into the deployment process
Together we can build a more secure data center
Free tools to help
• Docker Container Security Scanner
  • https://info.blackducksoftware.com/Security-Scan.html
• 14 Day Free Trial to Black Duck Hub
  • https://info.blackducksoftware.com/Demo.html
• Red Hat Atomic Host Integration (Requires Black Duck Hub)
  • atomic scan --scanner blackduck [container]