Tackling the Risks of Open Source Security
Transcript of the slide deck (source: web-control.ru/f/upravleniye_open_source_na_vsekh..., 2020-04-09)

Elad Tzur, Channel Director EMEA & APAC at WhiteSource
Case Study – Equifax
Data Breach – Sequence of Events
Enough Time to Respond
• Time Equifax had to patch: about 8-9 weeks
• Attack period: about 10 weeks
• Time between detection and notice: about 6 weeks
Incident Aftermath
• Equifax admitted the thieves stole personal and sensitive data
• The data taken affected as many as 143 million people, roughly half of the US population
• The breach is labelled as the largest & worst corporate data breach in history
Impact on Equifax
Stock Still Didn’t Rebound
Down 24.3%, worth $4.17B in market cap
Apache Struts Adoption Statistics
According to WhiteSource Research:
• 58% are using Struts (any version)
• 20% are exposed to the 2 specific Equifax CVEs
• Organizations on the latest (patched) Struts version: 1.3%
4 Things Every CISO Needs To Know About Open Source Security
01 Open Source Risk Is On The Rise
02 OSS Security vs. Proprietary Code Security
03 Efficiency & Noise Reduction
04 Shift Left & Delegate Security Responsibilities
01 Open Source Risk Is On The Rise
Security Spending Is Expected To Reach $96 Billion in 2018, But…
(Chart: spending split across Application, Endpoint, Network, Servers and Data)
Are You Investing Enough in AppSec?
Source: Ponemon Institute: The Increasing Risk to Enterprise Applications
(Chart: Gaps in Security Risks and the Allocation of Spending. For each of Application, Endpoints, Networks, Data and Servers, the level of risk (# of breaches multiplied by severity) is plotted against the level of annual spending (investment) in IT security, on a 0%-40% scale.)
Open Source Components Account For 60%-80% Of The Average Software Product
Share of open source code vs. proprietary code in the average product:
• 1998: 5%-10%
• 2008: 30%-50%
• 2018: 60%-80%
Source: North Bridge Future Of Open Source Survey
Number Of New CVEs Discovered More Than Doubled YoY in 2017
(Chart: # of vulnerabilities per year, 1999-2017, scale 0 to 16,000)
Source: Common Vulnerabilities and Exposures
02 OSS Security vs. Proprietary Code Security
Open Source Security is a Different Game
Why is it so different than protecting your proprietary code?

Nature of Findings
  Proprietary vulnerabilities: Potential or suspected vulnerabilities (SAST & DAST)
  Open source vulnerabilities: Known & validated vulnerabilities (number of CVEs more than doubled in 2017)
What Do Hackers Know?
  Proprietary: No public information available
  Open source: All information is publicly available
How to Fix?
  Proprietary: Need to analyze and come up with a fix
  Open source: Fix suggestions are available (87% of OSS vulnerabilities have a fix)
When to Scan?
  Proprietary: Typically post coding
  Open source: Continuous monitoring (incl. post release)
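The "known & validated" and "all information is publicly available" points above are what make open source findings mechanically checkable: the affected version ranges for CVE-2017-5638 are published in the Apache Struts S2-045 advisory, so a build can match its own manifest against them without any analysis of the code. The following script is an added example, not code from the deck or from WhiteSource. The pom.xml it scans is constructed for the example; the ranges it encodes are the advisory's (Struts 2.3.5 through 2.3.31, fixed in 2.3.32; 2.5 through 2.5.10, fixed in 2.5.10.1).

```python
"""Added example (not from the deck or WhiteSource): match the dependencies
declared in a Maven pom.xml against the affected ranges published for
CVE-2017-5638 (Apache Struts advisory S2-045).  The pom below is constructed."""
import re
import xml.etree.ElementTree as ET

POM_NS = "{http://maven.apache.org/POM/4.0.0}"

# Affected ranges and fixed versions as stated in the S2-045 advisory:
# Struts 2.3.5 - 2.3.31 (fixed in 2.3.32) and 2.5 - 2.5.10 (fixed in 2.5.10.1).
CVE_2017_5638 = {
    "id": "CVE-2017-5638",
    "group": "org.apache.struts",
    "artifact": "struts2-core",
    "ranges": [  # (first affected, last affected, fixed in), both ends inclusive
        ("2.3.5", "2.3.31", "2.3.32"),
        ("2.5", "2.5.10", "2.5.10.1"),
    ],
}


def parse_version(v):
    """'2.5.10.1' -> (2, 5, 10, 1); shorter versions are zero-padded so that
    2.5 < 2.5.10 < 2.5.10.1 compares correctly as tuples."""
    parts = [int(p) for p in re.findall(r"\d+", v)]
    return tuple(parts + [0] * (4 - len(parts)))


def affected_range(version, vuln):
    """Return the (lo, hi, fix) range containing version, or None if not affected."""
    v = parse_version(version)
    for lo, hi, fix in vuln["ranges"]:
        if parse_version(lo) <= v <= parse_version(hi):
            return lo, hi, fix
    return None


def maven_dependencies(pom_xml):
    """Yield (groupId, artifactId, version) for every <dependency> in the pom,
    resolving ${property} placeholders from <properties>.  A version that is
    not declared (managed by a parent POM or BOM) is yielded as an empty string."""
    root = ET.fromstring(pom_xml)
    props = {p.tag.replace(POM_NS, ""): (p.text or "").strip()
             for p in root.findall(POM_NS + "properties/*")}
    for dep in root.iter(POM_NS + "dependency"):
        fields = {}
        for name in ("groupId", "artifactId", "version"):
            el = dep.find(POM_NS + name)
            fields[name] = (el.text or "").strip() if el is not None else ""
        version = re.sub(r"\$\{([^}]+)\}",
                         lambda m: props.get(m.group(1), m.group(0)),
                         fields["version"])
        yield fields["groupId"], fields["artifactId"], version


def scan_pom(pom_xml, vulns=(CVE_2017_5638,)):
    """Return [(vuln id, coordinate, declared version, fixed-in version)].
    Dependencies without a declared version are skipped, not matched."""
    findings = []
    for group, artifact, version in maven_dependencies(pom_xml):
        for vuln in vulns:
            if (group, artifact) != (vuln["group"], vuln["artifact"]) or not version:
                continue
            hit = affected_range(version, vuln)
            if hit:
                findings.append((vuln["id"], f"{group}:{artifact}", version, hit[2]))
    return findings


# Constructed pom.xml: Struts pinned through a property, plus an unrelated dependency.
SAMPLE_POM = """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <modelVersion>4.0.0</modelVersion>
  <groupId>com.example</groupId>
  <artifactId>webapp</artifactId>
  <version>1.0</version>
  <properties>
    <struts.version>2.3.30</struts.version>
  </properties>
  <dependencies>
    <dependency>
      <groupId>org.apache.struts</groupId>
      <artifactId>struts2-core</artifactId>
      <version>${struts.version}</version>
    </dependency>
    <dependency>
      <groupId>org.apache.commons</groupId>
      <artifactId>commons-lang3</artifactId>
      <version>3.5</version>
    </dependency>
  </dependencies>
</project>
"""

if __name__ == "__main__":
    for vuln_id, coord, version, fix in scan_pom(SAMPLE_POM):
        print(f"{vuln_id}: {coord} {version} is affected, upgrade to {fix}")
```

Run stand-alone it reports one finding for struts2-core 2.3.30 with the fix version 2.3.32; the same check on 2.5.10.1 or 2.3.32 returns nothing. Two practical caveats: a version inherited from a parent POM or BOM is skipped here rather than resolved, and only declared dependencies are examined, so a Struts pulled in transitively would be missed by a manifest-only scan of this kind; a real SCA tool resolves the full dependency tree before matching.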
03 Efficiency & Noise Reduction
Effective vs Ineffective
On average, 70%* of reported security vulnerabilities in open source libraries are not referenced by the developers’ code.
(Chart: of vulnerabilities reported in open source code, 70% ineffective, 30% effective)
* Based on preliminary research by WhiteSource
04 Shift Left & Delegate Security Responsibilities
Automate Security Tools To Improve Coverage While Reducing Friction
(Security, DevOps, Developers)
Detect Issues As Early As Possible
The cost of fixing security and quality issues rises significantly as the development cycle advances.
Source: Ponemon Institute Research
• Coding: $80/defect
• Build: $240/defect
• QA & Security: $960/defect
• Production: $7,600/defect
Cost of fixing issues is reduced by 90% or more when detected in the build rather than post-release ($240 vs. $7,600 per defect in the figures above, a reduction of roughly 97%).
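The 70% "ineffective" figure from section 03 and the "detect issues as early as possible" point above combine naturally in a build-stage gate: only findings whose vulnerable code the application can actually reach should fail the build, and they should fail it at the build step rather than in QA or production. The script below is an added example, not code from the deck or from WhiteSource. It triages constructed SCA findings against a constructed Java source tree with a simple import-based reachability heuristic; identifiers prefixed EXAMPLE- are placeholders, not real CVEs, and the package lists are assumptions for illustration. It also handles the case an import check gets wrong: CVE-2017-5638 lives in the Struts multipart request handling, which the framework runs for any multipart request regardless of what the application imports, so such findings are flagged as framework entry points and always treated as effective.

```python
"""Added example (not from the deck or WhiteSource): triage SCA findings by
reachability and gate the build on effective findings only.  Findings, the
affected-package lists and the source tree are constructed for illustration."""
import re
from dataclasses import dataclass


@dataclass
class Finding:
    vuln_id: str            # CVE id, or an EXAMPLE-* placeholder for constructed entries
    library: str            # Maven coordinate the finding was raised against
    severity: str           # "critical" / "high" / "medium" / "low"
    packages: tuple         # Java packages the vulnerable code lives in (assumed here)
    framework_entry: bool = False  # reached by the framework at runtime, not via imports


# Matches `import a.b.C;` and `import static a.b.C.m;` in Java sources.
IMPORT_RE = re.compile(r"^\s*import\s+(?:static\s+)?([\w.]+)", re.MULTILINE)


def referenced_names(sources):
    """Fully qualified names imported by the application's own sources.
    sources maps path -> Java source text; a wildcard import keeps its package."""
    names = set()
    for text in sources.values():
        for name in IMPORT_RE.findall(text):
            names.add(name.rstrip("."))
    return names


def is_effective(finding, imported):
    """Effective if the framework reaches the vulnerable code on its own, or if
    application code imports anything under one of the vulnerable packages."""
    if finding.framework_entry:
        return True
    return any(name == pkg or name.startswith(pkg + ".")
               for name in imported for pkg in finding.packages)


def triage(findings, sources):
    """Pair every finding with its effective / ineffective verdict."""
    imported = referenced_names(sources)
    return [(f, is_effective(f, imported)) for f in findings]


def build_gate(findings, sources, fail_on=("critical", "high")):
    """Return (ok, messages): block on effective findings at or above the
    threshold; report ineffective ones without failing the build."""
    ok, messages = True, []
    for f, effective in triage(findings, sources):
        if effective and f.severity in fail_on:
            ok = False
            messages.append(f"BLOCK {f.vuln_id} in {f.library}: vulnerable code is reachable")
        elif effective:
            messages.append(f"WARN  {f.vuln_id} in {f.library}: reachable, severity {f.severity}")
        else:
            messages.append(f"INFO  {f.vuln_id} in {f.library}: not referenced by application code")
    return ok, messages


# Constructed findings.  CVE-2017-5638 is real; the EXAMPLE-* ids are placeholders.
SAMPLE_FINDINGS = [
    Finding("CVE-2017-5638", "org.apache.struts:struts2-core", "critical",
            ("org.apache.struts2.dispatcher.multipart",), framework_entry=True),
    Finding("EXAMPLE-0001", "org.apache.commons:commons-lang3", "medium",
            ("org.apache.commons.lang3",)),
    Finding("EXAMPLE-0002", "com.example.thirdparty:imaging", "high",
            ("com.example.thirdparty.imaging",)),
]

# Constructed application source tree: one Struts action that uses commons-lang3.
SAMPLE_SOURCES = {
    "src/main/java/com/example/UploadAction.java": """
package com.example;

import com.opensymphony.xwork2.ActionSupport;
import org.apache.commons.lang3.StringUtils;

public class UploadAction extends ActionSupport {
    private String name;
    public String execute() { return StringUtils.isBlank(name) ? ERROR : SUCCESS; }
}
""",
}

if __name__ == "__main__":
    ok, messages = build_gate(SAMPLE_FINDINGS, SAMPLE_SOURCES)
    print("\n".join(messages))
    print("build", "passed" if ok else "FAILED")
```

On the constructed input the gate blocks on CVE-2017-5638 (framework entry point, critical), warns on the medium-severity commons-lang3 placeholder because the application imports that package, and only logs the imaging placeholder because nothing references it. Import matching is a heuristic, not a call graph: reflection, dependency injection and transitive use inside another library all escape it, which is why the framework_entry flag exists and why an "ineffective" verdict should lower priority rather than close a finding.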
WhiteSource | At a Glance
• Founded 2011
• ISO 27001 Certified
• Offices: New York, Boston, London, Tel Aviv
• 300% growth for 3 consecutive years
• Over 400 customers worldwide
• 3 OEMs
• Scores Strongest Current Offering in Forrester's Wave Report
• Portfolio Company
WhiteSource Scores Strongest Offering by Forrester®
“WhiteSource Software offers strong support for proactive vulnerability management, policy management and SDLC integration”
The Forrester Wave™: Software Composition Analysis (SCA) Q1 2017
Some of Our Customers
Summary – Open Source Security Reality
CVE-2017-5638 is just one example. Thousands of vulnerabilities are found in OSS yearly.
Good News: The OSS community is great at identifying security issues & patching quickly – just like in the Equifax case
Problem: OSS consumers, i.e. developers or app security personnel, are slow to react
Solution: Must be a combination of technology and mindset shift
Q&A Session
THANK YOU