© Copyright 2014 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.
7 Security Gaps in the "Neglected 90%" of Your Applications 3rd Party & Open Source Software Supply Chain Risks
Joshua Corman, Sonatype CTO Sep 2014 – HP Connect – Washington, DC
SW SUPPLY CHAIN IN CONTEXT OF CYBERSECURITY BIG PICTURE
KEY QUESTIONS
Where are Attackers most focused? Where are Defenders most focused? Which Activities have the most security impact?
MOST ATTACKED: WEAK SOFTWARE IS #1 ATTACK VECTOR
Source: 2014 Verizon Data Breach Investigations Report
LEAST SPENDING/PRIORITY: WEAK SOFTWARE
Software Security gets LEAST $ but MOST attacker focus
Security spending by category:
• Host Security ~$10B
• Data Security ~$5B
• People Security ~$4B
• Network Security ~$20B
• Software Security ~$0.5B
Source: Normalized spending numbers from IDC, Gartner, The 451 Group; since groupings vary
LEAST SPENDING/PRIORITY: WEAK SW
Software Security gets LEAST $ but MOST attacker focus
Spending vs. attack risk by category:
• Host Security ~$10B
• Data Security ~$5B
• People Security ~$4B
• Network Security ~$20B
• Software Security ~$0.5B, of which:
  • Written Code Scanning (the 10% written)
  • Assembled 3rd Party & OpenSource Components (~90% of most applications): Almost No Spending
Worse, within Software, existing dollars go to the 10% written
Source: Normalized spending numbers from IDC, Gartner, The 451 Group; since groupings vary
MOST IMPACT: BUY/BUILD DEFENSIBLE SOFTWARE
• Defensible Infrastructure
• Operational Excellence
• Situational Awareness
• Counter-measures
Defensible Infrastructure: the software & hardware we build, buy, and deploy. 90% of software is assembled from 3rd party & Open Source; 10% Written.
@joshcorman @451wendy
IS IT OPEN SEASON ON OPEN SOURCE?
THINK LIKE AN ATTACKER
Now that software is ASSEMBLED… our shared value becomes our shared attack surface
THINK LIKE AN ATTACKER: ONE EASY TARGET
One risky component now affects thousands of victims
BEYOND HEARTBLEED: OPENSSL IN 2014 (17 IN NIST’S NVD THRU JULY 25)

| CVE | Published | CVSS Severity | Note |
|---|---|---|---|
| CVE-2014-3470 | 6/5/2014 | 4.3 MEDIUM | Siemens * |
| CVE-2014-0224 | 6/5/2014 | 6.8 MEDIUM | Siemens * |
| CVE-2014-0221 | 6/5/2014 | 4.3 MEDIUM | |
| CVE-2014-0195 | 6/5/2014 | 6.8 MEDIUM | |
| CVE-2014-0198 | 5/6/2014 | 4.3 MEDIUM | Siemens * |
| CVE-2013-7373 | 4/29/2014 | 7.5 HIGH | |
| CVE-2014-2734 | 4/24/2014 | 5.8 MEDIUM | ** DISPUTED ** |
| CVE-2014-0139 | 4/15/2014 | 5.8 MEDIUM | |
| CVE-2010-5298 | 4/14/2014 | 4.0 MEDIUM | |
| CVE-2014-0160 | 4/7/2014 | 5.0 MEDIUM | HeartBleed |
| CVE-2014-0076 | 3/25/2014 | 4.3 MEDIUM | |
| CVE-2014-0016 | 3/24/2014 | 4.3 MEDIUM | |
| CVE-2014-0017 | 3/14/2014 | 1.9 LOW | |
| CVE-2014-2234 | 3/5/2014 | 6.4 MEDIUM | |
| CVE-2013-7295 | 1/17/2014 | 4.0 MEDIUM | |
| CVE-2013-4353 | 1/8/2014 | 4.3 MEDIUM | |
| CVE-2013-6450 | 1/1/2014 | 5.8 MEDIUM | |

As of today, internet scans by MassScan reveal 300,000 of original 600,000 remain unpatched or unpatchable
OPEN SOURCE USAGE IS EXPLODING
Component Usage Has Exploded
[Chart: requests in millions per year, 2001 to 2013, y-axis 0 to 8,000; 13 Billion Requests in 2013]
Growth Drivers: Mobile, Cloud, Web Apps, Big Data
STRUTS
• Global Bank
• Software Provider
• Software Provider’s Customer
• State University
• Three-Letter Agency
• Large Financial Exchange
• Hundreds of Other Sites
TRUE? W/ MANY EYEBALLS, ALL BUGS ARE SHALLOW? E.G. STRUTS
[Chart: Struts CVEs plotted by publication year (2005 to 2014) against CVSS score (1.0 to 10.0); annotated "Latent 7-11 yrs"]
CVEs plotted: CVE-2005-3745; CVE-2006-1546, CVE-2006-1547, CVE-2006-1548; CVE-2007-6726; CVE-2008-2025, CVE-2008-6504, CVE-2008-6505, CVE-2008-6682; CVE-2010-1870; CVE-2011-1772, CVE-2011-2087, CVE-2011-2088, CVE-2011-5057; CVE-2012-0391, CVE-2012-0392, CVE-2012-0393, CVE-2012-0394, CVE-2012-0838, CVE-2012-1006, CVE-2012-1007, CVE-2012-4386, CVE-2012-4387; CVE-2013-1965, CVE-2013-1966, CVE-2013-2115, CVE-2013-2134, CVE-2013-2135, CVE-2013-2248, CVE-2013-2251, CVE-2013-4310, CVE-2013-4316, CVE-2013-6348; CVE-2014-0094
BOUNCY CASTLE
In 2013, 4,000 organizations downloaded a version of Bouncy Castle with a level 10 vulnerability 20,000 TIMES … MORE THAN FIVE YEARS after the vulnerability was fixed
NATIONAL CYBER AWARENESS SYSTEM. Original Release Date: 03/30/2009. CVE-2007-6721, Bouncy Castle Java Cryptography API. CVSS v2 Base Score: 10.0 HIGH; Impact Subscore: 10.0; Exploitability Subscore: 10.0
HTTPCLIENT 3.X
In December 2013, 6,916 DIFFERENT organizations downloaded a version of httpclient with broken SSL validation (CVE-2012-5783) 66,824 TIMES … More than ONE YEAR AFTER THE ALERT
NATIONAL CYBER AWARENESS SYSTEM. Original Release Date: 11/04/2012. CVE-2012-5783, Apache Commons HttpClient 3.x. CVSS v2 Base Score: 5.8 MEDIUM; Impact Subscore: 4.9; Exploitability Subscore: 8.6
THE REAL IMPLICATIONS OF HEARTBLEED
HEARTBLEED + (UNPATCHABLE) INTERNET OF THINGS == ___ ?
• In Our Bodies
• In Our Homes
• In Our Infrastructure
• In Our Cars
IS IT TIME FOR A SOFTWARE SUPPLY CHAIN?
ELEGANT PROCUREMENT TRIO
1) Ingredients: Anything sold to $PROCURING_ENTITY must provide a Bill of Materials of 3rd Party and Open Source Components (along with their Versions)
2) Hygiene & Avoidable Risk: …and cannot use known vulnerable components for which a less vulnerable component is available (without a written and compelling justification accepted by $PROCURING_ENTITY)
3) Remediation: …and must be patchable/updateable – as new vulnerabilities will inevitably be revealed
PROCUREMENT TRIO + BOUNCY CASTLE
In 2013, 4,000 organizations downloaded a version of Bouncy Castle with a level 10 vulnerability 20,000 TIMES … MORE THAN FIVE YEARS after the vulnerability was fixed
NATIONAL CYBER AWARENESS SYSTEM. Original Release Date: 03/30/2009. CVE-2007-6721, Bouncy Castle Java Cryptography API. CVSS v2 Base Score: 10.0 HIGH; Impact Subscore: 10.0; Exploitability Subscore: 10.0
1) AS OPEN SOURCE USAGE EXPANDS, SO DO THE RISKS
OPEN SOURCE USAGE IS EXPLODING
Component Usage Has Exploded
[Chart: requests in millions per year, 2001 to 2013, y-axis 0 to 8,000; 13 Billion Requests in 2013]
Growth Drivers: Mobile, Cloud, Web Apps, Big Data
2) SECURITY BUDGETS ARE OUT OF SYNC WITH RISK AND REALITY
MOST ATTACKED: WEAK SOFTWARE IS #1 ATTACK VECTOR
Source: 2014 Verizon Data Breach Investigations Report
LEAST SPENDING/PRIORITY: WEAK SW
Software Security gets LEAST $ but MOST attacker focus
Spending vs. attack risk by category:
• Host Security ~$10B
• Data Security ~$5B
• People Security ~$4B
• Network Security ~$20B
• Software Security ~$0.5B, of which:
  • Written Code Scanning (the 10% written)
  • Assembled 3rd Party & OpenSource Components (~90% of most applications): Almost No Spending
Worse, within Software, existing dollars go to the 10% written
Source: Normalized spending numbers from IDC, Gartner, The 451 Group; since groupings vary
3) PARETO PRINCIPLE 2.0? (THE “90/10” RULE): LOW EFFORT AND BIG GAINS
HOW MUCH CODE DO WE “WRITE” THESE DAYS?
Software Evolution: 90% Assembled; the remainder Written
MOST IMPACT: BUY/BUILD DEFENSIBLE SOFTWARE
• Defensible Infrastructure
• Operational Excellence
• Situational Awareness
• Counter-measures
Defensible Infrastructure: the software & hardware we build, buy, and deploy. 90% of software is assembled from 3rd party & Open Source; 10% Written.
@joshcorman @451wendy
4) YOU USE A SOFTWARE SUPPLY CHAIN. HOW WELL DO YOU MANAGE IT?
Supply Chain Management
[Diagram, stages as extracted: Delivery (Application), Integration (Component Version), Selection (Components), Supply (Projects), Supplier; Optimization (Monitoring); Platforms & Tools]
Discovery and repair flow, part → compound project → consumer (car analogy):

| “Part” (Discovery → Repair) | Compound Project (Discovery → Repair) | Consumer (Aware → Recovery) |
|---|---|---|
| Airbag | Car X | Mary’s GM |
Discovery and repair flow, part → compound project → consumer, with software examples:

| “Part” (Discovery → Repair) | Compound Project (Discovery → Repair) | Consumer (Aware → Recovery) |
|---|---|---|
| Airbag | Car X | Mary’s GM |
| Struts | Bank of America | Sally, Bank Customer |
| Struts | IBM WebSphere | Bank of America… |
| Bouncy Castle | 20,000 Applications | x ??? Users |
TRUE COSTS & LEAST COST AVOIDERS: DOWNSTREAM
[Diagram: ACME at the top, with downstream consumers repeated across three tiers, each spanning Enterprise, Bank, Retail, Manufacturing, BioPharma, Education, High Tech]
[Diagram: Part (Bolt): Struts 2 → Compound Parts: Foo_0 through Foo_11 (three stacks) → Product: IBM WebSphere → End Consumer: CIGNA, X.com; columns Discovery/Repair for parts and product, Aware/Recovery for end consumer]
COMMERCIAL RESPONSES TO OPENSSL
[Chart] X Axis: Time (Days) following initial HeartBleed disclosure and patch availability. Y Axis: Number of products included in the vendor vulnerability disclosure. Z Axis (circle size): Exposure as measured by the CVE CVSS score
5) EMPOWER YOUR DEVELOPERS. THEY’RE YOUR FRONT LINE DEFENSE.
How can we choose the best components FROM THE START?
Shift Upstream = ZTTR (Zero Time to Remediation)
• Analyze all components from within your IDE
• License, Security and Architecture data for each component, evaluated against your policy
@joshcorman @451wendy
6) MANUAL POLICIES JUST DON’T WORK IN A SECURE DEVELOPMENT LIFECYCLE.
If you’re not using secure COMPONENTS you’re not building secure APPLICATIONS
Lifecycle stages: Component Selection → Development → Build and Deploy → Production
Today’s approaches AREN’T WORKING
Lifecycle stages: Component Selection → Development → Build and Deploy → Production
• 46m vulnerable components downloaded
• 71% of apps have 1+ critical or severe vulnerability
• 90% of repositories have 1+ critical vulnerability
7) AGILE DEVELOPMENT REQUIRES AGILE SECURITY.
RUGGED DEVOPS AND GENE’S “THREE WAYS”
1) Systems Thinking
2) Amplify Feedback Loops
3) Culture of Continuous Experimentation & Learning
ADOPT A "DEVSECOPS" MINDSET
[Diagram elements: Requirements, Build/Assemble, Test, Deploy; Prevent Issues, Detect Issues, Predict Issues, Remediate/Change; Policies, Models, Templates; IT Operations Intelligence and Security Intelligence; Monitoring and Analytics]
Source: Neil MacDonald, Gartner
THE ADAPTIVE SECURITY ARCHITECTURE
Four quadrants around Continuous Monitoring and Analytics:
• Predict: Proactive Exposure Assessment; Predict Attacks; Baseline Systems
• Prevent: Harden and Isolate Systems; Divert Attackers; Prevent Incidents
• Detect: Detect Incidents; Confirm and Prioritize; Contain Incidents
• Respond: Remediate/Make Change; Design/Model change; Investigate/Forensics
Source: Neil MacDonald, Gartner
1. AS OPEN SOURCE USAGE EXPANDS, SO DO THE RISKS
2. SECURITY BUDGETS ARE OUT OF SYNC WITH RISK AND REALITY
3. PARETO PRINCIPLE 2.0? (THE “90/10” RULE): LOW EFFORT AND BIG GAINS
4. YOU USE A SOFTWARE SUPPLY CHAIN. HOW WELL DO YOU MANAGE IT?
5. EMPOWER YOUR DEVELOPERS. THEY’RE YOUR FRONT LINE DEFENSE
6. MANUAL POLICIES JUST DON’T WORK IN A SECURE DEVELOPMENT LIFECYCLE
7. AGILE DEVELOPMENT REQUIRES AGILE SECURITY
“Sonatype presents a rare opportunity to do something concrete in the application security space. One of the 1st tools that comes close to remediation not just scan results and recommendations.” -- Wendy Nather
https://www.usenix.org/system/files/login/articles/15_geer_0.pdf
CAN YOU ANSWER THESE 3 QUESTIONS?
1. What open source components do you use?
2. Where?
3. Are there known vulnerabilities?
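The Procurement Trio (Ingredients, Hygiene & Avoidable Risk, Remediation), the "evaluated against your policy" idea from the ZTTR slide, and these three questions all reduce to the same mechanical check: walk a bill of materials, match each component and version against a vulnerability feed and a license policy, and report what to upgrade, replace or justify. The Python below is an added example written for this transcript; it is not code from the deck, from Sonatype or from HP Fortify. The vulnerability feed, the BOM, the application names and the license deny list are constructed for the demo: the two CVE ids and their CVSS scores are the ones the deck cites, but the affected and fixed version ranges are assumptions made for illustration, not NVD data.

```python
"""Bill-of-materials (BOM) policy check: ingredients, hygiene, remediation."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Advisory:
    cve: str
    introduced: str       # first affected version (inclusive)
    fixed: Optional[str]  # first fixed version (exclusive); None = no fix in this release line
    cvss: float


@dataclass(frozen=True)
class Component:
    app: str       # which application ships it (answers "Where?")
    name: str      # group:artifact, as a Maven BOM would name it
    version: str
    license: str


@dataclass(frozen=True)
class Finding:
    app: str
    component: str
    version: str
    rule: str      # "upgrade-available" | "no-fix-available" | "license-denied"
    detail: str


# Constructed feed for the demo, NOT an NVD extract. The CVE ids and CVSS scores are the
# ones the deck cites; the affected/fixed version ranges are assumptions for illustration.
FEED: Dict[str, List[Advisory]] = {
    "org.bouncycastle:bcprov-jdk15": [Advisory("CVE-2007-6721", "1.0", "1.38", 10.0)],
    "commons-httpclient:commons-httpclient": [Advisory("CVE-2012-5783", "3.0", None, 5.8)],
}

DENIED_LICENSES = ("AGPL-3.0",)   # assumed policy value for the demo


def parse_version(v: str) -> Tuple[int, ...]:
    """'1.38.0-rc1' -> (1, 38, 0, 1): numeric-only ordering, enough for this demo."""
    nums = re.findall(r"\d+", v)
    return tuple(int(n) for n in nums) if nums else (0,)


def is_affected(version: str, adv: Advisory) -> bool:
    """Version lies in [introduced, fixed); an advisory with no fix has no upper bound."""
    v = parse_version(version)
    if v < parse_version(adv.introduced):
        return False
    return adv.fixed is None or v < parse_version(adv.fixed)


def check_bom(bom: List[Component],
              feed: Dict[str, List[Advisory]] = FEED,
              denied_licenses: Tuple[str, ...] = DENIED_LICENSES) -> List[Finding]:
    """Apply the procurement trio to every BOM entry and return the violations."""
    findings: List[Finding] = []
    for c in bom:
        if c.license in denied_licenses:
            findings.append(Finding(c.app, c.name, c.version, "license-denied",
                                    f"license {c.license} is on the deny list"))
        for adv in feed.get(c.name, []):
            if not is_affected(c.version, adv):
                continue
            if adv.fixed is not None:
                # Hygiene rule: a less vulnerable version exists, so shipping this one
                # needs an upgrade or an accepted written justification.
                findings.append(Finding(c.app, c.name, c.version, "upgrade-available",
                                        f"{adv.cve} (CVSS {adv.cvss}) fixed in {adv.fixed}"))
            else:
                # Remediation rule: nothing to upgrade to in this line, so the component
                # must be replaced and the product must stay patchable in the meantime.
                findings.append(Finding(c.app, c.name, c.version, "no-fix-available",
                                        f"{adv.cve} (CVSS {adv.cvss}) has no fixed version in this line"))
    return findings


def where_used(bom: List[Component], name: str) -> List[str]:
    """Answer 'Where?' for one component: the applications shipping any version of it."""
    return sorted({c.app for c in bom if c.name == name})


# Constructed BOM for two hypothetical applications.
SAMPLE_BOM = [
    Component("payments", "org.bouncycastle:bcprov-jdk15", "1.36", "MIT"),
    Component("payments", "commons-httpclient:commons-httpclient", "3.1", "Apache-2.0"),
    Component("portal", "org.bouncycastle:bcprov-jdk15", "1.50", "MIT"),
    Component("portal", "example:reporting-lib", "2.4.1", "AGPL-3.0"),
]

if __name__ == "__main__":
    for f in check_bom(SAMPLE_BOM):
        print(f"[{f.rule}] {f.app}: {f.component}@{f.version} -> {f.detail}")
```

Running the module prints one line per finding. In a CI gate the natural policy is to fail the build on any `upgrade-available` finding that lacks an accepted justification and to keep `no-fix-available` findings on a replacement plan, which is the patchability the third procurement rule demands; the numeric-only version ordering is deliberately simple and would need a real version-range library for qualifiers such as `1.38-SNAPSHOT`.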
Announcing a NEW BREED of Application Security: Open Source, Static, Dynamic
AVAILABLE TODAY IN FORTIFY ON DEMAND
SONATYPE OPEN SOURCE VISIBILITY REPORT PROVIDES:
• Summary: The number of components analyzed, including security issues and licenses used
• Bill of Materials: A complete list of the components used in your application
• Security Analysis: Known security threats by vulnerability and severity level
• Quality Analysis: Details component age, fingerprint verification & adherence to policies
• License Analysis: License descriptors for every component & license implication for your application
FULLY ENABLED:
• Lists Sonatype published report here.
• Customer accesses PDF report here.
• Sonatype materials available in the FoD Help Center
FULLY EXPLAINED
http://www.sonatype.com/fortify/report: Visit this page to get a detailed walk-thru of the Open Source Visibility Report.
http://www.sonatype.com/fortify: Visit this page to find out more about Sonatype and HP Fortify on Demand. Download the product brief, FAQ and more.
SONATYPE’S FULL CLM OFFERING: SONATYPE CLM
• Developer friendly – makes it easy to find and fix problems early.
• Visibility and control. Automated and integrated policy enforcement throughout the software lifecycle.
• Proactive and ongoing for continued trust.
HOW TO LEARN MORE…
Visit Sonatype’s Booth
Visit http://www.sonatype.com/fortify
Contact Sonatype, [email protected]
Contact Fortify on Demand, [email protected]
THANK YOU
@JOSHCORMAN @SONATYPE
Please fill out a survey. Hand it to the door monitor on your way out.
Thank you for providing your feedback, which helps us enhance content for future events.
Session BB3168 Speakers Joshua Corman
Please give me your feedback