open source libraries - managing risk in cloud

Post on 07-Jan-2017


Open Source Libraries - Managing Risk in Cloud

SUMAN SOURAV

OWASP Top 10 2013

A9. Using components with known vulnerabilities

Prevalence: Widespread

Detectability: Difficult

Agenda

Software Development & Open Source Components

Emerging Threats & Landscape

Defense Strategy & Solution

Practical Challenges

Disclaimer

Not endorsing any tools

About me

Defensive Security Professional having 10+ years of experience

Specialize in Secure SDLC implementation

Building security strategy for the organization

Threat Modeling / Secure Code Review / Penetration Testing / Security Test Automation

Secure Coding Trainer, Security QA Testing Trainer, Speaker

SAFECode & Null Singapore

At least 75% of organizations rely on open source as the foundation of their applications.

The (Maven) Central Repository — the largest source of open source components for developers — handled thirteen billion download requests in a year.

Is open source important?

Reference - Sonatype

[Chart: Open Source Component Usage, Aug-14 to Dec-15, y-axis 0 to 100, series Product 1, Product 2, Product 3]

A case study

Why to worry?

More than 80 per cent of a typical software application is comprised of open source components and frameworks.

Collectively, Global 500 organizations downloaded more than 2.8 million insecure components in one year.

There were more than 46 million downloads of insecure versions of the 31 most popular open source security libraries and web frameworks.

Quantitative Analysis

Reference - Sonatype

Threat Landscape

44% of enterprises have no policies governing open source component use in their app development.

77% of those that have adopted open source component policies have never banned a single component.

79% do not need to prove they are using components free of security vulnerabilities.

63% fail to monitor for changes in vulnerability data for open source software components.

Survey Results

Reference - Sonatype

Open source components may have:

Execution of arbitrary code

XSS

Injection

Denial of Service

Insecure cryptographic function

...

Why should we take this seriously?

Wake-up Call - April 7th, 2014

canyonero.org

Again in October 2014

Java Deserialization vulnerability

“combining the readObject() methods of various classes which are available on the classpath of the vulnerable application an attacker can execute functions (including calling Runtime.exec() to execute local OS commands).”

http://foxglovesecurity.com/2015/11/06/what-do-weblogic-websphere-jboss-jenkins-opennms-and-your-application-have-in-common-this-vulnerability/

Recent Vulnerabilities

What else ?

Vulnerable Components Utilization

Reference - Sonatype

Don't know about the vulnerable components

Don't know how to check before use

No mechanism to update the current status

Lack of preventive mechanism

Challenges for the developers

OWASP Initiatives

OWASP Good Component Practices Project

OWASP Dependency Track Project

Best Strategy to Manage

Centralize component repository

Integrate with the build process

Update vulnerability database

Generate Automated alert for any critical issues

Continuous Testing

Secure-SDLC – Enforcement point

[Diagram: enforcement points across the SDLC stages REQUIREMENTS, DESIGN, DEVELOPMENT, BUILD AND DEPLOY, STAGING and Production. Labels: Security Policy; Threat Modeling; SCA Tools/IDE Plugins; SCM Tools; Repository; External Repositories; Security Test Automation; VS/PT/IAST; Components Monitoring; Production Monitoring; firewall; National Vulnerability Database]

Continuous Testing - In a Nutshell

[Diagram: Build Environment; Fix Vulnerabilities; Integrate With Build; Upload to Server; Execute Scan; Generate report; SA; Developers; Reporting Server; Audit and Re-upload; Login]

Demo

Continuous Monitoring & Remediation

[Chart: component identification results by category - Exact Match, Similar Match, Unknown]
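The strategy outlined earlier (centralized component catalogue, integration with the build, a vulnerability feed, automated alerts for critical issues) and the Exact Match / Similar Match / Unknown classification, as an added Python example that is not part of the original deck. The catalogue, vulnerability entries, component names, hashes and identifiers are constructed sample data, and classifying by comparing a jar's hash with the catalogue entry for its coordinates is an assumption about how the tooling identifies components.

```python
"""Build-gate component check (constructed example): classify each dependency
as Exact Match / Similar Match / Unknown, then alert on known vulnerabilities."""
import hashlib

def sha1_of(data):
    return hashlib.sha1(data).hexdigest()  # the sample "jars" are short byte strings
# Constructed catalogue: (group:artifact, version) -> SHA-1 of the published jar.
CATALOGUE = {
    ("org.example:parser", "1.2.0"): sha1_of(b"parser-1.2.0.jar"),
    ("org.example:serializer", "3.0.1"): sha1_of(b"serializer-3.0.1.jar"),
}
# Constructed vulnerability feed: group:artifact -> [(affected versions, severity, id)].
VULN_DB = {
    "org.example:serializer": [({"3.0.0", "3.0.1"}, "CRITICAL", "EXAMPLE-2016-0001")],
    "org.example:parser": [({"1.1.0"}, "MEDIUM", "EXAMPLE-2015-0007")],
}
FAIL_ON = {"CRITICAL", "HIGH"}  # security policy enforced at the build gate

def classify(name, version, sha1):
    """Exact Match: hash equals the published artifact. Similar Match: coordinates
    known but hash differs (repackaged/patched jar). Unknown: not in catalogue."""
    known = CATALOGUE.get((name, version))
    if known is None:
        return "Unknown"
    return "Exact Match" if known == sha1 else "Similar Match"

def check_build(dependencies):
    """dependencies: (name, version, sha1) triples collected by the build.
    Returns (alerts, per-category counts, whether the build may proceed)."""
    alerts, counts = [], {"Exact Match": 0, "Similar Match": 0, "Unknown": 0}
    for name, version, sha1 in dependencies:
        kind = classify(name, version, sha1)
        counts[kind] += 1
        if kind == "Unknown":  # cannot be checked automatically: manual review
            alerts.append((name, version, "UNKNOWN", "not in catalogue"))
            continue
        for affected, severity, vuln_id in VULN_DB.get(name, []):
            if version in affected:
                alerts.append((name, version, severity, vuln_id))
    build_ok = not any(severity in FAIL_ON for _, _, severity, _ in alerts)
    return alerts, counts, build_ok

# Constructed dependency list for one build; the serializer jar was rebuilt
# locally, so its hash no longer matches the catalogue entry.
BUILD_DEPS = [
    ("org.example:parser", "1.2.0", sha1_of(b"parser-1.2.0.jar")),
    ("org.example:serializer", "3.0.1", sha1_of(b"serializer-3.0.1-patched.jar")),
    ("com.example:legacy-utils", "0.9", sha1_of(b"legacy-utils-0.9.jar")),
]
```

Running `check_build(BUILD_DEPS)` reports one component in each category, raises a CRITICAL alert for the similar-match serializer and an UNKNOWN alert for the uncatalogued component, and blocks the build under the policy.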

Removing known vulnerable components

Identify and analyze the security issues

Challenges

Implementation Strategy

Phase 1

• Web Product Build Integration

Phase 2

• Metadata of Unsupported External Components

• Governance of Supported Components

Phase 3

• Improvement of External Components

• Metadata for Internal Components

Phase 4

• Vulnerability database for internal components

• Link with Tool

Suman Sourav @SumanS0urav

https://sg.linkedin.com/in/sumansourav
