reduce the risk of open source security vulnerabilities

Post on 28-Jul-2015


Protecode Inc. 2014 1

Reducing the Risk of Open Source Security Vulnerabilities

June 18th 2014

Protecode Inc. 2014 2

Agenda

Definitions

NIST (National Institute of Standards and Technology) and the NVD (National Vulnerability Database)
– Understanding the data
– Sources of vulnerabilities (OSS vs. Proprietary)

Strategies for discovering vulnerabilities

Addressing the root cause

Q & A

Normand Glaude, COO, Protecode

nglaude@protecode.com

Arthur Hicken, Evangelist, Parasoft

arthur.hicken@parasoft.com

Protecode Inc. 2014 3

What is a Security Vulnerability?

According to NIST: “Weakness in an information system, system security procedures, internal controls, or implementation that could be exploited or triggered by a threat source.”

Source: http://nvlpubs.nist.gov/nistpubs/ir/2013/NIST.IR.7298r2.pdf

According to Microsoft: “A security vulnerability is a weakness in a product that could allow an attacker to compromise the integrity, availability, or confidentiality of that product.”

Source: http://technet.microsoft.com/en-us/library/cc751383.aspx

Protecode Inc. 2014 4

NVD Nomenclature

CVE: Common Vulnerabilities and Exposures – a known vulnerability

CCSS: Common Configuration Scoring System – a severity

CPE: Common Platform Enumeration – an owner, product and version

CCE: Common Configuration Enumeration – a system configuration

CWE: Common Weakness Enumeration – a code, design or architecture weakness

Protecode Inc. 2014 5

Security Vulnerabilities (CVEs)

[Chart: number of CVEs per year, 1999 to 2013 (y-axis 0 to 8000); series: Total, Non-OSS, OSS]

Protecode Inc. 2014 6

[Figure: a set of products each stamped “OSS Inside”, one of them marked “OSS Inside ?”]

Top 10 List: Highest number of CVEs (last 15 years)

Open Source Projects:
Linux Kernel
Mozilla Firefox
Mozilla SeaMonkey
Mozilla Thunderbird
RedHat
PHP
FreeBSD
Wireshark
MySQL
Moodle

Proprietary Products:
Microsoft Windows
Google Chrome
Apple MacOS
Microsoft Internet Explorer
Sun/Oracle JRE/JDK
Sun/Oracle Solaris
Apple Safari
Oracle Database
Cisco IOS
Apple iPhone OS

Protecode Inc. 2014 7

Finding Security Vulnerabilities in your Code

Find reported vulnerabilities posted on public databases
– Consider the OSS components as part of your code
– Build an up-to-date BOM (Bill of Materials) for your software
– Cross-reference vulnerability databases with the 3rd-party content in your BOM
– Tools: open source content management tooling that automatically cross-references your BOM against public vulnerability databases

Uncover unreported vulnerabilities by doing code inspection
– Extract all source code potentially exposed to external inputs
– Look for code patterns known to be prone to vulnerabilities
– Tools: static and flow analysis tooling that automatically scans your code
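The slide above describes the BOM cross-referencing step, and the NVD Nomenclature slide describes the CPE (owner, product, version) identifier that makes that lookup possible. The script below is an added example, not Protecode's or Parasoft's tooling: it builds CPE 2.3 names for each BOM entry, checks each entry against a vulnerability feed with affected version ranges, and attaches the "does it apply / upgrade / fix it yourself or find an alternative" decision from the later slide. The vendors, products, version ranges and CVE ids (CVE-0000-000N are placeholders, not real identifiers) are all constructed for illustration.

```python
"""Cross-reference a bill of materials (BOM) against a vulnerability feed.

Added example: a toy version of the "cross-reference vulnerability databases
with the 3rd-party content in your BOM" step. The BOM entries, the advisories,
their CVE ids (CVE-0000-000N are placeholders, not real identifiers) and the
version ranges are all constructed for illustration.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple


def parse_version(text: str) -> Tuple[int, ...]:
    """Turn '2.4.10' into (2, 4, 10) so that versions compare numerically.

    Comparing as strings would rank '2.4.9' above '2.4.10'; non-numeric
    suffixes such as '1.0b' are dropped after the digits.
    """
    parts = []
    for piece in text.split("."):
        digits = "".join(ch for ch in piece if ch.isdigit())
        parts.append(int(digits) if digits else 0)
    return tuple(parts)


@dataclass(frozen=True)
class Component:
    """One BOM line: the owner, product and version that a CPE identifies."""
    vendor: str
    product: str
    version: str

    def cpe(self) -> str:
        # CPE 2.3 formatted-string layout; the 'a' part means "application".
        return f"cpe:2.3:a:{self.vendor}:{self.product}:{self.version}:*:*:*:*:*:*:*"


@dataclass(frozen=True)
class Advisory:
    """One vulnerability-feed entry with an affected version range."""
    cve_id: str
    vendor: str
    product: str
    first_affected: Optional[str]  # inclusive lower bound; None = every earlier version
    first_fixed: Optional[str]     # exclusive upper bound; None = no fix published yet
    cwe: str                       # the weakness class behind the CVE

    def affects(self, comp: Component) -> bool:
        """Does the advisory apply to this exact component and version?"""
        if (comp.vendor, comp.product) != (self.vendor, self.product):
            return False
        v = parse_version(comp.version)
        if self.first_affected and v < parse_version(self.first_affected):
            return False
        if self.first_fixed and v >= parse_version(self.first_fixed):
            return False
        return True


def cross_reference(bom: List[Component], feed: List[Advisory]) -> List[Tuple[str, str, str, str]]:
    """Return (cpe, cve_id, cwe, suggested_action) for every advisory that applies.

    The suggested action follows the slide's order of options: upgrade when a
    fixed version exists, otherwise patch it yourself or find an alternative.
    """
    findings = []
    for comp in bom:
        for adv in feed:
            if adv.affects(comp):
                if adv.first_fixed:
                    action = f"Upgrade to {adv.first_fixed} or later"
                else:
                    action = "No fixed release: fix it yourself or find an alternative"
                findings.append((comp.cpe(), adv.cve_id, adv.cwe, action))
    return findings


# Constructed BOM: fictitious vendors and products.
SAMPLE_BOM = [
    Component("example_vendor", "libfoo", "2.4.10"),
    Component("other_vendor", "barlib", "1.2.0"),
    Component("other_vendor", "bazkit", "0.9"),
]

# Constructed feed with placeholder CVE ids; ranges chosen to exercise each branch.
SAMPLE_FEED = [
    Advisory("CVE-0000-0001", "example_vendor", "libfoo", "2.0.0", "2.4.12", "CWE-79"),
    Advisory("CVE-0000-0002", "example_vendor", "libfoo", "2.4.12", "2.5.0", "CWE-89"),
    Advisory("CVE-0000-0003", "other_vendor", "barlib", None, None, "CWE-119"),
    Advisory("CVE-0000-0004", "other_vendor", "bazkit", "1.0", "1.1", "CWE-20"),
]


if __name__ == "__main__":
    for cpe, cve, cwe, action in cross_reference(SAMPLE_BOM, SAMPLE_FEED):
        print(f"{cpe}\n  {cve} ({cwe}): {action}")
```

Run as-is it reports two findings: libfoo 2.4.10 falls inside the first advisory's range (and outside the second, which starts at the fixed release), and barlib matches an advisory with no fix yet; bazkit 0.9 is older than the first affected version and is skipped. The numeric version comparison is the part real BOM tooling most often gets wrong, and the "first fixed" field is what turns a match into the slide's "Upgrade!" decision.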

Protecode Inc. 2014 8

Discovering Security Vulnerabilities

Protecode Inc. 2014 9

Addressing Known Security Vulnerabilities in OSS

Does it apply?

Upgrade!

Fix it yourself!

Find an alternative

Ignore and hope for the best???

Protecode Inc. 2014 10

Protecode Inc. 2014 11

Security Resources

CWE – Common Weakness Enumeration • http://cwe.mitre.org

OWASP – Open Web Application Security Project • http://www.owasp.org

PCI – Payment Card Industry Security Standards • https://www.pcisecuritystandards.org

Hack.me – Community based security learning project • https://hack.me

SAMATE – Software Assurance Metrics And Tool Evaluation • http://samate.nist.gov

Build Security In – Collaborative security effort • https://buildsecurityin.us-cert.gov

SWAMP • https://continuousassurance.org

Contact Us:

nglaude@protecode.com • http://protecode.com

arthur.hicken@parasoft.com • http://parasoft.com

Please type your questions into the chat box to the right.

Protecode Inc. 2014 12

info@protecode.com • www.protecode.com