appsec usa 2014 denver, colorado owasp a9: a year later are you still using components with known...
TRANSCRIPT
AppSec USA AppSec USA 20142014
Denver, ColoradoDenver, Colorado
OWASP A9: A Year Later
Are you still using components with known vulnerabilities?
2
Our world runs on software, and software runs on open source components. For
FOUR YEARS, we HAVE asked Those on the front lines — developers, architects, and
managers, about how they're using Open source components, and how they're balancing
the need for speed with the need for security.
3,353THIS YEAR
PEOPLE SHARED THEIR VIEWS
3
The TRUE State of OSS Security
OSS POLICIES56% have a policy
and 68% follow policies.
Top 3 challengesno enforcement/workaround are common, no security, not clear
what’s expected
PRACTICES76% don’t have meaningful
controls over what components are in their applications.
21% must prove use of secure components.
63% have incomplete view of license risk.
COMPONENTSThe Central Repository
is used by 83%.
Nexus component managers used 3-to-1 over others
84% of developers use Maven/Jar to build applications.
STATE OF THE INDUSTRYApplications are the #1 attack
vector leading to breach
13 billion open source component requests annually
11 million developers worldwide
90% of a typical application is is now open source components
46 million vulnerable open source
components downloaded annually
APP SECURITY6 in 10 don’t track
vulnerabilities over time.
77% have never banned a component.
31% suspected an open source breach.
4
Open source component use has exploded
• Source: 1Sonatype, Inc. analysis of the (Maven) Central Repository; 2IDC
13 BILLIONOpen Source software Component requests
201320122011200920082007 2010
2B1B500M 4B 6B 8B 13B
11 MILLIONdevelopers worldwide
2
1
5
...to help build your applicationsMost applications are now assembled from hundreds of open source components…often reflecting as much as 90% of an application.
...and satisfy demand.Open source helps meet accelerated development demand required for these growth drivers.
ASSEMBLED
WRITTEN
Open Source Software is essential
6
Q: Has your organization had a breach that can be attributed to a vulnerability in an open source component or dependency in the last 12 months?
Heartbleed raises awareness
7
1-in-10 had or suspected an open source related breach in the past 12 months
Not Uncommon (if you look)
8
• Q: Has your organization ever banned use of an open source component, library or project?
• Yet, 78% have never banned an open source component, library or project.
We Care (shhh don’t tell we don’t really)
9
More than 1-in-3 say their open source policy doesn’t cover security.
• Q: How does your open source policy address security vulnerabilities?
• Source: 2014 Sonatype Open Source Development and Application Security Survey
Proof is in the Pudding
10
Even when component versions are updated 4-5 times a year to fix known security, license or quality issues1.
• Q: Does someone actively monitor your components for changes in vulnerability data?
But What About Developers …
11
• Q: Does your organization maintain an inventory of open source components used in production applications?
At Least it’s Good in Production?
12
• Q: Who has responsibility for tracking & resolving newly discovered component vulnerabilities in *production* applications?
In 2013, 50% Named AppDev
In 2013, 8% Named AppSec
Which Way are the Fingers Pointing?
Are open source policies keeping our applications safe?
14
• Q: Does your organization have an open source policy?
We Don’t Need No Stinking Policy!
15
• Q: Do you actually follow your company’s open source policy?
We Have a Policy, mmm Bacon
16
Is an “Open Source Policy” more than just a document?
• Q: How well does your organization control which components are used in development projects?
Policy Without Controls Is?
17
But control is not unanimous.
• Q: Who in your organization has PRIMARY responsibility for open source policy/governance?
Don’t Worry We Got It
18
• Q: How would you characterize your developers’ interest in application security?
• Source: 2013 and 2014 Sonatype Open Source Development and Application Security Survey
But do I Care?
It’s the Applications STupid
20
• Q: When selecting components, which characteristics would be most helpful to you? (choose four)
• Source: 2014 Sonatype Open Source Development and Application Security Survey
Hey if it Works … Ship It!
21
• Q: What application security training is available to you? (multiple selections possible)
This Security Thing is Such a Drag … Bacon
22
Application development runs at Agile & DevOps speed. Is security is keeping pace?
• Q: At what point in the development process does your organization perform application security analysis? Q: (multiple selections possible)
Cleanup on Aisle 9
With Open SOURCE COMESLICENSE CONSIDERATIONS
24
Yet, licensing data is considered helpful to 67% of respondents when selecting open source components to use.
• Q: Are open source licensing risks or liabilities a top concern in your position?
You Mean Licenses Matter?
25
• Q: Does your organization/policy manage the use of components by license types? (e.g., GPL, copyleft)?
Why Yes, I Believe it Does
#1 Avoid the 7 deadly Horses of the Component Apocalypse
#1 The Virus
28
Number of Dependent Components
8781
Downloads 6,987,246
CVSS Score 6.8
MTTR 229
Unique Organizations 72,156
CVE-2011-2894Spring Framework 3.0.0 through 3.0.5, Spring Security 3.0.0 through 3.0.5 and 2.0.0 through 2.0.6, and possibly other versions deserialize objects from untrusted sources, which allows remote attackers to bypass intended security restrictions and execute untrusted code by (1) serializing a java.lang.Proxy instance and using InvocationHandler, or (2) accessing internal AOP interfaces, as demonstrated using deserialization of a DefaultListableBeanFactory instance to execute arbitrary commands via the java.lang.Runtime class.
Its Always Spring Somewhare
Life of the party
30
An App just isn’t an App without XML
Number of Dependent Components
4003
Downloads 3,797,847
CVSS 5
MTTR 867
Unique Organizations 119,569
CVE-2009-2625
XMLScanner.java in Apache Xerces2 Java, as used in Sun Java Runtime Environment (JRE) in JDK and JRE 6 before Update 15 and JDK and JRE 5.0 before Update 20, and in other products, allows remote attackers to cause a denial of service (infinite loop and application hang) via malformed XML input, as demonstrated by the Codenomicon XML fuzzing framework.
The forgotten
32
We Are Still Using That?
Number of Dependent Components
75
Downloads 324,765
CVSS 6.8
Unique Organizations 119,569
CVE-2003-1516
The org.apache.xalan.processor.XSLProcessorVersion class in Java Plug-in 1.4.2_01 allows signed and unsigned applets to share variables, which violates the Java security model and could allow remote attackers to read or write data belonging to a signed applet.
The undesirable
34
No License, No Worries
Number of Dependent Components
1164
Number of Downloads 182,145
Latest Release Date May-11-2006
Unique Organizations 8,383
jstl:1.2 java standard template library implementation
the unproven
36
I am what I say I am
Number of Dependent Components
1190
Number of Downloads 19,621
Last Release Date Jan-12-2011
Unique Organizations 1,026,964
asm:3.3.1 java bytecode analysis framework
The unproven
The one hit wonder
39
The One-Hit Wonder– represents a component has only a single release, ever.
Number of Dependent Components
305
Number of Downloads 432,468
Last Release Nov-8-2005
Unique Organizations 14,454
jakarta-regexp:1.4 regular expression parsing library
One Release … Ever!
40
WHAT Matters MOST
42
(Many were upset that bacon was not an option)
• Q: What is your favorite pizza topping?
43
• Q: What do you like to drink with your pizza?
• …and prefer beer 4-to-1 over wine.