create a unified view of your application security program – black duck hub and threadfix
TRANSCRIPT
© 2016 Denim Group – All Rights Reserved
Create a Unified View of Your Application
Security Program – Black Duck Hub and
ThreadFix
December 16th, 2016
Dan Cornell, CTO, Denim Group
Mike Pittenger, Vice President of Security Strategy, Black Duck
Agenda
• State of Application Security
• Black Duck Hub Overview
• ThreadFix Overview
• ThreadFix / Black Duck Hub Integration
• Components: Open Source and Internal
About Black Duck
• Founded 2002
• 250+ employees
• 2,000 customers
• 24 countries
• 40 of the Fortune 100
• 8 of the top 10 software companies (70 of the top 100)
• 6 of the top 8 mobile handset vendors
• 6 of the top 10 investment banks
Open Source Changed the Way Applications are Built
Chart: share of open source software versus custom and commercial code in applications, roughly 10% in 1998, 20% in 2005, 50% in 2010, and up to 90% today.
Open Source is the modern architecture
• Heartbleed (OpenSSL): introduced 2011, discovered 2014
• Ghost (GNU C Library): introduced 2000, discovered 2015
• Venom (QEMU): introduced 2004, discovered 2015
• Shellshock (Bash): introduced 1989, discovered 2014
• FREAK (OpenSSL): introduced 1990s, discovered 2015
Consequences Can Be Costly When You Can’t Control What You Can’t See
Why Aren’t We Finding These in Testing?
• Static analysis
  • Testing of source code or binaries for unknown security vulnerabilities in custom code
  • Advantages in buffer overflow, some types of SQL injection
  • Provides results in source code
• Dynamic analysis
  • Testing of compiled application in a staging environment to detect unknown security vulnerabilities in custom code
  • Advantages in injection errors, XSS
  • Provides results by URL, must be traced to source
What’s Missing?
• Automated testing finds common vulnerabilities in the code you write
• These tools are good, not perfect
• Different tools work better on different classes of bugs
• Many types of bugs are undetectable except by trained security researchers
There Are No Perfect Answers
Diagram: the set of all possible security vulnerabilities, with the overlapping subsets identifiable with static analysis and identifiable with dynamic analysis; FREAK is marked as an example that neither subset covers.
The Threat Landscape Constantly Changes
Chart: vulnerabilities disclosed per year, 2000 to 2015 (0 to 3,500 per year), comparing the National Vulnerability Database (NVD) with Black Duck Extended Vulnerability Data (EVD).
• VulnDB (Open Source Vulnerability Database)
• In 2015, over 3,000 new vulnerabilities in open source
• Since 2004, over 74,000 vulnerabilities have been disclosed by NVD
  • Of those, 63 reference automated tools
  • 50 of those are for vulnerabilities reported in the tools
  • 13 are for vulnerabilities that could be identified by a fuzzer
We Have Little Control Over How Open Source Enters The Code Base
• Developer downloads
• Outsourced development
• Third party libraries
• Code reuse
• Approved components
• Commercial apps
• Open source code
To manage open source risks you need an end-to-end approach
• INVENTORY open source components in your code
• MAP components to known vulnerabilities
• IDENTIFY license and code quality risks
• TRACK policy violations and remediation progress
• ALERT when new vulnerabilities affect your code
• Automation and policy management
• Integration with DevOps tools and processes
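The INVENTORY, MAP, TRACK and ALERT steps above are what a software composition analysis tool does in the background. The following is an added example, written for this transcript and not code from Black Duck Hub, ThreadFix, or the presenters: it reduces the loop to a version-range match over a component inventory, a policy threshold, and a diff against the previous run so that a newly disclosed advisory raises an alert even though the code did not change. The advisory list and inventory are constructed sample data built from the vulnerabilities named earlier in the deck (Heartbleed and Ghost); the severities are illustrative and the affected-version ranges should be checked against the original advisories before reuse. All names (Advisory, Finding, map_inventory, policy_violations, new_alerts) are this example's own.

```python
# Added example (not Black Duck Hub or ThreadFix code): INVENTORY -> MAP -> TRACK -> ALERT
# over an open source component list, using version-range matching against advisories.
import re
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Advisory:
    vuln_id: str             # public identifier of the vulnerability
    component: str           # normalized (lower-case) component name
    introduced: str          # first affected version (inclusive)
    fixed: Optional[str]     # first fixed version (exclusive); None means no fix yet
    severity: str            # "low", "medium", "high" or "critical"


@dataclass(frozen=True)
class Finding:
    component: str
    version: str
    advisory: Advisory


SEVERITY_RANK = {"low": 1, "medium": 2, "high": 3, "critical": 4}


def parse_version(text):
    """Turn '1.0.1f' into a comparable tuple ((0,1), (0,0), (0,1), (1,'f')).
    Numeric runs compare numerically; an OpenSSL-style letter suffix sorts after the
    bare version, so 1.0.1 < 1.0.1f < 1.0.1g < 1.0.2."""
    return tuple((0, int(t)) if t.isdigit() else (1, t)
                 for t in re.findall(r"\d+|[a-z]+", text.lower()))


def is_affected(adv, version):
    """True when version lies in [introduced, fixed)."""
    v = parse_version(version)
    if v < parse_version(adv.introduced):
        return False
    return adv.fixed is None or v < parse_version(adv.fixed)


def map_inventory(inventory, advisories):
    """MAP: pair every (name, version) in the inventory with each advisory whose
    affected range contains that version."""
    return [Finding(name, version, adv)
            for name, version in inventory
            for adv in advisories
            if adv.component == name.lower() and is_affected(adv, version)]


def policy_violations(findings, block_at="high"):
    """TRACK: findings at or above the policy threshold are build-blocking violations."""
    threshold = SEVERITY_RANK[block_at]
    return [f for f in findings if SEVERITY_RANK[f.advisory.severity] >= threshold]


def new_alerts(findings, already_known):
    """ALERT: report only findings whose (component, version, vuln_id) triple was not
    seen in the previous run; an unchanged inventory still alerts on a new advisory."""
    return [f for f in findings
            if (f.component, f.version, f.advisory.vuln_id) not in already_known]


# Constructed sample data from the deck's own examples; severities are illustrative.
ADVISORIES = [
    Advisory("CVE-2014-0160", "openssl", "1.0.1", "1.0.1g", "high"),    # Heartbleed
    Advisory("CVE-2015-0235", "glibc", "2.2", "2.18", "critical"),      # Ghost
]

# Constructed sample inventory: what the INVENTORY step would produce for one build.
INVENTORY = [("OpenSSL", "1.0.1e"), ("OpenSSL", "1.0.2"), ("glibc", "2.17"), ("zlib", "1.2.8")]


def run():
    # First scan: only Heartbleed was known when this inventory was first built.
    first = map_inventory(INVENTORY, ADVISORIES[:1])
    known = {(f.component, f.version, f.advisory.vuln_id) for f in first}
    # Later: Ghost is disclosed. The code did not change, but the risk did.
    findings = map_inventory(INVENTORY, ADVISORIES)
    return findings, policy_violations(findings, "high"), new_alerts(findings, known)


if __name__ == "__main__":
    findings, blocking, alerts = run()
    for f in findings:
        print(f"{f.component} {f.version}: {f.advisory.vuln_id} ({f.advisory.severity})")
    print(f"{len(blocking)} policy violation(s), {len(alerts)} new alert(s) since last run")
```

The version comparison is the part worth getting right in practice: a naive string compare would rank 1.0.1g above 1.0.2 and miss or invent findings, which is exactly the "can't control what you can't see" failure the deck describes.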
Key Takeaways
• Open source is here to stay (and growing)
• Open source saves development costs and accelerates time to market
• Open source security isn't covered by traditional tools
• Static analysis is good, but doesn't help with open source vulnerabilities
• Identify open source with known vulnerabilities early in the SDL
• New paradigm requires new methodologies
• Visibility into open source and continuous monitoring are required
ThreadFix Overview
• Create a consolidated view of your applications and vulnerabilities
• Prioritize application risk decisions based on data
• Translate vulnerabilities to developers in the tools they are already using
Create a consolidated view of your applications and vulnerabilities
Translate vulnerabilities to developers in the tools they are already using
ThreadFix
www.threadfix.it
Black Duck Hub
www.blackducksoftware.com
Questions and Contact
About Denim Group
Denim Group is the leading secure software development firm, serving as a trusted advisor on matters of software risk and security. Our flagship ThreadFix product accelerates the process of software vulnerability remediation, reflecting the company's understanding of what it takes to fix application vulnerabilities faster.