secure application deployment in the age of continuous delivery

Secure Application Deployment in the Age of Continuous Delivery

OPENSOURCE: Open Standards

#whoami – Tim Mackey

• Current roles: Senior Technical Evangelist; Occasional coder• Previously XenServer Community Manager

• Cool things I’ve done• Designed laser communication systems• Early designer of retail self-checkout machines• Embedded special relativity algorithms into industrial control system

• Find me• Twitter: @TimInTech ( https://twitter.com/TimInTech )• SlideShare: slideshare.net/TimMackey• LinkedIn: www.linkedin.com/in/mackeytim

https://twitter.com/TimInTech

http://www.linkedin.com/in/mackeytim

Security reality

You can only protect what you know

about.Defense in depth

matters.

Attacks are big business

In 2015, 89% of data breaches had a financial or espionage motive

Source: Verizon 2016 Data Breach Report

Attackers decide what’s valuable …

… and they have little fear.

EASY ACCESS TO SOURCE CODE

Open source ubiquity makes it ready target

OPEN SOURCE ISN’T MORE OR LESS SECURE THAN

CLOSED SOURCE – ITS JUST EASIER TO

ACCESSVULNERABILITIES ARE PUBLICIZED

EXPLOITS ARE PUBLISHED

Anatomy of a new attack

Potential Attack

Iterate

Test against platforms

Document

Don’t forget PR department

Deploy

DEVELOPER DOWNLOADS

OUTSOURCED DEVELOPMENT

THIRD PARTY LIBRARIES

CODE REUSE

APPROVED COMPONENTS

COMMERCIAL APPS

OPEN SOURCE CODE

Open source enters through many channels…

…and vulnerabilities can come with it.

CLOSED SOURCE COMMERCIAL CODE• DEDICATED SECURITY RESEARCHERS• ALERTING AND NOTIFICATION INFRASTRUCTURE• REGULAR PATCH UPDATES• DEDICATED SUPPORT TEAM WITH SLA

OPEN SOURCE CODE• “COMMUNITY”-BASED CODE ANALYSIS• MONITOR NEWSFEEDS YOURSELF• NO STANDARD PATCHING MECHANISM• ULTIMATELY, YOU ARE RESPONSIBLE

Who is responsible for code and security?

1999 2000 2001 2002 2003 2004 2005 2006 2007 2008 2009 2010 2011 2012 2013 2014 20150

500

1000

1500

2000

2500

3000

3500Open Source Vulnerabilities Reported Per Year BDS-exclusive nvd

Reference: Black Duck Software Knowledgebase, NVD

Increasing number of OSS vulnerabilities

Automated tools miss most open source vulnerabilities

Static & Dynamic Analysis Only discover common vulnerabilities

3,000+ disclosed in 2014Less than 1% found by automated tools

Undiscovered vulnerabilities are too complex and nuanced

All possible security vulnerabilities

What do these all have in common?

Heartbleed Shellshock GhostFreak Venom

Since:

Discovered:

2011

2014

1989

2014

1990’s

2015

2000

2015

2004

2015

Discovered by:

Component: OpenSSL

Riku, Antti, Matti, Mehta

Bash

Chazelas

OpenSSL

Beurdouche

GNU C library

Qualys researchers

QEMU

GeffnerAll w

ere found by researchers;

not

SAST/DAST tools

Understand application contents

Source: 2016 Open Source Security Report

Misaligned security investment

Distinct areas of risk

• Open source license compliance• Ensure project dependencies are understood

• Use of vulnerable open source components• Is component a fork or dependency?• How is component linked?

• Operational risk• Can you differentiate between “stable” and “dead”?• Is there a significant change set in your future?• API versioning• Security response process for project

Total Quality Management Philosophies

• Detect problems before product ships• Select components based on trust• Continuously identify issues and

improve• Empower employees to solve

problems• Implement the Deming Cycle• Plan for change and analyze risk• Do execute the plan in small steps• Check the results against the plan• Act on results to improve future

outcomes• Manage with facts

Software development lifecycle

Idea

Spec

Design

Code

Test

Release

Software development lifecycle – threat model

Idea

Spec

Design

Code

Test

Release

• As part of the specification and design, threat models are often created.

Software development lifecycle – static analysis

Idea

Spec

Design

Code

Test

Release

• As part of the specification and design, threat models are often created. • During code creation and

commits, static analysis is performed

Software development lifecycle – dynamic analysis

Idea

Spec

Design

Code

Test

Release

• As part of the specification and design, threat models are often created. • During code creation and

commits, static analysis is performed• Testing usually includes some

form of dynamic testing

Traditional operations release process

Deploy

Measure

ScaleMonitor

Assess

Release

Update Spec

Oops – a vulnerability is disclosed – now what?

DEVELOP SCM BUILD PACKAGE DEPLOY PRODUCTION

BUG TRACKING

REMEDIATE AND TRACK LICENSE COMPLIANCE AND SECURITY VULNERABILITIES

FULL APP SEC VISIBILITY INTEGRATION

BUILD / CI SERVERSCAN APPLICATIONS

WITH EACH BUILD VIA CI INTEGRATION

DELIVERY PIPELINESCAN APPLICATIONS AND CONTAINERS BEFORE DELIVERY

CONTINUOUS MONITORING OF VULNERABILITIES

Integrations matter …

Containers for application management

Knowledge is key. Can you keep up?

glibc

BugReported

July 2015

Vuln: CVE-2015-7547: glibc getaddrinfo stack-based buffer overflow


glibc

VulnIntroduce

d

May 2008

glibc

BugReported

July 2015

CVE-2015-7547

CVE Assigned

Feb 16-2016

Low Security RiskVuln: CVE-2015-7547: glibc getaddrinfo stack-based buffer overflow


glibc

VulnIntroduce

d

May 2008

CVE-2015-7547

CVE Assigned

Feb 16-2016

glibc

BugReported

July 2015

NationalVulnerabilityDatabase

VulnPublished

Feb 18-2016

Moderate Security RiskLow Security RiskVuln: CVE-2015-7547: glibc getaddrinfo

stack-based buffer overflow


glibc

VulnIntroduce

d

NationalVulnerabilityDatabase

VulnPublished

YouFind It

May 2008

CVE-2015-7547

CVE Assigned

Feb 16-2016 Feb 18-2016

glibc

BugReported

July 2015

Patches Available

YouFix It

Highest Security RiskModerate Security

RiskLow Security RiskVuln: CVE-2015-7547: glibc getaddrinfo stack-based buffer overflow

Source: Future of Open Source 2016 Survey

A complete solution …

Choose Open Source

Proactively choose secure, supported

open source

SELECT

InventoryOpen Source

Map ExistingVulnerabilities

Maintain accurate list of open source components

throughout the SDL

Identify vulnerabilities

during development

VERIFY

Track New Vulnerabilities

Alert newly disclosed

vulnerabilities in production

MONITORREMEDIATE

FixVulnerabilities

Tell developers how to

remediate

OVER TWO HUNDRED THIRTYE M P L O Y E E S

27USE BLACK DUCK

SOFTWARE

AWARD FOR INNOVATION

GARTNER GROUP “COOL

VENDOR”

INNOVATIVE TECHNOLOGY OF

THE YEAR - SECURITY

7 YEARS IN A ROW FOR SECURITY INNOVATION

RANKED #38 OUT OF 500 SECURITY

COMPANIES

7 YEARS IN A ROW

6 of the top 8 mobile handset vendors

7 of the top 10 SOFTWARE COMPANIES (44% OF TOP 100)

24 COUNTRIES

6 of the top 10 banks

FORTUNE 100

Black Duck Created an Industry

8,500WEBSITES

350BILLION LINES OF CODE

2,400LICENSE TYPES

1.5MILLION PROJECTS

76,000VULNERABILITIES

Comprehensive KnowledgeBase

• Largest database of open source project information in the world.

• Vulnerabilities coverage extended through partnership with Risk Based Security.

• The KnowledgeBase is essential for identifying and solving open source issues.

We need your help

Knowledge is power• Know what’s running and why• Define proactive vulnerability response process• Don’t let technology hype cycle dictate security

Invest in defense in depth models• Don’t rely on perimeter security to do heavy lifting• Do look at hypervisor & container trends in security• Make developers and ops teams part of the solution• Do embed security into deployment process

Together we can build a more secure data center

Free tools to help

• Docker Container Security Scanner• https://info.blackducksoftware.com/Security-Scan.html

• 14 Day Free Trial to Black Duck Hub• https://info.blackducksoftware.com/Demo.html

• Red Hat Atomic Host Integration (Requires Black Duck Hub)• atomic scan --scanner blackduck [container]

https://info.blackducksoftware.com/Security-Scan.html

https://info.blackducksoftware.com/Demo.html

secure application deployment in the age of continuous delivery

Government & Nonprofit