application security in the age of open source

Upload: black-duck-software

Post on 16-Apr-2017

Page 1: Application Security in the Age of Open Source

Application Security in the Age of Open Source

© Black Duck Software 2016

Page 2: Application Security in the Age of Open Source

• 7 of the top 10 Software Companies (44 of the top 100)
• 6 of the top 8 Mobile Handset Vendors
• 6 of the top 10 Investment Banks
• 24 Countries
• 240+ Employees
• 1,600 Customers
• Founded 2002

About Black Duck

Page 3: Application Security in the Age of Open Source

But security investment is often not aligned with actual risks

Page 4: Application Security in the Age of Open Source

• 1998: 10% Open Source
• 2005: 20% Open Source
• 2010: 50% Open Source
• Today: Up to 90% Open Source

Open source is the foundation of modern applications

Page 5: Application Security in the Age of Open Source

DEVELOPER DOWNLOADS

OUTSOURCED DEVELOPMENT

THIRD PARTY LIBRARIES

CODE REUSE

APPROVED COMPONENTS

COMMERCIAL APPS

OPEN SOURCE CODE

It enters your code through many channels…

…and open source vulnerabilities can come with it.

Page 6: Application Security in the Age of Open Source

Most applications contain untracked open source & vulnerabilities

Page 7: Application Security in the Age of Open Source

[Chart: open source vulnerabilities reported per year, 2000 to 2015; series: NVD and VulnDB-exclusive]

Over 30,000 open source vulnerabilities have been reported since 2000

Page 8: Application Security in the Age of Open Source

CVE-2014-0160 (Heartbleed), OpenSSL: Community Health Systems, 4.5 million patient records compromised

CVE-2013-4810, JBoss: 23,000 sites vulnerable, 200 known compromised sites

Many of these vulnerabilities have had huge impacts

Page 9: Application Security in the Age of Open Source

When vulnerabilities are discovered, it’s a race between you and hackers

Your timeline: Vuln Introduced → Vuln Discovered → National Vulnerability Database → You Find It → You FIX It

Their timeline: Exploits Published → Hackers Hack

Highest Security Risk

Page 10: Application Security in the Age of Open Source


So…who’s responsible for keeping your open source software secure?

?

Page 11: Application Security in the Age of Open Source

• Dedicated security researchers
• Security advisory notifications
• Automated patch deployment
• Support teams and SLAs

With commercial software, the vendor has your back

Page 12: Application Security in the Age of Open Source

• The “community” reports vulns
• Monitor newsfeeds yourself
• No standard patching mechanisms
• Most open source is unsupported

With open source, you have to watch your own

Page 13: Application Security in the Age of Open Source

How are most companies managing open source today?

SPORADIC VULN TRACKING
• No single responsible entity
• Labor intensive manual effort
• Unmanageable (~11 new vulns/day)

SPREADSHEET INVENTORY
• Requires consistent developer input
• Difficult to maintain
• Not a full/accurate list of actual usage

PERIODIC VULN SCANNING
• Monthly/quarterly vulnerability assessments (with Nessus, Nexpose, etc.)
• Difficult to scale
• Limited insight into open source vulns

MANUAL DISCOVERY
• Cumbersome processes
• Occurs at end of SDLC
• High effort and low accuracy
• No ongoing controls

#FAIL

Page 14: Application Security in the Age of Open Source

• Heartbleed: OpenSSL, Introduced: 2011, Discovered: 2014
• Ghost: GNU C Library, Introduced: 2000, Discovered: 2015
• Venom: QEMU, Introduced: 2004, Discovered: 2015
• Shellshock: Bash, Introduced: 1989, Discovered: 2014
• FREAK: OpenSSL, Introduced: 1990's, Discovered: 2015

What do these vulnerabilities have in common?

All were found by security researchers – not SAST / DAST tools.

Page 15: Application Security in the Age of Open Source

Fact: SAST & DAST tools miss open source vulnerabilities

Automated SAST/DAST tools are good at finding vulnerabilities in the code written by your developers.

But most open source vulnerabilities are too complex and too deep in the code to be found by automated SAST/DAST tools.

Page 16: Application Security in the Age of Open Source

To manage open source risks you need an end-to-end approach

• INVENTORY Open Source Components in Your Code
• MAP Components to Known Vulnerabilities
• IDENTIFY License & Code Quality Risks
• TRACK Policy Violations & Remediation Progress
• ALERT When New Vulnerabilities Affect Your Code

Automation and policy management

Integration with DevOps tools and processes
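The INVENTORY, MAP and ALERT steps above (and the "race" timeline of slide 9) reduce to a concrete mechanism: compare each inventoried component version against the affected ranges in an advisory feed, then diff the findings against what was already known. The following is an added illustration, not Black Duck Hub code. The inventory and the `EXAMPLE-0001` advisory are constructed; only CVE-2014-0160 and its OpenSSL 1.0.1 to 1.0.1f range are real.

```python
import re

# Constructed inventory, as a component scan of a build might produce it.
INVENTORY = [("openssl", "1.0.1e"), ("openssl", "1.0.1g"),
             ("zlib", "1.2.8"), ("bash", "4.3")]

# Constructed advisory feed. CVE-2014-0160 (Heartbleed) really affects
# OpenSSL 1.0.1 through 1.0.1f; EXAMPLE-0001 is a placeholder record.
ADVISORIES = [
    {"id": "CVE-2014-0160", "component": "openssl", "min": "1.0.1", "max": "1.0.1f"},
    {"id": "EXAMPLE-0001", "component": "bash", "min": "4.0", "max": "4.3"},
]

def version_key(v):
    """Turn '1.0.1f' into (1, 0, 1, 0, 'f') so versions sort in release order.
    Numeric parts are padded to four so tuples of different length compare."""
    m = re.fullmatch(r"(\d+(?:\.\d+)*)([a-z]?)", v.strip())
    if not m:
        raise ValueError(f"unparseable version: {v!r}")
    nums = tuple(int(p) for p in m.group(1).split("."))
    nums = nums + (0,) * (4 - len(nums))
    return nums + (m.group(2),)

def affected(version, advisory):
    """True when version lies inside the advisory's inclusive affected range."""
    k = version_key(version)
    return version_key(advisory["min"]) <= k <= version_key(advisory["max"])

def map_inventory(inventory, advisories):
    """MAP step: every (component, version, advisory id) hit, in inventory order."""
    findings = []
    for comp, ver in inventory:
        for adv in advisories:
            if adv["component"] == comp and affected(ver, adv):
                findings.append((comp, ver, adv["id"]))
    return findings

def new_alerts(known_ids, inventory, advisories):
    """ALERT step: hits whose advisory id was not already tracked, i.e. the
    findings that shorten the window before 'You FIX It'."""
    return [f for f in map_inventory(inventory, advisories) if f[2] not in known_ids]

if __name__ == "__main__":
    for comp, ver, cve in map_inventory(INVENTORY, ADVISORIES):
        print(f"{comp} {ver} is affected by {cve}")
    print("new since last run:", new_alerts({"CVE-2014-0160"}, INVENTORY, ADVISORIES))
```

Note that openssl 1.0.1g (the Heartbleed fix release) is correctly not flagged, while 1.0.1e is; a real feed would also need to express multiple affected ranges and vendor backports, which this example does not.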

Page 17: Application Security in the Age of Open Source


No one tool does it all

Static Application Security Testing

• Analyzes source code

• Finds unknown vulns

  • SQL injection

  • Cross-site scripting

  • Buffer overflows, etc.

Good for custom code

Dynamic Application Security Testing

• Tests running apps

• Finds configuration, authentication, and other session defects

• Usually HTTP/API testing only

Good for finished apps

Open Source Vuln Management

• Scans for open source components

• Finds known vulns

• Monitors for new vulns

Best for OSS vulns

Page 18: Application Security in the Age of Open Source

• Is there a list of open source in use?

• How do they create and maintain it?

• What open source policies exist?

• How do they enforce them?

• Do they track open source vulnerabilities?

• Are they prepared for the next Heartbleed?

Talk with your head of application development

Page 19: Application Security in the Age of Open Source

Find all open source in your apps & containers

Map open source to known vulnerabilities

Identify open source license risks

Manage policies and remediation activities

Get alerts for newly reported vulnerabilities

Integrate with your agile development tools

Secure & Manage Open Source with Black Duck Hub

Page 20: Application Security in the Age of Open Source

Know Your Code®