stranger danger: securing third party components (tech2020)
TRANSCRIPT
snyk.io
Stranger Danger
Guy Podjarny, Snyk
@guypod
Open Source Is Awesome
Share Your Work
Reuse What Others Built
Focus on Creating Your Own New Thing
Open Source Usage Has Exploded
78% of Enterprises use Open Source
Is Security a Concern When Adopting OSS?
Number 1 concern: 13%
Number 2 concern: 29%
Number 3 concern: 21%
(Total: 63%)
Source: Wipro
Open Source != Closely Inspected
Open Source != Secure
Open Source != Insecure Either!
Heartbleed
Shellshock
Logjam
Open Source is Less Tested For Security
OS project owners not aware of / budgeted for security
OS consumers not engaged with / aware of the code
Attackers Are Targeting Open Source
One vulnerability, many victims
How Do We Consume OSS?
2000: Select Open Source Providers
Apache, Linux, IBM, OpenSSL…
2015: Open Source Marketplaces
Everybody is a provider
Ubuntu apt: ~54,000 packages
(trusty/LTS 14)
Docker Hub: ~150,000 repos
~150M pulls (to-date)
Node.js npm: ~250,000 packages
~10M downloads/day
Your App
Your Code
Your App
Each Dependency Is A Security Risk
Do You Know Which Dependencies
You Have?
Do you know, for EVERY SINGLE DEPENDENCY
if its developers have any
Security Expertise?
Do you know, for EVERY SINGLE DEPENDENCY
if it went through any
Security Testing?
Do you know, for EVERY SINGLE DEPENDENCY
if it has
Known Vulnerabilities?
~30% of Docker Hub images carry Known Vulnerabilities
High priority known vulnerabilities, to be exact
Source: BanyanOps Analysis
~14% of npm Packages Carry Known Vulnerabilities
~80% of Snyk users found vulns in their apps
Source: Snyk data, Mar 2016
~59% of Reported Vulnerabilities in Maven Packages Remain Unfixed
Mean Time to Repair: 390 days
MTTR for CVSS 10: 265 days
Source: Josh Corman & Dan Geer
Do You Have Known Vulnerabilities In Your Code?
Do you even know?
What Can You Do?
Not Use Third Parties
Third Party Binaries
Third Party Code
1. Track & Update Your Dep’s
Tracking Outdated Binaries
Aptitude-based (Ubuntu, Debian, etc): dpkg -l
RPM-based (Fedora, RHEL, etc): rpm -qa
pkg*-based (OpenBSD, FreeBSD, etc): pkg_info
Portage-based (Gentoo, etc): equery list or eix -I
pacman-based (Arch Linux, etc): pacman -Q
Cygwin: cygcheck --check-setup --dump-only *
Slackware: slapt-get --installed
http://unix.stackexchange.com/questions/20979/how-do-i-list-all-installed-programs
Track Outdated Code (command line)
Node/Ruby: npm outdated / bundle outdated
Python: pip list --outdated
Java: Maven Dep's Plugin
Track Outdated Code (SaaS)
GreenKeeper (Node.js)
Gemnasium (Ruby)
Requires.io (Python)
Libraries.io (all)
1. Know What You’re Using
2. Drop What You Don’t Need
Find Unused Binaries (sort by last use date)
Ubuntu: UnusedPkg
Fedora: rpmusage
Find Unused Code (show unreferenced packages)
Node.js: depcheck
Ruby: gem stale
Java: Maven Dep's Plugin
1. Know What You’re Using
2. Drop What You Don’t Need
3. Find & Fix Current Vulns
Find Known Vulnerabilities in Binaries
(by checking security updates)
Ubuntu: usn, Auto Sec Updates
Fedora: yum security, Auto Sec Updates
Find Known Vulnerabilities in Code
(Looking in vuln DB, upgrade to fix)
Client Side JS: RetireJS
Ruby: rubysec
Java: OWASP Dep's Check
Find & Fix Known Vulnerabilities
in npm dep’s
To Fix, Upgrade
Could be hard for indirect dependencies
Can’t Upgrade? You can:
- Drop The Dependency
- Apply a security patch
- Prevent Exploits via WAF rules
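As an added example (not from the talk and not Snyk's tooling), the Python script below walks a constructed lockfile-style dependency tree, matches installed versions against a constructed advisory list, and for each hit reports whether the vulnerable package is a direct dependency (upgrade it yourself) or an indirect one (you must wait for, or replace, the direct dependency that pulls it in). All package names, versions and advisories are constructed sample data.

```python
from typing import Dict, List, Tuple

DIRECT = {"express", "lodash"}  # constructed: what package.json itself lists
LOCKFILE = {"dependencies": {  # constructed installed tree and what each package requires
    "express": {"version": "4.13.3", "requires": {"qs": "4.0.0", "debug": "2.2.0"}},
    "qs": {"version": "4.0.0"},
    "debug": {"version": "2.2.0", "requires": {"ms": "0.7.1"}},
    "ms": {"version": "0.7.1"},
    "lodash": {"version": "3.10.1"},
}}
# Constructed advisory list (not real advisories): versions below fixed_in are affected.
ADVISORIES = [
    {"package": "qs", "fixed_in": "6.0.4", "title": "constructed advisory A"},
    {"package": "ms", "fixed_in": "0.7.2", "title": "constructed advisory B"},
    {"package": "lodash", "fixed_in": "4.17.0", "title": "constructed advisory C"},
]

def parse_version(v: str) -> Tuple[int, ...]:
    """'4.13.3' -> (4, 13, 3); enough for the plain dotted versions used here."""
    return tuple(int(part) for part in v.split("."))

def dependency_paths(lock: dict, direct: set) -> Dict[str, List[List[str]]]:
    """Map each installed package to the chain(s) of packages that pull it in."""
    deps = lock["dependencies"]
    paths: Dict[str, List[List[str]]] = {}
    stack = [[name] for name in sorted(direct)]  # direct deps get a one-element chain
    while stack:
        chain = stack.pop()
        paths.setdefault(chain[-1], []).append(chain)
        for child in deps.get(chain[-1], {}).get("requires", {}):
            if child not in chain:  # cycle guard
                stack.append(chain + [child])
    return paths

def audit(lock: dict, direct: set, advisories: list) -> List[dict]:
    """One finding per installed package whose version is below the fix."""
    deps, paths, findings = lock["dependencies"], dependency_paths(lock, direct), []
    for adv in advisories:
        pkg = adv["package"]
        if pkg in deps and parse_version(deps[pkg]["version"]) < parse_version(adv["fixed_in"]):
            chain = min(paths.get(pkg, [[pkg]]), key=len)  # shortest route into the tree
            findings.append({"package": pkg, "version": deps[pkg]["version"],
                             "title": adv["title"], "fix": ">=" + adv["fixed_in"],
                             "direct": pkg in direct, "via": " > ".join(chain)})
    return findings

if __name__ == "__main__":
    for f in audit(LOCKFILE, DIRECT, ADVISORIES):
        how = "direct, bump it" if f["direct"] else "indirect, upgrade " + f["via"].split(" > ")[0]
        print(f"{f['package']}@{f['version']}: {f['title']}, fix {f['fix']} via {f['via']} ({how})")
```

Re-running the same audit against a refreshed advisory list is the "monitor for new vulns" step: the tree has not changed, but the matches may have.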
Test for Known Vulnerabilities in Build (CI) & Deploys (CD)
1. Know What You’re Using
2. Drop What You Don’t Need
3. Find & Fix Current Vulns
4. Monitor For New Vulns
Newly Disclosed Vulnerabilities Are Found On Old Code
Register to Security Alerts
Platform Specific: Ubuntu, Node.js, OpenSSL (your vendor sec list)
Broad Lists: US-CERT, NVD, OSVDB
1. Know What You’re Using
2. Drop What You Don’t Need
3. Find & Fix Current Vulns
4. Monitor For New Vulns
5. Stay Alert
The Risk Doesn’t End with Known Vulnerabilities
Your Code
Your App
npm has 65,000+ publishers
Do you know, for EVERY SINGLE CONTRIBUTOR
if they’ve been…
Compromised?
Developers are targeted as a Distribution Channel
Ex: iOS Malware via Xcode Ghost
Do you know, for EVERY SINGLE CONTRIBUTOR
if they are…
MALICIOUS?
Open Source Maintenance is… complicated.
If one component was evil, Would you know?
Isolate each system
Use low-privilege users
Monitor Outbound Communication
Don’t Trust Your Own App
To the extent you can…
Stay Alert
1. Know What You’re Using
2. Drop What You Don’t Need
3. Find & Fix Current Vulns
4. Monitor For New Vulns
5. Stay Alert
Open Source Is Awesome
Open Source Is Awesome
Please Enjoy Responsibly
Questions? Guy Podjarny, Snyk
@guypod