Tackling the Risks of
Open Source Security
Elad Tzur, Channel Director EMEA & APAC at WhiteSource
Case Study – Equifax
Data Breach – Sequence of Events
Enough Time to Respond
• Time Equifax had to patch: about 8-9 weeks
• Attack period: about 10 weeks
• Time between detection and notice: about 6 weeks
Incident Aftermath
• Equifax admitted the thieves stole personal and sensitive data
• The data taken affected as many as 143 million people, roughly half of US population
• The breach is labelled as the largest & worst corporate data breach in history
Impact on Equifax
Stock Still Didn’t Rebound: Down 24.3%, Worth $4.17B in Market Cap
Apache Struts Adoption Statistics (According to WhiteSource Research)
• 58% are using Struts (any version)
• 20% are exposed to the 2 specific Equifax CVEs
• Organizations on the latest (patched) Struts version: 1.3%
4 Things Every CISO Needs To Know About Open Source Security
01 Open Source Risk Is On The Rise
02 OSS Security vs. Proprietary Code Security
03 Efficiency & Noise Reduction
04 Shift Left & Delegate Security Responsibilities
01 Open Source Risk Is On The Rise
Security Spending Is Expected To Reach $96 Billion in 2018, But…
[Chart: security spending by area – Application, Endpoint, Network, Servers, Data]
Are You Investing Enough in AppSec?
[Chart: Gaps in Security Risks and the Allocation of Spending – The Level of Risk (# of Breaches Multiplied By Severity) vs. The Level of Annual Spending (Investment) in IT Security, by category: Application, Endpoints, Networks, Data, Servers; series: Risk Level, Annual Spending %; y-axis 0%–40%]
Source: Ponemon Institute: The Increasing Risk to Enterprise Applications
Open Source Components Account For 60%-80% Of The Average Software Product
• 1998: 5%-10% open source code
• 2008: 30%-50% open source code
• 2018: 60%-80% open source code
(The remainder in each year is proprietary code)
Source: North Bridge Future Of Open Source Survey
Number Of New CVEs Discovered More Than Doubled YoY in 2017
[Chart: # of Vulnerabilities per year, 1999–2017; y-axis 0–16,000]
Source: Common Vulnerabilities and Exposures
02 OSS Security vs. Proprietary Code Security
Open Source Security is a Different Game
Why is it so different than protecting your proprietary code?
Nature of Findings
  Proprietary vulnerabilities: Potential or suspected vulnerabilities (SAST & DAST)
  Open source vulnerabilities: Known & validated vulnerabilities (number of CVEs more than doubled in 2017)
What Do Hackers Know?
  Proprietary vulnerabilities: No public information available
  Open source vulnerabilities: All information is publicly available
How to Fix?
  Proprietary vulnerabilities: Need to analyze and come up with a fix
  Open source vulnerabilities: Fix suggestions are available (87% of OSS vulnerabilities have a fix)
When to Scan?
  Proprietary vulnerabilities: Typically post coding
  Open source vulnerabilities: Continuous monitoring (incl. post release)
03 Efficiency & Noise Reduction
On average, 70%* of reported security vulnerabilities in open source libraries are not referenced by the developers’ code.
Effective vs Ineffective
[Chart: Open Source Code – 70% Ineffective, 30% Effective]
* Based on preliminary research by WhiteSource
04 Shift Left & Delegate Security Responsibilities
Automate Security Tools To Improve Coverage While Reducing Friction
[Diagram: Security – DevOps – Developers]
Detect Issues As Early As Possible
The cost of fixing security and quality issues is rising significantly as the development cycle advances.
• Coding: $80/Defect
• Build: $240/Defect
• QA & Security: $960/Defect
• Production: $7,600/Defect
Cost of fixing issues reduced by 90% when detected in the build vs post release
Source: Ponemon Institute Research
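The following is an added example, not WhiteSource's code and not from the deck, of what a build-stage open source check does in practice: it matches declared dependency versions against a database of known CVEs (the "known & validated" findings of the open source column above), marks each match effective or ineffective by asking whether the application's own code can reach the vulnerable library function (the 70%/30% split), and fails the build only on effective findings at or above a severity threshold so the issue surfaces at the $240 build stage rather than in production. The dependency manifest, call graph, package and function names, the two CVE-0000-… identifiers and all severity scores are constructed; CVE-2017-5638 is the deck's own identifier, and the affected-version range attached to it here is an assumption standing in for a real advisory feed.

```python
"""Build-time open source risk gate (added example, not WhiteSource code).

Three steps: (1) known-CVE lookup by package and version range,
(2) effective/ineffective classification by call-graph reachability,
(3) a pass/fail verdict the build system can act on.
All data below is constructed for illustration.
"""
from collections import deque
from dataclasses import dataclass


@dataclass(frozen=True)
class Vuln:
    cve: str
    package: str
    introduced: str   # first affected version (inclusive)
    fixed: str        # first fixed version (exclusive upper bound)
    entry: str        # library function whose use triggers the flaw
    severity: float   # CVSS-style score, constructed


def parse_version(v: str) -> tuple:
    """'2.3.31' -> (2, 3, 31): compare numerically, never lexically ('2.3.9' > '2.3.31' as strings)."""
    return tuple(int(p) for p in v.split("."))


def affected(version: str, vuln: Vuln) -> bool:
    """True when introduced <= version < fixed."""
    v = parse_version(version)
    return parse_version(vuln.introduced) <= v < parse_version(vuln.fixed)


def match_known_vulns(manifest: dict, db: list) -> list:
    """Known-CVE lookup: for open source this is a database match, not SAST/DAST guesswork."""
    return [v for v in db if v.package in manifest and affected(manifest[v.package], v)]


def reachable(call_graph: dict, roots: list, target: str) -> bool:
    """BFS from the application's entry points; True if the target function is ever called."""
    seen, queue = set(roots), deque(roots)
    while queue:
        fn = queue.popleft()
        if fn == target:
            return True
        for callee in call_graph.get(fn, ()):
            if callee not in seen:
                seen.add(callee)
                queue.append(callee)
    return False


def classify(findings: list, call_graph: dict, roots: list) -> dict:
    """Effective = the developer's code reaches the vulnerable function; otherwise ineffective (noise)."""
    return {v.cve: ("effective" if reachable(call_graph, roots, v.entry) else "ineffective")
            for v in findings}


def build_gate(manifest: dict, db: list, call_graph: dict, roots: list, threshold: float = 7.0) -> dict:
    """Fail the build only on effective findings at or above the severity threshold."""
    findings = match_known_vulns(manifest, db)
    status = classify(findings, call_graph, roots)
    blocking = sorted(v.cve for v in findings
                      if status[v.cve] == "effective" and v.severity >= threshold)
    ineffective = sum(1 for s in status.values() if s == "ineffective")
    return {"findings": status, "ineffective": ineffective,
            "blocking": blocking, "passed": not blocking}


# Constructed vulnerability records. CVE-2017-5638 is the deck's identifier; the 2.3.x range
# given here is an assumption for illustration, not a substitute for the advisory feed.
VULN_DB = [
    Vuln("CVE-2017-5638", "struts2-core", "2.3.5", "2.3.32", "struts2-core:multipart.parse", 10.0),
    Vuln("CVE-0000-0001", "example-json", "1.0.0", "1.5.0", "example-json:deserialize_untrusted", 9.8),
    Vuln("CVE-0000-0002", "example-log", "3.0.0", "3.3.0", "example-log:expand", 4.3),
]

# Constructed dependency manifest (package -> resolved version) and application call graph.
MANIFEST = {"struts2-core": "2.3.31", "example-json": "1.4.0", "example-log": "3.2.1"}
CALL_GRAPH = {
    "app.main": ["app.handle_upload", "app.render"],
    "app.handle_upload": ["struts2-core:multipart.parse"],   # reaches the critical flaw
    "app.render": ["example-log:format"],
    "example-log:format": ["example-log:expand"],            # reaches the low-severity flaw
    # example-json:deserialize_untrusted is never called: a match, but ineffective
}
ROOTS = ["app.main"]


if __name__ == "__main__":
    result = build_gate(MANIFEST, VULN_DB, CALL_GRAPH, ROOTS)
    for cve, status in result["findings"].items():
        print(f"{cve}: {status}")
    print("blocking:", result["blocking"], "| build passed:", result["passed"])
    # Upgrading the one effective critical dependency is enough to pass the gate.
    patched = dict(MANIFEST, **{"struts2-core": "2.3.32"})
    print("after upgrade, build passed:", build_gate(patched, VULN_DB, CALL_GRAPH, ROOTS)["passed"])
```

Run as-is, the gate blocks the build on CVE-2017-5638 alone: the constructed CVE-0000-0001 is as severe but unreachable, so it is reported as noise rather than as a blocker, and CVE-0000-0002 is reachable but below the threshold. The reachability check here is a plain call-graph walk; a production tool derives that graph from the build artifact itself, and the severity threshold is a policy decision that belongs with security, while the fix (a version bump) is delegated to the developer who owns the manifest.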
WhiteSource | At a Glance
• Founded 2011
• ISO 27001 Certified
• Offices: New York, Boston, London, Tel Aviv
• 300% Growth for 3 Consecutive Years
• Over 400 Customers Worldwide
• Over 3 OEMs
• Scores Strongest Current Offering in Forrester's Wave Report
• Portfolio Company
WhiteSource Scores Strongest Offering by Forrester®
“WhiteSource Software offers strong support for proactive vulnerability management, policy management and SDLC integration”
Source: The Forrester Wave™: Software Composition Analysis (SCA) Q1 2017
Some of Our Customers
Summary – Open Source Security
Reality: CVE-2017-5638 is just one example. Thousands of vulnerabilities are found in OSS yearly.
Good News: The OSS community is great at identifying security issues & patching quickly – just like in the Equifax case.
Problem: OSS consumers, i.e. developers or app security personnel, are slow to react.
Solution: Must be a combination of technology and a mindset shift.
Q&A Session
THANK YOU