Aliens in Your Apps! Are You Using Components With Known Vulnerabilities?

ALIENS IN YOUR APPS? Are you using components with known vulnerabilities? October 22, 2014 – All Things Open Ryan Berg, CSO, Sonatype

Upload: sonatype

Post on 14-Jun-2015


DESCRIPTION

This presentation was given by Ryan Berg, Sonatype CSO, at the All Things Open conference in Raleigh, NC. We all know that Open Source brings speed, innovation, cost savings and more to our development efforts. It also brings risk. Bash, Heartbleed, Struts – anyone? Join this session to hear the latest research on the most risky open source component types – the alien invaders hiding in your software. And learn best practices to manage your risk based on the 11,000 people who shared their experiences in the 4-year industry-wide study on open source development and application security. Among the surprising results…

- 1-in-3 organizations had or suspected an open source breach in the last 12 months
- Only 16% of participants must prove they are not using components with known vulnerabilities
- 64% don’t track changes in open source vulnerability data

TRANSCRIPT

Page 1: ALIENS IN YOUR APPS? Are you using components with known vulnerabilities?

October 22, 2014 – All Things Open
Ryan Berg, CSO, Sonatype

Page 2

Page 3

www.Sonatype.com/RiskAssessments

Page 4

Our world runs on software, and software runs on open source components. For four years, we have asked those on the front lines (developers, architects, and managers) about how they're using open source components, and how they're balancing the need for speed with the need for security.

3,353 people shared their views this year.

Page 5: The TRUE State of OSS Security

OSS POLICIES
- 56% have a policy, and 68% follow policies.
- Top 3 challenges: no enforcement / workarounds are common; no security; not clear what’s expected.

PRACTICES
- 76% don’t have meaningful controls over what components are in their applications.
- 21% must prove use of secure components.
- 63% have an incomplete view of license risk.

COMPONENTS
- The Central Repository is used by 83%.
- Nexus component managers are used 3-to-1 over others.
- 84% of developers use Maven/Jar to build applications.

STATE OF THE INDUSTRY
- Applications are the #1 attack vector leading to breach.
- 13 billion open source component requests annually.
- 11 million developers worldwide.
- 90% of a typical application is now open source components.
- 46 million vulnerable open source components downloaded annually.

APP SECURITY
- 6 in 10 don’t track vulnerabilities over time.
- 77% have never banned a component.
- 31% suspected an open source breach.

Page 6: Open source component use has exploded

(Chart: open source software component requests per year, 2007 through 2013; values shown on the chart: 500M, 1B, 2B, 4B, 6B, 8B, 13B.)

13 BILLION open source software component requests (1)

11 MILLION developers worldwide (2)

Source: (1) Sonatype, Inc. analysis of the (Maven) Central Repository; (2) IDC

Page 7: Open Source Software is essential

ASSEMBLED vs. WRITTEN

...to help build your applications: Most applications are now assembled from hundreds of open source components, often reflecting as much as 90% of an application.

...and satisfy demand: Open source helps meet the accelerated development demand required for these growth drivers.

Page 8: Heartbleed raises awareness

Q: Has your organization had a breach that can be attributed to a vulnerability in an open source component or dependency in the last 12 months?

Page 9: Not uncommon (if you look)

1-in-10 had or suspected an open source related breach in the past 12 months.

Page 10: We care (shhh, don’t tell: we don’t really)

Q: Has your organization ever banned use of an open source component, library or project?

Page 11: Proof is in the pudding

More than 1-in-3 say their open source policy doesn’t cover security.

Q: How does your open source policy address security vulnerabilities?

Source: 2014 Sonatype Open Source Development and Application Security Survey

Page 12: But what about developers …

Even when component versions are updated 4-5 times a year to fix known security, license or quality issues …

Q: Does someone actively monitor your components for changes in vulnerability data?

Page 13: At least it’s good in production?

Q: Does your organization maintain an inventory of open source components used in production applications?

Page 14: Which way are the fingers pointing?

Q: Who has responsibility for tracking & resolving newly discovered component vulnerabilities in *production* applications?

In 2013, 50% named AppDev.

In 2013, 8% named AppSec.

Page 15: ARE OPEN SOURCE POLICIES KEEPING OUR APPLICATIONS SAFE?

Page 16: We don’t need no stinking policy!

Q: Does your organization have an open source policy?

Page 17: We have a policy, mmm bacon

Q: Do you actually follow your company’s open source policy?

Page 18: Policy without controls is?

Is an “Open Source Policy” more than just a document?

Q: How well does your organization control which components are used in development projects?

Page 19: Don’t worry, we got it

But control is not unanimous.

Q: Who in your organization has PRIMARY responsibility for open source policy/governance?

Page 20: But do I care?

Q: How would you characterize your developers’ interest in application security?

Source: 2013 and 2014 Sonatype Open Source Development and Application Security Survey

Page 21: It’s the Applications, Stupid

Page 22: Hey, if it works … ship it!

Q: When selecting components, which characteristics would be most helpful to you? (choose four)

Source: 2014 Sonatype Open Source Development and Application Security Survey

Page 23: This security thing is such a drag … Bacon

Q: What application security training is available to you? (multiple selections possible)

Page 24: Cleanup on Aisle 9, Cleanup on Aisle 9

AppDev runs at Agile & DevOps speed. Is security keeping pace?

Q: At what point in the development process does your organization perform application security analysis? (multiple selections possible)

Page 25: With Open Source Come License Considerations

Page 26: You mean licenses matter?

Yet licensing data is considered helpful by 67% of respondents when selecting open source components to use.

Q: Are open source licensing risks or liabilities a top concern in your position?

Page 27: Why yes, I believe it does

Q: Does your organization/policy manage the use of components by license type (e.g., GPL, copyleft)?

Page 28: Defend Your Software Against Common Vulnerability Types (tongue in cheek)

Page 29: #1 THE INFECTOR

A vulnerable component that many other components depend upon.

Page 30: It’s always Spring somewhere

Number of Dependent Components: 8781
Downloads: 6,987,246
CVSS Score: 6.8
MTTR: 229
Unique Organizations: 72,156

CVE-2011-2894: Spring Framework 3.0.0 through 3.0.5, Spring Security 3.0.0 through 3.0.5 and 2.0.0 through 2.0.6, and possibly other versions deserialize objects from untrusted sources, which allows remote attackers to bypass intended security restrictions and execute untrusted code by (1) serializing a java.lang.Proxy instance and using InvocationHandler, or (2) accessing internal AOP interfaces, as demonstrated using deserialization of a DefaultListableBeanFactory instance to execute arbitrary commands via the java.lang.Runtime class.

Page 31: #2 THE IMPOSTOR

A vulnerable component that is also very popular.

Page 32: An App just isn’t an App without XML

Number of Dependent Components: 4003
Downloads: 3,797,847
CVSS: 5
MTTR: 867
Unique Organizations: 119,569

CVE-2009-2625: XMLScanner.java in Apache Xerces2 Java, as used in Sun Java Runtime Environment (JRE) in JDK and JRE 6 before Update 15 and JDK and JRE 5.0 before Update 20, and in other products, allows remote attackers to cause a denial of service (infinite loop and application hang) via malformed XML input, as demonstrated by the Codenomicon XML fuzzing framework.

Page 33: #3 THE FORGOTTEN

A vulnerable component with a security vulnerability from many years ago.

Page 34: We are still using that?

Number of Dependent Components: 75
Downloads: 324,765
CVSS: 6.8
Unique Organizations: 119,569

CVE-2003-1516: The org.apache.xalan.processor.XSLProcessorVersion class in Java Plug-in 1.4.2_01 allows signed and unsigned applets to share variables, which violates the Java security model and could allow remote attackers to read or write data belonging to a signed applet.

Page 35: #4 THE UNDESIRABLE

A popular component with neither a declared nor an observable license.

Page 36: No license, no worries

Number of Dependent Components: 1164
Number of Downloads: 182,145
Latest Release Date: May-11-2006
Unique Organizations: 8,383

jstl:1.2 – Java standard template library implementation

Page 37: #5 THE UNPROVEN

A popular component with a declared license but no proof of source.

Page 38: I am what I say I am

Number of Dependent Components: 1190
Number of Downloads: 19,621
Last Release Date: Jan-12-2011
Unique Organizations: 1,026,964

asm:3.3.1 – Java bytecode analysis framework

Page 39: #6 THE LIVING DEAD

A popular component that hasn’t been updated in more than 5 years.

Page 40: One release … Ever!

Number of Dependent Components: 305
Number of Downloads: 432,468
Last Release: Nov-8-2005
Unique Organizations: 14,454

jakarta-regexp:1.4 – regular expression parsing library
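The six alien types above are, in effect, policy rules over the metrics each slide lists (dependents, downloads, unique organizations, last release date, license, provenance, known CVEs), and slides 12 and 13 ask whether anyone keeps an inventory and watches it. The script below is an added example, not code from the deck or from Sonatype's products: it encodes the six rules as a triage function and runs it over a constructed inventory whose metrics are the ones quoted on slides 30 through 40. Everything else is an assumption made for the example: the thresholds for "many" and "popular", the reference date (the date of the talk), the artifact coordinates and release dates on the three CVE rows (the slides name the project and CVE, not the exact artifact), and the small dependency graph used to show that the Infector is usually pulled in transitively rather than declared by the application itself.

```python
"""Triage an open source component inventory into the six "alien" types from the
slides: Infector, Impostor, Forgotten, Undesirable, Unproven, Living Dead.

Added example, not the deck's or Sonatype's code. Thresholds, reference date,
dependency graph and the coordinates/release dates of the CVE rows are assumptions.
"""
from __future__ import annotations

from dataclasses import dataclass, field
from datetime import date


@dataclass
class Vuln:
    cve: str
    cvss: float

    @property
    def year(self) -> int:
        # Publication year read from the id (CVE-YYYY-NNNN); a real pipeline
        # would take this from the vulnerability feed instead.
        return int(self.cve.split("-")[1])


@dataclass
class Component:
    name: str                      # artifact:version
    dependents: int                # other components that depend on this one
    downloads: int
    unique_orgs: int
    last_release: date
    declared_license: str | None   # license stated in the POM / metadata
    observed_license: bool         # license text actually found in the artifact
    source_verified: bool          # artifact traceable to a tagged upstream source
    vulns: list[Vuln] = field(default_factory=list)


# Assumed policy thresholds (not from the slides); tune to your own risk appetite.
MANY_DEPENDENTS = 1_000
POPULAR_DOWNLOADS = 100_000
POPULAR_ORGS = 10_000
OLD_VULN_YEARS = 10          # "many years ago"
STALE_YEARS = 5              # the slide says "more than 5 years"
REFERENCE_DATE = date(2014, 10, 22)   # date of the talk


def classify(c: Component, today: date = REFERENCE_DATE) -> list[str]:
    """Every alien type that applies to one component (a component can be several)."""
    tags: list[str] = []
    vulnerable = bool(c.vulns)
    popular = c.downloads >= POPULAR_DOWNLOADS or c.unique_orgs >= POPULAR_ORGS
    if vulnerable and c.dependents >= MANY_DEPENDENTS:
        tags.append("INFECTOR")
    if vulnerable and popular:
        tags.append("IMPOSTOR")
    if any(today.year - v.year >= OLD_VULN_YEARS for v in c.vulns):
        tags.append("FORGOTTEN")
    if popular and c.declared_license is None and not c.observed_license:
        tags.append("UNDESIRABLE")
    if popular and c.declared_license is not None and not c.source_verified:
        tags.append("UNPROVEN")
    if popular and (today - c.last_release).days > STALE_YEARS * 365:
        tags.append("LIVING DEAD")
    return tags


def reachable(direct_deps: list[str], depends_on: dict[str, list[str]]) -> set[str]:
    """Transitive closure of what the application ships; the Infector is rarely
    a direct dependency, it arrives several levels down."""
    seen: set[str] = set()
    stack = list(direct_deps)
    while stack:
        name = stack.pop()
        if name not in seen:
            seen.add(name)
            stack.extend(depends_on.get(name, []))
    return seen


def triage(inventory: list[Component], direct_deps: list[str],
           depends_on: dict[str, list[str]], today: date = REFERENCE_DATE) -> dict[str, list[str]]:
    """Alien tags for the inventory rows the application actually ends up shipping."""
    in_app = reachable(direct_deps, depends_on)
    result: dict[str, list[str]] = {}
    for c in inventory:
        if c.name in in_app:
            tags = classify(c, today)
            if tags:
                result[c.name] = tags
    return result


# Constructed inventory: metrics as quoted on slides 30-40; coordinates and
# release dates of the three CVE rows are placeholders.
INVENTORY = [
    Component("spring-framework:3.0.x", 8781, 6_987_246, 72_156, date(2010, 10, 20),
              "Apache-2.0", True, True, [Vuln("CVE-2011-2894", 6.8)]),
    Component("xerces2-java:2.x", 4003, 3_797_847, 119_569, date(2010, 11, 26),
              "Apache-2.0", True, True, [Vuln("CVE-2009-2625", 5.0)]),
    Component("xalan-java:2.x", 75, 324_765, 119_569, date(2007, 11, 27),
              "Apache-2.0", True, True, [Vuln("CVE-2003-1516", 6.8)]),
    Component("jstl:1.2", 1164, 182_145, 8_383, date(2006, 5, 11), None, False, False),
    Component("asm:3.3.1", 1190, 19_621, 1_026_964, date(2011, 1, 12), "BSD-3-Clause", True, False),
    Component("jakarta-regexp:1.4", 305, 432_468, 14_454, date(2005, 11, 8), "Apache-2.0", True, True),
]

# Constructed dependency graph: the app declares three dependencies; Xerces only
# arrives through Xalan, and jakarta-regexp sits in the inventory but is not shipped.
DEPENDS_ON = {
    "my-web-app": ["spring-framework:3.0.x", "jstl:1.2", "my-report-module"],
    "my-report-module": ["xalan-java:2.x", "asm:3.3.1"],
    "xalan-java:2.x": ["xerces2-java:2.x"],
}

if __name__ == "__main__":
    for name, tags in triage(INVENTORY, DEPENDS_ON["my-web-app"], DEPENDS_ON).items():
        print(f"{name:28s} {', '.join(tags)}")
```

Run against the constructed data, Xerces is flagged as an Infector even though the application never declares it, and jakarta-regexp (a Living Dead row in the inventory) is not reported because nothing in the application pulls it in, which is the difference between "we have an inventory" and "we know what is in production" that slide 13 asks about.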

Page 41

Complimentary assessment to ID aliens in your apps: www.Sonatype.com/RiskAssessments

Page 42: MATTERS MOST

Page 43: (Many were upset that bacon was not an option)

Q: What is your favorite pizza topping?

Page 44: …and prefer beer 4-to-1 over wine.

Q: What do you like to drink with your pizza?

Page 45: Thank You!

[email protected]