Aliens in Your Apps! Are you using components with known vulnerabilities?
DESCRIPTION
This presentation was given by Ryan Berg, Sonatype CSO, at the All Things Open conference in Raleigh, NC. We all know that Open Source brings speed, innovation, cost savings and more to our development efforts. It also brings risk. Bash, Heartbleed, Struts – anyone? Join this session to hear the latest research on the most risky open source component types – the alien invaders hiding in your software. And learn best practices to manage your risk based on the 11,000 people who shared their experiences in the 4 year industry-wide study on open source development and application security. Among the surprising results…
- 1-in-3 organizations had or suspected an open source breach in the last 12 months
- Only 16% of participants must prove they are not using components with known vulnerabilities
- 64% don’t track changes in open source vulnerability data
TRANSCRIPT
ALIENS IN YOUR APPS? Are you using components with known vulnerabilities?
October 22, 2014 – All Things Open
Ryan Berg, CSO, Sonatype
Our world runs on software, and software runs on open source components. For four years, we have asked those on the front lines (developers, architects, and managers) how they're using open source components, and how they're balancing the need for speed with the need for security.
3,353 people shared their views this year.
The TRUE State of OSS Security
OSS POLICIES: 56% have a policy, and 68% follow policies.
Top 3 challenges: no enforcement (workarounds are common), no security, not clear what’s expected.
PRACTICES: 76% don’t have meaningful controls over what components are in their applications. 21% must prove use of secure components. 63% have an incomplete view of license risk.
COMPONENTS: The Central Repository is used by 83%. Nexus component managers are used 3-to-1 over others. 84% of developers use Maven/Jar to build applications.
STATE OF THE INDUSTRY
Applications are the #1 attack vector leading to breach.
13 billion open source component requests annually.
11 million developers worldwide.
90% of a typical application is now open source components.
46 million vulnerable open source components downloaded annually.
APP SECURITY: 6 in 10 don’t track vulnerabilities over time. 77% have never banned a component. 31% suspected an open source breach.
Open source component use has exploded
(Chart: annual open source software component requests, 2007 to 2013, rising from 500M to 13 BILLION [1]; 11 MILLION developers worldwide [2])
Source: [1] Sonatype, Inc. analysis of the (Maven) Central Repository; [2] IDC
Open Source Software is essential
...to help build your applications. Most applications are now assembled from hundreds of open source components, often reflecting as much as 90% of an application.
...and satisfy demand. Open source helps meet the accelerated development demand required for these growth drivers.
(Chart: applications ASSEMBLED from components vs. WRITTEN from scratch)
Heartbleed raises awareness
Q: Has your organization had a breach that can be attributed to a vulnerability in an open source component or dependency in the last 12 months?
Not uncommon (if you look)
1-in-10 had or suspected an open source related breach in the past 12 months
We care (shhh don’t tell we don’t really)
Q: Has your organization ever banned use of an open source component, library or project?
Proof is in the pudding
More than 1-in-3 say their open source policy doesn’t cover security.
Q: How does your open source policy address security vulnerabilities?
Source: 2014 Sonatype Open Source Development and Application Security Survey
But what about developers …
Even when component versions are updated 4-5 times a year to fix known security, license or quality issues.
Q: Does someone actively monitor your components for changes in vulnerability data?
At least it’s good in production?
Q: Does your organization maintain an inventory of open source components used in production applications?
Which way are the fingers pointing?
Q: Who has responsibility for tracking & resolving newly discovered component vulnerabilities in *production* applications?
In 2013, 50% Named AppDev
In 2013, 8% Named AppSec
ARE OPEN SOURCE POLICIES KEEPING OUR APPLICATIONS SAFE?
We don’t need no stinking policy!
Q: Does your organization have an open source policy?
We have a policy, mmm bacon
Q: Do you actually follow your company’s open source policy?
Policy without controls is?
Is an “Open Source Policy” more than just a document?
Q: How well does your organization control which components are used in development projects?
Don’t worry we got it
But control is not unanimous.
Q: Who in your organization has PRIMARY responsibility for open source policy/governance?
But do I care?
Q: How would you characterize your developers’ interest in application security?
Source: 2013 and 2014 Sonatype Open Source Development and Application Security Survey
It’s the Applications Stupid
Hey if it works … ship it!
Q: When selecting components, which characteristics would be most helpful to you? (choose four)
Source: 2014 Sonatype Open Source Development and Application Security Survey
This security thing is such a drag … Bacon
Q: What application security training is available to you? (multiple selections possible)
Cleanup on Aisle 9, Cleanup on Aisle 9
AppDev runs at Agile & DevOps speed. Is security keeping pace?
Q: At what point in the development process does your organization perform application security analysis? (multiple selections possible)
With Open Source Come License Considerations
You mean licenses matter?
Yet, licensing data is considered helpful to 67% of respondents when selecting open source components to use.
Q: Are open source licensing risks or liabilities a top concern in your position?
Why yes, I believe it does
Q: Does your organization/policy manage the use of components by license types? (e.g., GPL, copyleft)?
Defend Your Software Against Common Vulnerability Types
(tongue in cheek)
#1 THE INFECTOR
A vulnerable component that many other components depend upon.
Number of Dependent Components: 8781
Downloads: 6,987,246
CVSS Score: 6.8
MTTR: 229
Unique Organizations: 72,156
CVE-2011-2894
Spring Framework 3.0.0 through 3.0.5, Spring Security 3.0.0 through 3.0.5 and 2.0.0 through 2.0.6, and possibly other versions deserialize objects from untrusted sources, which allows remote attackers to bypass intended security restrictions and execute untrusted code by (1) serializing a java.lang.Proxy instance and using InvocationHandler, or (2) accessing internal AOP interfaces, as demonstrated using deserialization of a DefaultListableBeanFactory instance to execute arbitrary commands via the java.lang.Runtime class.
It’s always Spring somewhere
#2 THE IMPOSTOR
A vulnerable component that is also very popular.
An App just isn’t an App without XML
Number of Dependent Components: 4003
Downloads: 3,797,847
CVSS: 5
MTTR: 867
Unique Organizations: 119,569
CVE-2009-2625
XMLScanner.java in Apache Xerces2 Java, as used in Sun Java Runtime Environment (JRE) in JDK and JRE 6 before Update 15 and JDK and JRE 5.0 before Update 20, and in other products, allows remote attackers to cause a denial of service (infinite loop and application hang) via malformed XML input, as demonstrated by the Codenomicon XML fuzzing framework.
#3 THE FORGOTTEN
A vulnerable component with a security vulnerability from many years ago.
We are still using that?
Number of Dependent Components: 75
Downloads: 324,765
CVSS: 6.8
Unique Organizations: 119,569
CVE-2003-1516
The org.apache.xalan.processor.XSLProcessorVersion class in Java Plug-in 1.4.2_01 allows signed and unsigned applets to share variables, which violates the Java security model and could allow remote attackers to read or write data belonging to a signed applet.
#4 THE UNDESIRABLE
A popular component with neither a declared nor observable license.
No license, no worries
Number of Dependent Components: 1164
Number of Downloads: 182,145
Latest Release Date: May-11-2006
Unique Organizations: 8,383
jstl:1.2 java standard template library implementation
#5 THE UNPROVEN
A popular component with a declared license but no proof of source.
I am what I say I am
Number of Dependent Components: 1190
Number of Downloads: 19,621
Last Release Date: Jan-12-2011
Unique Organizations: 1,026,964
asm:3.3.1 java bytecode analysis framework
#6 THE LIVING DEAD
A popular component that hasn’t been updated in more than 5 years.
One release … Ever!
Number of Dependent Components: 305
Number of Downloads: 432,468
Last Release: Nov-8-2005
Unique Organizations: 14,454
jakarta-regexp:1.4 regular expression parsing library
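The six component types above can be turned into a simple triage pass over a dependency inventory. This is an added example, not code from the talk or from any Sonatype product: the thresholds, the Maven coordinates, the release dates of the first three records and the license/source flags are assumptions; the dependent, organization and CVE figures are the ones shown on the slides.

```python
from dataclasses import dataclass, field
from datetime import date
from typing import List, Optional, Tuple

@dataclass
class Component:
    coords: str                      # groupId:artifactId:version
    dependents: int                  # components that depend on this one
    orgs: int                        # unique organizations downloading it
    last_release: date
    cves: List[Tuple[str, float]] = field(default_factory=list)  # (CVE id, CVSS)
    license: Optional[str] = None    # declared license, None if absent
    source_verified: bool = False    # provenance of the artifact proven?

# Threshold assumptions; the slides give figures, not cut-offs.
MANY_DEPENDENTS, MANY_ORGS, OLD_CVE_YEARS, STALE_DAYS = 5000, 100_000, 5, 5 * 365

def classify(c: Component, today: date) -> List[str]:
    """Return every 'alien' category from the slides that the component matches."""
    tags = []
    if c.cves:                                   # known vulnerability present
        if c.dependents >= MANY_DEPENDENTS:
            tags.append("infector")              # #1: many components depend on it
        if c.orgs >= MANY_ORGS:
            tags.append("impostor")              # #2: vulnerable and very popular
        if any(today.year - int(cid.split("-")[1]) > OLD_CVE_YEARS for cid, _ in c.cves):
            tags.append("forgotten")             # #3: the vulnerability is years old
    if c.license is None:
        tags.append("undesirable")               # #4: no declared license
    elif not c.source_verified:
        tags.append("unproven")                  # #5: license, but no proof of source
    if (today - c.last_release).days > STALE_DAYS:
        tags.append("living-dead")               # #6: no release in over 5 years
    return tags

def triage(components: List[Component], today: date) -> List[Tuple[str, List[str]]]:
    """Rank the inventory: most categories matched first, then highest CVSS."""
    def key(c):
        return (len(classify(c, today)), max((s for _, s in c.cves), default=0.0))
    return [(c.coords, classify(c, today)) for c in sorted(components, key=key, reverse=True)]

TODAY = date(2014, 10, 22)   # the date of the talk
# Constructed inventory: slide figures, with coordinates/dates/flags filled in as assumptions.
INVENTORY = [
    Component("org.springframework:spring-core:3.0.5", 8781, 72_156, date(2013, 1, 1), [("CVE-2011-2894", 6.8)], "Apache-2.0", True),
    Component("xerces:xercesImpl:2.9.1", 4003, 119_569, date(2013, 1, 1), [("CVE-2009-2625", 5.0)], "Apache-2.0", True),
    Component("xalan:xalan:2.4.1", 75, 119_569, date(2013, 1, 1), [("CVE-2003-1516", 6.8)], "Apache-2.0", True),
    Component("jstl:jstl:1.2", 1164, 8_383, date(2006, 5, 11)),
    Component("asm:asm:3.3.1", 1190, 1_026_964, date(2011, 1, 12), license="BSD-3-Clause"),
    Component("jakarta-regexp:jakarta-regexp:1.4", 305, 14_454, date(2005, 11, 8), license="Apache-2.0", source_verified=True),
]
```

A component can match more than one category at once (the old Xalan CVE also lands in "impostor" because of its organization count), which is exactly the case a banned-component or upgrade policy needs to rank first.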
Complimentary assessment to ID aliens in your apps: www.Sonatype.com/RiskAssessments
MATTERS MOST
(Many were upset that bacon was not an option)
Q: What is your favorite pizza topping?
…and prefer beer 4-to-1 over wine.
Q: What do you like to drink with your pizza?
Thank You!