AppSec USA 2014, Denver, Colorado
OWASP A9: A Year Later
Are you still using components with known vulnerabilities?
Our world runs on software, and software runs on open source components. For four years we have asked those on the front lines (developers, architects, and managers) how they're using open source components, and how they're balancing the need for speed with the need for security.
This year, 3,353 people shared their views.
The TRUE State of OSS Security
OSS policies
• 56% have a policy, and 68% follow policies.
• Top 3 challenges: no enforcement (workarounds are common), no security, not clear what's expected.
Practices
• 76% don't have meaningful controls over what components are in their applications.
• 21% must prove use of secure components.
• 63% have an incomplete view of license risk.
Components
• The Central Repository is used by 83%.
• Nexus component managers are used 3-to-1 over others.
• 84% of developers use Maven/Jar to build applications.
State of the industry
• Applications are the #1 attack vector leading to breach.
• 13 billion open source component requests annually.
• 11 million developers worldwide.
• 90% of a typical application is now open source components.
• 46 million vulnerable open source components downloaded annually.
App security
• 6 in 10 don't track vulnerabilities over time.
• 77% have never banned a component.
• 31% suspected an open source breach.
Open source component use has exploded
• 13 BILLION open source software component requests¹
• 11 MILLION developers worldwide²
[Chart: Central Repository component requests per year, 2007 through 2013, from 500M to 13B]
• Sources: ¹ Sonatype, Inc. analysis of the (Maven) Central Repository; ² IDC
• ...to help build your applications: most applications are now assembled from hundreds of open source components, often reflecting as much as 90% of an application.
• ...and satisfy demand: open source helps meet the accelerated development demand required for these growth drivers.
[Chart: ASSEMBLED vs. WRITTEN share of an application]
Open Source Software is essential
Q: Has your organization had a breach that can be attributed to a vulnerability in an open source component or dependency in the last 12 months?
Heartbleed raises awareness
1-in-10 had or suspected an open source related breach in the past 12 months
Not Uncommon (if you look)
• Q: Has your organization ever banned use of an open source component, library or project?
• Yet, 78% have never banned an open source component, library or project.
We Care (shhh don’t tell we don’t really)
More than 1-in-3 say their open source policy doesn’t cover security.
• Q: How does your open source policy address security vulnerabilities?
• Source: 2014 Sonatype Open Source Development and Application Security Survey
Proof is in the Pudding
Even when component versions are updated 4-5 times a year to fix known security, license or quality issues¹.
• Q: Does someone actively monitor your components for changes in vulnerability data?
But What About Developers …
• Q: Does your organization maintain an inventory of open source components used in production applications?
At Least it’s Good in Production?
• Q: Who has responsibility for tracking & resolving newly discovered component vulnerabilities in *production* applications?
In 2013, 50% Named AppDev
In 2013, 8% Named AppSec
Which Way are the Fingers Pointing?
Are open source policies keeping our applications safe?
• Q: Does your organization have an open source policy?
We Don’t Need No Stinking Policy!
• Q: Do you actually follow your company’s open source policy?
We Have a Policy, mmm Bacon
Is an “Open Source Policy” more than just a document?
• Q: How well does your organization control which components are used in development projects?
Policy Without Controls Is?
But control is not unanimous.
• Q: Who in your organization has PRIMARY responsibility for open source policy/governance?
Don’t Worry We Got It
• Q: How would you characterize your developers’ interest in application security?
• Source: 2013 and 2014 Sonatype Open Source Development and Application Security Survey
But do I Care?
It's the Applications, Stupid
• Q: When selecting components, which characteristics would be most helpful to you? (choose four)
• Source: 2014 Sonatype Open Source Development and Application Security Survey
Hey if it Works … Ship It!
• Q: What application security training is available to you? (multiple selections possible)
This Security Thing is Such a Drag … Bacon
Application development runs at Agile and DevOps speed. Is security keeping pace?
• Q: At what point in the development process does your organization perform application security analysis? (multiple selections possible)
Cleanup on Aisle 9
With Open Source Comes License Considerations
Yet, licensing data is considered helpful to 67% of respondents when selecting open source components to use.
• Q: Are open source licensing risks or liabilities a top concern in your position?
You Mean Licenses Matter?
• Q: Does your organization/policy manage the use of components by license types? (e.g., GPL, copyleft)?
Why Yes, I Believe it Does
#1 Avoid the 7 Deadly Horses of the Component Apocalypse
#1 The Virus
Number of dependent components: 8,781
Downloads: 6,987,246
CVSS score: 6.8
MTTR: 229
Unique organizations: 72,156
CVE-2011-2894: Spring Framework 3.0.0 through 3.0.5, Spring Security 3.0.0 through 3.0.5 and 2.0.0 through 2.0.6, and possibly other versions deserialize objects from untrusted sources, which allows remote attackers to bypass intended security restrictions and execute untrusted code by (1) serializing a java.lang.Proxy instance and using InvocationHandler, or (2) accessing internal AOP interfaces, as demonstrated using deserialization of a DefaultListableBeanFactory instance to execute arbitrary commands via the java.lang.Runtime class.
It's Always Spring Somewhere
Life of the party
An App just isn't an App without XML
Number of dependent components: 4,003
Downloads: 3,797,847
CVSS score: 5
MTTR: 867
Unique organizations: 119,569
CVE-2009-2625: XMLScanner.java in Apache Xerces2 Java, as used in Sun Java Runtime Environment (JRE) in JDK and JRE 6 before Update 15 and JDK and JRE 5.0 before Update 20, and in other products, allows remote attackers to cause a denial of service (infinite loop and application hang) via malformed XML input, as demonstrated by the Codenomicon XML fuzzing framework.
The forgotten
We Are Still Using That?
Number of dependent components: 75
Downloads: 324,765
CVSS score: 6.8
Unique organizations: 119,569
CVE-2003-1516: The org.apache.xalan.processor.XSLProcessorVersion class in Java Plug-in 1.4.2_01 allows signed and unsigned applets to share variables, which violates the Java security model and could allow remote attackers to read or write data belonging to a signed applet.
The undesirable
No License, No Worries
Number of dependent components: 1,164
Number of downloads: 182,145
Latest release date: May-11-2006
Unique organizations: 8,383
jstl:1.2 (Java Standard Template Library implementation)
The unproven
I am what I say I am
Number of dependent components: 1,190
Number of downloads: 19,621
Last release date: Jan-12-2011
Unique organizations: 1,026,964
asm:3.3.1 (Java bytecode analysis framework)
The unproven
The one hit wonder
The One-Hit Wonder: a component that has had only a single release, ever.
Number of dependent components: 305
Number of downloads: 432,468
Last release: Nov-8-2005
Unique organizations: 14,454
jakarta-regexp:1.4 (regular expression parsing library)
One Release … Ever!
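The component categories above (a known CVE in a version range, no declared license, a single release ever, a long-abandoned release) can be turned into an automated inventory check. The following is an added example, not code from the talk or from Sonatype: it evaluates a constructed inventory built from the coordinates and release dates on the slides (the `spring-core` artifactId, the Spring version, licenses, release counts, the 5-year staleness threshold and the audit date are assumptions).

```python
from dataclasses import dataclass
from datetime import date

# Slide-stated CVE range; artifactId 'spring-core' is assumed. Extend from your own feed.
KNOWN_VULNS = {"spring-core": [("CVE-2011-2894", "3.0.0", "3.0.5")]}
STALE_AFTER_DAYS = 5 * 365  # assumed policy threshold, not from the talk

@dataclass
class Component:
    coords: str          # artifactId, as the slides list them
    version: str
    license: str         # "" = no declared license
    release_count: int   # releases ever published
    last_release: date

def parse_version(v: str) -> tuple:
    """Maven-style version -> comparable numeric segments. Qualifiers such as
    RELEASE are dropped; Maven's ComparableVersion orders them, this does not."""
    out = []
    for seg in v.split("."):
        digits = "".join(ch for ch in seg if ch.isdigit())
        out.append(int(digits) if digits else 0)
    return tuple(out)

def in_range(version: str, lo: str, hi: str) -> bool:
    """Inclusive range test, segments zero-padded to equal length."""
    v, l, h = (parse_version(x) for x in (version, lo, hi))
    n = max(len(v), len(l), len(h))
    pad = lambda t: t + (0,) * (n - len(t))
    return pad(l) <= pad(v) <= pad(h)

def check_component(c: Component, today: date) -> list:
    """Policy findings for one component; an empty list means clean."""
    findings = []
    for cve, lo, hi in KNOWN_VULNS.get(c.coords, []):
        if in_range(c.version, lo, hi):
            findings.append(f"known vulnerability {cve}")          # the virus
    if not c.license:
        findings.append("no declared license")                     # the undesirable
    if c.release_count == 1:
        findings.append("one-hit wonder: single release ever")     # the one-hit wonder
    if (today - c.last_release).days > STALE_AFTER_DAYS:
        findings.append(f"stale: last release {c.last_release}")   # the forgotten
    return findings

def audit(inventory: list, today: date) -> dict:
    return {f"{c.coords}:{c.version}": check_component(c, today) for c in inventory}

# Constructed inventory: coordinates/dates from the slides where given; the rest are sample values.
SAMPLE_INVENTORY = [
    Component("spring-core", "3.0.3.RELEASE", "Apache-2.0", 40, date(2014, 7, 28)),
    Component("jstl", "1.2", "", 3, date(2006, 5, 11)),
    Component("jakarta-regexp", "1.4", "Apache-2.0", 1, date(2005, 11, 8)),
    Component("asm", "3.3.1", "BSD-3-Clause", 12, date(2011, 1, 12)),
]

def run_sample() -> dict:
    return audit(SAMPLE_INVENTORY, date(2014, 9, 18))  # constructed audit date
```

Running `run_sample()` flags the Spring artifact for the CVE, jstl for the missing license and age, jakarta-regexp as a stale one-hit wonder, and reports asm clean.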
WHAT Matters MOST
(Many were upset that bacon was not an option)
• Q: What is your favorite pizza topping?
• Q: What do you like to drink with your pizza?
• …and prefer beer 4-to-1 over wine.