Q1 2016 Open Source Security Report: Glibc and Beyond

Q1 2016 Open Source Security Report: Glibc and Beyond

• 1.
  © 2016 BlackDuck Software, Inc. All Rights Reserved. Secure and Manage Your Open Source Software OPEN SOURCE VULNERABILITY REVIEW Q1, 2016
• 2.
  2 © 2016Black Duck Software, Inc. All Rights Reserved. HOW ARE VULNERABILITIES FOUND AND DISCLOSED? Over 6,000 new vulnerabilities in open source since 2014 Over 76,000 total vulnerabilities in NVD, only 63 reference automated tools • 50 of those are for vulnerabilities reported in the tools • 13 are for vulnerabilities that could be identified by a fuzzer 0 200 400 600 800 1,000 1,200 NVD Open Source Vulnerability Disclosures by Month Heartbleed Disclosure
• 3.
  3 © 2016Black Duck Software, Inc. All Rights Reserved. WHAT’S NEW IN THE FIRST 90 DAYS OF 2016 960 new vulnerabilities in open source components • ~20% increase over Q1 2015 • ~35% increase in high and critical vulnerabilities Popular components continue to be targets for research • Firefox – 61 new vulnerabilities • Debian Linux – 24 new vulnerabilities • OpenSSL – 11 new vulnerabilities • Apache Tomcat – 7 new vulnerabilities Good News! • WordPress – 0 new vulnerabilities • Drupal – 0 new vulnerabilities
• 4.
  4 © 2016Black Duck Software, Inc. All Rights Reserved. MOST COMMON VULNERABILITY TYPES CWE Frequency Buffer Errors 262 Information Leak/Disclosure 142 Input Validation 133 Cross Site Scripting 124 Improper Access Control 32 Cross Site Request Forgery 22 Credentials Management 21 Cryptographic Issues 16 Data Handling 16 Code 11 0 50 100 150 200 250 300 NVD - Top Ten CWE's Q1, 2016
• 5.
  5 © 2016Black Duck Software, Inc. All Rights Reserved. TOP “HONORS” FOR Q1 glibc and DROWN
• 6.
  6 © 2016Black Duck Software, Inc. All Rights Reserved. GLIBC VULNERABILITY CVE-2015-7547 Component: GNU C Standard Library CWE 119 – Buffer Errors Introduced to code base: 2008 Vulnerability disclosed: 02/18/2016 Recommendation: Upgrade immediately • Central component in all Linux distros • IT infrastructure • Mission critical applications • Internet of Things • Vulnerability affects a universally used protocol (DNS) • Attack can force an affected client to look up a malicious domain, then return a payload that exploits the buffer overflow in glibc • Can result in complete takeover of the system glibc Source: https://dankaminsky.com/2016/02/20/skeleton/#ciso Galaxy map of Ubunto Linux
• 7.
  7 © 2016Black Duck Software, Inc. All Rights Reserved. DROWN VULNERABILITY CVE-2016-0800 Component: OpenSSL CWE 200 – Information Leak/Disclosure Introduced to code base: 2010 Vulnerability disclosed: 03/01/2016 Recommendation: Upgrade immediately • Widely used encryption protocol • Apache and NGINX comprise 85% of web servers • Many Linux distros • Internet of Things • IT Infrastructure • Attacker can force “agreement” to a very weak cypher (SSL v2) • Man-in-the-middle can intercept/modify any communications between users and server Vulnerable at Disclosure (March 1) Vulnerable March 26 HTTPS — Top one million domains 25% 15% HTTPS — All browser- trusted sites 22% 16% HTTPS — All sites 33% 28% Source: https://drownattack.com/ * http://http://www.w3cook.com/webserver/summary/
• 8.
  8 © 2016Black Duck Software, Inc. All Rights Reserved. HONORABLE MENTION The Panama Papers Mossack Fonseca • 11.5 million (2.6 TB) confidential documents stolen • Details of over 200,000 off-shore entities and shell companies • Suspected attack vectors • Drupal 7.23 (2013) • 611 known vulnerabilities (including DROWN) • WordPress 4.1 (2014) • 435 known vulnerabilities • Outlook Web Access • Unpatched since 2009 • No encryption enabled
• 9.
  9 © 2016Black Duck Software, Inc. All Rights Reserved. WHAT IS SPECIAL ABOUT OPEN SOURCE VULNERABILITIES?
• 10.
  10 © 2016Black Duck Software, Inc. All Rights Reserved. WE HAVE LITTLE CONTROL OVER HOW OPEN SOURCE ENTERS THE CODE BASE Open Source Community Internally Developed Code Outsourced Code Legacy Code Reused Code Supply Chain Code Third Party Code Delivered Code Open source code introduced i a y ways… …a d absorbed i to final code.
• 11.
  11 © 2016Black Duck Software, Inc. All Rights Reserved. OPEN SOURCE: EASY TARGETS Used everywhere Easy access to code Vulnerabilities are publicized Exploits readily available
• 12.
  12 © 2016Black Duck Software, Inc. All Rights Reserved. WHO’S RESPONSIBLE FOR SECURITY? Commercial Code Open Source Code • Dedicated security researchers • Alerting and notification infrastructure • Regular patch updates • Dedicated support team with SLA • “community”-based code analysis • Monitor newsfeeds yourself • No standard patching mechanism • Ultimately, you are responsible
• 13.
  13 © 2016Black Duck Software, Inc. All Rights Reserved. HOW ARE COMPANIES ADDRESSING THIS TODAY? NOT WELL. Manual tabulation • Architectural Review Board • End of SDLC • High effort and low accuracy • No controls Spreadsheet-based inventory • Dependent on developer best effort or memory • Difficult maintenance • Not source of truth Tracking vulnerabilities • No single responsible entity • Manual effort and labor intensive • Unmanageable (11/day) • Match applications, versions, components, vulnerabilities Vulnerability detection • Run monthly/quarterly vulnerability assessment tools (e.g., Nessus, Nexpose) against all applications to identify exploitable instances
• 14.
  14 © 2016Black Duck Software, Inc. All Rights Reserved. WHAT SECURITY TEAMS CAN DO
• 15.
  15 © 2016Black Duck Software, Inc. All Rights Reserved. A SOFTWARE BILL OF MATERIALS SOLVES THE PROBLEM • Components and serial numbers • Unique to each vehicle VIN • Can track defective parts to unique vehicles • Complete analysis of open source components • Unique to each project or application • Security, license, and operational risk surfaced
• 16.
  16 © 2016Black Duck Software, Inc. All Rights Reserved. A SOLUTION TO SOLVING THIS PROBLEM WOULD INCLUDE THESE COMPONENTS Choose Open Source Inventory Open Source Map Existing Vulnerabilities Track New Vulnerabilities Maintain accurate list of open source components throughout the SDL Identify vulnerabilities during development Alert on new vulnerabilities and map to applications Proactively choose secure, supported open source GUIDE VERIFY/ENFORCE MONITOR
• 17.
  17 © 2016Black Duck Software, Inc. All Rights Reserved. KEY TAKEAWAYS 1. Use appropriate tools to identify bugs in the code you write • Understand the strengths and weakness of each 2. Create and maintain an inventory (Bill of Materials) of all open source • Update with each build or release 3. Monitor the threat space for information on new vulnerabilities • New vulnerabilities change your security profile 4. Patch quickly • Attackers respond quickly, we must also
• 18.
  18 © 2016Black Duck Software, Inc. All Rights Reserved. WHAT CAN YOU DO TOMORROW? Speak with your head of application development and find out: • What policies exist? • Is there a list of components? • How are they creating the list? • What controls do they have to ensure nothing gets through? • How are they tracking vulnerabilities for all components over time?
• 19.
  19 © 2016Black Duck Software, Inc. All Rights Reserved. 7 of the top 10 Software companies, and 44 of the top 100 6 of the top 8 Mobile handset vendors 6 of the top 10 Investment Banks 24 Countries 230 Employees 1,600Customers 27 of the Fortune 100 ABOUT BLACK DUCK Award for Innovation Four Years in the “Software 500” Largest Software Companies Six Years in a row for Innovation Gartner Group “Cool Vendor” “Top Place to Work,” The Boston Globe 2014