RVAsec Bill Weinberg Open Source Hygiene Presentation

© 2014 Black Duck Software, Inc. Proprietary & Confidential All Rights Reserved.
OPEN SOURCE HYGIENE – MITIGATING SECURITY RISKS FROM
DEVELOPMENT, INTEGRATION, DISTRIBUTION AND DEPLOYMENT OF
OPEN SOURCE SOFTWARE
Bill Weinberg, Senior Director, Open Source Strategy, Black Duck Software
RVAsec – June 5, 2015

2 © 2015 Black Duck Software, Inc. All Rights Reserved.
PRESENTATION ABSTRACT
OSS Hygiene – Mitigating Security Risks from Development, Integration,
Distribution and Deployment of Open Source Software
Across the landscape of IT, Open Source Software (OSS) is pervasive and
ubiquitous. From the cloud and web to data centers; from the desktop to
mobile devices; and across a range of embedded and IoT applications, OSS
commands an ever-increasing, dominant share of the system software stack
and provides equally substantial swathes of enabling application middleware,
applications themselves, and tooling.
While rapid adoption of OSS demonstrably offers a range of advantages, the
community development model presents developers, integrators and
deployers with a set of accompanying challenges related to security,
operational, and legal risk. Historically, foremost among these concerns stood
license compliance and IP protection; however, with recent highly publicized
threats to OSS, security has joined these concerns and today dominates the
OSS adoption conversation.
This presentation will explore the role of and requirements for secure
development of and deployment with OSS.

YOUR SPEAKER
Bill Weinberg, Senior Director, Open Source Strategy – Black Duck
Software
Bill helps Fortune 1000 clients create sound approaches to enable, build,
and deploy software for intelligent devices, enterprise data centers, and
cloud infrastructure.
Working with FOSS since 1997, Bill also boasts more than thirty years
of experience in embedded and open systems, telecommunications,
and enterprise software. As a founding team-member at MontaVista
Software, Bill pioneered Linux as leading platform for intelligent and mobile
devices. During his tenure as Senior Analyst at OSDL (today, the Linux
Foundation), Bill ran Carrier Grade and Mobile Linux initiatives and worked
closely with foundation members, analyst firms, and the press. As General
Manager of the Linux Phone Standards Forum, he worked tireless to
establish standards for mobile telephony middleware.
Bill is also a prolific author and busy speaker on topics spanning
global FOSS adoption to real-time computing, IoT, legacy migration,
licensing, standardization, telecoms infrastructure, and mobile
applications. Learn more at http://www.linuxpundit.com/.

AGENDA
• Open Source – Present and Future
• The Open Source Vulnerability Landscape
• The Open Source Development Model
• Open Source Hygiene
• Q&A

5 © 2014 Black Duck Software, Inc. Proprietary & Confidential All Rights Reserved.
OPEN SOURCE IS
UNSTOPPABLE
The 2015 Future of Open Source Survey

78% OF COMPANIES
RUN ON OPEN SOURCE
LESS THAN 3%
DON’T USE OSS IN ANY WAY
CORPORATEUSE
@FUTUREOFOSS
#FUTUREOSS

CORPORATEUSE
2XSINCE 2010
USE OF OPEN SOURCE TO RUN
BUSINESS IT ENVIRONMENTS HAS GONE UP
@FUTUREOFOSS
#FUTUREOSS

INCREASING ABUNDANCE
Open Source Projects
Source: Black Duck Software
BLACK DUCK
KNOWLEDGEBASE
0
200000
400000
600000
800000
1000000
1200000
1400000
2007 2009 2011 2013 2015
CORPORATEUSE
@FUTUREOFOSS
#FUTUREOSS

OSS IMPACTS TECHNOLOGY
CLOUD BIG DATA OPERATING
SYSTEMS
CONNECTED
PRODUCT/IoT
TECHNOLOGY
@FUTUREOFOSS
#FUTUREOSS
OPEN SOURCE IS SO PERVASIVE THAT ALL SOFTWARE
CATEGORIES USE IT OR HAVE DEPENDENCIES ON IT

THE SECURITY OF
OPEN SOURCE
55%SAID OPEN SOURCE
DELIVERS SUPERIOR
SECURITY
46%GIVE OSS FIRST
CONSIDERATION
AMONG SECURITY
TECHNOLOGIES
HOWEVER,
67%DON’T MONITOR OPEN
SOURCE CODE FOR SECURITY
VULNERABILITIES.
SECURITY
@FUTUREOFOSS
#FUTUREOSS

THE OPEN SOURCE
VULNERABILITY LANDSCAPE
No worse (actually somewhat better) than
other types of software

WORRIED ABOUT OPEN SOURCE SECURITY?
“Through 2020, security and quality defects
publicly attributed to OSS projects will
increase significantly, driven by a growing
presence within high-profile, mission-critical
and mainstream IT workloads.”
Gartner, Road Map for Open-Source Success: Understanding
Quality and Security, Mark Driver, 3 March 2014.

Based on the National Vulnerability Database published by the National Institute of Standards and Technology (a repository by the U.S. government)
THE GROWTH IN SECURITY VULNERABILITIES
0
1,000
2,000
3,000
4,000
5,000
6,000
7,000
8,000
9,000
2000 2001 2002 2003 2004 2005 2006 2007 2008 2009 2010 2011 2012 2013 2014 2015
CVEs (Vulnernabilities) by Year
Jan 1, 2000 - May 11, 2015

OSS VULNERABILITY LANDSCAPE
Of 9,200 security vulnerabilities reported in
2014, 4,000 affected open source code.
– National Vulnerability Database & IBM X-Force

THE RISE OF “NAMED” VULNERABILITIES IN OSS

PENDING LEGISLATION – H.R. 5793 THE CYBER SUPPLY
CHAIN TRANSPARENCY AND REMEDIATION ACT (“THE
ROYCE BILL”)
3 Key Provisions:
• Vendors must provide a Bill of Materials of 3rd-Party and Open
Source Components (including versions)
• Vendors cannot use known vulnerable components if there is a
less vulnerable component available
• Software must be patchable/updateable (to address new
vulnerabilities when they are discovered)

THE OPEN SOURCE
DEVELOPMENT MODEL
Inherently (in)secure?

LINUS’ LAW
Given enough eyeballs, all bugs are shallow

User Community & Ecosystem
Developer Community
Core Developers
OPEN SOURCE DEVELOPMENT MODEL
• Core project developers create, maintain, curate code base
• Vet contributions from larger communities
• Focus on project goals – features, performance, etc.
Code

User Community & Ecosystem
Developer Community
Core Developers
OPEN SOURCE CODE CURATION MODEL
Code v1 Code v2 Code vN
CONTINUOUS INCREMENTAL IMPROVEMENT

OPEN SOURCE CODE QUALITY ASSURANCE
CODE
unterminated strings
unchecked function returns
Indices out of bounds memory leaks
faulty logic misconfigurationregressions
stray pointersback doors parameter reversal
improper type castsincorrect permissions
debug coderace conditions deprecated versions
priority inversion unitialized variablesprivilege violations
COMMUNITY
Maintainers,
developers, users
exercise, debug & improve code

THEORETICAL “TRIPLE FENCE” OF OSS SECURITY
Enterprise / OEM Integration
Distribution / Platform Creation
OSS Project Purview
Production
Code

OPEN SOURCE CODE SECURITY GAP
• Majority of eyes occupied elsewhere
• Minority of community is security-savvy
CODE
unterminated strings
unchecked function returns
Indices out of bounds memory leaks
faulty logic misconfigurationregressions
stray pointersback doors parameter reversal
improper type castsincorrect permissions
debug coderace conditions deprecated versions
priority inversion unitialized variablesprivilege violations
COMMUNITY

• Use-case specific errors
• Local misconfiguration
• LAN-based vulnerabilities
• Deployed deprecated s/w
versions
• Weak encryption
• Bad authentication
• Stolen credentials
• Viruses, Trojans & other
malware
• Denial of service attacks
• Weak passwords
• Unenforced security policy
• Phishing
• Man-in-the-middle attacks
• Forged certificates
• Spoofed MACs and IP
addresses
• Latent zero-day exploits
• Brute force decryption
THREATS RESISTANT TO COMMUNITY OVERSIGHT

OPEN SOURCE HYGIENE
Component-level best practices for
securing open source software

HYGIENE?
hy·giene /ˈhīˌjēn/ [‘hai dji:n]
conditions or practices conducive to maintaining health and
preventing disease, especially through cleanliness.
synonyms: cleanliness, sanitation, sterility, purity,
disinfection

Open Source Hygiene?

Open Source Hygiene is the
practice of cross referencing the
open source content of a company or
product software stack, module by
module, version by version, with
databases of known vulnerabilities of
those software components.

SECURITY TECHNOLOGIES – WHERE DOES OSS HYGIENE
FIT?
Intrusion
Detection
End-point
Security
Network
Security
Certifiable
Systems
Formal
Verification
Authentication
Code Quality
Tools
Binary
Obfuscation
Encryption
Capabilities &
Access Control
Policy
Enforcement
Patch/Update
Management
Configuration
Management
Auditing
& Logging
Physical
Security
Hardware
Mechanisms

OSS HYGIENE - VULNERABILITY DETECTION AND
REMEDIATION
Intrusion
Detection
End-point
Security
Network
Security
Certifiable
Systems
Formal
Verification
Authentication
Code Quality
Tools
Binary
Obfuscation
Encryption
Capabilities &
Access Control
Policy
Enforcement
Patch/Update
Management
Configuration
Management
Auditing
& Logging
Physical
Security
Hardware
Mechanisms
Open
Source
Hygiene

Software Composition Analysis (SCA)
YET ANOTHER SECURITY TECHNOLOGY
TERM

VERSIONS AND VULNERABILITIES
Component Version
Component Version
Component Version
Component Version
Component Version
BOM
Newer =
More
Secure

EXAMPLE ENTERPRISE SOFTWARE BUILD (CI)
WORKFLOW
Developer
Source Code
Artifact Repository
1. Request
Build
2. Fetch
Sources
3. Resolve
Dependen-
cies
5. Publish
Artifacts,
Build
Metadata
6. Build
Results
4. Perform
Build

EXAMPLE ENTERPRISE SOFTWARE BUILD (CI)
WORKFLOW
Developer
Source Code
Artifact Repository
1. Request
Build
2. Fetch
Sources
3. Resolve
Dependen-
cies
5. Publish
Artifacts,
Build
Metadata
6. Build
Results
4. Perform
Build
OSS

OSS HYGIENE COMPLEMENTS SECURITY
TESTING
ANALYZE DESIGN CODE TEST MAINTAIN
Static
Analysis
Dynamic
Analysis
Penetration
Testing
Rule-based
Vulnerability Testing
OSS POLICIES OSS SELECTION OSS DETECTION OSS ALERTING OSS MONITORING
OPEN SOURCE HYGIENE
SOFTWARE DEVELOPMENT LIFE-CYCLE
RELEASE

Technical
• Vulnerability db schemas
• Integration in workflows
• Build tools, manifests
• Scan cycle time/speed
• 100s build/day
• DevOps
• Comprehensive scanning
• Sheer volume
• Repo locations
• Language support
• Modified OSS & snippets
• Missing versioning
• Source and Binary
Social / Managerial
• OSS management policy
• “Organic” OSS selection,
ingress and integration
• Industry norms
• Can’t/won’t remediate
• Architecture issues
• Version dependencies
• Using forked versions
• Warning fatigue
• Hundreds or thousands
of OSS components
OSS HYGIENE CHALLENGES

Extenuating Factors
• Regulated/Unregulated (cuts both ways)
• Dependence on CVSS in triage (simplistic / misleading)
• Impact of social media (Tweets correlate with exploits)
REMEDIATION TIMES BY INDUSTRY
0
50
100
150
200
Cloud
Infrastructure
Education Financial
Services
Healthcare
Daystoremediate Source: NopSec

THE ROAD TO SECURE OSS USE – BEST PRACTICES
 Identify OSS in use
 Map known vulnerabilities
 ID and assess risk
 Monitor for new
vulnerabilities
 Review vuln details
 Assess CVE impact
 Rank / tier app risk
 Triage and develop
remediation plan
 Track remediation
 Inventory & track usage
 Configure risk policies
and actions
 Determine approval
request workflow and
management

OSS REMEDIATION / TRIAGE
CONSIDERATIONS
Comparable to other types of software
• Severity of vulnerability (CVSS and other rankings)
• Number of vulnerabilities / component
• Existence/availability of exploits (if known)
• Context of vulnerability (internet/customer facing vs. internal)
• Availability of patches or other remediation
• Existence of comparable functionality in alternate OSS tech
• Willingness / capability to patch / maintain OSS forks

Manual Procedure Automated Process
Speed Slow Faster
Timeliness Seldom Automatic
Accuracy Low High
Comprehensiveness With Difficulty Configurable
Latency Weeks / Months Hours
Workflow Impact Disruptive Transparent
Repeatable / Traceable Almost Never Always
Remediation Subjective Policy-based
Cost FTEs CapEx / OpEx
OSS HYGIENE – THE NEED FOR
AUTOMATION

• Scan code to automatically identify
open source in use
• Map known security vulnerabilities
• Assess licenses, versions,
community activity (operational risk)
• Identify open source in use with
potential high-risk
IDENTIFY VULNERABILITIES IN OSS SOFTWARE
PORTFOLIOS

REMEDIATION DASHBOARDS
• Review CVSS and its impact on
each project
• Assess, triage and prioritize
vulnerabilities
• Schedule and track planned
and actual remediation dates

Benefits
• Brings OSS components
up to date
• Breaks open 3rd party
code box
• Also fights version
proliferation
Limitations
• Only effective as current
version / patch set
• Effective for OSS only
• Primary focus on source
code (cf. BAT)
OSS HYGIENE – PROS AND CONS

CONCLUSION
OSS Hygiene addresses a critical function in application security
• Focus on version deprecation as a source of vulnerabilities
• Streamlines identification and remediation of exploitable OSS components
OSS Hygiene is NOT
• Source code analysis tool or method (it uses community resources)
• A replacement for other security tools (it complements them)
• A marketing gimmick (real organizations present real requirements)
OSS Hygiene is an actionable methodology
• Can be implemented manually and/or with tools/mechanisms in place
• Benefits from fast and accurate scanning of software portfolios
• Best when employed as part of disciplined OSS management practices

RVAsec Bill Weinberg Open Source Hygiene Presentation

More Related Content

What's hot

Viewers also liked

Similar to RVAsec Bill Weinberg Open Source Hygiene Presentation

More from Black Duck by Synopsys

Recently uploaded

RVAsec Bill Weinberg Open Source Hygiene Presentation

Editor's Notes