Welcome & The State of Open Source Security
Bob Canaway
WiFi
SSID: nh
Password: wifi
Download the App!
Download Bizzabo from the App Store or Google Play.
Search for FLIGHT Amsterdam & Press Join
Or Visit
www.events.bizzabo.com/flightemea
events.bizzabo.com/flightemea/app
KEYNOTE
Lou Shipley, CEO
CLOSING PANEL
OSS as a Competitive Advantage
Gordon Haff, Red Hat
Philip Botha, Entersekt
Bill Ledingham, Black Duck
BREAKOUT SESSIONS
Located in lobby:
Bar Lounge & Henry Hudson 2
2 Technical Tracks
13 Unique Sessions
25 Speakers
47 Companies
13 Countries
Furthest Distance: South Africa, 9600+ km
The State of Open Source Security
Uniquely, Black Duck has the technology, the skilled teams, the dedicated resources and the commitment to:
• conduct cutting-edge open source research
• gather open source data and analyze it
• share the findings with the community
• and drive the secure use of open source that will enable continuous innovation.
Black Duck’s Center for Open Source Research & Innovation
2 Research Approaches
Survey and Empirical Research
2017 Open Source Security & Risk Analysis
Code bases: 1,071
Industries: 15
Average age: 5 years
Black Duck’s Center for Open Source Research and Innovation (COSRI)
Open Source Adoption
Open source is Pre-Eminent; It IS TODAY’S architecture
THE FOUNDATION for nearly all applications, operating systems, cloud computing, databases, big data and more
Open Source Usage is Ubiquitous Worldwide
Once an insignificant component in application development, open source is an essential element in today’s app-driven world
Open Source Essential To Development Strategy
>65% leverage OSS to speed application development
>55% leverage OSS for production infrastructure
Open Source Adoption Pace Continues
Use of OSS increased in 65% of companies surveyed vs. 60% in 2015
Open Source Controls
Effectively Managing Open Source Risk
• INVENTORY open source components in your code
• MAP components to known vulnerabilities
• IDENTIFY license & code quality risks
• TRACK policy violations & remediation progress
• ALERT when new vulnerabilities affect your code
Automation and policy management
Integration with DevOps tools and processes
Growing Opportunity for Policies & Procedures
Nearly 50% of companies have NO formal policy for selecting and approving open source code
Existing Policies Rarely Enforced
Nearly 50% of companies that have policies either don’t enforce them or allow them to be bypassed
Companies Aren’t Tracking Their Open Source Code
47% of companies don’t have formal processes in place to track open source code
Understanding Your Open Source Code
Top ways companies review their code for open source (of the 53% that claim to track):
• 48%: development teams manually keep track of open source use
• 30%: ask developers about open source content
• 21%: use third-party tools to scan for open source content
Lack of Visibility is a Major Challenge
Most audit clients had no listing of the open source components in use
45% of components in use were known to the code owners
147 unique open source components per application on average
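The five controls on the "Effectively Managing Open Source Risk" slide (inventory, map, identify, track, alert) and the bill-of-materials gap on the "Lack of Visibility" slide, as one added example in Python. This is not Black Duck's code or tooling; every component name, version, license, VULN-* identifier and the denied-license policy are constructed for illustration, and the dotted-version comparison is a hypothetical simplification of what a real ecosystem (semver, PEP 440, Maven) needs.

```python
"""Added example (not Black Duck's code): the five open source risk controls
run over constructed data. All components, versions, licenses and VULN-*
identifiers are made up; the version rule is a hypothetical simplification."""
from dataclasses import dataclass


def version_key(version):
    """Sort key for dotted versions: numeric parts as ints, others as strings.
    Hypothetical rule that fits the constructed data only."""
    return tuple((0, int(p)) if p.isdigit() else (1, p) for p in version.split("."))


def is_affected(version, affected):
    """affected is (min_inclusive, max_exclusive)."""
    lo, hi = affected
    return version_key(lo) <= version_key(version) < version_key(hi)


def merge_feeds(*feeds):
    """MAP, part 1: no single source is complete, so union several feeds by id."""
    merged = {}
    for feed in feeds:
        for entry in feed:
            merged.setdefault(entry["id"], entry)
    return list(merged.values())


@dataclass
class Finding:
    component: str
    version: str
    kind: str             # "vulnerability" or "license"
    ref: str              # vulnerability id or license name
    severity: str         # feed severity, or "POLICY" for license findings
    status: str = "open"  # TRACK: remediation state


def map_vulnerabilities(inventory, feed):
    """MAP, part 2: components whose version falls in an advisory's affected range."""
    return [Finding(c["name"], c["version"], "vulnerability", v["id"], v["severity"])
            for c in inventory for v in feed
            if v["component"] == c["name"] and is_affected(c["version"], v["affected"])]


def license_violations(inventory, denied):
    """IDENTIFY: license risk against a (hypothetical) denied-license list."""
    return [Finding(c["name"], c["version"], "license", c["license"], "POLICY")
            for c in inventory if c["license"] in denied]


def policy_violations(findings, block_at=("HIGH", "CRITICAL")):
    """TRACK: findings that fail the release policy and stay open until remediated."""
    return [f for f in findings if f.kind == "license" or f.severity in block_at]


def new_alerts(inventory, tracked_ids, feed_update):
    """ALERT: matches from a fresh feed pull that are not already being tracked."""
    return [f for f in map_vulnerabilities(inventory, feed_update) if f.ref not in tracked_ids]


def bom_coverage(declared, discovered):
    """Share of scanned components that the team's declared BOM already listed."""
    found = {c["name"] for c in discovered}
    return len(found & set(declared)) / len(found)


# Constructed sample data: INVENTORY from a scan, two feeds, and a later feed pull.
INVENTORY = [
    {"name": "example-fileupload", "version": "1.2.1", "license": "Apache-2.0"},
    {"name": "example-collections", "version": "3.2.1", "license": "Apache-2.0"},
    {"name": "example-crypto", "version": "1.0.1", "license": "Permissive-1.0"},
    {"name": "example-gpl-widget", "version": "0.9", "license": "GPL-3.0"},
]
DECLARED_BOM = ["example-fileupload", "example-collections"]  # what the team believed it used
DENIED_LICENSES = {"GPL-3.0"}                                   # hypothetical policy
FEED_A = [
    {"id": "VULN-0001", "component": "example-fileupload", "affected": ("1.0", "1.3"), "severity": "HIGH"},
    {"id": "VULN-0002", "component": "example-crypto", "affected": ("1.0.0", "1.0.2"), "severity": "CRITICAL"},
]
FEED_B = [
    {"id": "VULN-0002", "component": "example-crypto", "affected": ("1.0.0", "1.0.2"), "severity": "CRITICAL"},
    {"id": "VULN-0003", "component": "example-collections", "affected": ("3.0", "3.2.2"), "severity": "MEDIUM"},
]
FEED_UPDATE = [
    {"id": "VULN-0001", "component": "example-fileupload", "affected": ("1.0", "1.3"), "severity": "HIGH"},
    {"id": "VULN-0004", "component": "example-collections", "affected": ("3.2.0", "3.3"), "severity": "HIGH"},
    {"id": "VULN-0005", "component": "example-fileupload", "affected": ("1.3", "1.4"), "severity": "HIGH"},
]


def run_pipeline():
    """Run all five controls once; returns tracked findings, blocked findings, fresh alerts."""
    feed = merge_feeds(FEED_A, FEED_B)
    findings = map_vulnerabilities(INVENTORY, feed) + license_violations(INVENTORY, DENIED_LICENSES)
    blocked = policy_violations(findings)
    alerts = new_alerts(INVENTORY, {f.ref for f in findings}, FEED_UPDATE)
    return findings, blocked, alerts


if __name__ == "__main__":
    findings, blocked, alerts = run_pipeline()
    print(f"declared BOM covers {bom_coverage(DECLARED_BOM, INVENTORY):.0%} of scanned components")
    for f in blocked:
        print("blocked:", f.component, f.version, f.kind, f.ref, f.severity, f.status)
    for f in alerts:
        print("new alert:", f.component, f.version, f.ref, f.severity)
```

The point of `merge_feeds` and `new_alerts` is the one the deck stresses: the inventory is built once per build, but the advisory feeds keep changing, so the mapping has to be re-run against the shipped inventory long after the release, and a vulnerability that was already tracked should not re-page anyone. The `bom_coverage` call reproduces the visibility gap the audit data describes: the declared list covers only half of what the scan found.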
Vulnerability
Management
How Are Companies Handling Known Open
Source Vulnerabilities?
Nearly 1/3 of companies have no process for identifying, tracking or remediating known open source vulnerabilities
Chances Are You Have Vulnerabilities Known To The World At Large
67% of the applications had known vulnerabilities
Fact: SAST & DAST tools miss open source vulnerabilities
SAST/DAST tools find vulnerabilities in the custom code you write
They miss open source vulnerabilities that are too complex and hidden deep in the code; known open source vulnerabilities are found by matching the component inventory against disclosed advisories (NVD and other sources), not by testing the code
Detection & Remediation of Open Source Vulnerabilities
• 41% of vulnerabilities are detected and remediated manually
• 10% of vulnerabilities are detected and remediated through third parties
• 19% of vulnerabilities are detected and remediated automatically
Who is Handling Known Open Source Vulnerabilities?
In over 1/2 of all companies no one has responsibility for identifying and tracking remediation
Interestingly, development organizations are 33% more likely to be responsible for identifying and tracking remediation of known open source vulnerabilities than security organizations
Known Vulnerabilities Are Attractive to Attackers (Source: Kenna Security)
• Old vulnerabilities continue to be targeted
• Likelihood of an exploit rises as a vulnerability ages
• Variants of exploits make mitigation harder
• Solution: Patch early
These Aren’t New Problems
• The average vulnerability was disclosed over 5 years prior to our testing: 1,894 days was the average age of the vulnerability since disclosure
• Vulnerable components are added to applications
• More vulnerabilities are disclosed as the code base ages
• Lack of visibility into components and vulnerabilities means public exploits are successful
What could happen???
www.hackernews.com
Some Variant Could Attack
Top 10 Most Common Components with High Risk
| Component | Percent of Apps Analyzed | High-Risk Vulns Found per Component |
|---|---|---|
| Apache Commons FileUpload | 13.8% | 3 |
| Apache Commons Collections | 11.8% | 2 |
| Apache Tomcat | 10.1% | 11 |
| Spring Framework | 9.9% | 2 |
| OpenSSL | 8.3% | 27 |
| Apache Geronimo | 4.6% | 4 |
| zlib | 4.2% | 4 |
| Apache Struts | 3.9% | 20 |
| PNG reference library: libpng (libpng-stable) | 3.3% | 9 |
| libxml2 | 2.2% | 7 |
Open Source Vulnerabilities on the Rise
[Chart: new open source vulnerabilities per year, 1999 to 2016; y-axis 0 to 4,000]
More than 10,000 new vulnerabilities in open source since 2014
Significant Levels of Risk Across All Industries
Open Source Value
The Value of Open Source is Clear
Reduces development costs
Frees developers to differentiate and innovate apps
Accelerates time to market
Challenges Remain
Open Source Security and Management Practices Have Not Kept Pace With Rapid Adoption
In the Wake of High Profile Breaches, More Emphasis Likely on Security.
Sustained Innovation & Momentum
Creating more ways to use more open source more securely
• Research
• Data Gathering/Analysis
• Information Sharing
• Community
Questions?
BREAKOUT SESSIONS
Located in lobby:
Security/Technology Track: Bar Lounge
Legal/M&A Track: Henry Hudson 2

Editor's Notes

  • #2 With great pleasure, I welcome you to the first European Black Duck Flight conference! As we approach our cruising altitude I just wanted to cover a few items to make sure your Flight experience is as smooth as it can be.
  • #3 I’m Bob Canaway, Chief Marketing Officer of Black Duck, and I’m grateful for having so many of our customers and partners here today. I’m also grateful for the hard work that the Black Duck team put in to pull together such a high quality event. Lastly I would like to thank all of our speakers for taking time to present and share with the rest of the Black Duck community.
  • #4 First of all, we have wifi access for attendees.
  • #5 Next, all of the information you need is in our bizzabo application. It has the full agenda, an agenda builder, and more. If you haven’t already, please take a moment to click this link and install…
  • #6 OK, the link is probably too hard to click from the audience… if you’re quick you can scan this QR code, otherwise there is one inside your packet you got at registration. Moving away from logistics, let’s talk about what we have in store for you over the rest of today.
  • #7 We have some great speakers lined up for keynotes. We are going to start with the state of open source this morning followed later by Black Duck’s CEO Lou Shipley.
  • #8 And then we end the day with an inspirational panel moderated by Lou discussing how open source provided major companies with huge benefits and allowed major and rapid innovation.
  • #9 On to the breakout sessions. In the Flight app, you will find all of the details about the sessions. They are all located in Henry Hudson 2 and the Bar Lounge, both in the lobby. I know it’s going to be tough to choose from the 13 unique sessions, so you will be able to find the presentations after the conference in the Flight app.
  • #10 Being the first European Black Duck conference I wanted to share some of the statistics with you. Thanks to very dedicated work by the Black Duck team and the excitement of the Black Duck community, there are over 75 people in this room representing 13 countries, and over 50 companies!
  • #13 Survey of over 2000 people; 1000 applications studied…
  • #14 Describe on-demand business; when and why we are brought in; characteristics of the applications tested.
  • #16 Not just what you use as the building blocks to create an application, but how you develop, integrate, test and deploy the application Operating systems cited as top technology area where OSS is being used, surpassing Big Data and Cloud Computing from previous year. Doesn’t make sense until you reflect and see how the notion of an operating system is being redefined through the use of containers. Alpine Linux, Unikernels. Stripped down, task specific o/s
  • #21 To manage open source vulnerabilities you need to go beyond the testing phase and work throughout the product lifecycle – before, during, and after development. Inventory Open Source – You can’t manage what you don’t see so the first priority is ensuring you have a full, accurate, and current listing of open source used in your applications & containers. Map Known Vulnerabilities – You need a reliable list of known vulnerabilities for your open source and since no single source is complete you need to get this data from multiple sources. Identify Other Risks – Security isn’t the only open source risk to be managed. You also need to manage license compliance and project/code quality risks. You want a single solution that can cover all three. Manage Policies and Remediation Activities – It can be difficult to keep track of your open source risk mitigation efforts. Ideally you want a solution that helps you track these activities. Monitor and Alert for New Vulnerabilities – Since vulnerabilities are often reported months or even years after they enter the code you need a solution that helps you monitor threats to your apps long after they leave development. Big Idea #1: Agile Development is becoming the norm so you need open source vulnerability management to fit seamlessly with your agile tools and processes. This means: You want these capabilities to be automated. You want the ability to define policies up front that can automatically flag open source use and security violations throughout the development lifecycle. You want integrations with your other DevOps and Security tools to allow you to control build processes, invoke workflows, and fold open source metrics into reports and dashboards. Question: Which pieces of a potential solution do you have already and which are you missing?
  • #22 Bob
  • #23 Bob – so the math on this --- only 25% reported having them and enforcing them
  • #24 Know what you have. Require accountability. Software Supply chain.
  • #26 The applications we analyzed, on average, included over 100 unique open source components. If that number surprises you, it also surprises our customers. In our on-demand business, we request a listing of the components the customer believes they use in advance. The vast majority are unable to produce one – they simply don’t know what they are using. However, when they can produce an anticipated inventory, or bill of materials, it includes less than half of the components we find. In other words, while most organizations believe they are using 40-50 components – b/c they have that bill of materials – they are actually using 100 or more.
  • #29 Let’s put a positive spin on this statistic. The good news here is that 1/3 of the applications included no vulnerable components. I want to emphasize that we believe open source is a good thing, and its adoption rate tells us that the world agrees. However, if you’re using open source and not tracking carefully what you’re using, chances are you have vulnerabilities in that code. We found that 2/3 of the applications we analyzed included open source components with known vulnerabilities, published in NIST’s National Vulnerability Database.
  • #30 Severity Matters When Dealing with Risk
  • #31 Automated testing finds common vulnerabilities in the code you write. They are good, not perfect. Different tools work better on different classes of bugs. Many types of bugs are undetectable except by trained security researchers. Big Idea: SAST/DAST tools simply have not shown that they are reliable at finding open source vulnerabilities. Of the 3000+ vulns reported in 2014, less than 1% were found by SAST/DAST tools. If automated security analysis tools and penetration testing tools were effective at finding vulnerabilities in open source, those famous vulnerabilities would have been found long ago. Big Idea #2: No one technique can find every vulnerability – this is why teams need to deploy a mix of static and dynamic testing solutions ALONG WITH AN OPEN SOURCE VULNERABILITY MANAGEMENT SOLUTION LIKE BLACK DUCK. Question: What application security tools does your team use now? Have they been useful in finding known open source vulnerabilities? If not, why do you think that is?
  • #42 Open source vulnerabilities are typically found at a rate of about 2,000 – 2,500 each year, or 5-7 every day. In 2014 we saw a spike in the 6-month period following the disclosure of Heartbleed, as research into common components became popular. It then went down to more typical levels in 2015. What is interesting about this is not just how many vulnerabilities are found, but HOW they are found. While lots of companies use open source, and lots of companies use security testing tools and undoubtedly test the open source they are using, security issues are found almost exclusively by security researchers. The simple bugs that result from coding errors are often caught by other developers – or by testing by the open source community – before new builds are released. Security bugs found in the wild, however, are simply too complex to be identified by tools like static or dynamic analysis. While, admittedly, we didn’t review each of the over 76,000 entries in the National Vulnerability Database, we did search for the names of tools (assuming that the tool vendors would want attribution for bugs found by their tools).
  • #45 Talking Points – LOU: What is open source? Think of it as puzzle pieces – you can assemble combinations of them when assembling code. Benefits of open source are critical to high-growth tech companies. We’ve seen many organizations change their posture to open source over the past few years. It's now viewed much more strategically and organizations are increasingly giving back to the community. They’re no longer just consumers.
  • #46 No more network security. Need to protect the application as most applications are internet-facing or network connected.
  • #48 Are we going repeat the research? Why don’t we see these in the news everyday? Should we be worried about using open source? Will open source adoption continue to accelerate?
  • #49 On to the breakout sessions. In the Flight app, you will find all of the details about the sessions. They are all located in Henry Hudson 2 and the Bar Lounge, both in the lobby. I know it’s going to be tough to choose from the 13 unique sessions, so you will be able to find the presentations after the conference in the Flight app.