Software Security Assurance for DevOps
- 3. GROWING ATTACK
SURFACE
NEW DEPLOYMENT
MODELS
Web, Mobile, Cloud, IoT
Containers, IT and Small
Security Teams
• Which apps are people using?
• How do I set internal policy
requirements for app security?
• Is my private / sensitive data
exposed by apps?
• Who is developing the apps?
• How do we prioritize the work
for the resources I have?
• What do we test and how do
we test it?
• How do we staff and improve
skills and awareness?
OPEN SOURCE
Increasing Portion of Code Base
• What policies are in place for
open source use?
• How are those policies
enforced?
• Who is tracking usage for
new vulnerabilities
Application Security Challenges
- 4. Changing Attack Surface
Web applications
Cloud applications and services
IoT
4
“If perimeter control
is to remain the
paradigm of
cybersecurity, then
the number of
perimeters to defend
in the Internet of
Things is doubling
every 17 months.”
Dan Geer
In-Q-Tel
RSA 2015
- 5. Containers can be vulnerable by virtue
of the code that runs inside them
• OSS components running inside
containers represent potential attack
vectors
• Could cause problems for the
application itself
• Could cause more problems if the
container is running with the –
privileged flag set
Agile, Containers and DevOps
- 6. Up to 90%
Open Source
TODAY
50%
Open Source
2010
20%
Open Source
20051998
10%
Open Source
Open Source is the Foundation of Modern Applications
- 7. @FUTUREOFOSS
#FUTUREOSS
GROWING OPPORTUNITY
FOR POLICIES &
PROCEDURES
50%
Nearly
2016
INSIGHTS 4
@FUTUREOFOSS
#FUTUREOSS
UNDERSTANDING YOUR OPEN
SOURCE CODE
Top ways companies review
their code for open source
Development teams
manually keep track of
open source use
48% 30% 21%
Ask developers about
open source content
Use third party tools
to scan for open
source content
2016
INSIGHTS 4
@FUTUREOFOSS
#FUTUREOSS
HOW ARE COMPANIES
HANDLING KNOWN OPEN
SOURCE VULNERABILITIES?
of companies have
no process for
identifying,
tracking or
remediating known
open source
vulnerabilities
Nearly
1/3
2016
INSIGHTS 4
Everybody is using open source, but many organizations still do not have
adequate processes or tools in place to manage it.
Open Source Use has Outpaced Process Maturity
- 9. OPEN SOURCE CODE
DELIVERED CODE
Open Source Enters Your Code Through Many Channels…
DEVELOPER DOWNLOADS
OUTSOURCED DEVELOPMENT
THIRD PARTY LIBRARIES
CODE REUSE
APPROVED COMPONENTS
COMMERCIAL APPS
…and security, compliance & quality risks can come with it.
- 10. Open Source Vulnerabilities are Increasing
Reference: Black Duck Software knowledgebase, NVD, VulnDB
FREAK!SSL, TLS Vulnerability
0
500
1000
1500
2000
2500
3000
3500
4000
1999 2000 2001 2002 2003 2004 2005 2006 2007 2008 2009 2010 2011 2012 2013 2014 2015 2016NVD Black Duck exclusive
- 11. Four Factors That Make Open Source Different
Easy access to code
Exploits readily availableVulnerabilities are public
Used Everywhere
- 12. Who’s Responsible for Open Source Security?
Commercial Code Open Source Code
• Dedicated security researchers
• Alerting and notification infrastructure
• Regular patch updates
Dedicated support team with SLA
• “Community”-based code analysis
• Monitor newsfeeds yourself
• No standard patching mechanism
Ultimately, you are responsible
- 15. Inside Out View
• “White-box”
• Parsing “static” (non-running) code and applying ‘taint analysis’
• Identifies the file and line of code of a vulnerability
Static Analysis (SAST)
SDLC Ecosystem
Analyze Design Implement Test Maintain
Static Analysis
When Used
• Coding phase
• Build verification
1x
6.5x
15x
100x
- 16. Outside In View
• “Black-box”
• Sending test HTTP requests to a running application
• Simulates a malicious user
Dynamic Analysis (DAST)
SDLC Ecosystem
Analyze Design Implement Test Maintain
1x
6.5x
15x
100x
When Used
• QA testing
• Pre-production testing
• Production (with caution)
Dynamic Analysis
- 17. Identifies all open source to the version level, at any stage of the SDL
Provides information on associated:
• License Risk
• Security Risk
• Operational Risk
Source Composition Analysis (SCA)
When Used
• Design
• First commit
• Continuous monitoring
SDLC Ecosystem
Analyze Design Implement Test Maintain
1x
6.5x
15x
100x
Open Source Selection Detection and Notification
- 19. Why Static Analysis and SCA?
Automated testing finds common
vulnerabilities in the code you write
They are good, not perfect
Different tools work better on different classes
of bugs
Many types of bugs are undetectable except by
trained security researchers
All possible
security vulnerabilities
FREAK!
Static
Analysis
Dynamic
Analysis
- 20. Fortify + Black Duck Technology Alliance
Address pervasive, rapidly-growing Security &
Compliance risks with Open Source
Gain visibility on risks across Custom Code and
Open Source Code
Integrate governance and remediation as part of
Software Security Assurance
Risks in Open
Source Code
(Black Duck Hub)
Manage Risks in Open
Source as part of
Fortify SSC
Risks in Custom
Code with SAST,
DAST, & RASP
- 22. Overview Shows Black Duck Results Within Fortify SSC
Open Source
vulnerabilities (3rd
Party Components)
from Black Duck
analysis
Custom Code
vulnerabilities from
Fortify SCA analysis
- 25. Continuous Integration Environment
Binary Repository Management
(Artifactory / Nexus)
Developers / IDE
(Eclipse)
Continuous Integration Server
(Jenkins / TeamCity / Bamboo)
Deployment Environments (Amazon
/ Docker / VMWare / Openstack)
Test Automation Tools
(Selenium / JUnit)
Quality Management Tools
Bug Tracking Tools
Source Control Management (Git,
CVS / Subversion / Perforce)
Build Tools (Maven / Bundler)
- 26. Continuous Integration Environment
Developers / IDE
(Eclipse)
Continuous Integration Server
(Jenkins / TeamCity / Bamboo)
Test Automation Tools
(Selenium / JUnit)
Quality Management Tools
Bug Tracking Tools
Source Control Management (Git,
CVS / Subversion / Perforce)
Build Tools (Maven / Bundler)
SAST / DAST / IAST
SAST / OSS
DAST / OSS
DAST / OSS
SAST / OSS
Binary Repository Management
(Artifactory / Nexus)
Deployment Environments (Amazon
/ Docker / VMWare / Openstack)
- 28. Speak with your heads of application security and software development and
find out…
• What policies exist for managing open source?
• Is there a list of components used in all applications?
• How are they creating the list?
• What controls do they have to ensure nothing gets through?
• How are they tracking vulnerabilities for all components over time?
• How do they account for the different testing requirements for custom code v.
open source?
• What is the best security automation strategy for your organization?
What can you do tomorrow?