Presentation transcript: AppSec USA 2014, Denver, Colorado. OWASP A9: A Year Later. Are you still using components with known vulnerabilities?
2 Our world runs on software, and software runs on open source components. For four years we have asked those on the front lines, developers, architects, and managers, how they're using open source components and how they balance the need for speed with the need for security. This year 3,353 people shared their views.
3 The True State of OSS Security
OSS policies: 56% have a policy and 68% follow policies. Top 3 challenges: no enforcement (workarounds are common), no security, not clear what's expected.
Practices: 76% don't have meaningful controls over what components are in their applications. 21% must prove use of secure components. 63% have an incomplete view of license risk.
Components: The Central Repository is used by 83%. Nexus component managers are used 3-to-1 over others. 84% of developers use Maven/JAR to build applications.
State of the industry: Applications are the #1 attack vector leading to breach. 13 billion open source component requests annually. 11 million developers worldwide. 90% of a typical application is now open source components. 46 million vulnerable open source components downloaded annually.
App security: 6 in 10 don't track vulnerabilities over time. 77% have never banned a component. 31% suspected an open source breach.
4 Open source component use has exploded: 13 billion open source software component requests (source 1: Sonatype, Inc. analysis of the (Maven) Central Repository) and 11 million developers worldwide (source 2: IDC). [Chart: annual component requests rising from 500M to 13B.]
5 Open Source Software is essential ...to help build your applications: most applications are now assembled from hundreds of open source components, often reflecting as much as 90% of an application (assembled vs. written). ...and to satisfy demand: open source helps meet the accelerated development demand required for these growth drivers.
6 Heartbleed raises awareness. Q: Has your organization had a breach that can be attributed to a vulnerability in an open source component or dependency in the last 12 months?
7 Not Uncommon (if you look): 1 in 10 had or suspected an open source related breach in the past 12 months.
8 We Care (shhh, don't tell, we don't really). Q: Has your organization ever banned use of an open source component, library or project? Yet 78% have never banned an open source component, library or project.
9 Proof is in the Pudding. Q: How does your open source policy address security vulnerabilities? More than 1 in 3 say their open source policy doesn't cover security. Source: 2014 Sonatype Open Source Development and Application Security Survey.
10 But What About Developers... Q: Does someone actively monitor your components for changes in vulnerability data? Even when component versions are updated 4-5 times a year to fix known security, license or quality issues.
11 At Least It's Good in Production? Q: Does your organization maintain an inventory of open source components used in production applications?
12 Which Way Are the Fingers Pointing? Q: Who has responsibility for tracking and resolving newly discovered component vulnerabilities in *production* applications? In 2013, 50% named AppDev and 8% named AppSec.
ARE OPEN SOURCE POLICIES KEEPING OUR APPLICATIONS SAFE?
14 We Don't Need No Stinking Policy! Q: Does your organization have an open source policy?
15 We Have a Policy, mmm Bacon. Q: Do you actually follow your company's open source policy?
16 Policy Without Controls Is? Is an "Open Source Policy" more than just a document? Q: How well does your organization control which components are used in development projects?
17 Don't Worry, We Got It. But control is not unanimous. Q: Who in your organization has PRIMARY responsibility for open source policy/governance?
18 But Do I Care? Q: How would you characterize your developers' interest in application security? Source: 2013 and 2014 Sonatype Open Source Development and Application Security Survey.
IT'S THE APPLICATIONS, STUPID
20 Hey, if it Works... Ship It! Q: When selecting components, which characteristics would be most helpful to you? (choose four) Source: 2014 Sonatype Open Source Development and Application Security Survey.
21 This Security Thing is Such a Drag... Bacon. Q: What application security training is available to you? (multiple selections possible)
22 Cleanup on Aisle 9. Application development runs at Agile and DevOps speed. Is security keeping pace? Q: At what point in the development process does your organization perform application security analysis? (multiple selections possible)
WITH OPEN SOURCE COMES LICENSE CONSIDERATIONS
24 You Mean Licenses Matter? Q: Are open source licensing risks or liabilities a top concern in your position? Yet licensing data is considered helpful by 67% of respondents when selecting open source components to use.
25 Why Yes, I Believe it Does. Q: Does your organization/policy manage the use of components by license type (e.g., GPL, copyleft)?
#1 AVOID THE 7 DEADLY HORSES OF THE COMPONENT APOCALYPSE
#1 THE VIRUS
28 It's Always Spring Somewhere. Number of dependent components: 8,781. Downloads: 6,987,246. CVSS score: 6.8. MTTR: 229. Unique organizations: 72,156. CVE description: Spring Framework through 3.0.5, Spring Security through 2.0.6, and possibly other versions deserialize objects from untrusted sources, which allows remote attackers to bypass intended security restrictions and execute untrusted code by (1) serializing a java.lang.Proxy instance and using InvocationHandler, or (2) accessing internal AOP interfaces, as demonstrated using deserialization of a DefaultListableBeanFactory instance to execute arbitrary commands via the java.lang.Runtime class.
LIFE OF THE PARTY
30 An App just isn't an App without XML. Number of dependent components: 4,003. Downloads: 3,797,847. CVSS: 5. MTTR: 867. Unique organizations: 119,569. CVE description: XMLScanner.java in Apache Xerces2 Java, as used in Sun Java Runtime Environment (JRE) in JDK and JRE 6 before Update 15 and JDK and JRE 5.0 before Update 20, and in other products, allows remote attackers to cause a denial of service (infinite loop and application hang) via malformed XML input, as demonstrated by the Codenomicon XML fuzzing framework.
32 We Are Still Using That? Number of dependent components: 75. Downloads: 324,765. CVSS: 6.8. Unique organizations: 119,569. CVE description: The org.apache.xalan.processor.XSLProcessorVersion class in Java Plug-in 1.4.2_01 allows signed and unsigned applets to share variables, which violates the Java security model and could allow remote attackers to read or write data belonging to a signed applet.
34 No License, No Worries. Number of dependent components: 1,164. Number of downloads: 182,145. Latest release date: May. Unique organizations: 8,383. jstl:1.2, java standard template library implementation.
36 I Am What I Say I Am. Number of dependent components: 1,190. Number of downloads: 19,621. Last release date: Jan. Unique organizations: 1,026,964. asm:3.3.1, java bytecode analysis framework.
THE ONE HIT WONDER
39 One Release... Ever! The One-Hit Wonder represents a component that has only a single release, ever. Number of dependent components: 305. Number of downloads: 432,468. Last release: Nov. Unique organizations: 14,454. jakarta-regexp:1.4, regular expression parsing library.
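As an added example (not from the talk or from Sonatype's tooling), here is the minimal inventory check that slides 11 and 28-39 argue for: it reads a constructed `mvn dependency:list` style output and flags components against a constructed policy, using a version ceiling that mirrors the "through 3.0.5" wording of the Spring entry, a missing-license flag, and a single-release flag. The Maven coordinates and policy entries are assumptions, not survey data.

```python
import re

# Constructed sample in the shape of `mvn dependency:list` output
# (groupId:artifactId:type:version:scope); versions chosen to exercise each rule.
DEPENDENCY_LIST = """\
   org.springframework:spring-core:jar:3.0.5:compile
   org.springframework:spring-context:jar:3.2.1.RELEASE:compile
   javax.servlet:jstl:jar:1.2:compile
   jakarta-regexp:jakarta-regexp:jar:1.4:compile
   asm:asm:jar:3.3.1:compile
"""

# Constructed policy (assumed coordinates, not the talk's data). A version ceiling
# mirrors the slides' "affected through X" wording; the other fields cover the
# "no license" and "one release ever" components the deck calls out.
POLICY = {
    "org.springframework:spring-core": {"vulnerable_through": "3.0.5"},
    "org.springframework:spring-context": {"vulnerable_through": "3.0.5"},
    "javax.servlet:jstl": {"license": None},
    "jakarta-regexp:jakarta-regexp": {"release_count": 1},
}

def parse_version(v):
    """'3.0.5' or '3.2.1.RELEASE' -> comparable tuple of numeric parts. Text
    qualifiers are dropped, so '3.0.5.RC1' == '3.0.5' (conservative: flagged)."""
    return tuple(int(p) for p in re.split(r"[.\-]", v) if p.isdigit())

def parse_dependency_list(text):
    """Return [(groupId:artifactId, version)] for each dependency line."""
    rows = [line.strip().split(":") for line in text.splitlines() if line.strip()]
    return [(f"{p[0]}:{p[1]}", p[3]) for p in rows if len(p) >= 4]

def check_inventory(text, policy=POLICY):
    """Return {groupId:artifactId:version: [findings]} for policy violations."""
    findings = {}
    for coord, version in parse_dependency_list(text):
        rule = policy.get(coord, {})
        issues = []
        ceiling = rule.get("vulnerable_through")
        if ceiling and parse_version(version) <= parse_version(ceiling):
            issues.append(f"known vulnerable: {version} <= {ceiling}")
        if "license" in rule and rule["license"] is None:
            issues.append("no declared license")
        if rule.get("release_count") == 1:
            issues.append("single release ever")
        if issues:
            findings[f"{coord}:{version}"] = issues
    return findings

if __name__ == "__main__":
    for component, issues in check_inventory(DEPENDENCY_LIST).items():
        print(component, "->", "; ".join(issues))
```

A real run would feed `mvn dependency:list -DoutputFile=...` output (which prefixes lines with `[INFO]`, stripped here) and a policy sourced from vulnerability data rather than hand-written entries.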
WHAT MATTERS MOST
42 Q: What is your favorite pizza topping? (Many were upset that bacon was not an option.)
43 Q: What do you like to drink with your pizza? ...and they prefer beer 4-to-1 over wine.