
Copyright © The OWASP Foundation. Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License. The OWASP Foundation

When Security Isn't Free: The Myth of Open Source Security
David Harper, EMEA Services Director, Fortify Software

Outline
- The Open Source Myth
  - "Open Source Software is inherently secure"
- Examine the evidence
  - Open Source Security Study
- Securing Open Source Software
  - An approach for the Open Source community
- Exploiting Open Source Software securely
  - Recommendations for the Enterprise

"Open Source Software is inherently secure"

Open Source is Prevalent
Do you use open source? What type of applications? (CIO.com study, April 2008)
- Operating systems: 78%
- Back end databases & Web servers: 74%
- Software development tools: 61%
- Desktop applications: 45%
- Enterprise applications: 29%

Open Source is Trusted
- Many open source projects claim enterprise-class capabilities
- Open source is viewed similarly to closed source
  - 44% of respondents rated open source on a par with closed source
- Security is not frequently a concern when choosing open source
  - Only 26% cited security as one of the top 3 barriers to adoption
Source: Gartner, "Application Security Testing Should Be Mandatory for Outsourced Development and Maintenance"

The Open Source Software Myth
- "Given enough eyeballs, all bugs are shallow"
  - The Cathedral and the Bazaar, Raymond, 1997
- Assumes:
  - Motivation to perform security code review
  - Reviewers have security expertise
  - There are "enough eyeballs"
- Goes against application security best practice
  - Secure Development Life-cycle

Myth has been widely discredited
- "The myth of more eyes", Burton Group, 2005
- "The myth of open source security", John Viega
- Numerous examples of security vulnerabilities that have been present in OSS for more than 10 years
  - Sendmail
  - Kerberos

About Open Source Software
- Open Source Software is not inherently insecure either
- Lots of security benefit from publishing source code
- No "silver bullet" for Software Security

Open Source Security Study

Fortify Open Source Security Study
- Are Open Source Development Communities Embracing Security Best Practices?
- Examine sample of Java Open Source projects
  - Look for vulnerabilities
  - Look for Secure Development Best Practices
- Study by Larry Suto, commissioned by Fortify Software
- Full report

Open Source Projects: 11 Selected

Application   Description
Derby         Relational database
Geronimo      Application server
Hibernate     Object relational mapping tool
Hipergate     CRM web application
JBoss         Application server
JOnAS         Application server
OFBiz         E-Business solution web application
OpenCMS       Content management solution
Resin         Application server
Struts        Web application framework
Tomcat        Application server

Vulnerabilities Identified
- High Impact Issues including:
  - SQL Injection
  - Cross-site Scripting
- 14,425

Vulnerability Trend (chart: Derby, Geronimo, Hibernate, Hipergate)

Secure Development Best Practice
- Evaluated key indicators of Best Practice:
  - Documentation that covers the security implications and secure deployment of the software they develop
  - A dedicated alias for users to report security vulnerabilities
  - Easy access to internal security experts to discuss security issues

Secure Development Best Practice

Application   Prominent Link to Security Info   Security-Specific Alias   Easy Access to Security Experts
Derby         N                                 N                         N
Geronimo      N                                 N                         N
Hibernate     N                                 N                         N
Hipergate     N                                 N                         N
JBoss         Y                                 N                         Y
JOnAS         N                                 N                         N
OFBiz         N                                 N                         N
OpenCMS       N                                 N                         N
Resin         N                                 N                         Y
Struts        Y                                 Y                         Y
Tomcat        N                                 N                         N

Securing Open Source Software

Security in the Development Lifecycle

Secure Development Life-Cycle
Lifecycle phases: Initiate, Define, Implement, Design, Develop, Test, Operate
Business functions and security practices:
- Governance: Strategy & Metrics, Policy & Compliance, Education & Guidance
- Construction: Threat Assessment, Security Requirements, Secure Architecture
- Verification: Design Review, Code Review, Security Testing
- Deployment: Vulnerability Management, Environment Hardening, Operational Enablement
See

Java Open Review Project
- Source Code Review service for Open Source Projects
  - Fortify Source Code Analyzer
  - FindBugs
- Process
  - Developer submits project
  - Detailed results provided to developer
  - Summary information to consumers
  - Automatic scan of subsequent versions
- See

Java Open Review Project

Exploiting Open Source Software securely

Software Security Assurance (SSA)
- A risk management strategy for all sources of software risk
  - Assess: software for security vulnerabilities
  - Remediate: vulnerabilities found in software
  - Prevent: software security vulnerabilities

Assess
- Create Inventory
  - Component
  - Version
  - Business Risk
  - Assign Owner
- Identify and Classify Vulnerabilities
  - Source Code Analysis
  - Architectural Review
- Ensure security involvement in any new OSS decisions

Remediate
- Fix critical vulnerabilities
  - Upgrade to latest version
  - Security Patch
  - Fix code
  - Replace with secure alternative
  - Application Firewall

Prevent
- For each OSS component
  - Assign Owner
  - Implement appropriate strategy
    - Treat as In-house Development: manage using existing SDL
    - Treat as Out-Sourced Development: become a Contributing Developer; Java Open Review project
    - Treat as COTS: patch management
    - Replace
- Establish OSS Security Guidelines
  - Approved List
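The Assess, Remediate and Prevent slides above describe one repeatable check: inventory every OSS component with its version, business risk and owner, match the inventory against known advisories to decide what to upgrade, and flag anything that has no owner or is not on the approved list. The script below is an added example of that check, not code from the presentation, from Fortify or from any of the studied projects. The component names, the advisory list and the approved list are all constructed fixtures (no real projects or real vulnerabilities), and version matching is a plain dotted-integer comparison that does not understand qualifiers such as "-beta".

```python
"""OSS component triage: the Assess and Prevent steps as a runnable check.

Added example, not code from the presentation or from Fortify. Every
name below is a constructed fixture: the component names are fictional,
the advisories are made up, and the approved list is invented for the
demonstration.
"""

# Inventory rows: (component, version, business risk, owner).
# Constructed data; "examplefw" deliberately has no owner.
INVENTORY = [
    ("exampleorm",  "3.2.1", "high",   "data-platform"),
    ("examplefw",   "1.0.9", "high",   None),
    ("examplecms",  "2.4.0", "medium", "web-team"),
    ("exampleutil", "0.9.5", "low",    "web-team"),
]

# Advisory rows: (component, first affected, first fixed, severity, issue).
# Constructed data, not real vulnerabilities.
ADVISORIES = [
    ("exampleorm",  "3.0.0", "3.2.2", "high", "SQL injection in query builder"),
    ("examplefw",   "1.0.0", "1.1.0", "high", "reflected XSS in default error page"),
    ("exampleutil", "0.1.0", "0.9.0", "low",  "path traversal in archive helper"),
]

# Approved OSS list (constructed): examplefw was never approved.
APPROVED = {"exampleorm", "examplecms", "exampleutil"}

SEVERITY_RANK = {"high": 0, "medium": 1, "low": 2}


def parse_version(version):
    """Turn '3.2.1' into (3, 2, 1). Purely numeric dotted versions only;
    qualifiers such as '1.0-beta' are out of scope for this example."""
    return tuple(int(part) for part in version.split("."))


def is_affected(version, first_affected, first_fixed):
    """True when first_affected <= version < first_fixed."""
    v = parse_version(version)
    return parse_version(first_affected) <= v < parse_version(first_fixed)


def assess(inventory, advisories):
    """Assess step: match each inventoried component against the advisory
    list and record the version that fixes each hit."""
    findings = []
    for name, version, risk, owner in inventory:
        for comp, lo, fixed, severity, issue in advisories:
            if comp == name and is_affected(version, lo, fixed):
                findings.append({
                    "component": name,
                    "version": version,
                    "business_risk": risk,
                    "owner": owner,
                    "severity": severity,
                    "issue": issue,
                    "upgrade_to": fixed,
                })
    return findings


def prioritise(findings):
    """Highest severity first, then highest business risk; the sort is
    stable, so ties keep inventory order."""
    return sorted(findings, key=lambda f: (SEVERITY_RANK[f["severity"]],
                                           SEVERITY_RANK[f["business_risk"]]))


def check_policy(inventory, approved):
    """Prevent step: every component needs an owner and must be on the
    approved list."""
    issues = []
    for name, _version, _risk, owner in inventory:
        if name not in approved:
            issues.append((name, "not on approved OSS list"))
        if owner is None:
            issues.append((name, "no owner assigned"))
    return issues


def report(inventory, advisories, approved):
    """Render the triage as text lines, one per finding or policy issue."""
    lines = []
    for f in prioritise(assess(inventory, advisories)):
        owner = f["owner"] or "UNOWNED"
        lines.append(f"[{f['severity'].upper()}] {f['component']} {f['version']} "
                     f"({owner}, business risk {f['business_risk']}): "
                     f"{f['issue']}; upgrade to {f['upgrade_to']}")
    for name, problem in check_policy(inventory, approved):
        lines.append(f"[POLICY] {name}: {problem}")
    return lines


if __name__ == "__main__":
    print("\n".join(report(INVENTORY, ADVISORIES, APPROVED)))
```

In practice the inventory comes from the build manifest or lock file and the advisories from a vulnerability feed; the part that usually needs hardening is version comparison, since real advisories carry ranges and version qualifiers that the simple tuple compare above does not handle. Note that exampleutil is not reported: its 0.9.5 is past the first fixed version, which is exactly the case a naive "component name matches" check would get wrong.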

Summary
- Open Source Software is NOT inherently secure
- Widespread misunderstanding putting organizations at risk
- Open Source community should
  - Adopt a Secure Development Life-cycle
  - Take advantage of the Java Open Review service
- Enterprises using Open Source Software must
  - Assess impact of current OSS deployments
  - Remediate critical vulnerabilities found
  - Prevent further vulnerabilities by adopting appropriate security strategy

Q&A: David Harper