
Slide 1: When Security Isn't Free: The Myth of Open Source Security
Copyright © The OWASP Foundation. Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License. The OWASP Foundation, OWASP, http://www.owasp.org
David Harper, EMEA Services Director, Fortify Software

Slide 2: Outline
- The Open Source Myth
  - "Open Source Software is inherently secure"
  - Examine the evidence
- Open Source Security Study
- Securing Open Source Software
  - An approach for the Open Source community
- Exploiting Open Source Software securely
  - Recommendations for the Enterprise

Slide 3: "Open Source Software is inherently secure"

Slide 4: Open Source is Prevalent
Do you use open source? (CIO.com study, April 2008)
- What type of applications?
  - Operating systems: 78%
  - Back end databases & web servers: 74%
  - Software development tools: 61%
  - Desktop applications: 45%
  - Enterprise applications: 29%

Slide 5: Open Source is Trusted
- Many open source projects claim enterprise-class capabilities
- Open source is viewed similarly to closed source
  - 44% of respondents considered open source equal to closed source
- Security is not frequently a concern when choosing open source
  - Only 26% cited security as one of the top 3 barriers to adoption
* Gartner: "Application Security Testing Should Be Mandatory for Outsourced Development and Maintenance"

Slide 6: The Open Source Software Myth
- "Given enough eyeballs, all bugs are shallow"
  - The Cathedral and the Bazaar, Raymond 1977
- Assumes
  - Motivation to perform security code review
  - Reviewers have security expertise
  - There are "enough eyeballs"
- Goes against application security best practice
  - Secure Development Life-cycle

Slide 7: Myth has been widely discredited
- The myth of more eyes
  - Burton Group, 2005
- The myth of open source security
  - John Viega
- Numerous examples of security vulnerabilities that have been present in OSS for more than 10 years
  - Sendmail
  - Kerberos

Slide 8: About Open Source Software
- Open Source Software is not inherently insecure either
- Lots of security benefit from publishing source code
- No "silver bullet" for Software Security

Slide 9: Open Source Security Study

Slide 10: Fortify Open Source Security Study
- Are Open Source Development Communities Embracing Security Best Practices?
- Examine sample of Java Open Source projects
  - Look for vulnerabilities
  - Look for Secure Development Best Practices
- Study by Larry Suto
  - Commissioned by Fortify Software
- Full report: www.fortify.com

Slide 11: Open Source Projects, 11 Selected

Application   Description
Derby         Relational database
Geronimo      Application server
Hibernate     Object relational mapping tool
Hipergate     CRM web application
JBoss         Application server
JOnAS         Application server
OFBiz         E-Business solution web application
OpenCMS       Content management solution
Resin         Application server
Struts        Web application framework
Tomcat        Application server

Slide 12: Vulnerabilities Identified
- High Impact Issues including:
  - SQL Injection
  - Cross-site Scripting
- Vulnerabilities identified: 14,425

Slide 13: Vulnerability Trend (chart; series shown: Derby, Geronimo, Hibernate, Hipergate)

Slide 14: Secure Development Best Practice
- Evaluated key indicators of Best Practice
  - Documentation that covers the security implications and secure deployment of the software they develop
  - A dedicated email alias for users to report security vulnerabilities
  - Easy access to internal security experts to discuss security issues

Slide 15: Secure Development Best Practice

Application   Prominent link to security info.   Security-specific email alias   Easy access to security experts
Derby         N                                  N                               N
Geronimo      N                                  N                               N
Hibernate     N                                  N                               N
Hipergate     N                                  N                               N
JBoss         Y                                  N                               Y
JOnAS         N                                  N                               N
OFBiz         N                                  N                               N
OpenCMS       N                                  N                               N
Resin         N                                  N                               Y
Struts        Y                                  Y                               Y
Tomcat        N                                  N                               N

Slide 16: Securing Open Source Software

Slide 17: Security in the Development Lifecycle (diagram)

Slide 18: Secure Development Life-Cycle
- See www.opensamm.org
- Lifecycle phases shown: Initiate, Define, Implement, Design, Develop, Test, Operate
- OpenSAMM business functions and their security practices:
  - Governance: Strategy & Metrics; Policy & Compliance; Education & Guidance
  - Construction: Threat Assessment; Security Requirements; Secure Architecture
  - Verification: Design Review; Code Review; Security Testing
  - Deployment: Vulnerability Management; Environment Hardening; Operational Enablement

Slide 19: Java Open Review Project
- Source Code Review service for Open Source Projects
  - Fortify Source Code Analyzer
  - Findbugs
- Process
  - Developer submits project
  - Detailed results provided to developer
  - Summary information to consumers
  - Automatic scan of subsequent versions
- See http://opensource.fortify.com

Slide 20: Java Open Review Project (screenshot)

Slide 21: Exploiting Open Source Software securely

Slide 22: Software Security Assurance (SSA)
- A risk management strategy for all sources of software risk
- Assess: software for security vulnerabilities
- Remediate: vulnerabilities found in software
- Prevent: software security vulnerabilities

Slide 23: Assess
- Create Inventory
  - Component
  - Version
  - Business Risk
  - Assign Owner
- Identify and Classify Vulnerabilities
  - Source Code Analysis
  - Architectural Review
- Ensure security involvement in any new OSS decisions

Slide 24: Remediate
- Fix critical vulnerabilities
  - Upgrade to latest version
  - Security Patch
  - Fix code
  - Replace with secure alternative
  - Application Firewall

Slide 25: Prevent
- For each OSS component
  - Assign Owner
  - Implement appropriate strategy
    - Treat as In-house Development: manage using existing SDL
    - Treat as Out-Sourced Development: become a Contributing Developer; Java Open Review project
    - Treat as COTS: patch management
    - Replace
- Establish OSS Security Guidelines
  - Approved List
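The Assess, Remediate and Prevent steps of slides 23 to 25 (inventory with component, version, business risk and owner; fix critical items first; an approved list) can be turned into a small check. This is an added example, not code from the presentation or from Fortify; the approved list, its minimum versions and the inventory entries are constructed placeholders.

```python
"""OSS inventory check for the Assess / Remediate / Prevent slides.
Constructed example, not the presentation's or Fortify's code; the
approved list, versions and components below are placeholders."""
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Hypothetical approved list: component -> minimum version its owner
# accepts as patched (placeholder values, not advisory data).
APPROVED_LIST = {"tomcat": "6.0.18", "struts": "2.0.11", "hibernate": "3.2.6"}

@dataclass
class Component:
    name: str
    version: str
    business_risk: str          # "high", "medium" or "low"
    owner: Optional[str] = None

def parse_version(version: str) -> Tuple[int, ...]:
    """'6.0.18' -> (6, 0, 18); non-numeric parts compare as 0."""
    return tuple(int(p) if p.isdigit() else 0 for p in version.split("."))

def assess(component: Component) -> List[str]:
    """Findings for one inventory entry; an empty list means clean."""
    findings = []
    minimum = APPROVED_LIST.get(component.name.lower())
    if minimum is None:
        findings.append("not on approved list: replace or get it approved")
    elif parse_version(component.version) < parse_version(minimum):
        findings.append(f"below approved minimum {minimum}: upgrade or patch")
    if component.owner is None:
        findings.append("no owner assigned")
    return findings

def remediation_order(inventory: List[Component]) -> List[Tuple[str, List[str]]]:
    """Components with findings, highest business risk first (fix critical first)."""
    rank = {"high": 0, "medium": 1, "low": 2}
    flagged = [(c, assess(c)) for c in inventory if assess(c)]
    flagged.sort(key=lambda item: rank.get(item[0].business_risk, 3))
    return [(c.name, f) for c, f in flagged]

# Constructed inventory using project names from the study's table.
INVENTORY = [
    Component("Hibernate", "3.2.6", "low", "data-team"),
    Component("Hipergate", "4.0", "medium", "crm-team"),
    Component("Tomcat", "5.5.26", "high", "web-team"),
    Component("Struts", "2.0.11", "high"),
]
if __name__ == "__main__":
    for name, findings in remediation_order(INVENTORY):
        print(name, "->", "; ".join(findings))
```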

Slide 26: Summary
- Open Source Software is NOT inherently secure
  - Widespread misunderstanding putting organizations at risk
- Open Source community should
  - Adopt a Secure Development Life-cycle
  - Take advantage of the Java Open Review service
- Enterprises using Open Source Software must
  - Assess impact of current OSS deployments
  - Remediate critical vulnerabilities found
  - Prevent further vulnerabilities by adopting appropriate security strategy

Slide 27: Q&A
David Harper, dharper@fortify.com, +44 118 983 2055
