AppSecUSA2014 rberg


AppSec USA 2014
Denver, Colorado
OWASP A9: A Year Later
Are you still using components with known vulnerabilities?
Our world runs on software, and software runs on open source components. For four years we have asked those on the front lines (developers, architects, and managers) how they're using open source components, and how they're balancing the need for speed with the need for security.
This year, 3,353 people shared their views.
The TRUE State of OSS Security

STATE OF THE INDUSTRY
• Applications are the #1 attack vector leading to breach.
• 13 billion open source component requests annually.
• 11 million developers worldwide.
• 90% of a typical application is now open source components.
• 46 million vulnerable open source components downloaded annually.

PRACTICES
• 76% don’t have meaningful controls over what components are in their applications.
• 21% must prove use of secure components.
• 63% have incomplete view of license risk.
• 84% of developers use Maven/Jar to build applications.

COMPONENTS
• The Central Repository is used by 83%.
• Nexus component managers used 3-to-1 over others.

APP SECURITY
• 6 in 10 don’t track vulnerabilities over time.
• 77% have never banned a component.
• 31% suspected an open source breach.

OSS POLICIES
• 56% have a policy and 68% follow policies.
• Top 3 challenges: no enforcement/workarounds are common, no security, not clear what’s expected.
Open source component use has exploded
13 BILLION open source software component requests (1)
11 MILLION developers worldwide (2)
[Chart: Central Repository component requests per year, 2007 through 2013, rising from 500M to 13B]
Source: (1) Sonatype, Inc. analysis of the (Maven) Central Repository; (2) IDC
Open Source Software is essential
[Graphic: WRITTEN ...to help build your applications; ASSEMBLED ...and satisfy demand]
Most applications are now assembled from hundreds of open source components, often reflecting as much as 90% of an application.
Open source helps meet the accelerated development demand required for these growth drivers.
Heartbleed raises awareness
Q: Has your organization had a breach that can be attributed to a vulnerability in an open source component or dependency in the last 12 months?
Not Uncommon (if you look)
1-in-10 had or suspected an open source related breach in the past 12 months
We Care (shhh don’t tell we don’t really)
• Yet, 78% have never banned an open source component, library or project.
Q: Has your organization ever banned use of an open source component, library or project?
Proof is in the Pudding
More than 1-in-3 say their open source policy doesn’t cover security.
Q: How does your open source policy address security vulnerabilities?
Source: 2014 Sonatype Open Source Development and Application Security Survey
But What About Developers …
Even when component versions are updated 4-5 times a year to fix known security, license or quality issues (1).
Q: Does someone actively monitor your components for changes in vulnerability data?
At Least it’s Good in Production?
Q: Does your organization maintain an inventory of open source components used in production applications?
Which Way are the Fingers Pointing?
Q: Who has responsibility for tracking & resolving newly discovered component vulnerabilities in *production* applications?
In 2013, 50% named AppDev.
In 2013, 8% named AppSec.
ARE OPEN SOURCE POLICIES KEEPING OUR APPLICATIONS SAFE?
We Don’t Need No Stinking Policy!
Q: Does your organization have an open source policy?
We Have a Policy, mmm Bacon
Q: Do you actually follow your company’s open source policy?
Policy Without Controls Is?
Is an “Open Source Policy” more than just a document?
Q: How well does your organization control which components are used in development projects?
Don’t Worry We Got It
But control is not unanimous.
Q: Who in your organization has PRIMARY responsibility for open source policy/governance?
But do I Care?
Q: How would you characterize your developers’ interest in application security?
Source: 2013 and 2014 Sonatype Open Source Development and Application Security Survey
It’s the Applications, Stupid
Hey, if it Works … Ship It!
Q: When selecting components, which characteristics would be most helpful to you? (choose four)
Source: 2014 Sonatype Open Source Development and Application Security Survey
This Security Thing is Such a Drag … Bacon
Q: What application security training is available to you? (multiple selections possible)
Cleanup on Aisle 9
Application development runs at Agile & DevOps speed. Is security keeping pace?
Q: At what point in the development process does your organization perform application security analysis? (multiple selections possible)
WITH OPEN SOURCE COMES
LICENSE CONSIDERATIONS
You Mean Licenses Matter?
Yet, licensing data is considered helpful to 67% of respondents when selecting open source components to use.
Q: Are open source licensing risks or liabilities a top concern in your position?
Why Yes, I Believe it Does
Q: Does your organization/policy manage the use of components by license type (e.g., GPL, copyleft)?
#1 AVOID THE 7 DEADLY HORSES OF THE COMPONENT APOCALYPSE
#1 THE VIRUS
It’s Always Spring Somewhere
CVE-2011-2894
Spring Framework 3.0.0 through 3.0.5, Spring Security 3.0.0 through 3.0.5 and 2.0.0 through 2.0.6, and possibly other versions deserialize objects from untrusted sources, which allows remote attackers to bypass intended security restrictions and execute untrusted code by (1) serializing a java.lang.Proxy instance and using InvocationHandler, or (2) accessing internal AOP interfaces, as demonstrated using deserialization of a DefaultListableBeanFactory instance to execute arbitrary commands via the java.lang.Runtime class.
Number of Dependent Components: 8781
Downloads: 6,987,246
CVSS Score: 6.8
MTTR: 229
Unique Organizations: 72,156
LIFE OF THE PARTY
An App just isn’t an App without XML
CVE-2009-2625
XMLScanner.java in Apache Xerces2 Java, as used in Sun Java Runtime Environment (JRE) in JDK and JRE 6 before Update 15 and JDK and JRE 5.0 before Update 20, and in other products, allows remote attackers to cause a denial of service (infinite loop and application hang) via malformed XML input, as demonstrated by the Codenomicon XML fuzzing framework.
Number of Dependent Components: 4003
Downloads: 3,797,847
CVSS: 5
MTTR: 867
Unique Organizations: 119,569
THE FORGOTTEN
We Are Still Using That?
CVE-2003-1516
The org.apache.xalan.processor.XSLProcessorVersion class in Java Plug-in 1.4.2_01 allows signed and unsigned applets to share variables, which violates the Java security model and could allow remote attackers to read or write data belonging to a signed applet.
Number of Dependent Components: 75
Downloads: 324,765
CVSS: 6.8
Unique Organizations: 119,569
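As an added, defender-side illustration (my code, not Sonatype's tooling or anything from the talk), here is the check these slides are asking for: parse a pom.xml, compare each literal dependency version against the inclusive ranges quoted in the CVE-2011-2894 text above, and report any dependency whose version this file cannot resolve. The advisory table, the Maven coordinates and the sample pom are constructed for the example.

```python
import re
import xml.etree.ElementTree as ET

# Constructed advisory table: (groupId, artifactId, CVE, first vulnerable, last vulnerable),
# ranges inclusive, taken from the CVE-2011-2894 text on the slides. The Maven coordinates
# are my assumption; the CVE says "possibly other versions", so a real check reads a feed.
ADVISORIES = [
    ("org.springframework", "spring-core", "CVE-2011-2894", "3.0.0", "3.0.5"),
    ("org.springframework.security", "spring-security-core", "CVE-2011-2894", "3.0.0", "3.0.5"),
    ("org.springframework.security", "spring-security-core", "CVE-2011-2894", "2.0.0", "2.0.6"),
]

def version_key(version):
    """Numeric tuple for ordering: qualifiers (RELEASE, SNAPSHOT) are dropped so 3.0.5.RELEASE
    equals 3.0.5, padding makes 3.0 equal 3.0.0. Enough for CVE ranges, not full Maven ordering."""
    parts = [int(p) for p in re.split(r"[.\-]", version) if p.isdigit()]
    return tuple(parts + [0] * (4 - len(parts)))

def in_range(version, low, high):
    return version_key(low) <= version_key(version) <= version_key(high)

def parse_pom(pom_xml):
    """Return (literal deps as (g, a, v), deps whose version is a ${property} or
    parent-managed). The latter are reported, never silently treated as safe."""
    ns = {"m": "http://maven.apache.org/POM/4.0.0"}
    resolved, unresolved = [], []
    for dep in ET.fromstring(pom_xml).iterfind(".//m:dependencies/m:dependency", ns):
        g = dep.findtext("m:groupId", namespaces=ns)
        a = dep.findtext("m:artifactId", namespaces=ns)
        v = dep.findtext("m:version", namespaces=ns)
        if v is None or v.startswith("${"):
            unresolved.append((g, a))
        else:
            resolved.append((g, a, v))
    return resolved, unresolved

def audit(pom_xml, advisories=ADVISORIES):
    # Every literal dependency is matched against every advisory range for its coordinates.
    resolved, unresolved = parse_pom(pom_xml)
    findings = [(g, a, v, cve) for g, a, v in resolved
                for ag, aa, cve, lo, hi in advisories
                if (g, a) == (ag, aa) and in_range(v, lo, hi)]
    return findings, unresolved

# Constructed sample pom.xml: one dependency in range, one just past it, and one whose
# version is a property this file does not define.
SAMPLE_POM = """<project xmlns="http://maven.apache.org/POM/4.0.0"><dependencies>
<dependency><groupId>org.springframework</groupId><artifactId>spring-core</artifactId><version>3.0.5.RELEASE</version></dependency>
<dependency><groupId>org.springframework.security</groupId><artifactId>spring-security-core</artifactId><version>3.0.6.RELEASE</version></dependency>
<dependency><groupId>xerces</groupId><artifactId>xercesImpl</artifactId><version>${xerces.version}</version></dependency>
</dependencies></project>"""
```

Running `audit(SAMPLE_POM)` flags spring-core 3.0.5.RELEASE for CVE-2011-2894 and lists xerces:xercesImpl as unresolved; a version that lives in a parent or property must be resolved (for example from the effective pom) before the result means anything.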
THE UNDESIRABLE
No License, No Worries
jstl:1.2 java standard template library implementation
Number of Dependent Components: 1164
Number of Downloads: 182,145
Latest Release Date: May-11-2006
Unique Organizations: 8,383
THE UNPROVEN
I am what I say I am
asm:3.3.1 java bytecode analysis framework
Number of Dependent Components: 1190
Number of Downloads: 19,621
Last Release Date: Jan-12-2011
Unique Organizations: 1,026,964
THE ONE HIT WONDER
One Release … Ever!
jakarta-regexp:1.4 regular expression parsing library
One-Hit Wonder – represents a component that has only a single release, ever.
Number of Dependent Components: 305
Number of Downloads: 432,468
Last Release: Nov-8-2005
Unique Organizations: 14,454
WHAT MATTERS MOST
(Many were upset that bacon was not an option)
Q: What is your favorite pizza topping?
• …and prefer beer 4-to-1 over wine.
Q: What do you like to drink with your pizza?
AppSec USA 2014
Denver, Colorado
Thank You
[email protected]