Keeping applications secure, whether you're developing for internal use or for your customers, isn't easy. Today, applications are a mix of open source and custom code. Identifying and resolving security vulnerabilities in both requires the right tools and know-how. Black Duck and IBM are working together to help you keep your applications secure.
CONSTANTINE: Welcome to our webinar on application security in the age of open source. My name is Constantine Grancharov from IBM Security (PROVIDE BRIEF BACKGROUND, ROL). I’ll be hosting today’s session with Mike Pittenger of Black Duck. MIKE: introduces self, provides brief background and role.
CONSTANTINE: Over the next 30 minutes or so, our goal is to give you a brief overview on the state of application security and the new challenges that the rise in open source software use is having on it. We’ll then share our perspective on a new holistic approach organizations can take to ensure application security in this new hybrid world.
CONSTANTINE: First, let’s kick things off with a brief overview on the current state of application security
One of main weaknesses in the IT infrastructure of organizations is where most people do not expect – it is in the application layer. Many applications are not built with security in mind and they become the weakest link that attackers exploit to carry out a data breach. In fact…
SQL injections, a type of application attack, were responsible for 8.1 percent of all data breaches in 2014Source: The 10 Most Common Application Attacks in Action, April 2015https://securityintelligence.com/the-10-most-common-application-attacks-in-action/#.VWd6zmN3iyC
CONSTANTINE: Here is another chart that illustrates that organizations are not paying enough attention to the application security problem.
Based on another study done by the Ponemon Institute, the highest security risk is at the application layer. Yet, most organizations focus primarily on the Network layer, and that’s where they allocate most of their resources…
CONSTANTINE: What are some of the challenges organizations face when it comes to application security?...
Compliance –External regulations and internal policy requirements
How do I set internal policy requirements for application security?
Is my private/sensitive data exposed by apps?
How do I check for and demonstrate application compliance?
Pace – Rapid growth in number of applications and releases to meet the requirements of the business
Which applications pose the biggest business risk? Mobile? Web? Partner? 3rd Party Vendor?
How do we test apps for security in rapid DevOps/Agile shops without slowing down the process/business?
How do we reduce costs and catch security problems before production/earlier in the lifecycle?
Resources–Resource and awareness challenges
Where do we start? How do we prioritize the work?
What do we test and how do we test it?
How do we staff and improve skills and awareness?
CONSTANTINE: The third, and final challenge faced by application security teams is the changing code base. It not only is comprised of custom code but increasingly, open source components, projects and code that help to [READ BULLETS ABOVE].
CONSTANTINE: Now, I’m going to turn it over to Mike Pittenger, who will dive into more detail on the unique application security risks posed by open source and how organizations need to think about protecting themselves from such risks.
MIKE: One of the most challenging aspects of container security is finding open source software vulnerabilities. This is increasingly important. After all, open source software makes up a growing percentage of your code base and containers are commonly built on open source components.
MIKE: Open source was once viewed with suspicion, but in the past few years has been embraced by organizations, everyone from mobile application developers to the Department of Defense and large financial services organizations. Gartner estimates the 99% of the Global 2000 now use open source components, and over 1.5 million projects are now available for use. Note also that Gartner believes unrestricted use without organizational policies and controls brings risk to organizations.
MIKE: Managing open source can be a challenge, since it can enter the code base in several ways. You may have policies, and even review and approve open source in design reviews, but developers may reuse internal code that includes older open source components, pull unapproved code from web-based repositories, integrate code from supply chain partners.
The end result is deployed code that contains open source, often without the knowledge or review of development managers and security teams.
MIKE: This new world presents two very different but equally important application security challenges for organizations. They include:
One of main weaknesses in the IT infrastructure of organizations is where most people do not expect – it is in the application layer. Many applications are not built with security in mind and they become the weakest link that attackers exploit to carry out a data breach. In fact…
SQL injections, a type of application attack, were responsible for 8.1 percent of all data breaches in 2014Source: The 10 Most Common Application Attacks in Action, April 2015https://securityintelligence.com/the-10-most-common-application-attacks-in-action/#.VWd6zmN3iyC
59% of banking applications we tracked are vulnerable to a critical disclosure.Source: IBM X-Force Threat Research 1Q 2015 Reporthttp://www-01.ibm.com/common/ssi/cgi-bin/ssialias?subtype=WH&infotype=SA&appname=SCTE_WG_WG_USEN&htmlfid=WGL03073USEN&attachment=WGL03073USEN.PDF#loaded
On mobile devices you get your applications from an app store, not your corporate image, like you do with a laptop. We usually have no idea who built those applications, we have no relationship or support agreement with the developer, and we have no idea how the application works.
MIKE: Open source is not necessarily less secure, or more secure, than commercial software. There are, however, some characteristics of open source that make it particularly attractive to attackers.
Open source is widely used by enterprises in commercial applications
Therefore, a new vulnerability in a popular project provides a target-rich environment for attackers.
Attackers have access to the code for analysis
Vulnerabilities in commercial code are exploitable, but attackers don’t have easy access to the source for analysis. That’s not the case in open source, where everyone has access. Like researchers, attackers can also identify new vulnerabilities
When new vulnerabilities are disclosed, we publish them to the world
NIST maintains the National Vulnerability database as a publicly available reference for vulnerabilities identified in software, and other sources – most notably OSVDB – focus on all identified vulnerabilities in open source.
Proof of the vulnerability (in the form of an exploit) is often included
When a vulnerability is discovered, the researcher will typically provide proof of the vulnerability in the form of exploit code, making the attackers’ job even easier
Attackers can use these as well – but if they are confused, there are typically YouTube videos available to provide step-by-step instructions
MIKE: What’s the implication of using open source code? Something many organizations haven’t considered is that the support model is entirely different.
With commercial code, there are often dedicated security researchers, whose findings are put out via a robust alerting infrastructure to all their customers. Regular patches means their customers need not worry too much about remediation, as long as their patch management process is fairly robust. And most importantly, dedicated support teams are able to respond to your issues should anything happen.
With open source code, security research is often done by “white hat” hackers, academics, and the general open source community. There isn’t necessarily a clear process for making sure all code commits do not introduce new vulnerabilities.
Security issues are usually announced on newsfeeds, email lists which you need to subscribe to. There is no proactive alerting for customers since there are no “customers” in the traditional sense of the word.
When bug fixes go out, patching usually just means downloading the latest version, which may break the application. There is no one standard way of distributing patches to open source code.
And finally, the biggest challenge of all is that your engineering and security teams are ultimately responsible for the open source code you use. In case of a security incident, when it comes to open source there is no vendor you can point a finger at. That means the imperative is on you to be extra-vigilant when it comes to open source vulnerabilities.
MIKE: In short, many companies are not addressing this. The best practices we have seen in large, multi-national organizations, with mature SDLC practices, would be similar to the 3 activities listed here – question development teams about what they are using, tally the results in a spreadsheet, and react to vulnerabilities that they hear about.
Manual tabulation
Manual tabulation occurs either at design review (and is therefore dependent on developers adhering to version requirements and not adding additional functionality) or at the end of the development cycle (therefore dependent on the dev teams' memory and best efforts). In both cases, accuracy is dependent on static requirements or managers’ memories.
Accuracy at the beginning of the SDLC ignores any changes in requirements, especially in an Agile environment. It is also dependent on developers selecting the approved version of a component
Accuracy at the end of the SDLC is subject to recollection and level of effort
Maintain results in a spreadsheet
Updates to code that include new open source may not be captured
Tracking of new vulnerabilities in the components used is decentralized, at best
Manual tracking quickly becomes unmanageable
On average, 11 new vulnerabilities per day
What do you do if you have 100 internal applications, and each uses 10 open source components?
MIKE: A best-practices solution would combine elements of TRUST, VERIFICATION, and MONITORING:
1 – Starting with TRUST, this is providing developers and architects a way to choose open source components that are free of known vulnerabilities, and have active community support. This is a proactive step that reduces risk downstream in the software development process, and is the most cost-effective means of risk reduction.
2 – VERIFICATION means two things, having an accurate inventory of open source and being able to map than against all known vulnerabilities, in any and all applications, at any point in the SDL
3 – MONITOR means being able to monitor the released code for newly discovered vulnerabilities and alert the right people for remediation.
Many organizations end security testing when applications are released. After all, the code base isn’t changing, nor are the security rules in the tools, so why test simply to see the same results again? However, this ignores the fact that while the code base isn’t changing, the threat environment changes constantly. With over 4,000 new vulnerabilities each year, a comprehensive solution should be continuously monitoring this constant stream of new vulnerabilities, and automatically notify you of any new vulnerabilities in the open source you used in deployed applications, including:
Which applications use the code
How critical the vulnerability is, and
How to remediate it
MIKE:
The SDLC has always focused on activities that help build security into applications at each stage of the development process, including the use of appropriate testing tools.
A similar set of activities is needed for addressing the security of the open source we use. This includes creating policies for the characteristics of open source you will allow in your applications, then ENFORCING those policies at each stage of the SDLC to ensure that, when you ship code, it is free from vulnerabilities in the open source components. In addition, continuous monitoring of the threat space will provide early notification of new vulnerabilities, and the tools needed to identify and remediate affected applications.
MIKE: Now I’ll pass the baton back to Constantine from IBM who will show a brief demo of how we manage security vulnerabilities for custom code and open source code in a holistic manner.
CONSTANTINE
AppScan Enterprise --
CONSTANTINE
CONSTANTINE
CONSTANTINE
MIKE
MIKE: In summary, we’ve discussed:
OSS is pervasive and integral part of app development
OSS has unique security and support challenges
manual process isn’t sufficient
Therefore, level of risk warrants action.
If you agree this is a priority for you, the next steps are critical. Most CISOs we speak with want to find out more about the current situation at their organization. The best person to ask is often the head of application development.
What you want to know are the answers to the following questions:
What policies exist?
Is there a list of components?
How are they creating the list?
Are they tracking vulnerabilities?
How do they ensure nothing gets through?
These questions will shed light on the current state of how open source is used and managed at your organization and give you a good starting point for further discussions. What would you propose the next steps should be?