SlideShare ist ein Scribd-Unternehmen logo

Managing the Security Impact of Bundled Open Source Software from OSCON

Cisco Security
Cisco Security

The benefits of including Open Source Software in products and services are very well understood, including many that greatly improve the security of the resultant product. Less well-known or understood, however, is the real security impact of bundling OSS and other third-party software into products. View the blog and on-demand presentation: http://ow.ly/dIZsl

Technologie
1 von 25
Managing the Security Impact of Bundled Third-Party Software Tim Sammut tsammut@cisco.com
About me Cisco Security Research & Gentoo Linux Security Team ICASI Third-Party Software Operations Member Security Working Group Chair tsammut@cisco.com underling@gentoo.org
About you
Do you produce a product, service or package?
Do you disclose vulnerabilities to your customers?
Where is third-party software creating security problems for you?
 Open Source Software vs. Third-Party Software Quick Level Set  Do we even care about this stuff?  What are we trying to accomplish?
It is not our code, but it is our product!
The Challenges
 Which packages?  Which versions?  Which compile-time options? Knowing Where  Which kernel versions? TPS is Used Given a vulnerable TPS package can you reliably determine affected products? Knowing Where TPS is Understanding Inconsistent Package Unmanageable Learning of Inconsistent Fixes External Development Used Dependencies Naming Selection Processes Vulnerabilities Partners
 Exposure expands in under-understood ways  Dependencies are equally exposed to vulnerabilities Understanding  Tools hide build and run-time dependencies Dependencies Focus is often on point requirements without documenting every TPS package incorporated. Knowing Where TPS is Understanding Inconsistent Package Unmanageable Learning of Inconsistent Fixes External Development Used Dependencies Naming Selection Processes Vulnerabilities Partners
 No naming scheme  Even authoritative names change  Locally modified packages are indistinguishable Inconsistent  Simple input variances Package Naming  Versioning is itself complex Are you able to efficiently process large amounts of TPS usage data? Knowing Where TPS is Understanding Inconsistent Package Unmanageable Learning of Inconsistent Fixes External Development Used Dependencies Naming Selection Processes Vulnerabilities Partners
 How are development teams choosing which TPS is used?  Are the considering stability or security? Unmanageable  Are they planing for the ongoing maintenance? Selection Processes Are you gaining development-time freedoms at the expense of long-term maintainability? Knowing Where TPS is Understanding Inconsistent Package Unmanageable Learning of Inconsistent Fixes External Development Used Dependencies Naming Selection Processes Vulnerabilities Partners
 No “Single Source of Truth” Learning of Newly  Disclosure formats, vehicles and time lines vary wildly Disclosed  Monitoring the CVE dictionary is incomplete Vulnerabilities Do you learn of new and relevant TPS vulnerabilities before your customers? Knowing Where TPS is Understanding Inconsistent Package Unmanageable Learning of Inconsistent Fixes External Development Used Dependencies Naming Selection Processes Vulnerabilities Partners
 Do we wait for a new upstream release?  Do we upgrade? Can we upgrade?  Do we patch? Inconsistent Fixing  Will an upstream fix ever come? of Vulnerabilities  Is the upstream even active? Solving this one time is easy. Do you know what you did last time or across many products? Knowing Where TPS is Understanding Inconsistent Package Unmanageable Learning of Inconsistent Fixes External Development Used Dependencies Naming Selection Processes Vulnerabilities Partners
 Who is responsible to fix the issue? External  How quickly?  In what cases? Development  And for how long? Partners  Are each of the previous challenges covered? Combining TPS and external partners creates efficiency and vast unknowns that must be managed. Knowing Where TPS is Understanding Inconsistent Package Unmanageable Learning of Inconsistent Fixes External Development Used Dependencies Naming Selection Processes Vulnerabilities Partners
What other challenges exist? Knowing Where TPS is Understanding Inconsistent Package Unmanageable Learning of Inconsistent Fixes External Development Used Dependencies Naming Selection Processes Vulnerabilities Partners
The “Solutions”
Absolutely critical and foundational to success Build a Strong Catalog of TPS Use Knowing Where TPS is Understanding Inconsistent Package Unmanageable Learning of Inconsistent Fixes External Development Used Dependencies Naming Selection Processes Vulnerabilities Partners
Creates tremendous efficiencies throughout the problem space Standardize Everything Possible Knowing Where TPS is Understanding Inconsistent Package Unmanageable Learning of Inconsistent Fixes External Development Used Dependencies Naming Selection Processes Vulnerabilities Partners
Must produce a consistent vulnerability feed for internal consumption Monitor Vulnerability Disclosure Scalably Knowing Where TPS is Understanding Inconsistent Package Unmanageable Learning of Inconsistent Fixes External Development Used Dependencies Naming Selection Processes Vulnerabilities Partners
Key to understanding today's impact and the historic record Instrument the Bug Database Knowing Where TPS is Understanding Inconsistent Package Unmanageable Learning of Inconsistent Fixes External Development Used Dependencies Naming Selection Processes Vulnerabilities Partners
Support and require the equivalent of internal processes Require Contract Language with Partners Knowing Where TPS is Understanding Inconsistent Package Unmanageable Learning of Inconsistent Fixes External Development Used Dependencies Naming Selection Processes Vulnerabilities Partners
Questions? It is not our code, but it is our product!
Thank you. tsammut@cisco.com

Empfohlen

2013 Cisco Annual Security Report
2013 Cisco Annual Security Report2013 Cisco Annual Security Report
2013 Cisco Annual Security ReportCisco Security
 
Enterprise Strategy Group: Security Survey
Enterprise Strategy Group: Security SurveyEnterprise Strategy Group: Security Survey
Enterprise Strategy Group: Security SurveyCisco Security
 
Cisco 2015 Midyear Security Report Slide Deck
Cisco 2015 Midyear Security Report Slide DeckCisco 2015 Midyear Security Report Slide Deck
Cisco 2015 Midyear Security Report Slide DeckCisco Security
 
Defending the Data Center: Managing Users from the Edge to the Application
Defending the Data Center: Managing Users from the Edge to the ApplicationDefending the Data Center: Managing Users from the Edge to the Application
Defending the Data Center: Managing Users from the Edge to the ApplicationCisco Security
 
Infographic: Security for Mobile Service Providers
Infographic: Security for Mobile Service ProvidersInfographic: Security for Mobile Service Providers
Infographic: Security for Mobile Service ProvidersCisco Security
 
Data Center Security Now and into the Future
Data Center Security Now and into the FutureData Center Security Now and into the Future
Data Center Security Now and into the FutureCisco Security
 
From Physical to Virtual to Cloud
From Physical to Virtual to CloudFrom Physical to Virtual to Cloud
From Physical to Virtual to CloudCisco Security
 
Identify Zero-Day Breaches with Cognitive Threat Analytics on Cisco Web Secur...
Identify Zero-Day Breaches with Cognitive Threat Analytics on Cisco Web Secur...Identify Zero-Day Breaches with Cognitive Threat Analytics on Cisco Web Secur...
Identify Zero-Day Breaches with Cognitive Threat Analytics on Cisco Web Secur...Cisco Security
 

Empfohlen

2013 Cisco Annual Security Report
2013 Cisco Annual Security Report2013 Cisco Annual Security Report
2013 Cisco Annual Security ReportCisco Security
 
Enterprise Strategy Group: Security Survey
Enterprise Strategy Group: Security SurveyEnterprise Strategy Group: Security Survey
Enterprise Strategy Group: Security SurveyCisco Security
 
Cisco 2015 Midyear Security Report Slide Deck
Cisco 2015 Midyear Security Report Slide DeckCisco 2015 Midyear Security Report Slide Deck
Cisco 2015 Midyear Security Report Slide DeckCisco Security
 
Defending the Data Center: Managing Users from the Edge to the Application
Defending the Data Center: Managing Users from the Edge to the ApplicationDefending the Data Center: Managing Users from the Edge to the Application
Defending the Data Center: Managing Users from the Edge to the ApplicationCisco Security
 
Infographic: Security for Mobile Service Providers
Infographic: Security for Mobile Service ProvidersInfographic: Security for Mobile Service Providers
Infographic: Security for Mobile Service ProvidersCisco Security
 
Data Center Security Now and into the Future
Data Center Security Now and into the FutureData Center Security Now and into the Future
Data Center Security Now and into the FutureCisco Security
 
From Physical to Virtual to Cloud
From Physical to Virtual to CloudFrom Physical to Virtual to Cloud
From Physical to Virtual to CloudCisco Security
 
Identify Zero-Day Breaches with Cognitive Threat Analytics on Cisco Web Secur...
Identify Zero-Day Breaches with Cognitive Threat Analytics on Cisco Web Secur...Identify Zero-Day Breaches with Cognitive Threat Analytics on Cisco Web Secur...
Identify Zero-Day Breaches with Cognitive Threat Analytics on Cisco Web Secur...Cisco Security
 
Cisco ISE Reduces the Attack Surface by Controlling Access
Cisco ISE Reduces the Attack Surface by Controlling AccessCisco ISE Reduces the Attack Surface by Controlling Access
Cisco ISE Reduces the Attack Surface by Controlling AccessCisco Security
 
Cisco Web and Email Security Overview
Cisco Web and Email Security OverviewCisco Web and Email Security Overview
Cisco Web and Email Security OverviewCisco Security
 
Pervasive Security Across Your Extended Network
Pervasive Security Across Your Extended NetworkPervasive Security Across Your Extended Network
Pervasive Security Across Your Extended NetworkCisco Security
 
McAllen Intermediate School District
McAllen Intermediate School DistrictMcAllen Intermediate School District
McAllen Intermediate School DistrictCisco Security
 
Rizkan
RizkanRizkan
RizkanArya Ningrat
 
Taylor rita visual_resumestoryboard.zip
Taylor rita visual_resumestoryboard.zipTaylor rita visual_resumestoryboard.zip
Taylor rita visual_resumestoryboard.zipRita_E
 
Dapodik ltj
Dapodik ltjDapodik ltj
Dapodik ltjArya Ningrat
 
Intannnnn5555
Intannnnn5555Intannnnn5555
Intannnnn5555Arya Ningrat
 
Plasma e2 24-01-53
Plasma e2 24-01-53Plasma e2 24-01-53
Plasma e2 24-01-53Neannapa Khajornmot
 
Storyboard ikan anyaman kpd 3026
Storyboard ikan anyaman kpd 3026Storyboard ikan anyaman kpd 3026
Storyboard ikan anyaman kpd 3026Affizan Eady
 
Hipertensi 2
Hipertensi 2Hipertensi 2
Hipertensi 2Arya Ningrat
 
Workshop "Smart cities and communities" @ La Sapienza
Workshop "Smart cities and communities" @ La SapienzaWorkshop "Smart cities and communities" @ La Sapienza
Workshop "Smart cities and communities" @ La SapienzaSaverio Massaro
 
Incident Response Services Template - Cisco Security
Incident Response Services Template - Cisco SecurityIncident Response Services Template - Cisco Security
Incident Response Services Template - Cisco SecurityCisco Security
 
3 Tips for Choosing a Next Generation Firewall
3 Tips for Choosing a Next Generation Firewall3 Tips for Choosing a Next Generation Firewall
3 Tips for Choosing a Next Generation FirewallCisco Security
 
AMP Helps Cisco IT Catch 50% More Malware threats
AMP Helps Cisco IT Catch 50% More Malware threatsAMP Helps Cisco IT Catch 50% More Malware threats
AMP Helps Cisco IT Catch 50% More Malware threatsCisco Security
 
A Reality Check on the State of Cybersecurity
A Reality Check on the State of CybersecurityA Reality Check on the State of Cybersecurity
A Reality Check on the State of CybersecurityCisco Security
 
Balance Data Center Security and Performance
Balance Data Center Security and PerformanceBalance Data Center Security and Performance
Balance Data Center Security and PerformanceCisco Security
 
The Cost of Inactivity: Malware Infographic
The Cost of Inactivity: Malware InfographicThe Cost of Inactivity: Malware Infographic
The Cost of Inactivity: Malware InfographicCisco Security
 
Data Center Security Challenges
Data Center Security ChallengesData Center Security Challenges
Data Center Security ChallengesCisco Security
 
Malware and the Cost of Inactivity
Malware and the Cost of InactivityMalware and the Cost of Inactivity
Malware and the Cost of InactivityCisco Security
 
Midsize Business Solutions: Cybersecurity
Midsize Business Solutions: CybersecurityMidsize Business Solutions: Cybersecurity
Midsize Business Solutions: CybersecurityCisco Security
 
Integrated Network Security Strategies
Integrated Network Security StrategiesIntegrated Network Security Strategies
Integrated Network Security StrategiesCisco Security
 

Weitere ähnliche Inhalte

Andere mochten auch

Cisco ISE Reduces the Attack Surface by Controlling Access
Cisco ISE Reduces the Attack Surface by Controlling AccessCisco ISE Reduces the Attack Surface by Controlling Access
Cisco ISE Reduces the Attack Surface by Controlling AccessCisco Security
 
Cisco Web and Email Security Overview
Cisco Web and Email Security OverviewCisco Web and Email Security Overview
Cisco Web and Email Security OverviewCisco Security
 
Pervasive Security Across Your Extended Network
Pervasive Security Across Your Extended NetworkPervasive Security Across Your Extended Network
Pervasive Security Across Your Extended NetworkCisco Security
 
McAllen Intermediate School District
McAllen Intermediate School DistrictMcAllen Intermediate School District
McAllen Intermediate School DistrictCisco Security
 
Taylor rita visual_resumestoryboard.zip
Taylor rita visual_resumestoryboard.zipTaylor rita visual_resumestoryboard.zip
Taylor rita visual_resumestoryboard.zipRita_E
 
Storyboard ikan anyaman kpd 3026
Storyboard ikan anyaman kpd 3026Storyboard ikan anyaman kpd 3026
Storyboard ikan anyaman kpd 3026Affizan Eady
 
Workshop "Smart cities and communities" @ La Sapienza
Workshop "Smart cities and communities" @ La SapienzaWorkshop "Smart cities and communities" @ La Sapienza
Workshop "Smart cities and communities" @ La SapienzaSaverio Massaro
 

Andere mochten auch (12)

Cisco ISE Reduces the Attack Surface by Controlling Access
Cisco ISE Reduces the Attack Surface by Controlling AccessCisco ISE Reduces the Attack Surface by Controlling Access
Cisco ISE Reduces the Attack Surface by Controlling Access
 
Cisco Web and Email Security Overview
Cisco Web and Email Security OverviewCisco Web and Email Security Overview
Cisco Web and Email Security Overview
 
Pervasive Security Across Your Extended Network
Pervasive Security Across Your Extended NetworkPervasive Security Across Your Extended Network
Pervasive Security Across Your Extended Network
 
McAllen Intermediate School District
McAllen Intermediate School DistrictMcAllen Intermediate School District
McAllen Intermediate School District
 
Rizkan
RizkanRizkan
Rizkan
 
Taylor rita visual_resumestoryboard.zip
Taylor rita visual_resumestoryboard.zipTaylor rita visual_resumestoryboard.zip
Taylor rita visual_resumestoryboard.zip
 
Dapodik ltj
Dapodik ltjDapodik ltj
Dapodik ltj
 
Intannnnn5555
Intannnnn5555Intannnnn5555
Intannnnn5555
 
Plasma e2 24-01-53
Plasma e2 24-01-53Plasma e2 24-01-53
Plasma e2 24-01-53
 
Storyboard ikan anyaman kpd 3026
Storyboard ikan anyaman kpd 3026Storyboard ikan anyaman kpd 3026
Storyboard ikan anyaman kpd 3026
 
Hipertensi 2
Hipertensi 2Hipertensi 2
Hipertensi 2
 
Workshop "Smart cities and communities" @ La Sapienza
Workshop "Smart cities and communities" @ La SapienzaWorkshop "Smart cities and communities" @ La Sapienza
Workshop "Smart cities and communities" @ La Sapienza
 

Mehr von Cisco Security

Incident Response Services Template - Cisco Security
Incident Response Services Template - Cisco SecurityIncident Response Services Template - Cisco Security
Incident Response Services Template - Cisco SecurityCisco Security
 
3 Tips for Choosing a Next Generation Firewall
3 Tips for Choosing a Next Generation Firewall3 Tips for Choosing a Next Generation Firewall
3 Tips for Choosing a Next Generation FirewallCisco Security
 
AMP Helps Cisco IT Catch 50% More Malware threats
AMP Helps Cisco IT Catch 50% More Malware threatsAMP Helps Cisco IT Catch 50% More Malware threats
AMP Helps Cisco IT Catch 50% More Malware threatsCisco Security
 
A Reality Check on the State of Cybersecurity
A Reality Check on the State of CybersecurityA Reality Check on the State of Cybersecurity
A Reality Check on the State of CybersecurityCisco Security
 
Balance Data Center Security and Performance
Balance Data Center Security and PerformanceBalance Data Center Security and Performance
Balance Data Center Security and PerformanceCisco Security
 
The Cost of Inactivity: Malware Infographic
The Cost of Inactivity: Malware InfographicThe Cost of Inactivity: Malware Infographic
The Cost of Inactivity: Malware InfographicCisco Security
 
Data Center Security Challenges
Data Center Security ChallengesData Center Security Challenges
Data Center Security ChallengesCisco Security
 
Malware and the Cost of Inactivity
Malware and the Cost of InactivityMalware and the Cost of Inactivity
Malware and the Cost of InactivityCisco Security
 
Midsize Business Solutions: Cybersecurity
Midsize Business Solutions: CybersecurityMidsize Business Solutions: Cybersecurity
Midsize Business Solutions: CybersecurityCisco Security
 
Integrated Network Security Strategies
Integrated Network Security StrategiesIntegrated Network Security Strategies
Integrated Network Security StrategiesCisco Security
 
Cisco Addresses the Full Attack Continuum
Cisco Addresses the Full Attack ContinuumCisco Addresses the Full Attack Continuum
Cisco Addresses the Full Attack ContinuumCisco Security
 
Infonetics Network and Content Security Vendor Scorecard
Infonetics Network and Content Security Vendor ScorecardInfonetics Network and Content Security Vendor Scorecard
Infonetics Network and Content Security Vendor ScorecardCisco Security
 
Gartner Newsletter: Cisco TrustSec Deployed Across Enterprise Campus, Branch ...
Gartner Newsletter: Cisco TrustSec Deployed Across Enterprise Campus, Branch ...Gartner Newsletter: Cisco TrustSec Deployed Across Enterprise Campus, Branch ...
Gartner Newsletter: Cisco TrustSec Deployed Across Enterprise Campus, Branch ...Cisco Security
 
The Evolution of and Need for Secure Network Access
The Evolution of and Need for Secure Network AccessThe Evolution of and Need for Secure Network Access
The Evolution of and Need for Secure Network AccessCisco Security
 
Cisco 2014 Midyear Security Report
Cisco 2014 Midyear Security ReportCisco 2014 Midyear Security Report
Cisco 2014 Midyear Security ReportCisco Security
 
String of Paerls Infographic
String of Paerls InfographicString of Paerls Infographic
String of Paerls InfographicCisco Security
 
Midyear Security Report Infographic
Midyear Security Report InfographicMidyear Security Report Infographic
Midyear Security Report InfographicCisco Security
 
Cisco Annual Security Report Infographic
Cisco Annual Security Report InfographicCisco Annual Security Report Infographic
Cisco Annual Security Report InfographicCisco Security
 
City of Tomorrow Builds in Next-Generation Security
City of Tomorrow Builds in Next-Generation SecurityCity of Tomorrow Builds in Next-Generation Security
City of Tomorrow Builds in Next-Generation SecurityCisco Security
 
Laser Pioneer Secures Network End-to-End to Protect Assets
Laser Pioneer Secures Network End-to-End to Protect AssetsLaser Pioneer Secures Network End-to-End to Protect Assets
Laser Pioneer Secures Network End-to-End to Protect AssetsCisco Security
 

Mehr von Cisco Security (20)

Incident Response Services Template - Cisco Security
Incident Response Services Template - Cisco SecurityIncident Response Services Template - Cisco Security
Incident Response Services Template - Cisco Security
 
3 Tips for Choosing a Next Generation Firewall
3 Tips for Choosing a Next Generation Firewall3 Tips for Choosing a Next Generation Firewall
3 Tips for Choosing a Next Generation Firewall
 
AMP Helps Cisco IT Catch 50% More Malware threats
AMP Helps Cisco IT Catch 50% More Malware threatsAMP Helps Cisco IT Catch 50% More Malware threats
AMP Helps Cisco IT Catch 50% More Malware threats
 
A Reality Check on the State of Cybersecurity
A Reality Check on the State of CybersecurityA Reality Check on the State of Cybersecurity
A Reality Check on the State of Cybersecurity
 
Balance Data Center Security and Performance
Balance Data Center Security and PerformanceBalance Data Center Security and Performance
Balance Data Center Security and Performance
 
The Cost of Inactivity: Malware Infographic
The Cost of Inactivity: Malware InfographicThe Cost of Inactivity: Malware Infographic
The Cost of Inactivity: Malware Infographic
 
Data Center Security Challenges
Data Center Security ChallengesData Center Security Challenges
Data Center Security Challenges
 
Malware and the Cost of Inactivity
Malware and the Cost of InactivityMalware and the Cost of Inactivity
Malware and the Cost of Inactivity
 
Midsize Business Solutions: Cybersecurity
Midsize Business Solutions: CybersecurityMidsize Business Solutions: Cybersecurity
Midsize Business Solutions: Cybersecurity
 
Integrated Network Security Strategies
Integrated Network Security StrategiesIntegrated Network Security Strategies
Integrated Network Security Strategies
 
Cisco Addresses the Full Attack Continuum
Cisco Addresses the Full Attack ContinuumCisco Addresses the Full Attack Continuum
Cisco Addresses the Full Attack Continuum
 
Infonetics Network and Content Security Vendor Scorecard
Infonetics Network and Content Security Vendor ScorecardInfonetics Network and Content Security Vendor Scorecard
Infonetics Network and Content Security Vendor Scorecard
 
Gartner Newsletter: Cisco TrustSec Deployed Across Enterprise Campus, Branch ...
Gartner Newsletter: Cisco TrustSec Deployed Across Enterprise Campus, Branch ...Gartner Newsletter: Cisco TrustSec Deployed Across Enterprise Campus, Branch ...
Gartner Newsletter: Cisco TrustSec Deployed Across Enterprise Campus, Branch ...
 
The Evolution of and Need for Secure Network Access
The Evolution of and Need for Secure Network AccessThe Evolution of and Need for Secure Network Access
The Evolution of and Need for Secure Network Access
 
Cisco 2014 Midyear Security Report
Cisco 2014 Midyear Security ReportCisco 2014 Midyear Security Report
Cisco 2014 Midyear Security Report
 
String of Paerls Infographic
String of Paerls InfographicString of Paerls Infographic
String of Paerls Infographic
 
Midyear Security Report Infographic
Midyear Security Report InfographicMidyear Security Report Infographic
Midyear Security Report Infographic
 
Cisco Annual Security Report Infographic
Cisco Annual Security Report InfographicCisco Annual Security Report Infographic
Cisco Annual Security Report Infographic
 
City of Tomorrow Builds in Next-Generation Security
City of Tomorrow Builds in Next-Generation SecurityCity of Tomorrow Builds in Next-Generation Security
City of Tomorrow Builds in Next-Generation Security
 
Laser Pioneer Secures Network End-to-End to Protect Assets
Laser Pioneer Secures Network End-to-End to Protect AssetsLaser Pioneer Secures Network End-to-End to Protect Assets
Laser Pioneer Secures Network End-to-End to Protect Assets
 

Kürzlich hochgeladen

Breaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path MountBreaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path MountPuma Security, LLC
 
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking MenDelhi Call girls
 
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...apidays
 
The Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxThe Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxMalak Abu Hammad
 
The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024Rafal Los
 
A Call to Action for Generative AI in 2024
A Call to Action for Generative AI in 2024A Call to Action for Generative AI in 2024
A Call to Action for Generative AI in 2024Results
 
How to convert PDF to text with Nanonets
How to convert PDF to text with NanonetsHow to convert PDF to text with Nanonets
How to convert PDF to text with Nanonetsnaman860154
 
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Miguel Araújo
 
Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024The Digital Insurer
 
Histor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slideHistor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slidevu2urc
 
Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024The Digital Insurer
 
A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)Gabriella Davis
 
IAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsIAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsEnterprise Knowledge
 
Exploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone ProcessorsExploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone Processorsdebabhi2
 
Real Time Object Detection Using Open CV
Real Time Object Detection Using Open CVReal Time Object Detection Using Open CV
Real Time Object Detection Using Open CVKhem
 
Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...Enterprise Knowledge
 
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptxHampshireHUG
 
[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdfhans926745
 
Handwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsHandwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsMaria Levchenko
 
Artificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and MythsArtificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and MythsJoaquim Jorge
 

Kürzlich hochgeladen (20)

Breaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path MountBreaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path Mount
 
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
 
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
 
The Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxThe Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptx
 
The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024
 
A Call to Action for Generative AI in 2024
A Call to Action for Generative AI in 2024A Call to Action for Generative AI in 2024
A Call to Action for Generative AI in 2024
 
How to convert PDF to text with Nanonets
How to convert PDF to text with NanonetsHow to convert PDF to text with Nanonets
How to convert PDF to text with Nanonets
 
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
 
Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024
 
Histor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slideHistor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slide
 
Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024
 
A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)
 
IAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsIAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI Solutions
 
Exploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone ProcessorsExploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone Processors
 
Real Time Object Detection Using Open CV
Real Time Object Detection Using Open CVReal Time Object Detection Using Open CV
Real Time Object Detection Using Open CV
 
Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...
 
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
 
[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf
 
Handwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsHandwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed texts
 
Artificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and MythsArtificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and Myths
 

Managing the Security Impact of Bundled Open Source Software from OSCON

  • 1. Managing the Security Impact of Bundled Third-Party Software Tim Sammut tsammut@cisco.com
  • 2. About me Cisco Security Research & Gentoo Linux Security Team ICASI Third-Party Software Operations Member Security Working Group Chair tsammut@cisco.com underling@gentoo.org
  • 4. Do you produce a product, service or package?
  • 5. Do you disclose vulnerabilities to your customers?
  • 6. Where is third-party software creating security problems for you?
  • 7.  Open Source Software vs. Third-Party Software Quick Level Set  Do we even care about this stuff?  What are we trying to accomplish?
  • 8. It is not our code, but it is our product!
  • 10.  Which packages?  Which versions?  Which compile-time options? Knowing Where  Which kernel versions? TPS is Used Given a vulnerable TPS package can you reliably determine affected products? Knowing Where TPS is Understanding Inconsistent Package Unmanageable Learning of Inconsistent Fixes External Development Used Dependencies Naming Selection Processes Vulnerabilities Partners
  • 11.  Exposure expands in under-understood ways  Dependencies are equally exposed to vulnerabilities Understanding  Tools hide build and run-time dependencies Dependencies Focus is often on point requirements without documenting every TPS package incorporated. Knowing Where TPS is Understanding Inconsistent Package Unmanageable Learning of Inconsistent Fixes External Development Used Dependencies Naming Selection Processes Vulnerabilities Partners
  • 12.  No naming scheme  Even authoritative names change  Locally modified packages are indistinguishable Inconsistent  Simple input variances Package Naming  Versioning is itself complex Are you able to efficiently process large amounts of TPS usage data? Knowing Where TPS is Understanding Inconsistent Package Unmanageable Learning of Inconsistent Fixes External Development Used Dependencies Naming Selection Processes Vulnerabilities Partners
  • 13.  How are development teams choosing which TPS is used?  Are the considering stability or security? Unmanageable  Are they planing for the ongoing maintenance? Selection Processes Are you gaining development-time freedoms at the expense of long-term maintainability? Knowing Where TPS is Understanding Inconsistent Package Unmanageable Learning of Inconsistent Fixes External Development Used Dependencies Naming Selection Processes Vulnerabilities Partners
  • 14.  No “Single Source of Truth” Learning of Newly  Disclosure formats, vehicles and time lines vary wildly Disclosed  Monitoring the CVE dictionary is incomplete Vulnerabilities Do you learn of new and relevant TPS vulnerabilities before your customers? Knowing Where TPS is Understanding Inconsistent Package Unmanageable Learning of Inconsistent Fixes External Development Used Dependencies Naming Selection Processes Vulnerabilities Partners
  • 15.  Do we wait for a new upstream release?  Do we upgrade? Can we upgrade?  Do we patch? Inconsistent Fixing  Will an upstream fix ever come? of Vulnerabilities  Is the upstream even active? Solving this one time is easy. Do you know what you did last time or across many products? Knowing Where TPS is Understanding Inconsistent Package Unmanageable Learning of Inconsistent Fixes External Development Used Dependencies Naming Selection Processes Vulnerabilities Partners
  • 16.  Who is responsible to fix the issue? External  How quickly?  In what cases? Development  And for how long? Partners  Are each of the previous challenges covered? Combining TPS and external partners creates efficiency and vast unknowns that must be managed. Knowing Where TPS is Understanding Inconsistent Package Unmanageable Learning of Inconsistent Fixes External Development Used Dependencies Naming Selection Processes Vulnerabilities Partners
  • 17. What other challenges exist? Knowing Where TPS is Understanding Inconsistent Package Unmanageable Learning of Inconsistent Fixes External Development Used Dependencies Naming Selection Processes Vulnerabilities Partners
  • 19. Absolutely critical and foundational to success Build a Strong Catalog of TPS Use Knowing Where TPS is Understanding Inconsistent Package Unmanageable Learning of Inconsistent Fixes External Development Used Dependencies Naming Selection Processes Vulnerabilities Partners
  • 20. Creates tremendous efficiencies throughout the problem space Standardize Everything Possible Knowing Where TPS is Understanding Inconsistent Package Unmanageable Learning of Inconsistent Fixes External Development Used Dependencies Naming Selection Processes Vulnerabilities Partners
  • 21. Must produce a consistent vulnerability feed for internal consumption Monitor Vulnerability Disclosure Scalably Knowing Where TPS is Understanding Inconsistent Package Unmanageable Learning of Inconsistent Fixes External Development Used Dependencies Naming Selection Processes Vulnerabilities Partners
  • 22. Key to understanding today's impact and the historic record Instrument the Bug Database Knowing Where TPS is Understanding Inconsistent Package Unmanageable Learning of Inconsistent Fixes External Development Used Dependencies Naming Selection Processes Vulnerabilities Partners
  • 23. Support and require the equivalent of internal processes Require Contract Language with Partners Knowing Where TPS is Understanding Inconsistent Package Unmanageable Learning of Inconsistent Fixes External Development Used Dependencies Naming Selection Processes Vulnerabilities Partners
  • 24. Questions? It is not our code, but it is our product!