The document discusses open source software (OSS) security issues and strategies for addressing vulnerabilities. It notes that while open development allows many eyeballs to find bugs, in reality most don't know what to look for and vulnerabilities are still regularly found. It then provides data on vulnerabilities reported over time for several major OSS projects. The document advocates applying a secure development lifecycle and vulnerability management process to address issues early. It also discusses automating scanning of code and binaries for vulnerabilities and integrating these tools into developer workflows.
18. Cathedral and the Bazaar
1999: “Given enough eyeballs, all bugs are shallow.”
2003: Michael Howard & David LeBlanc assert most don’t know what to look for
2006: Coverity & others release reports of selectively scanned Open & Closed source projects, claiming proof Linus’ Law works
2014: Heartbleed, Shellshock, Poodle, etc.
2017: …
https://www.flickr.com/photos/hades2k/7001927337
27. Data from public sources is limited
FFMPEG vulnerability entries: NVD 253, CVE Details 253
28. High value data isn’t free
FFMPEG vulnerability entries: NVD 253, CVE Details 253, VulnDB 1,200+
29. Efficiency At What Cost?
A single application
◦ may have hundreds of different third party libraries implemented
◦ may have multiple copies of the same component or library implemented
30. Debate!
What should you measure library quality on?
◦ Count of vulnerabilities
◦ Frequency of update releases
◦ Average severity of vulns (CVSS or other)
◦ Existence of POC or Exploit
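One way to make the debate concrete is to combine the four candidate metrics into a single ranking. The following script is an added example, not part of the presentation: it defines a per-library record holding vulnerability count, mean CVSS, exploit availability and release dates, normalises each metric to a 0..1 term and weights them into a 0-100 risk score. The weights (25/30/30/15), the saturation points (20 vulnerabilities, a 365-day release gap) and the two library records are constructed assumptions, chosen so that an exploited, high-severity library outranks a rarely updated but low-severity one.

```python
"""Rank third-party libraries on the four quality metrics from slide 30.

Added illustration, not from the presentation: the weights, saturation
points and the two library records are constructed assumptions."""
from dataclasses import dataclass, field
from datetime import date
from typing import List, Optional


@dataclass
class LibraryRecord:
    name: str
    vuln_count: int            # vulnerabilities published in the review window
    avg_cvss: float            # mean CVSS base score (0-10) of those vulns
    exploit_available: bool    # a public PoC or exploit exists for any of them
    release_dates: List[date] = field(default_factory=list)  # releases in the window


def mean_release_gap_days(release_dates: List[date]) -> Optional[float]:
    """Mean number of days between consecutive releases, or None if fewer than two."""
    if len(release_dates) < 2:
        return None
    ordered = sorted(release_dates)
    gaps = [(later - earlier).days for earlier, later in zip(ordered, ordered[1:])]
    return sum(gaps) / len(gaps)


def risk_score(rec: LibraryRecord) -> float:
    """Combine the four metrics into a 0-100 risk score (higher is riskier).

    Each metric is normalised to 0..1 and weighted; the weights and the
    saturation points (20 vulns, 365 days) are constructed assumptions.
    """
    count_term = min(rec.vuln_count / 20.0, 1.0)
    severity_term = max(0.0, min(rec.avg_cvss, 10.0)) / 10.0
    exploit_term = 1.0 if rec.exploit_available else 0.0
    gap = mean_release_gap_days(rec.release_dates)
    # A slow (or unknown) release cadence means fixes reach users late.
    cadence_term = 1.0 if gap is None else min(gap / 365.0, 1.0)
    weighted = (0.25 * count_term + 0.30 * severity_term
                + 0.30 * exploit_term + 0.15 * cadence_term)
    return round(weighted * 100.0, 1)


def rank_by_risk(records: List[LibraryRecord]) -> List[str]:
    """Library names ordered from riskiest to least risky."""
    return [r.name for r in sorted(records, key=risk_score, reverse=True)]


# Constructed sample records (placeholder names, not real projects or real data).
SAMPLE_LIBRARIES = [
    LibraryRecord("libalpha", vuln_count=12, avg_cvss=7.5, exploit_available=True,
                  release_dates=[date(2017, 1, 1), date(2017, 2, 1), date(2017, 3, 1)]),
    LibraryRecord("libbeta", vuln_count=2, avg_cvss=4.0, exploit_available=False,
                  release_dates=[date(2016, 1, 1), date(2017, 1, 1)]),
]

if __name__ == "__main__":
    for rec in SAMPLE_LIBRARIES:
        print(f"{rec.name}: risk {risk_score(rec)}")
    print("ranking:", rank_by_risk(SAMPLE_LIBRARIES))
```

Note that a raw vulnerability count on its own rewards libraries nobody audits: libbeta has few published vulnerabilities but a yearly release cadence, so any fix it does need will arrive slowly, and the cadence term captures that. The score is only as good as its inputs, which is the point of the preceding slides on NVD versus paid feeds.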
34. Cost to Fix Vulnerabilities
The National Institute of Standards and Technology (NIST) estimates that code fixes performed after release can result in 25+ times the cost of fixes performed during the design phase.
tl;dr: Pay me now or pay me later… with interest.
37. OSS Vulnerability Lifecycle
Identify Issue → Assess Impact → Dev & Test Fix → Public Release w/ CVE → Post Release (the cycle repeats)
40. Cloud Architecture and OSS (Generic)
Data Center
◦ Facility Security, HVAC, Power
Shared HW
◦ Network, Storage, Compute
◦ ILO / Serial, BIOS / Firmware
VM OS - IaaS/PaaS/Other
◦ Linux, BSD, Windows
43. Zooming in on the Cloud – “Scanning”
100x
• Source Code
• Intellectual property
• Vulnerability
• Binary in builds
10x
• VM / Infra / OS
• Packages
• Configuration
• Authenticated (Internal)
1x
• Edge / Port
• Un-Authenticated
• Authenticated (web app)
44. Automate and Integrate
Automate what can be automated
◦ Source Code Scanning
◦ Binary Scanning
◦ Both for IP, Security, and freshness
Integrate
◦ The solutions and tools *MUST* be integrated into your developers’ workflow and build systems
46. Get It Done
• Automate everything you can:
◦ Detection and inventorying of OSS implemented in source code, cloud tenants, etc.
◦ Notifications of out of date and vulnerable OSS that needs updating
◦ Updating packages - Greenkeeper
• Complete a Security Assessment of OSS components prior to use
• Routinely update OSS components to current version
• Microsoft employee? Go further down the OSS Risk Rabbit Hole and stream the STRIKE presentation. Find it at aka.ms/osssec
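The automation that slides 44 and 46 call for (scan what is implemented, inventory it, notify when it is vulnerable or stale) reduces to a small pipeline that a build step can run. The script below is an added example and not code from the presentation, Greenkeeper or any product: it parses a pinned requirements-style manifest into an inventory, matches it against an advisory feed and a latest-release catalogue, and emits notifications with the vulnerable packages first. The manifest, the advisory feed and the catalogue are all constructed and embedded inline; the package names and the `ADV-EXAMPLE-*` ids are placeholders, not real identifiers. In production the two data sources would be a live vulnerability feed and the package registry, and the notices would be posted to the build log or a ticketing system rather than returned as strings.

```python
"""Inventory pinned OSS dependencies and flag the vulnerable and stale ones.

Added illustration, not code from the presentation or any product: the
manifest, advisory feed and release catalogue below are constructed, and
the package names and advisory ids are placeholders, not real identifiers."""
import re
from typing import Dict, List, Tuple

# Constructed manifest in pip "requirements.txt" style, with pinned versions.
REQUIREMENTS = """\
# web tier
libalpha==1.4.2
libbeta==0.9.0   # HTTP client
libgamma==2.9.6
libdelta==3.12
"""

# Constructed advisory feed: every version below "fixed_in" is affected.
ADVISORIES = [
    {"package": "libdelta", "id": "ADV-EXAMPLE-0001", "fixed_in": "4.1", "cvss": 9.8},
    {"package": "libbeta", "id": "ADV-EXAMPLE-0002", "fixed_in": "1.0.0", "cvss": 5.9},
]

# Constructed "latest release" catalogue standing in for a registry lookup.
LATEST_RELEASE = {"libalpha": "1.4.2", "libbeta": "1.0.1", "libgamma": "2.10", "libdelta": "5.1"}

# Only exact pins are accepted: an unpinned or ranged requirement cannot be inventoried.
REQ_LINE = re.compile(r"^([A-Za-z0-9_.-]+)==([0-9]+(?:\.[0-9]+)*)$")


def parse_version(version: str) -> Tuple[int, ...]:
    """Dotted numeric version to a tuple, so that (2, 9, 6) < (2, 10) compares correctly."""
    return tuple(int(part) for part in version.split("."))


def inventory(manifest: str) -> Dict[str, str]:
    """Map package name -> pinned version; comments and blank lines are ignored."""
    deps: Dict[str, str] = {}
    for raw in manifest.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        match = REQ_LINE.match(line)
        if not match:
            raise ValueError(f"unsupported requirement line: {raw!r}")
        deps[match.group(1).lower()] = match.group(2)
    return deps


def find_vulnerable(deps: Dict[str, str], advisories: List[dict]) -> List[dict]:
    """Advisories whose package is pinned below the fixed version, highest CVSS first."""
    hits = []
    for adv in advisories:
        pinned = deps.get(adv["package"])
        if pinned is not None and parse_version(pinned) < parse_version(adv["fixed_in"]):
            hits.append({**adv, "pinned": pinned})
    return sorted(hits, key=lambda h: h["cvss"], reverse=True)


def find_outdated(deps: Dict[str, str], latest: Dict[str, str]) -> Dict[str, Tuple[str, str]]:
    """Packages pinned below the latest known release: name -> (pinned, latest)."""
    return {name: (pinned, latest[name]) for name, pinned in deps.items()
            if name in latest and parse_version(pinned) < parse_version(latest[name])}


def notifications(manifest: str, advisories: List[dict] = ADVISORIES,
                  latest: Dict[str, str] = LATEST_RELEASE) -> List[str]:
    """Human-readable notices: vulnerable packages first, then merely outdated ones."""
    deps = inventory(manifest)
    notes = [f"VULNERABLE {h['package']}=={h['pinned']}: {h['id']} (CVSS {h['cvss']}), "
             f"fixed in {h['fixed_in']}"
             for h in find_vulnerable(deps, advisories)]
    notes += [f"OUTDATED {name}=={pinned}: latest is {newest}"
              for name, (pinned, newest) in sorted(find_outdated(deps, latest).items())]
    return notes


if __name__ == "__main__":
    for note in notifications(REQUIREMENTS):
        print(note)
```

Two design points matter for the "integrate into the build" requirement: the parser refuses any line it cannot pin to an exact version, because an inventory that silently skips entries gives false assurance, and version comparison is numeric per component rather than string-based, so that 2.9.6 is correctly seen as older than 2.10.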