Shift Risk Left: Security Considerations When Migrating Apps to the Cloud
Die SlideShare-Präsentation wird heruntergeladen.
×
Hier ansehen
Empfohlen
Weitere Verwandte Inhalte
Diashows für Sie (18)
Ähnlich wie Security in the age of open source - Myths and misperceptions (20)
Weitere von Tim Mackey (18)
Aktuellste (20)
Security in the age of open source - Myths and misperceptions
- 1. Security in the Age of Open Source - Myths and Misperceptions Interop ITX 2017
- 2. #whoami – Tim Mackey Current roles: Senior Technical Evangelist; Occasional coder • Former XenServer Community Manager in Citrix Open Source Business Office Cool things I’ve done • Designed laser communication systems • Early designer of retail self-checkout machines • Embedded special relativity algorithms into industrial control system Find me • Twitter: @TimInTech ( https://twitter.com/TimInTech ) • SlideShare: slideshare.net/TimMackey • LinkedIn: www.linkedin.com/in/mackeytim
- 3. I don’t use much open source, so security isn’t an issue I know all of the open source I use and have it covered The NVD gives me everything I need to find and fix open source vulnerabilities quickly 3 BIG MYTHS 1 2 3
- 4. Understanding the Attacker Model Its all about information flow
- 5. Vulnerability Management Implies Data Breach Management 89% of data breaches had a financial or espionage motive Legal costs and forensics dominate remediation expenses Source: Verizon 2016 Data Breach Report
- 6. Attackers Decide What’s Valuable …
- 7. Anatomy of a New Attack Potential Attack Iterate Test against platforms Document Don’t forget PR department! Deploy
- 8. Gaining Project Insight Vulnerability Lifecycle
- 9. CLOSED SOURCE COMMERCIAL CODE • DEDICATED SECURITY RESEARCHERS • ALERTING AND NOTIFICATION INFRASTRUCTURE • REGULAR PATCH UPDATES • DEDICATED SUPPORT TEAM WITH SLA OPEN SOURCE CODE • “COMMUNITY”-BASED CODE ANALYSIS • MONITOR NEWSFEEDS YOURSELF • NO STANDARD PATCHING MECHANISM • ULTIMATELY, YOU ARE RESPONSIBLE Who is Responsible for Code and Security?
- 10. Decomposing a Vulnerability
- 11. Bug Report Submitted glibc Bug Reported July 2015 Vuln: CVE-2015-7547: glibc getaddrinfo stack-based buffer overflow
- 12. glibc 2.9 Vuln Introduced May 2008 glibc Bug Reported July 2015 CVE-2015- 7547 CVE Assigned Feb 16-2016 Low Security Risk Vuln: CVE-2015-7547: glibc getaddrinfo stack-based buffer overflow Assessment Complete – CVE Assigned
- 13. glibc 2.9 Vuln Introduced May 2008 CVE-2015- 7547 CVE Assigned Feb 16-2016 glibc Bug Reported July 2015 National Vulnerability Database Vuln Published Feb 18-2016 Moderate Security Risk Low Security Risk Vuln: CVE-2015-7547: glibc getaddrinfo stack-based buffer overflow Vulnerability Publication
- 14. glibc 2.9 Vuln Introduced National Vulnerability Database Vuln Published You Find It May 2008 CVE-2015- 7547 CVE Assigned Feb 16-2016 Feb 18-2016 glibc Bug Reported July 2015 Patches Available You Fix It Highest Security Risk Moderate Security Risk Low Security Risk Vuln: CVE-2015-7547: glibc getaddrinfo stack-based buffer overflow Resolution
- 15. Awareness Timeline How even embargoed vulnerabilities stay hidden
- 16. Media Coverage Embargo Expires Oct 21 2016 Git://id Upstream Patch Vuln: CVE-2016-5195 – AKA “Dirty Cow” Embargoed Vulnerability Awareness Oct 18 2016 Patches Available
- 17. Patches Available Media Coverage Embargo Expires Oct 21 2016 Git://id Upstream Patch Vuln: CVE-2016-5195 – AKA “Dirty Cow” Timing is Opportunity Oct 18 2016 National Vulnerability Database Vuln Published Nov 10 2016 Highest Security Risk
- 18. Understand what is deployed Avoiding regrettable decisions
- 19. Attackers Find Weaknesses – Don’t Give Them Opportunities OpenSSH: AllowTCPForwarding creates open IoT proxyApache Struts: Vulnerability response time mattersHeartbleed: Why in 2017?
- 20. Implications of an Agile World
- 21. Start with Sprint 0 Requirements and Backlog Verification Sprint 0 Strategy & Metrics Compliance & Policy Standards and Requirements Security Features & Design Software Environment
- 22. Retrofitting SDL Concepts into Modern Methodologies Verification Strategy & Metrics Compliance & Policy Learnings Standards and Requirements Security Features & Design Design Review of Stories Software Environment Sprint 0 Attack Models Code Review Security Testing Vulnerability Management Penetration Testing
- 23. Identifying Manual Security Activities Verification Strategy & Metrics Compliance & Policy Attack Models Standards and Requirements Security Features & Design Code Review Security Testing Vulnerability Management Software Environment Sprint 0 A M Automated Manual Penetration Testing Learnings Design Review of Stories
- 24. Automating Activities to Reduce Effort Verification Strategy & Metrics Compliance & Policy Attack Models Standards and Requirements Security Features & Design Code Review Security Testing Vulnerability Management Software Environment Sprint 0 A M Automated Manual Penetration Testing Learnings Design Review of Stories
- 25. Increasing Automation to Match Development Speed Verification Strategy & Metrics Compliance & Policy Attack Models Standards and Requirements Security Features & Design Code Review Security Testing Vulnerability Management Software Environment Sprint 0 A M Automated Manual Penetration Testing Learnings Design Review of Stories
- 26. Reducing Dependency Risks Verification Strategy & Metrics Compliance & Policy Attack Models Standards and Requirements Security Features & Design Code Review Security Testing Vulnerability Management Software Environment Sprint 0 A M Automated Manual Penetration Testing Design Review of Stories Learnings
- 27. Open Source Risk Maturity Model
- 28. LEVEL 1 – BLISSFUL IGNORANCE No policies in place to manage open source security and licensing risks. Unknown versions and dependencies. No documentation of intent.
- 29. LEVEL 2 – AWAKENING Inconsistent manual processes to identify and report on open source usage. Conceptual awareness of license requirements. Unaware of security implications of open source usage.
- 30. Vulnerability Analysis Compliments SAST/DAST All possible security vulnerabilities Static and Dynamic Analysis - Discover common security patterns - Challenged by nuanced bugs - Focuses on your code; not upstream Vulnerability Analysis - Identifies vulnerable dependencies - 3000+ disclosures in 2015 - 4000+ disclosures in 2016 - Most vulnerabilities found by researchers
- 31. LEVEL 3 – UNDERSTANDING Manual review processes, and basic tooling. Primary focus on license compliance. Accuracy is difficult to maintain. Provides limited insight into security vulnerabilities. Tools: Spreadsheets, low cost tools, sporadic security scans
- 32. But security investment is often not aligned with actual risks
- 33. LEVEL 4 – ENLIGHTENMENT Automatic identification of open source components and versions. Direct mapping to licenses and disclosed vulnerabilities. Integration with developer, issue management, CI/CD and deployment tools.
- 34. Designing a Better Solution
- 35. 8,800 DATA SOURCES 530 TERABYTES OF CONTENT 2,400 LICENSE TYPES 12 YEARS OF OSS ACTIVITY 84,000 OSS VULNERABILITIES • Designed with Open Source behavior traits including forks and merges • Vulnerability information enhanced through dedicated security research team • Real time updates as security issues occur • Maps vulnerabilities to public exploits Comprehensive KnowledgeBase
- 36. Define Actionable Risk Elements Open source license compliance • Ensure project dependencies are understood Use of vulnerable open source components • Is component a fork or dependency? • How is component linked? Operational risk • Can you differentiate between “stable” and “dead”? • Is there a significant change set in your future? • API versioning • Security response process for project
- 37. Solving for Open Source Disclosures Distributed Weakness Filing • Open Source specific CAN • Designed for Open Source projects without an existing CAN Increasing vulnerability awareness • Reinforce security collaboration • Reduce islands of knowledge https://iwantacve.org https://github.com/distributedweaknessfiling/
- 38. Question the “Newer Version” Patch Process
- 39. Support Gating of Builds for Risk Elements DEVELOP BUILD PACKAGE RISK ASSESSMENT BUG TRACKING
- 40. Support Ongoing Monitoring for Changes in Risk DEVELOP BUILD PACKAGE DEPLOY PRODUCTION BUG TRACKING TEST AUTOMATION RISK ASSESSMENT
- 41. Container Orchestration Increases Velocity Red Hat OpenShift as reference case
- 42. Integration Points for OpenShift Container Platform
- 43. Black Duck OpenShift Integration Component Identification Black Duck KnowledgeBase Customer Hosted Black Duck Hosted Integrated Registry ImageStream Events Policy Engine Hub Scan Engine Hub Scan Controller Hub Notifications Image Annotation External Registries
- 44. Problem: Security response times are too long Automate awareness of open source dependencies while operating at DevOps speed
- 45. Managing Open Source Security Requires End-End Visibility INVENTORY Open Source Components MAP To Known Vulnerabilities IDENTIFY License & Quality Risks MANAGE Open Source Risk Policies MONITOR For New Vulnerabilities Automation and workflow Integration with DevOps tools and processes
