The best approaches and practices that security teams should implement in order to enable their developers to harness the power of open source without slowing them down or compromising on security.
5 Things Every CISO Needs To Know About Open Source Security - A WhiteSource Webinar
1. Tackling The Risks Of Open Source Security: 5 Things Every CISO Needs To Know
2. Meet Today's Speaker: Rami Elron, Senior Director of Product Management at WhiteSource
3. 5 Things Every CISO Needs To Know About Open Source Security (agenda)
01 Open Source Risk Is On The Rise
02 It's Time To Change Your Mindset
03 Prioritize Security Vulnerabilities
04 Delegate Security Responsibilities
05 Shift Left Is At Its Best With Open Source
5. Are You Spending Enough In AppSec?
[Chart: Gaps in Security Risks and the Allocation of Spending. For each of Application, Endpoints, Networks, Data and Servers, the bars compare the level of risk (number of breaches multiplied by severity) with the level of annual spending (investment) in IT security, both as percentages on a 0%-40% scale.]
Source: Ponemon Institute: The Increasing Risk to Enterprise Applications
6. Open Source Components Account For 60%-80% Of The Average Software Product
[Chart: share of open source code vs proprietary code in the average software product]
1998: 5%-10% open source code
2008: 30%-50% open source code
2016: 60%-80% open source code
Source: North Bridge Future Of Open Source Survey
7. Number Of New CVEs Discovered More Than Doubled YoY In 2017
[Chart: number of vulnerabilities cataloged per year, 1999-2017, on a 0-16,000 scale]
Source: Common Vulnerabilities and Exposures
9. Open Source Security is a different game - change your mindset

                 Proprietary vulnerabilities                       Open source vulnerabilities
Detection        Potential vulnerability detected (SAST & DAST)    Known vulnerability
Publicity        No public information                              All information is publicly available
Remediation      Need to research to find a fix                     Actionable remediation(s) are available
Scan phase       During development                                 Continuous monitoring (incl. post release)
11. Effective vs Passive: on average, 70%* of reported security vulnerabilities in open source libraries are not referenced by the developers' code.
[Chart: open source code, 70% passive vs 30% effective]
* Based on preliminary research by WhiteSource
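The two slides above describe what makes open source vulnerabilities tractable: the vulnerability is already known and public, the fix is already available, and a large share of the matches are "passive" because the application never references the vulnerable code. The following Python script is an added example written for this page, not WhiteSource's tooling or code from the webinar. It matches a constructed dependency manifest against a constructed advisory list (the package names, versions and module paths are placeholders, not real advisories) and then uses the standard `ast` module to decide whether each vulnerable module is actually imported by the application, labelling every match effective or passive.

```python
"""Dependency matching plus import-level reachability, as an added example.

All package names, versions, module paths and advisory data below are
constructed placeholders, not real advisories.
"""
import ast
from dataclasses import dataclass


@dataclass(frozen=True)
class Advisory:
    package: str             # distribution name as it appears in the manifest
    fixed_version: str       # first version that is no longer vulnerable
    vulnerable_module: str   # import path of the code that carries the flaw


# Constructed advisory list (placeholder data, not real CVEs).
ADVISORIES = [
    Advisory("examplelib", "2.3.0", "examplelib.parser"),
    Advisory("otherlib", "1.0.5", "otherlib.net"),
]

# Constructed manifest, requirements.txt style.
MANIFEST = """\
examplelib==2.1.0   # vulnerable and used by the app -> effective
otherlib==0.9.0     # vulnerable but the flawed module is never imported -> passive
safelib==4.0.0      # no advisory
"""

# Constructed application source to scan.
APP_SOURCE = """\
from examplelib.parser import load
import otherlib.util

def handle(blob):
    return load(blob), otherlib.util.tidy(blob)
"""


def parse_version(text):
    """Turn '2.3.0' into a comparable tuple (2, 3, 0)."""
    return tuple(int(part) for part in text.split("."))


def parse_manifest(text):
    """Parse 'name==version' lines into a {name: version} dict, ignoring comments."""
    deps = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        name, _, version = line.partition("==")
        deps[name.strip().lower()] = version.strip()
    return deps


def find_vulnerable(deps):
    """Return the advisories whose package is pinned below the fixed version."""
    return [
        adv for adv in ADVISORIES
        if adv.package in deps
        and parse_version(deps[adv.package]) < parse_version(adv.fixed_version)
    ]


def imported_modules(source):
    """Collect every module path the application imports (import and from-import)."""
    modules = set()
    for node in ast.walk(ast.parse(source)):
        if isinstance(node, ast.Import):
            modules.update(alias.name for alias in node.names)
        elif isinstance(node, ast.ImportFrom) and node.module:
            modules.add(node.module)
            modules.update(f"{node.module}.{alias.name}" for alias in node.names)
    return modules


def is_reached(vulnerable_module, modules):
    """Import-level reachability: the app imports the flawed module, something
    inside it, or an ancestor package. The ancestor case is counted as reached
    on purpose (conservative), since attribute access could still get there."""
    for mod in modules:
        if mod == vulnerable_module or mod.startswith(vulnerable_module + "."):
            return True
        if vulnerable_module.startswith(mod + "."):
            return True
    return False


def classify(deps, source):
    """Map each vulnerable package to ('effective' | 'passive', fixed_version)."""
    modules = imported_modules(source)
    report = {}
    for adv in find_vulnerable(deps):
        status = "effective" if is_reached(adv.vulnerable_module, modules) else "passive"
        report[adv.package] = (status, adv.fixed_version)
    return report


if __name__ == "__main__":
    for package, (status, fixed) in classify(parse_manifest(MANIFEST), APP_SOURCE).items():
        print(f"{package}: {status} (fix available in {fixed})")
```

The reachability here is import-level only: a bare `import otherlib` is deliberately counted as effective, because the application could still reach `otherlib.net` through attribute access, and a passive label is only trusted when no import path can lead to the flawed module. A production tool would follow the call graph further, but the split it produces is the same effective/passive distinction the slide reports, and it lets a team prioritize the roughly 30% that are actually reachable.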
13. Automate Security Tools To Improve Coverage While Reducing Friction
[Diagram: Security, DevOps, Developers]
14. Turn Developers Into Security Advocates
Empower developers with more flexible selection and approval processes
[Development lifecycle phases: Project Planning, Requirements Definition, Design, Development, Integration & Test, Installation & Acceptance]
16. The cost of fixing security and quality issues is rising significantly as the development cycle advances.
Coding: $80/defect
Build: $240/defect
QA & Security: $960/defect
Production: $7,600/defect
Source: Ponemon Institute Research
17. Detect Issues As Early As Possible
Cost of fixing issues reduces by 90% when detected in the build vs post release
In 2017 alone, more than 20,000 new vulnerabilities were cataloged, according to breach analysis specialist Risk Based Security. https://betanews.com/2018/02/15/2017-record-vulnerabilities/
About 32 percent of vulnerabilities (approximately 1 in 3) had a public exploit. http://www.eweek.com/security/reported-software-vulnerabilities-on-track-to-break-record-in-2017
Open source vulnerabilities can be discovered even years after a component has been released to the market, so you need to monitor continuously.
E.g. the Heartbleed vulnerability was found 7 years after OpenSSL was released; Equifax with Apache Struts.
Key takeaway: you cannot manage your proprietary code the same way you manage open source security.
Good news: 87% of open source vulnerabilities have fixes! The community alerts, fixes and releases updates because everything is known. You only have to listen to the open source community.
WhiteSource helps you block the usage of vulnerable components in your products and detect vulnerabilities once they are added to your software. It then also helps you remediate them.