FLIGHT WEST 2018 - Presentation - SCA 101: How to Manage Open Source Security Risks with Black Duck
1. Managing Open Source Security Risks with Black Duck
Jeffrey Michael
Senior Product Manager
2. Why: Why should you care and why is it so hard?
Open Source Security Risk Management
Selection: How to identify and use high-quality components?
Governance: How to set and enforce policies to ensure nothing falls through the cracks?
Detection: How to truly know what open source you’re using?
Prioritization, Mitigation, & Remediation: What to do and when?
Monitoring: What happens after you release?
3. Why should you care?
Today, most application code is open source.
Chart (share of application code that is open source): 1998: 10%; 2005: 20%; 2010: 50%; Today: up to 90%.
4. Why should you care?
Over 40,000 known open source vulnerabilities
7. Why is it hard?
The race between you and open source hackers.
Timeline (figure): Bug Introduced → Vuln Discovered → National Vulnerability Database → You Find It → You Fix It → Exploits Published → Hackers Hack.
Label on the figure: Highest Security Risk.
8. Open Source Selection Process/Criteria
• Active development
• Security track record
• Support community
• Version
9. Open Source Selection Process/Criteria
Active Development & Support Community: check GitHub and OpenHub.
12. Governance: Open Source Policies
• Define/manage open source policies to meet your organization's risk tolerance.
• Transparency into what open source is entering your code base.
• Early notification of policy violations.
• Reporting and visibility of what open source violates policy and where that open source exists.
13. Detection: What open source am I using?
• Automated and multi-factor
• Supports multiple risk tolerance or LOE (level of effort) scenarios
• Most comprehensive language support
• Multiple points of verification to ensure accuracy
• Streamlines disambiguation
• Identifies partial, modified and snippet-reused components
Detection methods (figure, laid out on an Easy ... Hard scale):
Source Content Scan: optimized file system scanning with the Scan client; analyzes source content for:
• Snippet matches
Dependency Analysis: build process monitoring and package file inspection; tracks direct and transitive dependencies from:
• Static package management files and other artifacts
• Dynamically resolved dependencies listed in build info
Component Scanning: file system scanning with the Scan client; contextual analysis identifies most open source in use:
• File / directory metadata
• Exact file content (SHA1 signatures)
Binary Analysis (Protecode SC): contextual file system scanning; analyzes modified or unstructured binaries from:
• Compiled source code
• Third-party applications
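The slide lists four sources of evidence for what open source is present. The script below is an added example, not Black Duck's scan client or knowledge base, showing three of them working together: exact-file SHA1 signatures (Component Scanning), windowed snippet fingerprints over normalized source lines (Source Content Scan) and a breadth-first walk of a resolved dependency graph (Dependency Analysis), merged into one bill of materials with the evidence and location recorded per component. The knowledge base, the project files, the component names (the "tinyhash" library is fictional) and the lock-file shape are all constructed for the example.

```python
"""Added example: three of the detection methods on the slide (exact-file SHA1
signatures, snippet matching, dependency analysis) merged into one bill of
materials. All files, components and the lock-file shape are constructed
sample data, not Black Duck's scan format or knowledge base."""
import hashlib
from collections import deque

# Constructed stand-in for a knowledge base: one canonical file per component.
KNOWN_FILES = {
    ("jquery", "1.12.4"): b"/*! jQuery v1.12.4 | (c) jQuery Foundation */\n"
                          b"(function(w){w.$={};})(window);\n",
    ("tinyhash", "0.3.1"): b"uint32_t tiny_hash(const uint8_t *p, size_t n)\n"
                           b"{\n"
                           b"    uint32_t h = 2166136261u;\n"
                           b"    for (size_t i = 0; i < n; i++) {\n"
                           b"        h ^= p[i];\n"
                           b"        h *= 16777619u;\n"
                           b"    }\n"
                           b"    return h;\n"
                           b"}\n",
}

# Exact-file evidence: SHA1 of the whole file, as the Component Scanning box describes.
SHA1_INDEX = {hashlib.sha1(c).hexdigest(): cv for cv, c in KNOWN_FILES.items()}

WINDOW = 4  # consecutive normalized lines per snippet fingerprint (toy value)

def _normalized_lines(data):
    # Whitespace-insensitive so re-indented copies still match.
    return [" ".join(l.split()) for l in data.decode("utf-8", "replace").splitlines() if l.strip()]

def snippet_fingerprints(data):
    lines = _normalized_lines(data)
    return {hashlib.sha1("\n".join(lines[i:i + WINDOW]).encode()).hexdigest()
            for i in range(len(lines) - WINDOW + 1)}

# Snippet evidence: every window of every known file, as the Source Content Scan box describes.
SNIPPET_INDEX = {fp: cv for cv, c in KNOWN_FILES.items() for fp in snippet_fingerprints(c)}

def scan_files(files):
    """files: {path: bytes}. Returns (path, component, version, evidence) tuples."""
    hits = []
    for path, data in sorted(files.items()):
        digest = hashlib.sha1(data).hexdigest()
        if digest in SHA1_INDEX:
            hits.append((path, *SHA1_INDEX[digest], "exact-file"))
            continue  # a whole-file match already explains the file
        matched = {SNIPPET_INDEX[fp] for fp in snippet_fingerprints(data) if fp in SNIPPET_INDEX}
        hits.extend((path, *cv, "snippet") for cv in sorted(matched))
    return hits

def dependency_tree(lock):
    """lock: {"direct": [names], "resolved": {name: {"version", "requires"}}}.
    Breadth-first walk so each package is recorded at its shallowest depth.
    Returns {name: (version, depth, parent)}."""
    seen = {}
    queue = deque((name, 0, None) for name in lock["direct"])
    while queue:
        name, depth, parent = queue.popleft()
        if name in seen:
            continue
        entry = lock["resolved"][name]
        seen[name] = (entry["version"], depth, parent)
        queue.extend((child, depth + 1, name) for child in entry["requires"])
    return seen

def build_bom(files, lock):
    """Merge file-based and package-based evidence; one record per (component, version)."""
    bom = {}
    def rec(key):
        return bom.setdefault(key, {"evidence": set(), "locations": set(), "depth": None})
    for path, comp, ver, evidence in scan_files(files):
        rec((comp, ver))["evidence"].add(evidence)
        rec((comp, ver))["locations"].add(path)
    for name, (ver, depth, parent) in dependency_tree(lock).items():
        r = rec((name, ver))
        r["evidence"].add("direct" if depth == 0 else "transitive")
        r["depth"] = depth
        r["locations"].add("lockfile" if parent is None else f"lockfile via {parent}")
    return bom

# Constructed project: a vendored jQuery copy, a hash helper pasted from tinyhash with
# its first line rewritten (so only snippet matching catches it), and purely local code.
_TINYHASH_BODY = KNOWN_FILES[("tinyhash", "0.3.1")].split(b"\n", 1)[1]
SAMPLE_FILES = {
    "web/static/jquery.min.js": KNOWN_FILES[("jquery", "1.12.4")],
    "src/util/hash.c": b"/* local helper */\n"
                       b"static unsigned hash_bytes(const unsigned char *p, unsigned n)\n" + _TINYHASH_BODY,
    "src/main.c": b"int main(void) { return 0; }\n",
}
SAMPLE_LOCK = {
    "direct": ["webframe"],
    "resolved": {
        "webframe": {"version": "2.1.0", "requires": ["templ", "jquery"]},
        "templ": {"version": "0.9.3", "requires": ["jquery"]},
        "jquery": {"version": "1.12.4", "requires": []},
    },
}

if __name__ == "__main__":
    for (comp, ver), r in sorted(build_bom(SAMPLE_FILES, SAMPLE_LOCK).items()):
        print(f"{comp} {ver}: {sorted(r['evidence'])} at {sorted(r['locations'])}")
```

Running it shows why the slide calls detection multi-factor: jQuery is reported twice over (an exact file on disk and a transitive dependency of webframe), the pasted hash helper is found only because its body still fingerprints as tinyhash, and the local main.c produces no evidence at all.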
14. Where do I start and what do I do?
Prioritization: Know the most significant vulnerabilities within your most critical applications.
15. Where do I start and what do I do?
Mitigation & Remediation: What can I do to address my issues?
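Slides 12, 14 and 15 describe governance (policies matched to risk tolerance, with violations reported where the component lives) and prioritization followed by mitigation or remediation. The script below is an added example of both, written for this page and not taken from Black Duck's policy engine: a small rule table is evaluated against each application's bill of materials, active policy overrides (which have an expiry, so accepted risk is re-reviewed) suppress a finding, and the remaining violations are ranked by CVSS score, application criticality and whether an exploit is public, which is the race the slide 7 timeline describes. Every application, component, score and vulnerability id (VULN-000x) is constructed sample data, and the rule shape is this example's own.

```python
"""Added example: governance (policy rules evaluated against each application's
bill of materials, with time-limited policy overrides) and prioritization
(ranking violations by severity, application criticality and exploit
availability) plus the remediation choice each ranked finding implies.
Applications, components, vulnerability ids (VULN-000x) and scores are all
constructed sample data; the rule shape is this example's own, not Black
Duck's policy format."""
from dataclasses import dataclass
from datetime import date
from typing import List, Optional

@dataclass
class Vuln:
    vid: str                  # constructed id, not a real CVE number
    cvss: float
    exploit_published: bool   # a public exploit raises urgency (the "race" slide)
    fixed_in: Optional[str]   # release that fixes it; None when no fix exists yet

@dataclass
class Component:
    name: str
    version: str
    path: str                 # where the component lives inside the application
    vulns: List[Vuln]

@dataclass
class App:
    name: str
    criticality: int          # 3 = internet-facing, 2 = internal, 1 = dev tooling
    components: List[Component]

@dataclass
class Violation:
    app: str
    rules: str
    component: str
    version: str
    path: str
    vuln: Vuln
    score: float

# Policy: (rule name, minimum application criticality it applies to, CVSS threshold).
POLICY = [
    ("critical-anywhere", 1, 9.0),
    ("high-in-internet-facing", 3, 7.0),
]

# Overrides: (app, component, vuln id) -> (justification, expiry). Expired overrides lapse.
OVERRIDES = {
    ("billing-api", "xmlparse", "VULN-0003"): ("vulnerable feature disabled by config", date(2019, 1, 31)),
}

def evaluate(apps, policy=POLICY, overrides=OVERRIDES, today=date(2018, 6, 1)):
    """Return policy violations ranked from most to least urgent."""
    violations = []
    for app in apps:
        for comp in app.components:
            for v in comp.vulns:
                hit = [name for name, min_crit, threshold in policy
                       if app.criticality >= min_crit and v.cvss >= threshold]
                if not hit:
                    continue
                override = overrides.get((app.name, comp.name, v.vid))
                if override and override[1] >= today:
                    continue  # accepted risk, still inside its review window
                score = v.cvss * app.criticality * (2.0 if v.exploit_published else 1.0)
                violations.append(Violation(app.name, ",".join(hit), comp.name,
                                            comp.version, comp.path, v, score))
    return sorted(violations, key=lambda x: -x.score)

def remediation(v):
    """Remediate when a fixed release exists, otherwise fall back to mitigation."""
    if v.vuln.fixed_in:
        return f"upgrade {v.component} {v.version} -> {v.vuln.fixed_in} in {v.path}"
    return f"no fixed release for {v.component} {v.version}; mitigate (disable feature, isolate, or replace)"

# Constructed inventory: the same vulnerable parser in an internet-facing app and a build tool.
_XMLPARSE_VULNS = [Vuln("VULN-0001", 9.8, True, "1.4.2"), Vuln("VULN-0003", 7.5, False, "1.5.0")]
SAMPLE_APPS = [
    App("billing-api", 3, [
        Component("xmlparse", "1.4.0", "lib/xmlparse.jar", _XMLPARSE_VULNS),
        Component("loggerx", "2.0.1", "lib/loggerx.jar", [Vuln("VULN-0002", 5.3, False, "2.0.2")]),
    ]),
    App("build-tools", 1, [
        Component("xmlparse", "1.4.0", "tools/xmlparse.jar", _XMLPARSE_VULNS),
        Component("archiver", "0.7", "tools/archiver.jar", [Vuln("VULN-0004", 9.1, True, None)]),
    ]),
]

if __name__ == "__main__":
    for v in evaluate(SAMPLE_APPS):
        print(f"{v.score:5.1f}  {v.app:12} {v.vuln.vid} [{v.rules}] -> {remediation(v)}")
```

The same xmlparse 1.4.0 appears in both applications, but the copy in the internet-facing billing-api ranks first, its medium-severity second issue is suppressed only while the override is in date, and the build-tools archiver with no fixed release is the one finding that has to be mitigated rather than upgraded.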
16. Monitoring: What about issues with production applications?
Reporting, notification, and dashboard monitoring.
17. Monitoring: What about issues with production applications?
Hub Alert plugin
• Single notification platform
  • Vulnerabilities
  • Policy violations
  • Policy overrides
  • Policy cancellations
• Distribute to your channel of choice
  • HipChat
  • Slack
  • Email
18. Monitoring: What about issues with production applications?
Jira integration for automated notification/triage.
19. Why: Why should you care and why is it so hard?
Open Source Security Risk Management
Selection: How to identify and use high-quality components?
Governance: How to set and enforce policies to ensure nothing falls through the cracks?
Detection: How to truly know what open source you’re using?
Prioritization, Mitigation, & Remediation: What to do and when?
Monitoring: What happens after you release?