Aliens in Your Apps!

ALIENS IN YOUR APPS? Are you using components with known vulnerabilities?

October 22, 2014 – All Things Open. Ryan Berg, CSO, Sonatype

Transcript of Aliens in Your Apps!


www.Sonatype.com/RiskAssessments  

Our world runs on software, and software runs on open source components. For four years, we have asked those on the front lines — developers, architects, and managers — about how they're using open source components, and how they're balancing the need for speed with the need for security.

This year, 3,353 people shared their views.

The TRUE State of OSS Security

OSS POLICIES: 56% have a policy, and 68% follow policies. Top 3 challenges: no enforcement (workarounds are common), no security, not clear what's expected.

PRACTICES: 76% don't have meaningful controls over what components are in their applications. 21% must prove use of secure components. 63% have an incomplete view of license risk.

COMPONENTS: The Central Repository is used by 83%. Nexus component managers are used 3-to-1 over others. 84% of developers use Maven/Jar to build applications.

STATE OF THE INDUSTRY: Applications are the #1 attack vector leading to breach. 13 billion open source component requests annually. 11 million developers worldwide. 90% of a typical application is now open source components. 46 million vulnerable open source components downloaded annually.

APP SECURITY: 6 in 10 don't track vulnerabilities over time. 77% have never banned a component. 31% suspected an open source breach.

Open source component use has exploded

[Chart: open source software component requests per year, 2007 through 2013, rising from 500M to 13B]

13 BILLION open source software component requests (1)

11 MILLION developers worldwide (2)

Source: (1) Sonatype, Inc. analysis of the (Maven) Central Repository; (2) IDC

Open Source Software is essential

...to help build your applications: most applications are now assembled from hundreds of open source components, often reflecting as much as 90% of an application.

...and satisfy demand: open source helps meet the accelerated development demand required for these growth drivers.

[Chart labels: ASSEMBLED, WRITTEN]

Heartbleed raises awareness

Q: Has your organization had a breach that can be attributed to a vulnerability in an open source component or dependency in the last 12 months?

Not uncommon (if you look)

1-in-10 had or suspected an open source related breach in the past 12 months

We care (shhh, don't tell, we don't really)

Q: Has your organization ever banned use of an open source component, library or project?

Proof is in the pudding: more than 1-in-3 say their open source policy doesn't cover security.

Q: How does your open source policy address security vulnerabilities?

Source: 2014 Sonatype Open Source Development and Application Security Survey

But what about developers … Even when component versions are updated 4-5 times a year to fix known security, license or quality issues.

Q: Does someone actively monitor your components for changes in vulnerability data?

At least it's good in production?

Q: Does your organization maintain an inventory of open source components used in production applications?

Which way are the fingers pointing? Q: Who has responsibility for tracking & resolving newly discovered component vulnerabilities in *production* applications?

In 2013, 50% named AppDev

In 2013, 8% named AppSec

ARE OPEN SOURCE POLICIES KEEPING OUR APPLICATIONS SAFE?

We don't need no stinking policy!

Q: Does your organization have an open source policy?

We have a policy, mmm bacon

Q: Do you actually follow your company's open source policy?

Policy without controls is? Is an "Open Source Policy" more than just a document?

Q: How well does your organization control which components are used in development projects?

Don't worry, we got it. But control is not unanimous.

Q: Who in your organization has PRIMARY responsibility for open source policy/governance?

But do I care?

Q: How would you characterize your developers' interest in application security?

Source: 2013 and 2014 Sonatype Open Source Development and Application Security Survey

It's the Applications, Stupid

Hey, if it works … ship it!

Q: When selecting components, which characteristics would be most helpful to you? (choose four)

Source: 2014 Sonatype Open Source Development and Application Security Survey

This security thing is such a drag … Bacon

Q: What application security training is available to you? (multiple selections possible)

Cleanup on Aisle 9, Cleanup on Aisle 9. AppDev runs at Agile & DevOps speed. Is security keeping pace?

Q: At what point in the development process does your organization perform application security analysis? (multiple selections possible)

With Open Source Come License Considerations

You mean licenses matter? Yet licensing data is considered helpful to 67% of respondents when selecting open source components to use.

Q: Are open source licensing risks or liabilities a top concern in your position?

Why yes, I believe it does

Q: Does your organization/policy manage the use of components by license types (e.g., GPL, copyleft)?

Defend Your Software Against Common Vulnerability Types (tongue in cheek)

#1 THE INFECTOR: A vulnerable component that many other components depend upon.

Number of Dependent Components: 8781
Downloads: 6,987,246
CVSS Score: 6.8
MTTR: 229
Unique Organizations: 72,156

CVE-2011-2894: Spring Framework 3.0.0 through 3.0.5, Spring Security 3.0.0 through 3.0.5 and 2.0.0 through 2.0.6, and possibly other versions deserialize objects from untrusted sources, which allows remote attackers to bypass intended security restrictions and execute untrusted code by (1) serializing a java.lang.Proxy instance and using InvocationHandler, or (2) accessing internal AOP interfaces, as demonstrated using deserialization of a DefaultListableBeanFactory instance to execute arbitrary commands via the java.lang.Runtime class.

It's always Spring somewhere

#2 THE IMPOSTOR: A vulnerable component that is also very popular.

An App just isn't an App without XML

Number of Dependent Components: 4003
Downloads: 3,797,847
CVSS: 5
MTTR: 867
Unique Organizations: 119,569

CVE-2009-2625: XMLScanner.java in Apache Xerces2 Java, as used in Sun Java Runtime Environment (JRE) in JDK and JRE 6 before Update 15 and JDK and JRE 5.0 before Update 20, and in other products, allows remote attackers to cause a denial of service (infinite loop and application hang) via malformed XML input, as demonstrated by the Codenomicon XML fuzzing framework.

#3 THE FORGOTTEN: A vulnerable component with a security vulnerability from many years ago.

We are still using that?

Number of Dependent Components: 75
Downloads: 324,765
CVSS: 6.8
Unique Organizations: 119,569

CVE-2003-1516: The org.apache.xalan.processor.XSLProcessorVersion class in Java Plug-in 1.4.2_01 allows signed and unsigned applets to share variables, which violates the Java security model and could allow remote attackers to read or write data belonging to a signed applet.

#4 THE UNDESIRABLE: A popular component with neither a declared nor observable license.

No license, no worries

Number of Dependent Components: 1164
Number of Downloads: 182,145
Latest Release Date: May-11-2006
Unique Organizations: 8,383

jstl:1.2 – java standard template library implementation

#5 THE UNPROVEN: A popular component with a declared license but no proof of source.

I am what I say I am

Number of Dependent Components: 1190
Number of Downloads: 19,621
Last Release Date: Jan-12-2011
Unique Organizations: 1,026,964

asm:3.3.1 – java bytecode analysis framework

#6 THE LIVING DEAD: A popular component that hasn't been updated in more than 5 years.

One release … Ever!

Number of Dependent Components: 305
Number of Downloads: 432,468
Last Release: Nov-8-2005
Unique Organizations: 14,454

jakarta-regexp:1.4 – regular expression parsing library
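The six profiles above amount to a small triage rule set that a team can run over its own component inventory. As an added example, written for this transcript and not Sonatype's tooling or scoring, the Python below encodes each profile as a check over an inventory record and runs it against a constructed inventory that reuses the counts, dates and CVE ids shown on the slides; the artifact coordinates, licenses, provenance flags and all numeric thresholds are assumptions.

```python
"""Classify an open source component inventory into the six "alien" risk
profiles from the talk: Infector, Impostor, Forgotten, Undesirable,
Unproven and Living Dead.  Example code for this transcript; thresholds
are assumptions, not Sonatype's scoring rules."""
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Component:
    coordinate: str                  # artifact:version (assumed label)
    dependents: int                  # components that depend on this one
    downloads: int
    organizations: int               # unique organisations seen using it
    cves: Tuple[str, ...] = ()       # known CVE identifiers, if any
    last_release: Optional[date] = None
    declared_license: Optional[str] = None
    source_verified: bool = False    # provenance of the binary confirmed?


# Assumed thresholds: what counts as "popular", "many dependents", "old", "stale"
POPULAR_ORGS = 10_000
POPULAR_DOWNLOADS = 100_000
MANY_DEPENDENTS = 1_000
OLD_VULN_YEARS = 5
STALE_DAYS = 5 * 365


def cve_year(cve_id: str) -> int:
    """CVE identifiers carry their year as the middle field (CVE-YYYY-NNNN)."""
    return int(cve_id.split("-")[1])


def is_popular(c: Component) -> bool:
    return (c.organizations >= POPULAR_ORGS
            or c.downloads >= POPULAR_DOWNLOADS
            or c.dependents >= MANY_DEPENDENTS)


def classify(c: Component, today: date) -> List[str]:
    """Return every profile the component matches; labels may overlap."""
    labels: List[str] = []
    vulnerable = bool(c.cves)
    popular = is_popular(c)
    if vulnerable and c.dependents >= MANY_DEPENDENTS:
        labels.append("INFECTOR")          # vulnerable, many dependents
    if vulnerable and popular:
        labels.append("IMPOSTOR")          # vulnerable and widely used
    if vulnerable and any(today.year - cve_year(v) > OLD_VULN_YEARS for v in c.cves):
        labels.append("FORGOTTEN")         # the CVE is many years old
    if popular and c.declared_license is None:
        labels.append("UNDESIRABLE")       # no declared or observable license
    elif popular and not c.source_verified:
        labels.append("UNPROVEN")          # license declared, source unproven
    if popular and c.last_release is not None and (today - c.last_release).days > STALE_DAYS:
        labels.append("LIVING_DEAD")       # no release in more than 5 years
    return labels


def scan(inventory: Tuple[Component, ...], today: date) -> Dict[str, List[str]]:
    return {c.coordinate: classify(c, today) for c in inventory}


TALK_DATE = date(2014, 10, 22)   # the date of the talk, used as "today"

# Constructed inventory: counts, dates and CVE ids are the figures on the slides;
# coordinates, licenses and provenance flags are assumed for the example.
INVENTORY = (
    Component("spring-framework:3.0.5", 8781, 6_987_246, 72_156, ("CVE-2011-2894",), None, "Apache-2.0", True),
    Component("xerces2-java", 4003, 3_797_847, 119_569, ("CVE-2009-2625",), None, "Apache-2.0", True),
    Component("xalan-processor", 75, 324_765, 119_569, ("CVE-2003-1516",), None, "Apache-2.0", True),
    Component("jstl:1.2", 1164, 182_145, 8_383, (), date(2006, 5, 11), None, False),
    Component("asm:3.3.1", 1190, 19_621, 1_026_964, (), date(2011, 1, 12), "BSD-3-Clause", False),
    Component("jakarta-regexp:1.4", 305, 432_468, 14_454, (), date(2005, 11, 8), "Apache-2.0", True),
)

if __name__ == "__main__":
    for coordinate, labels in scan(INVENTORY, TALK_DATE).items():
        print(f"{coordinate:24s} {', '.join(labels) or 'no alien profile'}")
```

Labels overlap on purpose: under these thresholds Xerces also qualifies as an Infector, and jstl is both Undesirable and Living Dead. In practice the inventory would be produced by the build tool's dependency report rather than typed in by hand, and the vulnerability data would be refreshed on a schedule, which is exactly the monitoring the survey questions above ask about.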


Complimentary assessment to ID aliens in your apps: www.Sonatype.com/RiskAssessments

MATTERS MOST

(Many were upset that bacon was not an option)

Q: What is your favorite pizza topping?

…and prefer beer 4-to-1 over wine.

Q: What do you like to drink with your pizza?

Thank You! [email protected]