Create a Unified View of Your Application Security Program – Black Duck Hub and ThreadFix


Transcript of Create a Unified View of Your Application Security Program – Black Duck Hub and ThreadFix

© 2016 Denim Group – All Rights Reserved

Create a Unified View of Your Application Security Program – Black Duck Hub and ThreadFix

December 16th, 2016

Dan Cornell, CTO, Denim Group

Mike Pittenger, Vice President of Security Strategy, Black Duck


Agenda

• State of Application Security

• Black Duck Hub Overview

• ThreadFix Overview

• ThreadFix / Black Duck Hub Integration

• Components: Open Source and Internal

About Black Duck

• Founded 2002

• 24 countries

• 250+ employees

• 2,000 customers

• 40 of the Fortune 100

• 8 of the top 10 software companies (70 of the top 100)

• 6 of the top 8 mobile handset vendors

• 6 of the top 10 investment banks

Open Source Changed the Way Applications are Built

Share of the application code base that is open source software (the remainder being custom & commercial code):

• 1998: 10% open source

• 2005: 20% open source

• 2010: 50% open source

• Today: up to 90% open source

Open Source is the modern architecture

• Heartbleed – OpenSSL – Introduced: 2011 – Discovered: 2014

• Ghost – GNU C Library – Introduced: 2000 – Discovered: 2015

• Venom – QEMU – Introduced: 2004 – Discovered: 2015

• Shellshock – Bash – Introduced: 1989 – Discovered: 2014

• FREAK – OpenSSL – Introduced: 1990's – Discovered: 2015

Consequences Can Be Costly When You Can’t Control What You Can’t See

Black Duck Open Source Security Audit Report Highlights Security & Management Challenges

Why Aren’t We Finding These in Testing?

• Static analysis

  • Testing of source code or binaries for unknown security vulnerabilities in custom code

  • Advantages in buffer overflow, some types of SQL injection

  • Provides results in source code

• Dynamic analysis

  • Testing of compiled application in a staging environment to detect unknown security vulnerabilities in custom code

  • Advantages in injection errors, XSS

  • Provides results by URL, must be traced to source

What’s Missing?

• Automated testing finds common vulnerabilities in the code you write

• They are good, not perfect

• Different tools work better on different classes of bugs

• Many types of bugs are undetectable except by trained security researchers

There Are No Perfect Answers

[Venn diagram: "All possible security vulnerabilities", with overlapping subsets "Identifiable with Static Analysis" and "Identifiable with Dynamic Analysis"; FREAK! callout]

The Threat Landscape Constantly Changes

[Chart: vulnerabilities per year, 2000–2015, y-axis 0–3500; series: National Vulnerability Database (NVD) and Black Duck Extended Vulnerability Data (EVD)]

• VulnDB (Open Source Vulnerability Database)

• In 2015, over 3,000 new vulnerabilities in open source

• Since 2004, over 74,000 vulnerabilities have been disclosed by NVD.

• 63 reference automated tools

  • 50 of those are for vulnerabilities reported in the tools

  • 13 are for vulnerabilities that could be identified by a fuzzer

We Have Little Control Over How Open Source Enters The Code Base

• Developer downloads

• Outsourced development

• Third party libraries

• Code reuse

• Approved components

• Commercial apps

• Open source code

To manage open source risks you need an end-to-end approach

• INVENTORY open source components in your code

• MAP components to known vulnerabilities

• IDENTIFY license & code quality risks

• TRACK policy violations & remediation progress

• ALERT when new vulnerabilities affect your code

Black Duck Provides Visibility and Control

• Automation and policy management

• Integration with DevOps tools and processes

• Vulnerability information and alerts

Key Takeaways

• Open source is here to stay (and growing)

• Open source saves development costs and accelerates time to market

• Open source security isn’t covered by traditional tools

• Static analysis is good, but doesn't help with open source vulnerabilities

• Identify open source with known vulnerabilities, early in the SDL

• New paradigm requires new methodologies

• Visibility to open source and continuous monitoring is required.


ThreadFix Overview

• Create a consolidated view of your applications and vulnerabilities

• Prioritize application risk decisions based on data

• Translate vulnerabilities to developers in the tools they are already using


ThreadFix Overview

Create a consolidated view of your applications and vulnerabilities


Application Portfolio Tracking


Vulnerability Import


Vulnerability Consolidation

Prioritize application risk decisions based on data


Vulnerability Prioritization


Reporting and Metrics

Translate vulnerabilities to developers in the tools they are already using


Defect Tracker Integration

ThreadFix / Black Duck Hub Integration


ThreadFix HotSpot Technology


ThreadFix

www.threadfix.it

Black Duck Hub

www.blackducksoftware.com

Questions and Contact


About Denim Group

Denim Group is the leading secure software development firm, serving as a trusted advisor on matters of software risk and security. Our flagship ThreadFix product accelerates the process of software vulnerability remediation, reflecting the company's understanding of what it takes to fix application vulnerabilities faster.