in your code? - Wind River · security vulnerabilities 1400000 200000 400000 600000 800000 1000000...
1
™ Sources 1. http://www.mcafee.com/us/security-awareness/articles/mcafee-labs-threats-predictions-2016.aspx 2. https://www2.fireeye.com/WP-Zero-Day-Danger-LP.html 3. https://nvd.nist.gov/ 4. http://www.slideshare.net/blackducksoftware/2015-future-of-open-source-survey-results 5. https://cve.mitre.org/ Learn how Wind River security monitoring can help you keep your devices protected after deployment: windriver.com/products/linux/security. 310 days 6,270 Knock-Knock: Who’s There? Zero-Day Exploits Like Heartbleed, Shellshock, and OpenSSL 2015 2016 2015 2016 Low 0 1,000 2,000 3,000 4,000 5,000 6,000 7,000 Medium High Critical Critical High Medium Low 594 186 3,497 2,281 1,255 1,702 1,213 1,054 2015–2016 Trends 16.34% of vulnerabilities are critical. McAfee predicted that non-Windows systems would be highly targeted in 2016. Critical Vulnerabilities and Exposures (CVEs) per year on average over the last 5 years High severity CVEs doubled from 2015 to 2016. 2016 Vulnerabilities by Severity Vulnerabilities discovered by cybercriminals remain unknown to the public for an average of 310 days. That gives cybercriminals ample time to steal organizations' most valuable assets. The Bad The Good Increasing abundance of open source projects Opportunities and Challenges with Keeping Your Code Secure Monitoring is not very glamorous. Current research shows that developers are always excited to work on the next emerging technology, not necessarily updating the base platform. 67% don’t monitor open source code for security vulnerabilities 1400000 200000 400000 600000 800000 1000000 1200000 0 2007 2009 2011 2013 2015 Using open source enables users to take fast action. Information about vulnerabilities surfaces quickly through legions of users and researchers. Low Medium High Critical The Price of Protection Yearly cost to staff a security monitoring team K highly skilled engineers required to investigate and address yearly CVEs attacks watering hole code action - script execution man - - in the middle attacks Wind River Linux fixed 5157CVEs in its Linux products in 2016. More Connected Devices = More Data = More Risk What’s in your lurking code? Security in the Connected Era 2.88% 35.37% 16.34% 41.90% Wind River Keeps You Safe Monitoring Monitoring specific security notifications from US Government agencies and organizations like NIST, US CERT, and also public and private security mailing lists. Assessment Determining whether any supported Wind River product is actually susceptible to the vulnerability. Notification Notifying affected customers of the level of susceptibility. Remediation Creating patches for vulnerabilities even before the community publicly announces them, or in the monthly product updates. 32.2 ZB More Data 1B More Users 8.1B More Internet-Connected Devices 95.6 EB More Network Traffic
Transcript of in your code? - Wind River · security vulnerabilities 1400000 200000 400000 600000 800000 1000000...
™
Sources
1. http://www.mcafee.com/us/security-awareness/articles/mcafee-labs-threats-predictions-2016.aspx
2. https://www2.fireeye.com/WP-Zero-Day-Danger-LP.html
3. https://nvd.nist.gov/
4. http://www.slideshare.net/blackducksoftware/2015-future-of-open-source-survey-results
5. https://cve.mitre.org/
Learn how Wind River security monitoring can help you keep your devices protected after deployment: windriver.com/products/linux/security.
19%
310 days
6,270
Knock-Knock: Who’s There?Zero-Day Exploits Like Heartbleed,
Shellshock, and OpenSSL
2015
2016
2015
2016
Low
0 1,000 2,000 3,000 4,000 5,000 6,000 7,000
Medium
High
Critical
CriticalHighMediumLow594
186
3,497
2,281
1,255
1,702
1,213
1,054
2015–2016 Trends
16.34% of vulnerabilities are critical.McAfee predicted that non-Windows systems would be highly targeted in 2016.
Critical Vulnerabilities and Exposures (CVEs) per year on average over the last 5 years
High severity CVEs doubled from 2015 to 2016.
2016 Vulnerabilitiesby Severity
Vulnerabilities discovered by cybercriminals remain unknown to the public for an average of 310 days. That gives cybercriminals ample time to steal organizations' most valuable assets.
The Bad
The Good
Increasing abundance of open source projects
Opportunities and Challenges with Keeping Your Code Secure
Monitoring is not very glamorous. Current research shows that developers are always excited to work on the next emerging technology, not necessarily updating the base platform.
67%don’t monitor open
source code for security vulnerabilities
1400000
200000
400000
600000
800000
1000000
1200000
02007 2009 2011 2013 2015
Using open source enables users to take fast action. Information about vulnerabilities surfaces quickly through legions of users and researchers.
Low
Medium
High
Critical
The Price of Protection
Yearly cost to staff a security monitoring team
Khighly skilled engineers
required to investigate
and address yearly CVEs
attacks
wateringholecode
action-script
exec
utio
n
man--
in the
middle
attacks
Wind River Linux fixed 5157CVEs in its Linux products in 2016.
More Connected Devices = More Data = More Risk
What’s
in yourlurking
code?
Security in the Connected Era
2.88%
35.37%
16.34%
41.90%
Wind River Keeps You Safe
MonitoringMonitoring specific security notifications from US Government
agencies and organizations like NIST, US CERT, and also public
and private security mailing lists.
AssessmentDetermining whether any supported Wind River product is
actually susceptible to the vulnerability.
NotificationNotifying affected customers of the level of susceptibility.
RemediationCreating patches for vulnerabilities even before the community
publicly announces them, or in the monthly product updates.
32.2 ZBMore Data
1BMore Users
8.1B MoreInternet-Connected
Devices
95.6 EB MoreNetwork Traffic
