Lessons Learned From Heartbleed, Struts, and The Neglected 90%
![Page 1: Lessons Learned From Heartbleed, Struts, and The Neglected 90%](https://reader035.fdocuments.net/reader035/viewer/2022062523/58f070f71a28abbb278b45ef/html5/thumbnails/1.jpg)
LESSONS LEARNED FROM HEARTBLEED, STRUTS, AND THE Neglected 90%
Wendy Nather, Security Research Director, 451 Research, @451wendy
Josh Corman, CTO, Sonatype, @joshcorman
![Page 2: Lessons Learned From Heartbleed, Struts, and The Neglected 90%](https://reader035.fdocuments.net/reader035/viewer/2022062523/58f070f71a28abbb278b45ef/html5/thumbnails/2.jpg)
FEATURED SPEAKERS
WENDY NATHER, SECURITY RESEARCH DIRECTOR, 451 RESEARCH (@451wendy)
• CISO of Texas Education Agency
• Security Director, Swiss Bank Corp
• Co-author of ‘The Cloud Security Rules’
JOSHUA CORMAN, CTO, SONATYPE (@joshcorman)
• Co-founder of Rugged Software
• Previously w/ Akamai & 451 Group
• Trusted Security Professional
https://451research.com/ http://www.sonatype.com/
![Page 3: Lessons Learned From Heartbleed, Struts, and The Neglected 90%](https://reader035.fdocuments.net/reader035/viewer/2022062523/58f070f71a28abbb278b45ef/html5/thumbnails/3.jpg)
STATE OF THE UNION
![Page 4: Lessons Learned From Heartbleed, Struts, and The Neglected 90%](https://reader035.fdocuments.net/reader035/viewer/2022062523/58f070f71a28abbb278b45ef/html5/thumbnails/4.jpg)
Web Apps are the Top Attack Surface
--- 2014 Verizon Data Breach Investigations Report
![Page 5: Lessons Learned From Heartbleed, Struts, and The Neglected 90%](https://reader035.fdocuments.net/reader035/viewer/2022062523/58f070f71a28abbb278b45ef/html5/thumbnails/5.jpg)
Spending and risk are out of sync: AppSec gets the LEAST $ but the MOST attacker focus.
Worse, within AppSec, existing dollars go to the 10% that is written.
Security spending by category (Source: normalized spending numbers from IDC, Gartner, The 451 Group; groupings vary):
• Network Security ~$20B
• Host Security ~$10B
• Data Security ~$5B
• People Security ~$4B
• Application Security ~$0.5B (SAST/DAST on written code)
• Assembled 3rd Party & Open Source Components (~90% of most applications): almost no spending
![Page 6: Lessons Learned From Heartbleed, Struts, and The Neglected 90%](https://reader035.fdocuments.net/reader035/viewer/2022062523/58f070f71a28abbb278b45ef/html5/thumbnails/6.jpg)
Spending and risk are OUT OF SYNC
Chart: dependence vs. current spending, by layer
• Presentation Layer, Business Logic
• Component Layer: 3rd Party & Open Source
• Database, OS, Firmware, Network
![Page 7: Lessons Learned From Heartbleed, Struts, and The Neglected 90%](https://reader035.fdocuments.net/reader035/viewer/2022062523/58f070f71a28abbb278b45ef/html5/thumbnails/7.jpg)
Application Security Technology Roadmap
Q. What is your status of implementation for this technology? n=198-205. Source: 451 Research Information Security – Wave 16
Chart: implementation status per technology. Technologies surveyed:
• Multifactor Authentication for Web-based Applications
• Application Security Testing – External Interface Fuzzing or Testing Vulnerability Assessment
• Database Security
• Application Security Testing – Code or Binary Analysis-based Vulnerability Assessment
• Web Application Firewall (WAF)
Response categories: In Use Now (Not Including Pilots); In Pilot/Evaluation (Budget Has Already Been Allocated); In Near-term Plan (In Next 6 Months); In Long-term Plan (6-18 Months); Past Long-term Plan (Later Than 18 Months Out); Not in Plan; Don't Know
![Page 8: Lessons Learned From Heartbleed, Struts, and The Neglected 90%](https://reader035.fdocuments.net/reader035/viewer/2022062523/58f070f71a28abbb278b45ef/html5/thumbnails/8.jpg)
2013 vs. 2012 Spending Change for Application Security Technologies
Q. How will your spending on this technology change in 2013 as compared to 2012? n=45-201. Data from respondents not using the technology or that don't know about spending are hidden.
Source: 451 Research Information Security – Wave 16
Chart: Less Spending / About the Same / More Spending for Database Security; Multifactor Authentication for Web-based Applications; Application Security Testing – External Interface Fuzzing or Testing Vulnerability Assessment; Web Application Firewall (WAF); Application Security Testing – Code or Binary Analysis-based Vulnerability Assessment.
Across the five technologies, roughly 70% to 77% report about the same spending, 16% to 24% more spending, and about 1% less spending.
![Page 9: Lessons Learned From Heartbleed, Struts, and The Neglected 90%](https://reader035.fdocuments.net/reader035/viewer/2022062523/58f070f71a28abbb278b45ef/html5/thumbnails/9.jpg)
2014 vs. 2013 Spending Change for Application Security Technologies
Q. How will your spending on this technology change in 2014 as compared to 2013? n=45-201. Data from respondents not using the technology or that don't know about spending are hidden. Source: 451 Research Information Security – Wave 16
Chart: Less Spending / About the Same / More Spending for Application Security Testing – External Interface Fuzzing or Testing Vulnerability Assessment; Multifactor Authentication for Web-based Applications; Database Security; Web Application Firewall (WAF); Application Security Testing – Code or Binary Analysis-based Vulnerability Assessment.
Across the five technologies, roughly 58% to 70% report about the same spending, 21% to 34% more spending, and 1% to 3% less spending.
![Page 10: Lessons Learned From Heartbleed, Struts, and The Neglected 90%](https://reader035.fdocuments.net/reader035/viewer/2022062523/58f070f71a28abbb278b45ef/html5/thumbnails/10.jpg)
2014 vs. 2013 Spending Change for Information Security Technologies
Q. How will your spending on this technology change in 2014 as compared to 2013? n=45-201. Data from respondents not using the technology or that don't know about spending are hidden. Source: 451 Research Information Security – Wave 16
Chart: per-technology split of Less Spending / About the Same / More Spending. Technologies surveyed:
• Anti-spam/Email Security
• Patch Management
• Penetration Testing
• Anti-spyware
• Hard Drive Encryption
• Laptop Encryption
• Anti-virus
• Host Intrusion Detection and/or Prevention (HIDS/HIPS)
• Secure File Transfer
• Computer Forensics
• Email/Messaging Archiving/Compliance
• Vulnerability/Risk Assessment/Scanning (of Infrastructure)
• File Integrity Monitoring
• SSL VPNs
• Secure Instant Messaging
• Email Encryption
• Application Security Testing – External Interface Fuzzing or Testing Vulnerability Assessment
• Key Management and/or Public Key Infrastructure
• Web Content Filtering
• Threat Intelligence
• Two-factor (Strong) Authentication for Infrastructure (e.g., …)
• Single Sign-on
• IT Security Training/Education/Awareness
• Anti-botnet
• Multifactor Authentication for Web-based Applications
• Information or Digital Rights Management
• Database Security
• Advanced Anti-malware Response
• Managed Security Service Provider (MSSP)
• Policy and Configuration Management
• Tokenization
• Web Application Firewall (WAF)
• IT GRC (Governance, Risk, Compliance)
• Network Data-loss Prevention Solutions
• Application Security Testing – Code or Binary Analysis-based Vulnerability Assessment
• Mobile Device Security (Not MDM)
• Network Intrusion Detection and/or Prevention (NIDS/NIPS)
• Network Firewalls
• Event Log Management System
• Virtualization Security
• Application-aware Firewall
• Identity Management
• Unified Threat Management (UTM)
• Endpoint Data-loss Prevention Solutions
• Network Access Control (NAC)
• Cloud Security
• Security Information Event Management (SIEM)
• Mobile Device Management
![Page 12: Lessons Learned From Heartbleed, Struts, and The Neglected 90%](https://reader035.fdocuments.net/reader035/viewer/2022062523/58f070f71a28abbb278b45ef/html5/thumbnails/12.jpg)
Below the Security Poverty Line …
• Little to no IT expertise
• More likely to use open source because it’s free
• No resources to monitor open source use or test it for vulnerabilities
• Disproportionately dependent on third party vendors
• Limited span of control
• Configuration and tuning decisions
• Architecture and strategy decisions
• Risk management
• Information asymmetry
![Page 13: Lessons Learned From Heartbleed, Struts, and The Neglected 90%](https://reader035.fdocuments.net/reader035/viewer/2022062523/58f070f71a28abbb278b45ef/html5/thumbnails/13.jpg)
What do we mean by the ‘Neglected 90%’?
Chart: 90% Assembled vs. Written
![Page 14: Lessons Learned From Heartbleed, Struts, and The Neglected 90%](https://reader035.fdocuments.net/reader035/viewer/2022062523/58f070f71a28abbb278b45ef/html5/thumbnails/14.jpg)
What Security Approach Has the Most Impact?
• Defensible Infrastructure
• Operational Excellence
• Situational Awareness
• Counter-measures
![Page 15: Lessons Learned From Heartbleed, Struts, and The Neglected 90%](https://reader035.fdocuments.net/reader035/viewer/2022062523/58f070f71a28abbb278b45ef/html5/thumbnails/15.jpg)
IS IT OPEN SEASON ON OPEN SOURCE?
![Page 16: Lessons Learned From Heartbleed, Struts, and The Neglected 90%](https://reader035.fdocuments.net/reader035/viewer/2022062523/58f070f71a28abbb278b45ef/html5/thumbnails/16.jpg)
Now that software is 90% ASSEMBLED…
![Page 17: Lessons Learned From Heartbleed, Struts, and The Neglected 90%](https://reader035.fdocuments.net/reader035/viewer/2022062523/58f070f71a28abbb278b45ef/html5/thumbnails/17.jpg)
One risky component, multiplied thousands of times: ONE EASY TARGET
![Page 18: Lessons Learned From Heartbleed, Struts, and The Neglected 90%](https://reader035.fdocuments.net/reader035/viewer/2022062523/58f070f71a28abbb278b45ef/html5/thumbnails/18.jpg)
Global Bank
Software Provider
Software Provider’s Customer
State University
Three-Letter Agency
Large Financial Exchange
Hundreds of Other Sites
![Page 19: Lessons Learned From Heartbleed, Struts, and The Neglected 90%](https://reader035.fdocuments.net/reader035/viewer/2022062523/58f070f71a28abbb278b45ef/html5/thumbnails/19.jpg)
Is it true, with many eyeballs, all bugs are SHALLOW?
Chart: CVEs plotted by year (2005 to 2014) against CVSS score (1.0 to 10.0):
CVE-2005-3745, CVE-2006-1546, CVE-2006-1547, CVE-2006-1548, CVE-2007-6726, CVE-2008-2025, CVE-2008-6504, CVE-2008-6505, CVE-2008-6682, CVE-2010-1870, CVE-2011-1772, CVE-2011-2087, CVE-2011-2088, CVE-2011-5057, CVE-2012-0391, CVE-2012-0392, CVE-2012-0393, CVE-2012-0394, CVE-2012-0838, CVE-2012-1006, CVE-2012-1007, CVE-2012-4386, CVE-2012-4387, CVE-2013-1965, CVE-2013-1966, CVE-2013-2115, CVE-2013-2134, CVE-2013-2135, CVE-2013-2248, CVE-2013-2251, CVE-2013-4310, CVE-2013-4316, CVE-2013-6348, CVE-2014-0094
![Page 20: Lessons Learned From Heartbleed, Struts, and The Neglected 90%](https://reader035.fdocuments.net/reader035/viewer/2022062523/58f070f71a28abbb278b45ef/html5/thumbnails/20.jpg)
In 2013, 4,000 organizations downloaded a version of Bouncy Castle with a level 10 vulnerability 20,000 TIMES … MORE THAN FIVE YEARS after the vulnerability was fixed.
NATIONAL CYBER AWARENESS SYSTEM, Original Release Date: 03/30/2009
CVE-2007-6721, Bouncy Castle Java Cryptography API
CVSS v2 Base Score: 10.0 HIGH; Impact Subscore: 10.0; Exploitability Subscore: 10.0
![Page 21: Lessons Learned From Heartbleed, Struts, and The Neglected 90%](https://reader035.fdocuments.net/reader035/viewer/2022062523/58f070f71a28abbb278b45ef/html5/thumbnails/21.jpg)
In December 2013, 6,916 DIFFERENT organizations downloaded a version of httpclient with broken SSL validation (CVE-2012-5783) 66,824 TIMES … more than ONE YEAR AFTER THE ALERT.
NATIONAL CYBER AWARENESS SYSTEM, Original Release Date: 11/04/2012
CVE-2012-5783, Apache Commons HttpClient 3.x
CVSS v2 Base Score: 5.8 MEDIUM; Impact Subscore: 4.9; Exploitability Subscore: 8.6
![Page 22: Lessons Learned From Heartbleed, Struts, and The Neglected 90%](https://reader035.fdocuments.net/reader035/viewer/2022062523/58f070f71a28abbb278b45ef/html5/thumbnails/22.jpg)
THE REAL IMPLICATIONS OF HEARTBLEED
![Page 23: Lessons Learned From Heartbleed, Struts, and The Neglected 90%](https://reader035.fdocuments.net/reader035/viewer/2022062523/58f070f71a28abbb278b45ef/html5/thumbnails/23.jpg)
Heartbleed + Internet of Things = ?
In Our Bodies / In Our Homes
![Page 24: Lessons Learned From Heartbleed, Struts, and The Neglected 90%](https://reader035.fdocuments.net/reader035/viewer/2022062523/58f070f71a28abbb278b45ef/html5/thumbnails/24.jpg)
IS IT TIME FOR A SOFTWARE SUPPLY CHAIN? (and/or software liability)
![Page 25: Lessons Learned From Heartbleed, Struts, and The Neglected 90%](https://reader035.fdocuments.net/reader035/viewer/2022062523/58f070f71a28abbb278b45ef/html5/thumbnails/25.jpg)
Supply Chain Management
Diagram stages: Supplier, Supply, Selection, Integration, Delivery, Optimization (Monitoring); spanning Projects, Components, Component Version, Platforms & Tools, and the Application.
![Page 26: Lessons Learned From Heartbleed, Struts, and The Neglected 90%](https://reader035.fdocuments.net/reader035/viewer/2022062523/58f070f71a28abbb278b45ef/html5/thumbnails/26.jpg)
If you’re not using secure COMPONENTS you’re not building secure APPLICATIONS
Lifecycle: Component Selection → Development → Build and Deploy → Production
![Page 27: Lessons Learned From Heartbleed, Struts, and The Neglected 90%](https://reader035.fdocuments.net/reader035/viewer/2022062523/58f070f71a28abbb278b45ef/html5/thumbnails/27.jpg)
Lifecycle: Component Selection → Development → Build and Deploy → Production
Today’s approaches AREN’T WORKING
• 46m vulnerable components downloaded
• 71% of apps have 1+ critical or severe vulnerability
• 90% of repositories have 1+ critical vulnerability
![Page 28: Lessons Learned From Heartbleed, Struts, and The Neglected 90%](https://reader035.fdocuments.net/reader035/viewer/2022062523/58f070f71a28abbb278b45ef/html5/thumbnails/28.jpg)
“Sonatype presents a rare opportunity to do something concrete in the application security space. One of the 1st tools that comes close to remediation not just scan results and recommendations.”
-- Wendy Nather
![Page 29: Lessons Learned From Heartbleed, Struts, and The Neglected 90%](https://reader035.fdocuments.net/reader035/viewer/2022062523/58f070f71a28abbb278b45ef/html5/thumbnails/29.jpg)
A NEW APPROACH
CURRENT METHODS (problem discovery): “Scan and scold”; Source code scanning; Approval-centric workflow; Scans after development
SONATYPE CLM (problem remediation): Empower developers; Component analysis; Automated policy across lifecycle; Policy enforcement throughout SLC
![Page 30: Lessons Learned From Heartbleed, Struts, and The Neglected 90%](https://reader035.fdocuments.net/reader035/viewer/2022062523/58f070f71a28abbb278b45ef/html5/thumbnails/30.jpg)
Don’t use vulnerable components. It’s an AVOIDABLE RISK
2013 Data Breach Investigations Report:
“Some organizations will be a target REGARDLESS of what they do, but most become a target BECAUSE of what they do.”
![Page 31: Lessons Learned From Heartbleed, Struts, and The Neglected 90%](https://reader035.fdocuments.net/reader035/viewer/2022062523/58f070f71a28abbb278b45ef/html5/thumbnails/31.jpg)
How can we choose the best components FROM THE START?
Shift Upstream = ZTTR (Zero Time to Remediation)
Analyze all components from within your IDE
License, Security and Architecture data for each component, evaluated against your policy
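The policy check these slides describe, as an added example that is not from the deck or from Sonatype's product: it reads a constructed pom.xml fragment, matches each dependency against constructed advisory records keyed on the two CVEs the deck cites, and decides block/warn/allow by a CVSS threshold. The Maven coordinates, the "fixed_in" version boundaries and the policy thresholds are illustrative assumptions, not authoritative data.

```python
# Added example, not the deck's or Sonatype's code: Maven dependencies checked
# against advisory records, then judged by a CVSS-threshold component policy.
import re
import xml.etree.ElementTree as ET
MAVEN_NS = {"m": "http://maven.apache.org/POM/4.0.0"}

# Constructed pom.xml fragment; coordinates and versions are illustrative.
POM = """<project xmlns="http://maven.apache.org/POM/4.0.0"><dependencies>
  <dependency><groupId>bouncycastle</groupId><artifactId>bcprov-jdk15</artifactId><version>1.36</version></dependency>
  <dependency><groupId>commons-httpclient</groupId><artifactId>commons-httpclient</artifactId><version>3.1</version></dependency>
  <dependency><groupId>org.apache.httpcomponents</groupId><artifactId>httpclient</artifactId><version>4.3.3</version></dependency>
</dependencies></project>"""

# Constructed advisories: CVE ids and CVSS scores are those the deck cites;
# coordinates and "fixed_in" boundaries are placeholders, not authoritative.
ADVISORIES = [
    {"cve": "CVE-2007-6721", "group": "bouncycastle", "artifact": "bcprov-jdk15",
     "fixed_in": "1.38", "cvss": 10.0},
    {"cve": "CVE-2012-5783", "group": "commons-httpclient",
     "artifact": "commons-httpclient", "fixed_in": "4.0", "cvss": 5.8},
]
# Hypothetical policy: block high/critical findings, warn on medium ones.
POLICY = {"block_at_or_above": 7.0, "warn_at_or_above": 4.0}

def version_key(version):
    """'1.36' -> (1, 36): numeric compare using the leading digits of each piece."""
    return tuple(int(m.group()) if (m := re.match(r"\d+", piece)) else 0
                 for piece in version.split("."))

def parse_dependencies(pom_xml):
    """Return (groupId, artifactId, version) for each <dependency> in the POM."""
    root = ET.fromstring(pom_xml)
    return [(d.findtext("m:groupId", namespaces=MAVEN_NS),
             d.findtext("m:artifactId", namespaces=MAVEN_NS),
             d.findtext("m:version", namespaces=MAVEN_NS))
            for d in root.findall(".//m:dependency", MAVEN_NS)]

def evaluate(deps, advisories=ADVISORIES, policy=POLICY):
    """Flag dependencies below an advisory's fixed version; decide per policy."""
    findings = []
    for group, artifact, version in deps:
        for adv in advisories:
            if (group, artifact) != (adv["group"], adv["artifact"]):
                continue
            if version_key(version) >= version_key(adv["fixed_in"]):
                continue  # already on a fixed version, nothing to report
            action = ("BLOCK" if adv["cvss"] >= policy["block_at_or_above"]
                      else "WARN" if adv["cvss"] >= policy["warn_at_or_above"] else "ALLOW")
            findings.append({"component": f"{group}:{artifact}:{version}",
                             "cve": adv["cve"], "cvss": adv["cvss"], "action": action})
    return findings

if __name__ == "__main__":
    for f in evaluate(parse_dependencies(POM)):
        print(f"{f['action']:5} {f['component']}  {f['cve']} (CVSS {f['cvss']})")
```

Wired into a build, a BLOCK result fails the build at component selection rather than after a post-development scan, which is the "shift upstream" the slide argues for.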
![Page 32: Lessons Learned From Heartbleed, Struts, and The Neglected 90%](https://reader035.fdocuments.net/reader035/viewer/2022062523/58f070f71a28abbb278b45ef/html5/thumbnails/32.jpg)
How do we prevent future bleeding hearts?
-- 3 step action plan
LEARN MORE
“The combination of growing component usage, coupled with lack of security, requires us to urgently re-evaluate traditional application security approaches.”
http://www.sonatype.com/clm/spotlight-on-heartbleed
www.sonatype.com/neglected90
![Page 33: Lessons Learned From Heartbleed, Struts, and The Neglected 90%](https://reader035.fdocuments.net/reader035/viewer/2022062523/58f070f71a28abbb278b45ef/html5/thumbnails/33.jpg)
LESSONS LEARNED FROM HEARTBLEED, STRUTS AND THE NEGLECTED 90%