Security Software Supply Chain: Is What You See What You Get?
Transcript of Security Software Supply Chain: Is What You See What You Get?
Start Time: 9 am US Pacific / 12 noon US Eastern / 5 pm London Time
#ISSAWebConf
Welcome Conference Moderator
Mark Kadrich Chief Information Security & Privacy Officer, San Diego Health Connect
03/22/2016
Speaker Introduction
• Derek Weeks, VP and Rugged DevOps Advocate, Sonatype
• Jonathan Knudsen, Cybersecurity Engineer, Synopsys
• Michael Angelo, CRISC, CISSP
• Henrik Plate, Senior Security Researcher, SAP SE
To ask a question:
Type in your question in the Chat area of your screen.
You may need to click on the double arrows to open this function.
Illusions of Control:
Security and Your Software Supply Chain
Derek E. Weeks
VP and Rugged DevOps Advocate, Sonatype
@WeeksTweets
• highest quality parts
• fewest and best suppliers
• visibility and traceability
We all have a SOFTWARE SUPPLY CHAIN
Open Source Download Requests…

| Year | Download requests |
| --- | --- |
| 2007 | 500M |
| 2008 | 1B |
| 2009 | 2B |
| 2010 | 4B |
| 2011 | 6B |
| 2012 | 8B |
| 2013 | 13B |
| 2014 | 17B |
| 2015 | 31B |
How Dependent on 3rd Parties Are We?
Typical application: 10% custom written code, 90% from 3rd parties (open source, cloud services, closed source).
• highest quality parts
• fewest and best suppliers
• visibility and traceability
AUTOMATE AUTOMATE AUTOMATE
CHANGE: the typical component is updated 3-4X per year.
1,286,732 OSS components, 136,249 suppliers, 11 million OSS users.
Suppliers Serving Manufacturers
Source: 2015 State of the Software Supply Chain Report

| | Orders (downloads) | Suppliers (artifacts) | Parts (versions) |
| --- | --- | --- | --- |
| Average | 240,757 | 7,601 | 18,614 |
• 59% never repaired
• 41% repaired: 390 days (median 265 days); CVSS 10s: 224 days
• <7: the best were remediated in under a week
Source: USENIX, https://www.usenix.org/system/files/login/articles/15_geer_0.pdf
Source: 2015 State of the Software Supply Chain Report
Diagram of two download paths: Public Repos → Local Repo → Build Tool, and Public Repos → Build Tool directly, labelled 95% of downloads and 5% of downloads.
100-200
Cycle Time: Minutes-Hours
Oh, DevOps…
• Q: Does your organization have an open source policy?
• Source: 2012, 2013, 2014 Sonatype Open Source Development and Application Security Survey
Orders Quality Control: Download Volumes of Old CVEs

| Average downloads | # with known vulnerabilities | % with known vulnerabilities | % known vulnerabilities (2013 or older) |
| --- | --- | --- | --- |
| 240,757 | 15,337 | 7.5% | 66.3% |

Source: 2015 State of the Software Supply Chain Report @sonatype
Analysis of 1,500+ applications…
ZTTR (Zero Time to Remediation)
1. Empower developers from the start
2. Design a frictionless approach
3. Create a software bill of materials
Yes! But What Can You See? Jonathan Knudsen <[email protected]>
Do You Know What’s Inside?
Software is Assembled
• First-Party Custom Code
• Third-Party Code (Free Open Source Software)
• Third-Party Code (Commercial Off-The-Shelf)
How Much Third-Party Code?

| Device | 3rd-party SW components |
| --- | --- |
| Multifunction printer | 16 |
| Wi-Fi access point | 35 |
| Router | 134 |
| Smart TV | 72 |
| Thermostat | 38 |
| Infusion pump | 3 |
| Smart phone | 123 |
| Security camera | 4 |

Source: Synopsys Protecode SC http://protecode-sc.com/
Builder’s Supply Chain
Router: postgresql, gzip, expat, libxml2, ipsec-tools, logrotate, gsoap, libssh2, zlib, pcre, xerces-j, sqlite3, racoon
Buyer’s Supply Chain
• Network Infrastructure
• Business Software
• Others
Ready for the Next Big One?
• Shellshock
• POODLE
Everyone Point to the Person Next to You
Lifecycle stages: Component Selection, Build, Purchase, Deploy, Maintenance
How Many Vulnerabilities?

| Device | CVEs | Components affected |
| --- | --- | --- |
| Multifunction printer | 407 | 6 |
| Wi-Fi access point | 858 | 17 |
| Thermostat | 724 | 18 |
| Infusion pump | 54 | 1 |
| Smart phone | 909 | 44 |
| Security camera | 226 | 3 |
| Router | 4,269 | 70 |
| Smart TV | 888 | 26 |

Source: Synopsys Protecode SC http://protecode-sc.com/
If It Ain’t Broke, It Will Be Soon
Chart: Unique CVEs (0 to 800) over time, 4/2/2008 to 4/2/2014; annotations: Compilation Date for Oldest Components (2/2008), Latest Firmware Release (12/2014).
Software Composition Analysis
• Obtain Software BoM
  • Vulnerabilities
  • Licenses
• Source analysis for builders
• Binary analysis for buyers
SCA for Builders
• Process and automation are key
• Shut down “bad” components before they happen
• Manage policy from above
• Let developers be developers
• Track supply chain for released products
SCA for Buyers
• X-Ray for software
• Assess risk
• Great for procurement!
• Track supply chains in deployed products
Use SCA to Minimize Risk
• Builders
  • Get a software bill of materials
  • Manage vulnerabilities
  • Manage licenses
  • Protect your brand
  • Save money
• Buyers
  • Get a software bill of materials
  • Manage vulnerabilities
  • Protect your brand
  • Save money
Your Organization Is What It Eats - Software Supply Chain Issues
Michael F. Angelo – CRISC, CISSP Chief Security Architect Micro Focus | NetIQ Corporation [email protected] @mfa0007
Question: What do printers, copiers, cars, medical devices, centrifuges … have in common?
Answer: All are dependent on software which has not been engineered to be secure and can be exploited.
All of these were developed in secure environments, so they are okay?
Agenda
• Successful software
• The problem
• How to….
• The future?
Successful Software
• 97% of enterprise desktops
• 89% of computers in US
• 3 billion phones
• 5 billion cards
• 125 million TVs
• All top OEMs ship Java
Since 2013, 612 Java vulnerabilities
Just Like Magic….
https://web.nvd.nist.gov/view/vuln/search?execution=e2s1
NVD Details
NVD Summary
• Details on vulnerabilities
• Impact analysis
• Vectors
• Pointers to details
• List of affected software
No problem…right?
OpenSSL as an Example
• Open Source implementation of SSL and TLS
• Almost 20 years
• Available for most Unix-like O/S, OpenVMS, and Windows
• 2015 [1]: 902,997,800 web servers
• 2014, CNN [2]: 2/3 of web servers run OpenSSL
[1] http://news.netcraft.com/archives/2015/11/16/november-2015-web-server-survey.html
5 Year History
1 vulnerability impacts ~602 million

| Year | CVEs |
| --- | --- |
| 2010 | 13 |
| 2011 | 7 |
| 2012 | 16 |
| 2013 | 12 |
| 2014 | 32 |
| 2015 | 35 |
Reported Vulnerabilities
• OpenSSL as a component tracks differently than OpenSSL as a product
• 1512 SSL vulnerabilities in 2014
• Vulnerabilities asserted against products, not components

| Year | CVEs |
| --- | --- |
| 2011 | 4150 |
| 2012 | 5278 |
| 2013 | 5174 |
| 2014 | 7903 |
| 2015 | 6500 |
The Problem
• Third party components are in products
• Products tested, analyzed, and retested for vulnerabilities…
• Components may not exhibit vulnerabilities
• What components are in your environment?
How to Identify Components
• Ideas
  • Manifests
  • Silent installs
  • Scraping copyright / trademark / version information
  • 3rd party license files
  • Hashes: National Software Reference Library, http://www.nsrl.nist.gov/Downloads.htm
The Future?
• If you identified all the software, and associated components, in your environment
• Then you need to
  • cross reference software to vulnerabilities in databases
  • raise awareness
  • provide sufficient information to enable you to test the PSV
Proof of Concept
Feature Creep
Caution
• Not every vulnerability will be meaningful
• Every CVE would be marked as
  • Relevant, Not Relevant, Investigation
  • Mitigated, Not Mitigated, No mitigation needed
Re-Cap: Applying This Today
• Look at resources in this presentation
• Create a tool that:
  • Identifies components in software
  • Checks against CVE
  • Enables triage & communication of potential issues
• Spread the word &
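The SCA workflow Knudsen describes (get a software bill of materials, manage vulnerabilities) and the tool Angelo asks for above (identify components, check them against CVE data, triage each finding with the Relevant / Not Relevant / Investigation and Mitigated / Not Mitigated / No mitigation needed states) can be sketched end to end in Python. This is an added example, not code from the webinar or from any speaker's product. Everything in it is constructed: the firmware "files" are byte strings, the hash reference set stands in for an NSRL-style list of known file hashes, the version-string patterns cover only the constructed samples, and the vulnerability entries use placeholder ids rather than real CVE numbers.

```python
import hashlib
import re
from dataclasses import dataclass

# Constructed stand-in for a firmware image: path -> file bytes. Real binaries
# carry version strings like these somewhere in their data sections.
FIRMWARE_FILES = {
    "/usr/lib/libz.so.1.2.8": b"\x7fELF zlib inflate/deflate build",
    "/usr/lib/libssl.so.1.0.0": b"\x7fELF OpenSSL 1.0.1f 6 Jan 2014\x00",
    "/usr/bin/sqlite3": b"\x7fELF SQLite version 3.8.6\x00",
    "/usr/lib/libexpat.so.1": b"\x7fELF expat_2.1.0\x00",
    "/usr/bin/custom_app": b"\x7fELF first-party code, no known strings",
}

def sha1(data: bytes) -> str:
    return hashlib.sha1(data).hexdigest()

# Identification method 1: exact hash match against a reference set of known
# files (what the NSRL provides). Constructed: one entry, computed from the
# sample bytes above so the example runs offline.
REFERENCE_HASHES = {
    sha1(FIRMWARE_FILES["/usr/lib/libz.so.1.2.8"]): ("zlib", "1.2.8"),
}

# Identification method 2: scrape version strings out of file contents.
VERSION_PATTERNS = [
    ("openssl", re.compile(rb"OpenSSL (\d+\.\d+\.\d+[a-z]?)")),
    ("sqlite", re.compile(rb"SQLite version (\d+\.\d+\.\d+)")),
    ("expat", re.compile(rb"expat_(\d+\.\d+\.\d+)")),
]

def identify_components(files):
    """Build the software BOM: a list of (path, component, version, method)."""
    bom = []
    for path, data in files.items():
        known = REFERENCE_HASHES.get(sha1(data))
        if known:
            bom.append((path, known[0], known[1], "hash"))
            continue  # an exact hash match beats a scraped string
        for name, pattern in VERSION_PATTERNS:
            match = pattern.search(data)
            if match:
                bom.append((path, name, match.group(1).decode(), "string"))
                break
    return bom

def parse_version(text: str):
    """'1.0.1f' -> ((1, 0, 1), 'f'); the tuples compare in release order."""
    match = re.fullmatch(r"(\d+(?:\.\d+)*)([a-z]?)", text)
    if not match:
        raise ValueError(f"unparseable version: {text!r}")
    return tuple(int(x) for x in match.group(1).split(".")), match.group(2)

# Constructed vulnerability list: (id, component, first affected, fixed in).
# The ids are placeholders, not real CVE numbers.
VULN_DB = [
    ("CVE-0000-0001", "openssl", "1.0.1", "1.0.1g"),
    ("CVE-0000-0002", "sqlite", "3.0.0", "3.8.7"),
    ("CVE-0000-0003", "zlib", "1.2.0", "1.2.4"),
]

@dataclass
class Finding:
    cve: str
    component: str
    version: str
    path: str
    relevance: str = "Investigation"    # Relevant | Not Relevant | Investigation
    mitigation: str = "Not Mitigated"   # Mitigated | Not Mitigated | No mitigation needed

RELEVANCE_STATES = {"Relevant", "Not Relevant", "Investigation"}
MITIGATION_STATES = {"Mitigated", "Not Mitigated", "No mitigation needed"}

def match_vulnerabilities(bom, vuln_db=VULN_DB):
    """Cross-reference every BOM entry against the vulnerability list."""
    findings = []
    for path, component, version, _method in bom:
        parsed = parse_version(version)
        for cve, vuln_component, first, fixed in vuln_db:
            if (vuln_component == component
                    and parse_version(first) <= parsed < parse_version(fixed)):
                findings.append(Finding(cve, component, version, path))
    return findings

def triage(findings, decisions):
    """Apply analyst decisions {cve: (relevance, mitigation)} and return the
    findings that still need work (not dismissed and not mitigated)."""
    for finding in findings:
        if finding.cve in decisions:
            relevance, mitigation = decisions[finding.cve]
            if relevance not in RELEVANCE_STATES or mitigation not in MITIGATION_STATES:
                raise ValueError(f"invalid triage state for {finding.cve}")
            finding.relevance, finding.mitigation = relevance, mitigation
    return [f for f in findings
            if f.relevance != "Not Relevant" and f.mitigation == "Not Mitigated"]

if __name__ == "__main__":
    bom = identify_components(FIRMWARE_FILES)
    findings = match_vulnerabilities(bom)
    decisions = {"CVE-0000-0002": ("Not Relevant", "No mitigation needed")}
    for finding in triage(findings, decisions):
        print(finding)
```

Two points the structure makes visible: a hash match is taken over a scraped string because a version string can be stale or copied, while a reference hash identifies an exact build; and findings start in the Investigation state and stay in the open backlog until an analyst records a decision, so nothing is silently dropped just because it was not looked at.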
Vulnerability Impact Assessment
Henrik Plate (SAP SE)
You Include a Vulnerable Library – What Now?
• OSS vulnerability scanners (OWASP Dependency Check, etc.) integrated into the development lifecycle scan the app during build
• Central, workflow-based database of app dependencies on OSS
• Common understanding of the dependency on a vulnerable library
• What now?
Solution Goal – Assess Exploitability
The same pipeline (scan app during build, central workflow-based database of app dependencies on OSS, OSS vulnerability scanners integrated into the development lifecycle, common understanding of the dependency on a vulnerable library), followed by a decision: Vulnerability exploitable? yes → Fix now; no → Fix later.
Solution Approach
• Application-specific exploitability is difficult to determine (minimalistic vuln. descriptions, transitive dependencies, multi-module OSS projects, data provenance, sanitizations, configurations, etc.)
• Only code matters: can the application be executed in such a way that vulnerable library code is run?
• Assumption: if an application executes code for which a security fix exists, then there is a significant risk that the vulnerability can be exploited in the specific application context
Vulnerability exploitable? yes → Fix now; no → Fix later
Solution Approach
• Static analysis: call graph reachability check for elements of the OSS security patch
• Dynamic analysis: comparison of traces collected during tests with change lists of OSS security patches
Decision tree: Vulnerable code potentially executed? no → Low Risk; yes → Vulnerable code actually executed? yes → High Risk
Plate, Ponta, Sabetta, “Impact assessment for vulnerabilities in open-source software libraries,” ICSME 2015, 31st IEEE International Conference on Software Maintenance and Evolution
Assessment Levels
• Non-vulnerable library release used
• Vulnerable library release used
• Vulnerable library code potentially executable
• Vulnerable library code actually executed
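The solution approach and the four assessment levels above, as an added example that is not SAP's tool and not code from the talk: it takes the CVE-2012-2098 / commons-compress 1.4 case from the slides, checks the used release against the fixed one, walks a call graph from the application's entry points to the constructs touched by the security patch (the static check), and intersects the constructs observed in test runs with the same set (the dynamic check). The call graph, the traces, the application and method names, and the set of patched constructs are all hypothetical; the real content of the 1.4.1 patch is not on the slides.

```python
from collections import deque

# The four assessment levels from the talk, lowest to highest.
LEVELS = (
    "non-vulnerable library release used",
    "vulnerable library release used",
    "vulnerable library code potentially executable",
    "vulnerable library code actually executed",
)

# The vulnerability from the slides: CVE-2012-2098, Apache Commons Compress before 1.4.1.
VULN = {
    "id": "CVE-2012-2098",
    "gav": "org.apache.commons:commons-compress",
    "fixed_in": "1.4.1",
    # Constructs changed by the security patch (its "change list"). These
    # names are hypothetical stand-ins; the real patch content is not on the slides.
    "patched_constructs": {
        "BZip2CompressorOutputStream.blockSort",
        "BZip2CompressorOutputStream.mainSort",
    },
}

# Constructed call graph (caller -> callees) of an application plus the library.
CALL_GRAPH = {
    "app.Main.main": {"app.Archiver.pack", "app.Report.render"},
    "app.Archiver.pack": {"BZip2CompressorOutputStream.write"},
    "BZip2CompressorOutputStream.write": {"BZip2CompressorOutputStream.endBlock"},
    "BZip2CompressorOutputStream.endBlock": {"BZip2CompressorOutputStream.blockSort"},
    "BZip2CompressorOutputStream.blockSort": {"BZip2CompressorOutputStream.mainSort"},
    "app.Report.render": set(),
}

# Constructed execution traces: the constructs observed during two test runs.
TEST_TRACES = [
    {"app.Main.main", "app.Report.render"},
    {"app.Main.main", "app.Archiver.pack", "BZip2CompressorOutputStream.write",
     "BZip2CompressorOutputStream.endBlock", "BZip2CompressorOutputStream.blockSort"},
]

def parse_version(text):
    """'1.4' -> (1, 4); '1.4.1' -> (1, 4, 1); tuples compare in release order."""
    return tuple(int(x) for x in text.split("."))

def reachable(graph, entry_points):
    """All constructs reachable from the entry points (breadth-first walk)."""
    seen, todo = set(), deque(entry_points)
    while todo:
        node = todo.popleft()
        if node in seen:
            continue
        seen.add(node)
        todo.extend(graph.get(node, ()))
    return seen

def assess(gav, version, entry_points, graph, traces, vuln=VULN):
    """Assessment level for one dependency: {'level', 'label', 'static', 'dynamic'}."""
    static_hits, dynamic_hits = set(), set()
    if gav != vuln["gav"] or parse_version(version) >= parse_version(vuln["fixed_in"]):
        level = 0  # fixed release (or a different library): nothing to assess
    else:
        level = 1  # vulnerable release is on the classpath
        # Static: can any patched construct be reached from the app's entry points?
        static_hits = reachable(graph, entry_points) & vuln["patched_constructs"]
        if static_hits:
            level = 2
        # Dynamic: was any patched construct actually observed during tests?
        # A dynamic hit counts even without a static one, because call graphs
        # miss edges introduced by reflection and dynamic dispatch.
        executed = set().union(*traces) if traces else set()
        dynamic_hits = executed & vuln["patched_constructs"]
        if dynamic_hits:
            level = 3
    return {"level": level, "label": LEVELS[level],
            "static": static_hits, "dynamic": dynamic_hits}

def prioritize(assessments):
    """Order a backlog of assessments: highest level (strongest evidence) first."""
    return sorted(assessments, key=lambda a: a["level"], reverse=True)

if __name__ == "__main__":
    result = assess("org.apache.commons:commons-compress", "1.4",
                    ["app.Main.main"], CALL_GRAPH, TEST_TRACES)
    print(result["label"], sorted(result["static"]), sorted(result["dynamic"]))
```

The asymmetry between the two checks is deliberate: static reachability over-approximates what can run but misses reflective and dynamically dispatched calls, while the traces only show what the tests happened to exercise. So a level 3 result is strong evidence of risk, but a level 2 result with no dynamic hit is not evidence of safety; it is the "fix later" bucket only after someone has looked at it.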
Solution Architecture (Java)
Actors: Tool Expert @ Central Team; Security & Application Expert. Components: Backend (central service @ SAP); Maven plugin (scheduled periodically) running in the central build infrastructure or an app-specific CI system; the application; 3rd party OSS repositories.
(1) trigger analysis of OSS security patch
(2) retrieve file revisions from 3rd party OSS repositories
(a) analyze the application
(b) up/download analysis results
(c) review results of app analysis
Example & Screenshots
CVE-2012-2098
• Algorithmic complexity vulnerability in the sorting algorithms in bzip2 compressing stream (BZip2CompressorOutputStream) in Apache Commons Compress before 1.4.1 allows remote attackers to cause a denial of service (CPU consumption) via a file with many repeating inputs.
• cpe:/a:apache:commons-compress:*
• Maven GAV: org.apache.commons : commons-compress : 1.4
Wrap-up & Outlook
Today
• Code-centricity reduces false-positives, and is robust against rebundling
• Static and dynamic analyses prioritize backlog
• New bugs do not require new scans
• Productively used at SAP
Tomorrow
• Continued development, e.g., as part of EIT project VAMOSS
• Production of re-usable library call graphs
• Analysis of alternative fixing strategies
Open Panel with Audience Q&A
• Michael Angelo, CRISC, CISSP
• Jonathan Knudsen, Cybersecurity Engineer, Synopsys
• Henrik Plate, Senior Security Researcher, SAP SE
• Derek Weeks, VP and Rugged DevOps Advocate, Sonatype
Closing Remarks
Thank you Citrix for donating the Webcast service
CPE Credit
• Within 24 hours of the conclusion of this webcast, you will receive a link via email to a post Web Conference quiz.
• After the successful completion of the quiz you will be given an opportunity to PRINT a certificate of attendance to use for the submission of CPE credits.
• On-Demand Viewers Quiz Link: http://www.surveygizmo.com/s3/2662670/ISSA-Web-Conference-March-22-2016-Security-Software-Supply-Chain-Is-What-You-See-What-You-Get