Shifting the conversation from active interception to proactive neutralization

Rod Cope, CTO

Transcript of the slide deck “Shifting the conversation from active interception to proactive neutralization”

Page 1: Title slide

Shifting the conversation from active interception to proactive neutralization

Rod Cope, CTO

Page 2: Presenters

Rod Cope, CTO, Rogue Wave Software

© 2015 Rogue Wave Software, Inc. All Rights Reserved.

Page 3: Quote

“With all software, there will be more security holes, you need to plan for it, have tooling, prepare for some notification process so you can quickly learn when there is an issue, whether it’s open source or from somewhere else, that you know there’s an issue, and then have a mitigation plan in place so you know what is affected.”

- Rod Cope, CTO

Page 4: Why the shift?

150X as much as fixing the bug during the requirements or design phase.

• 76% of organizations using open source don’t have meaningful controls over what components go into their applications
• 55% of organizations don’t have a security awareness program in place
• 78% of development teams use time-consuming manual testing processes to ensure code security
• 72% of developers believe they are responsible for security and safety testing of their code
• 70% of development organizations don’t have clear policies, procedures, and tools for using open source code

Page 5: What are the risks?

Risks include:

• OSS security issues
• Unknown OSS
• Outside reprogramming of systems
• Code vulnerabilities

Page 6: Unknown OSS & security issues

Page 7: Outside reprogramming of systems

Page 8: Code vulnerabilities

Page 9: Common attacks

Organizations have failed to prevent attacks because of:

• Lack of time
• Lack of focus
• Lack of tools / proper tools

Survey: of 1700 developers, 80% incorrectly answered key questions surrounding the protection of sensitive data.

Most breaches result from input trust issues:

• SQL injection
• Unvalidated input
• Cross-site scripting

Examples:

• Heartbleed: buffer overrun
• BMW patch: HTTP vs. HTTPS

Page 10: Root causes of vulnerabilities

• Supply chain: software suppliers can introduce risks (security, functional, compliance) before they reach you
• Minimal testing: different platforms, processes, tools, standards, etc. require more effort to assess, test, and standardize
• Lack of prioritization
• Lack of developer education

Over 90% of companies use OSS components in commercial software [1]

46 million vulnerable open source components are downloaded each year

1. Gartner

Page 11: Multi-source software

[Diagram: your product is assembled from open source, legacy code, COTS, contractor and ISV components, then integrated and tested; the cost to fix defects ranges from $ to $$$$ across these stages]

Page 12: Traditional development: Security as a service

Adaptive

• Separation of duties for testing and auditing
• Separate testing tools, results fed to development
• Development, compliance, and security are independent functions

Traditional Secure Development Lifecycle activities:

Req's
• Establish security requirements
• Create quality gates
• Risk assessments

Design
• Establish design requirements
• Analyze attack surface
• Threat modeling

Build
• Use approved tools
• Deprecate unsafe functions

Test
• Static analysis
• Dynamic analysis
• Fuzz testing
• Attack surface review
• Open source review

Deploy
• Incident response plan
• Final security review
• Release archive

Page 13: Consequences of security as a service

Adaptive

• Increased remediation costs
• Delayed releases
• Security and development become adversarial

Cost of remediation by phase (Source: Barry Boehm, “Equity Keynote Address”, March 19, 2007):

Phase   | Relative cost to fix | Activities
Req’s   | 1x                   | Establish security requirements; Create quality gates; Risk assessments
Design  | 5x                   | Establish design requirements; Analyze attack surface; Threat modeling
Build   | 10x                  | Use approved tools; Deprecate unsafe functions
Test    | 20x to 50x           | Static analysis; Dynamic analysis; Fuzz testing; Attack surface review; Open source review
Deploy  | 150x                 | Incident response plan; Final security review; Release archive

Page 14: Build-only analysis in dev process

[Diagram: cost of defects across the Build and Analysis / Test stages]

Page 15: Defect introduction

[Diagram: cost of defects across the Build and Analysis / Test stages, with the point marked where 50% of defects are introduced]

Page 16: Solutions

Page 17: Shift your plan of attack

• Agile, continuous integration, continuous delivery
• Understanding processes
• Educating teams
• Implementing tools
• Enforcing compliance
• Measuring success
• Adopting new standards
• Systems integrators vs. systems builders
• Multiple development teams

Page 18: Prevent software failure due to defects

Your team worries about:

• Problems with array indexes
• Errors in error handlers
• Untrapped exceptions
• Memory leaks
• Unchecked stacks and buffers
• Misplaced pointers

Page 19: Analysis and testing

Check code faster (Source: https://uwaterloo.ca/counselling-services/curve-forgetting)

Issues identified at your desktop:

1. Real-time feedback
2. Correct code before check-in
3. All areas impacted by a given defect are highlighted
4. After system build, the impact of other developers’ code is also delivered to the desktop for corrective action

Page 20: Static code analysis

Traditionally used to find simple, annoying bugs.

Modern, state-of-the-art SCA:

• Sophisticated inter-procedural control and data-flow analysis
• Model-based simulation of runtime expectation
• Provides an automated view of all possible execution paths
• Finds complex bugs and runtime errors: memory leaks, concurrency violations, buffer overflows
• Checks compliance with internationally recognized standards: MISRA, CWE, OWASP, ISO 26262

Page 21: Shifting the conversation from active interception to proactive neutralization

• Hundreds of checkers for C, C++, C# and Java• Support for numerous standards• Customizable:

– Turn checkers on or off– Change the severity of identified defects– Add custom checkers

Klocwork static analysis engine

• MISRA, DISA, CWE, CERT, etc.

• Dead code• Unreachable code

Calculated values that are never used

• Unused function parameters

• …

Coding Standards & Maintainability

• Memory and resource leaks

• Concurrency violations• Infinite loops• Dereferencing NULL

pointers• Usage of uninitialized data• Resource management• Memory allocation errors• …

Reliability

• Buffer overflow• Un-validated user input• SQL injection• Path injection• File injection• Cross-site scripting• Information leakage• Vulnerable coding

practices• …

Security

© 2015 Rogue Wave Software, Inc. All Rights Reserved.

20

Page 22: Klocwork finds Heartbleed
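The “input trust” point from Page 9 and the Heartbleed finding above come down to one missing check: the declared payload length was copied without comparing it to the bytes actually received. The parser below is an added example, not OpenSSL’s code and not part of the deck; it applies the RFC 6520 length rule that the Heartbleed fix introduced and discards any record whose header claims more than the record holds.

```python
import struct
from typing import Optional, Tuple

# RFC 6520 heartbeat record layout: type (1 byte) | payload_length (2 bytes, big-endian)
# | payload | padding (at least 16 bytes). The field names are the RFC's; the checks are
# this example's own implementation of the rule, not OpenSSL's code.
HEARTBEAT_REQUEST = 1
HEARTBEAT_RESPONSE = 2
MIN_PADDING = 16
HEADER_LEN = 3


class InputTrustError(ValueError):
    """The record's declared length is not backed by the bytes actually present."""


def parse_heartbeat(record: bytes) -> Tuple[int, bytes]:
    """Parse a heartbeat record without trusting the sender's length field.

    The Heartbleed defect was the absence of the second check: the code copied
    payload_length bytes out of a buffer that only held len(record) bytes, so the
    reply leaked whatever memory followed the record.
    """
    if len(record) < HEADER_LEN + MIN_PADDING:
        raise InputTrustError("record too short to hold a header and padding")
    hb_type, payload_length = struct.unpack("!BH", record[:HEADER_LEN])
    # The fix: the declared payload plus mandatory padding must fit inside the record.
    if HEADER_LEN + payload_length + MIN_PADDING > len(record):
        raise InputTrustError(
            f"declared payload_length {payload_length} exceeds record of {len(record)} bytes")
    return hb_type, record[HEADER_LEN:HEADER_LEN + payload_length]


def build_heartbeat(hb_type: int, payload: bytes, padding_len: int = MIN_PADDING) -> bytes:
    """Encode a record whose length field matches the payload it actually carries."""
    return struct.pack("!BH", hb_type, len(payload)) + payload + bytes(padding_len)


def handle_heartbeat_request(record: bytes) -> Optional[bytes]:
    """Echo a valid request's payload; None means 'silently discard', as RFC 6520 requires."""
    try:
        hb_type, payload = parse_heartbeat(record)
    except InputTrustError:
        return None
    if hb_type != HEARTBEAT_REQUEST:
        return None
    return build_heartbeat(HEARTBEAT_RESPONSE, payload)
```

A static analyzer flags the original defect as a buffer overrun because the copy length comes from untrusted input with no bound tied to the source buffer; the explicit comparison above is what makes the copy provably in range.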

Page 23: Use open source software safely

“So the mystery is not that a few overworked volunteers missed this bug; the mystery is why it hasn’t happened more often.”

- Steve Marquess, OpenSSL Software Foundation, on the Heartbleed bug

80% of developers need not prove the security of the OSS they’re using

Only 7% of organizations have an OSS policy around security

Page 24: If you’re using open source, security verification is up to you

[Diagram: application code and 3rd-party components]

• Do you know all the open source you are using?
• Test your code
• Look for flaws early
• Make security a priority

Page 25: Reducing open source risk

• Know your inventory with OSS scanning: an automated, repeatable way to locate OSS packages (and packages within packages!) and licensing obligations. Look for scanning tools that are SaaS and protect your IP by not requiring source code upload.
• Use only trusted packages
• Notify and update security fixes: get notified of latest patches, risks, and bugs
• Maintain with OSS support
• Establish an OSS policy to minimize risk
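The inventory and notification steps above are the mechanical part of the shift the deck argues for, and the “packages within packages” caveat is where naive inventories fail. The code below is an added example, not OpenLogic or any Rogue Wave tool: it flattens a constructed nested dependency tree into a full inventory, including a second copy of a library buried under another package, and matches every copy against a constructed advisory list using a numeric dotted-version comparison.

```python
from typing import List, Tuple

# Constructed example inputs (not real packages or advisories): a nested dependency
# tree as a scanner might recover it from a build, and an advisory feed keyed by package.
DEPENDENCY_TREE = {
    "name": "my-app", "version": "1.0.0", "dependencies": [
        {"name": "libalpha", "version": "2.3.1", "dependencies": [
            {"name": "libbeta", "version": "0.9.4", "dependencies": []},
        ]},
        {"name": "libgamma", "version": "4.0.0", "dependencies": [
            {"name": "libbeta", "version": "1.2.0", "dependencies": []},  # a second, newer copy
        ]},
    ],
}
ADVISORIES = [
    {"id": "ADV-EXAMPLE-1", "package": "libbeta", "fixed_in": "1.0.0", "severity": "high"},
    {"id": "ADV-EXAMPLE-2", "package": "libgamma", "fixed_in": "4.0.1", "severity": "medium"},
]


def parse_version(v: str) -> Tuple[int, ...]:
    """Assumes plain dotted numeric versions; tuples compare component-wise, so 1.10.0 > 1.9.9."""
    return tuple(int(p) for p in v.split("."))


def inventory(node: dict, path: str = "") -> List[Tuple[str, str, str]]:
    """Flatten the tree into (name, version, path) so packages inside packages are counted."""
    here = f"{path}/{node['name']}@{node['version']}"
    found = [(node["name"], node["version"], here)]
    for child in node.get("dependencies", []):
        found.extend(inventory(child, here))
    return found


def find_vulnerable(tree: dict, advisories: List[dict]) -> List[dict]:
    """Match every inventoried copy (including nested ones) against the advisory feed."""
    hits = []
    for name, version, path in inventory(tree)[1:]:  # skip the root application itself
        for adv in advisories:
            if adv["package"] == name and parse_version(version) < parse_version(adv["fixed_in"]):
                hits.append({"advisory": adv["id"], "package": name, "version": version,
                             "path": path, "severity": adv["severity"],
                             "upgrade_to": adv["fixed_in"]})
    return hits


if __name__ == "__main__":
    for hit in find_vulnerable(DEPENDENCY_TREE, ADVISORIES):
        print(f"[{hit['severity']}] {hit['advisory']}: {hit['path']} -> upgrade to {hit['upgrade_to']}")
```

The path in each hit is what makes the notification actionable: the vulnerable libbeta copy is the one under libalpha, while the copy under libgamma is already fixed, so the upgrade has to target the right parent package.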

Page 26: Open source management: OpenLogic

• Commercial-grade technical support for hundreds of open source packages
• Web-based platform for open source governance
• Open source scanning solutions
• Library of certified open source software with proactive security notifications

Page 27: Security vulnerability example

Page 28: Scan results example

Page 29: Conclusions

• Tooling: code analysis and OSS scanning
• Notification processes: OSS security notifications, latest patches
• Mitigation plan: shift from security as a service to security at the developer, correcting vulnerabilities as early as possible

Page 30: See us in action

www.roguewave.com

Rod Cope | [email protected]