MITIGATING RISKS FROM DEVELOPMENT, INTEGRATION, DISTRIBUTION AND DEPLOYMENT Black Duck Software, Inc. All Rights Reserved.

Size: px

Start display at page:

Abel Garrison
8 years ago
Views:

2 BILL WEINBERG Bill leads the Black Duck Open Source Strategy consultancy, helping clients select, build and deploy software for intelligent devices, enterprise data centers and cloud infrastructure. Bill also acts as Black Duck Open Source community liaison and thought leader, representing Black Duck in the media and at industry conferences, on issues of OSS governance and relevant technical topics, including the Internet of Things, inner source and legacy migration. Bill has worked with open source for over 17 years and has over 30 years experience in embedded and open systems, telecommunications infrastructure and mobile devices. As a founding team member at MontaVista Software, Bill pioneered Linux as leading platform for intelligent devices. As Senior Analyst at OSDL (today, the Linux Foundation), Bill ran the Carrier Grade and Mobile Linux initiatives. As General Manager of the Linux Phone Standards Forum, Bill worked to foster development and standardization of open source mobile telephony Black Duck Software, Inc. All Rights Reserved.

3 JAKE KOUNS Bachelor of Business Administration and a Master of Business Administration with a concentration in Information Security from James Madison University. A number of certifications including ISC2's CISSP, and ISACA's CISM, CISA and CGEIT. He has briefed the DHS and Pentagon on Cyber Liability Insurance issues Black Duck Software, Inc. All Rights Reserved.

4 RISK BASED SECURITY RBS is a privately held corporation established in 2011 and is proud to serve the most respected companies such as IBM, Adobe, KPMG, Willis, AIG, Seattle Children s Hospital, major financials and others. RBS founders are behind the Open Security Foundation have been recognized as world-wide experts in the information security and was awarded SC Magazine s Editor's Choice Award in Community offerings: Black Duck Software, Inc. All Rights Reserved.

vulnerabilities in last 18 months have raised questions about the OSS

11 OPEN SOURCE SECURITY LANDSCAPE Open Source is increasingly pervasive Vulnerabilities accompany wide development and deployment Recent vulnerabilities in last 18 months have raised questions about the OSS security model Heartbleed Shellshock Poodle Ghost Black Duck Software, Inc. All Rights Reserved.

OPEN SOURCE HAS ITS SHARE OF VULNERABILITIES 12

OPEN SOURCE DEVELOPMENT MODEL User Community & Ecosystem Developer Community Core Developers Code Core project developers create, maintain, curate code

14 OPEN SOURCE DEVELOPMENT MODEL User Community & Ecosystem Developer Community Core Developers Code Core project developers create, maintain, curate code base Vet contributions from larger communities Focus on project goals features, performance, etc Black Duck Software, Inc. All Rights Reserved.

15 OPEN SOURCE CODE CURATION MODEL User Community & Ecosystem Developer Community Core Developers Code v1 Code v2 Code vn CONTINUOUS INCREMENTAL IMPROVEMENT Black Duck Software, Inc. All Rights Reserved.

16 OPEN SOURCE CODE QUALITY ASSURANCE Linus Law: Many eyes make all bugs shallow -- Eric Raymond COMMUNITY unterminated strings Indices out of bounds back doors memory leaks CODE faulty logic privilege violations race conditions stray pointers debug code regressions incorrect permissions unchecked function returns parameter reversal priority inversion unitialized variables deprecated versions misconfiguration improper type casts Black Duck Software, Inc. All Rights Reserved. Maintainers, developers, users exercise, debug & improve code

OPEN SOURCE CODE SECURITY GAP Majority of eyes occupied elsewhere Minority of community is security-savvy COMMUNITY unterminated strings Indices out of bounds memory leaks back doors stray pointers

18 OPEN SOURCE CODE SECURITY GAP Majority of eyes occupied elsewhere Minority of community is security-savvy COMMUNITY unterminated strings Indices out of bounds memory leaks back doors stray pointers CODE faulty logic privilege violations race conditions debug code regressions parameter reversal priority inversion unitialized variables deprecated versions misconfiguration incorrect permissions improper type casts unchecked function returns Black Duck Software, Inc. All Rights Reserved.

19 THREATS RESISTANT TO COMMUNITY OVERSIGHT Use-case specific errors Local misconfiguration LAN-based vulnerabilities Deployed deprecated s/w versions Weak encryption Bad authentication Stolen credentials Viruses, Trojans & other malware Denial of service attacks Weak passwords Unenforced security policy Phishing Man-in-the-middle attacks Forged certificates Spoofed MACs and IP addresses Latent zero-day exploits Brute force decryption Black Duck Software, Inc. All Rights Reserved.

AUTOMATE VISIBILITY AND CONTROL OSS LOGISTICS OSS Logistics Choose Approve Scan

Q & A What is the typical life-cycle of a vulnerability?

24 Q & A How does RBS contribute to OSVDB create and maintain VulnDB, and how are each unique from NVDB and other databases? National Vulnerability Database Black Duck Software, Inc. All Rights Reserved.

25 Q & A The OSS Security Model is receiving harsh scrutiny in light of recent vulnerabilities. Criticism notwithstanding, bringing many eyes to bear on software quality and vulnerabilities still beats relying on obscurity. How would you build on and improve current community security methods and discipline? Black Duck Software, Inc. All Rights Reserved.

26 Q & A Together, Black Duck and RBS are working to implement OSS Hygiene by combining risk awareness with OSS module version management. What are the advantages of this approach? OSS Hygiene Black Duck Software, Inc. All Rights Reserved.

27 Questions?

SECURITY ASPECTS OF OPEN SOURCE

SECURITY ASPECTS OF OPEN SOURCE Phyto Michael 1 2015 Black Duck Software, Inc. All Rights Reserved. THE OPEN SOURCE SECURITY LANDSCAPE March 2015 2 2015 Black Duck Software, Inc. All Rights Reserved. OPEN