SECURITY ASPECTS OF OPEN SOURCE


Presenter: Phyto Michael. 2015 Black Duck Software, Inc. All Rights Reserved.

THE OPEN SOURCE SECURITY LANDSCAPE (March 2015)

OPEN SOURCE VIEWED AS MORE SECURE
Source: 2014 Future of Open Source Survey.

OPEN SOURCE HAS ITS SHARE OF VULNERABILITIES

OPEN SOURCE SECURITY LANDSCAPE
- Open source is increasingly pervasive.
- Vulnerabilities accompany wide development and deployment.
- Vulnerabilities disclosed in the last 18 months have raised questions about the OSS security model: Heartbleed, Shellshock, POODLE, GHOST.

HEARTBLEED
A serious vulnerability (CVE-2014-0160) in the popular OpenSSL cryptographic library, affecting OpenSSL 1.0.1 through 1.0.1f and fixed in 1.0.1g (April 2014). A missing bounds check in the TLS heartbeat extension lets a peer claim a far larger payload than it actually sent, and the vulnerable code answers with up to 64 KB of process memory per request.
- Allows stealing the information that is normally protected by the SSL/TLS encryption used to secure the Internet. SSL/TLS provides communication security and privacy for applications such as web, email, instant messaging (IM) and some virtual private networks (VPNs).
- Allows anyone on the Internet to read the memory of systems running the vulnerable OpenSSL versions: user names and passwords, session cookies, the actual content of the traffic, and potentially the server's private key.
- Consequences: eavesdrop on communications, steal data directly from the services used, and impersonate the service if the private key was recovered.
- The request leaves nothing in application logs, so remediation is not only upgrading OpenSSL but also rotating keys and certificates and invalidating sessions and passwords.
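The missing bounds check described above, as an added example that is not OpenSSL's code and not part of the original deck. A bytes object stands in for the process heap; the record layout follows RFC 6520 (one type byte, a two-byte payload_length, the payload, at least 16 bytes of padding). The request, the neighbouring cookie and the key fragment are constructed. The "fixed" handler applies the same rule OpenSSL 1.0.1g added: discard the record when 1 + 2 + payload_length + 16 exceeds the record length.

```python
"""Model of TLS heartbeat (RFC 6520) handling before and after the Heartbleed fix.
Illustrative only, not OpenSSL code. `heap` is a bytes object standing in for
process memory, with the received record at offset 0 followed by other live data."""
import struct
from typing import Callable, Optional

HB_REQUEST = 1
HB_RESPONSE = 2
MIN_PADDING = 16


def build_heartbeat_request(payload: bytes, claimed_length: Optional[int] = None) -> bytes:
    """Encode a heartbeat request. An honest client leaves claimed_length as None;
    an attacker lies about it (up to 0xFFFF, i.e. 64 KB per request)."""
    if claimed_length is None:
        claimed_length = len(payload)
    return bytes([HB_REQUEST]) + struct.pack("!H", claimed_length) + payload + b"\x00" * MIN_PADDING


def _respond(payload: bytes) -> bytes:
    return bytes([HB_RESPONSE]) + struct.pack("!H", len(payload)) + payload + b"\x00" * MIN_PADDING


def handle_heartbeat_vulnerable(heap: bytes, record_length: int) -> Optional[bytes]:
    """OpenSSL 1.0.1 to 1.0.1f behaviour: trusts payload_length from the peer and
    copies that many bytes from the payload's position. record_length is never
    consulted, so the copy runs past the record into neighbouring memory
    (slicing truncates at the end of `heap` here; the real C code kept reading)."""
    if heap[0] != HB_REQUEST:
        return None
    payload_length = struct.unpack("!H", heap[1:3])[0]
    return _respond(heap[3:3 + payload_length])


def handle_heartbeat_fixed(heap: bytes, record_length: int) -> Optional[bytes]:
    """OpenSSL 1.0.1g behaviour: bounds-check before touching the payload and
    silently discard the record when the claimed length does not fit."""
    if record_length < 1 + 2 + MIN_PADDING or heap[0] != HB_REQUEST:
        return None
    payload_length = struct.unpack("!H", heap[1:3])[0]
    if 1 + 2 + payload_length + MIN_PADDING > record_length:
        return None
    return _respond(heap[3:3 + payload_length])


# Constructed neighbouring heap contents: another client's cookie and a key fragment.
NEIGHBOURING_DATA = b"Cookie: session=9f1c2a7e; -----BEGIN RSA PRIVATE KEY-----MIIEowIBAAKCAQEA"


def simulate(handler: Callable[[bytes, int], Optional[bytes]],
             claimed_length: Optional[int] = None) -> Optional[bytes]:
    """Place one request in front of the constructed heap and run a handler on it."""
    request = build_heartbeat_request(b"hello", claimed_length)
    return handler(request + NEIGHBOURING_DATA, len(request))


if __name__ == "__main__":
    leak = simulate(handle_heartbeat_vulnerable, claimed_length=0xFFFF)
    print("vulnerable handler leaked key material:", b"PRIVATE KEY" in leak)
    print("fixed handler's answer to the same request:", simulate(handle_heartbeat_fixed, 0xFFFF))
    print("fixed handler still echoes honest requests:", simulate(handle_heartbeat_fixed)[3:8])
```

The point to take from the fixed handler is that the check happens before any byte of the payload is read, and that a mismatch is dropped silently rather than answered with an error, so the peer learns nothing about what sits beyond the record.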

SHELLSHOCK: BASH (BASHDOOR)
Shellshock (CVE-2014-6271, followed by further CVEs for incomplete fixes) is a vulnerability in GNU bash.
- Bash imported function definitions from environment variables: any variable whose value began with "() {" was parsed as a function, and vulnerable versions kept parsing past the closing brace and executed whatever commands followed it.
- Executing bash with a chosen value in its environment variable list therefore lets an attacker run arbitrary commands, or exploit other bugs that may exist in bash's command interpreter.
- The remote vectors are anything that copies attacker-controlled strings into the environment of a process that ends up running bash: CGI scripts (request headers become HTTP_* variables), OpenSSH ForceCommand (SSH_ORIGINAL_COMMAND), DHCP client hook scripts, and similar.
- Fix: update bash. The first patch stops execution at the end of the function definition; later patches restricted function imports to specially named variables.
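How the payload travels from an HTTP request into bash's environment, with the two checks a practitioner runs first: an added example that is not Apache, bash or Black Duck code and not part of the original deck. The header-to-variable mapping follows RFC 3875; the request headers are constructed; the local probe is the widely published one-liner (a crafted variable named x, then see whether the trailing echo runs), so it reports False on any patched bash and None where bash is not installed.

```python
"""How a Shellshock payload reaches bash through CGI, with two checks.
Illustrative only: not Apache, bash or the deck's code. CONSTRUCTED_HEADERS is
a made-up request; the header-to-variable mapping follows RFC 3875."""
import shutil
import subprocess
from typing import Dict, List, Optional

# Vulnerable bash treated any environment variable whose value starts with this
# as an exported function definition, and kept executing what followed it.
SHELLSHOCK_PREFIX = "() {"


def cgi_environ(method: str, script: str, headers: Dict[str, str]) -> Dict[str, str]:
    """Environment a CGI gateway hands to the script (RFC 3875 subset): every
    request header becomes an HTTP_* variable, so header bytes chosen by the
    attacker are already in the environment when bash starts."""
    env = {"GATEWAY_INTERFACE": "CGI/1.1", "REQUEST_METHOD": method, "SCRIPT_NAME": script}
    for name, value in headers.items():
        env["HTTP_" + name.upper().replace("-", "_")] = value
    return env


def find_shellshock(env: Dict[str, str]) -> List[str]:
    """Names of variables that vulnerable bash would parse as functions. Bash
    matched the prefix at the very start of the value, so nothing is stripped."""
    return [name for name, value in env.items() if value.startswith(SHELLSHOCK_PREFIX)]


def bash_is_vulnerable(bash: Optional[str] = None) -> Optional[bool]:
    """The canonical local test: start bash with a crafted variable and see
    whether the command after the function body runs. None if bash is absent."""
    bash = bash or shutil.which("bash")
    if bash is None:
        return None
    env = {"PATH": "/usr/bin:/bin", "x": "() { :; }; echo SHELLSHOCK_EXECUTED"}
    result = subprocess.run([bash, "-c", "echo probe"], env=env,
                            stdout=subprocess.PIPE, stderr=subprocess.PIPE, text=True)
    return "SHELLSHOCK_EXECUTED" in result.stdout


CONSTRUCTED_HEADERS = {
    "Host": "www.example.com",
    "User-Agent": "() { :; }; /bin/bash -c 'cat /etc/passwd'",
    "Accept": "*/*",
}


def tainted_variables() -> List[str]:
    """Variables an attacker controls in the constructed request's CGI environment."""
    return find_shellshock(cgi_environ("GET", "/cgi-bin/status.sh", CONSTRUCTED_HEADERS))


if __name__ == "__main__":
    print("tainted CGI variables:", tainted_variables())
    print("local bash vulnerable:", bash_is_vulnerable())
```

The signature check is useful for log review and as a WAF rule, but it only covers this one prefix; the durable fix is the bash update, and the durable design lesson is that CGI (and anything else that maps untrusted input onto environment variables) hands the attacker a channel into every interpreter started downstream.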

POODLE
Padding Oracle On Downgraded Legacy Encryption (POODLE, CVE-2014-3566) is a flaw in the SSL 3.0 protocol itself, reached through the way browsers handle encryption: when a TLS handshake failed, browsers retried with older protocol versions down to SSL 3.0, and a man-in-the-middle can make the handshake fail on purpose.
- In SSL 3.0's CBC cipher suites the padding bytes are not covered by the MAC and only the final padding-length byte is checked. An attacker sitting in the middle, with JavaScript injected into the victim's browser to generate requests, substitutes chosen ciphertext blocks, watches which modified records the server accepts, and recovers plaintext one byte at a time at about 256 requests per byte.
- Many of the cipher suites in SSL 3.0 were already unused because of insecure and small key sizes; POODLE affects every remaining CBC suite, leaving only RC4, which has its own problems.
- The sensitive information that matters most is secret session cookies, which give the attacker the ability to hijack the user's accounts.
- Because the flaw is in the protocol design, it cannot be patched. The fix is to disable SSL 3.0 on servers and clients and to support TLS_FALLBACK_SCSV (RFC 7507) so that a forced downgrade is detected. POODLE hastened the death of SSL 3.0 as a standard; RFC 7568 formally deprecated it in June 2015.
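The padding-oracle mechanics above, worked through on a toy scale as an added example that is not from the original deck and not OpenSSL or browser code. It uses an 8-byte Feistel "block cipher" built from SHA-256 in place of 3DES (a keyed permutation, not a secure cipher, chosen only so the code runs with the standard library), an 8-byte HMAC truncation as the record MAC, and a constructed HTTP request as the victim's plaintext. The record format and the server's accept/reject rule mirror SSL 3.0; the attacker's byte recovery is the POODLE computation.

```python
"""Toy POODLE: padding oracle against SSL 3.0 style CBC records.
Not OpenSSL or browser code. The 8-byte Feistel 'cipher' below is a keyed
permutation built from SHA-256 so the example runs offline; it is not secure."""
import hashlib
import hmac
import random
from typing import Callable, Optional, Tuple

BLOCK = 8    # 3DES block size, the cipher POODLE was demonstrated against
MAC_LEN = 8


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def _round(key: bytes, i: int, half: bytes) -> bytes:
    return hashlib.sha256(key + bytes([i]) + half).digest()[:4]


def encrypt_block(key: bytes, block: bytes) -> bytes:
    left, right = block[:4], block[4:]
    for i in range(4):
        left, right = right, _xor(left, _round(key, i, right))
    return left + right


def decrypt_block(key: bytes, block: bytes) -> bytes:
    left, right = block[:4], block[4:]
    for i in reversed(range(4)):
        left, right = _xor(right, _round(key, i, left)), left
    return left + right


def ssl3_seal(key: bytes, mac_key: bytes, plaintext: bytes, rng: random.Random) -> bytes:
    """Victim side: MAC, then pad, then CBC-encrypt under a fresh IV (SSL 3.0 order).
    When plaintext+MAC is block-aligned a full block of padding is appended, whose
    last byte is BLOCK-1 and whose other bytes are arbitrary."""
    body = plaintext + hmac.new(mac_key, plaintext, hashlib.sha256).digest()[:MAC_LEN]
    pad_len = BLOCK - 1 - len(body) % BLOCK
    body += bytes(rng.randrange(256) for _ in range(pad_len)) + bytes([pad_len])
    prev = bytes(rng.randrange(256) for _ in range(BLOCK))   # the IV
    out = [prev]
    for i in range(0, len(body), BLOCK):
        prev = encrypt_block(key, _xor(body[i:i + BLOCK], prev))
        out.append(prev)
    return b"".join(out)


def ssl3_open_ok(key: bytes, mac_key: bytes, record: bytes) -> bool:
    """Server side: accept iff the padding-length byte is sane and the MAC verifies.
    The padding bytes themselves are never checked, which is the SSL 3.0 flaw."""
    blocks = [record[i:i + BLOCK] for i in range(0, len(record), BLOCK)]
    plain = b"".join(_xor(decrypt_block(key, c), p) for p, c in zip(blocks, blocks[1:]))
    pad_len = plain[-1]
    if pad_len >= BLOCK:
        return False
    body = plain[:len(plain) - pad_len - 1]
    if len(body) < MAC_LEN:
        return False
    expected = hmac.new(mac_key, body[:-MAC_LEN], hashlib.sha256).digest()[:MAC_LEN]
    return hmac.compare_digest(body[-MAC_LEN:], expected)


def poodle_recover_last_byte(resend: Callable[[], bytes], accepts: Callable[[bytes], bool],
                             target: int, max_tries: int = 100000) -> Tuple[Optional[int], int]:
    """Man in the middle. resend() makes the victim encrypt the same request again
    under a new IV; accepts() is the server's accept/reject signal. target is the
    plaintext block whose last byte is wanted; the request must end in a full
    padding block, which the attacker replaces with the target's ciphertext block."""
    for tries in range(1, max_tries + 1):
        rec = resend()
        blocks = [rec[i:i + BLOCK] for i in range(0, len(rec), BLOCK)]   # blocks[0] is the IV
        forged = b"".join(blocks[:-1]) + blocks[target + 1]
        if accepts(forged):
            # The server decrypted P_target XOR C_{target-1} XOR C_{n-1} as its last
            # block and accepted it, so that block's last byte was BLOCK-1.
            return (BLOCK - 1) ^ blocks[target][-1] ^ blocks[-2][-1], tries
    return None, max_tries


def demo(seed: int = 7) -> Tuple[Optional[int], int]:
    """Constructed victim: the attacker's JavaScript picks the path length so that a
    cookie byte ends plaintext block 1 and plaintext+MAC is block-aligned."""
    rng = random.Random(seed)
    key = bytes(rng.randrange(256) for _ in range(16))
    mac_key = bytes(rng.randrange(256) for _ in range(16))
    request = b"GET /aa " + b"cookie=s3cr3t!" + b"\r\n"      # 24 bytes; block 1 ends in 's'
    return poodle_recover_last_byte(lambda: ssl3_seal(key, mac_key, request, rng),
                                    lambda rec: ssl3_open_ok(key, mac_key, rec), target=1)


if __name__ == "__main__":
    byte, tries = demo()
    print("recovered byte %r after %d replays" % (chr(byte), tries))
```

Running it recovers the byte 's' after, on average, about 256 replays. In the real attack every replay is a browser request triggered by the attacker's script, and the attacker walks the cookie one byte at a time by lengthening the path to shift the next cookie byte into the last position of a block. Disabling SSL 3.0 removes the oracle; TLS_FALLBACK_SCSV stops the downgrade that exposes it.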

GHOST
GHOST (CVE-2015-0235) is a vulnerability found in January 2015 in one of the key components of Linux systems: the GNU C Library (glibc), which nearly every program on a glibc-based Linux system is linked against.
- The bug is a heap buffer overflow in the gethostbyname() and gethostbyname2() functions used to convert Internet host names to Internet addresses (in the internal helper that handles names consisting only of digits and dots).
- If an attacker finds software that passes a properly crafted host name to these functions, the attacker can take control of the process; the discoverers demonstrated a remote exploit against the Exim mail server.
- The overflow had already been fixed in glibc 2.18 (May 2013), but the fix was not recognised as a security fix, so long-term-support distributions kept shipping vulnerable versions for a year and a half. Knowing which glibc version is deployed, not merely that glibc is in use, is the version-hygiene problem the later slides address.

OPEN SOURCE SECURITY: Community Purview, Limitations and Solutions

OPEN SOURCE DEVELOPMENT MODEL
Diagram: nested layers, User Community & Ecosystem > Developer Community > Core Developers > Code.
- Core project developers create, maintain and curate the code base.
- They vet contributions from the larger communities.
- Their focus is on project goals: features, performance, etc.

OPEN SOURCE CODE CURATION MODEL
Diagram: the same layers (User Community & Ecosystem, Developer Community, Core Developers) feeding Code v1 > Code v2 > ... > Code vn: continuous incremental improvement.

OPEN SOURCE CODE QUALITY ASSURANCE
Linus's Law: "Given enough eyeballs, all bugs are shallow" (Eric Raymond, The Cathedral and the Bazaar).
COMMUNITY: maintainers, developers and users exercise, debug and improve the code.
CODE: the defect classes that community scrutiny turns up include unterminated strings, indices out of bounds, back doors, memory leaks, faulty logic, privilege violations, race conditions, stray pointers, priority inversion, debug code left in, regressions, incorrect permissions, unchecked function returns, parameter reversal, uninitialized variables, deprecated versions, misconfiguration and improper type casts.

THEORETICAL TRIPLE FENCE OF OSS SECURITY
Diagram: production code sits behind three nested layers of scrutiny, from the outside in: OSS project purview, distribution / platform creation, enterprise / OEM integration.

OPEN SOURCE CODE SECURITY GAP
- The majority of eyes are occupied elsewhere (features, performance, the project's own goals).
- Only a minority of the community is security-savvy.
- The same defect classes listed under code quality assurance (unterminated strings, indices out of bounds, memory leaks, back doors, stray pointers, faulty logic, privilege violations, race conditions, priority inversion, debug code, regressions, parameter reversal, uninitialized variables, deprecated versions, misconfiguration, incorrect permissions, improper type casts, unchecked function returns) are also the raw material of exploits, and "many eyes" only find the bugs they happen to be looking for.

THREATS RESISTANT TO COMMUNITY OVERSIGHT
Problems that upstream code review cannot catch, because they arise at deployment or outside the code:
- Use-case-specific errors; local misconfiguration; LAN-based vulnerabilities
- Deployed deprecated software versions
- Weak encryption; bad authentication; weak passwords; stolen credentials
- Viruses, Trojans and other malware; denial-of-service attacks; phishing
- Unenforced security policy
- Man-in-the-middle attacks; forged certificates; spoofed MAC and IP addresses
- Latent zero-day exploits; brute-force decryption

BLACK DUCK & OSS SECURITY: Open Source Logistics and Version-based OSS Hygiene

SECURITY TECHNOLOGIES
The landscape: intrusion detection; authentication; network security; encryption; end-point security; code quality tools; patch/update management; auditing & logging; hardware mechanisms; configuration management; policy enforcement; physical security; formal verification; certifiable systems; capabilities & access control; binary obfuscation.

BLACK DUCK OSS SECURITY: VULNERABILITY DETECTION AND REMEDIATION
The same technology landscape as the previous slide (intrusion detection, authentication, network security, encryption, end-point security, code quality tools, patch/update management, auditing & logging, hardware mechanisms, configuration management, policy enforcement, physical security, formal verification, certifiable systems, capabilities & access control, binary obfuscation). Black Duck's contribution, covered by the following slides, is vulnerability detection and remediation for open source components: knowing which components and versions are in the product and which of them carry known vulnerabilities.

AUTOMATE VISIBILITY AND CONTROL: OSS LOGISTICS
OSS logistics pipeline: Choose > Approve > Scan > Inventory > Secure > Deliver.

AUTOMATE VISIBILITY AND CONTROL: OSS LOGISTICS (with vulnerability feeds)
The same pipeline (Choose > Approve > Scan > Inventory > Secure > Deliver), with the Scan, Inventory and Secure steps fed by vulnerability databases: NVD, VulnDB, OSVDB. (OSVDB has since shut down, in 2016; NVD and commercial feeds such as VulnDB remain.) Matching is only as good as the inventory: a component you do not know you ship cannot be matched against any feed.

VERSION PROLIFERATION IN SOFTWARE STACKS
Diagram: an EIT or OEM deployment is value-added code on top of open source libraries etc., where up-to-date versions sit alongside version N-1, version N-2 and older copies.
Deprecated versions of OSS can contain:
- Bugs fixed later
- Security vulnerabilities
- Unneeded extra code, adding size and complexity
- Namespace conflicts
- Operational costs
OSS reality check: modern applications contain
- Millions of lines of code
- Thousands of OSS software components and 3rd-party code, often in multiple versions of each
- Multiple points of ingress: developers take code from multiple sources, not all of them reliable or up to date
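The Scan / Inventory / Secure steps of the logistics pipeline, and the version-proliferation check this slide argues for, as one added example that is not Black Duck code and not part of the original deck. It also covers the GHOST lesson above (knowing which glibc version is deployed). The inventory and the paths are constructed; the feed entries encode each advisory as a half-open range [introduced, fixed) of upstream versions, using the public ranges for Heartbleed, Shellshock (first fix, bash 4.3 patch 25) and GHOST. One caveat belongs in the lead-in and in the code: distributions backport fixes without changing the upstream version string, so a version match is a lead to confirm against vendor errata, not proof of exposure.

```python
"""Inventory-versus-feed matching for the scan / inventory / secure step.
Illustrative only, not Black Duck code. INVENTORY and FEED are constructed;
the feed encodes each advisory as a half-open range [introduced, fixed) of
upstream versions. Distributions backport fixes without changing the upstream
version string, so a match here is a lead to confirm against vendor errata."""
import re
from collections import defaultdict
from typing import Dict, List, Tuple


def parse_version(s: str) -> Tuple:
    """'1.0.1f' -> (1, 0, 1, 'f'). Numeric parts compare as integers, letter
    suffixes (OpenSSL style) lexically; enough for the upstream strings used
    here, not a full semver or RPM EVR comparator."""
    return tuple(int(p) if p.isdigit() else p for p in re.findall(r"\d+|[A-Za-z]+", s))


def is_affected(version: str, introduced: str, fixed: str) -> bool:
    """True when introduced <= version < fixed."""
    return parse_version(introduced) <= parse_version(version) < parse_version(fixed)


# Constructed inventory of one application stack: the same component in several
# versions, pulled in from different places (the proliferation the slide describes).
INVENTORY = [
    {"component": "openssl", "version": "1.0.1f", "path": "/usr/lib/libssl.so"},
    {"component": "openssl", "version": "1.0.1g", "path": "vendor/openssl"},
    {"component": "openssl", "version": "0.9.8y", "path": "third_party/sdk/libcrypto.a"},
    {"component": "glibc", "version": "2.17", "path": "/lib64/libc.so.6"},
    {"component": "bash", "version": "4.3.30", "path": "/bin/bash"},
    {"component": "zlib", "version": "1.2.8", "path": "/usr/lib/libz.so"},
]

# Constructed feed entries; the ranges follow the public advisories. For bash the
# fixed version is the first Shellshock patch (bash43-025); later CVEs needed more.
FEED = [
    {"cve": "CVE-2014-0160", "name": "Heartbleed", "component": "openssl", "introduced": "1.0.1", "fixed": "1.0.1g"},
    {"cve": "CVE-2014-6271", "name": "Shellshock", "component": "bash", "introduced": "1.14", "fixed": "4.3.25"},
    {"cve": "CVE-2015-0235", "name": "GHOST", "component": "glibc", "introduced": "2.2", "fixed": "2.18"},
]


def match_feed(inventory: List[Dict[str, str]], feed: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """Every (component, version, advisory) whose version falls in the affected range."""
    findings = []
    for item in inventory:
        for adv in feed:
            if adv["component"] == item["component"] and is_affected(item["version"], adv["introduced"], adv["fixed"]):
                findings.append({"component": item["component"], "version": item["version"],
                                 "path": item["path"], "cve": adv["cve"], "name": adv["name"],
                                 "remediation": "upgrade to " + adv["fixed"]
                                                + " or confirm a vendor build with the fix backported"})
    return findings


def version_proliferation(inventory: List[Dict[str, str]]) -> Dict[str, List[str]]:
    """Components present in more than one version, newest first. Everything after
    the first entry is an N-1, N-2 ... copy that adds attack surface for nothing."""
    versions = defaultdict(set)
    for item in inventory:
        versions[item["component"]].add(item["version"])
    return {name: sorted(vs, key=parse_version, reverse=True)
            for name, vs in versions.items() if len(vs) > 1}


if __name__ == "__main__":
    for f in match_feed(INVENTORY, FEED):
        print(f"{f['cve']} ({f['name']}): {f['component']} {f['version']} at {f['path']} -> {f['remediation']}")
    for name, vs in version_proliferation(INVENTORY).items():
        print(f"{name}: {len(vs)} versions present, keep {vs[0]}, remove {', '.join(vs[1:])}")
```

On the constructed stack this reports openssl 1.0.1f (Heartbleed) and glibc 2.17 (GHOST) as hits, clears bash 4.3.30 and the two other OpenSSL copies, and separately flags that three OpenSSL versions are shipped, including a 0.9.8 line that is not Heartbleed-affected only because it is too old to have the feature. Both findings types are why the deck pairs vulnerability feeds with an inventory step rather than relying on either alone.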

BLACK DUCK HELPS KEEP OPEN SOURCE SOFTWARE CONTENT UP TO DATE AND VULNERABILITY-FREE
Same stack diagram (EIT or OEM deployment, value-added code, open source libraries etc., up-to-date versions alongside version N-1 and N-2). Black Duck tools:
- Help enforce sourcing policies: licenses, versioning, security
- Eliminate version proliferation
- Identify deprecated software versions
- Keep software up to date
- Root out known and possible vulnerabilities

OSS CERTIFICATION CHALLENGES

OPEN SOURCE PLATFORMS: A CERTIFICATION CHALLENGE
- Linux and Android are too large and too dynamic to certify: the Linux kernel now tops 20 MLoC, while certification competency is below 15 KLoC.
- 200-500 additional packages (libs, utils, etc.), all moving targets.
- Certification regimes require a comprehensive specification; documentation does not exist at the requisite level.
- Alternative path: virtualization / separation kernels. Put Linux into a certifiable box: certify the small kernel that isolates it, not Linux itself.

PRODUCT LIFE CYCLE ALIGNMENT WITH OSS AND CERTIFICATION
Timeline: Project Launch > Code Freeze > Product Release > Maintenance (updates, etc.) > End of Life.
Pre-market: the OSS version frozen at code freeze, together with its OS, middleware (M/W), tools, docs and security updates, is what gets certified.
After release: each new OSS version taken in during maintenance (again with its OS, M/W, tools, docs and security updates) has to be re-certified, so every platform upgrade is also a certification event.

COMMERCIAL (3RD PARTY) SERVICES TO SUPPORT DEVICE CERTIFICATION
What is available to you?
- Dedicated consulting practices: security analysis, certification services
- Artifact generation: storyboarding, benchmarking, requirements capture
- Design for verification and validation: safety, security and standards compliance
- Development process review and risk planning
- Vulnerability analysis for software and hardware architectures
- On-going security alerts and remediation

TECHNOLOGY STRATEGY RECOMMENDATIONS
Choose the embedded OSS platform carefully:
- Be wary of the informal supply of embedded Linux and Android by semiconductor manufacturers (vendor kernels and board support packages that may not track upstream fixes).
- Consider working with commercial platform providers to gain access to services targeted at medical OEMs.
Treat embedded Linux as a COTS software base:
- Establish formal ingestion procedures.
- Maintain platform code in isolation from value-added apps and other Gambro-specific software.
Certification-specific concerns:
- Anticipate challenges and levels of concern by building the artifact base around the Linux platform early in the life cycle.
- Construct or acquire secondary documentation, a test plan and a test harness to facilitate traceability.

MIGRATION RESOURCE: VIRTUALIZATION
Rehost legacy apps and their OS as a guest in a virtual machine.
Options:
- Type 1 hypervisor (bare metal)
- Native Linux containers (LXC)
- Commercial products: General Dynamics Broadband (OK Labs), Green Hills (Padded Cell), Red Bend (VirtualLogix), VMware, Wind River, et al.
Strengths: no porting, the existing certification is retained, and the trusted computing base (TCB) to certify is smaller.
Weaknesses: still requires the legacy RTOS, stack and support; note that containers share the host kernel, so LXC isolates far less than a hypervisor does.

Q & A