REDUCE YOUR OPEN SOURCE SECURITY RISK: STRATEGIES, TACTICS, AND TOOLS

Similar documents
Four strategies to reduce your open source risk

Open Source Policy Builder

Table of contents. Best practices in open source governance. Managing the selection and proliferation of open source software across your enterprise

TOP 3 STRATEGIES TO REDUCE RISK IN AUTOMOTIVE/IN-VEHICLE SOFTWARE DEVELOPMENT

FFIEC Cybersecurity Assessment Tool

Coverity White Paper. Reduce Your Costs: Eliminate Critical Security Vulnerabilities with Development Testing

Adopting Agile Testing

WhiteHat Security White Paper. Top 11 PCI DSS 3.0 Changes That Will Affect Your Application Security Program

CYBER4SIGHT TM THREAT INTELLIGENCE SERVICES ANTICIPATORY AND ACTIONABLE INTELLIGENCE TO FIGHT ADVANCED CYBER THREATS

Are You Ready for PCI 3.1?

Cyber4sight TM Threat. Anticipatory and Actionable Intelligence to Fight Advanced Cyber Threats

Meister Going Beyond Maven

Using Metrics to Manage Your Application Security Program

Prevent cyber attacks. SEE. what you are missing. Netw rk Infrastructure Security Management

Prevent cyber attacks. SEE. what you are missing. Netw rk Infrastructure Security Management

5 Traits of Companies Successfully Preventing Fraud and How to Apply Them in Your Business. An IDology, Inc. Whitepaper

HiSoftware Policy Sheriff. SP HiSoftware Security Sheriff SP. Content-aware. Compliance and Security Solutions for. Microsoft SharePoint

Getting a head start in Software Asset Management

case study Coverity Maintains Software Integrity of Sun Microsystems Award-Winning Storage Products

LexisOne. LexisOne. Powered by Microsoft Dynamics AX EnterpriseSolutions

SecureGRC TM - Cloud based SaaS

How To Monitor Your Entire It Environment

3 keys to effective service availability management. Visibility. Proactivity. Collaboration.

Application Security 101. A primer on Application Security best practices

Why a single source for assets should be. the backbone of all your digital activities

White Paper. Automating Your Code Review: Moving to a SaaS Model for Application Security

White Paper. Guide to PCI Application Security Compliance for Merchants and Service Providers

ENJOYING OPEN SOURCE WITHOUT COMPROMISING BUSINESS. Dr. Ron Rymon Founder, White Source Software

SEO MADE SIMPLE. 5th Edition. Insider Secrets For Driving More Traffic To Your Website Instantly DOWNLOAD THE FULL VERSION HERE

The Essential Guide to: Risk Post IPO

FIREWALL CLEANUP WHITE PAPER

Industrial Cyber Security Risk Manager. Proactively Monitor, Measure and Manage Industrial Cyber Security Risk

Minimizing code defects to improve software quality and lower development costs.

Reliable Business Data Implementing A Successful Data Governance Strategy with Enterprise Modeling Standards

RECORDS MANAGEMENT RECORDS MANAGEMENT SERVICES. Cost-Effective, Legally Defensible Records Management

Several recent surveys have shown that

IT Risk Management: Guide to Software Risk Assessments and Audits

CDM Vulnerability Management (VUL) Capability

Physicians are fond of saying Treat the problem, not the symptom. The same is true for Information Technology.

Free yourself from the monsters of payroll

Cloud Infrastructure Security Management

WHITEPAPER. The Companion Guide to FINRA/SEC Social Networking Compliance

Procuring Penetration Testing Services

FTP is Free, but Can You Really Afford It?

Information Security Services

DISCOVERING AND SECURING SENSITIVE DATA IN HADOOP DATA STORES

Is Penetration Testing recommended for Industrial Control Systems?

WHITE PAPER. Mitigate BPO Security Issues

Realize That Big Security Data Is Not Big Security Nor Big Intelligence

Copyright 2008, 2009, 2010 IMP Solutions Group Adobe, Adobe LiveCycle and Adobe LiveCycle ES are registered trademarks of Adobe.

How Software Asset Management Enables Businesses to Meet Sarbanes-Oxley Requirements

Elevating the Customer Experience in the Mobile World

ISO/IEC 27001:2013 Your implementation guide

eguide: Designing a Continuous Response Architecture Executive s Guide to Windows Server 2003 End of Life

Introduction. ¹The rise of the digital bank, McKinsey & Company, (July 2014)

THE FUTURE OF MOBILE PAYMENTS

Process Solutions. Staying Ahead of Today s Cyber Threats. White Paper

Average producers can easily increase their production in a larger office with more market share.

CONTINUOUS DIAGNOSTICS BEGINS WITH REDSEAL

Web Security Everything we know is wrong

Active Network Defense: Real time Network Situational Awareness and a Single Source of Integrated, Comprehensive Network Knowledge

Parenting a College Student ARCS. arts.kennesaw.edu/arcs

SCHEME AND SERVICE INFORMATION

Whitepaper. How to Implement a Strong BYOD Policy. BYOD on the Rise - But with Challenges

SECURITY FIRST: CLARITY ON PCI COMPLIANCE

Faxing: A Healthcare Disaster. 10 Ways Faxing is Holding Back Your Business

Enterprise Security Tactical Plan

THE SECURITY EXPOSURE

The 2014 Ultimate Career Guide

All of these circumstances indicate that the world of tomorrow is as different as today s water utility business is from that of yesteryear.

Vendor Credentialing as a Corporate Function; What You Don t Know Can Hurt You

WHITE PAPER: STRATEGIC IMPACT PILLARS FOR EFFICIENT MIGRATION TO CLOUD COMPUTING IN GOVERNMENT

BUYER S GUIDE. The Unified Communications Buyer s Guide to Picking the Right Cloud Telephony Solution

EFFECTIVE STRATEGIC PLANNING IN MODERN INFORMATION AGE ORGANIZATIONS

Achieving PCI DSS Compliance Through Outsourcing: Where to begin?

Embracing Microsoft Vista for Enhanced Network Security

GETTING THE BIGGEST BANG FOR YOUR SOURCE CODE ANALYSIS BUCK

Who, What, Where, How: Five Big Questions in Mobile Security

How To Manage A Network Security Risk

FREQUENTLY ASKED QUESTIONS. Oracle Applications Strategy

A Strategic Approach to Web Application Security The importance of a secure software development lifecycle

YOUR TRUSTED PARTNER IN A DIGITAL AGE. A guide to Hiscox Cyber and Data Insurance

Research Investments in Large Indian Software Companies

Business Opportunity Enablement through Information Security Compliance

ITIL, the CMS, and You BEST PRACTICES WHITE PAPER

IT Asset Inventory and Outsourcing: The Value of Visibility

Application Security Center overview

Mastering your supply spend

Digital Signatures in the Legal Market:

5 Steps to Implement & Maintain PCI DSS Compliance.

ADDING NETWORK INTELLIGENCE TO VULNERABILITY MANAGEMENT

YOUR HIPAA RISK ANALYSIS IN FIVE STEPS

Strengthen security with intelligent identity and access management

University of Alberta Business Alumni Association Alumni Mentorship Program

Best-Selling Sites: What Your Website and a Great Book Should Have in Common

Table of Contents. Technical paper Open source comes of age for ERP customers

Managing Your Career Tips and Tools for Self-Reflection

Closing the Business Analysis Skills Gap

No More Disks. No More Data. No More Doubt. Goodbye Disks. Goodbye Doubt.

PCI Data Security Standards (DSS)

Transcription:

REDUCE YOUR OPEN SOURCE SECURITY RISK: STRATEGIES, TACTICS, AND TOOLS

Open source security must be a priority While there s no doubt that open source software (OSS) is here to stay, that doesn t mean that developers can feel free to use all and any open source software components with no thought to the vulnerabilities and security issues they may introduce into their development projects. The fact is, there s no such thing as bulletproof, bug-free, automatically license compliant, and easily auditable software. Not in the open source world and not in the commercial off the shelf (COTS) world. 2

While IT systems have become ubiquitous in virtually every aspect of business operations and consumer behavior and lifestyles, the productivity, innovation, economic impact, and convenience imparted by these systems don t come without risks. We see these risks everyday in news reports of data breaches, first hand experience with systems that falter or fail, leading to frustration, reduced productivity, customer defections, and more. So, it s incumbent on developers, project team leaders, IT managers, CIOs, line of business owners, all the way up to C-level executives to ensure that there are sound strategies and tactics in place to make it easy to acquire, distribute, use, monitor, analyze, and keep track of open source software to reduce the risk of vulnerable and buggy software and applications to an absolute minimum. CHALLENGES ABOUND Consider these statistics that illustrate the sources and breadth of the challenges facing open source developers: Applications are the number one attack vector leading to breaches. 90 percent of typical applications comprise open source components. Some 11 million developers worldwide make 13 billion open source requests each year. 46 million vulnerable open source components are downloaded each year. 76 percent of organizations using open source don t have meaningful controls over what components go into their applications. Only 20 percent of developers say they have to prove they re using secure open source components. While organizations may screen for common vulnerabilities and exposures (CVEs) as open source code comes in the door, only about 20 percent track vulnerabilities over time. Only 56 percent of organizations say they have open source policies in place. But less than 70 percent say they follow their own policies. 77 percent of organizations surveyed say they ve never banned a component. 31 percent of organizations suspect (not know, but suspect) they ve experienced a breach attributable to an OSS component. 51 percent of organizations aren t concerned about license risk. Keep in mind that most open source software is created to fill a technical gap and is delivered as is. Security is rarely top of mind in the development process. There are many more hair-raising statistics that could be listed, but these should make the point that most organizations are sorely in need of well-conceived and defined strategies and tactics to enable them to manage the security risks inherent in using OSS. Still, in spite of these and other risks, OSS adoption by companies and developers continues to grow year on year, owing to the competitive features and technical capabilities it provides, its ability to accelerate development and time to market, and of course, its ability to reduce costs. There s often also a general assumption that with so many individuals involved in the development of OSS components, it must necessarily be very well vetted and quite secure. In a way, OSS has over time engendered a level of brand trust, similar to or greater than the trust accorded to COTS brands. 3

ASK QUESTIONS You may already be concerned about the security of OSS, perhaps prompted by a first-hand experience with flaws and vulnerabilities that have created migraine-inducing headaches for you and your business. If not, consider yourself lucky, but not off the hook. Ask yourself a few questions to assess your potential risk and liabilities. For instance: Does your organization have an OSS policy in place and in use to enable you to manage, track, test, and update OSS? Do you know what OSS is present and in use in your organization? How do you stay on top of new vulnerabilities as they are discovered and reported? Do you know if you are in compliance with OSS license terms and conditions? Does your organization have a system in place to communicate information about CVEs to the pertinent stakeholders? If you ve answered no to any of these questions, the only comfort you can take is that you re not alone. Of course, that doesn t solve the problem. So, what to do? QUALITY AND PEACE OF MIND LIE IN SOUND STRATEGY AND TACTICS Every organization employing OSS must have an open source management strategy in place that articulates the challenges presented by OSS and the organization s objectives in terms of usage, reliability, and security. That strategy must be executed through the development and diligent implementation of tactics that enable and enforce OSS acquisition, tracking, monitoring, and analysis best practices. Wondering where and how to begin? Following are six straightforward tactics that significantly reduce your OSS risks. Create OSS policies If your organization is committed to reducing the risk associated with using OSS, you must create policies that define and communicate usage rules and guidelines. Based on the combined knowledge of the stakeholders in this process regarding the various OSS components in use across your organization, you can begin with a simple process of categorizing those components into black, white, and grey lists. According to this simple scheme, components on the black list would be banned. Those on the white list would be pre-approved. And those on the grey list would require review in order to determine approval. These initial lists will get you started, but, this is not a one-time process. As additional OSS components are identified in your enterprise, and as new components become available, they ll have to be categorized. Once this process is established, you may want to add another category: conditional usage approval. For instance, you might stipulate that Bouncy Castle Cryptos is approved for use only if you use version X.5 and above. Defining conditional usage can grow complex over time, so it s very important that you be crisp and clear in the language you employ to communicate such usage. 4

While providing clear guidelines for the use of all aspects of OSS, your open source management policies should also contain provisions that make it the responsibility of each developer to comply with the policies by tracking, recording, monitoring, and updating OSS usage. For policies to be effective, they must be living, evolving things. Create an OSS acquisition process The next tactic to help you reduce your OSS risk profile is to create a process that defines how developers may acquire OSS. This tactic addresses the difference between can and may. Anyone can easily download or otherwise import OSS components from a plethora of sources. The point here is to manage how developers may acquire OSS and incorporate it in their work. While there are several ways to approach this, the best approach is to create a formal approval process that requires developers to formally request the use of a particular component that is not already white listed per your OSS policy. At a minimum, an effective approval process should require the developer to identify him/ herself, describe the component being requested and detail how, when, and where the component will be used. If for some reason, such a request for approval process seems too onerous for your organization, you might employ a declaration process in which developers, as they download the OSS in question, tag it with the same basic who, what, where, when, and how information described above. Those declarations could then go into a tracking database (to be discussed shortly) so that there is at least a clear record of the acquisition and intended use. This process could be further minimized by simply requiring developers to email the same information to their management teams. While the first method seems clearly the best, the most important thing is to agree on a method that will be used. Thus, the inclusion of the less formal alternatives. In determining what approach to take to managing the acquisition of OSS, you also need to create a list of key stakeholders to whom the acquisition request and associated information is communicated. In considering who should be on this list, include developers, project team managers, line of business managers, legal departments, and others who might be affected in the event of a subsequent problem. Managing provisioning The acquisition approval process naturally leads to the issues of where the OSS will be acquired and how it will be distributed across your enterprise. To address this issue, it s recommended that your organization build a centralized, internal repository for approved components. Many organizations have already done this and it works. Once an organization creates a library of open source components it wants its developers to use and reuse, it s gone a long way toward enhancing the security and reliability of its code. In the absence of creating such a centralized repository, some organizations have chosen to rely upon and use approved, external repositories such as those established and maintained by groups including Maven Central, OpenLogic, The Apache Software Foundation, and the Eclipse Software Foundation. Using these sources provides a level of confidence that the OSS available through them has been vetted for reliability and security. 5

Beyond these two approaches, things can get risky. A lot of OSS is available through blogs and forums, which while readily and easily available, may enter your organization with some rude surprises. Returning to the recommendation that you build your own repository, here are a few more recommendations: In addition to populating your repository with approved OSS components, consider including the metadata associated with those components. So, for instance, if a developer wants to use a particular Apache plug-in, he can view the metadata that might say our security team has reviewed this and you have to use version 2.7 or higher. As you build your repository, consider building in functionality that will allow you to reach out and query the National Vulnerability Database (NVD), for example, and let you store the information contained there alongside the metadata you ve already stored in your repository. Finally, and this refers back to the creation of your OSS policies, you should have a process in place that checks to ensure that all components stored in your repository have met your organization s criteria for security. Tracking usage Up to this point, tactics have focused on processes and activities designed to minimize the chance that flawed, buggy, vulnerable OSS components find their way into your organization, projects, and products. Equally important is the fact that when a security issue arises, you need a way to identify what open source components you have in place and where they are being used in order to rapidly remediate the issue. Tracking that kind of information manually would be difficult enough if your organization and its employees were never changing. But the fact is that project teams change, employees come and go, and all of this throws a wrench into orderly knowledge transfer. When a problem arises be it a malware issue, a compliance issue, or a patent issue a tracking database can prove invaluable. You simply cannot rely on individual human recall, particularly if the individual who might have the answer is no longer working at your organization. The goal in tracking open source usage is to provide a mechanism you can tap in the event of a security issue to find out what OSS you have, where it is, and how it is being used. You want to know how it s been modified over time. You want to know who the project owner is. You may also, for example in a merger or acquisition situation, need proof that your organization has complied with the appropriate licenses. When a situation arises there are always more questions to be answered than any person or group of people can answer off the top of their heads. In the case of OSS, this is made even more complex when you consider that a substantial percentage of OSS downloaded today contains additional open source components, each of which may have security issues or be licensed differently. So you need to create a tracking system that tracks the who, what, where, and how of your OSS usage plus other attributes that may be uniquely important to your organization. This is a daunting task to be sure, but there are tools, such as Rogue Wave Klocwork, that detect security, safety, and reliability issues in real-time by using static code analysis and provide actionable reporting functionality to produce answers quickly. 6

Ongoing monitoring and analyzing Ensuring the efficacy of your open source management strategy and supporting tactics requires an ongoing commitment on the part of your organization and each individual involved in open source development. Once you ve created policies to govern your organization s use of OSS, and developed processes and mechanisms to manage OSS acquisition, provisioning and tracking, you must continue to monitor OSS updates for updates and security issues. You must also proactively analyze your OSS code, scanning for security flaws. In the case of monitoring, that means: Developing and tracking sources for security information, such as the NVD, Open Source Vulnerability Database (OSVDB), and other established, reliable sources. Determining how you will monitor updates (i.e. what tools you ll use). Deciding how often you ll monitor based on business critical usage factors that you ll determine. Tasking this responsibility to an in-house owner or to a trusted outsourced service provider. In the case of analyzing your OSS code, that means: Proactively scanning all code for security flaws (rather than waiting for problems to occur). Automating issue discovery through the use of static code analysis tools to ensure process efficiency. Distinguishing between real risks as opposed to typing errors risks such as buffer overflows, memory leaks, uninitialized data, string taint, and process/os specific flaws. Ensuring compliance with security standards (such as CWE, OWASP, CERT, and DISA). This brings the tactical approach described here full circle back to the key objective of your open source management strategy to reduce the risks associated with using OSS to the greatest extent possible in order to fully and uninterruptedly realize the many benefits of employing OSS. DON T PANIC. HELP IS AVAILABLE. Creating an open source management strategy and executing the tactics described in this document require time, effort, and consistent participation of stakeholders. It takes a lot of work. The good news is that there are many tools on the market that can help make the process easier. For more information on how you can reduce your open source risk, feel free to visit the OpenLogic website or email us at info@openlogic.com. 7

Rogue Wave Software provides software development tools for mission-critical applications. Our trusted solutions address the growing complexity of building great software and accelerate the value gained from code across the enterprise. The Rogue Wave portfolio of complementary, cross-platform tools helps developers quickly build applications for strategic software initiatives. With Rogue Wave, customers improve software quality and ensure code integrity, while shortening development cycle times. 2014 Rogue Wave Software, Inc. All rights reserved.

2024 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information