Open Software and Trust: Better Than Free?
April 28, 2015
Start Time: 9am US Pacific / 12 noon US Eastern / 5pm London Time

Sponsored by: VERACODE
#ISSAWebConf

Welcome
Conference Moderator: Phillip Griffin, CISM, ISSA Fellow, and ISSA Educational Advisory Council Member
April 28, 2015
Start Time: 9am US Pacific / 12pm US Eastern / 5pm London Time

Speaker Introduction
Mark Kadrich, Chief Information Security & Privacy Officer, San Diego Health Connect
Tim Jarrett, Director, Enterprise Security Strategy, Veracode
Remember to type your question in the Chat area of your screen. You may need to click on the double arrows to open this function.
Open Software and Trust: Better than Free?
Mark Kadrich, Chief Information Security & Privacy Officer, San Diego Health Connect

Another Model
Medical TV Shows
  Medical Procedures
  Advice
  Advised by experts
  Popularity waning but still viewed by millions!
Legal TV Shows
  Courtroom Procedures
  Legal Descriptions of Crimes
  Forensic Investigations
  Advised by experts

Some Medical Numbers
Grey's Anatomy (4.5): 5.85 Million Viewers!
  Discusses and depicts medical procedures every week
  Dr. Allan Hamilton, Neurosurgeon and Medical Advisor
Doctor Oz (1.6): 2.08 Million Viewers!
  Viewer Rating of 7.2! (People LOVE him)
  Medical advice by a doctor!
  Some issues but people STILL watch
  Sharing of information via social networks

Some Legal Numbers
Law & Order Franchise (1.64)
NCIS Franchise (2.48 + 2.13 + 1.63)
CSI Franchise (1.5 + 1.29)
HOLY COW BATMAN, OVER 20 MILLION VIEWERS!
Some Statistics
18.5* Million software developers in the world
  11 Million are professionals
  7.5 Million are hobbyists
7.7 Million Physicians in the world
  7.7 Million are professionals
  0.0 Million are hobbyists
1.3 Million Lawyers in the US ALONE
  1 Million are active
  Unknown how many hobbyist lawyers there are... a man who is his own lawyer has a fool for a client...
*TechRepublic

Why This is Important
Because you have...
  Good, Fast Coders
  Good, Slow Coders
  Bad, Fast Coders
  Bad, Slow Coders
Where do you think the largest population of coders is?

Argument for Open Source Security
Many eyes looking at code
Open nature of code means better security
Obfuscation isn't a good security plan

Open Means Free Range
No guarantee of security tools
No assurance of review
No agreed-upon metrics
No measurable level of quality

Closed Code Statistics
85% of bugs removed from code before release
Average is 15-50 errors per KLOC
MS has reduced this to 10-20 per KLOC in-house
MS has further reduced this to 0.5 per KLOC
Linux has 10M LOC, or potentially 5000 errors...

It's About Trust
To really trust code you must have a rigorous testing and validation methodology
Shuttle code had ZERO errors in 500,000 lines of code.
"Harlan Mills pioneered 'cleanroom development', a technique that has been able to achieve rates as low as 3 defects per 1000 lines of code during in-house testing and 0.1 defect per 1000 lines of code in released product (Cobb and Mills 1990). A few projects - for example, the space shuttle software - have achieved a level of 0 defects in 500,000 lines of code using a system of formal development methods, peer reviews, and statistical testing."
Thank You!
Mark Kadrich, Chief Information Security & Privacy Officer, San Diego Health Connect

Question and Answer
Mark S. Kadrich, CISO & Privacy Officer, San Diego Health Connect
To ask a question, type your question in the Chat area of your screen. You may need to click on the double arrows to open this function.
#ISSAWebConf

Thank you!
Mark S. Kadrich, CISO & Privacy Officer, San Diego Health Connect
Open Software and Trust: Better Than Free?
Tim Jarrett, Director, Enterprise Security Strategy, VERACODE
#ISSAWebConf

2014: The year of open software bugs

Heartbleed
Remotely exploitable information leak vulnerability in OpenSSL
Allows attackers to steal credentials, private keys, emails, and other sensitive data
Web applications provide the critical attack vector, but it could be on any system
Observed frequency: 1 in 3600 web sites
About 34% of organizations tested had at least one vulnerable site

Shellshock
Remotely exploitable application-layer vulnerability in Bash
Allows attackers to run arbitrary code on the target system (totally controlling it)
Web applications provide the critical attack vector, but it could be on any system
Observed frequency: 1 in 450 web applications

For context: Vulnerability Prevalence (percentage of scanned applications affected)
  Heartbleed      0.03%
  Shellshock      0.22%
  SQL Injection   5.65%
SQL Injection prevalence data source: Veracode dynamic scan data, authenticated and unauthenticated scans, 2014

So why are these bugs such a big deal???
Chosen attack = (Likelihood of success x Reward) / Effort
Why doesn't my antivirus or source code scanner catch this?
Antivirus: Because these aren't malicious programs, they're parts of programs you (and your organization) use every day. And there's no signature you can scan for.
Source code scanner: Because these vulnerabilities are generally in compiled libraries that your developers include and don't have source for.

Successful approaches
Web vulnerability scanning
Software composition analysis
Static analysis
Web vulnerability scanning
Uses web scanning (making browsing requests, filling out forms) to find known vulnerabilities
Example products: Qualys, Veracode
Benefits
  Requires no developer involvement
  Looks for component vulnerabilities the same way they'll be exploited
  Server-side or app vulns
Drawbacks
  Imprecise identification of vulnerable components; must use per-vulnerability attacks
  Requires good crawling

Software composition analysis
Enumerates the known components used by applications
Associates them with vulnerability data
Example products: Sonatype, Veracode
Benefits
  Comprehensive application coverage
  Generates an inventory that can be mined when new vulnerabilities appear
Drawbacks
  Requires development team involvement
  Doesn't help for some vulnerabilities (e.g. Shellshock) that leverage components on the server

Static analysis
Fully models all the paths of the application
Looks for poor coding practices that can be exploited
Example products: HP Fortify, Veracode
Benefits
  Comprehensive application coverage
  Best way to find unsafe coding practices that enable exploitation of a server component vuln
Drawbacks
  Requires development team involvement (usually)
  Only good for some types of vulns (would miss Heartbleed)
A scan is not enough
Inventory: What components are my applications using?
Policy: How do Security and development manage component security issues?
Program: How does Security roll out the new standards to the organization?
Plan: How will you respond when the next Heartbleed is found?
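The software composition analysis slide and the "Inventory" and "Plan" questions above describe one mechanism: enumerate the components an application declares, keep that inventory, and match it against vulnerability data whenever new advisories appear. The following Python is an added example of that mechanism written for this page; it is not code from the slides, from Veracode or from Sonatype. It assumes a pip-style requirements manifest, and the manifest contents, component versions and ADV-EXAMPLE-* advisory ids are all constructed placeholders.

```python
"""
Minimal software composition analysis (SCA) check: build a component
inventory from a dependency manifest and match it against an advisory feed.
Added example for illustration; not Veracode or Sonatype code. The manifest,
the advisory feed, the versions and the advisory ids are all constructed.
"""
import re

# Constructed dependency manifest in pip "requirements" style (name==version).
MANIFEST = """
# web service dependencies (constructed sample)
requests==2.2.1
PyYAML==3.10
flask==0.10.1
"""

# Constructed advisory feed. Each entry is
# (component, first affected version, first fixed version, advisory id);
# a version v is affected when introduced <= v < fixed.
# The ADV-EXAMPLE-* ids are placeholders, not real advisories.
ADVISORIES = [
    ("requests", "0.0", "2.3.0", "ADV-EXAMPLE-0001"),
    ("pyyaml", "0.0", "4.1", "ADV-EXAMPLE-0002"),
    ("flask", "0.12", "0.12.3", "ADV-EXAMPLE-0003"),  # 0.10.1 is below the affected range
]


def parse_version(version: str) -> tuple:
    """Split '2.2.1' into (2, 2, 1) so versions compare numerically.
    Comparing the raw strings would wrongly rank '3.10' below '3.9'."""
    return tuple(int(part) for part in re.findall(r"\d+", version))


def parse_manifest(text: str) -> dict:
    """Build the component inventory {name: version} from name==version lines.
    Comments and blank lines are skipped. An unpinned dependency is rejected:
    without an exact version there is nothing to match an advisory against.
    Note the inventory only covers what developers declare; server-side
    components such as Bash (Shellshock) never appear in it."""
    inventory = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        match = re.fullmatch(r"([A-Za-z0-9_.\-]+)==([0-9][0-9.]*)", line)
        if match is None:
            raise ValueError(f"unpinned or unparseable dependency: {line!r}")
        inventory[match.group(1).lower()] = match.group(2)
    return inventory


def is_affected(version: str, introduced: str, fixed: str) -> bool:
    """True when introduced <= version < fixed under numeric comparison."""
    v = parse_version(version)
    return parse_version(introduced) <= v < parse_version(fixed)


def find_vulnerable(inventory: dict, advisories: list) -> list:
    """Match the inventory against the advisory feed.
    Returns sorted (component, installed version, advisory id, fixed version)
    tuples; re-running this with an updated feed is the "mine the inventory
    when new vulnerabilities appear" step from the slides."""
    findings = []
    for component, introduced, fixed, advisory_id in advisories:
        installed = inventory.get(component)
        if installed is not None and is_affected(installed, introduced, fixed):
            findings.append((component, installed, advisory_id, fixed))
    return sorted(findings)


if __name__ == "__main__":
    inv = parse_manifest(MANIFEST)
    for component, installed, advisory_id, fixed in find_vulnerable(inv, ADVISORIES):
        print(f"{component} {installed}: {advisory_id}, upgrade to >= {fixed}")
```

Run as a script it reports the two constructed components whose pinned versions fall inside an advisory's affected range and leaves flask alone. The inventory is the durable artifact: when the next advisory is published, the response plan is to append it to the feed and re-run the match rather than re-survey every application.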
THANK YOU
Twitter: @tojarrett

Thank You
Tim Jarrett, Director, Enterprise Security Strategy, VERACODE
Twitter: @tojarrett

Question and Answer
Tim Jarrett, Director, Enterprise Security Strategy, VERACODE
Twitter: @tojarrett
To ask a question, type your question in the Chat area of your screen. You may need to click on the double arrows to open this function.

Thank you!
Tim Jarrett, Director, Enterprise Security Strategy, VERACODE

Open Panel with Audience Q&A
Mark Kadrich, Chief Information Security & Privacy Officer, San Diego Health Connect
Tim Jarrett, Director, Enterprise Security Strategy, VERACODE
To ask a question, type your question in the Chat area of your screen. You may need to click on the double arrows to open this function.
#ISSAWebConf

Closing Remarks
I would like to thank Mark and Tim for lending their time and expertise to this ISSA Educational Program. Thank you to VERACODE for sponsoring this webinar. Thank you Citrix for donating the Webcast service.
#ISSAWebConf

CPE Credit
Within 24 hours of the conclusion of this webcast, you will receive a link via email to a post-Web Conference quiz. After the successful completion of the quiz you will be given an opportunity to PRINT a certificate of attendance to use for the submission of CPE credits.
On-Demand Viewers Quiz Link: http://www.surveygizmo.com/s3/2119251/issa-web-Conference-April-28-2015-Open-Software-and-Trust-Better-Than-Free
#ISSAWebConf