OPEN SOURCE SECURITY ANALYSIS The State of Open Source Security in Commercial Applications

Similar documents
BUILDING APPLICATION SECURITY INTO PRODUCTION CONTAINER ENVIRONMENTS Informed by the National Institute of Standards and Technology

SECURING DOCKER: What You Need to Know

THE REAL ROOT CAUSES OF BREACHES. Security and IT Pros at Odds Over AppSec

A GUIDE TO CYBERSECURITY METRICS YOUR VENDORS (AND YOU) SHOULD BE WATCHING

eguide: Designing a Continuous Response Architecture 5 Steps to Reduce the Complexity of PCI Security Assessments

NEXUS FIREWALL QUALITY AT VELOCITY

Advanced Threat Defense Certification Testing Report. Symantec Corporation Symantec Advanced Threat Protection

CyberArk Privileged Threat Analytics

Fortinet, Inc. Advanced Threat Protection Solution

EFFECTIVE VULNERABILITY MANAGEMENT USING QUALYSGUARD 1

Threat Centric Vulnerability Management

Thanks for attending this session on April 6 th, 2016 If you have any question, please contact Jim at

THE IMPACT OF SECURITY ON APPLICATION DEVELOPMENT. August prevoty.com. August 2015

Sun Tzu Meets the Cloud Everything Is Different Nothing Has Changed

Carbon Black PCI Compliance Mapping Checklist

See What You ve Been Missing

How to construct a sustainable vulnerability management program

Building Secure Systems

Continuously Discover and Eliminate Security Risk in Production Apps

Using Threat Analytics to Protect Privileged Access and Prevent Breaches

NERC CIP VERSION 6 BACKGROUND COMPLIANCE HIGHLIGHTS

8 Must Have. Features for Risk-Based Vulnerability Management and More

OWASP Top 10 The Ten Most Critical Web Application Security Risks

Whitepaper. Advanced Threat Hunting with Carbon Black Enterprise Response

Five Essential Capabilities for Airtight Cloud Security

Enhancing the Cybersecurity of Federal Information and Assets through CSIP

The SANS Institute Top 20 Critical Security Controls. Compliance Guide

Securing Dynamic Data Centers. Muhammad Wajahat Rajab, Pre-Sales Consultant Trend Micro, Pakistan &

10 FOCUS AREAS FOR BREACH PREVENTION

74% 2014 SIEM Efficiency Report. Hunting out IT changes with SIEM

MOVE BEYOND GPO FOR NEXT-LEVEL PRIVILEGE MANAGEMENT

Synology Security Whitepaper

THE THREE WAYS OF SECURITY. Jeff Williams Co-founder and CTO Contrast Security

Roadmap to the Efficient Cloud: 3 Checkpoints for the Modern Enterprise

Evolution of a Phish That Got Through the Net[work]

Secure access to your enterprise. Enforce risk-based conditional access in real time

Transforming Security from Defense in Depth to Comprehensive Security Assurance

Quantifying the Value of Firewall Management

External Supplier Control Obligations. Cyber Security

Reinvent Your 2013 Security Management Strategy

Symantec Cloud Workload Protection

DDoS MITIGATION BEST PRACTICES

Data locations. For our hosted(saas) solution the servers are located in Dallas(USA), London(UK), Sydney(Australia) and Frankfurt(Germany).

ENDPOINT SECURITY WHITE PAPER. Endpoint Security and the Case For Automated Sandboxing

Privileged Account Security: A Balanced Approach to Securing Unix Environments

Exposing The Misuse of The Foundation of Online Security

ISO COMPLIANCE GUIDE. How Rapid7 Can Help You Achieve Compliance with ISO 27002

EXECUTIVE REPORT ADOBE SYSTEMS, INC. COLDFUSION SECURITY ASSESSMENT

Update on HIPAA Administration and Enforcement. Marissa Gordon-Nguyen, JD, MPH October 7, 2016

Traditional Security Solutions Have Reached Their Limit

Cyber security tips and self-assessment for business

NETWORK AND CERTIFICATE SYSTEM SECURITY REQUIREMENTS

Gaps in Resources, Risk and Visibility Weaken Cybersecurity Posture

IPLocks Vulnerability Assessment: A Database Assessment Solution

Tripwire State of Container Security Report

SOLUTION BRIEF RSA NETWITNESS SUITE 3X THE IMPACT WITH YOUR EXISTING SECURITY TEAM

whitepaper How to Measure, Report On, and Actually Reduce Vulnerability Risk

10 Hidden IT Risks That Might Threaten Your Business

USING QUALYSGUARD TO MEET SOX COMPLIANCE & IT CONTROL OBJECTIVES

A Passage to Penetration Testing!

Cybersecurity Today Avoid Becoming a News Headline

Cyber Security in M&A. Joshua Stone, CIA, CFE, CISA

IT & DATA SECURITY BREACH PREVENTION

THE CYBERSECURITY LITERACY CONFIDENCE GAP

Computer Security: Cyber Essentials KAMI VANIEA 1

Tips for Effective Patch Management. A Wanstor Guide

THALES DATA THREAT REPORT

PCI DSS. Compliance and Validation Guide VERSION PCI DSS. Compliance and Validation Guide

McAfee Total Protection for Data Loss Prevention

Protecting Against Modern Attacks. Protection Against Modern Attack Vectors

The checklist is dynamic, not exhaustive, and will be updated regularly. If you have any suggestions or comments, we would like to hear from you.

Security and Compliance Powered by the Cloud. Ben Friedman / Strategic Accounts Director /

Discover threats quickly, remediate immediately, and mitigate the impact of malware and breaches

Mastering The Endpoint

Information Security Incident Response Plan

Security in a Mainframe Emulator. Chaining Security Vulnerabilities Until Disaster Strikes (twice) Author Tim Thurlings & Meiyer Goren

DDoS: Evolving Threats, Solutions FEATURING: Carlos Morales of Arbor Networks Offers New Strategies INTERVIEW TRANSCRIPT

Device Discovery for Vulnerability Assessment: Automating the Handoff

Skybox Security Vulnerability Management Survey 2012

Advanced Threat Defense Certification Testing Report. Trend Micro Incorporated Trend Micro Deep Discovery Inspector

Adopting Modern Practices for Improved Cloud Security. Cox Automotive - Enterprise Risk & Security

Garrison Technology HOW SECURE REMOTE BROWSING DELIVERS HIGH SECURITY EVEN FOR MAINSTREAM COMMERCIAL ORGANISATIONS

A Guide to Closing All Potential VDI Security Gaps

Digital Forensics Readiness PREPARE BEFORE AN INCIDENT HAPPENS

SELLING YOUR ORGANIZATION ON APPLICATION SECURITY. Navigating a new era of cyberthreats

85% 89% 10/5/2018. Do You Have A Firewall Around Your Cloud? Conquering The Big Threats & Challenges

Tripwire State of Cyber Hygiene Report

Speed Up Incident Response with Actionable Forensic Analytics

IT Needs More Control

SYMANTEC ENTERPRISE SECURITY. Symantec Internet Security Threat Report September 2005 Power and Energy Industry Data Sheet

ARC VIEW. Critical Industries Need Continuous ICS Security Monitoring. Keywords. Summary. By Sid Snitkin

K12 Cybersecurity Roadmap

Microsoft Security Management

The SD-WAN security guide

TOP 10 IT SECURITY ACTIONS TO PROTECT INTERNET-CONNECTED NETWORKS AND INFORMATION

Cyber Resilience - Protecting your Business 1

Changing the Game: An HPR Approach to Cyber CRM007

Background FAST FACTS

The Impact of Privacy on HP s Customer Relationship Management Solution

A company built on security

Transcription:

OPEN SOURCE SECURITY ANALYSIS The State of Open Source Security in Commercial Applications By Mike Pittenger, Vice President, Security Strategy Black Duck s On-Demand business conducts audits of customers software, often in merger or acquisition situations. Typically the audits include commercial software that has been in the market for a number of years. From a legal standpoint, customers want to confirm their software is not subject to unnecessary intellectual property (IP) risk through the use software under restrictive licenses (e.g., GPL, LGPL), or from improper reporting of the open source licenses used. From a security standpoint, customers want to understand the security profile of their software. While many of these companies have internal security programs and deploy security testing tools such as static and dynamic analysis, those tools are not effective at identifying the types of vulnerabilities disclosed every day in popular open source components. More importantly, if a customer is not aware of all of the open source in use, they cannot defend against common attacks against known vulnerabilities in those components. This study covers more than 200 applications reviewed by Black Duck On-Demand over the six months from October 2015 through March 2016. The age of the applications tested (e.g., how old the codebase is) varies widely. All of the companies submitting code for audit review had conducted manual reviews, and all data was anonymized prior to Black Duck s analysis. YOU RE USING OPEN SOURCE, AND MORE THAN YOU THINK Everyone uses open source. Black Duck finds it in over 95% of the applications we analyze for clients. It s easy to understand why. Open source adds needed functionality while lowering development costs and accelerating time to market. Open source can enter a code base in a variety of ways. We commonly think of a developer who recognizes a need for specific functionality, and pulls in an open source component that meets the re- 105 Average number components in 1

quirements. While this represents the classic 2x example, open source enters in other ways as well. Commercial components typically include open source that may or may not be disclosed. Additionally, outsourced development teams are highly motivated to use open source for lowering development costs and speeding time to market. In other cases, open source is built into reusable components that are used internally. Our review found that open source comprises over 35% of the average commercial application, and represents over 100 unique open source components in. When considering these numbers, it is important to remember that we are reviewing commercial applications as opposed to code developed for internal use. In the latter category, we expect to see open source comprising a much higher percentage of the application (75%+ is not unusual), though with a smaller total number of components. If the number of unique components is surprising to a reader, it is also surprising to our customers. Those who provide a listing of the components (bill of material) they expect to be in the applications when the audit begins are often only aware of 45% of the actual components used. In other words, while customers may believe they are using (on average) 60-70 components, they are actually using over 140. 67% of applications reviewed contained open source security vulnerabilities On average the companies were using 100% more open source than they originally believed IF YOU RE USING OPEN SOURCE, CHANCES ARE YOU ARE LIKELY INCLUDING VULNERABILITIES KNOWN TO THE WORLD AT LARGE Without visibility into the open source they use, a company is unable to protect itself from known vulnerabilities in those components. Even when components are identified, it can be difficult to track the various projects and comb publicly available databases for changes to the code, including newly disclosed vulnerabilities. Since 2014 alone, the National Vulnerability Database (NVD) has reported over 6,000 new vulnerabilities in open source software. Do the math. If the average commercial application tested includes over 100 unique open source components, manual tracking of the components in a single application is clearly burdensome. Multiply that by the hundreds or thousands of applications in a large enterprise, and the ability to track risk manually is impossible. 2

THIS ISN T AN ISOLATED INCIDENT While a single component with an exploitable vulnerability can be a problem, the issue is more widespread according to our data. On average, we identified five vulnerable components in every application. Of course, this doesn t mean customers should stop using open source. It does indicate, however, that visibility into the components that are included in their code base is required. This would provide the ability to switch to newer (or at least less vulnerable) versions of the same components. 22.5 Average number component vulnerabilities in A single vulnerability may or may not warrant an organization s attention. It could be minor or unreachable by an attacker. What we found, however, goes far beyond a single vulnerability in a single component. On average, each vulnerable component included multiple, unique vulnerabilities. When we look at the total number of vulnerabilities per project, the numbers are daunting over 22 individual vulnerabilities in any single application. 1,894 days Average age of open source component vulnerabilities at scan time BAD NEWS, THIS ISN T A NEW PROBLEM When a security issue is disclosed in an open source component, it is often (but not always) accompanied by an update or patch that remediates the issue. This allows development teams to address the vulnerability by updating the component. With some components, of course, this is not a simple fix. Those with multiple APIs will require more planning and testing to ensure the fix doesn t break other functionality or add new vulnerabilities. The planning process still doesn t explain the age of vulnerabilities found in our study. On average, the vulnerabilities we identified had been disclosed more than five years before our analysis. This indicates that the organizations didn t know about the vulnerabilities, either because they didn t know the component was present, or had not checked public resources for vulnerability information. This represents a significant risk to organizations deploying these applications. The longer a vulnerability is known, the more likely that an attacker can leverage it. And attackers often move quickly. The 2015 Verizon Data Breach Investigation Report found that half of the CVE s (Commonly Vulnerabilities and Exposures) exploited in 2014 fell within two weeks, and 99.9% of the exploited vulnerabilities were compromised more than a year after the CVE was published. In other words, you need to know where vulnerabilities exist in your code (and the open source in your custom code) and add this to your incident-response program. 3

EVEN WELL-PUBLICIZED VULNERABILITIES ARE NOT GETTING FIXED Vulnerabilities in open source are particularly attractive to attackers. The ubiquity of the affected components, the public disclosure of vulnerabilities (often with sample exploits) and access to the source code make the attacker s job simpler. In addition, without a traditional support model, users are typically unaware of new updates and vulnerabilities. 10% of the applications included the Heartbleed vulnerability Some vulnerabilities garner a lot of news, while others fly under the radar. However, when something like Heartbleed is talked about in the mainstream media, including the nightly news, one would expect companies to take note. Our study found over 10% of the applications tested included the Heartbleed vulnerability (disclosed a minimum of 18 months prior to our analysis), and almost 10% included POODLE. LogJam and FREAK each affected almost 5% of the applications. This illustrates the difficultly organizations have in managing open source components, and hence the attractiveness to attackers of vulnerabilities in these components. Without a comprehensive list of the components used, it is nearly impossible to map new vulnerabilities to specific applications that use the affected components. With popular components like OpenS- SL, attackers see a target-rich environment when new vulnerabilities (and associated exploits) are disclosed. NOR IS BAD NEWS SOMETHING YOU CAN SAFELY IGNORE % of High Severity (CVSS Base Score >= 7.0 39.55% % Medium Severity (CVSS Base Score >=4, <=6.9 52.10% % Low Severity 8.35% 40% vulnerabilities in were rated severe As noted previously, vulnerabilities vary in severity and will warrant different responses from an organization. The analysis tell us, again, that awareness of the vulnerabilities was low (or non-existent). Common Vulnerability Scoring System (CVSS) base scores (scored 1-10) are calculated by looking a combination of the simplicity of exploiting the vulnerability and its impact to confidentiality, integrity, and availability for the component. Our study found almost 40% of the vulnerabilities had CVSS base scores greater than 7, and over 90% had base scores greater than 4. 4

CONCLUSION Open source lowers development costs while accelerating time to market, and we expect its adoption to continue to grow. This report highlights the fact that, even for companies that conducted manual reviews, unknown (to the companies) open source permeated commercial applications. Vulnerabilities in open source are particularly attractive to attackers. The ubiquity of the affected components provides a target-rich environment; the vulnerabilities are publicly disclosed (often with sample exploits); and without a traditional support model, users are typically unaware of new updates and vulnerabilities. It s obvious that it is impossible to defend against a threat that you don t know exists. Organizations can address this with three simple steps: 1. CREATE OPEN SOURCE USAGE POLICIES: Understand the characteristics that are important to your organization for each type of application you build, including license obligations, acceptable security risk and open source community support. 2. TRACK USAGE AND ENFORCE POLICIES: Automated tools like Black Duck Hub automatically identify and track open source through integration with build tools, highlighting known vulnerabilities and components that violate company policy. This inventory, or bill of materials, is updated with every build and can be used to map new vulnerabilities to your applications. 3. MONITOR FOR NEW VULNERABILITIES: Public sources, like the National Vulnerability Database, provide information on publicly disclosed vulnerabilities in open source and commercial software. OSSA 2016 ABOUT BLACK DUCK SOFTWARE Organizations worldwide use Black Duck Software s industry-leading products to automate the processes of securing and managing open source software, eliminating the pain related to security vulnerabilities, open source license compliance and operational risk. Black Duck is headquartered in Burlington, MA, and has offices in San Jose, CA, London, Frankfurt, Hong Kong, Tokyo, Seoul and Beijing. For more information, visit www.blackducksoftware.com. CONTACT To learn more, please contact: sales@blackducksoftware.com or +1 781.891.5100 Additional information is available at: www.blackducksoftware.com 5

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback