© 2015 Black Duck Software, Inc. All Rights Reserved.
MITIGATING RISKS FROM DEVELOPMENT, INTEGRATION, DISTRIBUTION AND DEPLOYMENT
BILL WEINBERG
Bill leads the Black Duck Open Source Strategy consultancy, helping clients select, build and deploy software for intelligent devices, enterprise data centers and cloud infrastructure. Bill also acts as Black Duck's open source community liaison and thought leader, representing Black Duck in the media and at industry conferences on issues of OSS governance and relevant technical topics, including the Internet of Things, inner source and legacy migration.
Bill has worked with open source for over 17 years and has over 30 years of experience in embedded and open systems, telecommunications infrastructure and mobile devices. As a founding team member at MontaVista Software, Bill pioneered Linux as a leading platform for intelligent devices. As Senior Analyst at OSDL (today, the Linux Foundation), Bill ran the Carrier Grade and Mobile Linux initiatives. As General Manager of the Linux Phone Standards Forum, Bill worked to foster development and standardization of open source mobile telephony.
JAKE KOUNS
• Bachelor of Business Administration and a Master of Business Administration with a concentration in Information Security from James Madison University.
• A number of certifications, including ISC2's CISSP and ISACA's CISM, CISA and CGEIT.
• He has briefed the DHS and the Pentagon on cyber liability insurance issues.
RISK BASED SECURITY
• RBS is a privately held corporation established in 2011 and is proud to serve some of the most respected companies, including IBM, Adobe, KPMG, Willis, AIG, Seattle Children's Hospital, major financial institutions and others.
• The RBS founders are behind the Open Security Foundation, have been recognized as worldwide experts in information security, and were awarded SC Magazine's Editor's Choice Award in 2009.
THE OPEN SOURCE
OPEN SOURCE VIEWED AS MORE SECURE
TODAY’S REALITY
OPEN SOURCE SECURITY LANDSCAPE
• Open Source is increasingly pervasive
• Vulnerabilities accompany wide development and deployment
• Recent vulnerabilities in the last 18 months have raised questions about the OSS security model
OPEN SOURCE SECURITY
Community Purview, Limitations and Solutions
OPEN SOURCE DEVELOPMENT MODEL
[Figure: layered diagram of Core Developers, Developer Community, and User Community & Ecosystem]
• Core project developers create, maintain and curate the code base
• Vet contributions from the larger communities
• Focus on project goals – features, performance, etc.
OPEN SOURCE CODE CURATION MODEL
[Figure: the same Core Developers / Developer Community / User Community & Ecosystem layers, with the code base advancing through releases Code v1, Code v2 … Code vN]
OPEN SOURCE CODE QUALITY ASSURANCE
Linus's Law: many eyes make all bugs shallow
-- Eric Raymond (original wording: "Given enough eyeballs, all bugs are shallow")
CODE (defect classes): unterminated strings, unchecked function returns, indices out of bounds, memory leaks, faulty logic, regressions, misconfiguration, stray pointers, back doors, parameter reversal, improper type casts, incorrect permissions, debug code, race conditions, deprecated versions, priority inversion, uninitialized variables, privilege violations
COMMUNITY: maintainers, developers and users exercise, debug and improve the code
THEORETICAL “TRIPLE FENCE” OF OSS SECURITY
[Figure: Production Code surrounded by three fences: OSS Project Purview, Distribution / Platform Creation, and Enterprise / OEM Integration]
OPEN SOURCE CODE SECURITY GAP
• Majority of eyes occupied elsewhere
• Minority of the community is security-savvy
[Figure: the same CODE defect cloud as on the Open Source Code Quality Assurance slide]
• Use-case specific errors
• Local misconfiguration
• LAN-based vulnerabilities
• Deployed deprecated software versions
• Weak encryption
• Bad authentication
• Stolen credentials
• Viruses, Trojans & other malware
• Denial of service attacks
• Weak passwords
• Unenforced security policy
• Phishing
• Man-in-the-middle attacks
• Forged certificates
• Spoofed MAC and IP addresses
• Latent zero-day exploits
• Brute-force decryption
AUTOMATE VISIBILITY AND CONTROL – OSS LOGISTICS
OSS Logistics pipeline: Choose → Approve → Scan → Inventory → Secure → Deliver
Q & A
What is the typical life-cycle of a vulnerability?
What are the consequences of differing approaches to discovery and disclosure?
Q & A
About how many vulnerabilities appear each year in OSS, and how does that compare to proprietary software?
Q & A
How does RBS contribute to OSVDB and create and maintain VulnDB, and how is each distinct from the NVD and other vulnerability databases?
Q & A
The “OSS Security Model” is receiving harsh scrutiny in light of recent vulnerabilities. Criticism notwithstanding, bringing “many eyes” to bear on software quality and vulnerabilities still beats relying on obscurity.
How would you build on and improve current community security methods and discipline?
Q & A
Together, Black Duck and RBS are working to implement “OSS Hygiene” by combining risk awareness with OSS module version management. What are the advantages of this approach?
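As an added example of the Scan → Inventory → Secure steps on the OSS Logistics slide and of the version-aware “OSS Hygiene” this question refers to (this is illustrative code written for this page, not Black Duck or RBS code and not a description of their products), the script below parses a constructed scanner inventory, matches each component against a constructed advisory feed that records affected version ranges, ranks the findings by severity and states a remediation. The component names, versions, file paths and advisory identifiers are invented placeholders; a real pipeline would take the inventory from a scanner and the ranges from a vulnerability database such as VulnDB or the NVD.

```python
# OSS inventory check: match scanned components against a vulnerability feed
# with affected version ranges, rank findings, and suggest remediation.
# Added example, not Black Duck or RBS code. Scan output, advisory feed,
# component names and advisory IDs are all constructed for illustration.
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Component:
    name: str
    version: str
    origin: str           # where the scan found it (constructed paths)


@dataclass(frozen=True)
class Advisory:
    advisory_id: str      # constructed ID, not a real CVE or VulnDB identifier
    component: str
    introduced: str       # first affected version, inclusive
    fixed: Optional[str]  # first fixed version, exclusive; None = no fix yet
    severity: str         # critical | high | medium | low


SEVERITY_ORDER = {"critical": 0, "high": 1, "medium": 2, "low": 3}

# Constructed scanner output: component, version, origin.
SCAN_OUTPUT = """\
# component   version   origin
libexample    1.0.1e    /usr/lib/libexample.so.1.0.1e
webfw         2.4.10    vendor/webfw
jsonlib       3.1.0     node_modules/jsonlib
oldcrypto     0.9.8     /opt/oldcrypto
"""

# Constructed advisory feed; each entry affects the range [introduced, fixed).
FEED = [
    Advisory("ADV-0001", "libexample", "1.0.1", "1.0.1g", "critical"),
    Advisory("ADV-0002", "webfw", "2.4.0", "2.4.12", "high"),
    Advisory("ADV-0003", "jsonlib", "3.0.0", "3.1.0", "medium"),  # 3.1.0 is fixed
    Advisory("ADV-0004", "oldcrypto", "0.9.0", None, "high"),     # unfixed
]

_VERSION_RE = re.compile(r"(\d+(?:\.\d+)*)([A-Za-z0-9.-]*)")


def parse_version(v: str) -> Tuple[tuple, str]:
    """'1.0.1g' -> ((1, 0, 1, 0), 'g'): numeric fields are padded so 1.2 == 1.2.0,
    and a suffix (OpenSSL-style letters) sorts after the bare release.
    Caveat: a pre-release tag such as '-beta' would wrongly sort *after* the
    release here; a production tool must apply per-ecosystem rules."""
    m = _VERSION_RE.fullmatch(v.strip())
    if not m:
        raise ValueError(f"unparseable version: {v!r}")
    nums = [int(x) for x in m.group(1).split(".")]
    nums += [0] * max(0, 4 - len(nums))
    return tuple(nums), m.group(2)


def is_affected(version: str, adv: Advisory) -> bool:
    """True if version lies in the half-open range [introduced, fixed)."""
    v = parse_version(version)
    if v < parse_version(adv.introduced):
        return False
    return adv.fixed is None or v < parse_version(adv.fixed)


def parse_scan(text: str) -> List[Component]:
    """Parse the whitespace-separated scanner output into an inventory."""
    inventory = []
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            name, version, origin = line.split(None, 2)
            inventory.append(Component(name, version, origin))
    return inventory


def check_inventory(inventory, feed) -> List[Tuple[Component, Advisory]]:
    """Join inventory to feed by component name; return findings, worst first."""
    by_name = {}
    for adv in feed:
        by_name.setdefault(adv.component.lower(), []).append(adv)
    findings = [(c, a) for c in inventory
                for a in by_name.get(c.name.lower(), [])
                if is_affected(c.version, a)]
    findings.sort(key=lambda f: SEVERITY_ORDER[f[1].severity])  # stable sort
    return findings


def remediation(adv: Advisory) -> str:
    """Next step: upgrade past the fix, or mitigate/replace if none exists."""
    if adv.fixed is None:
        return f"no fix published for {adv.component}: mitigate or replace"
    return f"upgrade {adv.component} to {adv.fixed} or later"


if __name__ == "__main__":
    for comp, adv in check_inventory(parse_scan(SCAN_OUTPUT), FEED):
        print(f"{adv.severity.upper():8} {adv.advisory_id} {comp.name} "
              f"{comp.version} ({comp.origin}): {remediation(adv)}")
```

Two design points matter in practice. Versions are compared as padded numeric tuples rather than strings, so 2.4.10 is correctly seen as newer than 2.4.9 and 1.0.1e as older than 1.0.1g; string comparison gets both wrong. The range check is half-open, so a component sitting exactly on the fixed version (jsonlib 3.1.0 here) is not flagged, while an advisory with no fixed version stays open until the component is replaced or mitigated, which is the case that a version-management-only approach would miss.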