Post on 13-Apr-2017


Shifting the conversation from active interception to proactive neutralization

Presenters

Rod Cope, CTO, Rogue Wave Software

© 2015 Rogue Wave Software, Inc. All Rights Reserved.


“With all software, there will be more security holes, you need to plan for it, have tooling, prepare for some notification process so you can quickly learn when there is an issue, whether it’s open source or from somewhere else, that you know there’s an issue, and then have a mitigation plan in place so you know what is affected.” - Rod Cope, CTO

Why the shift?


150x as much as fixing the bug during the requirements or design phase.

• 76% of organizations using open source don't have meaningful controls over what components go into their applications
• 55% of organizations don't have a security awareness program in place
• 78% of development teams use time-consuming manual testing processes to ensure code security
• 72% of developers believe they are responsible for security and safety testing of their code
• 70% of development organizations don't have clear policies, procedures, and tools for using open source code


What are the risks?

Risks include:

• OSS security issues
• Unknown OSS
• Outside reprogramming of systems
• Code vulnerabilities


Unknown OSS & security issues


Outside reprogramming of systems


Code vulnerabilities


Common attacks

Organizations have failed to prevent attacks:

• Lack of time
• Lack of focus
• Lack of tools/proper tools

Survey: of 1,700 developers, 80% incorrectly answered key questions surrounding the protection of sensitive data.

Most breaches result from input trust issues:

• SQL injection
• Unvalidated input
• Cross-site scripting

Heartbleed: buffer overrun. BMW patch: HTTP vs. HTTPS.


Root causes of vulnerabilities

Supply chain: Software suppliers can introduce risks (security, functional, compliance) before they reach you.

Minimal testing: Different platforms, processes, tools, standards, etc. require more effort to assess, test, and standardize.

Lack of prioritization

Over 90% of companies use OSS components in commercial software [1]; 46 million vulnerable open source components are downloaded each year.

Lack of developer education

1. Gartner

Multi-source software

(Diagram) Your product is built from open source, legacy code, COTS, contractor, and ISV components; these are integrated and tested, and the cost to fix defects rises from $ to $$$$.

Traditional development: Security as a service


Separation of duties for testing and auditing

Separate testing tools, results fed to development

Traditional Secure Development Lifecycle Activities

Req's
• Establish security requirements
• Create quality gates
• Risk assessments

Design
• Establish design requirements
• Analyze attack surface
• Threat modeling

Build
• Use approved tools
• Deprecate unsafe functions

Test
• Static analysis
• Dynamic analysis
• Fuzz testing
• Attack surface review
• Open source review

Deploy
• Incident response plan
• Final security review
• Release archive

Development, compliance, and security are independent functions.

Consequences of security as a service


Cost of Remediation (Source: Barry Boehm, “Equity Keynote Address”, March 19, 2007)

• Increased remediation costs
• Delayed releases
• Security and development become adversarial

Relative cost of remediation by the phase in which the defect is found:

• Req's: 1x
• Design: 5x
• Build: 10x
• Test: 20x to 50x
• Deploy: 150x

Build-only analysis in dev process

(Chart: cost of defects across Build and Analysis / Test)

Defect introduction

(Chart: cost of defects across Build and Analysis / Test; 50% of defects introduced here)

Solutions


Shift your plan of attack

• Agile, continuous integration, continuous delivery
• Understanding processes
• Educating teams
• Implementing tools
• Enforcing compliance
• Measuring success
• Adopting new standards
• Systems integrators vs. systems builders
• Multiple development teams

Prevent software failure due to defects

Your team worries about:

• Problems with array indexes
• Errors in error handlers
• Untrapped exceptions
• Memory leaks
• Unchecked stacks and buffers
• Misplaced pointers

Analysis and testing

Check code faster

Source: https://uwaterloo.ca/counselling-services/curve-forgetting


Issues identified at your desktop

1. Real-time feedback
2. Correct code before check-in
3. All areas impacted by a given defect are highlighted
4. After system build, the impact of other developers' code is also delivered to the desktop for corrective action

Static code analysis

Traditionally used to find simple, annoying bugs.

Modern, state-of-the-art SCA:

• Sophisticated inter-procedural control and data-flow analysis
• Model-based simulation of runtime expectation
• Provides an automated view of all possible execution paths
• Finds complex bugs and runtime errors: memory leaks, concurrency violations, buffer overflows
• Checks compliance with internationally recognized standards: MISRA, CWE, OWASP, ISO 26262

Klocwork static analysis engine

• Hundreds of checkers for C, C++, C# and Java
• Support for numerous standards
• Customizable:
– Turn checkers on or off
– Change the severity of identified defects
– Add custom checkers

Coding Standards & Maintainability

• MISRA, DISA, CWE, CERT, etc.
• Dead code
• Unreachable code
• Calculated values that are never used
• Unused function parameters
• …

Reliability

• Memory and resource leaks
• Concurrency violations
• Infinite loops
• Dereferencing NULL pointers
• Usage of uninitialized data
• Resource management
• Memory allocation errors
• …

Security

• Buffer overflow
• Un-validated user input
• SQL injection
• Path injection
• File injection
• Cross-site scripting
• Information leakage
• Vulnerable coding practices
• …

Klocwork finds Heartbleed
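The defect behind this slide, as an added example that is not from the deck or from Klocwork: a heartbeat-style handler that trusts the length field carried inside the message, beside the corrected version that checks it against the bytes actually received (the class of bounds check a static analyzer flags as a buffer overrun). The record layout, function names and the 4096-byte arena are constructed for this example.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>
/* Constructed layout modelled on the TLS heartbeat message: 1-byte type,
 * 2-byte big-endian length, payload, 16-byte padding. All names are this
 * example's own; the zeroed rest of `arena` stands in for whatever else
 * the process held next to the received record. */
#define HB_HDR 3
#define HB_PAD 16
static unsigned char arena[4096];
static unsigned char reply[4096];

/* Before: trusts the length field inside the message and never compares
 * it with how many bytes actually arrived. */
static size_t heartbeat_unchecked(const unsigned char *rec, size_t rec_len)
{
    uint16_t claimed = (uint16_t)((rec[1] << 8) | rec[2]);
    (void)rec_len;                         /* the defect: never consulted */
    memcpy(reply, rec + HB_HDR, claimed);  /* copies past the real record */
    return claimed;
}

/* After: header + claimed payload + padding must fit inside the received
 * record, otherwise the message is dropped (returns -1). */
static long heartbeat_checked(const unsigned char *rec, size_t rec_len)
{
    if (rec_len < HB_HDR) return -1;
    uint16_t claimed = (uint16_t)((rec[1] << 8) | rec[2]);
    if ((size_t)HB_HDR + claimed + HB_PAD > rec_len) return -1;
    memcpy(reply, rec + HB_HDR, claimed);
    return claimed;
}

/* Build a record that advertises `claimed` bytes but carries `actual`;
 * returns the size that really went over the wire. */
static size_t make_record(unsigned char *buf, uint16_t claimed, size_t actual)
{
    buf[0] = 1; buf[1] = (unsigned char)(claimed >> 8); buf[2] = (unsigned char)claimed;
    memset(buf + HB_HDR, 'A', actual);
    memset(buf + HB_HDR + actual, 0, HB_PAD);
    return HB_HDR + actual + HB_PAD;
}

int main(void)
{
    size_t n = make_record(arena, 2000, 4);   /* says 2000, sends only 4 */
    printf("unchecked echoed %zu bytes, checked returned %ld\n",
           heartbeat_unchecked(arena, n), heartbeat_checked(arena, n));
    return 0;
}
```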


Use open source software safely

“So the mystery is not that a few overworked volunteers missed this bug; the mystery is why it hasn’t happened more often.” - Steve Marquess, OpenSSL Software Foundation, on the Heartbleed bug

80% of developers need not prove the security of the OSS they’re using. Only 7% of organizations have an OSS policy around security.

Application code and 3rd-party components: if you’re using open source, security verification is up to you.

Do you know all the open source you are using?

• Test your code
• Look for flaws early
• Make security a priority

Reducing open source risk

• Use only trusted packages
• Notify and update security fixes
• Maintain with OSS support
• Know your inventory with OSS scanning: an automated, repeatable way to locate OSS packages (and packages within packages!) and licensing obligations
• Look for scanning tools that are SaaS and protect your IP by not requiring source code upload
• Get notified of latest patches, risks, and bugs
• Establish an OSS policy to minimize risk

Open source management: OpenLogic

Commercial-grade technical support for hundreds of open source packages

Web-based platform for open source governance

Open source scanning solutions

Library of certified open source software with proactive security notifications


Security vulnerability example


Scan results example


Conclusions

• Tooling: code analysis and OSS scanning
• Notification processes: OSS security notifications, latest patches
• Mitigation plan: shift from security as a service to security at the developer, correcting vulnerabilities as early as possible

See us in action:

www.roguewave.com

Rod Cope | rod.cope@roguewave.com