Shifting the conversation from active interception to proactive neutralization
Presenter: Rod Cope, CTO, Rogue Wave Software
© 2015 Rogue Wave Software, Inc. All Rights Reserved.

"With all software, there will be more security holes, you need to plan for it, have tooling, prepare for some notification process so you can quickly learn when there is an issue, whether it's open source or from somewhere else, that you know there's an issue, and then have a mitigation plan in place so you know what is affected."
- Rod Cope, CTO
Why the shift?
Fixing a bug late costs 150X as much as fixing it during the requirements or design phase.
• 76% of organizations using open source don't have meaningful controls over what components go into their applications
• 55% of organizations don't have a security awareness program in place
• 78% of development teams use time-consuming manual testing processes to ensure code security
• 72% of developers believe they are responsible for security and safety testing of their code
• 70% of development organizations don't have clear policies, procedures, and tools for using open source code
What are the risks?
Risks include:
• OSS security issues
• Unknown OSS
• Outside reprogramming of systems
• Code vulnerabilities

Unknown OSS & security issues
Outside reprogramming of systems
Code vulnerabilities
Common attacks
Organizations have failed to prevent attacks because of a lack of time, a lack of focus, and a lack of tools (or of the proper tools).
Survey: of 1700 developers, 80% incorrectly answered key questions surrounding the protection of sensitive data.
Most breaches result from input trust issues:
• SQL injection
• Unvalidated input
• Cross-site scripting
Examples: Heartbleed (buffer overrun); BMW patch (HTTP vs. HTTPS)
Root causes of vulnerabilities
• Supply chain: software suppliers can introduce risks (security, functional, compliance) before they reach you
• Minimal testing: different platforms, processes, tools, standards, etc. require more effort to assess, test, and standardize
• Lack of prioritization
• Over 90% of companies use OSS components in commercial software [1]
• 46 million vulnerable open source components are downloaded each year
• Lack of developer education
1. Gartner
Multi-source software
Diagram: sources feeding your product (open source, legacy, COTS, contractors, ISV) through the integrate and test stages, with the cost to fix defects ranging from $ to $$$$.
Traditional development: Security as a service
Separation of duties for testing and auditing; separate testing tools, with results fed to development. Development, compliance, and security are independent functions.

Traditional Secure Development Lifecycle Activities
Req's
• Establish security requirements
• Create quality gates
• Risk assessments
Design
• Establish design requirements
• Analyze attack surface
• Threat modeling
Build
• Use approved tools
• Deprecate unsafe functions
Test
• Static analysis
• Dynamic analysis
• Fuzz testing
• Attack surface review
• Open source review
Deploy
• Incident response plan
• Final security review
• Release archive
Consequences of security as a service
• Increased remediation costs
• Delayed releases
• Security and development become adversarial

Cost of Remediation (Source: Barry Boehm, "Equity Keynote Address", March 19, 2007), by the phase in which a defect is fixed (activities per phase as in the traditional SDL above):
Req's: 1x
Design: 5x
Build: 10x
Test: 20x to 50x
Deploy: 150x
Build-only analysis in dev process
Diagram: cost of defects across the Build and Analysis / Test stages; the "Defect introduction" marker shows where 50% of defects are introduced.
Solutions
Shift your plan of attack
• Agile, continuous integration, continuous delivery
• Understanding processes
• Educating teams
• Implementing tools
• Enforcing compliance
• Measuring success
• Adopting new standards
• Systems integrators vs. systems builders
• Multiple development teams
Prevent software failure due to defects
Your team worries about:
• Problems with array indexes
• Errors in error handlers
• Untrapped exceptions
• Memory leaks
• Unchecked stacks and buffers
• Misplaced pointers
Analysis and testing: check code faster
Source: https://uwaterloo.ca/counselling-services/curve-forgetting
Issues identified at your desktop:
1. Real-time feedback
2. Correct code before check-in
3. All areas impacted by a given defect are highlighted
4. After system build, the impact of other developers' code is also delivered to the desktop for corrective action
Static code analysis
Traditionally used to find simple, annoying bugs. Modern, state-of-the-art SCA:
• Sophisticated inter-procedural control and data-flow analysis
• Model-based simulation of runtime expectation
• Provides an automated view of all possible execution paths
• Finds complex bugs and runtime errors: memory leaks, concurrency violations, buffer overflows
• Checks compliance with internationally recognized standards: MISRA, CWE, OWASP, ISO 26262
Klocwork static analysis engine
• Hundreds of checkers for C, C++, C# and Java
• Support for numerous standards: MISRA, DISA, CWE, CERT, etc.
• Customizable: turn checkers on or off, change the severity of identified defects, add custom checkers
Coding Standards & Maintainability
• Dead code
• Unreachable code
• Calculated values that are never used
• Unused function parameters
• …
Reliability
• Memory and resource leaks
• Concurrency violations
• Infinite loops
• Dereferencing NULL pointers
• Usage of uninitialized data
• Resource management
• Memory allocation errors
• …
Security
• Buffer overflow
• Un-validated user input
• SQL injection
• Path injection
• File injection
• Cross-site scripting
• Information leakage
• Vulnerable coding practices
• …
Klocwork finds Heartbleed
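An added example, not code from these slides or from Klocwork, showing the defect shape behind the Heartbleed slide and the input-to-memcpy data flow that the static code analysis slide's inter-procedural checkers look for: a copy length taken from an untrusted record with no bound against the bytes actually received, beside the hardened form that rejects such a record. The record layout and function names are assumptions constructed for this example, not the real TLS heartbeat encoding.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Constructed record layout (assumption, not the real TLS heartbeat encoding):
   byte 0 = payload length claimed by the peer, bytes 1.. = payload received. */

/* Vulnerable shape: the untrusted length byte flows straight into memcpy with
   no check against the record size, so a short record claiming a large length
   makes memcpy read past the buffer (the flow a data-flow checker flags).
   Shown for comparison only; never called here. */
size_t echo_unchecked(const uint8_t *rec, uint8_t *out)
{
    size_t claimed = rec[0];
    memcpy(out, rec + 1, claimed);
    return claimed;
}

/* Hardened shape: claimed length bounded by bytes really received and by the
   reply buffer. Returns bytes copied, or 0 (copying nothing) on rejection. */
size_t echo_checked(const uint8_t *rec, size_t rec_len, uint8_t *out, size_t out_cap)
{
    if (rec == NULL || out == NULL || rec_len < 1)
        return 0;                 /* no length byte at all */
    size_t claimed = rec[0];
    if (claimed > rec_len - 1)
        return 0;                 /* claims more than was received */
    if (claimed > out_cap)
        return 0;                 /* would overflow the reply buffer */
    memcpy(out, rec + 1, claimed);
    return claimed;
}

/* Three constructed cases; returns how many behaved as expected (3). */
int run_constructed_cases(void)
{
    uint8_t out[8];
    const uint8_t good[] = {3, 'a', 'b', 'c'};  /* claims 3, carries 3 */
    const uint8_t lying[] = {200, 'a', 'b'};    /* claims 200, carries 2 */
    int passed = 0;
    if (echo_checked(good, sizeof good, out, sizeof out) == 3 &&
        memcmp(out, "abc", 3) == 0)
        passed++;
    if (echo_checked(lying, sizeof lying, out, sizeof out) == 0)
        passed++;
    if (echo_checked(good, sizeof good, out, 2) == 0)   /* reply too small */
        passed++;
    return passed;
}
```

A checker that tracks the length byte from the record into the memcpy argument reports echo_unchecked and stays quiet on echo_checked, which is the difference between a build-only scan and finding the defect at the developer's desk.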
Use open source software safely
"So the mystery is not that a few overworked volunteers missed this bug; the mystery is why it hasn't happened more often."
- Steve Marquess, OpenSSL Software Foundation, on the Heartbleed bug
80% of developers need not prove the security of the OSS they're using. Only 7% of organizations have an OSS policy around security.
Application code and 3rd-party components: if you're using open source, security verification is up to you.
Do you know all the open source you are using?
• Test your code
• Look for flaws early
• Make security a priority
Reducing open source risk
Know your inventory with OSS scanning
• Automated, repeatable way to locate OSS packages (and packages within packages!) and licensing obligations
• Look for scanning tools that are SaaS and protect your IP by not requiring source code upload
• Get notified of latest patches, risks, and bugs
Establish an OSS policy to minimize risk
• Use only trusted packages
• Notify and update security fixes
• Maintain with OSS support
Open source management: OpenLogic
• Commercial-grade technical support for hundreds of open source packages
• Web-based platform for open source governance
• Open source scanning solutions
• Library of certified open source software with proactive security notifications

Security vulnerability example
Scan results example
Conclusions
• Tooling: code analysis and OSS scanning
• Notification processes: OSS security notifications, latest patches
• Mitigation plan: shift from security as a service to security at the developer, correcting vulnerabilities as early as possible