q1 2016 open source security report: glibc and beyond


Upload: black-duck-software

Post on 16-Apr-2017


Page 1: Q1 2016 Open Source Security Report: Glibc and Beyond

© 2016 Black Duck Software, Inc. All Rights Reserved.

Secure and Manage Your Open Source Software

OPEN SOURCE VULNERABILITY REVIEW

Q1, 2016

Page 2

HOW ARE VULNERABILITIES FOUND AND DISCLOSED?

• Over 6,000 new vulnerabilities in open source since 2014
• Over 76,000 total vulnerabilities in NVD, of which only 63 reference automated tools
  • 50 of those are vulnerabilities reported in the tools themselves
  • 13 are vulnerabilities that could have been identified by a fuzzer
• In other words, the NVD record is built almost entirely from human research and disclosure, not from automated tool output

[Chart: NVD Open Source Vulnerability Disclosures by Month, 0 to 1,200 per month, with the Heartbleed disclosure marked]

Page 3

WHAT’S NEW IN THE FIRST 90 DAYS OF 2016

960 new vulnerabilities in open source components
• ~20% increase over Q1 2015
• ~35% increase in high and critical vulnerabilities

Popular components continue to be targets for research

• Firefox – 61 new vulnerabilities

• Debian Linux – 24 new vulnerabilities

• OpenSSL – 11 new vulnerabilities

• Apache Tomcat – 7 new vulnerabilities

Good News!

• WordPress – 0 new vulnerabilities

• Drupal – 0 new vulnerabilities

Page 4

MOST COMMON VULNERABILITY TYPES

NVD - Top Ten CWEs, Q1 2016

CWE category                     Frequency
Buffer Errors                          262
Information Leak/Disclosure            142
Input Validation                       133
Cross Site Scripting                   124
Improper Access Control                 32
Cross Site Request Forgery              22
Credentials Management                  21
Cryptographic Issues                    16
Data Handling                           16
Code                                    11

The top four categories alone account for 661 of the 960 Q1 disclosures (roughly 69%), with memory-safety bugs (Buffer Errors) well ahead of the rest.

[Bar chart of the same ten categories, scale 0 to 300]

Page 5

TOP “HONORS” FOR Q1

glibc and DROWN

Page 6

GLIBC VULNERABILITY

CVE-2015-7547

Component: GNU C Standard Library (glibc)

CWE 119 – Buffer Errors

Introduced to code base: 2008 (glibc 2.9)

Vulnerability disclosed: 02/18/2016

Recommendation: Upgrade immediately (the fix is in glibc 2.23 and in distribution backports)

Why it matters
• Central component in all Linux distros: IT infrastructure, mission critical applications, Internet of Things
• The bug sits in the stub resolver behind getaddrinfo(), so it is reachable through a universally used protocol (DNS)
• Anything that makes an affected client resolve an attacker-chosen name (a link, a mail header, a man-in-the-middle on the DNS path) lets the attacker's name server return an oversized response that overflows a stack buffer in glibc
• The resolver runs inside the calling process, so the result is code execution with that process's privileges, up to complete takeover of the system

Upgrade caveat: glibc is a shared library, so every long-running process that loaded the old copy keeps using it until it is restarted (a reboot is the reliable way to be sure), and statically linked binaries and container images carry their own copy that the host package update does not touch.

[Image: galaxy map of Ubuntu Linux, glibc highlighted]

Source: https://dankaminsky.com/2016/02/20/skeleton/#ciso

Page 7

DROWN VULNERABILITY

CVE-2016-0800

Component: OpenSSL

CWE 200 – Information Leak/Disclosure

Introduced to code base: 2010

Vulnerability disclosed: 03/01/2016

Recommendation: Upgrade immediately (OpenSSL 1.0.2g and 1.0.1s disable SSL v2 by default) and make sure no other server that shares the same RSA key still offers SSL v2

Why it matters
• Affects the most widely used encryption protocol (SSL/TLS) in the library behind most of the web: Apache and NGINX comprise 85% of web servers*
• Many Linux distros, Internet of Things, IT infrastructure
• The attacker does not have to downgrade the victim's connection. It is enough that some server (any port, any service, even SMTP) holding the same RSA key still accepts the obsolete SSL v2 protocol; that endpoint is then used as a padding oracle to decrypt recorded TLS sessions to the real server
• In the worst case a man-in-the-middle can intercept/modify communications between users and server

Share of HTTPS servers exposed to DROWN

                                    Vulnerable at disclosure (March 1)   Vulnerable March 26
HTTPS — Top one million domains     25%                                  15%
HTTPS — All browser-trusted sites   22%                                  16%
HTTPS — All sites                   33%                                  28%

Source: https://drownattack.com/
* http://www.w3cook.com/webserver/summary/
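The practical check behind the DROWN recommendation is "does any server holding this key still answer an SSL v2 handshake?". The following is an added example (not Black Duck's or OpenSSL's code) that builds an SSL v2 CLIENT-HELLO, parses a SERVER-HELLO reply, and wraps both in a live probe. Message layouts follow the SSL 2.0 specification; the sample SERVER-HELLO is constructed for offline testing and its "certificate" is placeholder bytes, not real DER. The probe only covers services that start with SSL directly (HTTPS, SMTPS, IMAPS); STARTTLS ports would first need the protocol's own prelude.

```python
"""SSLv2 handshake probe: does a TLS server still answer an SSLv2 CLIENT-HELLO?

Added example, not part of the report. Constructed sample data only; the live
probe (server_speaks_sslv2) is the one function that touches the network.
"""
import socket
import struct
from typing import Dict, List, Optional, Tuple

SSLV2_VERSION = 0x0002
MSG_CLIENT_HELLO = 0x01
MSG_SERVER_HELLO = 0x04

# SSL 2.0 CIPHER-SPEC values (3 bytes each) and their names.
SSLV2_CIPHER_SPECS: Dict[bytes, str] = {
    b"\x01\x00\x80": "SSL_CK_RC4_128_WITH_MD5",
    b"\x02\x00\x80": "SSL_CK_RC4_128_EXPORT40_WITH_MD5",
    b"\x03\x00\x80": "SSL_CK_RC2_128_CBC_WITH_MD5",
    b"\x04\x00\x80": "SSL_CK_RC2_128_CBC_EXPORT40_WITH_MD5",
    b"\x05\x00\x80": "SSL_CK_IDEA_128_CBC_WITH_MD5",
    b"\x06\x00\x40": "SSL_CK_DES_64_CBC_WITH_MD5",
    b"\x07\x00\xc0": "SSL_CK_DES_192_EDE3_CBC_WITH_MD5",
}


def sslv2_record(body: bytes) -> bytes:
    """Wrap a message in the 2-byte SSLv2 record header (high bit set, 15-bit length)."""
    return struct.pack("!H", 0x8000 | len(body)) + body


def build_client_hello(challenge: bytes = b"\x00" * 16) -> bytes:
    """CLIENT-HELLO offering every SSLv2 cipher kind and no session id."""
    specs = b"".join(SSLV2_CIPHER_SPECS)
    body = struct.pack("!BHHHH", MSG_CLIENT_HELLO, SSLV2_VERSION, len(specs), 0, len(challenge))
    return sslv2_record(body + specs + challenge)


def record_header(data: bytes) -> Tuple[int, int]:
    """(header length, body length) of the SSLv2 record at the start of data."""
    if data[0] & 0x80:
        return 2, ((data[0] & 0x7F) << 8) | data[1]
    return 3, ((data[0] & 0x3F) << 8) | data[1]


def parse_server_hello(data: bytes) -> Optional[Dict[str, object]]:
    """Parse an SSLv2 SERVER-HELLO; None for anything else (TLS alert, TLS ServerHello, EOF).

    SERVER-HELLO: type, session-id-hit, cert-type, version(2), cert-len(2),
    cipher-specs-len(2), connection-id-len(2), then the three variable fields.
    """
    if len(data) < 3:
        return None
    hdr_len, body_len = record_header(data)
    body = data[hdr_len:hdr_len + body_len]
    if len(body) < 11 or body[0] != MSG_SERVER_HELLO:
        return None
    session_hit, _cert_type, version, cert_len, specs_len, _conn_len = struct.unpack("!BBHHHH", body[1:11])
    if version != SSLV2_VERSION:
        return None
    cert = body[11:11 + cert_len]
    specs = body[11 + cert_len:11 + cert_len + specs_len]
    ciphers: List[str] = [
        SSLV2_CIPHER_SPECS.get(specs[i:i + 3], specs[i:i + 3].hex())
        for i in range(0, len(specs) - len(specs) % 3, 3)
    ]
    return {"version": version, "certificate": cert, "ciphers": ciphers, "session_id_hit": session_hit}


def make_sample_server_hello(cert: bytes = b"\x30\x82\x01\x00" + b"\x00" * 12,
                             specs: Tuple[bytes, ...] = (b"\x01\x00\x80", b"\x07\x00\xc0"),
                             conn_id: bytes = b"\xaa" * 16) -> bytes:
    """Constructed SERVER-HELLO for offline testing (placeholder certificate bytes, not real DER)."""
    spec_bytes = b"".join(specs)
    body = struct.pack("!BBBHHHH", MSG_SERVER_HELLO, 0, 1, SSLV2_VERSION,
                       len(cert), len(spec_bytes), len(conn_id))
    return sslv2_record(body + cert + spec_bytes + conn_id)


def server_speaks_sslv2(host: str, port: int = 443, timeout: float = 5.0) -> bool:
    """Live probe: send CLIENT-HELLO, read one record (or until the peer closes / times out)."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_client_hello())
        data = b""
        try:
            while True:
                chunk = sock.recv(4096)
                if not chunk:
                    break
                data += chunk
                if len(data) >= 3:
                    hdr_len, body_len = record_header(data)
                    if len(data) >= hdr_len + body_len:
                        break
        except socket.timeout:
            pass
    return parse_server_hello(data) is not None


if __name__ == "__main__":
    import sys
    host = sys.argv[1] if len(sys.argv) > 1 else "localhost"
    print(host, "answers SSLv2:" , server_speaks_sslv2(host))
```

A modern server replies to the SSL v2 hello with a TLS alert or simply closes the connection, which `parse_server_hello` reports as `None`; a SERVER-HELLO back means the key on that port is usable as a DROWN oracle against every TLS service sharing it, so probe every port, not just 443.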

Page 8

HONORABLE MENTION

The Panama Papers: Mossack Fonseca

• 11.5 million (2.6 TB) confidential documents stolen
• Details of over 200,000 off-shore entities and shell companies
• Suspected attack vectors
  • Drupal 7.23 (2013) – 611 known vulnerabilities (including DROWN)
  • WordPress 4.1 (2014) – 435 known vulnerabilities
  • Outlook Web Access – unpatched since 2009, no encryption enabled

Page 9

WHAT IS SPECIAL ABOUT OPEN SOURCE VULNERABILITIES?

Page 10

WE HAVE LITTLE CONTROL OVER HOW OPEN SOURCE ENTERS THE CODE BASE

[Diagram: code from the Open Source Community flows into Internally Developed Code, Outsourced Code, Legacy Code, Reused Code, Supply Chain Code and Third Party Code, all of which end up in the Delivered Code]

Open source code is introduced in many ways…

…and absorbed into the final code.

Page 11

OPEN SOURCE: EASY TARGETS

Used everywhere

Easy access to code

Vulnerabilities are publicized

Exploits readily available

Page 12

WHO’S RESPONSIBLE FOR SECURITY?

Commercial Code                                Open Source Code

• Dedicated security researchers               • "community"-based code analysis
• Alerting and notification infrastructure     • Monitor newsfeeds yourself
• Regular patch updates                        • No standard patching mechanism
• Dedicated support team with SLA              • Ultimately, you are responsible

Page 13

HOW ARE COMPANIES ADDRESSING THIS TODAY? NOT WELL.

Manual tabulation
• Architectural Review Board
• End of SDLC
• High effort and low accuracy
• No controls

Spreadsheet-based inventory
• Dependent on developer best effort or memory
• Difficult maintenance
• Not source of truth

Tracking vulnerabilities
• No single responsible entity
• Manual effort and labor intensive
• Unmanageable (11/day, given 960 new disclosures in 90 days)
• Must match applications, versions, components and vulnerabilities by hand

Vulnerability detection
• Run monthly/quarterly vulnerability assessment tools (e.g., Nessus, Nexpose) against all applications to identify exploitable instances
• A network scanner only sees what is listening on a port at scan time; a vulnerable library linked into an internal batch job, a stopped container, or a statically linked binary never shows up

Page 14

WHAT SECURITY TEAMS CAN DO

Page 15

A SOFTWARE BILL OF MATERIALS SOLVES THE PROBLEM

Vehicle bill of materials                         Software bill of materials

• Components and serial numbers                   • Complete analysis of open source components
• Unique to each vehicle VIN                      • Unique to each project or application
• Can track defective parts to unique vehicles    • Security, license, and operational risk surfaced

Page 16

A SOLUTION TO SOLVING THIS PROBLEM WOULD INCLUDE THESE COMPONENTS

Choose Open Source (GUIDE)
• Proactively choose secure, supported open source

Inventory Open Source (VERIFY/ENFORCE)
• Maintain an accurate list of open source components throughout the SDL

Map Existing Vulnerabilities (VERIFY/ENFORCE)
• Identify vulnerabilities during development

Track New Vulnerabilities (MONITOR)
• Alert on new vulnerabilities and map them to applications
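The inventory, map and track steps above are mechanical once the bill of materials exists. The following added example (not Black Duck's code or data) shows the core of it: a version parser that orders glibc and OpenSSL version strings correctly, a constructed BOM of three applications, a constructed vulnerability feed whose ranges follow the public advisories for the two Q1 headliners (CVE-2015-7547: glibc 2.9 up to but not including 2.23; CVE-2016-0800 / DROWN: OpenSSL 1.0.1 before 1.0.1s and 1.0.2 before 1.0.2g), the mapping of feed to applications, and an alert hook for a newly published entry. It also carries the check implied by the glibc slide's "upgrade immediately": reading the upstream glibc version out of `ldd --version` on a host or container image. Distribution packages often backport fixes without changing the upstream version, so a match here is a lead to confirm against the package changelog, not a verdict; the `2.19-0ubuntu6.7` string in the test is a constructed sample, not a statement about that package.

```python
"""Open source bill of materials matched against a vulnerability feed.

Added example, not part of the report. BOM rows and the vulnerability feed are
constructed for illustration; version ranges follow the public advisories.
"""
import re
from typing import Dict, List, Optional, Sequence, Set, Tuple

Version = Tuple[Tuple[int, str], ...]


def parse_version(text: str) -> Version:
    """'1.0.1f' -> ((1,''),(0,''),(1,'f')); '2.22' -> ((2,''),(22,'')).

    Tuples compare lexicographically, so 1.0.1 < 1.0.1f < 1.0.1s and 2.9 < 2.22,
    which plain string comparison gets wrong.
    """
    parts = []
    for piece in text.strip().split("."):
        m = re.fullmatch(r"(\d+)([a-z]*)", piece)
        if not m:
            raise ValueError(f"unparseable version: {text!r}")
        parts.append((int(m.group(1)), m.group(2)))
    return tuple(parts)


def glibc_version_from_ldd(output: str) -> Optional[str]:
    """Upstream glibc version from `ldd --version`; the first line ends with it on both
    GNU builds ('ldd (GNU libc) 2.23') and distro builds ('ldd (Ubuntu GLIBC 2.19-0ubuntu6.7) 2.19').
    Returns None on non-glibc systems (musl, BSD libc)."""
    first = output.strip().splitlines()[0] if output.strip() else ""
    m = re.match(r"ldd \(.*\) (\d+\.\d+)$", first)
    return m.group(1) if m else None


def is_affected(version: str, ranges: Sequence[Tuple[str, str]]) -> bool:
    """True if version falls inside any [introduced, fixed) range."""
    v = parse_version(version)
    return any(parse_version(lo) <= v < parse_version(hi) for lo, hi in ranges)


# Constructed vulnerability feed: one entry per CVE, [introduced, fixed) per supported branch.
VULNS: List[Dict[str, object]] = [
    {"cve": "CVE-2015-7547", "component": "glibc", "severity": "critical",
     "ranges": [("2.9", "2.23")], "note": "getaddrinfo() stack buffer overflow via DNS"},
    {"cve": "CVE-2016-0800", "component": "openssl", "severity": "high",
     "ranges": [("1.0.1", "1.0.1s"), ("1.0.2", "1.0.2g")], "note": "DROWN; SSLv2 must be off"},
]

# Constructed BOM, one row per (application, component, version), as a build step would emit it.
BOM: List[Dict[str, str]] = [
    {"app": "customer-portal", "component": "glibc", "version": "2.19"},
    {"app": "customer-portal", "component": "openssl", "version": "1.0.1f"},
    {"app": "billing-api", "component": "glibc", "version": "2.23"},
    {"app": "billing-api", "component": "openssl", "version": "1.0.2g"},
    {"app": "reporting", "component": "tomcat", "version": "8.0.30"},
]


def map_vulnerabilities(bom: List[Dict[str, str]],
                        vulns: List[Dict[str, object]]) -> List[Dict[str, str]]:
    """'Map existing vulnerabilities': every (app, component, version, CVE) hit."""
    findings = []
    for row in bom:
        for vuln in vulns:
            if row["component"] == vuln["component"] and is_affected(row["version"], vuln["ranges"]):
                findings.append({"app": row["app"], "component": row["component"],
                                 "version": row["version"], "cve": str(vuln["cve"]),
                                 "severity": str(vuln["severity"])})
    return findings


def affected_apps(bom: List[Dict[str, str]],
                  vulns: List[Dict[str, object]]) -> Dict[str, List[str]]:
    """Application -> sorted CVE list: the view an owner-facing alert is keyed on."""
    out: Dict[str, List[str]] = {}
    for f in map_vulnerabilities(bom, vulns):
        cves = out.setdefault(f["app"], [])
        if f["cve"] not in cves:
            cves.append(f["cve"])
    return {app: sorted(cves) for app, cves in out.items()}


def alert_on_new(bom: List[Dict[str, str]], new_vuln: Dict[str, object],
                 seen_cves: Set[str]) -> List[Dict[str, str]]:
    """'Track new vulnerabilities': when a feed entry arrives, map just that entry against the
    current BOM and return the findings once; a repeat of the same CVE produces no new alert."""
    cve = str(new_vuln["cve"])
    if cve in seen_cves:
        return []
    seen_cves.add(cve)
    return map_vulnerabilities(bom, [new_vuln])


if __name__ == "__main__":
    for app, cves in affected_apps(BOM, VULNS).items():
        print(f"{app}: {', '.join(cves)}")
```

Keyed this way, a new feed entry costs one pass over the BOM rather than a manual search through every application, which is the difference between "11/day is unmanageable" and "11/day is a cron job".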

Page 17

KEY TAKEAWAYS

1. Use appropriate tools to identify bugs in the code you write
   • Understand the strengths and weaknesses of each

2. Create and maintain an inventory (Bill of Materials) of all open source
   • Update it with each build or release

3. Monitor the threat space for information on new vulnerabilities
   • New vulnerabilities change your security profile

4. Patch quickly
   • Attackers respond quickly; so must we

Page 18

WHAT CAN YOU DO TOMORROW?

Speak with your head of application development and find out:

• What policies exist?

• Is there a list of components?

• How are they creating the list?

• What controls do they have to ensure nothing gets through?

• How are they tracking vulnerabilities for all components over time?

Page 19

ABOUT BLACK DUCK

• 7 of the top 10 software companies, and 44 of the top 100
• 6 of the top 8 mobile handset vendors
• 6 of the top 10 investment banks
• 27 of the Fortune 100
• 1,600 customers, 24 countries, 230 employees
• Award for Innovation
• Four years in the "Software 500" largest software companies
• Six years in a row for Innovation
• Gartner Group "Cool Vendor"
• "Top Place to Work," The Boston Globe, 2014