How Components Increase Speed and Risk
- 1. How Open Source Components Increase Speed and Risk
Tim Jarrett, Director, Product Management, Veracode
Session DST50T, DevSecOps track
- 2. Terms of This Presentation
COPYRIGHT © 2017 CA. ALL RIGHTS RESERVED #CAWORLD #NOBARRIERS
© 2017 CA. All rights reserved. All trademarks referenced herein belong to their respective companies.
For Informational Purposes Only: the content provided in this CA World 2017 presentation is intended for informational purposes only and does not form any type of warranty. The information provided by a CA partner and/or CA customer has not been reviewed for accuracy by CA.
- 3. Agenda
1. Developers and open source components: free as in …
2. The Java component ecosystem: software ages like …
3. Case study: Apache Struts, aka “Struts-Shock”
4. Strategies for managing open source risk
- 4. Developers and Open Source Components
- 5. Software development: from artisanal craft to industrial revolution
- 6. Today’s Applications Are Assembled
[Diagram: a single block of proprietary code surrounded by many open source components]
Food for thought: how do you inventory open source libraries in your applications today?
- 7. Why open source? It’s about quality
Faster time to market requires fewer defects and more functional code. Developers don’t have to write common functions themselves.
- 8. Open Source Ecosystem Timeline
[Timeline, 1983 to 2018: GNU project, Linux, Google, SourceForge, Maven, GitHub]
- 9. The Java Open Source Ecosystem
- 10. Java Component Ecosystem
Maven – the standard for invoking, storing, and sharing components.
250 indexed repositories (Maven Central)
2.2M indexed Java archives (JARs)
540K JARs published in 2016
JUnit used in 63,321 other projects
SOURCE: Maven component repository, https://mvnrepository.com/, accessed 2017-10-06.
- 11. Publicly Disclosed Vulnerabilities
National Vulnerability Database:
95K total vulnerabilities (CVEs)
11K new CVEs published this year to date
35K High severity CVEs, 2650 Critical
SOURCE: National Vulnerability Database, https://nvd.nist.gov/, accessed 2017-10-06.
- 12. Speed of Development vs. Risk Management
“Third-party source code libraries increase development speed and risk. […] Heartbleed made dependency risk plain for all to see.”
SOURCE: Tyler Shields and Jeffrey Hammond, Forrester Research, “Vendor Landscape: Software Composition Analysis,” Forrester Research, October 1, 2015.
- 13. Sizing the Problem
80% of developers are using open source in deployed apps. (Source: Forrester)
Java applications have an average of 46 components. (Source: Veracode)
44% of Java applications contain critical vulnerabilities. (Source: Veracode)
SOURCES: Tyler Shields and Jeffrey Hammond, Forrester Research, “Vendor Landscape: Software Composition Analysis,” Forrester Research, October 1, 2015; Veracode reports.
- 14. Case Study: “Struts-Shock”
- 15. How do we get this data?
- 16. Most Prevalent Java Components
LIBRARY                          VERSION   % OF JAVA APPLICATIONS
aopalliance-1.0.jar              1.0       49.9%
dom4j-1.6.1.jar                  1.6.1     33.9%
commons-httpclient-3.1.jar       3.1       27.8%
commons-lang-2.6.jar             2.6       27.4%
commons-logging-1.1.1.jar        1.1.1     26.4%
activation-1.1.jar               1.1       25.3%
commons-collections-3.2.1.jar    3.2.1     24.9%
log4j-1.2.17.jar                 1.2.17    22.8%
antlr-2.7.7.jar                  2.7.7     21.4%
commons-io-2.4.jar               2.4       20.9%
SOURCE: Veracode, State of Software Security, Volume 8, 18 Oct 2017.
- 17. Most Prevalent Vulnerable Java Components
LIBRARY                          VERSION   % OF JAVA APPLICATIONS
commons-collections-3.2.1.jar    3.2.1     26.3%
commons-beanutils-1.8.3.jar      1.8.3     12.8%
commons-collections-3.1.jar      3.1       12.8%
commons-fileupload-1.2.jar       1.2       12.2%
commons-collections-3.2.jar      3.2       11.2%
xalan-2.7.0.jar                  2.7.0     8.5%
xalan-2.7.1.jar                  2.7.1     8.5%
commons-beanutils-1.8.0.jar      1.8.0     7.7%
commons-fileupload-1.3.1.jar     1.3.1     7.2%
commons-fileupload-1.2.1.jar     1.2.1     7.1%
SOURCE: Veracode, State of Software Security, Volume 8, 18 Oct 2017.
- 18. Case Study: Struts-Shock
[Chart] SOURCE: Veracode, State of Software Security, Volume 8, 18 Oct 2017.
- 19. Case Study: Apache Commons Collections
[Chart] SOURCE: Veracode, State of Software Security, Volume 8, 18 Oct 2017.
- 20. The Commons Collections Family Tree (animated slide)
- 21. Strategies for Managing Open Source Risk
- 22. Addressing Component Risks in the SDLC
1. Policy first
2. Build an inventory
3. Developer education
4. Integrate testing
- 23. 1. Policy First
- 24. 2. Build an Inventory
- 25. 3. Developer Education
- 26. Skills Training Has Measurable Results: eLearning
[Chart] SOURCE: Veracode, State of Software Security, Volume 8, 18 Oct 2017.
- 27. Skills Training Has Measurable Results: Coaching
[Chart] SOURCE: Veracode, State of Software Security, Volume 8, 18 Oct 2017.
- 28. 4. Integrate Testing
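As an added example (not the deck's own code), a Python script that carries out steps 2 and 4 above on a Java application's JAR listing: it parses file names into (artifact, version), builds the inventory, and fails the build when a version named in the deck's "Most Prevalent Vulnerable Java Components" table is present. The policy set, the regex and the function names are assumptions, and SAMPLE_LIB is a constructed listing.

```python
import re
from pathlib import Path

# Policy list: (artifact, version) pairs from the deck's vulnerable-components table;
# a real policy would be fed from an SCA tool or vulnerability feed, not hard-coded.
FLAGGED = {
    ("commons-collections", "3.1"), ("commons-collections", "3.2"),
    ("commons-collections", "3.2.1"), ("commons-beanutils", "1.8.0"),
    ("commons-beanutils", "1.8.3"), ("commons-fileupload", "1.2"),
    ("commons-fileupload", "1.2.1"), ("commons-fileupload", "1.3.1"),
    ("xalan", "2.7.0"), ("xalan", "2.7.1"),
}
# Artifact name (lazy, so the version splits off at the first chance), optional hyphen, dotted version, '.jar'.
JAR_RE = re.compile(r"^(?P<name>[A-Za-z][A-Za-z0-9_.-]*?)-?(?P<version>\d+(?:\.\d+)*)\.jar$")

def parse_jar_name(filename):
    """'commons-collections-3.2.1.jar' -> ('commons-collections', '3.2.1'); tolerates a
    missing hyphen before the version; None when no version is recognised (in-house JAR)."""
    m = JAR_RE.match(filename)
    return (m.group("name"), m.group("version")) if m else None

def scan_directory(root):
    """Step 2, build an inventory: every JAR file name below an application's lib tree."""
    return sorted(p.name for p in Path(root).rglob("*.jar"))

def build_inventory(jar_names):
    """Group file names by (artifact, version); names without a version go to 'unknown'."""
    inventory, unknown = {}, []
    for filename in jar_names:
        parsed = parse_jar_name(filename)
        if parsed is None:
            unknown.append(filename)  # needs a manual look, not silently dropped
        else:
            inventory.setdefault(parsed, []).append(filename)
    return inventory, unknown

def policy_violations(jar_names, flagged=FLAGGED):
    """Step 4, integrate testing: (artifact, version, filename) for every flagged JAR."""
    inventory, _ = build_inventory(jar_names)
    return sorted((name, version, f) for (name, version), files in inventory.items()
                  if (name, version) in flagged for f in files)

# Constructed lib/ listing: entries from both of the deck's tables plus an in-house JAR.
SAMPLE_LIB = ["aopalliance-1.0.jar", "commons-collections-3.2.1.jar",
              "commons-fileupload1.2.1.jar", "log4j-1.2.17.jar", "custom-internal.jar"]

if __name__ == "__main__":
    hits = policy_violations(SAMPLE_LIB)
    print(*(f"POLICY: {f} ({n} {v}) is on the flagged list" for n, v, f in hits), sep="\n")
    raise SystemExit(1 if hits else 0)  # fail the build on any hit
```

Wire `scan_directory` to the application's lib tree and run `policy_violations` on its result in CI; the non-zero exit turns the inventory check into a build gate.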
- 29. No Free Lunch
- 30. Recommended Sessions
SESSION #   TITLE                                                                              DATE/TIME
DST40T      Scale Your Application Security Program Effectively with the Right Program Management Model   11/15/2017 at 3:30 pm
SCT40T      Don’t Overreact: How to Respond to Vulnerability Disclosures                        11/15/2017 at 3:30 pm
DST38T      Shifting Security to the Left – Watch End-to-End DevSecOps Solution in Action        11/15/2017 at 4:15 pm
DST39T      DevOps: Security’s Chance to Get It Right                                            11/16/2017 at 12:45 pm
SCT41T      Testing the Fences: Recent Attacks Are Harbingers of a More Serious Threat           11/16/2017 at 4:15 pm
- 31. Must See Demos – Wed & Thurs
Securing Apps from Dev to Production: CA Veracode Static Analysis; CA Veracode Greenlight; CA Veracode Remediation Guidance
Manage Your Software Risk: Open Sourced Component Scanning; Developer Training on Secure Coding; Integrations into Your Dev Tools
Manage Your Software Risk: CA Veracode Static Analysis; CA Veracode Web Application Scanning; CA Veracode Greenlight
Demo stations 301, 506P and 509P (tracks: DevOps-CD, Security, Security)
- 32. Stay connected at https://community.veracode.com
Thank you.
- 33. DevSecOps
For more information on DevSecOps, please visit: http://cainc.to/CAW17-DevSecOps