The benefits of including Open Source Software in products and services are very well understood, including many that greatly improve the security of the resultant product. Less well-known or understood, however, is the real security impact of bundling OSS and other third-party software into products. View the blog and on-demand presentation: http://ow.ly/dIZsl

1. Managing the Security Impact
of Bundled Third-Party Software
Tim Sammut
tsammut@cisco.com

2. About me
Cisco Security Research & Gentoo Linux Security Team ICASI Third-Party Software
Operations Member Security Working Group Chair
tsammut@cisco.com underling@gentoo.org

3. About you

4. Do you produce a product, service
or package?

5. Do you disclose vulnerabilities
to your customers?

6. Where is third-party software creating
security problems for you?

7.  Open Source Software vs. Third-Party Software
Quick Level Set  Do we even care about this stuff?
 What are we trying to accomplish?

8. It is not our code, but it is our product!

9. The Challenges

10.  Which packages?
 Which versions?
 Which compile-time options?
Knowing Where
 Which kernel versions?
TPS is Used
Given a vulnerable TPS package can you
reliably determine affected products?
Knowing Where TPS is Understanding Inconsistent Package Unmanageable Learning of Inconsistent Fixes External Development
Used Dependencies Naming Selection Processes Vulnerabilities Partners

11.  Exposure expands in under-understood ways
 Dependencies are equally exposed to
vulnerabilities
Understanding  Tools hide build and run-time dependencies
Dependencies
Focus is often on point requirements without
documenting every TPS package incorporated.
Knowing Where TPS is Understanding Inconsistent Package Unmanageable Learning of Inconsistent Fixes External Development
Used Dependencies Naming Selection Processes Vulnerabilities Partners

12.  No naming scheme
 Even authoritative names change
 Locally modified packages are indistinguishable
Inconsistent
 Simple input variances
Package Naming
 Versioning is itself complex
Are you able to efficiently process large
amounts of TPS usage data?
Knowing Where TPS is Understanding Inconsistent Package Unmanageable Learning of Inconsistent Fixes External Development
Used Dependencies Naming Selection Processes Vulnerabilities Partners

13.  How are development teams choosing which TPS
is used?
 Are the considering stability or security?
Unmanageable  Are they planing for the ongoing maintenance?
Selection Processes
Are you gaining development-time freedoms
at the expense of long-term maintainability?
Knowing Where TPS is Understanding Inconsistent Package Unmanageable Learning of Inconsistent Fixes External Development
Used Dependencies Naming Selection Processes Vulnerabilities Partners

14.  No “Single Source of Truth”
Learning of Newly  Disclosure formats, vehicles and time lines vary
wildly
Disclosed  Monitoring the CVE dictionary is incomplete
Vulnerabilities
Do you learn of new and relevant TPS
vulnerabilities before your customers?
Knowing Where TPS is Understanding Inconsistent Package Unmanageable Learning of Inconsistent Fixes External Development
Used Dependencies Naming Selection Processes Vulnerabilities Partners

15.  Do we wait for a new upstream release?
 Do we upgrade? Can we upgrade?
 Do we patch?
Inconsistent Fixing
 Will an upstream fix ever come?
of Vulnerabilities
 Is the upstream even active?
Solving this one time is easy. Do you know what
you did last time or across many products?
Knowing Where TPS is Understanding Inconsistent Package Unmanageable Learning of Inconsistent Fixes External Development
Used Dependencies Naming Selection Processes Vulnerabilities Partners

16.  Who is responsible to fix the issue?
External  How quickly?
 In what cases?
Development
 And for how long?
Partners  Are each of the previous challenges covered?
Combining TPS and external partners creates
efficiency and vast unknowns that must be
managed.
Knowing Where TPS is Understanding Inconsistent Package Unmanageable Learning of Inconsistent Fixes External Development
Used Dependencies Naming Selection Processes Vulnerabilities Partners

17. What other challenges exist?
Knowing Where TPS is Understanding Inconsistent Package Unmanageable Learning of Inconsistent Fixes External Development
Used Dependencies Naming Selection Processes Vulnerabilities Partners

18. The “Solutions”

19. Absolutely critical and foundational
to success
Build a Strong
Catalog of TPS Use
Knowing Where TPS is Understanding Inconsistent Package Unmanageable Learning of Inconsistent Fixes External Development
Used Dependencies Naming Selection Processes Vulnerabilities Partners

20. Creates tremendous efficiencies
throughout the problem space
Standardize
Everything Possible
Knowing Where TPS is Understanding Inconsistent Package Unmanageable Learning of Inconsistent Fixes External Development
Used Dependencies Naming Selection Processes Vulnerabilities Partners

21. Must produce a consistent vulnerability
feed for internal consumption
Monitor Vulnerability
Disclosure Scalably
Knowing Where TPS is Understanding Inconsistent Package Unmanageable Learning of Inconsistent Fixes External Development
Used Dependencies Naming Selection Processes Vulnerabilities Partners

22. Key to understanding today's impact
and the historic record
Instrument the
Bug Database
Knowing Where TPS is Understanding Inconsistent Package Unmanageable Learning of Inconsistent Fixes External Development
Used Dependencies Naming Selection Processes Vulnerabilities Partners

23. Support and require the equivalent of
internal processes
Require Contract
Language
with Partners
Knowing Where TPS is Understanding Inconsistent Package Unmanageable Learning of Inconsistent Fixes External Development
Used Dependencies Naming Selection Processes Vulnerabilities Partners

24. Questions?
It is not our code, but it is our product!

25. Thank you.
tsammut@cisco.com