SlideShare uma empresa Scribd logo

Secure application deployment in the age of continuous delivery

Transferir como PPTX, PDF
Black Duck by Synopsys
Black Duck by Synopsys

As presented by Tim Mackey, Senior Technical Evangelist at Black Duck Software, at Open Source Open Standards (GovNet) (http://opensourceconference.co.uk/), this deck covers some of the material which operators of open source data centers and users of container and cloud technologies should be aware of when seeking to be security conscious. Traditionally, when datacentre operators talk about application security, there has been a tendency to focus on issues related to key management, firewalls and data access. By contrast, application developers have a security focus which is more aligned with code analysis and fuzzing techniques. The reality is, secure application deployment principles extend from the infrastructure layer through the application and include how the application is deployed. With the prevalence of continuous deployment, it’s imperative to focus efforts on what attackers’ view as vulnerable; particularly in an environment where new exploits are being disclosed almost daily. In this session we’ll present: - How known vulnerabilities can make their way into production deployments - How vulnerability impact is maximized - A methodology for ensuring deployment of vulnerable code can be minimized - A methodology to minimize the potential for vulnerable code to be redistributed

Governo e ONGs
1 de 38
Secure Application Deployment in the Age of Continuous Delivery OPENSOURCE: Open Standards
#whoami – Tim Mackey • Current roles: Senior Technical Evangelist; Occasional coder • Previously XenServer Community Manager • Cool things I’ve done • Designed laser communication systems • Early designer of retail self-checkout machines • Embedded special relativity algorithms into industrial control system • Find me • Twitter: @TimInTech ( https://twitter.com/TimInTech ) • SlideShare: slideshare.net/TimMackey • LinkedIn: www.linkedin.com/in/mackeytim
Security reality You can only protect what you know about. Defense in depth matters.
Attacks are big business In 2015, 89% of data breaches had a financial or espionage motive Source: Verizon 2016 Data Breach Report
Attackers decide what’s valuable … … and they have little fear.
EASY ACCESS TO SOURCE CODE Open source ubiquity makes it ready target OPEN SOURCE ISN’T MORE OR LESS SECURE THAN CLOSED SOURCE – ITS JUST EASIER TO ACCESS VULNERABILITIES ARE PUBLICIZED EXPLOITS ARE PUBLISHED
Anatomy of a new attack Potential Attack Iterate Test against platforms Document Don’t forget PR department Deploy
DEVELOPER DOWNLOADS OUTSOURCED DEVELOPMENT THIRD PARTY LIBRARIES CODE REUSE APPROVED COMPONENTS COMMERCIAL APPS OPEN SOURCE CODE Open source enters through many channels… …and vulnerabilities can come with it.
CLOSED SOURCE COMMERCIAL CODE • DEDICATED SECURITY RESEARCHERS • ALERTING AND NOTIFICATION INFRASTRUCTURE • REGULAR PATCH UPDATES • DEDICATED SUPPORT TEAM WITH SLA OPEN SOURCE CODE • “COMMUNITY”-BASED CODE ANALYSIS • MONITOR NEWSFEEDS YOURSELF • NO STANDARD PATCHING MECHANISM • ULTIMATELY, YOU ARE RESPONSIBLE Who is responsible for code and security?
0 500 1000 1500 2000 2500 3000 3500 1999 2000 2001 2002 2003 2004 2005 2006 2007 2008 2009 2010 2011 2012 2013 2014 2015 Open Source Vulnerabilities Reported Per Year BDS-exclusive nvd Reference: Black Duck Software Knowledgebase, NVD Increasing number of OSS vulnerabilities
Automated tools miss most open source vulnerabilities Static & Dynamic Analysis Only discover common vulnerabilities 3,000+ disclosed in 2014 Less than 1% found by automated tools Undiscovered vulnerabilities are too complex and nuanced All possible security vulnerabilities
What do these all have in common? Heartbleed Shellshock GhostFreak Venom Since: Discovered: 2011 2014 1989 2014 1990’s 2015 2000 2015 2004 2015 Discovered by: Component: OpenSSL Riku, Antti, Matti, Mehta Bash Chazelas OpenSSL Beurdouche GNU C library Qualys researchers QEMU Geffner
Understand application contents Source: 2016 Open Source Security Report
Misaligned security investment
Distinct areas of risk • Open source license compliance • Ensure project dependencies are understood • Use of vulnerable open source components • Is component a fork or dependency? • How is component linked? • Operational risk • Can you differentiate between “stable” and “dead”? • Is there a significant change set in your future? • API versioning • Security response process for project
Total Quality Management Philosophies • Detect problems before product ships • Select components based on trust • Continuously identify issues and improve • Empower employees to solve problems • Implement the Deming Cycle • Plan for change and analyze risk • Do execute the plan in small steps • Check the results against the plan • Act on results to improve future outcomes • Manage with facts
Software development lifecycle Idea Spec Design Code Test Release
Software development lifecycle – threat model Idea Spec Design Code Test Release • As part of the specification and design, threat models are often created.
Software development lifecycle – static analysis Idea Spec Design Code Test Release • As part of the specification and design, threat models are often created. • During code creation and commits, static analysis is performed
Software development lifecycle – dynamic analysis Idea Spec Design Code Test Release • As part of the specification and design, threat models are often created. • During code creation and commits, static analysis is performed • Testing usually includes some form of dynamic testing
Traditional operations release process Deploy Measure ScaleMonitor Assess Release Update Spec
Oops – a vulnerability is disclosed – now what? DEVELOP SCM BUILD PACKAGE DEPLOY PRODUCTION BUG TRACKING REMEDIATE AND TRACK LICENSE COMPLIANCE AND SECURITY VULNERABILITIES FULL APP SEC VISIBILITY INTEGRATION BUILD / CI SERVER SCAN APPLICATIONS WITH EACH BUILD VIA CI INTEGRATION DELIVERY PIPELINE SCAN APPLICATIONS AND CONTAINERS BEFORE DELIVERY CONTINUOUS MONITORING OF VULNERABILITIES
Integrations matter …
Containers for application management
Knowledge is key. Can you keep up? glibc Bug Reported July 2015 Vuln: CVE-2015-7547: glibc getaddrinfo stack- based buffer overflow
Knowledge is key. Can you keep up? glibc Bug Reported July 2015 Vuln: CVE-2015-7547: glibc getaddrinfo stack- based buffer overflow
Knowledge is key. Can you keep up? glibc Vuln Introduced May 2008 glibc Bug Reported July 2015 CVE-2015- 7547 CVE Assigned Feb 16-2016 Low Security Risk Vuln: CVE-2015-7547: glibc getaddrinfo stack- based buffer overflow
Knowledge is key. Can you keep up? glibc Vuln Introduced May 2008 CVE-2015- 7547 CVE Assigned Feb 16-2016 glibc Bug Reported July 2015 National Vulnerability Database Vuln Published Feb 18-2016 Moderate Security Risk Low Security Risk Vuln: CVE-2015-7547: glibc getaddrinfo stack- based buffer overflow
Knowledge is key. Can you keep up? glibc Vuln Introduced National Vulnerability Database Vuln Published You Find It May 2008 CVE-2015- 7547 CVE Assigned Feb 16-2016 Feb 18-2016 glibc Bug Reported July 2015 Patches Available You Fix It Highest Security Risk Moderate Security Risk Low Security Risk Vuln: CVE-2015-7547: glibc getaddrinfo stack- based buffer overflow
Knowledge is key. Can you keep up? glibc Vuln Introduced National Vulnerability Database Vuln Published You Find It May 2008 CVE-2015- 7547 CVE Assigned Feb 16-2016 Feb 18-2016 glibc Bug Reported July 2015 Patches Available You Fix It Highest Security Risk Moderate Security Risk Low Security Risk Vuln: CVE-2015-7547: glibc getaddrinfo stack- based buffer overflow
Source: Future of Open Source 2016 Survey
A complete solution … Choose Open Source Proactively choose secure, supported open source SELECT Inventory Open Source Map Existing Vulnerabilities Maintain accurate list of open source components throughout the SDL Identify vulnerabilities during development VERIFY Track New Vulnerabilities Alert newly disclosed vulnerabilities in production MONITORREMEDIATE Fix Vulnerabilities Tell developers how to remediate
OVER TWO HUNDRED THIRTY E M P L O Y E E S 27USE BLACK DUCK SOFTWARE AWARD FOR INNOVATION GARTNER GROUP “COOL VENDOR” INNOVATIVE TECHNOLOGY OF THE YEAR - SECURITY 7 YEARS IN A ROW FOR SECURITY INNOVATION RANKED #38 OUT OF 500 SECURITY COMPANIES 7 YEARS IN A ROW 6 of the top 8 mobile handset vendors 7 of the top 10 SOFTWARE COMPANIES (44% OF TOP 100) 24 COUNTRIES 6 of the top 10 banks FORTUNE 100 Black Duck Created an Industry
8,500 WEBSITES 350 BILLION LINES OF CODE 2,400 LICENSE TYPES 1.5 MILLION PROJECTS 76,000 VULNERABILITIES Comprehensive KnowledgeBase • Largest database of open source project information in the world. • Vulnerabilities coverage extended through partnership with Risk Based Security. • The KnowledgeBase is essential for identifying and solving open source issues.
We need your help Knowledge is power • Know what’s running and why • Define proactive vulnerability response process • Don’t let technology hype cycle dictate security Invest in defense in depth models • Don’t rely on perimeter security to do heavy lifting • Do look at hypervisor & container trends in security • Make developers and ops teams part of the solution • Do embed security into deployment process Together we can build a more secure data center
Free tools to help • Docker Container Security Scanner • https://info.blackducksoftware.com/Security-Scan.html • 14 Day Free Trial to Black Duck Hub • https://info.blackducksoftware.com/Demo.html • Red Hat Atomic Host Integration (Requires Black Duck Hub) • atomic scan --scanner blackduck [container]
Secure application deployment in the age of continuous delivery

Recomendados

Security in the Age of Open Source
Security in the Age of Open SourceSecurity in the Age of Open Source
Security in the Age of Open SourceBlack Duck by Synopsys
 
Application Security in the Age of Open Source
Application Security in the Age of Open SourceApplication Security in the Age of Open Source
Application Security in the Age of Open SourceBlack Duck by Synopsys
 
September 13, 2016: Security in the Age of Open Source:
September 13, 2016: Security in the Age of Open Source: September 13, 2016: Security in the Age of Open Source:
September 13, 2016: Security in the Age of Open Source: Black Duck by Synopsys
 
Open Source in Application Security
Open Source in Application SecurityOpen Source in Application Security
Open Source in Application SecurityBlack Duck by Synopsys
 
Secure application deployment in Apache CloudStack
Secure application deployment in Apache CloudStackSecure application deployment in Apache CloudStack
Secure application deployment in Apache CloudStackTim Mackey
 
Open Source and Cyber Security: Open Source Software's Role in Government Cyb...
Open Source and Cyber Security: Open Source Software's Role in Government Cyb...Open Source and Cyber Security: Open Source Software's Role in Government Cyb...
Open Source and Cyber Security: Open Source Software's Role in Government Cyb...Great Wide Open
 
Secure application deployment in the age of continuous delivery
Secure application deployment in the age of continuous deliverySecure application deployment in the age of continuous delivery
Secure application deployment in the age of continuous deliveryTim Mackey
 
Empowering Application Security Protection in the World of DevOps
Empowering Application Security Protection in the World of DevOpsEmpowering Application Security Protection in the World of DevOps
Empowering Application Security Protection in the World of DevOpsIBM Security
 

Recomendados

Security in the Age of Open Source
Security in the Age of Open SourceSecurity in the Age of Open Source
Security in the Age of Open SourceBlack Duck by Synopsys
 
Application Security in the Age of Open Source
Application Security in the Age of Open SourceApplication Security in the Age of Open Source
Application Security in the Age of Open SourceBlack Duck by Synopsys
 
September 13, 2016: Security in the Age of Open Source:
September 13, 2016: Security in the Age of Open Source: September 13, 2016: Security in the Age of Open Source:
September 13, 2016: Security in the Age of Open Source: Black Duck by Synopsys
 
Open Source in Application Security
Open Source in Application SecurityOpen Source in Application Security
Open Source in Application SecurityBlack Duck by Synopsys
 
Secure application deployment in Apache CloudStack
Secure application deployment in Apache CloudStackSecure application deployment in Apache CloudStack
Secure application deployment in Apache CloudStackTim Mackey
 
Open Source and Cyber Security: Open Source Software's Role in Government Cyb...
Open Source and Cyber Security: Open Source Software's Role in Government Cyb...Open Source and Cyber Security: Open Source Software's Role in Government Cyb...
Open Source and Cyber Security: Open Source Software's Role in Government Cyb...Great Wide Open
 
Secure application deployment in the age of continuous delivery
Secure application deployment in the age of continuous deliverySecure application deployment in the age of continuous delivery
Secure application deployment in the age of continuous deliveryTim Mackey
 
Empowering Application Security Protection in the World of DevOps
Empowering Application Security Protection in the World of DevOpsEmpowering Application Security Protection in the World of DevOps
Empowering Application Security Protection in the World of DevOpsIBM Security
 
Managing Open Source in Application Security and Software Development Lifecycle
Managing Open Source in Application Security and Software Development LifecycleManaging Open Source in Application Security and Software Development Lifecycle
Managing Open Source in Application Security and Software Development LifecycleBlack Duck by Synopsys
 
FROM OPEN SOURCE COMPLIANCE TO SECURITY
FROM OPEN SOURCE COMPLIANCE TO SECURITYFROM OPEN SOURCE COMPLIANCE TO SECURITY
FROM OPEN SOURCE COMPLIANCE TO SECURITYBlack Duck by Synopsys
 
The 4 Levels of Open Source Risk Management
The 4 Levels of Open Source Risk ManagementThe 4 Levels of Open Source Risk Management
The 4 Levels of Open Source Risk ManagementBlack Duck by Synopsys
 
Black Duck & IBM Present: Application Security in the Age of Open Source
Black Duck & IBM Present: Application Security in the Age of Open SourceBlack Duck & IBM Present: Application Security in the Age of Open Source
Black Duck & IBM Present: Application Security in the Age of Open SourceBlack Duck by Synopsys
 
Open Source Security
Open Source SecurityOpen Source Security
Open Source SecuritySander Temme
 
Myths and Misperceptions of Open Source Security
Myths and Misperceptions of Open Source Security Myths and Misperceptions of Open Source Security
Myths and Misperceptions of Open Source Security Black Duck by Synopsys
 
Security in the age of open source - Myths and misperceptions
Security in the age of open source - Myths and misperceptionsSecurity in the age of open source - Myths and misperceptions
Security in the age of open source - Myths and misperceptionsTim Mackey
 
Using hypervisor and container technology to increase datacenter security pos...
Using hypervisor and container technology to increase datacenter security pos...Using hypervisor and container technology to increase datacenter security pos...
Using hypervisor and container technology to increase datacenter security pos...Tim Mackey
 
Software Security Assurance for DevOps
Software Security Assurance for DevOpsSoftware Security Assurance for DevOps
Software Security Assurance for DevOpsBlack Duck by Synopsys
 
The How and Why of Container Vulnerability Management
The How and Why of Container Vulnerability ManagementThe How and Why of Container Vulnerability Management
The How and Why of Container Vulnerability ManagementTim Mackey
 
Automating Open Source Security: A SANS Review of WhiteSource
Automating Open Source Security: A SANS Review of WhiteSourceAutomating Open Source Security: A SANS Review of WhiteSource
Automating Open Source Security: A SANS Review of WhiteSourceWhiteSource
 
Secure Application Development in the Age of Continuous Delivery
Secure Application Development in the Age of Continuous DeliverySecure Application Development in the Age of Continuous Delivery
Secure Application Development in the Age of Continuous DeliveryBlack Duck by Synopsys
 
Leveraging Black Duck Hub to Maximize Focus - Entersekt's approach to automat...
Leveraging Black Duck Hub to Maximize Focus - Entersekt's approach to automat...Leveraging Black Duck Hub to Maximize Focus - Entersekt's approach to automat...
Leveraging Black Duck Hub to Maximize Focus - Entersekt's approach to automat...Jerika Phelps
 
The Intersection Between Open Source and Cybersecurity
The Intersection Between Open Source and CybersecurityThe Intersection Between Open Source and Cybersecurity
The Intersection Between Open Source and CybersecurityBlack Duck by Synopsys
 
Open Source Insight: You Can’t Beat Hackers and the Pentagon Moves into Open...
Open Source Insight: You Can’t Beat Hackers and the Pentagon Moves into Open...Open Source Insight: You Can’t Beat Hackers and the Pentagon Moves into Open...
Open Source Insight: You Can’t Beat Hackers and the Pentagon Moves into Open...Black Duck by Synopsys
 
From Zero To Hero: Continuous Container Security in 4 Simple Steps- A WhiteSo...
From Zero To Hero: Continuous Container Security in 4 Simple Steps- A WhiteSo...From Zero To Hero: Continuous Container Security in 4 Simple Steps- A WhiteSo...
From Zero To Hero: Continuous Container Security in 4 Simple Steps- A WhiteSo...WhiteSource
 
Continuous security: Bringing agility to the secure development lifecycle
Continuous security: Bringing agility to the secure development lifecycleContinuous security: Bringing agility to the secure development lifecycle
Continuous security: Bringing agility to the secure development lifecycleRogue Wave Software
 
The Devops Challenge: Open Source Security Throughout the DevOps Pipline- A W...
The Devops Challenge: Open Source Security Throughout the DevOps Pipline- A W...The Devops Challenge: Open Source Security Throughout the DevOps Pipline- A W...
The Devops Challenge: Open Source Security Throughout the DevOps Pipline- A W...WhiteSource
 
Web application security
Web application securityWeb application security
Web application securityVikas Thange
 
Harnessing search engines for KM
Harnessing search engines for KMHarnessing search engines for KM
Harnessing search engines for KMInvotra
 
Integrating Black Duck into Your Environment with Hub APIs
Integrating Black Duck into Your Environment with Hub APIsIntegrating Black Duck into Your Environment with Hub APIs
Integrating Black Duck into Your Environment with Hub APIsBlack Duck by Synopsys
 
Integrating Black Duck into your Agile DevOps Environment
Integrating Black Duck into your Agile DevOps EnvironmentIntegrating Black Duck into your Agile DevOps Environment
Integrating Black Duck into your Agile DevOps EnvironmentBlack Duck by Synopsys
 

Mais conteúdo relacionado

Mais procurados

Managing Open Source in Application Security and Software Development Lifecycle
Managing Open Source in Application Security and Software Development LifecycleManaging Open Source in Application Security and Software Development Lifecycle
Managing Open Source in Application Security and Software Development LifecycleBlack Duck by Synopsys
 
FROM OPEN SOURCE COMPLIANCE TO SECURITY
FROM OPEN SOURCE COMPLIANCE TO SECURITYFROM OPEN SOURCE COMPLIANCE TO SECURITY
FROM OPEN SOURCE COMPLIANCE TO SECURITYBlack Duck by Synopsys
 
The 4 Levels of Open Source Risk Management
The 4 Levels of Open Source Risk ManagementThe 4 Levels of Open Source Risk Management
The 4 Levels of Open Source Risk ManagementBlack Duck by Synopsys
 
Black Duck & IBM Present: Application Security in the Age of Open Source
Black Duck & IBM Present: Application Security in the Age of Open SourceBlack Duck & IBM Present: Application Security in the Age of Open Source
Black Duck & IBM Present: Application Security in the Age of Open SourceBlack Duck by Synopsys
 
Open Source Security
Open Source SecurityOpen Source Security
Open Source SecuritySander Temme
 
Myths and Misperceptions of Open Source Security
Myths and Misperceptions of Open Source Security Myths and Misperceptions of Open Source Security
Myths and Misperceptions of Open Source Security Black Duck by Synopsys
 
Security in the age of open source - Myths and misperceptions
Security in the age of open source - Myths and misperceptionsSecurity in the age of open source - Myths and misperceptions
Security in the age of open source - Myths and misperceptionsTim Mackey
 
Using hypervisor and container technology to increase datacenter security pos...
Using hypervisor and container technology to increase datacenter security pos...Using hypervisor and container technology to increase datacenter security pos...
Using hypervisor and container technology to increase datacenter security pos...Tim Mackey
 
Software Security Assurance for DevOps
Software Security Assurance for DevOpsSoftware Security Assurance for DevOps
Software Security Assurance for DevOpsBlack Duck by Synopsys
 
The How and Why of Container Vulnerability Management
The How and Why of Container Vulnerability ManagementThe How and Why of Container Vulnerability Management
The How and Why of Container Vulnerability ManagementTim Mackey
 
Automating Open Source Security: A SANS Review of WhiteSource
Automating Open Source Security: A SANS Review of WhiteSourceAutomating Open Source Security: A SANS Review of WhiteSource
Automating Open Source Security: A SANS Review of WhiteSourceWhiteSource
 
Secure Application Development in the Age of Continuous Delivery
Secure Application Development in the Age of Continuous DeliverySecure Application Development in the Age of Continuous Delivery
Secure Application Development in the Age of Continuous DeliveryBlack Duck by Synopsys
 
Leveraging Black Duck Hub to Maximize Focus - Entersekt's approach to automat...
Leveraging Black Duck Hub to Maximize Focus - Entersekt's approach to automat...Leveraging Black Duck Hub to Maximize Focus - Entersekt's approach to automat...
Leveraging Black Duck Hub to Maximize Focus - Entersekt's approach to automat...Jerika Phelps
 
The Intersection Between Open Source and Cybersecurity
The Intersection Between Open Source and CybersecurityThe Intersection Between Open Source and Cybersecurity
The Intersection Between Open Source and CybersecurityBlack Duck by Synopsys
 
Open Source Insight: You Can’t Beat Hackers and the Pentagon Moves into Open...
Open Source Insight: You Can’t Beat Hackers and the Pentagon Moves into Open...Open Source Insight: You Can’t Beat Hackers and the Pentagon Moves into Open...
Open Source Insight: You Can’t Beat Hackers and the Pentagon Moves into Open...Black Duck by Synopsys
 
From Zero To Hero: Continuous Container Security in 4 Simple Steps- A WhiteSo...
From Zero To Hero: Continuous Container Security in 4 Simple Steps- A WhiteSo...From Zero To Hero: Continuous Container Security in 4 Simple Steps- A WhiteSo...
From Zero To Hero: Continuous Container Security in 4 Simple Steps- A WhiteSo...WhiteSource
 
Continuous security: Bringing agility to the secure development lifecycle
Continuous security: Bringing agility to the secure development lifecycleContinuous security: Bringing agility to the secure development lifecycle
Continuous security: Bringing agility to the secure development lifecycleRogue Wave Software
 
The Devops Challenge: Open Source Security Throughout the DevOps Pipline- A W...
The Devops Challenge: Open Source Security Throughout the DevOps Pipline- A W...The Devops Challenge: Open Source Security Throughout the DevOps Pipline- A W...
The Devops Challenge: Open Source Security Throughout the DevOps Pipline- A W...WhiteSource
 

Mais procurados (18)

Managing Open Source in Application Security and Software Development Lifecycle
Managing Open Source in Application Security and Software Development LifecycleManaging Open Source in Application Security and Software Development Lifecycle
Managing Open Source in Application Security and Software Development Lifecycle
 
FROM OPEN SOURCE COMPLIANCE TO SECURITY
FROM OPEN SOURCE COMPLIANCE TO SECURITYFROM OPEN SOURCE COMPLIANCE TO SECURITY
FROM OPEN SOURCE COMPLIANCE TO SECURITY
 
The 4 Levels of Open Source Risk Management
The 4 Levels of Open Source Risk ManagementThe 4 Levels of Open Source Risk Management
The 4 Levels of Open Source Risk Management
 
Black Duck & IBM Present: Application Security in the Age of Open Source
Black Duck & IBM Present: Application Security in the Age of Open SourceBlack Duck & IBM Present: Application Security in the Age of Open Source
Black Duck & IBM Present: Application Security in the Age of Open Source
 
Open Source Security
Open Source SecurityOpen Source Security
Open Source Security
 
Myths and Misperceptions of Open Source Security
Myths and Misperceptions of Open Source Security Myths and Misperceptions of Open Source Security
Myths and Misperceptions of Open Source Security
 
Security in the age of open source - Myths and misperceptions
Security in the age of open source - Myths and misperceptionsSecurity in the age of open source - Myths and misperceptions
Security in the age of open source - Myths and misperceptions
 
Using hypervisor and container technology to increase datacenter security pos...
Using hypervisor and container technology to increase datacenter security pos...Using hypervisor and container technology to increase datacenter security pos...
Using hypervisor and container technology to increase datacenter security pos...
 
Software Security Assurance for DevOps
Software Security Assurance for DevOpsSoftware Security Assurance for DevOps
Software Security Assurance for DevOps
 
The How and Why of Container Vulnerability Management
The How and Why of Container Vulnerability ManagementThe How and Why of Container Vulnerability Management
The How and Why of Container Vulnerability Management
 
Automating Open Source Security: A SANS Review of WhiteSource
Automating Open Source Security: A SANS Review of WhiteSourceAutomating Open Source Security: A SANS Review of WhiteSource
Automating Open Source Security: A SANS Review of WhiteSource
 
Secure Application Development in the Age of Continuous Delivery
Secure Application Development in the Age of Continuous DeliverySecure Application Development in the Age of Continuous Delivery
Secure Application Development in the Age of Continuous Delivery
 
Leveraging Black Duck Hub to Maximize Focus - Entersekt's approach to automat...
Leveraging Black Duck Hub to Maximize Focus - Entersekt's approach to automat...Leveraging Black Duck Hub to Maximize Focus - Entersekt's approach to automat...
Leveraging Black Duck Hub to Maximize Focus - Entersekt's approach to automat...
 
The Intersection Between Open Source and Cybersecurity
The Intersection Between Open Source and CybersecurityThe Intersection Between Open Source and Cybersecurity
The Intersection Between Open Source and Cybersecurity
 
Open Source Insight: You Can’t Beat Hackers and the Pentagon Moves into Open...
Open Source Insight: You Can’t Beat Hackers and the Pentagon Moves into Open...Open Source Insight: You Can’t Beat Hackers and the Pentagon Moves into Open...
Open Source Insight: You Can’t Beat Hackers and the Pentagon Moves into Open...
 
From Zero To Hero: Continuous Container Security in 4 Simple Steps- A WhiteSo...
From Zero To Hero: Continuous Container Security in 4 Simple Steps- A WhiteSo...From Zero To Hero: Continuous Container Security in 4 Simple Steps- A WhiteSo...
From Zero To Hero: Continuous Container Security in 4 Simple Steps- A WhiteSo...
 
Continuous security: Bringing agility to the secure development lifecycle
Continuous security: Bringing agility to the secure development lifecycleContinuous security: Bringing agility to the secure development lifecycle
Continuous security: Bringing agility to the secure development lifecycle
 
The Devops Challenge: Open Source Security Throughout the DevOps Pipline- A W...
The Devops Challenge: Open Source Security Throughout the DevOps Pipline- A W...The Devops Challenge: Open Source Security Throughout the DevOps Pipline- A W...
The Devops Challenge: Open Source Security Throughout the DevOps Pipline- A W...
 

Destaque

Web application security
Web application securityWeb application security
Web application securityVikas Thange
 
Harnessing search engines for KM
Harnessing search engines for KMHarnessing search engines for KM
Harnessing search engines for KMInvotra
 
Integrating Black Duck into Your Environment with Hub APIs
Integrating Black Duck into Your Environment with Hub APIsIntegrating Black Duck into Your Environment with Hub APIs
Integrating Black Duck into Your Environment with Hub APIsBlack Duck by Synopsys
 
Integrating Black Duck into your Agile DevOps Environment
Integrating Black Duck into your Agile DevOps EnvironmentIntegrating Black Duck into your Agile DevOps Environment
Integrating Black Duck into your Agile DevOps EnvironmentBlack Duck by Synopsys
 
2016 Future of Open Source Survey Results
2016 Future of Open Source Survey Results2016 Future of Open Source Survey Results
2016 Future of Open Source Survey ResultsBlack Duck by Synopsys
 
Software Development Life Cycle (SDLC)
Software Development Life Cycle (SDLC)Software Development Life Cycle (SDLC)
Software Development Life Cycle (SDLC)Angelin R
 
User Experience for the 100% - making your intranet accessible to everyone!
User Experience for the 100% - making your intranet accessible to everyone!User Experience for the 100% - making your intranet accessible to everyone!
User Experience for the 100% - making your intranet accessible to everyone!Invotra
 

Destaque (8)

Web application security
Web application securityWeb application security
Web application security
 
Harnessing search engines for KM
Harnessing search engines for KMHarnessing search engines for KM
Harnessing search engines for KM
 
Integrating Black Duck into Your Environment with Hub APIs
Integrating Black Duck into Your Environment with Hub APIsIntegrating Black Duck into Your Environment with Hub APIs
Integrating Black Duck into Your Environment with Hub APIs
 
Integrating Black Duck into your Agile DevOps Environment
Integrating Black Duck into your Agile DevOps EnvironmentIntegrating Black Duck into your Agile DevOps Environment
Integrating Black Duck into your Agile DevOps Environment
 
Securing Docker Containers
Securing Docker ContainersSecuring Docker Containers
Securing Docker Containers
 
2016 Future of Open Source Survey Results
2016 Future of Open Source Survey Results2016 Future of Open Source Survey Results
2016 Future of Open Source Survey Results
 
Software Development Life Cycle (SDLC)
Software Development Life Cycle (SDLC)Software Development Life Cycle (SDLC)
Software Development Life Cycle (SDLC)
 
User Experience for the 100% - making your intranet accessible to everyone!
User Experience for the 100% - making your intranet accessible to everyone!User Experience for the 100% - making your intranet accessible to everyone!
User Experience for the 100% - making your intranet accessible to everyone!
 

Semelhante a Secure application deployment in the age of continuous delivery

Secure application deployment in the age of continuous delivery
Secure application deployment in the age of continuous deliverySecure application deployment in the age of continuous delivery
Secure application deployment in the age of continuous deliveryBlack Duck by Synopsys
 
A question of trust - understanding Open Source risks
A question of trust - understanding Open Source risksA question of trust - understanding Open Source risks
A question of trust - understanding Open Source risksTim Mackey
 
Solnet dev secops meetup
Solnet dev secops meetupSolnet dev secops meetup
Solnet dev secops meetuppbink
 
Journey to the Cloud: Securing Your AWS Applications - April 2015
Journey to the Cloud: Securing Your AWS Applications - April 2015Journey to the Cloud: Securing Your AWS Applications - April 2015
Journey to the Cloud: Securing Your AWS Applications - April 2015Alert Logic
 
SCS DevSecOps Seminar - State of DevSecOps
SCS DevSecOps Seminar - State of DevSecOpsSCS DevSecOps Seminar - State of DevSecOps
SCS DevSecOps Seminar - State of DevSecOpsStefan Streichsbier
 
The road towards better automotive cybersecurity
The road towards better automotive cybersecurityThe road towards better automotive cybersecurity
The road towards better automotive cybersecurityRogue Wave Software
 
Fortify-Application_Security_Foundation_Training.pptx
Fortify-Application_Security_Foundation_Training.pptxFortify-Application_Security_Foundation_Training.pptx
Fortify-Application_Security_Foundation_Training.pptxYoisRoberthTapiadeLa
 
Fortify-Application_Security_Foundation_Training.pptx
Fortify-Application_Security_Foundation_Training.pptxFortify-Application_Security_Foundation_Training.pptx
Fortify-Application_Security_Foundation_Training.pptxVictoriaChavesta
 
Create code confidence for better application security
Create code confidence for better application security Create code confidence for better application security
Create code confidence for better application security Rogue Wave Software
 
Securing Container Deployments from Build to Ship to Run - August 2017 - Ranc...
Securing Container Deployments from Build to Ship to Run - August 2017 - Ranc...Securing Container Deployments from Build to Ship to Run - August 2017 - Ranc...
Securing Container Deployments from Build to Ship to Run - August 2017 - Ranc...Shannon Williams
 
Software Security Assurance for DevOps
Software Security Assurance for DevOpsSoftware Security Assurance for DevOps
Software Security Assurance for DevOpsBlack Duck by Synopsys
 
Software Security Assurance for Devops
Software Security Assurance for DevopsSoftware Security Assurance for Devops
Software Security Assurance for DevopsJerika Phelps
 
Secure SDLC in mobile software development.
Secure SDLC in mobile software development.Secure SDLC in mobile software development.
Secure SDLC in mobile software development.Mykhailo Antonishyn
 
Winning open source vulnerabilities without loosing your deveopers - Azure De...
Winning open source vulnerabilities without loosing your deveopers - Azure De...Winning open source vulnerabilities without loosing your deveopers - Azure De...
Winning open source vulnerabilities without loosing your deveopers - Azure De...WhiteSource
 
PCI and Vulnerability Assessments - What’s Missing?
PCI and Vulnerability Assessments - What’s Missing?PCI and Vulnerability Assessments - What’s Missing?
PCI and Vulnerability Assessments - What’s Missing?Black Duck by Synopsys
 
Application security meetup k8_s security with zero trust_29072021
Application security meetup k8_s security with zero trust_29072021Application security meetup k8_s security with zero trust_29072021
Application security meetup k8_s security with zero trust_29072021lior mazor
 
VMWare Tech Talk: "The Road from Rugged DevOps to Security Chaos Engineering"
VMWare Tech Talk: "The Road from Rugged DevOps to Security Chaos Engineering"VMWare Tech Talk: "The Road from Rugged DevOps to Security Chaos Engineering"
VMWare Tech Talk: "The Road from Rugged DevOps to Security Chaos Engineering"Aaron Rinehart
 
Open Source Security for Newbies - Best Practices
Open Source Security for Newbies - Best PracticesOpen Source Security for Newbies - Best Practices
Open Source Security for Newbies - Best PracticesBlack Duck by Synopsys
 
AWS live hack: Atlassian + Snyk OSS on AWS
AWS live hack: Atlassian + Snyk OSS on AWSAWS live hack: Atlassian + Snyk OSS on AWS
AWS live hack: Atlassian + Snyk OSS on AWSEric Smalling
 
Create a Unified View of Your Application Security Program – Black Duck Hub a...
Create a Unified View of Your Application Security Program – Black Duck Hub a...Create a Unified View of Your Application Security Program – Black Duck Hub a...
Create a Unified View of Your Application Security Program – Black Duck Hub a...Denim Group
 

Semelhante a Secure application deployment in the age of continuous delivery (20)

Secure application deployment in the age of continuous delivery
Secure application deployment in the age of continuous deliverySecure application deployment in the age of continuous delivery
Secure application deployment in the age of continuous delivery
 
A question of trust - understanding Open Source risks
A question of trust - understanding Open Source risksA question of trust - understanding Open Source risks
A question of trust - understanding Open Source risks
 
Solnet dev secops meetup
Solnet dev secops meetupSolnet dev secops meetup
Solnet dev secops meetup
 
Journey to the Cloud: Securing Your AWS Applications - April 2015
Journey to the Cloud: Securing Your AWS Applications - April 2015Journey to the Cloud: Securing Your AWS Applications - April 2015
Journey to the Cloud: Securing Your AWS Applications - April 2015
 
SCS DevSecOps Seminar - State of DevSecOps
SCS DevSecOps Seminar - State of DevSecOpsSCS DevSecOps Seminar - State of DevSecOps
SCS DevSecOps Seminar - State of DevSecOps
 
The road towards better automotive cybersecurity
The road towards better automotive cybersecurityThe road towards better automotive cybersecurity
The road towards better automotive cybersecurity
 
Fortify-Application_Security_Foundation_Training.pptx
Fortify-Application_Security_Foundation_Training.pptxFortify-Application_Security_Foundation_Training.pptx
Fortify-Application_Security_Foundation_Training.pptx
 
Fortify-Application_Security_Foundation_Training.pptx
Fortify-Application_Security_Foundation_Training.pptxFortify-Application_Security_Foundation_Training.pptx
Fortify-Application_Security_Foundation_Training.pptx
 
Create code confidence for better application security
Create code confidence for better application security Create code confidence for better application security
Create code confidence for better application security
 
Securing Container Deployments from Build to Ship to Run - August 2017 - Ranc...
Securing Container Deployments from Build to Ship to Run - August 2017 - Ranc...Securing Container Deployments from Build to Ship to Run - August 2017 - Ranc...
Securing Container Deployments from Build to Ship to Run - August 2017 - Ranc...
 
Software Security Assurance for DevOps
Software Security Assurance for DevOpsSoftware Security Assurance for DevOps
Software Security Assurance for DevOps
 
Software Security Assurance for Devops
Software Security Assurance for DevopsSoftware Security Assurance for Devops
Software Security Assurance for Devops
 
Secure SDLC in mobile software development.
Secure SDLC in mobile software development.Secure SDLC in mobile software development.
Secure SDLC in mobile software development.
 
Winning open source vulnerabilities without loosing your deveopers - Azure De...
Winning open source vulnerabilities without loosing your deveopers - Azure De...Winning open source vulnerabilities without loosing your deveopers - Azure De...
Winning open source vulnerabilities without loosing your deveopers - Azure De...
 
PCI and Vulnerability Assessments - What’s Missing?
PCI and Vulnerability Assessments - What’s Missing?PCI and Vulnerability Assessments - What’s Missing?
PCI and Vulnerability Assessments - What’s Missing?
 
Application security meetup k8_s security with zero trust_29072021
Application security meetup k8_s security with zero trust_29072021Application security meetup k8_s security with zero trust_29072021
Application security meetup k8_s security with zero trust_29072021
 
VMWare Tech Talk: "The Road from Rugged DevOps to Security Chaos Engineering"
VMWare Tech Talk: "The Road from Rugged DevOps to Security Chaos Engineering"VMWare Tech Talk: "The Road from Rugged DevOps to Security Chaos Engineering"
VMWare Tech Talk: "The Road from Rugged DevOps to Security Chaos Engineering"
 
Open Source Security for Newbies - Best Practices
Open Source Security for Newbies - Best PracticesOpen Source Security for Newbies - Best Practices
Open Source Security for Newbies - Best Practices
 
AWS live hack: Atlassian + Snyk OSS on AWS
AWS live hack: Atlassian + Snyk OSS on AWSAWS live hack: Atlassian + Snyk OSS on AWS
AWS live hack: Atlassian + Snyk OSS on AWS
 
Create a Unified View of Your Application Security Program – Black Duck Hub a...
Create a Unified View of Your Application Security Program – Black Duck Hub a...Create a Unified View of Your Application Security Program – Black Duck Hub a...
Create a Unified View of Your Application Security Program – Black Duck Hub a...
 

Mais de Black Duck by Synopsys

Flight WEST 2018 Presentation - A Buyer Investor Playbook for Successfully Na...
Flight WEST 2018 Presentation - A Buyer Investor Playbook for Successfully Na...Flight WEST 2018 Presentation - A Buyer Investor Playbook for Successfully Na...
Flight WEST 2018 Presentation - A Buyer Investor Playbook for Successfully Na...Black Duck by Synopsys
 
FLIGHT WEST 2018 Presentation - Continuous Monitoring of Open Source Componen...
FLIGHT WEST 2018 Presentation - Continuous Monitoring of Open Source Componen...FLIGHT WEST 2018 Presentation - Continuous Monitoring of Open Source Componen...
FLIGHT WEST 2018 Presentation - Continuous Monitoring of Open Source Componen...Black Duck by Synopsys
 
FLIGHT WEST 2018 Presentation - Open Source License Management in Black Duck Hub
FLIGHT WEST 2018 Presentation - Open Source License Management in Black Duck HubFLIGHT WEST 2018 Presentation - Open Source License Management in Black Duck Hub
FLIGHT WEST 2018 Presentation - Open Source License Management in Black Duck HubBlack Duck by Synopsys
 
FLIGHT WEST 2018 - Presentation - SCA 101: How to Manage Open Source Security...
FLIGHT WEST 2018 - Presentation - SCA 101: How to Manage Open Source Security...FLIGHT WEST 2018 - Presentation - SCA 101: How to Manage Open Source Security...
FLIGHT WEST 2018 - Presentation - SCA 101: How to Manage Open Source Security...Black Duck by Synopsys
 
FLIGHT WEST 2018 Presentation - Integrating Security into Your Development an...
FLIGHT WEST 2018 Presentation - Integrating Security into Your Development an...FLIGHT WEST 2018 Presentation - Integrating Security into Your Development an...
FLIGHT WEST 2018 Presentation - Integrating Security into Your Development an...Black Duck by Synopsys
 
Open-Source- Sicherheits- und Risikoanalyse 2018
Open-Source- Sicherheits- und Risikoanalyse 2018Open-Source- Sicherheits- und Risikoanalyse 2018
Open-Source- Sicherheits- und Risikoanalyse 2018Black Duck by Synopsys
 
FLIGHT Amsterdam Presentation - Open Source, IP and Trade Secrets: An Impossi...
FLIGHT Amsterdam Presentation - Open Source, IP and Trade Secrets: An Impossi...FLIGHT Amsterdam Presentation - Open Source, IP and Trade Secrets: An Impossi...
FLIGHT Amsterdam Presentation - Open Source, IP and Trade Secrets: An Impossi...Black Duck by Synopsys
 
FLIGHT Amsterdam Presentation - Data Breaches and the Law: A Practical Guide
FLIGHT Amsterdam Presentation - Data Breaches and the Law: A Practical GuideFLIGHT Amsterdam Presentation - Data Breaches and the Law: A Practical Guide
FLIGHT Amsterdam Presentation - Data Breaches and the Law: A Practical GuideBlack Duck by Synopsys
 
FLIGHT Amsterdam Presentation - Don’t Let Open Source Software Kill Your Deal
FLIGHT Amsterdam Presentation - Don’t Let Open Source Software Kill Your DealFLIGHT Amsterdam Presentation - Don’t Let Open Source Software Kill Your Deal
FLIGHT Amsterdam Presentation - Don’t Let Open Source Software Kill Your DealBlack Duck by Synopsys
 
FLIGHT Amsterdam Presentation - Open Source License Management in the Black D...
FLIGHT Amsterdam Presentation - Open Source License Management in the Black D...FLIGHT Amsterdam Presentation - Open Source License Management in the Black D...
FLIGHT Amsterdam Presentation - Open Source License Management in the Black D...Black Duck by Synopsys
 
FLIGHT Amsterdam Presentation - From Protex to Hub
FLIGHT Amsterdam Presentation - From Protex to Hub FLIGHT Amsterdam Presentation - From Protex to Hub
FLIGHT Amsterdam Presentation - From Protex to Hub Black Duck by Synopsys
 
Open Source Insight: Securing IoT, Atlanta Ransomware Attack, Congress on Cyb...
Open Source Insight: Securing IoT, Atlanta Ransomware Attack, Congress on Cyb...Open Source Insight: Securing IoT, Atlanta Ransomware Attack, Congress on Cyb...
Open Source Insight: Securing IoT, Atlanta Ransomware Attack, Congress on Cyb...Black Duck by Synopsys
 
Open Source Insight: GitHub Finds 4M Flaws, IAST Magic Quadrant, 2018 Open So...
Open Source Insight: GitHub Finds 4M Flaws, IAST Magic Quadrant, 2018 Open So...Open Source Insight: GitHub Finds 4M Flaws, IAST Magic Quadrant, 2018 Open So...
Open Source Insight: GitHub Finds 4M Flaws, IAST Magic Quadrant, 2018 Open So...Black Duck by Synopsys
 
Open Source Insight: Who Owns Linux? TRITON Attack, App Security Testing, Fut...
Open Source Insight: Who Owns Linux? TRITON Attack, App Security Testing, Fut...Open Source Insight: Who Owns Linux? TRITON Attack, App Security Testing, Fut...
Open Source Insight: Who Owns Linux? TRITON Attack, App Security Testing, Fut...Black Duck by Synopsys
 
Open Source Insight: SCA for DevOps, DHS Security, Securing Open Source for G...
Open Source Insight: SCA for DevOps, DHS Security, Securing Open Source for G...Open Source Insight: SCA for DevOps, DHS Security, Securing Open Source for G...
Open Source Insight: SCA for DevOps, DHS Security, Securing Open Source for G...Black Duck by Synopsys
 
Open Source Insight: AppSec for DevOps, Open Source vs Proprietary, Malicious...
Open Source Insight: AppSec for DevOps, Open Source vs Proprietary, Malicious...Open Source Insight: AppSec for DevOps, Open Source vs Proprietary, Malicious...
Open Source Insight: AppSec for DevOps, Open Source vs Proprietary, Malicious...Black Duck by Synopsys
 
Open Source Insight: Big Data Breaches, Costly Cyberattacks, Vuln Detection f...
Open Source Insight: Big Data Breaches, Costly Cyberattacks, Vuln Detection f...Open Source Insight: Big Data Breaches, Costly Cyberattacks, Vuln Detection f...
Open Source Insight: Big Data Breaches, Costly Cyberattacks, Vuln Detection f...Black Duck by Synopsys
 
Open Source Insight: Happy Birthday Open Source and Application Security for ...
Open Source Insight: Happy Birthday Open Source and Application Security for ...Open Source Insight: Happy Birthday Open Source and Application Security for ...
Open Source Insight: Happy Birthday Open Source and Application Security for ...Black Duck by Synopsys
 
Open Source Insight: Security Breaches and Cryptocurrency Dominating News
Open Source Insight: Security Breaches and Cryptocurrency Dominating NewsOpen Source Insight: Security Breaches and Cryptocurrency Dominating News
Open Source Insight: Security Breaches and Cryptocurrency Dominating NewsBlack Duck by Synopsys
 

Mais de Black Duck by Synopsys (20)

Flight WEST 2018 Presentation - A Buyer Investor Playbook for Successfully Na...
Flight WEST 2018 Presentation - A Buyer Investor Playbook for Successfully Na...Flight WEST 2018 Presentation - A Buyer Investor Playbook for Successfully Na...
Flight WEST 2018 Presentation - A Buyer Investor Playbook for Successfully Na...
 
FLIGHT WEST 2018 Presentation - Continuous Monitoring of Open Source Componen...
FLIGHT WEST 2018 Presentation - Continuous Monitoring of Open Source Componen...FLIGHT WEST 2018 Presentation - Continuous Monitoring of Open Source Componen...
FLIGHT WEST 2018 Presentation - Continuous Monitoring of Open Source Componen...
 
FLIGHT WEST 2018 Presentation - Open Source License Management in Black Duck Hub
FLIGHT WEST 2018 Presentation - Open Source License Management in Black Duck HubFLIGHT WEST 2018 Presentation - Open Source License Management in Black Duck Hub
FLIGHT WEST 2018 Presentation - Open Source License Management in Black Duck Hub
 
FLIGHT WEST 2018 - Presentation - SCA 101: How to Manage Open Source Security...
FLIGHT WEST 2018 - Presentation - SCA 101: How to Manage Open Source Security...FLIGHT WEST 2018 - Presentation - SCA 101: How to Manage Open Source Security...
FLIGHT WEST 2018 - Presentation - SCA 101: How to Manage Open Source Security...
 
FLIGHT WEST 2018 Presentation - Integrating Security into Your Development an...
FLIGHT WEST 2018 Presentation - Integrating Security into Your Development an...FLIGHT WEST 2018 Presentation - Integrating Security into Your Development an...
FLIGHT WEST 2018 Presentation - Integrating Security into Your Development an...
 
Open-Source- Sicherheits- und Risikoanalyse 2018
Open-Source- Sicherheits- und Risikoanalyse 2018Open-Source- Sicherheits- und Risikoanalyse 2018
Open-Source- Sicherheits- und Risikoanalyse 2018
 
FLIGHT Amsterdam Presentation - Open Source, IP and Trade Secrets: An Impossi...
FLIGHT Amsterdam Presentation - Open Source, IP and Trade Secrets: An Impossi...FLIGHT Amsterdam Presentation - Open Source, IP and Trade Secrets: An Impossi...
FLIGHT Amsterdam Presentation - Open Source, IP and Trade Secrets: An Impossi...
 
FLIGHT Amsterdam Presentation - Data Breaches and the Law: A Practical Guide
FLIGHT Amsterdam Presentation - Data Breaches and the Law: A Practical GuideFLIGHT Amsterdam Presentation - Data Breaches and the Law: A Practical Guide
FLIGHT Amsterdam Presentation - Data Breaches and the Law: A Practical Guide
 
FLIGHT Amsterdam Presentation - Don’t Let Open Source Software Kill Your Deal
FLIGHT Amsterdam Presentation - Don’t Let Open Source Software Kill Your DealFLIGHT Amsterdam Presentation - Don’t Let Open Source Software Kill Your Deal
FLIGHT Amsterdam Presentation - Don’t Let Open Source Software Kill Your Deal
 
FLIGHT Amsterdam Presentation - Open Source License Management in the Black D...
FLIGHT Amsterdam Presentation - Open Source License Management in the Black D...FLIGHT Amsterdam Presentation - Open Source License Management in the Black D...
FLIGHT Amsterdam Presentation - Open Source License Management in the Black D...
 
FLIGHT Amsterdam Presentation - From Protex to Hub
FLIGHT Amsterdam Presentation - From Protex to Hub FLIGHT Amsterdam Presentation - From Protex to Hub
FLIGHT Amsterdam Presentation - From Protex to Hub
 
Open Source Insight: Securing IoT, Atlanta Ransomware Attack, Congress on Cyb...
Open Source Insight: Securing IoT, Atlanta Ransomware Attack, Congress on Cyb...Open Source Insight: Securing IoT, Atlanta Ransomware Attack, Congress on Cyb...
Open Source Insight: Securing IoT, Atlanta Ransomware Attack, Congress on Cyb...
 
Open Source Insight: GitHub Finds 4M Flaws, IAST Magic Quadrant, 2018 Open So...
Open Source Insight: GitHub Finds 4M Flaws, IAST Magic Quadrant, 2018 Open So...Open Source Insight: GitHub Finds 4M Flaws, IAST Magic Quadrant, 2018 Open So...
Open Source Insight: GitHub Finds 4M Flaws, IAST Magic Quadrant, 2018 Open So...
 
Open Source Rookies and Community
Open Source Rookies and CommunityOpen Source Rookies and Community
Open Source Rookies and Community
 
Open Source Insight: Who Owns Linux? TRITON Attack, App Security Testing, Fut...
Open Source Insight: Who Owns Linux? TRITON Attack, App Security Testing, Fut...Open Source Insight: Who Owns Linux? TRITON Attack, App Security Testing, Fut...
Open Source Insight: Who Owns Linux? TRITON Attack, App Security Testing, Fut...
 
Open Source Insight: SCA for DevOps, DHS Security, Securing Open Source for G...
Open Source Insight: SCA for DevOps, DHS Security, Securing Open Source for G...Open Source Insight: SCA for DevOps, DHS Security, Securing Open Source for G...
Open Source Insight: SCA for DevOps, DHS Security, Securing Open Source for G...
 
Open Source Insight: AppSec for DevOps, Open Source vs Proprietary, Malicious...
Open Source Insight: AppSec for DevOps, Open Source vs Proprietary, Malicious...Open Source Insight: AppSec for DevOps, Open Source vs Proprietary, Malicious...
Open Source Insight: AppSec for DevOps, Open Source vs Proprietary, Malicious...
 
Open Source Insight: Big Data Breaches, Costly Cyberattacks, Vuln Detection f...
Open Source Insight: Big Data Breaches, Costly Cyberattacks, Vuln Detection f...Open Source Insight: Big Data Breaches, Costly Cyberattacks, Vuln Detection f...
Open Source Insight: Big Data Breaches, Costly Cyberattacks, Vuln Detection f...
 
Open Source Insight: Happy Birthday Open Source and Application Security for ...
Open Source Insight: Happy Birthday Open Source and Application Security for ...Open Source Insight: Happy Birthday Open Source and Application Security for ...
Open Source Insight: Happy Birthday Open Source and Application Security for ...
 
Open Source Insight: Security Breaches and Cryptocurrency Dominating News
Open Source Insight: Security Breaches and Cryptocurrency Dominating NewsOpen Source Insight: Security Breaches and Cryptocurrency Dominating News
Open Source Insight: Security Breaches and Cryptocurrency Dominating News
 

Último

call girls in DLF Phase 1 gurgaon 🔝 >༒9540349809 🔝 genuine Escort Service 🔝...
call girls in DLF Phase 1 gurgaon 🔝 >༒9540349809 🔝 genuine Escort Service 🔝...call girls in DLF Phase 1 gurgaon 🔝 >༒9540349809 🔝 genuine Escort Service 🔝...
call girls in DLF Phase 1 gurgaon 🔝 >༒9540349809 🔝 genuine Escort Service 🔝...saminamagar
 
YHR Fall 2023 Issue (Joseph Manning Interview) (2).pdf
YHR Fall 2023 Issue (Joseph Manning Interview) (2).pdfYHR Fall 2023 Issue (Joseph Manning Interview) (2).pdf
YHR Fall 2023 Issue (Joseph Manning Interview) (2).pdfyalehistoricalreview
 
Madurai Call Girls 7001305949 WhatsApp Number 24x7 Best Services
Madurai Call Girls 7001305949 WhatsApp Number 24x7 Best ServicesMadurai Call Girls 7001305949 WhatsApp Number 24x7 Best Services
Madurai Call Girls 7001305949 WhatsApp Number 24x7 Best Servicesnajka9823
 
call girls in Vasant Kunj DELHI 🔝 >༒9540349809 🔝 genuine Escort Service 🔝✔️✔️
call girls in Vasant Kunj DELHI 🔝 >༒9540349809 🔝 genuine Escort Service 🔝✔️✔️call girls in Vasant Kunj DELHI 🔝 >༒9540349809 🔝 genuine Escort Service 🔝✔️✔️
call girls in Vasant Kunj DELHI 🔝 >༒9540349809 🔝 genuine Escort Service 🔝✔️✔️saminamagar
 
Russian Call Girl Hebbagodi ! 7001305949 ₹2999 Only and Free Hotel Delivery 2...
Russian Call Girl Hebbagodi ! 7001305949 ₹2999 Only and Free Hotel Delivery 2...Russian Call Girl Hebbagodi ! 7001305949 ₹2999 Only and Free Hotel Delivery 2...
Russian Call Girl Hebbagodi ! 7001305949 ₹2999 Only and Free Hotel Delivery 2...narwatsonia7
 
Press Freedom in Europe - Time to turn the tide.
Press Freedom in Europe - Time to turn the tide.Press Freedom in Europe - Time to turn the tide.
Press Freedom in Europe - Time to turn the tide.Christina Parmionova
 
Powering Britain: Can we decarbonise electricity without disadvantaging poore...
Powering Britain: Can we decarbonise electricity without disadvantaging poore...Powering Britain: Can we decarbonise electricity without disadvantaging poore...
Powering Britain: Can we decarbonise electricity without disadvantaging poore...ResolutionFoundation
 
Jewish Efforts to Influence American Immigration Policy in the Years Before t...
Jewish Efforts to Influence American Immigration Policy in the Years Before t...Jewish Efforts to Influence American Immigration Policy in the Years Before t...
Jewish Efforts to Influence American Immigration Policy in the Years Before t...yalehistoricalreview
 
call girls in Mehrauli DELHI 🔝 >༒9540349809 🔝 genuine Escort Service 🔝✔️✔️
call girls in Mehrauli DELHI 🔝 >༒9540349809 🔝 genuine Escort Service 🔝✔️✔️call girls in Mehrauli DELHI 🔝 >༒9540349809 🔝 genuine Escort Service 🔝✔️✔️
call girls in Mehrauli DELHI 🔝 >༒9540349809 🔝 genuine Escort Service 🔝✔️✔️saminamagar
 
WORLD CREATIVITY AND INNOVATION DAY 2024.
WORLD CREATIVITY AND INNOVATION DAY 2024.WORLD CREATIVITY AND INNOVATION DAY 2024.
WORLD CREATIVITY AND INNOVATION DAY 2024.Christina Parmionova
 
2024: The FAR, Federal Acquisition Regulations - Part 26
2024: The FAR, Federal Acquisition Regulations - Part 262024: The FAR, Federal Acquisition Regulations - Part 26
2024: The FAR, Federal Acquisition Regulations - Part 26JSchaus & Associates
 
Professional Conduct and ethics lecture.pptx
Professional Conduct and ethics lecture.pptxProfessional Conduct and ethics lecture.pptx
Professional Conduct and ethics lecture.pptxjennysansano2
 
Earth Day 2024 - AMC "COMMON GROUND'' movie night.
Earth Day 2024 - AMC "COMMON GROUND'' movie night.Earth Day 2024 - AMC "COMMON GROUND'' movie night.
Earth Day 2024 - AMC "COMMON GROUND'' movie night.Christina Parmionova
 
NO1 Certified kala jadu Love Marriage Black Magic Punjab Powerful Black Magic...
NO1 Certified kala jadu Love Marriage Black Magic Punjab Powerful Black Magic...NO1 Certified kala jadu Love Marriage Black Magic Punjab Powerful Black Magic...
NO1 Certified kala jadu Love Marriage Black Magic Punjab Powerful Black Magic...Amil baba
 
Start Donating your Old Clothes to Poor People
Start Donating your Old Clothes to Poor PeopleStart Donating your Old Clothes to Poor People
Start Donating your Old Clothes to Poor PeopleSERUDS INDIA
 
办理约克大学毕业证成绩单|购买加拿大文凭证书
办理约克大学毕业证成绩单|购买加拿大文凭证书办理约克大学毕业证成绩单|购买加拿大文凭证书
办理约克大学毕业证成绩单|购买加拿大文凭证书zdzoqco
 
High-Level Thematic Event on Tourism - SUSTAINABILITY WEEK 2024- United Natio...
High-Level Thematic Event on Tourism - SUSTAINABILITY WEEK 2024- United Natio...High-Level Thematic Event on Tourism - SUSTAINABILITY WEEK 2024- United Natio...
High-Level Thematic Event on Tourism - SUSTAINABILITY WEEK 2024- United Natio...Christina Parmionova
 
call girls in Mukherjee Nagar DELHI 🔝 >༒9540349809 🔝 genuine Escort Service 🔝...
call girls in Mukherjee Nagar DELHI 🔝 >༒9540349809 🔝 genuine Escort Service 🔝...call girls in Mukherjee Nagar DELHI 🔝 >༒9540349809 🔝 genuine Escort Service 🔝...
call girls in Mukherjee Nagar DELHI 🔝 >༒9540349809 🔝 genuine Escort Service 🔝...saminamagar
 
2024: The FAR, Federal Acquisition Regulations - Part 25
2024: The FAR, Federal Acquisition Regulations - Part 252024: The FAR, Federal Acquisition Regulations - Part 25
2024: The FAR, Federal Acquisition Regulations - Part 25JSchaus & Associates
 
call girls in Narela DELHI 🔝 >༒9540349809 🔝 genuine Escort Service 🔝✔️✔️
call girls in Narela DELHI 🔝 >༒9540349809 🔝 genuine Escort Service 🔝✔️✔️call girls in Narela DELHI 🔝 >༒9540349809 🔝 genuine Escort Service 🔝✔️✔️
call girls in Narela DELHI 🔝 >༒9540349809 🔝 genuine Escort Service 🔝✔️✔️saminamagar
 

Último (20)

call girls in DLF Phase 1 gurgaon 🔝 >༒9540349809 🔝 genuine Escort Service 🔝...
call girls in DLF Phase 1 gurgaon 🔝 >༒9540349809 🔝 genuine Escort Service 🔝...call girls in DLF Phase 1 gurgaon 🔝 >༒9540349809 🔝 genuine Escort Service 🔝...
call girls in DLF Phase 1 gurgaon 🔝 >༒9540349809 🔝 genuine Escort Service 🔝...
 
YHR Fall 2023 Issue (Joseph Manning Interview) (2).pdf
YHR Fall 2023 Issue (Joseph Manning Interview) (2).pdfYHR Fall 2023 Issue (Joseph Manning Interview) (2).pdf
YHR Fall 2023 Issue (Joseph Manning Interview) (2).pdf
 
Madurai Call Girls 7001305949 WhatsApp Number 24x7 Best Services
Madurai Call Girls 7001305949 WhatsApp Number 24x7 Best ServicesMadurai Call Girls 7001305949 WhatsApp Number 24x7 Best Services
Madurai Call Girls 7001305949 WhatsApp Number 24x7 Best Services
 
call girls in Vasant Kunj DELHI 🔝 >༒9540349809 🔝 genuine Escort Service 🔝✔️✔️
call girls in Vasant Kunj DELHI 🔝 >༒9540349809 🔝 genuine Escort Service 🔝✔️✔️call girls in Vasant Kunj DELHI 🔝 >༒9540349809 🔝 genuine Escort Service 🔝✔️✔️
call girls in Vasant Kunj DELHI 🔝 >༒9540349809 🔝 genuine Escort Service 🔝✔️✔️
 
Russian Call Girl Hebbagodi ! 7001305949 ₹2999 Only and Free Hotel Delivery 2...
Russian Call Girl Hebbagodi ! 7001305949 ₹2999 Only and Free Hotel Delivery 2...Russian Call Girl Hebbagodi ! 7001305949 ₹2999 Only and Free Hotel Delivery 2...
Russian Call Girl Hebbagodi ! 7001305949 ₹2999 Only and Free Hotel Delivery 2...
 
Press Freedom in Europe - Time to turn the tide.
Press Freedom in Europe - Time to turn the tide.Press Freedom in Europe - Time to turn the tide.
Press Freedom in Europe - Time to turn the tide.
 
Powering Britain: Can we decarbonise electricity without disadvantaging poore...
Powering Britain: Can we decarbonise electricity without disadvantaging poore...Powering Britain: Can we decarbonise electricity without disadvantaging poore...
Powering Britain: Can we decarbonise electricity without disadvantaging poore...
 
Jewish Efforts to Influence American Immigration Policy in the Years Before t...
Jewish Efforts to Influence American Immigration Policy in the Years Before t...Jewish Efforts to Influence American Immigration Policy in the Years Before t...
Jewish Efforts to Influence American Immigration Policy in the Years Before t...
 
call girls in Mehrauli DELHI 🔝 >༒9540349809 🔝 genuine Escort Service 🔝✔️✔️
call girls in Mehrauli DELHI 🔝 >༒9540349809 🔝 genuine Escort Service 🔝✔️✔️call girls in Mehrauli DELHI 🔝 >༒9540349809 🔝 genuine Escort Service 🔝✔️✔️
call girls in Mehrauli DELHI 🔝 >༒9540349809 🔝 genuine Escort Service 🔝✔️✔️
 
WORLD CREATIVITY AND INNOVATION DAY 2024.
WORLD CREATIVITY AND INNOVATION DAY 2024.WORLD CREATIVITY AND INNOVATION DAY 2024.
WORLD CREATIVITY AND INNOVATION DAY 2024.
 
2024: The FAR, Federal Acquisition Regulations - Part 26
2024: The FAR, Federal Acquisition Regulations - Part 262024: The FAR, Federal Acquisition Regulations - Part 26
2024: The FAR, Federal Acquisition Regulations - Part 26
 
Professional Conduct and ethics lecture.pptx
Professional Conduct and ethics lecture.pptxProfessional Conduct and ethics lecture.pptx
Professional Conduct and ethics lecture.pptx
 
Earth Day 2024 - AMC "COMMON GROUND'' movie night.
Earth Day 2024 - AMC "COMMON GROUND'' movie night.Earth Day 2024 - AMC "COMMON GROUND'' movie night.
Earth Day 2024 - AMC "COMMON GROUND'' movie night.
 
NO1 Certified kala jadu Love Marriage Black Magic Punjab Powerful Black Magic...
NO1 Certified kala jadu Love Marriage Black Magic Punjab Powerful Black Magic...NO1 Certified kala jadu Love Marriage Black Magic Punjab Powerful Black Magic...
NO1 Certified kala jadu Love Marriage Black Magic Punjab Powerful Black Magic...
 
Start Donating your Old Clothes to Poor People
Start Donating your Old Clothes to Poor PeopleStart Donating your Old Clothes to Poor People
Start Donating your Old Clothes to Poor People
 
办理约克大学毕业证成绩单|购买加拿大文凭证书
办理约克大学毕业证成绩单|购买加拿大文凭证书办理约克大学毕业证成绩单|购买加拿大文凭证书
办理约克大学毕业证成绩单|购买加拿大文凭证书
 
High-Level Thematic Event on Tourism - SUSTAINABILITY WEEK 2024- United Natio...
High-Level Thematic Event on Tourism - SUSTAINABILITY WEEK 2024- United Natio...High-Level Thematic Event on Tourism - SUSTAINABILITY WEEK 2024- United Natio...
High-Level Thematic Event on Tourism - SUSTAINABILITY WEEK 2024- United Natio...
 
call girls in Mukherjee Nagar DELHI 🔝 >༒9540349809 🔝 genuine Escort Service 🔝...
call girls in Mukherjee Nagar DELHI 🔝 >༒9540349809 🔝 genuine Escort Service 🔝...call girls in Mukherjee Nagar DELHI 🔝 >༒9540349809 🔝 genuine Escort Service 🔝...
call girls in Mukherjee Nagar DELHI 🔝 >༒9540349809 🔝 genuine Escort Service 🔝...
 
2024: The FAR, Federal Acquisition Regulations - Part 25
2024: The FAR, Federal Acquisition Regulations - Part 252024: The FAR, Federal Acquisition Regulations - Part 25
2024: The FAR, Federal Acquisition Regulations - Part 25
 
call girls in Narela DELHI 🔝 >༒9540349809 🔝 genuine Escort Service 🔝✔️✔️
call girls in Narela DELHI 🔝 >༒9540349809 🔝 genuine Escort Service 🔝✔️✔️call girls in Narela DELHI 🔝 >༒9540349809 🔝 genuine Escort Service 🔝✔️✔️
call girls in Narela DELHI 🔝 >༒9540349809 🔝 genuine Escort Service 🔝✔️✔️
 

Secure application deployment in the age of continuous delivery

  • 1. Secure Application Deployment in the Age of Continuous Delivery OPENSOURCE: Open Standards
  • 2. #whoami – Tim Mackey • Current roles: Senior Technical Evangelist; Occasional coder • Previously XenServer Community Manager • Cool things I’ve done • Designed laser communication systems • Early designer of retail self-checkout machines • Embedded special relativity algorithms into industrial control system • Find me • Twitter: @TimInTech ( https://twitter.com/TimInTech ) • SlideShare: slideshare.net/TimMackey • LinkedIn: www.linkedin.com/in/mackeytim
  • 3. Security reality You can only protect what you know about. Defense in depth matters.
  • 4. Attacks are big business In 2015, 89% of data breaches had a financial or espionage motive Source: Verizon 2016 Data Breach Report
  • 5. Attackers decide what’s valuable … … and they have little fear.
  • 6. EASY ACCESS TO SOURCE CODE Open source ubiquity makes it ready target OPEN SOURCE ISN’T MORE OR LESS SECURE THAN CLOSED SOURCE – ITS JUST EASIER TO ACCESS VULNERABILITIES ARE PUBLICIZED EXPLOITS ARE PUBLISHED
  • 7. Anatomy of a new attack Potential Attack Iterate Test against platforms Document Don’t forget PR department Deploy
  • 8. DEVELOPER DOWNLOADS OUTSOURCED DEVELOPMENT THIRD PARTY LIBRARIES CODE REUSE APPROVED COMPONENTS COMMERCIAL APPS OPEN SOURCE CODE Open source enters through many channels… …and vulnerabilities can come with it.
  • 9. CLOSED SOURCE COMMERCIAL CODE • DEDICATED SECURITY RESEARCHERS • ALERTING AND NOTIFICATION INFRASTRUCTURE • REGULAR PATCH UPDATES • DEDICATED SUPPORT TEAM WITH SLA OPEN SOURCE CODE • “COMMUNITY”-BASED CODE ANALYSIS • MONITOR NEWSFEEDS YOURSELF • NO STANDARD PATCHING MECHANISM • ULTIMATELY, YOU ARE RESPONSIBLE Who is responsible for code and security?
  • 10. 0 500 1000 1500 2000 2500 3000 3500 1999 2000 2001 2002 2003 2004 2005 2006 2007 2008 2009 2010 2011 2012 2013 2014 2015 Open Source Vulnerabilities Reported Per Year BDS-exclusive nvd Reference: Black Duck Software Knowledgebase, NVD Increasing number of OSS vulnerabilities
  • 11. Automated tools miss most open source vulnerabilities Static & Dynamic Analysis Only discover common vulnerabilities 3,000+ disclosed in 2014 Less than 1% found by automated tools Undiscovered vulnerabilities are too complex and nuanced All possible security vulnerabilities
  • 12. What do these all have in common? Heartbleed Shellshock GhostFreak Venom Since: Discovered: 2011 2014 1989 2014 1990’s 2015 2000 2015 2004 2015 Discovered by: Component: OpenSSL Riku, Antti, Matti, Mehta Bash Chazelas OpenSSL Beurdouche GNU C library Qualys researchers QEMU Geffner
  • 13. Understand application contents Source: 2016 Open Source Security Report
  • 14.
  • 16. Distinct areas of risk • Open source license compliance • Ensure project dependencies are understood • Use of vulnerable open source components • Is component a fork or dependency? • How is component linked? • Operational risk • Can you differentiate between “stable” and “dead”? • Is there a significant change set in your future? • API versioning • Security response process for project
  • 17. Total Quality Management Philosophies • Detect problems before product ships • Select components based on trust • Continuously identify issues and improve • Empower employees to solve problems • Implement the Deming Cycle • Plan for change and analyze risk • Do execute the plan in small steps • Check the results against the plan • Act on results to improve future outcomes • Manage with facts
  • 19. Software development lifecycle – threat model Idea Spec Design Code Test Release • As part of the specification and design, threat models are often created.
  • 20. Software development lifecycle – static analysis Idea Spec Design Code Test Release • As part of the specification and design, threat models are often created. • During code creation and commits, static analysis is performed
  • 21. Software development lifecycle – dynamic analysis Idea Spec Design Code Test Release • As part of the specification and design, threat models are often created. • During code creation and commits, static analysis is performed • Testing usually includes some form of dynamic testing
  • 22. Traditional operations release process Deploy Measure ScaleMonitor Assess Release Update Spec
  • 23. Oops – a vulnerability is disclosed – now what? DEVELOP SCM BUILD PACKAGE DEPLOY PRODUCTION BUG TRACKING REMEDIATE AND TRACK LICENSE COMPLIANCE AND SECURITY VULNERABILITIES FULL APP SEC VISIBILITY INTEGRATION BUILD / CI SERVER SCAN APPLICATIONS WITH EACH BUILD VIA CI INTEGRATION DELIVERY PIPELINE SCAN APPLICATIONS AND CONTAINERS BEFORE DELIVERY CONTINUOUS MONITORING OF VULNERABILITIES
  • 26. Knowledge is key. Can you keep up? glibc Bug Reported July 2015 Vuln: CVE-2015-7547: glibc getaddrinfo stack- based buffer overflow
  • 27. Knowledge is key. Can you keep up? glibc Bug Reported July 2015 Vuln: CVE-2015-7547: glibc getaddrinfo stack- based buffer overflow
  • 28. Knowledge is key. Can you keep up? glibc Vuln Introduced May 2008 glibc Bug Reported July 2015 CVE-2015- 7547 CVE Assigned Feb 16-2016 Low Security Risk Vuln: CVE-2015-7547: glibc getaddrinfo stack- based buffer overflow
  • 29. Knowledge is key. Can you keep up? glibc Vuln Introduced May 2008 CVE-2015- 7547 CVE Assigned Feb 16-2016 glibc Bug Reported July 2015 National Vulnerability Database Vuln Published Feb 18-2016 Moderate Security Risk Low Security Risk Vuln: CVE-2015-7547: glibc getaddrinfo stack- based buffer overflow
  • 30. Knowledge is key. Can you keep up? glibc Vuln Introduced National Vulnerability Database Vuln Published You Find It May 2008 CVE-2015- 7547 CVE Assigned Feb 16-2016 Feb 18-2016 glibc Bug Reported July 2015 Patches Available You Fix It Highest Security Risk Moderate Security Risk Low Security Risk Vuln: CVE-2015-7547: glibc getaddrinfo stack- based buffer overflow
  • 31. Knowledge is key. Can you keep up? glibc Vuln Introduced National Vulnerability Database Vuln Published You Find It May 2008 CVE-2015- 7547 CVE Assigned Feb 16-2016 Feb 18-2016 glibc Bug Reported July 2015 Patches Available You Fix It Highest Security Risk Moderate Security Risk Low Security Risk Vuln: CVE-2015-7547: glibc getaddrinfo stack- based buffer overflow
  • 32. Source: Future of Open Source 2016 Survey
  • 33. A complete solution … Choose Open Source Proactively choose secure, supported open source SELECT Inventory Open Source Map Existing Vulnerabilities Maintain accurate list of open source components throughout the SDL Identify vulnerabilities during development VERIFY Track New Vulnerabilities Alert newly disclosed vulnerabilities in production MONITORREMEDIATE Fix Vulnerabilities Tell developers how to remediate
  • 34. OVER TWO HUNDRED THIRTY E M P L O Y E E S 27USE BLACK DUCK SOFTWARE AWARD FOR INNOVATION GARTNER GROUP “COOL VENDOR” INNOVATIVE TECHNOLOGY OF THE YEAR - SECURITY 7 YEARS IN A ROW FOR SECURITY INNOVATION RANKED #38 OUT OF 500 SECURITY COMPANIES 7 YEARS IN A ROW 6 of the top 8 mobile handset vendors 7 of the top 10 SOFTWARE COMPANIES (44% OF TOP 100) 24 COUNTRIES 6 of the top 10 banks FORTUNE 100 Black Duck Created an Industry
  • 35. 8,500 WEBSITES 350 BILLION LINES OF CODE 2,400 LICENSE TYPES 1.5 MILLION PROJECTS 76,000 VULNERABILITIES Comprehensive KnowledgeBase • Largest database of open source project information in the world. • Vulnerabilities coverage extended through partnership with Risk Based Security. • The KnowledgeBase is essential for identifying and solving open source issues.
  • 36. We need your help Knowledge is power • Know what’s running and why • Define proactive vulnerability response process • Don’t let technology hype cycle dictate security Invest in defense in depth models • Don’t rely on perimeter security to do heavy lifting • Do look at hypervisor & container trends in security • Make developers and ops teams part of the solution • Do embed security into deployment process Together we can build a more secure data center
  • 37. Free tools to help • Docker Container Security Scanner • https://info.blackducksoftware.com/Security-Scan.html • 14 Day Free Trial to Black Duck Hub • https://info.blackducksoftware.com/Demo.html • Red Hat Atomic Host Integration (Requires Black Duck Hub) • atomic scan --scanner blackduck [container]

Notas do Editor

  1. Image: http://morguefile.com/p/209940
  2. http://www.istockphoto.com/photo/computer-crime-concept-gm516607038-89059287?st=9174601 Source: http://www.verizonenterprise.com/verizon-insights-lab/dbir/2016/ Every year since 2008, Verizon have published a report on the attempted data breaches occurring within their data centers. For 2015, they found close to 90% of them had either a financial or espionage component to them. This report is well worth the read, and there are a few key findings in this report we should all be aware of. Costs of data breaches are heavily skewed towards legal consultation and forensics, and not to the public components of credit monitoring or lawsuits Despite some vulnerabilities having been public for years, there remain vulnerable components in use Some of those components simply may not have a patch forthcoming for a variety of reasons.
  3. Despite years of organizations spending energy protecting against attacks, it remains up to the attacker to define what’s valuable. Consider the case of ransomware. A police department in the town next to where I live was subjected to a raonsomeware attack. For roughly 500 USD in bitcoin, the attackers would decrypt the booking and evidence records they had just crypto locked. As an attacker, they likely had no knowledge of who they had attacked or what they had locked up. What mattered was the ransom, and that they had a police organization’s files didn’t factor into the equation.
  4. https://www.cesg.gov.uk/guidance/open-source-software-%E2%80%93-exploring-risk-good-practice-guide-38
  5. Let’s take a little bit of time and look at how an attack is created. Potential attackers have a number of tools at their disposal, and use a number of different tactics. In this case, the attacker wishes to create an attack on a given component. In order to be effective, they have two primary models. First they can actively contribute code in a highly active area of the component with an objective of planting a back door of some form. The hope being that their code will fail to be recognized as suspect given how quickly the area of code is evolving. Second they can look for areas of code which are stable, and the longer they’ve bene stable, the better. The reason for this is simple, old code is likely written by someone who isn’t with the project any longer, or perhaps doesn’t recall all assumptions present at the time the code was written. After all, its been long understood that even with the best developers, assumptions change and old code doesn’t keep up. The goal in both cases being to create an attack against the component, so they test, and fail, and iterate against the component until they’re successful or move on. Assuming they’re successful, they create a deployment tool and document the tool for others. Of course, given the publicity received by some recent vulnerabilities, a little PR goes a long way. Now there are responsible researchers who follow a similar workflow, and they legitimately attempt to work with component creators to disclose vulnerabilities. They too will publish results, but are less interested in creating the an attack beyond a proof of concept. http://www.istockphoto.com/photo/person-in-hooded-sweater-using-a-laptop-on-wooden-table-gm464503138-58544934?st=cf78f31 http://www.istockphoto.com/photo/cloud-computing-gm518556682-90104967
  6. https://www.cesg.gov.uk/guidance/open-source-software-%E2%80%93-exploring-risk-good-practice-guide-38 If you’re using commercial software, the vendor is responsible for best practice deployment guidance, the notification of any security vulnerabilities and ultimately patches and workarounds for disclosed vulnerabilities. This is part of the deliverable they provide in return for their license fee. If you’re using open source software, that process becomes partly your responsibility. To illustrate the level of information you have to work with, let’s look at a media-wiki maintenance release from December 2015. “various special pages resulted in fata errors” – this clearly is something which needs resolution, but which pages? How do you test? “1.24.6 marks the end of support for 1.24.x” – this is good to know, but I hope it was published elsewhere. “However, 1.24.5 had issues (along with other versions) so it was thought fair to fix them” – This is a good thing, but can we expect this treatment in the future? From the title, we also have a fix for 1.23.x, but what other versions?
  7. There is one thing we should all notice from this data: The vulnerable code was present for years until discovery. What may not be known, is that these vulnerabilities were found by researchers, not analysis tools.
  8. Source: https://info.blackducksoftware.com/OpenSourceSA_LP.html
  9. Vuln: CVE-2015-7547: glibc getaddrinfo stack-based buffer overflow On July 13 2015, the bug report associated with what would ultimately become CVE-2015-7547 was created. https://sourceware.org/ml/libc-alpha/2016-02/msg00416.html https://sourceware.org/bugzilla/show_bug.cgi?id=18665 https://security.googleblog.com/2016/02/cve-2015-7547-glibc-getaddrinfo-stack.html https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-7547 (published via US-CERT) http://cve.mitre.org/cve/cna.html https://openclipart.org/detail/200681/primary-patch
  10. Vuln: CVE-2015-7547: glibc getaddrinfo stack-based buffer overflow The report indicated that a traditional buffer management issue was present. Specifically it said “this change causes the thisanssizp pointer variable used in the recvfrom function on line 1282 to use the wrong size if a new buffer is created after the thisanssizp address has been changed at line 1257” and indicated that the result would be “The program will crash if the calculated size of the buffer used is 0. The recvfrom function will not crash, but any further accesses to the buffer where the bytes read was 0 from the recvfrom function will crash the program. ” https://sourceware.org/ml/libc-alpha/2016-02/msg00416.html https://sourceware.org/bugzilla/show_bug.cgi?id=18665 https://security.googleblog.com/2016/02/cve-2015-7547-glibc-getaddrinfo-stack.html https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-7547 (published via US-CERT) http://cve.mitre.org/cve/cna.html https://openclipart.org/detail/200681/primary-patch
  11. Vuln: CVE-2015-7547: glibc getaddrinfo stack-based buffer overflow On Feb 16, 2016, a CVE assignment was made to the bug list, and it further indicated the problem was introduced in May of 2008 in version 2.9. https://sourceware.org/ml/libc-alpha/2016-02/msg00416.html https://sourceware.org/bugzilla/show_bug.cgi?id=18665 https://security.googleblog.com/2016/02/cve-2015-7547-glibc-getaddrinfo-stack.html https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-7547 (published via US-CERT) http://cve.mitre.org/cve/cna.html https://openclipart.org/detail/200681/primary-patch
  12. Vuln: CVE-2015-7547: glibc getaddrinfo stack-based buffer overflow It wasn’t until two days later that the NVD (national vulnerability database) was updated to reflect the vulnerability. This meant that a staggered awareness situation ensued. When disclosures are staggered, there is an increased potential that a bad actor can take advantage of the situation. It’s important to note that this NVD entry came through US-CERT. One important thing to notice is that unlike the bug report, the overview contains significantly more actionable information (e.g. indicating that DNS is impacted “a crafted DNS response that triggers a call to the getaddrinfo function with the AF_UNSPEC or AF_INET6 address family, related to performing "dual A/AAAA DNS queries" and the libnss_dns.so.2 NSS module” https://sourceware.org/ml/libc-alpha/2016-02/msg00416.html https://sourceware.org/bugzilla/show_bug.cgi?id=18665 https://security.googleblog.com/2016/02/cve-2015-7547-glibc-getaddrinfo-stack.html https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-7547 (published via US-CERT) http://cve.mitre.org/cve/cna.html https://openclipart.org/detail/200681/primary-patch
  13. Vuln: CVE-2015-7547: glibc getaddrinfo stack-based buffer overflow Of course all most data center operators really want is to secure their environment, so the question really becomes “how to do that”. For an indication of how that plays out, we’ll look at VMware’s response as an example. The first thing most vendors do is create some form of security advisory, which in this case is “VMware Knowledge Base article 2144032”. In it they list the then current information about their exposure to the vulnerability. Often times, it’s minimal, but as they investigate, details are fleshed out. On February 22nd, they amended the KB article and created a security advisory “VMware Security Advisory VMSA-2016-0002” which included details on a patch for ESXi 5.5 and then updated a day later for a patch in ESXi 6.0. It’s not the least bit uncommon for some subordinate products, including older versions, to take longer to patch and on March 29th updates were announced to cover “vCenter Server Appliance (VCSA), 5.0 U3f, 5.1 U3c, and 5.5 U3c” Once you’ve a patch, then you can start working on resolving the issue in your infrastructure. https://sourceware.org/ml/libc-alpha/2016-02/msg00416.html https://sourceware.org/bugzilla/show_bug.cgi?id=18665 https://security.googleblog.com/2016/02/cve-2015-7547-glibc-getaddrinfo-stack.html https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-7547 (published via US-CERT) http://cve.mitre.org/cve/cna.html https://openclipart.org/detail/200681/primary-patch https://www.youtube.com/watch?v=hkryI6eapOA http://blogs.vmware.com/security/2016/02/vmware-products-and-cve-2015-7547-glibc-getaddrinfo-security-issue.html
  14. Vuln: CVE-2015-7547: glibc getaddrinfo stack-based buffer overflow From a timeline perspective, we’re looking at close to eight years from time of bug to vulnerability resolution. For much of that time, the impact was unknown. Starting in July of 2015, the scope of the issue started to be known, but close to seven months were required for investigation, triage, development of a fix and public disclosure to occur. Once the bug was known, the risk of exploitation increased slightly until that disclosure, but following the disclosure risk goes up dramatically. That’s one reason why knowing what’s running in your environment is so important. The overall goal being to reduce the time between disclosure and fix. https://sourceware.org/ml/libc-alpha/2016-02/msg00416.html https://sourceware.org/bugzilla/show_bug.cgi?id=18665 https://security.googleblog.com/2016/02/cve-2015-7547-glibc-getaddrinfo-stack.html https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-7547 (published via US-CERT) http://cve.mitre.org/cve/cna.html https://openclipart.org/detail/200681/primary-patch https://www.youtube.com/watch?v=hkryI6eapOA
  15. Source: Future of Open Source 2016 survey: https://www.blackducksoftware.com/2016-future-of-open-source
  16. http://www.istockphoto.com/photo/strength-in-unity-gm514713440-88219133?st=af7fa36
  17. Docker Container Security Scanner https://info.blackducksoftware.com/Security-Scan.html 14 Day Free Trial to Black Duck Hub https://info.blackducksoftware.com/Demo.html Red Hat Atomic Host Integration (Requires Black Duck Hub) atomic scan --scanner blackduck [container]