
How to Sleep Soundly at Night While Using Open Source. Guy Bar Gil, Product Manager. PowerPoint PPT Presentation



  1. How to Sleep Soundly at Night While Using Open Source Guy Bar Gil, Product Manager

  2. 1 The Equifax Breach • 2 SmallComp's M&A • 3 Staying Secure

  3. Introduction Slide • Two dogs + one cat • In my free time I enjoy: sports, reading, traveling. Guy Bar Gil, Product Manager

  4. 1 The Equifax Breach

  5. • Consumer credit reporting agency • Equifax collects and aggregates information • 800M+ individual consumers • 88M+ businesses • Publicly traded (NYSE), 9.5K+ employees, $3.14B in revenues (2016)

  6. Apache Struts • Open-source framework for creating Java web applications. • CVE-2017-5638 allows remote code execution through the affected web application.

  7. The Equifax Breach: A Timeline • March 9th: CVE-2017-5638 was published; the Apache Software Foundation released a patch for the vulnerability; Equifax administrators were told to apply the patch to any affected systems. • March 10th: Hackers gained access to Equifax's systems. • March 15th: Equifax's IT department ran a series of scans to identify unpatched systems. • May 13th: Hackers begin exfiltrating data. • July 29th: Equifax renews their expired public-key certificate. • September 7th: Equifax publicized the breach.

  8. Incident Aftermath • $3 billion: the amount Equifax spent upgrading its security and resolving consumer claims. • 145 million: people affected by the breach.

  9. What Can We Learn? • #1 Act Fast: exploits are public for everyone. • #2 Continuously Monitor: 300 new vulnerabilities are published every month. • #3 Get the Basics Right: millions were spent on security gear, but it was poorly implemented.

  10. 2 SmallComp's M&A

  11. SmallComp's M&A • SmallComp was required to do an open-source audit. • The audit found a dependency licensed under AGPL.

  12. $4M in Escrow • Terms of the escrow: • Remove any trace of AGPL from the software. • 80% of customers must deploy the updated software to production. • Two-year timeframe. • Development/deployment-related costs are taken from the escrow.

  13. Solving the Problem Isn't So Easy • Two main obstacles: • Development + QA time is 1 year for 1 person. • SmallComp's customers are hospitals, where solutions are often manually deployed and technicians are required to train staff.

  14. They Did It! SmallComp was able to fulfill the terms of the escrow after 1 year and 8 months!

  15. How Do We Avoid This Situation? • #1 Set Clear Policies for the whole company regarding licensing. • #2 Communicate the company's policies to developers. • #3 Enforce: make sure your policies are being enforced.

  16. 3 Staying Secure

  17. Step 1: Create Transparency • Transparency is the baseline for everything. • Understand exactly what you're using: • Direct dependencies • Transitive dependencies • Source files

  18. Lots of jars?

  19. Lots of jars, but lots more java beans?

  20. Step 2: Detect Potential Issues • Match your components against the most comprehensive DB possible: • Published CVEs • Vulnerabilities published in security advisories • Vulnerabilities detected by research teams • Thorough license detection

  21. Step 3: Prioritize • How would you prioritize your vulnerabilities?

  22. Step 3: Prioritize • Prioritize by: • Business risk • Exploitability • Severity • Availability of fixes • Effectiveness

  23. Vulnerabilities Prioritization

  24. After testing 2,000 Java applications, WhiteSource found that 85% of all detected vulnerabilities were deemed ineffective.

  25. Step 4: Execution • Understand the best path to remediation: • Upgrade the component's version? • Change the component? • Set up an external defense?

  26. 1 Create Transparency • 2 Detect Issues • 3 Prioritize • 4 Execute
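The four steps above as one small pipeline, added here as an illustration and not taken from the talk or from WhiteSource's tooling: the dependency graph, the vulnerability records (their versions, CVSS values and method names), and the list of called methods are constructed; only the CVE id comes from the slides.

```python
# Added example, not from the slide deck: the talk's four steps as one small pipeline.
# Graph, vulnerability records, versions and call list are constructed for illustration.
from collections import deque

# Step 1 (transparency): constructed dependency graph, "name@version" -> children.
DEP_GRAPH = {
    "webapp@1.0": ["struts2-core@2.3.31", "reporting@4.2"],
    "struts2-core@2.3.31": [], "reporting@4.2": ["xmlparser@1.8"],
    "xmlparser@1.8": [],
}
# Step 2 (detection): constructed records of the kind a CVE/advisory database holds.
VULN_DB = [
    {"id": "CVE-2017-5638", "component": "struts2-core", "affected": {"2.3.31"},
     "cvss": 10.0, "exploit_public": True, "fixed_in": "2.3.32",
     "vuln_method": "struts2-core.MultipartRequest.parse"},
    {"id": "ADVISORY-0001", "component": "xmlparser", "affected": {"1.8"},
     "cvss": 7.5, "exploit_public": False, "fixed_in": None,
     "vuln_method": "xmlparser.Dtd.loadExternal"},
]
# Methods the application actually calls (what a reachability analysis would report).
CALLED_METHODS = {"struts2-core.MultipartRequest.parse", "xmlparser.Document.parse"}

def inventory(root):
    """Step 1: every component reachable from root, tagged direct or transitive."""
    seen, queue = {}, deque((c, "direct") for c in DEP_GRAPH[root])
    while queue:
        comp, kind = queue.popleft()
        if comp not in seen:
            seen[comp] = kind
            queue.extend((c, "transitive") for c in DEP_GRAPH.get(comp, []))
    return seen

def detect(components):
    """Step 2: match each name@version against the vulnerability records."""
    hits = []
    for comp in components:
        name, version = comp.split("@")
        hits += [v for v in VULN_DB if v["component"] == name and version in v["affected"]]
    return hits

def prioritize(hits):
    """Step 3: effective (vulnerable code reached) first, then exploitability, severity, fix."""
    def key(v):
        effective = v["vuln_method"] in CALLED_METHODS
        return (effective, v["exploit_public"], v["cvss"], v["fixed_in"] is not None)
    return sorted(hits, key=key, reverse=True)

def remediation(v):
    """Step 4: upgrade when a fixed version exists, else change component or add a defense."""
    return (f"upgrade {v['component']} to {v['fixed_in']}" if v["fixed_in"]
            else "no fixed version: change the component or set up an external defense")
```

The xmlparser finding ranks last because its vulnerable method is never called, which is the "ineffective" category the deck describes.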

  27. Let’s Talk About Implementation!

  28. Step 1: Creating Transparency • Identify the processes in your software development lifecycle (SDLC).

  29. Step 2: Detect • Where you want to implement security checks • Where you can automate

  30. Development

  31. Build

  32. Deploy

  33. Maintain • New vulnerabilities are constantly being published.

  34. Step 3: Prioritize • Act early -> shift left • Avoid letting vulnerable components reach deployment.

  35. Detect Issues As Early As Possible

  36. Step 4: Execution • Whose responsibility is it? • Security team: setting policies, educating developers • Development team: execution

  37. Developers need robust tools that fit into their workflows.

  38. #1 Educate: on the basics of open-source security & compliance • #2 Empower Teams: by providing them the right tools • #3 Enable Success: by creating a shared mission

  39. “Don't Be That Guy”

  40. Q & A

  41. Thank You! For any questions, please contact me: Guy.bar-gil@whitesourcesoftware.com
