Protecode Inc. 2014. Reducing the Risk of Open Source Security Vulnerabilities. June 18th 2014.

Reduce the Risk of Open Source Security Vulnerabilities


Page 1: Reduce the Risk of Open Source Security Vulnerabilities


Reducing the Risk of

Open Source Security Vulnerabilities

June 18th 2014

Page 2: Reduce the Risk of Open Source Security Vulnerabilities


Agenda

Definitions

NIST (National Institute of Standards and Technology)

and the NVD (National Vulnerability Database)

– Understanding the data
– Sources of vulnerabilities (OSS vs. Proprietary)

Strategies for discovering vulnerabilities

Addressing the root cause

Q & A

Normand Glaude, COO, Protecode

[email protected]

Arthur Hicken, Evangelist, Parasoft

[email protected]

Page 3: Reduce the Risk of Open Source Security Vulnerabilities


What is a Security Vulnerability?

According to NIST: “Weakness in an information system, system security procedures, internal controls, or implementation that could be exploited or triggered by a threat source.”

Source: http://nvlpubs.nist.gov/nistpubs/ir/2013/NIST.IR.7298r2.pdf

According to Microsoft: “A security vulnerability is a weakness in a product that could allow an attacker to compromise the integrity, availability, or confidentiality of that product.”

Source: http://technet.microsoft.com/en-us/library/cc751383.aspx

Page 4: Reduce the Risk of Open Source Security Vulnerabilities


NVD Nomenclature

CVE: Common Vulnerabilities and Exposures – the identifier for one publicly known vulnerability

CCSS: Common Configuration Scoring System – a severity score for configuration weaknesses (CCEs); the severity attached to each CVE in the NVD is its CVSS (Common Vulnerability Scoring System) score

CPE: Common Platform Enumeration – a structured name for a vendor, product and version

CCE: Common Configuration Enumeration – the identifier for one system configuration issue

CWE: Common Weakness Enumeration – a category of code, design or architecture weakness

Page 5: Reduce the Risk of Open Source Security Vulnerabilities


Security Vulnerabilities (CVEs)

[Chart: number of CVEs published per year, 1999 to 2013, with three series: Total, Non-OSS and OSS; y-axis 0 to 8000]

Page 6: Reduce the Risk of Open Source Security Vulnerabilities


[Figure: a wall of product logos, each labelled “OSS Inside”, one of them with a question mark]

Top 10 List: Highest number of CVEs (last 15 years)

Open Source Projects: Linux Kernel, Mozilla Firefox, Mozilla SeaMonkey, Mozilla Thunderbird, RedHat, PHP, FreeBSD, Wireshark, MySQL, Moodle

Proprietary Products: Microsoft Windows, Google Chrome, Apple MacOS, Microsoft Internet Explorer, Sun/Oracle JRE/JDK, Sun/Oracle Solaris, Apple Safari, Oracle Database, Cisco IOS, Apple iPhone OS

Raw CVE counts reflect how widely a product is deployed and scrutinised and how its maintainers report issues, not how secure it is; the point of the list is that both columns carry vulnerabilities that need managing.

Page 7: Reduce the Risk of Open Source Security Vulnerabilities


Finding Security Vulnerabilities in your Code

Find reported vulnerabilities posted on public databases
– Consider the OSS components as part of your code
– Build an up-to-date BOM (bill of materials) for your software: the exact version of every third-party component, including code copied into your tree rather than pulled through a package manager
– Cross-reference vulnerability databases with the 3rd party content in your BOM
– Tools: open source content management tooling that automatically cross-references to public vulnerability databases

Uncover unreported vulnerabilities by doing code inspection
– Extract all source code potentially exposed to external inputs
– Look for code patterns known to be prone to vulnerabilities
– Tools: static and flow analysis tooling that automatically scans your code
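The first strategy above, cross-referencing a BOM against a vulnerability database, as an added example that is not part of the original deck and not Protecode's or Parasoft's tooling. It parses CPE 2.3 names, compares versions, and applies the NVD-style version bounds (versionStartIncluding, versionEndExcluding and friends) that the public feed attaches to each CPE. The feed and BOM entries are constructed for the example: the first feed entry copies the public affected range for CVE-2014-0160 (OpenSSL 1.0.1 up to but not including 1.0.1g), the second uses a placeholder id and a made-up product to show an exact-version match, and the CVSS figures are illustrative.

```python
"""Cross-reference a BOM against a vulnerability feed by CPE vendor/product and version range.

Added example; not Protecode's or Parasoft's code. The rule shape (a CPE name plus
versionStart/versionEnd bounds) follows the NVD's published form; the entries below
are constructed for the example.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Component:
    vendor: str
    product: str
    version: str


def parse_cpe(cpe: str) -> Component:
    """Pull vendor, product and version out of a CPE 2.3 name
    (cpe:2.3:part:vendor:product:version:update:...)."""
    fields = cpe.split(":")
    if len(fields) < 6 or fields[0] != "cpe" or fields[1] != "2.3":
        raise ValueError(f"not a CPE 2.3 name: {cpe}")
    return Component(fields[3], fields[4], fields[5])


def version_key(version: str) -> tuple:
    """Sort key for dotted versions with an optional letter suffix (1.0.1f < 1.0.1g).
    Anything more exotic (release candidates, epochs) is rejected rather than guessed."""
    key = []
    for piece in version.split("."):
        m = re.fullmatch(r"(\d+)([a-z]*)", piece)
        if not m:
            raise ValueError(f"unsupported version syntax: {version}")
        key.append((int(m.group(1)), m.group(2)))
    return tuple(key)


def affected(component: Component, rule: dict) -> bool:
    """True if the rule's CPE names this vendor/product and the version is inside its bounds."""
    target = parse_cpe(rule["cpe"])
    if (target.vendor, target.product) != (component.vendor, component.product):
        return False
    v = version_key(component.version)
    if target.version != "*":                      # exact version named in the CPE itself
        return v == version_key(target.version)
    lo_inc = rule.get("versionStartIncluding")
    lo_exc = rule.get("versionStartExcluding")
    hi_inc = rule.get("versionEndIncluding")
    hi_exc = rule.get("versionEndExcluding")
    if lo_inc and v < version_key(lo_inc):
        return False
    if lo_exc and v <= version_key(lo_exc):
        return False
    if hi_inc and v > version_key(hi_inc):
        return False
    if hi_exc and v >= version_key(hi_exc):
        return False
    return True


def match_bom(bom, feed):
    """Return (component, cve_id, cvss) for every BOM entry hit by any rule in the feed."""
    findings = []
    for comp in bom:
        for entry in feed:
            if any(affected(comp, rule) for rule in entry["affects"]):
                findings.append((comp, entry["id"], entry["cvss"]))
    return findings


# Constructed feed. The first entry mirrors the public affected range for CVE-2014-0160;
# the second is a placeholder id for a made-up product, used only to show an
# exact-version CPE match. Scores are illustrative.
VULN_FEED = [
    {"id": "CVE-2014-0160", "cvss": 5.0,
     "affects": [{"cpe": "cpe:2.3:a:openssl:openssl:*:*:*:*:*:*:*:*",
                  "versionStartIncluding": "1.0.1",
                  "versionEndExcluding": "1.0.1g"}]},
    {"id": "CVE-0000-0001", "cvss": 7.5,
     "affects": [{"cpe": "cpe:2.3:a:examplecorp:widgetlib:2.3.0:*:*:*:*:*:*:*"}]},
]

# Constructed BOM for a build that vendors three third-party components.
SAMPLE_BOM = [
    Component("openssl", "openssl", "1.0.1f"),
    Component("zlib", "zlib", "1.2.8"),
    Component("examplecorp", "widgetlib", "2.3.0"),
]

if __name__ == "__main__":
    for comp, cve, score in match_bom(SAMPLE_BOM, VULN_FEED):
        print(f"{comp.vendor}:{comp.product} {comp.version} -> {cve} (CVSS {score})")
```

The version comparison is deliberately strict: a version string the key function does not understand raises instead of silently sorting wrong, because a wrong "not affected" answer is the failure mode that matters here. Vendor and product are matched exactly, so a BOM that records "OpenSSL" or "openssl-fips" where the CPE says "openssl" will miss; normalising BOM names to CPE form is part of keeping the BOM usable.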

Page 8: Reduce the Risk of Open Source Security Vulnerabilities


Discovering Security Vulnerabilities
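The second strategy from the previous slide, looking for vulnerable code patterns in code that is exposed to external input, as an added example that is not part of the original deck and not either vendor's analyser. It is a deliberately small pattern-and-flow check in Python over a constructed C fragment: a fixed list of functions counts as input sources, another as dangerous sinks, variables assigned from a source (or written into by a source or a copy call) become tainted, and a sink call whose arguments mention a tainted variable is reported with its line number. Real static and flow analysers work on a parsed AST and across functions; the function lists, the regular expressions and the sample C are assumptions for the example.

```python
"""Pattern-plus-flow check over C source: report dangerous sinks fed by external input.

Added example, not the deck's or either vendor's code. Line-oriented and regex-based on
purpose, to show the idea; it is not a substitute for a real static analyser.
"""
import re

# Assumed lists for the example: where external input enters, and calls that
# must not receive raw input.
INPUT_SOURCES = {"argv", "getenv", "gets", "fgets", "read", "recv", "scanf"}
DANGEROUS_SINKS = {"strcpy", "strcat", "sprintf", "system", "popen", "execl"}
# Calls that write into their first argument, so taint flows into it.
WRITES_FIRST_ARG = {"fgets", "read", "recv", "strcpy", "strcat", "sprintf", "memcpy"}

STRING_LITERAL = re.compile(r'"(?:\\.|[^"\\])*"')
ASSIGNMENT = re.compile(r"(\w+)\s*(?:\[[^\]]*\])?\s*=(?!=)\s*(.+?);")
CALL = re.compile(r"\b(\w+)\s*\(([^;]*)\)")
IDENT = re.compile(r"[A-Za-z_]\w*")


def identifiers(text: str) -> set:
    return set(IDENT.findall(text))


def scan_c_source(source: str):
    """Return [(line_no, sink_function, [tainted identifiers])] in source order."""
    tainted = set()
    findings = []
    for lineno, raw in enumerate(source.splitlines(), start=1):
        # Blank out string literals so words inside them are not mistaken for variables.
        line = STRING_LITERAL.sub('""', raw)

        # Assignment: the target becomes tainted if the right-hand side reads an
        # input source or an already-tainted variable.
        m = ASSIGNMENT.search(line)
        if m and identifiers(m.group(2)) & (tainted | INPUT_SOURCES):
            tainted.add(m.group(1))

        for func, args in CALL.findall(line):
            evidence = identifiers(args) & (tainted | INPUT_SOURCES)
            if func in DANGEROUS_SINKS and evidence:
                findings.append((lineno, func, sorted(evidence)))
            # Propagate taint into the destination buffer of copy/read calls.
            if func in WRITES_FIRST_ARG and (func in INPUT_SOURCES or evidence):
                tainted |= identifiers(args.split(",")[0])
    return findings


# Constructed C fragment: three of the four sink calls take attacker-reachable data.
SAMPLE_C = """\
int main(int argc, char **argv) {
    char name[64];
    char cmd[128];
    char *home = getenv("HOME");
    const char *greeting = "hello";
    strcpy(name, argv[1]);
    strcpy(cmd, greeting);
    sprintf(cmd, "ls %s", home);
    fgets(name, sizeof name, stdin);
    system(name);
    return 0;
}
"""

if __name__ == "__main__":
    for lineno, func, evidence in scan_c_source(SAMPLE_C):
        print(f"line {lineno}: {func}() receives external input via {', '.join(evidence)}")
```

Line 7 (strcpy from a string constant) is deliberately not reported: a pure pattern match on the function name would flag it, which is the kind of noise that makes teams ignore scanner output. The flow step (which variables are tainted) is what separates the three real findings from that false positive, and it is the same idea a real flow analyser applies with far more precision.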

Page 9: Reduce the Risk of Open Source Security Vulnerabilities


Addressing Known Security Vulnerabilities in OSS

– Does it apply? (Is the affected version actually in your build, and is the vulnerable feature reachable from your code?)
– Upgrade!
– Fix it yourself!
– Find an alternative
– Ignore and hope for the best???

Page 10: Reduce the Risk of Open Source Security Vulnerabilities


Page 11: Reduce the Risk of Open Source Security Vulnerabilities


Security Resources

CWE – Common Weakness Enumeration • http://cwe.mitre.org

OWASP – Open Web Application Security Project • http://www.owasp.org

PCI – Payment Card Industry Security Standards • https://www.pcisecuritystandards.org

Hack.me – Community based security learning project • https://hack.me

SAMATE – Software Assurance Metrics And Tool Evaluation • http://samate.nist.gov

Build Security In – Collaborative security effort • https://buildsecurityin.us-cert.gov

SWAMP – Software Assurance Marketplace • https://continuousassurance.org

Contact Us:

[email protected]
http://protecode.com

[email protected]
http://parasoft.com

Please type your questions into the chat box to the right.

Page 12: Reduce the Risk of Open Source Security Vulnerabilities


[email protected]