All You need to Know about Secure Coding with Open Source Software
Download as PPTX, PDF1 like86 views
This document provides an overview of secure coding with open source software. It discusses that open source software is now mainstream, used in many modern innovations. It describes what open source software is, the explosive growth of open source, and popular open source libraries and dependencies. The document outlines roles in open source projects and how to contribute. It discusses security considerations like vulnerabilities in open source libraries and the increased risk with reusing libraries. The document provides examples of popular open source projects like Angular.js and their contributions and vulnerabilities. It emphasizes the real risk is not a lack of fixes but the lack of speed in applying fixes. The importance of software composition analysis and vulnerability management for open source is highlighted.
All You need to Know about Secure Coding with Open Source Software
- 1. All You Need To Know about Secure Coding with Open Source Software Javier Perez - javierperez.mozello.com
- 2. Open Source Software is Mainstream ● Latest Innovations are all Open Source AI, Machine Learning, Deep Learning, Blockchain, Virtual Assistance,… ● Millions of Open Source Libraries, all programming languages 2 Augmented Reality Virtual RealityAutonomous Cars
- 3. What is Open Source Software? ● Source code is publicly available ● Open to collaboration ● Source code available with a license that permits users to freely run, study, modify and redistribute OSS
- 4. Explosive Grow of Open Source 50M+ Developers Worldwide 2.9M+ * Organizations 100M+ * Repositories * Source: State of the Octoverse, GitHub, November 2019 44M+ * Repositories Created in 2019 1.3M+ * First Time Contributors in 2019
- 5. App Development in Open Source 1.2M + NPM Modules with 859 new/day 337K + Maven Central Modules with 144 new/day 265K + Packagist Modules with 112 new/day 210K + PyPI Modules with 117 new/day 202K + NuGet Modules with 153 new/day 159K + RubyGems Modules with 18 new/day * Source: Modulecounts as of May 5, 2020
- 6. What’s in Open Source Software? 1. Open Source License 2. README 3. Contribution Guidelines 4. Code of Conduct
- 7. Roles in Open Source Software ● Maintainer ○ ”Owner” and Administrator, publish code, website, social media. ● Committer ○ Becoming a Committer in projects like Cordova, Node.js, Linux, and others is a highly regarded and respected role. ● Contributor ○ Opportunity to learn, join a community and meet people.
- 8. Open Source Software Contributions ● Contribute Upstream ● Company Sponsored or Individually ○ Enhancements, Bug Fixes and Vulnerability Fixes ● Modified code not contributed back becomes close code Top Open Source Projects 2019 Number of Contributors Visual Studio Code 19.1K Azure Docs 14K Flutter 13K First Contributions 11.6K TensorFlow 9.9K React Native 9.1K Kubernetes 6.9K DefinitelyTyped 6.9K Ansible 6.8K Home-Assistant 6.3K * Source: State of the Octoverse, GitHub, November 2019
- 9. Open Source Libraries and Dependencies ● Popular Open Source Libraries have many contributors and they are dependencies for millions of repositories ● Depending on the Programming Language Open Source Libraries can have from a few to 1000’s of dependencies ● There are Direct Dependencies and Transitive Dependencies
- 10. Security in Open Source Software
- 11. Vulnerability Vulnerability Discovered Vulnerabilities in Open Source Libraries ● Security is about identify Vulnerabilities ● Vulnerable Method in the Library ● Common Vulnerability and Exposures (CVE) ● Common Vulnerability Score System (CVSS) ● Vulnerabilities outside CVE and NVD
- 12. Let’s Review a Popular OSS: Angular.JS ● JavaScript Framework that lets you write client-side web applications and use HTML. ● Over 1,500 direct contributors, 8,971 Commits
- 13. Other Popular Projects: Tensorflow ● Newer but with more participation
- 14. Other Popular Projects: Kubernetes
- 15. Back to Angular.JS: Contributions ● Contributors with hundreds of commits ● Top Committers added 1,438 and 842 commits
- 16. Angular.JS: Versions and Vulnerabilities ● 140 versions since Mar 2012 ● 22 Vulnerabilities, 139 Versions Affected by Vulnerabilities ● Only one “safe version” the latest 1.7.9 ● 6 Critical/High Risk Vulnerabilities
- 17. Angular.JS: Versions and Vulnerabilities ● High-Risk Vulnerabilities with Versions affected
- 18. Open Source Software Security ● Does you company has this many Developers? ○ ”Given enough eyeballs, all bugs are shallow” - Linus’ Law - Linus Torvalds ● Large Open Source Projects don’t have a Single Unified Architecture ○ Top developers are contributors ○ It is not the developer’s fault ● Visibility to more Security Champions ● Same security practices used on close software, i.e. the top 10 OWASP Proactive Controls
- 19. Not a Single Unified Architecture
- 20. Increased Risk with Reuse of Libraries Apache Commons IO Library: Used by: 18,595 artifacts Apache Commons Lang 16,281 ScalaTest 12,779 Spring Web 5,475 Apache Log4j Fastjson Snake YAML Hadoop Common Zoo Keeper Selenium Java * Source: MavenRepository.com
- 21. More on Open Source Security ● New vulnerabilities are constantly being discovered in Open Source code ● Most vulnerabilities are unintentional ● Much smaller risk of malicious code being injected ● The smart way to make them public is when you have a fix (public disclosure) ● More than 98% of public vulnerabilities have a fix ● But you have to keep up with the latest fixes
- 22. The Real Risk: Not Lack of Fix, Lack of Speed ● Once a vulnerability is disclosed, exploiting it becomes far easier. The attacker has the full detail of the vulnerability and how it can be invoked ● Most attacks exploit known vulnerabilities that have never been patched despite patches being available ● Symantec predicts that "Through 2020, 99% of vulnerabilities exploited will continue to be ones known by security and IT professionals for at least one year"
- 23. Salt Framework Vulnerabilities Example ● Open Source Framework used to monitor and update the state of servers ● IBM Cloud, LinkedIn, and eBay, use Salt to configure servers, relay messages from the "master server" and issue commands to a specific time schedule. ● Two high severity vulnerabilities ○ CVE-2020-11651 (an authentication bypass) ○ CVE-2020-11652 (a directory traversal) ○ When combined, could allow attackers to bypass login procedures and run code on Salt master servers left exposed on the internet ● Disclosed publicly on April 30 by researchers at F-Secure Labs and SaltStack had released updated versions that fixed it the previous day. ● Exploits at: LineageOS, Ghost blog platform, Xen Orchestra and most likely more
- 24. Manage your Open Source Usage: SCA ● Visibility of all your Open Source usage ● Visibility of license and vulnerability risk based on policies. ● Vulnerabilities prioritization will reduce significant risk. ● Make SCA scans part of SDLC, and part of CI/CD ● SCA provides insight into remediation and act to prevent security breaches ● Do not scan once, new vulnerabilities are introduced all the time
- 25. Apply What You Have Learned Today ● Keep promoting Open Source, keep promoting innovation in your organization ● Keep and active inventory of the open source you use ● Detect vulnerabilities from NVD and other sources ● Prioritize fixes: Update vulnerable libraries ● SCA Scan Automation: DevSecOps
- 26. THANK YOU! Javier Perez - javierperez.mozello.com