Best Practices for Managing Risk from Open Source Libraries and Components, February 5th at 1pm ET, Jim Routh & Joshua Corman
Apr 24, 2015
FEATURED SPEAKERS
JIM ROUTH, CISO
• Certified with CSSLP & CISM
• Chairman of FS-ISAC Committee
• 20+ Years in Application Security
JOSHUA CORMAN, CTO
• Co-founder of Rugged Software
• Previously w/ Akamai & 451 Group
• Trusted Security Professional @joshcorman
TODAY’S AGENDA
• What is the Third Party Security Working Group
• What are the recommended control types
• Why policy management & enforcement
• What changed?
• Dependence (disproportional)
• Component Lifecycle Management in action
FS-ISAC Third Party Software Security Working Group
Third Party Software Security
Steering Committee Members
1. Jerry Brady, Morgan Stanley
2. Mark Connelly, Thomson Reuters
3. Mahi Dontamasetti, DTCC
4. Paul Fulton, Citi
5. Keith Gordon, Capital One
6. Royal Hansen, Goldman Sachs
7. Chauncey Holden, RBS Citizens Bank
8. Rich Jones, JP Morgan Chase
9. Ben Miron, GE
10. Jim Routh, Aetna
Working Group Members
1. David Smith, Fidelity
2. Don Elkins, Morgan Stanley
3. Matt Levine, Goldman Sachs
4. David Hubley, Capital One
5. Tim Mathias, Thomson Reuters
6. Rishikesh Pande, Citi
The Third Party Software Security Working Group was established with a mandate to analyze control options and develop specific recommendations on control types for member firms to consider adding to their vendor governance programs.
These recommendations on control types are captured in the FS-ISAC Working Group whitepaper, “Appropriate Software Security Control Types for Third Party Service and Product Providers.”
Recommended Control Types
1. vBSIMM Process Maturity
2. Binary Static Analysis
3. Policy management and enforcement for consumption of open source libraries and components
Control Types
Control 3 - Policy management and enforcement for consumption of open source libraries and components
This control type identifies the consumable open source libraries for a given Financial Institution, identifies the security vulnerabilities of each open source component, and enables the Financial Institution to apply controls or governance over the acquisition and use of open source libraries.
Component Usage Has Exploded
Control 3 Open Source Policy Management
Policy Management Capability
FS-ISAC Third Party Software Security Working Group Whitepaper
www.fs-isac.com
WHAT’S CHANGED?
COST, COMPLEXITY, AND RISK
CONSEQUENCES: VALUE & REPLACEABILITY
http://blog.cognitivedissidents.com/2011/10/24/a-replaceability-continuum/
[Figure: the replaceability continuum. Four layers (Defensible Infrastructure, Operational Excellence, Situational Awareness, Countermeasures) plotted against the asset classes Life, Rights, Critical Infrastructure, IP, PII, CCN.]
REPLACEABILITY
HOW MUCH CODE DO WE “WRITE” THESE DAYS?
[Figure: Software Evolution, 90% assembled versus written]
Component Selection
Open source usage is EXPLODING
Yesterday’s source code is today’s OPEN SOURCE
[Chart values by year: 2007: 500M, 2008: 1B, 2009: 2B, 2010: 4B, 2011: 6B, 2012: 8B, 2013: 13B]
A Sea Change in Hacker Targeting
Now that software is assembled…
Today’s approaches AREN’T WORKING
Component Selection
Lifecycle stages: Component Selection, Development, Build and Deploy, Production
• 46m vulnerable components downloaded
• 71% of repos have 1+ critical or severe vulnerability
• 90% of repos have 1+ critical vulnerability
A Massive Supply Chain Problem
• No Visibility: no visibility into what components are used, where they are used, and where there is risk.
• No Control: no way to govern or enforce component usage; policies are not integrated with development.
• No Fix: no efficient way to fix existing flaws.
FROM THE FS-ISAC WHITE PAPER
• Enabling application architects to control versions of software.
• Accelerating the development process by encouraging the consumption of open source libraries that are resilient.
• Reducing operating costs, since the cost of ripping out obsolete components from existing applications is high, assuming the older versions can be identified in the first place.
CLM IN ACTION
BACK TO… CONTROL TYPES
Three views, from notional exposure to active risk:
• Snapshot Report: What have I downloaded?
• Repository Health Check: What’s in my repo?
• Application Health Check: Are my apps vulnerable?
CVE-2013-2251: WIDESPREAD COMPROMISE
Organizations affected:
• Global Bank
• Software Provider
• Software Provider’s Customer
• State University
• Three-Letter Agency
• Large Financial Exchange
How can we choose the best components FROM THE START?
Shift Upstream = ZTTR (Zero Time to Remediation)
Analyze all components from within your IDE
License, Security and Architecture data for each component, evaluated against your policy
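The following Python sketch is an added illustration of what Control 3 above and the "evaluated against your policy" step describe; it is not code from the FS-ISAC whitepaper or from any vendor product. It evaluates a constructed component inventory against a constructed policy covering the three kinds of data named on the slide: security findings, license, and the versions architects have approved. The severity scale, component names, versions, licenses and vulnerability identifiers are all assumptions made up for the example.

```python
"""Toy policy engine for the consumption of open source components.

Added example, not code from the FS-ISAC whitepaper or from any vendor's
product: the inventory, policy rules, severity scale and identifiers below
are constructed for illustration only.
"""
from dataclasses import dataclass, field

# Assumed severity scale; the slides only speak of "critical or severe" findings.
SEVERITY_RANK = {"low": 1, "moderate": 2, "severe": 3, "critical": 4}


@dataclass
class Vulnerability:
    identifier: str   # placeholder ids, not real advisories
    severity: str


@dataclass
class Component:
    name: str
    version: str
    license: str
    vulnerabilities: list = field(default_factory=list)


@dataclass
class Policy:
    """Rules a firm applies before a component may be consumed."""
    block_at_or_above: str = "severe"          # fail on this severity or worse
    denied_licenses: frozenset = frozenset()   # licenses that may not be used
    approved_versions: dict = field(default_factory=dict)  # name -> set of versions


def evaluate_component(c, policy):
    """Return the list of policy violations for one component (empty means allowed)."""
    violations = []
    threshold = SEVERITY_RANK[policy.block_at_or_above]
    for v in c.vulnerabilities:  # security data
        if SEVERITY_RANK[v.severity] >= threshold:
            violations.append(f"{v.identifier} is {v.severity}")
    if c.license in policy.denied_licenses:  # license data
        violations.append(f"license {c.license} is not permitted")
    approved = policy.approved_versions.get(c.name)  # versions controlled by architects
    if approved is not None and c.version not in approved:
        violations.append(f"version {c.version} is not approved (allowed: {sorted(approved)})")
    return violations


def evaluate_inventory(inventory, policy):
    """Evaluate a whole inventory (e.g. a build's dependency list) against the policy."""
    details = {f"{c.name}:{c.version}": evaluate_component(c, policy) for c in inventory}
    blocked = [k for k, v in details.items() if v]
    allowed = [k for k, v in details.items() if not v]
    return {"blocked": blocked, "allowed": allowed, "details": details}


def repository_health(inventory):
    """Repository health check: does any stored component carry a critical or severe finding?"""
    worst = 0
    for c in inventory:
        for v in c.vulnerabilities:
            worst = max(worst, SEVERITY_RANK[v.severity])
    return {"worst_severity": worst, "has_critical_or_severe": worst >= SEVERITY_RANK["severe"]}


# Constructed sample inventory (names, versions and vulnerability ids are made up).
INVENTORY = [
    Component("example-web-framework", "2.3.14", "Apache-2.0",
              [Vulnerability("PLACEHOLDER-0001", "critical")]),
    Component("example-json", "1.2.0", "MIT"),
    Component("example-crypto", "0.9.1", "GPL-3.0-only"),
    Component("example-logging", "1.1.0", "Apache-2.0",
              [Vulnerability("PLACEHOLDER-0002", "moderate")]),
    Component("example-xml", "2.0.0", "Apache-2.0"),
]

# Constructed policy: block severe/critical findings, deny one license,
# and let architects pin which versions of two components may be used.
POLICY = Policy(
    block_at_or_above="severe",
    denied_licenses=frozenset({"GPL-3.0-only"}),
    approved_versions={"example-logging": {"1.1.0", "1.1.1"}, "example-xml": {"2.1.0"}},
)

if __name__ == "__main__":
    result = evaluate_inventory(INVENTORY, POLICY)
    for key, violations in result["details"].items():
        print(key, "BLOCKED" if violations else "ALLOWED", violations)
    print(repository_health(INVENTORY))
```

The same evaluate_inventory call can serve each stage the slides list: run in the IDE it answers the component-selection question before the dependency is added, run at build time its "blocked" list is what the gate fails on, and run over a repository's contents with repository_health it gives the "1+ critical or severe" figure the earlier slide quotes.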
Little Effort, BIG IMPACT
WE NEED BETTER LEVERAGE!
Most security programs are getting a little bit better everywhere; but not sufficiently better anywhere...
Earlier. Easier. Effective.
DEVELOPERS & APPLICATION SECURITY: WHO’S RESPONSIBLE?
Take the Survey: https://www.surveymonkey.com/s/Developers_and_App
63% of people concerned with open source
“A new approach in the market is Component Lifecycle Management (CLM) which offers the ability to enforce policies in the development process.”
LEARN MORE
To learn more about the ‘Component Lifecycle Management Approach’, read the OVUM report.
http://www.sonatype.com/resources/whitepapers
BEST PRACTICES FOR MANAGING RISK FROM OPEN SOURCE LIBRARIES AND COMPONENTS
Thank you for attending today’s event; please contact us with any questions. http://www.sonatype.com/contact/general-inquiry