How to Sleep Soundly at Night While Using Open Source, by Guy Bar Gil, Product Manager (PowerPoint PPT Presentation)

SLIDE 1

How to Sleep Soundly at Night While Using Open Source

Guy Bar Gil, Product Manager

SLIDE 2

  1. The Equifax Breach
  2. SmallComp’s M&A
  3. Staying Secure

SLIDE 3

Introduction Slide

Guy Bar Gil, Product Manager

  • Two dogs + one cat
  • In my free time I enjoy:
      • Sports
      • Reading
      • Traveling

SLIDE 4

1. The Equifax Breach

SLIDE 5

  • Consumer credit reporting agency
  • Equifax collects and aggregates information on:
      • 800M+ individual consumers
      • 88M+ businesses
  • Publicly traded (NYSE), 9.5K+ employees, $3.14B in revenues (2016)

SLIDE 6

Apache Struts

  • Open-source framework for creating Java web applications.
  • CVE-2017-5638 allows remote code execution through the web applications.

SLIDE 7

The Equifax Breach – A Timeline

March 9th

  • CVE-2017-5638 was published.
  • The Apache Software Foundation released a patch for the vulnerability.
  • Equifax administrators were told to apply the patch to any affected systems.

March 10th

Hackers gained access to Equifax’s systems.

March 15th

Equifax's IT department ran a series of scans to identify unpatched systems.

May 13th

Hackers began exfiltrating data.

July 29th

Equifax renewed its expired public-key certificate.

September 7th

Equifax publicized the breach.

SLIDE 8

Incident Aftermath

145 million

People affected by the breach.

$3 billion

The amount Equifax spent upgrading its security and resolving consumer claims.

SLIDE 9

What Can We Learn?

#1 Act Fast: exploits are public for everyone.

#2 Continuously Monitor: 300 new vulnerabilities are published every month.

#3 Get the Basics Right: millions were spent on security gear, but it was poorly implemented.

SLIDE 10

2. SmallComp’s M&A

SLIDE 11

SmallComp’s M&A

  • SmallComp was required to do an open-source audit.
  • Found a dependency licensed under AGPL.

SLIDE 12

$4M in Escrow

  • Terms of the escrow:
      • Remove any trace of AGPL from the software.
      • 80% of customers must deploy the updated software to production.
      • Two-year timeframe.
      • Development/deployment-related costs taken from the escrow.

SLIDE 13

Solving The Problem Isn’t So Easy

Two main obstacles:

  • Development + QA time is 1 year for 1 person.
  • SmallComp’s customers are hospitals, where solutions are often manually deployed and technicians are required to train staff.

SLIDE 14

They Did It!

SmallComp was able to fulfill the terms of the escrow after 1 year and 8 months!

SLIDE 15

How Do We Avoid This Situation?

#1 Set Clear Policies for the whole company regarding licensing.

#2 Communicate the company’s policies to developers.

#3 Enforce: make sure your policies are being enforced.

SLIDE 16

3. Staying Secure

SLIDE 17

Step 1: Create Transparency

  • Transparency is the baseline for everything
  • Understand exactly what you’re using:
      • Direct dependencies
      • Transitive dependencies
      • Source files

SLIDE 18

Lots of jars?

SLIDE 19

Lots of jars, but lots more java beans?

SLIDE 20

Step 2: Detect Potential Issues

  • Match your components to the most comprehensive DB possible:
      • Published CVEs
      • Vulnerabilities published in security advisories
      • Vulnerabilities detected by research teams
  • Thorough license detection

SLIDE 21

Step 3: Prioritize

How would you prioritize your vulnerabilities?

SLIDE 22

Step 3: Prioritize

  • Prioritize by:
      • Business risk
      • Exploitability
      • Severity
      • Availability of fixes
      • Effectiveness

SLIDE 23

Vulnerability Prioritization
SLIDE 24

After testing 2,000 Java applications, WhiteSource found that 85% of all detected vulnerabilities were deemed ineffective.
SLIDE 25

Step 4: Execution

Understand the best path to remediation:
  • Upgrade the component’s version?
  • Change the component?
  • Set up an external defense?

SLIDE 26

  1. Create Transparency
  2. Detect Issues
  3. Prioritize
  4. Execute
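
The four steps above, worked end to end in code: an added Python example that is not from the talk or from WhiteSource, run over a constructed Java component inventory. CVE-2017-5638 is the advisory the deck discusses; the affected version ranges, class names, CVSS values, the second advisory and the scoring weights are all assumed sample data chosen to show how an unreachable ("ineffective") finding drops below an effective one.

```python
from collections import namedtuple
# Component: Maven group:artifact, version, direct (declared by us) vs transitive,
# and the classes our code actually reaches (would come from a call-graph scan).
Component = namedtuple("Component", "name version direct used_classes")
# Advisory: inclusive version ranges, CVSS base score, fixed version (or None),
# classes carrying the flaw, and whether a public exploit exists.
Advisory = namedtuple("Advisory", "cve component affected severity fixed_in vulnerable_classes exploit_public")

def parse_version(v):
    return tuple(int(p) if p.isdigit() else -1 for p in v.split("."))  # "2.3.31" -> (2, 3, 31)

def is_affected(version, ranges):
    v = parse_version(version)
    return any(parse_version(lo) <= v <= parse_version(hi) for lo, hi in ranges)

def detect(inventory, advisories):
    """Step 2: match every component, direct or transitive, against the advisory DB."""
    return [(c, a) for c in inventory for a in advisories
            if a.component == c.name and is_affected(c.version, a.affected)]

def is_effective(comp, adv):
    return bool(comp.used_classes & adv.vulnerable_classes)  # do we reach vulnerable code?

def score(comp, adv):
    """Step 3: severity adjusted for exploitability, effectiveness and fix availability."""
    s = adv.severity
    s += 2.0 if adv.exploit_public else 0.0           # public exploit: act fast
    s -= 5.0 if not is_effective(comp, adv) else 0.0  # unreachable code: lower priority
    s += 1.0 if adv.fixed_in else 0.0                 # upgrade path exists: cheap to execute
    return round(s, 1)

# Constructed inventory and advisory records; ranges and class names are illustrative.
INVENTORY = [
    Component("org.apache.struts:struts2-core", "2.3.30", True, {"MultiPartRequest", "ActionSupport"}),
    Component("com.example:legacy-xml", "1.4.0", False, {"XmlReader"}),
]
ADVISORIES = [
    Advisory("CVE-2017-5638", "org.apache.struts:struts2-core", (("2.3.5", "2.3.31"), ("2.5", "2.5.10")),
             10.0, "2.3.32", {"MultiPartRequest"}, True),
    Advisory("CVE-SAMPLE-0001", "com.example:legacy-xml", (("1.0", "1.4.9"),),
             9.8, None, {"XmlWriter"}, False),
]

def triage():
    """Findings ordered by score as (cve, direct?, effective?, score): the input to step 4."""
    return [(a.cve, c.direct, is_effective(c, a), score(c, a)) for c, a in
            sorted(detect(INVENTORY, ADVISORIES), key=lambda f: score(*f), reverse=True)]

def build_gate(threshold=7.0):
    """Shift-left gate (slide 34): effective findings at or above threshold block the build."""
    return [f for f in triage() if f[2] and f[3] >= threshold]
```

The same matcher can be re-run in the maintain stage against a refreshed advisory list, which is what the "new vulnerabilities are constantly being published" slide asks for.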

SLIDE 27

Let’s Talk About Implementation!

SLIDE 28

Step 1: Creating Transparency

Identify the processes in your software development lifecycle (SDLC)

SLIDE 29

Step 2: Detect

  • Where you want to implement security checks
  • Where you can automate

SLIDE 30

Development

SLIDE 31

Build

SLIDE 32

Deploy

SLIDE 33

Maintain

New vulnerabilities are constantly being published

SLIDE 34

Step 3: Prioritize

  • Act early -> shifting left
  • Avoid letting vulnerable components reach deployment

SLIDE 35

Detect Issues As Early As Possible
SLIDE 36

Step 4: Execution

Whose responsibility is it?
  • Security team:
      • Setting policies
      • Educating developers
  • Development team:
      • Execution

SLIDE 37

Developers need robust tools that fit into their workflows
SLIDE 38

#1 Educate on the basics of open-source security & compliance.

#2 Empower Teams by providing them the right tools.

#3 Enable Success by creating a shared mission.

SLIDE 39

Don’t Be That Guy

SLIDE 40

Q & A

SLIDE 41

Thank You!

For any questions, please contact me: Guy.bar-gil@whitesourcesoftware.com