Go Fast AND Be Secure: Eliminating Application Risk in the Era of Modern, Component-Based Development presented at AppSec USA 2013

by Jeff Williams, Ryan Berg,

Summary : Organizations are exposed to significant risks caused by their increasing reliance on open-source components. Component flaws are exceedingly common – 71 percent of applications contain components with known security flaws classified as severe or critical. Everything from Big Data, to cloud and mobile applications are exposed to unmanaged risk. The pressure to add more features and put applications into production quickly comes at a devastating tradeoff – to go fast or be secure. Using never-before-seen data from the Central Repository – the industry’s primary source for open source components receiving 8 billion requests annually this presentation will examine how modern development is ushering in massive amounts of unmanaged risk demanding a new approach to mitigating the risk in modern, component-based applications – one that is significantly simpler to use, integrated throughout the software lifecycle and shows real, sustainable results.
Like automobile manufacturers, today’s software developers assemble applications using existing components or parts rather than writing applications from scratch. Open source component use has skyrocketed in recent years. In 2012, the Central Repository registered eight billion component downloads, doubling activity from 2011. 90% of a typical application today is now comprised of components, the bulk of these are open source, coming from dozens, if not hundreds, of individual suppliers. Yet, 71 percent of applications contain components with known security flaws classified as severe or critical, pointing to a major breakdown in application security. Unlike manufacturing, the software industry lacks the tools to manage the intricacy and risk associated with a complex and distributed software supply chain. When coupled with a trend toward agile development, enterprises are finding themselves with massive, unmanaged risk.
Few organizations have the controls or processes to identify which components are in use, to govern their usage or to eradicate flawed components from applications. In the annual Open Source Development Survey – the largest study of its kind surveying more than 3,500 developers, architects and IT managers using open source – 76 percent of respondents shared that they have no control over what components are being used in software development projects and more than half cited a failure to maintain an inventory of components used in production applications. Like operating systems or database, open-source components represent a rich attack vector for hackers to exploit given their commonality across organizations and applications.
New to the OWASP Top 10 Guidelines is A9: Use of Insecure Libraries, acknowledging the widespread use of open source components in today’s applications and the significant security risks that exists when organizations lack proper internal controls or fail to address security vulnerabilities throughout the software development lifecycle. Joint research from Aspect Security and Sonatype found the probability of having at least one vulnerability in an application due to a KNOWN insecure library is 95%.
In this presentation, Ryan Berg, CSO of Sonatype and Jeff Williams, CEO of Aspect Security will examine why traditional approaches to application security can’t protect today’s applications. Using exclusive data from the Central Repository and sharing the findings of joint research, Berg and Williams will show why organizations must extend defense-in-depth to the application layer and how to deploy new approaches to software assurance that are simple, quick and continuous.
Key topics and takeaways include: • How to empower developers to become the new frontline of defense in today’s cyber-security war
• Why securing the perimeter is not enough to protect the critical data housed in modern applications
• How to breakdown the traditional walls that exist between development teams and security and risk professionals
• Steps for introducing policy to govern component usage that will actually be adopted by developers
• How organizations can expedite development (go fast) and govern/manage (be secure) the entire application lifecycle to ensure the integrity of the software supply chain
• How to give developers the tools and authority to focus on security in real-time