Slide 1: YOU CAN'T MAKE A GOOD OMELETTE WITH ROTTEN EGGS
2015 Triangle InfoSeCon
Jonathan Knudsen
October 8, 2015
© 2015 All Rights Reserved 9/17/15

Slide 2: Today, Up to 90% of an Average Software Package Consists of Third-Party Code

Slide 3: [Diagram of a software package: First-Party Custom Code; Third-Party Code (Commercial Off-The-Shelf); Third-Party Code (Free Open Source Software)]

Slide 4: HOW MUCH 3RD-PARTY CODE?
Number of 3rd-party software components per product:
• Router: 134
• Multifunction printer: 16
• Baby monitor: 8
• Thermostat: 38
• Smart TV: 72
• Wi-Fi access point: 35
• Car infotainment: 35
• Infusion pump: 3
• Smart phone: 123
• Security camera: 4

Slide 5: [Diagram: Buyer's Cyber Supply Chain and Builder's Cyber Supply Chain. Product categories shown: Business Software, Network Infrastructure, Router, Others. Third-party components shown: pcre, sqlite3, postgresql, gzip, xerces-j, libssh2, libxml2, zlib, raccoon, expat, Ipsec-tools, gsoap, logrotate]

Slide 6: Builders and Buyers of Software Falsely Assume Security is an Upstream Responsibility, Bearing the Risk of an Unchecked Cyber Supply Chain

Slide 7: THE CYBER SUPPLY CHAIN IN SOFTWARE DEVELOPMENT
• COMPONENT SELECTION: In today's agile development world, developers build software from third-party components that are sourced from a variety of suppliers.
• BUILD: Once third-party software components are assembled and configured, developers "glue" the components together with custom code.
• PURCHASE: Commonly, buyers of software today make purchasing decisions without any knowledge of the bill of materials.
• DEPLOY: The purchased software is then deployed into a vast and complex IT ecosystem that hosts and processes critical business data.
• MAINTENANCE: Without a bill of materials, organizations are expected to continuously and proactively update software components with security patches.

Slide 8: DEFERRED ACCOUNTABILITY IN THE CYBER SUPPLY CHAIN
• COMPONENT SELECTION: Developers falsely assume that "open source is secure...The reality is that while everyone could look at the code, they don't and accountability for quality is deferred".
• BUILD: Up to 90% of an average software package consists of third-party code. These components are rarely sourced with security in mind and often contain vulnerabilities.
• PURCHASE: Developers rarely maintain an up-to-date bill of materials for their software, making it difficult to identify and remediate vulnerabilities that affect them and their customers.
• DEPLOY: 99.99% secure = 100% vulnerable. It only takes a single vulnerability in a software component to put an entire ecosystem at risk.
• MAINTENANCE: As the hacker and research community continue to probe for new vulnerabilities, software components that were once secure inevitably become insecure due to code decay.

Slide 9: HOW MANY VULNERABILITIES?
• Router: 4,269 CVEs affecting 70 components
• Multifunction printer: 407 CVEs affecting 6 components
• Smart TV: 888 CVEs affecting 26 components
• Wi-Fi access point: 858 CVEs affecting 17 components
• Baby monitor: 9 CVEs affecting 18 components
• Thermostat: 724 CVEs affecting 18 components
• Car infotainment: 1,174 CVEs affecting 17 components
• Infusion pump: 54 CVEs affecting 1 component
• Smart phone: 909 CVEs affecting 44 components
• Security camera: 226 CVEs affecting 3 components

Slide 10:
• 5,767 total software scanned; 2,041 vulnerable software (35.2%). Out of 5,767 pieces of software scanned, over ⅓ contained at least 1 vulnerable component.
• 49,478 identified third-party components; 13,098 vulnerable components (26.5%). Out of 49,478 third-party components identified, over ¼ contained at least 1 vulnerability.
• 954,964 identified vulnerabilities; 72.9 average number of vulns in each vulnerable component. A total of 954,964 vulnerabilities were identified. On average, each vulnerable component contained 73 vulnerabilities.

Slide 11: Code Decays Exponentially Over Time

Slide 12: HOW CURRENT IS CURRENT?
BACKGROUND INFORMATION
• Product: Smart phone
• Released: Oct. 2013
• Firmware Update: Dec. 2014
• MSRP: $300-600 (U)
POINTS OF INTEREST
• 118 unique 3rd party components
• Latest firmware released with 692 unique CVEs
• 76 of which were CVSS 10
• Affecting 32 components (27.11%)
• Oldest component compiled in 2008
[Chart: Unique CVEs (0 to 800) against time, 4/2/2008 to 4/2/2014. Annotations: Compilation Date for Oldest Components (2/2008); Latest Firmware Release (12/2014)]

Slide 13: WHEN HARDWARE OUTLASTS SOFTWARE
BACKGROUND INFORMATION
• Product: Smart TV
• Released: Nov./Dec. 2011
• Firmware Update: Mar. 2013
• MSRP: $2899
POINTS OF INTEREST
• "Flat-panel LCD TVs have a lifespan approaching 100,000 hours on average" – this is over 11 yrs.
• Smart TVs have 1 year product cycles. Software from newer models rarely runs in older models due to hardware incompatibilities.
• Latest software is affected by 584 unique CVEs as of Mar. 2015
• Smart TVs should be good for another 8 yrs. How many CVEs then?
[Chart: Unique CVEs (0 to 700) against time, 6/1/2011 to 12/1/2014. Annotations: 2012 Smart TV Lineup Launch (Nov./Dec. 2011); Last Firmware/Software Update (3/2013): approx. 178 unique CVEs at the moment of SW EoL; Security update to patch curl, openssl, flash_player, ffmpeg, libpng and freetype (Nov. 2014); 584 unique CVEs in 23 components (3/2015); approx. 0.58 new CVEs per day over the course of 23 months; estimated 2,276 CVEs by 11/2023 based on the historic 0.58 CVEs per day rate; 7 more years of expected operation]

Slide 14:
• C-SUITE: "How can I protect my company and my customers from security breaches and cyber attacks?"
• PROCUREMENT: "How can I ensure that the software/firmware my company purchases is secure and vulnerability free?"
• INTERNAL PRODUCT TEAM: "How can I check the security and robustness of third-party components without compromising on time?"
• OPERATIONS AND IT STAFF: "How can I determine if vulnerabilities in my infrastructure pose a risk to my organization?"
• LEGAL AND MERGER AND ACQUISITION: "How can I help my company mitigate liability?"

Slide 15: How can you make informed risk decisions without having visibility into your supply chain?

Slide 16: Software Composition Analysis (SCA) For Software Supply Chain Management

Slide 17: SOFTWARE COMPOSITION ANALYSIS (SCA)
• A.k.a. static binary analysis
• Find the Software Bill of Materials for executable code
• Find known vulnerabilities in used components
• Find software licenses for components
• Other types of analysis also possible

Slide 18: SCA FOR BUILDERS
• If you're the builder, don't you already know which components you used?
• Not necessarily
• Sometimes builders track this manually
• Imagine a downtrodden project manager in front of a big spreadsheet
• It's hard to keep your supply chain current
• Automation, tied in to your build, is a big step forward
• Licenses are important

Slide 19: SCA FOR BUYERS
• Do you trust your vendor?
• Does your vendor use a process that ensures a high level of safety, security, and robustness?
• SCA gives you visibility, like an X-ray for software
• Check up on your vendor's supply chain management

Slide 20: Thank You
Jonathan Knudsen
[email protected]
October 8, 2015
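The SCA slides (17 through 19) describe matching a bill of materials against known vulnerabilities and tying that check into the build. The following is an added example of that idea, not code from the talk or from any SCA product: a minimal bill-of-materials check that matches components against an advisory feed, produces the kind of summary the deck reports (vulnerable components, vulnerabilities per vulnerable component, CVEs accumulating by year, which is the "code decay" view of slides 12 and 13), and gates a build on the result. The component versions, advisory identifiers (CVE-0000-xxxx placeholders), fix versions and dates are all constructed; real tooling would pull a feed such as NVD and match on version ranges or CPEs rather than a single fixed-in version.

```python
"""Added example: a toy software-composition-analysis check.

Component names come from the slides; every version, advisory id and date is
constructed for illustration.
"""
from dataclasses import dataclass
from datetime import date


def parse_version(v):
    """'1.2.11' -> (1, 2, 11) so versions compare numerically rather than as strings."""
    return tuple(int(p) for p in v.split("."))


@dataclass(frozen=True)
class Component:
    name: str
    version: str


@dataclass(frozen=True)
class Advisory:
    cve_id: str        # placeholder ids, not real CVE numbers
    component: str
    fixed_in: str      # first version that is not affected (simplification)
    published: date


# Constructed bill of materials for a hypothetical device.
SBOM = [
    Component("zlib", "1.2.3"),
    Component("libxml2", "2.7.6"),
    Component("expat", "2.1.0"),
    Component("pcre", "8.31"),
    Component("sqlite3", "3.8.0"),
]

# Constructed advisory feed standing in for a real vulnerability database.
FEED = [
    Advisory("CVE-0000-0001", "zlib", "1.2.4", date(2009, 5, 1)),
    Advisory("CVE-0000-0002", "zlib", "1.2.8", date(2012, 3, 9)),
    Advisory("CVE-0000-0003", "libxml2", "2.9.0", date(2011, 8, 22)),
    Advisory("CVE-0000-0004", "libxml2", "2.7.0", date(2008, 1, 15)),  # already fixed in 2.7.6
    Advisory("CVE-0000-0005", "pcre", "8.32", date(2013, 6, 4)),
    Advisory("CVE-0000-0006", "expat", "2.2.0", date(2014, 11, 30)),
]


def is_affected(component, advisory):
    """A component is affected when it matches by name and is older than the fix."""
    return (component.name == advisory.component
            and parse_version(component.version) < parse_version(advisory.fixed_in))


def match_sbom(sbom, feed):
    """Map each vulnerable component to the advisories that apply to it."""
    hits = {}
    for comp in sbom:
        found = [adv for adv in feed if is_affected(comp, adv)]
        if found:
            hits[comp] = found
    return hits


def summarize(sbom, hits):
    """The headline numbers the deck reports, computed for this bill of materials."""
    total_vulns = sum(len(v) for v in hits.values())
    vulnerable = len(hits)
    return {
        "components": len(sbom),
        "vulnerable_components": vulnerable,
        "vulnerable_pct": round(100.0 * vulnerable / len(sbom), 1),
        "total_vulns": total_vulns,
        "avg_per_vulnerable": total_vulns / vulnerable if vulnerable else 0.0,
    }


def cumulative_by_year(hits):
    """Code-decay view: how many applicable CVEs existed by the end of each year."""
    advisories = sorted({a for advs in hits.values() for a in advs}, key=lambda a: a.published)
    if not advisories:
        return {}
    first, last = advisories[0].published.year, advisories[-1].published.year
    return {y: sum(1 for a in advisories if a.published.year <= y) for y in range(first, last + 1)}


def build_gate(sbom, feed, max_allowed=0):
    """True when the build may proceed; tie this into CI so the check is automated."""
    return sum(len(v) for v in match_sbom(sbom, feed).values()) <= max_allowed


if __name__ == "__main__":
    hits = match_sbom(SBOM, FEED)
    for comp, advs in hits.items():
        print(f"{comp.name} {comp.version}: {', '.join(a.cve_id for a in advs)}")
    print(summarize(SBOM, hits))
    print(cumulative_by_year(hits))
    print("build gate passed:", build_gate(SBOM, FEED))
```

Running the script lists four of the five components as vulnerable (only sqlite3 has no applicable advisory, and the libxml2 advisory fixed in 2.7.0 is correctly excluded), and the year-by-year count rises from one CVE in 2009 to five by 2014 even though the bill of materials itself never changed, which is the point of the code-decay slides.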