Building software today involves more assembly than actual coding. Much of our code is in fact pulled in open source packages, and the applications heavily rely on surrounding third party binaries. These third parties make us more productive - but they also introduce an enormous risk. Each third party component is a potential source of vulnerabilities or malicious code, each third party service a potential door into our system. This talk contains more information about this risk, create a framework for digesting and tackling it, and lists a myriad of tools that can help.

1. snyk.io
Stranger Danger
Guy Podjarny, Snyk
@guypod

2. snyk.io
Open Source Is Awesome
Share Your Work
Reuse What Others Built
Focus on Creating Your Own New Thing

3. snyk.io
Open Source Usage
Has Exploded

4. snyk.io
78% of Enterprises
use Open Source

5. snyk.io
Is Security a Concern
When Adopting OSS?
Number 1 concern: 13%
Number 2 concern: 29%
Number 3 concern: 21%
(Total: 63%)
Source: Wipro

6. snyk.io
Open Source != Closely Inspected

7. snyk.io
Open Source != Secure
Open Source != Insecure Either!

8. snyk.io
Heartbleed

9. snyk.io
Shellshock

10. snyk.io
Logjam

11. snyk.io
Open Source is
Less Tested For Security
OS Project Owners not aware/budgeted for security
OS consumers not engaged/aware of code

12. snyk.io
Attackers Are
Targeting Open Source
One vulnerability, many victims

13. snyk.io
How Do We Consume OSS?

14. snyk.io
2000:
Select Open Source Providers
Apache, Linux, IBM, OpenSSL…

15. snyk.io
2015:
Open Source Marketplaces
Everybody is a provider

16. snyk.io
Ubuntu apt:
~54,000 packages
(trusty/LTS 14)

17. snyk.io
Docker Hub:
~150,000 repos
~150M pulls (to-date)

18. snyk.io
Node.js npm:
~250,000 packages
~10M downloads/day

19. snyk.io
Your App

20. snyk.io
Your Code
Your App

21. snyk.io
Each Dependency Is A
Security Risk

22. snyk.io
Do You Know
Which Dependencies
You Have?

23. snyk.io
Do you know, for
EVERY SINGLE DEPENDENCY
if its developers have any
Security Expertise?

24. snyk.io
Do you know, for
EVERY SINGLE DEPENDENCY
if it went through any
Security Testing?

25. snyk.io
Do you know, for
EVERY SINGLE DEPENDENCY
if it has
Known Vulnerabilities?

26. snyk.io
~30%
of Docker Hub images carry
Known Vulnerabilities
High Priority known vulnerabilites, to be exact
Source: BanyanOps Analysis

27. snyk.io
~14%
of npm Packages Carry
Known Vulnerabilities
~80% of Snyk users found vulns in their apps
Source: Snyk data, Mar 2016

28. snyk.io
~59% of Reported Vulnerabilities
in Maven Packages
Remain Unfixed
Mean Time to Repair: 390 days
MTTR for CVSS 10: 265 days
Source: Josh Corman & Dan Geer

29. snyk.io
Do You Have Known
Vulnerabilities In Your Code?
Do you even know?

30. snyk.io
What Can You Do?

31. snyk.io
Not Use Third Parties

32. snyk.io
Third Party
Binaries
Third Party
Code

33. snyk.io
1. Track & Update Your Dep’s

34. snyk.io
Aptitude-based (Ubuntu, Debian, etc): dpkg -l
RPM-based (Fedora, RHEL, etc): rpm -qa
pkg*-based (OpenBSD, FreeBSD, etc): pkg_info
Portage-based (Gentoo, etc): equery list or eix -I
pacman-based (Arch Linux, etc): pacman -Q
Cygwin: cygcheck --check-setup --dump-only *
Slackware: slapt-get --installed
http://unix.stackexchange.com/questions/20979/how-do-i-list-all-installed-programs
Tracking Outdated Binaries

35. snyk.io
Node/Ruby
npm/bundle outdated
Track Outdated Code
(command line)
Python
pip list --outdated
Java
Maven Dep's Plugin

36. snyk.io
Track Outdated Code
(SaaS)
GreenKeeper (Node.js)
Gemnasium (Ruby)
Requires.io (Python)
Libraries.io (all)

37. snyk.io
1. Know What You’re Using
2. Drop What You Don’t Need

38. snyk.io
Find Unused Binaries
(sort by last use date)
Ubuntu
UnusedPkg
Fedora
rpmusage

39. snyk.io
Find Unused Code
(show unreferenced packages)
Node.js
depcheck
Ruby
gem stale
Java
Maven Dep's Plugin

40. snyk.io
1. Know What You’re Using
2. Drop What You Don’t Need
3. Find & Fix Current Vulns

41. snyk.io
Find Known Vulnerabilities
in Binaries
(by checking security updates)
Ubuntu
usn
Auto Sec Updates
Fedora
yum security
Auto Sec Updates

42. snyk.io
Find Known Vulnerabilities
in Code
(Looking in vuln DB, upgrade to fix)
Client Side JS
RetireJS
Ruby
rubysec
Java
OWASP Dep's Check

43. snyk.io
Find & Fix
Known Vulnerabilities
in npm dep’s

44. snyk.io
To Fix, Upgrade
Could be hard for
indirect dependencies

45. snyk.io
Can’t Upgrade? You can:
- Drop The Dependency
- Apply a security patch
- Prevent Exploits via WAF rules

46. snyk.io
Test for Known Vulnerabilities
in Build (CI)& Deploys (CD)

47. snyk.io
1. Know What You’re Using
2. Drop What You Don’t Need
3. Find & Fix Current Vulns
4. Monitor For New Vulns

48. snyk.io
Newly Disclosed Vulnerabilities
Are Found On Old Code

49. snyk.io
Register to Security Alerts
Platform Specific
Ubuntu
Node.js
OpenSSL
(your vendor sec list)
Broad Lists
US-CERT
NVD
OSVDB

50. snyk.io
Snyk Monitor

51. snyk.io
1. Know What You’re Using
2. Drop What You Don’t Need
3. Find & Fix Current Vulns
4. Monitor For New Vulns
5. Stay Alert

52. snyk.io
The Risk Doesn’t End with
Known Vulnerabilities

53. snyk.io
Your Code
Your App

54. snyk.io
npm has 65,000+ publishers

55. snyk.io
Do you know, for
EVERY SINGLE CONTRIBUTOR
if they’ve been…
Compromised?

56. snyk.io
Developers are targeted as a
Distribution Channel
Ex: iOS Malware via Xcode Ghost

57. snyk.io
Do you know, for
EVERY SINGLE CONTRIBUTOR
if they are…
MALICIOUS?

58. snyk.io
Open Source Maintenance
is… complicated.

59. snyk.io
If one component was evil,
Would you know?

60. snyk.io
Isolate each system

61. snyk.io
use low-privilege users

62. snyk.io
Monitor Outbound
Communication

63. snyk.io
Don’t Trust Your Own App
To the extent you can…

64. snyk.io
Stay Alert

65. snyk.io
1. Know What You’re Using
2. Drop What You Don’t Need
3. Find & Fix Current Vulns
4. Monitor For New Vulns
5. Stay Alert

66. snyk.io
Open Source Is Awesome

67. snyk.io
Open Source Is Awesome
Please Enjoy Responsibly
Questions?
Guy Podjarny, Snyk
@guypod