Secure Application Deployment in the Age of Continuous Delivery
OPENSOURCE: Open Standards
#whoami – Tim Mackey
• Current roles: Senior Technical Evangelist; Occasional coder
• Previously XenServer Community Manager
• Cool things I’ve done
  • Designed laser communication systems
  • Early designer of retail self-checkout machines
  • Embedded special relativity algorithms into industrial control system
• Find me
  • Twitter: @TimInTech ( https://twitter.com/TimInTech )
  • SlideShare: slideshare.net/TimMackey
  • LinkedIn: www.linkedin.com/in/mackeytim
Security reality
You can only protect what you know about.
Defense in depth matters.
Attacks are big business
In 2015, 89% of data breaches had a financial or espionage motive.
Source: Verizon 2016 Data Breach Report
Attackers decide what’s valuable …
… and they have little fear.
EASY ACCESS TO SOURCE CODE
Open source ubiquity makes it a ready target.
OPEN SOURCE ISN’T MORE OR LESS SECURE THAN CLOSED SOURCE – IT’S JUST EASIER TO ACCESS
VULNERABILITIES ARE PUBLICIZED
EXPLOITS ARE PUBLISHED
Anatomy of a new attack
Potential Attack
Iterate
Test against platforms
Document
Don’t forget PR department
Deploy
Open source enters through many channels…
• Developer downloads
• Outsourced development
• Third party libraries
• Code reuse
• Approved components
• Commercial apps
• Open source code
…and vulnerabilities can come with it.
Who is responsible for code and security?
Closed source commercial code
• Dedicated security researchers
• Alerting and notification infrastructure
• Regular patch updates
• Dedicated support team with SLA
Open source code
• “Community”-based code analysis
• Monitor newsfeeds yourself
• No standard patching mechanism
• Ultimately, you are responsible
[Chart: Open Source Vulnerabilities Reported Per Year, 1999–2015; y-axis 0–3500; series: BDS-exclusive, NVD]
Reference: Black Duck Software Knowledgebase, NVD
Increasing number of OSS vulnerabilities
Automated tools miss most open source vulnerabilities
• Static & dynamic analysis only discover common vulnerabilities
• 3,000+ disclosed in 2014; less than 1% found by automated tools
• Undiscovered vulnerabilities are too complex and nuanced
[Diagram label: All possible security vulnerabilities]
What do these all have in common?
• Heartbleed: OpenSSL; since 2011, discovered 2014 by Riku, Antti, Matti, Mehta
• Shellshock: Bash; since 1989, discovered 2014 by Chazelas
• Freak: OpenSSL; since 1990’s, discovered 2015 by Beurdouche
• Ghost: GNU C library; since 2000, discovered 2015 by Qualys researchers
• Venom: QEMU; since 2004, discovered 2015 by Geffner
Understand application contents
Source: 2016 Open Source Security Report
Misaligned security investment
Distinct areas of risk
• Open source license compliance
  • Ensure project dependencies are understood
• Use of vulnerable open source components
  • Is component a fork or dependency?
  • How is component linked?
• Operational risk
  • Can you differentiate between “stable” and “dead”?
  • Is there a significant change set in your future?
  • API versioning
  • Security response process for project
Total Quality Management Philosophies
• Detect problems before product ships
• Select components based on trust
• Continuously identify issues and improve
• Empower employees to solve problems
• Implement the Deming Cycle
  • Plan: plan for change and analyze risk
  • Do: execute the plan in small steps
  • Check: check the results against the plan
  • Act: act on results to improve future outcomes
• Manage with facts
Software development lifecycle
Idea → Spec → Design → Code → Test → Release
Software development lifecycle – threat model, static analysis, dynamic analysis
• As part of the specification and design, threat models are often created.
• During code creation and commits, static analysis is performed.
• Testing usually includes some form of dynamic testing.
Traditional operations release process
[Cycle diagram; stages: Deploy, Measure, Scale, Monitor, Assess, Release, Update, Spec]
Oops – a vulnerability is disclosed – now what?
Pipeline: DEVELOP → SCM → BUILD → PACKAGE → DEPLOY → PRODUCTION
• Bug tracking integration: remediate and track
• License compliance and security vulnerabilities: full app sec visibility
• Build / CI server integration: scan applications with each build via CI
• Delivery pipeline integration: scan applications and containers before delivery
• Continuous monitoring of vulnerabilities
Integrations matter …
Containers for application management
Knowledge is key. Can you keep up?
Vuln: CVE-2015-7547: glibc getaddrinfo stack-based buffer overflow
• May 2008: vulnerability introduced in glibc
• July 2015: glibc bug reported
• Feb 16-2016: CVE-2015-7547 assigned (Low Security Risk)
• Feb 18-2016: vulnerability published in the National Vulnerability Database (Moderate Security Risk)
• You find it; patches available; you fix it (Highest Security Risk)
Source: Future of Open Source 2016 Survey
A complete solution …
• SELECT – Choose open source: proactively choose secure, supported open source
• VERIFY – Inventory open source and map existing vulnerabilities: maintain an accurate list of open source components throughout the SDL; identify vulnerabilities during development
• MONITOR – Track new vulnerabilities: alert on newly disclosed vulnerabilities in production
• REMEDIATE – Fix vulnerabilities: tell developers how to remediate
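The VERIFY and MONITOR steps above, and the CVE-2015-7547 timeline before them, as an added example that is not part of the original deck or of Black Duck's tooling: a minimal inventory-to-advisory matcher in Python. The feed, inventory, scan dates and the placeholder advisory are constructed; the glibc 2.9 (first affected) to 2.23 (first fixed) range is an assumption taken from the public advisory, not from the deck.

```python
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class Component:
    """One entry in the open source inventory (what is actually deployed)."""
    name: str
    version: str


@dataclass(frozen=True)
class Advisory:
    """One entry in a vulnerability feed (NVD-style)."""
    cve: str
    component: str
    introduced: str   # first affected version, inclusive
    fixed: str        # first fixed version, exclusive
    published: date   # date the advisory became public (NVD publication)
    severity: str


def parse_version(version: str) -> tuple:
    """Turn '2.17' into (2, 17). Comparing strings would rank '2.9' above '2.17';
    comparing tuples ranks them correctly. Assumes dotted integers only."""
    return tuple(int(part) for part in version.split("."))


def is_affected(component: Component, adv: Advisory) -> bool:
    """True when the deployed version falls inside [introduced, fixed)."""
    if component.name != adv.component:
        return False
    v = parse_version(component.version)
    return parse_version(adv.introduced) <= v < parse_version(adv.fixed)


def verify(inventory, feed):
    """VERIFY: map every inventoried component to the advisories that affect it."""
    return [(c, a) for c in inventory for a in feed if is_affected(c, a)]


def monitor(inventory, feed, last_scan: date):
    """MONITOR: of those matches, keep only advisories published after the last
    scan, i.e. the ones a point-in-time build scan could not have caught."""
    return [(c, a) for c, a in verify(inventory, feed) if a.published > last_scan]


def known_exposure_days(adv: Advisory, fixed_on: date) -> int:
    """Days between public disclosure and your own fix: the 'You find it ...
    You fix it' stretch of the deck's timeline, when the issue is public."""
    return (fixed_on - adv.published).days


# Constructed feed. The CVE-2015-7547 row uses the NVD publication date from the
# deck; the affected range glibc 2.9 to 2.23 is an assumption from the public
# advisory, not from the deck. The second row is a made-up placeholder advisory.
FEED = [
    Advisory("CVE-2015-7547", "glibc", "2.9", "2.23", date(2016, 2, 18), "critical"),
    Advisory("CVE-PLACEHOLDER-1", "exampleparser", "1.0", "1.4", date(2016, 3, 1), "moderate"),
]

# Constructed inventory of what a production image contains.
INVENTORY = [
    Component("glibc", "2.17"),
    Component("exampleparser", "1.2"),
    Component("openssl", "1.0.2"),
]

LAST_SCAN = date(2016, 2, 20)   # constructed: the last time the build was scanned
FIXED_ON = date(2016, 3, 1)     # constructed: the day the glibc patch was rolled out


def run_example() -> dict:
    """Run the checks over the constructed data and return the findings."""
    hits = verify(INVENTORY, FEED)
    fresh = monitor(INVENTORY, FEED, LAST_SCAN)
    return {
        "matched": sorted(a.cve for _, a in hits),
        "new_since_last_scan": [a.cve for _, a in fresh],
        "glibc_exposure_days": known_exposure_days(FEED[0], FIXED_ON),
    }


if __name__ == "__main__":
    for key, value in run_example().items():
        print(f"{key}: {value}")
```

A real pipeline would feed `verify` from the build's dependency manifest or container image scan and run `monitor` on a schedule against a refreshed feed, since the feed, not the code, is what changes after release.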
OVER TWO HUNDRED THIRTY EMPLOYEES
27 USE BLACK DUCK SOFTWARE
AWARD FOR
INNOVATION
GARTNER GROUP
“COOL VENDOR”
INNOVATIVE TECHNOLOGY
OF THE YEAR - SECURITY
7 YEARS IN A ROW FOR
SECURITY INNOVATION
RANKED #38 OUT OF 500
SECURITY COMPANIES
7 YEARS IN A ROW
6 of the top 8 mobile handset vendors
7 of the top 10 SOFTWARE COMPANIES (44% OF TOP 100)
24 COUNTRIES
6 of the top 10 banks
FORTUNE 100
Black Duck Created an Industry
• 8,500 websites
• 350 billion lines of code
• 2,400 license types
• 1.5 million projects
• 76,000 vulnerabilities
Comprehensive KnowledgeBase
• Largest database of open source project information in the world.
• Vulnerabilities coverage extended through partnership with Risk Based Security.
• The KnowledgeBase is essential for identifying and solving open source issues.
We need your help
Knowledge is power
• Know what’s running and why
• Define proactive vulnerability response process
• Don’t let technology hype cycle dictate security
Invest in defense in depth models
• Don’t rely on perimeter security to do heavy lifting
• Do look at hypervisor & container trends in security
• Make developers and ops teams part of the solution
• Do embed security into deployment process
Together we can build a more secure data center
Free tools to help
• Docker Container Security Scanner
  • https://info.blackducksoftware.com/Security-Scan.html
• 14 Day Free Trial to Black Duck Hub
  • https://info.blackducksoftware.com/Demo.html
• Red Hat Atomic Host Integration (Requires Black Duck Hub)
  • atomic scan --scanner blackduck [container]
Decisions behind hypervisor selection in CloudStack 4.3Tim Mackey
 
Hypervisor Selection in CloudStack and OpenStack
Hypervisor Selection in CloudStack and OpenStackHypervisor Selection in CloudStack and OpenStack
Hypervisor Selection in CloudStack and OpenStackTim Mackey
 
Hypervisor Selection in CloudStack and OpenStack
Hypervisor Selection in CloudStack and OpenStackHypervisor Selection in CloudStack and OpenStack
Hypervisor Selection in CloudStack and OpenStackTim Mackey
 
Hypervisor Capabilities in Apache CloudStack 4.3
Hypervisor Capabilities in Apache CloudStack 4.3Hypervisor Capabilities in Apache CloudStack 4.3
Hypervisor Capabilities in Apache CloudStack 4.3Tim Mackey
 
Hypervisor selection in CloudStack
Hypervisor selection in CloudStackHypervisor selection in CloudStack
Hypervisor selection in CloudStackTim Mackey
 
Planning a successful private cloud - CloudStack Collaboration Europe 2013
Planning a successful private cloud - CloudStack Collaboration Europe 2013Planning a successful private cloud - CloudStack Collaboration Europe 2013
Planning a successful private cloud - CloudStack Collaboration Europe 2013Tim Mackey
 

Mehr von Tim Mackey (18)

Open Source 360 Survey Results
Open Source 360 Survey ResultsOpen Source 360 Survey Results
Open Source 360 Survey Results
 
XenServer Design Workshop
XenServer Design WorkshopXenServer Design Workshop
XenServer Design Workshop
 
XenServer Virtualization In Cloud Environments
XenServer Virtualization In Cloud EnvironmentsXenServer Virtualization In Cloud Environments
XenServer Virtualization In Cloud Environments
 
Selecting the correct hypervisor for CloudStack 4.5
Selecting the correct hypervisor for CloudStack 4.5Selecting the correct hypervisor for CloudStack 4.5
Selecting the correct hypervisor for CloudStack 4.5
 
User Transparent Service Migration to the Cloud
User Transparent Service Migration to the CloudUser Transparent Service Migration to the Cloud
User Transparent Service Migration to the Cloud
 
CloudOpen Japan - Controlling the cost of your first cloud
CloudOpen Japan - Controlling the cost of your first cloudCloudOpen Japan - Controlling the cost of your first cloud
CloudOpen Japan - Controlling the cost of your first cloud
 
CloudStack Day Japan 2015 - Hypervisor Selection in CloudStack 4.5
CloudStack Day Japan 2015 - Hypervisor Selection in CloudStack 4.5CloudStack Day Japan 2015 - Hypervisor Selection in CloudStack 4.5
CloudStack Day Japan 2015 - Hypervisor Selection in CloudStack 4.5
 
Taming the cost of your first cloud - CCCEU 2014
Taming the cost of your first cloud - CCCEU 2014Taming the cost of your first cloud - CCCEU 2014
Taming the cost of your first cloud - CCCEU 2014
 
Using Packer to Migrate XenServer Infrastructure to CloudStack
Using Packer to Migrate XenServer Infrastructure to CloudStackUsing Packer to Migrate XenServer Infrastructure to CloudStack
Using Packer to Migrate XenServer Infrastructure to CloudStack
 
Hypervisor Selection in Apache CloudStack 4.4
Hypervisor Selection in Apache CloudStack 4.4Hypervisor Selection in Apache CloudStack 4.4
Hypervisor Selection in Apache CloudStack 4.4
 
OSCON2014: Understanding Hypervisor Selection in Apache CloudStack
OSCON2014: Understanding Hypervisor Selection in Apache CloudStackOSCON2014: Understanding Hypervisor Selection in Apache CloudStack
OSCON2014: Understanding Hypervisor Selection in Apache CloudStack
 
Make your first CloudStack Cloud successful
Make your first CloudStack Cloud successfulMake your first CloudStack Cloud successful
Make your first CloudStack Cloud successful
 
Decisions behind hypervisor selection in CloudStack 4.3
Decisions behind hypervisor selection in CloudStack 4.3Decisions behind hypervisor selection in CloudStack 4.3
Decisions behind hypervisor selection in CloudStack 4.3
 
Hypervisor Selection in CloudStack and OpenStack
Hypervisor Selection in CloudStack and OpenStackHypervisor Selection in CloudStack and OpenStack
Hypervisor Selection in CloudStack and OpenStack
 
Hypervisor Selection in CloudStack and OpenStack
Hypervisor Selection in CloudStack and OpenStackHypervisor Selection in CloudStack and OpenStack
Hypervisor Selection in CloudStack and OpenStack
 
Hypervisor Capabilities in Apache CloudStack 4.3
Hypervisor Capabilities in Apache CloudStack 4.3Hypervisor Capabilities in Apache CloudStack 4.3
Hypervisor Capabilities in Apache CloudStack 4.3
 
Hypervisor selection in CloudStack
Hypervisor selection in CloudStackHypervisor selection in CloudStack
Hypervisor selection in CloudStack
 
Planning a successful private cloud - CloudStack Collaboration Europe 2013
Planning a successful private cloud - CloudStack Collaboration Europe 2013Planning a successful private cloud - CloudStack Collaboration Europe 2013
Planning a successful private cloud - CloudStack Collaboration Europe 2013
 

Kürzlich hochgeladen

Build Tomorrow’s India Today By Making Charity For Poor Students
Build Tomorrow’s India Today By Making Charity For Poor StudentsBuild Tomorrow’s India Today By Making Charity For Poor Students
Build Tomorrow’s India Today By Making Charity For Poor StudentsSERUDS INDIA
 
Item # 4&5 - 415 & 423 Evans Ave. Replat
Item # 4&5 - 415 & 423 Evans Ave. ReplatItem # 4&5 - 415 & 423 Evans Ave. Replat
Item # 4&5 - 415 & 423 Evans Ave. Replatahcitycouncil
 
In credit? Assessing where Universal Credit’s long rollout has left the benef...
In credit? Assessing where Universal Credit’s long rollout has left the benef...In credit? Assessing where Universal Credit’s long rollout has left the benef...
In credit? Assessing where Universal Credit’s long rollout has left the benef...ResolutionFoundation
 
Item # 1a --- March 25, 2024 CCM Minutes
Item # 1a --- March 25, 2024 CCM MinutesItem # 1a --- March 25, 2024 CCM Minutes
Item # 1a --- March 25, 2024 CCM Minutesahcitycouncil
 
Press Freedom in Europe - Time to turn the tide.
Press Freedom in Europe - Time to turn the tide.Press Freedom in Europe - Time to turn the tide.
Press Freedom in Europe - Time to turn the tide.Christina Parmionova
 
Youth shaping sustainable and innovative solution - Reinforcing the 2030 agen...
Youth shaping sustainable and innovative solution - Reinforcing the 2030 agen...Youth shaping sustainable and innovative solution - Reinforcing the 2030 agen...
Youth shaping sustainable and innovative solution - Reinforcing the 2030 agen...Christina Parmionova
 
ISEIDP in Chikkaballapura, Karnataka, India
ISEIDP in Chikkaballapura, Karnataka, IndiaISEIDP in Chikkaballapura, Karnataka, India
ISEIDP in Chikkaballapura, Karnataka, IndiaTrinity Care Foundation
 
Uk-NO1 Black magic Specialist Expert in Uk Usa Uae London Canada England Amer...
Uk-NO1 Black magic Specialist Expert in Uk Usa Uae London Canada England Amer...Uk-NO1 Black magic Specialist Expert in Uk Usa Uae London Canada England Amer...
Uk-NO1 Black magic Specialist Expert in Uk Usa Uae London Canada England Amer...Amil baba
 
PPT Item # 7 - Demolition & Replacement Structure Processes
PPT Item # 7 - Demolition & Replacement Structure ProcessesPPT Item # 7 - Demolition & Replacement Structure Processes
PPT Item # 7 - Demolition & Replacement Structure Processesahcitycouncil
 
ECOSOC YOUTH FORUM 2024 - Side Events Schedule -16 April.
ECOSOC YOUTH FORUM 2024 - Side Events Schedule -16 April.ECOSOC YOUTH FORUM 2024 - Side Events Schedule -16 April.
ECOSOC YOUTH FORUM 2024 - Side Events Schedule -16 April.Christina Parmionova
 
GOVERNMENT OF NCT OF DELHI DIRECTORATE OF EDUCATION
GOVERNMENT OF NCT OF DELHI DIRECTORATE OF EDUCATIONGOVERNMENT OF NCT OF DELHI DIRECTORATE OF EDUCATION
GOVERNMENT OF NCT OF DELHI DIRECTORATE OF EDUCATIONShivamShukla147857
 
European Court of Human Rights: Judgment Verein KlimaSeniorinnen Schweiz and ...
European Court of Human Rights: Judgment Verein KlimaSeniorinnen Schweiz and ...European Court of Human Rights: Judgment Verein KlimaSeniorinnen Schweiz and ...
European Court of Human Rights: Judgment Verein KlimaSeniorinnen Schweiz and ...Energy for One World
 
Digital Transformation of the Heritage Sector and its Practical Implications
Digital Transformation of the Heritage Sector and its Practical ImplicationsDigital Transformation of the Heritage Sector and its Practical Implications
Digital Transformation of the Heritage Sector and its Practical ImplicationsBeat Estermann
 
23rd Infopoverty World Conference - Agenda programme
23rd Infopoverty World Conference - Agenda programme23rd Infopoverty World Conference - Agenda programme
23rd Infopoverty World Conference - Agenda programmeChristina Parmionova
 
ECOSOC YOUTH FORUM 2024 Side Events Schedule-18 April.
ECOSOC YOUTH FORUM 2024 Side Events Schedule-18 April.ECOSOC YOUTH FORUM 2024 Side Events Schedule-18 April.
ECOSOC YOUTH FORUM 2024 Side Events Schedule-18 April.Christina Parmionova
 
Phase 8 Hope For Venezuelan Refugees Soup Meal Program-Periods 4-6.
Phase 8 Hope For Venezuelan Refugees Soup Meal Program-Periods 4-6.Phase 8 Hope For Venezuelan Refugees Soup Meal Program-Periods 4-6.
Phase 8 Hope For Venezuelan Refugees Soup Meal Program-Periods 4-6.Cristal Montañéz
 
NL-FR Partnership - Water management roundtable 20240403.pdf
NL-FR Partnership - Water management roundtable 20240403.pdfNL-FR Partnership - Water management roundtable 20240403.pdf
NL-FR Partnership - Water management roundtable 20240403.pdfBertrand Coppin
 
1- Phase 8 Hope For Venezuelan Refugees Soup Program-Periods 4-6.pdf
1- Phase 8 Hope For Venezuelan Refugees Soup Program-Periods 4-6.pdf1- Phase 8 Hope For Venezuelan Refugees Soup Program-Periods 4-6.pdf
1- Phase 8 Hope For Venezuelan Refugees Soup Program-Periods 4-6.pdfCristal Montañéz
 
PPT Item # 6 - TBG Partners Landscape Architectural Design Services.pdf
PPT Item # 6 - TBG Partners Landscape Architectural Design Services.pdfPPT Item # 6 - TBG Partners Landscape Architectural Design Services.pdf
PPT Item # 6 - TBG Partners Landscape Architectural Design Services.pdfahcitycouncil
 

Kürzlich hochgeladen (20)

Build Tomorrow’s India Today By Making Charity For Poor Students
Build Tomorrow’s India Today By Making Charity For Poor StudentsBuild Tomorrow’s India Today By Making Charity For Poor Students
Build Tomorrow’s India Today By Making Charity For Poor Students
 
Item # 4&5 - 415 & 423 Evans Ave. Replat
Item # 4&5 - 415 & 423 Evans Ave. ReplatItem # 4&5 - 415 & 423 Evans Ave. Replat
Item # 4&5 - 415 & 423 Evans Ave. Replat
 
In credit? Assessing where Universal Credit’s long rollout has left the benef...
In credit? Assessing where Universal Credit’s long rollout has left the benef...In credit? Assessing where Universal Credit’s long rollout has left the benef...
In credit? Assessing where Universal Credit’s long rollout has left the benef...
 
Item # 1a --- March 25, 2024 CCM Minutes
Item # 1a --- March 25, 2024 CCM MinutesItem # 1a --- March 25, 2024 CCM Minutes
Item # 1a --- March 25, 2024 CCM Minutes
 
Press Freedom in Europe - Time to turn the tide.
Press Freedom in Europe - Time to turn the tide.Press Freedom in Europe - Time to turn the tide.
Press Freedom in Europe - Time to turn the tide.
 
Youth shaping sustainable and innovative solution - Reinforcing the 2030 agen...
Youth shaping sustainable and innovative solution - Reinforcing the 2030 agen...Youth shaping sustainable and innovative solution - Reinforcing the 2030 agen...
Youth shaping sustainable and innovative solution - Reinforcing the 2030 agen...
 
ISEIDP in Chikkaballapura, Karnataka, India
ISEIDP in Chikkaballapura, Karnataka, IndiaISEIDP in Chikkaballapura, Karnataka, India
ISEIDP in Chikkaballapura, Karnataka, India
 
Uk-NO1 Black magic Specialist Expert in Uk Usa Uae London Canada England Amer...
Uk-NO1 Black magic Specialist Expert in Uk Usa Uae London Canada England Amer...Uk-NO1 Black magic Specialist Expert in Uk Usa Uae London Canada England Amer...
Uk-NO1 Black magic Specialist Expert in Uk Usa Uae London Canada England Amer...
 
PPT Item # 7 - Demolition & Replacement Structure Processes
PPT Item # 7 - Demolition & Replacement Structure ProcessesPPT Item # 7 - Demolition & Replacement Structure Processes
PPT Item # 7 - Demolition & Replacement Structure Processes
 
ECOSOC YOUTH FORUM 2024 - Side Events Schedule -16 April.
ECOSOC YOUTH FORUM 2024 - Side Events Schedule -16 April.ECOSOC YOUTH FORUM 2024 - Side Events Schedule -16 April.
ECOSOC YOUTH FORUM 2024 - Side Events Schedule -16 April.
 
GOVERNMENT OF NCT OF DELHI DIRECTORATE OF EDUCATION
GOVERNMENT OF NCT OF DELHI DIRECTORATE OF EDUCATIONGOVERNMENT OF NCT OF DELHI DIRECTORATE OF EDUCATION
GOVERNMENT OF NCT OF DELHI DIRECTORATE OF EDUCATION
 
European Court of Human Rights: Judgment Verein KlimaSeniorinnen Schweiz and ...
European Court of Human Rights: Judgment Verein KlimaSeniorinnen Schweiz and ...European Court of Human Rights: Judgment Verein KlimaSeniorinnen Schweiz and ...
European Court of Human Rights: Judgment Verein KlimaSeniorinnen Schweiz and ...
 
Digital Transformation of the Heritage Sector and its Practical Implications
Digital Transformation of the Heritage Sector and its Practical ImplicationsDigital Transformation of the Heritage Sector and its Practical Implications
Digital Transformation of the Heritage Sector and its Practical Implications
 
Housing For All - Fair Housing Choice Report
Housing For All - Fair Housing Choice ReportHousing For All - Fair Housing Choice Report
Housing For All - Fair Housing Choice Report
 
23rd Infopoverty World Conference - Agenda programme
23rd Infopoverty World Conference - Agenda programme23rd Infopoverty World Conference - Agenda programme
23rd Infopoverty World Conference - Agenda programme
 
ECOSOC YOUTH FORUM 2024 Side Events Schedule-18 April.
ECOSOC YOUTH FORUM 2024 Side Events Schedule-18 April.ECOSOC YOUTH FORUM 2024 Side Events Schedule-18 April.
ECOSOC YOUTH FORUM 2024 Side Events Schedule-18 April.
 
Phase 8 Hope For Venezuelan Refugees Soup Meal Program-Periods 4-6.
Phase 8 Hope For Venezuelan Refugees Soup Meal Program-Periods 4-6.Phase 8 Hope For Venezuelan Refugees Soup Meal Program-Periods 4-6.
Phase 8 Hope For Venezuelan Refugees Soup Meal Program-Periods 4-6.
 
NL-FR Partnership - Water management roundtable 20240403.pdf
NL-FR Partnership - Water management roundtable 20240403.pdfNL-FR Partnership - Water management roundtable 20240403.pdf
NL-FR Partnership - Water management roundtable 20240403.pdf
 
1- Phase 8 Hope For Venezuelan Refugees Soup Program-Periods 4-6.pdf
1- Phase 8 Hope For Venezuelan Refugees Soup Program-Periods 4-6.pdf1- Phase 8 Hope For Venezuelan Refugees Soup Program-Periods 4-6.pdf
1- Phase 8 Hope For Venezuelan Refugees Soup Program-Periods 4-6.pdf
 
PPT Item # 6 - TBG Partners Landscape Architectural Design Services.pdf
PPT Item # 6 - TBG Partners Landscape Architectural Design Services.pdfPPT Item # 6 - TBG Partners Landscape Architectural Design Services.pdf
PPT Item # 6 - TBG Partners Landscape Architectural Design Services.pdf
 

Secure application deployment in the age of continuous delivery

  • 1. Secure Application Deployment in the Age of Continuous Delivery OPENSOURCE: Open Standards
  • 2. #whoami – Tim Mackey • Current roles: Senior Technical Evangelist; Occasional coder • Previously XenServer Community Manager • Cool things I’ve done • Designed laser communication systems • Early designer of retail self-checkout machines • Embedded special relativity algorithms into industrial control system • Find me • Twitter: @TimInTech ( https://twitter.com/TimInTech ) • SlideShare: slideshare.net/TimMackey • LinkedIn: www.linkedin.com/in/mackeytim
  • 3. Security reality You can only protect what you know about. Defense in depth matters.
  • 4. Attacks are big business. In 2015, 89% of data breaches had a financial or espionage motive. Source: Verizon 2016 Data Breach Investigations Report
  • 5. Attackers decide what’s valuable … … and they have little fear.
  • 6. Easy access to source code: open source ubiquity makes it a ready target. Open source isn’t more or less secure than closed source – it’s just easier to access. Vulnerabilities are publicized; exploits are published.
  • 7. Anatomy of a new attack (cycle): Potential attack → Test against platforms → Iterate → Deploy → Document (don’t forget the PR department)
  • 8. Open source enters through many channels… and vulnerabilities can come with it: developer downloads, outsourced development, third party libraries, code reuse, approved components, commercial apps, open source code.
  • 9. Who is responsible for code and security?
    • Closed source commercial code: dedicated security researchers; alerting and notification infrastructure; regular patch updates; dedicated support team with SLA
    • Open source code: “community”-based code analysis; monitor newsfeeds yourself; no standard patching mechanism; ultimately, you are responsible
  • 10. Increasing number of OSS vulnerabilities. (Chart: Open Source Vulnerabilities Reported Per Year, 1999–2015, NVD entries plus BDS-exclusive entries; y-axis 0–3,500.) Reference: Black Duck Software KnowledgeBase, NVD
  • 11. Automated tools miss most open source vulnerabilities. Static and dynamic analysis only discover common vulnerabilities: of the 3,000+ open source vulnerabilities disclosed in 2014, less than 1% were found by automated tools. The undiscovered vulnerabilities are too complex and nuanced for such tools. (Diagram: vulnerabilities found by static and dynamic analysis as a small subset of all possible security vulnerabilities.)
  • 12. What do these all have in common?
    Vulnerability   Component        Since    Discovered   Discovered by
    Heartbleed      OpenSSL          2011     2014         Riku, Antti, Matti, Mehta
    Shellshock      Bash             1989     2014         Chazelas
    FREAK           OpenSSL          1990’s   2015         Beurdouche
    Ghost           GNU C library    2000     2015         Qualys researchers
    Venom           QEMU             2004     2015         Geffner
  • 13. Understand application contents Source: 2016 Open Source Security Report
  • 16. Distinct areas of risk
    • Open source license compliance: ensure project dependencies are understood
    • Use of vulnerable open source components: is the component a fork or a dependency? How is the component linked?
    • Operational risk: can you differentiate between “stable” and “dead”? Is there a significant change set in your future? API versioning; security response process for the project
  • 17. Total Quality Management philosophies
    • Detect problems before the product ships
    • Select components based on trust
    • Continuously identify issues and improve
    • Empower employees to solve problems
    • Implement the Deming Cycle: Plan for change and analyze risk; Do – execute the plan in small steps; Check the results against the plan; Act on results to improve future outcomes
    • Manage with facts
  • 19–21. Software development lifecycle – threat model, static analysis, dynamic analysis: Idea → Spec → Design → Code → Test → Release
    • As part of the specification and design, threat models are often created.
    • During code creation and commits, static analysis is performed.
    • Testing usually includes some form of dynamic testing.
  • 22. Traditional operations release process (cycle diagram with the stages Spec, Release, Deploy, Measure, Scale, Monitor, Assess, Update)
  • 23. Oops – a vulnerability is disclosed – now what? Pipeline: Develop → SCM → Build → Package → Deploy → Production, with bug tracking alongside.
    • Build / CI server integration: scan applications with each build via CI integration
    • Delivery pipeline integration: scan applications and containers before delivery
    • Production: continuous monitoring of vulnerabilities
    • Bug tracking: remediate and track license compliance and security vulnerabilities
    • Result: full application security visibility
  • 26–31. Knowledge is key. Can you keep up? Vuln: CVE-2015-7547: glibc getaddrinfo stack-based buffer overflow. Timeline:
    • May 2008: glibc vuln introduced
    • July 2015: glibc bug reported (low security risk)
    • Feb 16, 2016: CVE-2015-7547 assigned
    • Feb 18, 2016: vuln published in the National Vulnerability Database (moderate security risk)
    • Patches available → You find it → You fix it (highest security risk until the fix is in place)
  • 32. Source: Future of Open Source 2016 Survey
  • 33. A complete solution …
    • SELECT – Choose open source: proactively choose secure, supported open source
    • VERIFY – Inventory open source: maintain an accurate list of open source components throughout the SDL. Map existing vulnerabilities: identify vulnerabilities during development
    • MONITOR – Track new vulnerabilities: alert on newly disclosed vulnerabilities in production
    • REMEDIATE – Fix vulnerabilities: tell developers how to remediate
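The SELECT / VERIFY / MONITOR / REMEDIATE loop on this slide, together with the per-build and in-production scanning of slide 23, as an added example in Python. This is not part of the original deck and not Black Duck Hub code. It assumes the build’s component inventory is already available as a component-to-version map (what an SBOM or lock file yields) and uses a constructed advisory feed holding only the CVEs the deck itself discusses, with their publicly documented affected-version ranges; the version parser understands dotted numeric versions with an optional letter suffix such as OpenSSL’s 1.0.1g and nothing more elaborate.

```python
"""Open source dependency gate for a CI pipeline (added example, not
vendor code). Inventory the pinned components of a build, map them to
known advisories, fail the build on a hit, and re-check a deployed
inventory when new advisories appear. FEED and MANIFEST are constructed
sample data so the script runs offline; a real pipeline would load an
SBOM and pull advisories from NVD or a commercial KnowledgeBase."""
from dataclasses import dataclass
from datetime import date
import re


@dataclass(frozen=True)
class Advisory:
    cve: str
    component: str
    introduced: str   # first affected release
    fixed_in: str     # first release carrying the fix
    published: date   # NVD publication date


# Constructed feed: the vulnerabilities discussed in the deck.
FEED = [
    Advisory("CVE-2014-0160", "openssl", "1.0.1", "1.0.1g", date(2014, 4, 7)),  # Heartbleed
    Advisory("CVE-2015-0235", "glibc", "2.2", "2.18", date(2015, 1, 27)),       # Ghost
    Advisory("CVE-2015-7547", "glibc", "2.9", "2.23", date(2016, 2, 18)),       # getaddrinfo
]

# Constructed build manifest: component -> pinned version.
MANIFEST = {"openssl": "1.0.1f", "glibc": "2.19", "zlib": "1.2.8"}

_PART = re.compile(r"^(\d+)([a-z]*)$")


def parse_version(text):
    """'1.0.1g' -> ((1, ''), (0, ''), (1, 'g')). Tuples compare the way
    release order does: 1.0.1 < 1.0.1f < 1.0.1g and 2.9 < 2.19 < 2.23."""
    parts = []
    for piece in text.split("."):
        m = _PART.match(piece)
        if not m:
            raise ValueError("unsupported version string: %r" % text)
        parts.append((int(m.group(1)), m.group(2)))
    return tuple(parts)


def _as_date(value):
    """Accept a date or an ISO string such as '2016-02-18'."""
    return value if isinstance(value, date) else date.fromisoformat(value)


def is_affected(adv, version):
    """Half-open range: introduced <= version < fixed_in."""
    v = parse_version(version)
    return parse_version(adv.introduced) <= v < parse_version(adv.fixed_in)


def scan(manifest, feed, as_of=None):
    """VERIFY: map the inventory to advisories. With as_of set, only
    advisories already public on that date count, i.e. what a scan run on
    that day would have seen."""
    cutoff = None if as_of is None else _as_date(as_of)
    hits = []
    for adv in feed:
        if cutoff is not None and adv.published > cutoff:
            continue
        version = manifest.get(adv.component)
        if version is not None and is_affected(adv, version):
            hits.append((adv.component, version, adv.cve, adv.fixed_in))
    return sorted(hits)


def gate(manifest, feed):
    """CI gate: True means the build may ship."""
    return not scan(manifest, feed)


def newly_disclosed(manifest, feed, last_scan, today):
    """MONITOR: advisories published after the last scan that hit
    components already in production."""
    seen = {hit[2] for hit in scan(manifest, feed, as_of=last_scan)}
    return [hit for hit in scan(manifest, feed, as_of=today) if hit[2] not in seen]


def remediation(hits):
    """REMEDIATE: per component, the lowest version clearing every finding."""
    target = {}
    for component, _version, _cve, fixed_in in hits:
        current = target.get(component)
        if current is None or parse_version(fixed_in) > parse_version(current):
            target[component] = fixed_in
    return target


if __name__ == "__main__":
    hits = scan(MANIFEST, FEED)
    for component, version, cve, fixed_in in hits:
        print(f"FAIL {component} {version}: {cve} (fixed in {fixed_in})")
    print("upgrade to:", remediation(hits))
    print("new since 2016-01-01:", newly_disclosed(MANIFEST, FEED, "2016-01-01", "2016-03-01"))
    raise SystemExit(0 if gate(MANIFEST, FEED) else 1)
```

Run it in the CI job once the build’s inventory exists and fail the job on a non-zero exit; run newly_disclosed on a schedule against the inventory of what is actually in production, with last_scan set to the previous run’s date, to get the alerting the MONITOR step asks for. The half-open version range is the part worth getting right: an advisory’s fixed_in release is not itself vulnerable, while a fork or a distribution package that backports the fix under an older version number will show up here as a false positive, which is exactly why slide 16 asks whether a component is a fork or a plain dependency.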
  • 34. OVER TWO HUNDRED THIRTY E M P L O Y E E S 27USE BLACK DUCK SOFTWARE AWARD FOR INNOVATION GARTNER GROUP “COOL VENDOR” INNOVATIVE TECHNOLOGY OF THE YEAR - SECURITY 7 YEARS IN A ROW FOR SECURITY INNOVATION RANKED #38 OUT OF 500 SECURITY COMPANIES 7 YEARS IN A ROW 6 of the top 8 mobile handset vendors 7 of the top 10 SOFTWARE COMPANIES (44% OF TOP 100) 24 COUNTRIES 6 of the top 10 banks FORTUNE 100 Black Duck Created an Industry
  • 35. 8,500 WEBSITES 350 BILLION LINES OF CODE 2,400 LICENSE TYPES 1.5 MILLION PROJECTS 76,000 VULNERABILITIES Comprehensive KnowledgeBase • Largest database of open source project information in the world. • Vulnerabilities coverage extended through partnership with Risk Based Security. • The KnowledgeBase is essential for identifying and solving open source issues.
  • 36. We need your help Knowledge is power • Know what’s running and why • Define proactive vulnerability response process • Don’t let technology hype cycle dictate security Invest in defense in depth models • Don’t rely on perimeter security to do heavy lifting • Do look at hypervisor & container trends in security • Make developers and ops teams part of the solution • Do embed security into deployment process Together we can build a more secure data center
  • 37. Free tools to help • Docker Container Security Scanner • https://info.blackducksoftware.com/Security-Scan.html • 14 Day Free Trial to Black Duck Hub • https://info.blackducksoftware.com/Demo.html • Red Hat Atomic Host Integration (Requires Black Duck Hub) • atomic scan --scanner blackduck [container]

Editor’s notes

  1. Image: http://morguefile.com/p/209940
  2. http://www.istockphoto.com/photo/computer-crime-concept-gm516607038-89059287?st=9174601 Source: http://www.verizonenterprise.com/verizon-insights-lab/dbir/2016/ Every year since 2008, Verizon has published a report on the data breaches and security incidents investigated by Verizon and its contributing partners. For 2015, they found close to 90% of them had either a financial or espionage component to them. This report is well worth the read, and there are a few key findings in it we should all be aware of:
    • Costs of data breaches are heavily skewed towards legal consultation and forensics, and not to the public components of credit monitoring or lawsuits.
    • Despite some vulnerabilities having been public for years, there remain vulnerable components in use.
    • Some of those components simply may not have a patch forthcoming for a variety of reasons.
  3. Despite years of organizations spending energy protecting against attacks, it remains up to the attacker to define what’s valuable. Consider the case of ransomware. A police department in the town next to where I live was subjected to a ransomware attack. For roughly 500 USD in bitcoin, the attackers would decrypt the booking and evidence records they had just crypto-locked. As an attacker, they likely had no knowledge of who they had attacked or what they had locked up. What mattered was the ransom, and that they had a police organization’s files didn’t factor into the equation.
  4. https://www.cesg.gov.uk/guidance/open-source-software-%E2%80%93-exploring-risk-good-practice-guide-38
  5. Let’s take a little bit of time and look at how an attack is created. Potential attackers have a number of tools at their disposal, and use a number of different tactics. In this case, the attacker wishes to create an attack on a given component. In order to be effective, they have two primary models. First, they can actively contribute code in a highly active area of the component with the objective of planting a back door of some form, the hope being that their code will fail to be recognized as suspect given how quickly that area of code is evolving. Second, they can look for areas of code which are stable, and the longer they’ve been stable, the better. The reason for this is simple: old code is likely written by someone who isn’t with the project any longer, or perhaps doesn’t recall all the assumptions present at the time the code was written. After all, it’s been long understood that even with the best developers, assumptions change and old code doesn’t keep up. The goal in both cases is to create an attack against the component, so they test, and fail, and iterate against the component until they’re successful or move on. Assuming they’re successful, they create a deployment tool and document the tool for others. Of course, given the publicity received by some recent vulnerabilities, a little PR goes a long way. Now, there are responsible researchers who follow a similar workflow, and they legitimately attempt to work with component creators to disclose vulnerabilities. They too will publish results, but are less interested in creating an attack beyond a proof of concept. http://www.istockphoto.com/photo/person-in-hooded-sweater-using-a-laptop-on-wooden-table-gm464503138-58544934?st=cf78f31 http://www.istockphoto.com/photo/cloud-computing-gm518556682-90104967
  6. https://www.cesg.gov.uk/guidance/open-source-software-%E2%80%93-exploring-risk-good-practice-guide-38 If you’re using commercial software, the vendor is responsible for best practice deployment guidance, the notification of any security vulnerabilities and ultimately patches and workarounds for disclosed vulnerabilities. This is part of the deliverable they provide in return for their license fee. If you’re using open source software, that process becomes partly your responsibility. To illustrate the level of information you have to work with, let’s look at a MediaWiki maintenance release from December 2015. “various special pages resulted in fatal errors” – this clearly is something which needs resolution, but which pages? How do you test? “1.24.6 marks the end of support for 1.24.x” – this is good to know, but I hope it was published elsewhere. “However, 1.24.5 had issues (along with other versions) so it was thought fair to fix them” – this is a good thing, but can we expect this treatment in the future? From the title, we also have a fix for 1.23.x, but what other versions?
  7. There is one thing we should all notice from this data: The vulnerable code was present for years until discovery. What may not be known, is that these vulnerabilities were found by researchers, not analysis tools.
  8. Source: https://info.blackducksoftware.com/OpenSourceSA_LP.html
  9. Vuln: CVE-2015-7547: glibc getaddrinfo stack-based buffer overflow On July 13 2015, the bug report associated with what would ultimately become CVE-2015-7547 was created. https://sourceware.org/ml/libc-alpha/2016-02/msg00416.html https://sourceware.org/bugzilla/show_bug.cgi?id=18665 https://security.googleblog.com/2016/02/cve-2015-7547-glibc-getaddrinfo-stack.html https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-7547 (published via US-CERT) http://cve.mitre.org/cve/cna.html https://openclipart.org/detail/200681/primary-patch
  10. Vuln: CVE-2015-7547: glibc getaddrinfo stack-based buffer overflow The report indicated that a traditional buffer management issue was present. Specifically it said “this change causes the thisanssizp pointer variable used in the recvfrom function on line 1282 to use the wrong size if a new buffer is created after the thisanssizp address has been changed at line 1257” and indicated that the result would be “The program will crash if the calculated size of the buffer used is 0. The recvfrom function will not crash, but any further accesses to the buffer where the bytes read was 0 from the recvfrom function will crash the program. ” https://sourceware.org/ml/libc-alpha/2016-02/msg00416.html https://sourceware.org/bugzilla/show_bug.cgi?id=18665 https://security.googleblog.com/2016/02/cve-2015-7547-glibc-getaddrinfo-stack.html https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-7547 (published via US-CERT) http://cve.mitre.org/cve/cna.html https://openclipart.org/detail/200681/primary-patch
  11. Vuln: CVE-2015-7547: glibc getaddrinfo stack-based buffer overflow On Feb 16, 2016, a CVE assignment was made to the bug list, and it further indicated the problem was introduced in May of 2008 in version 2.9. https://sourceware.org/ml/libc-alpha/2016-02/msg00416.html https://sourceware.org/bugzilla/show_bug.cgi?id=18665 https://security.googleblog.com/2016/02/cve-2015-7547-glibc-getaddrinfo-stack.html https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-7547 (published via US-CERT) http://cve.mitre.org/cve/cna.html https://openclipart.org/detail/200681/primary-patch
12. Vuln: CVE-2015-7547: glibc getaddrinfo stack-based buffer overflow
It wasn’t until two days later that the NVD (National Vulnerability Database) was updated to reflect the vulnerability. This meant that a staggered awareness situation ensued. When disclosures are staggered, there is an increased potential that a bad actor can take advantage of the situation. It’s important to note that this NVD entry came through US-CERT. One important thing to notice is that, unlike the bug report, the NVD overview contains significantly more actionable information; for example, it indicates that DNS is impacted: “a crafted DNS response that triggers a call to the getaddrinfo function with the AF_UNSPEC or AF_INET6 address family, related to performing "dual A/AAAA DNS queries" and the libnss_dns.so.2 NSS module”.
13. Vuln: CVE-2015-7547: glibc getaddrinfo stack-based buffer overflow
Of course, all most data center operators really want is to secure their environment, so the question becomes “how do I do that?”. For an indication of how that plays out, we’ll look at VMware’s response as an example. The first thing most vendors do is create some form of security advisory, which in this case is “VMware Knowledge Base article 2144032”. In it they list the then-current information about their exposure to the vulnerability. Often it’s minimal, but as they investigate, details are fleshed out. On February 22nd, they amended the KB article and created a security advisory, “VMware Security Advisory VMSA-2016-0002”, which included details of a patch for ESXi 5.5; it was updated a day later with a patch for ESXi 6.0. It’s not the least bit uncommon for some subordinate products, including older versions, to take longer to patch: on March 29th, updates were announced to cover “vCenter Server Appliance (VCSA), 5.0 U3f, 5.1 U3c, and 5.5 U3c”. Once you have a patch, you can start working on resolving the issue in your infrastructure.
Sources: https://www.youtube.com/watch?v=hkryI6eapOA http://blogs.vmware.com/security/2016/02/vmware-products-and-cve-2015-7547-glibc-getaddrinfo-security-issue.html
14. Vuln: CVE-2015-7547: glibc getaddrinfo stack-based buffer overflow
From a timeline perspective, we’re looking at close to eight years from the time of the bug to vulnerability resolution. For much of that time, the impact was unknown. Starting in July 2015, the scope of the issue started to be known, but close to seven months were required for investigation, triage, development of a fix and public disclosure. Once the bug was known, the risk of exploitation increased slightly until that disclosure, but following the disclosure the risk goes up dramatically. That’s one reason why knowing what’s running in your environment is so important: the overall goal is to reduce the time between disclosure and fix.
  15. Source: Future of Open Source 2016 survey: https://www.blackducksoftware.com/2016-future-of-open-source
  16. http://www.istockphoto.com/photo/strength-in-unity-gm514713440-88219133?st=af7fa36
17. Docker Container Security Scanner: https://info.blackducksoftware.com/Security-Scan.html
14 Day Free Trial to Black Duck Hub: https://info.blackducksoftware.com/Demo.html
Red Hat Atomic Host Integration (Requires Black Duck Hub): atomic scan --scanner blackduck [container]