Taming the Open Source Beast With an Effective Application Security Testing Program May 4, 2017 | By David Marshak
David Marshak
Senior Offering Manager, IBM
David Marshak focuses on IBM’s Application Security portfolio, including the AppScan product line, cloud offerings and partnerships with companies such as Arxan. Prior to joining IBM in January 2005, Marshak was an internationally known industry analyst and consultant with Patricia Seybold Group for 18 years. Marshak has spoken worldwide to audiences, large and small, on emerging technologies and future trends. He is often called upon to be a featured speaker and panel moderator at numerous industry conferences such as IBM InterConnect, Connect, Pulse, VoiceCon, Collaboration Technologies Conference, Burton Group Catalyst Conference, COMDEX, InternetWorld, Groupware, VON, NetWorld and Lotusphere, among others. He has appeared as an expert commentator on PBS, CNBC and National Public Radio and has lectured on collaboration at Massachusetts Institute of Technology and Babson College. Marshak has been quoted in the Wall Street Journal, Forbes, New York Times, Business Week and Investor’s Business Daily as well as the technical press.
Cute Attacks With Acute Impact on Your Application Security Testing Effectiveness
Here we go again: another vulnerability with a cute name is about to make the news. It will be billed as more dangerous than GHOST, POODLE, FREAK, Heartbleed, Shellshock or the 6,000-plus other vulnerabilities disclosed each year, and we already know at least two things about it:
It will probably be exploited through a vulnerable open source component.
It is highly likely that you will find that open source component in your own applications.
Addressing the Open Source Challenge
Should you stop your developers from using open source? You can’t, at least not if you want them to stay productive. Modern software relies on open source components more than ever: the Forrester report titled “Secure Applications at the Speed of DevOps” states that “approximately 80 to 90 percent of the code in modern applications is from open source components.”
Clearly, open source is here to stay. To protect yourself, you must proactively test your code to ensure that you are not shipping vulnerable libraries. And since it is extremely likely that your organization is exposed in some fashion, you should focus on two specific success factors.
Success Factor One: Integrate Open Source Testing Into DevOps
The single most important thing you can do is know which open source packages your developers use, and specifically which of those packages carry vulnerabilities that can be exploited. This review must be performed as early in the development cycle as possible and repeated continuously, because new vulnerabilities in components you already ship are disclosed all the time: a dependency that was clean at release can be the next headline six months later.
Forrester specifically recommended the following: “Insert a software composition analysis (SCA) tool as early in the SDLC as possible and continue to scan applications, including older applications with inconsistent or long release cycles, to ferret out newly discovered vulnerabilities.” The best way to do this is to integrate open source discovery directly into the application security testing you are already doing, making it an essential part of your DevOps strategy.
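What an SCA gate in a pipeline actually does, as an added example (this is not IBM’s Open Source Analyzer and not code from the original post): take the pinned dependency manifest, match each pinned version against an advisory table of vulnerable version ranges, compute the lowest version that clears every matched advisory, and fail the build above a severity threshold. The manifest and the advisory table are constructed; only the Heartbleed entry reflects a real advisory (CVE-2014-0160, OpenSSL 1.0.1 through 1.0.1f, fixed in 1.0.1g), while the EXAMPLE-* identifiers, `examplelib`, `legacyparser` and `otherlib` are placeholders. The version comparator is a simplified one that handles the cases the page’s examples need (numeric parts, pre-release tags, OpenSSL-style letter patches); ecosystem-specific rules such as PEP 440 or Maven qualifiers are an assumption it does not model.

```python
"""SCA gate for a CI pipeline.  Added example, not IBM's Open Source
Analyzer and not code from the original post.  Inputs are constructed:
a pinned requirements.txt-style manifest and a tiny advisory table.
Only the Heartbleed entry reflects a real advisory (CVE-2014-0160:
OpenSSL 1.0.1 through 1.0.1f, fixed in 1.0.1g); the EXAMPLE-* IDs,
package names and versions are placeholders."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

PRERELEASE_TAGS = {"alpha", "beta", "rc", "pre", "dev", "snapshot"}
SEVERITY_RANK = {"low": 0, "medium": 1, "high": 2, "critical": 3}
PIN_RE = re.compile(r"^([A-Za-z0-9_.\-]+)==([^\s#]+)")


def version_key(version: str) -> Tuple:
    """Sortable key: numbers compare numerically (2.10 > 2.3), pre-release
    tags sort below the release (1.0.0-rc1 < 1.0.0), letter patch suffixes
    above it (1.0.1 < 1.0.1e < 1.0.1g).  PEP 440/Maven rules not modelled."""
    key = []
    for tok in re.findall(r"\d+|[A-Za-z]+", version):
        if tok.isdigit():
            key.append((1, int(tok)))
        else:
            key.append((0 if tok.lower() in PRERELEASE_TAGS else 2, tok.lower()))
    key.append((1, 0))  # sentinel: places the bare release between rc and patch
    return tuple(key)


@dataclass
class Advisory:
    advisory_id: str
    package: str
    introduced: str       # first vulnerable version, inclusive
    fixed: Optional[str]  # first fixed version, exclusive; None = no fix yet
    severity: str

    def affects(self, version: str) -> bool:
        v = version_key(version)
        return (v >= version_key(self.introduced)
                and (self.fixed is None or v < version_key(self.fixed)))


# Constructed advisory table; a real one is fed from NVD plus vendor and
# ecosystem sources and refreshed continuously.
ADVISORIES = [
    Advisory("CVE-2014-0160", "openssl", "1.0.1", "1.0.1g", "high"),  # Heartbleed
    Advisory("EXAMPLE-0001", "examplelib", "2.0.0", "2.3.1", "critical"),
    Advisory("EXAMPLE-0002", "examplelib", "1.0.0", "2.4.0", "medium"),
    Advisory("EXAMPLE-0003", "legacyparser", "0.1", None, "high"),  # unfixed
]

# (package, version, advisory_id, severity, first fixed version or None)
Finding = Tuple[str, str, str, str, Optional[str]]


def parse_manifest(text: str) -> Tuple[Dict[str, str], List[str]]:
    """{package: pinned version} plus requirements that are not exact pins;
    'foo>=1.2' can be neither assessed nor reproduced, so it is reported."""
    pins, unpinned = {}, []
    for line in (raw.split("#", 1)[0].strip() for raw in text.splitlines()):
        m = PIN_RE.match(line)
        if m:
            pins[m.group(1).lower()] = m.group(2)
        elif line:
            unpinned.append(line)
    return pins, unpinned


def scan(manifest_text: str) -> Tuple[List[Finding], List[str]]:
    """Match every pinned component against every advisory for it."""
    pins, unpinned = parse_manifest(manifest_text)
    findings = [(pkg, ver, a.advisory_id, a.severity, a.fixed)
                for pkg, ver in pins.items() for a in ADVISORIES
                if a.package == pkg and a.affects(ver)]
    return findings, unpinned


def upgrade_targets(findings: List[Finding]) -> Dict[str, Optional[str]]:
    """Per package, the single version that clears every matched advisory
    (the highest 'fixed'), or None when some advisory has no fix at all."""
    targets: Dict[str, Optional[str]] = {}
    for pkg, _, _, _, fixed in findings:
        if pkg in targets and targets[pkg] is None:
            continue  # already known to have no upgrade path
        current = targets.get(pkg)
        if (fixed is None or current is None
                or version_key(fixed) > version_key(current)):
            targets[pkg] = fixed
    return targets


def gate(findings: List[Finding], unpinned: List[str],
         fail_on: str = "high") -> bool:
    """True when the build may proceed; floating ranges block it as well."""
    blocking = any(SEVERITY_RANK[sev] >= SEVERITY_RANK[fail_on]
                   for _, _, _, sev, _ in findings)
    return not blocking and not unpinned


SAMPLE_MANIFEST = """\
# constructed sample of pinned build inputs
openssl==1.0.1e     # inside the Heartbleed range 1.0.1 <= v < 1.0.1g
examplelib==2.3.0   # matches EXAMPLE-0001 and EXAMPLE-0002
otherlib==1.4.2     # placeholder with no advisory
"""

if __name__ == "__main__":
    found, loose = scan(SAMPLE_MANIFEST)
    print(*found, sep="\n")
    print("upgrade to:", upgrade_targets(found), "| build allowed:", gate(found, loose))
```

Two details matter in practice and are deliberately visible here: an advisory with no fixed release still produces a finding but no upgrade target, so the gate has to block on severity rather than on “is there a patch”; and an unpinned requirement fails the gate outright, because a floating range cannot be evaluated against version ranges and the component that ends up in the build is not the one that was scanned.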
IBM has made this process easy and transparent. With the introduction of IBM Application Security Open Source Analyzer, part of IBM Application Security on Cloud, open source components are identified automatically during static application security testing (SAST). The components are matched against a list of known vulnerabilities and the results are returned. The results are actionable and include specific remediation recommendations, such as substituting more recent versions of the affected components. They are integrated directly into the reports that identify and remediate vulnerabilities in your custom code, creating a seamless adoption and use model.
Figure 2: Open source vulnerabilities (shown in purple) appear as Fix Groups within the scan report. For more on Application Security on Cloud Fix Groups, consult our IFA blog.
Figure 3: Clicking on the Fix Group shows vulnerability types (in this case, open source CVE), descriptions and links to recommended fixes.
Success Factor Two: Use the Most Reliable Source to Detect Open Source Vulnerabilities
Of course, no matter how seamless the integration is, it boils down to the quality of your testing results. Quality depends on a number of factors, most notably the completeness, breadth, depth and currency of the known vulnerabilities and the remediation recommendations.
IBM Application Security Open Source Analyzer builds a comprehensive inventory of open source packages by identifying them at the file level during application code analysis, rather than relying only on what a build manifest declares. The identified files are then compared with known open source vulnerabilities, the vulnerable ones are flagged, and specific remediation advice is attached.
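What file-level identification looks like in practice, as an added example that is not IBM’s analyzer and not code from the original post: it assumes the common approach of indexing the files of known open source releases by content digest, hashing every file in the build output and looking each one up. A second, normalized digest (comments and whitespace stripped) catches a minified or reformatted copy that an exact hash misses, which is exactly the kind of vendored component no manifest declares. The reference corpus, the build tree and the component name `examplejs` are all constructed placeholders.

```python
"""File-level identification of open source components.  Added example,
not IBM's analyzer and not code from the original post.  Reference
release contents are indexed by content digest; every file in the build
tree is hashed and looked up.  Files, paths and component names are
constructed placeholders."""
import hashlib
import os
import re
import tempfile
from typing import Dict, List, Tuple

Component = Tuple[str, str]  # (name, version)
Match = Tuple[str, str, str, str]  # (relative path, kind, name, version)


def exact_digest(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def normalized_digest(data: bytes) -> str:
    """Digest of the text with C-style comments and all whitespace removed,
    so lib.js and lib.min.js built from the same source collide.  Only
    meaningful for text; binaries still need the exact digest."""
    text = data.decode("utf-8", errors="replace")
    text = re.sub(r"/\*.*?\*/", "", text, flags=re.S)
    text = re.sub(r"//[^\n]*", "", text)
    text = re.sub(r"\s+", "", text)
    return hashlib.sha256(text.encode()).hexdigest()


def index_corpus(corpus: Dict[Component, Dict[str, bytes]]):
    """Build {digest: component} tables from known release contents."""
    exact, normalized = {}, {}
    for component, files in corpus.items():
        for data in files.values():
            exact[exact_digest(data)] = component
            normalized[normalized_digest(data)] = component
    return exact, normalized


def identify_tree(root: str, exact: Dict[str, Component],
                  normalized: Dict[str, Component]) -> List[Match]:
    """Classify every file under root.  Unidentified files are reported
    too: they may be first-party code or an unknown fork, and only a
    human or a richer signature database can tell which."""
    results: List[Match] = []
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            with open(path, "rb") as fh:
                data = fh.read()
            rel = os.path.relpath(path, root).replace(os.sep, "/")
            if exact_digest(data) in exact:
                comp = exact[exact_digest(data)]
                results.append((rel, "exact", comp[0], comp[1]))
            elif normalized_digest(data) in normalized:
                comp = normalized[normalized_digest(data)]
                results.append((rel, "normalized", comp[0], comp[1]))
            else:
                results.append((rel, "unidentified", "", ""))
    return sorted(results)


# Constructed reference corpus: two releases of a placeholder JS library.
REFERENCE_CORPUS: Dict[Component, Dict[str, bytes]] = {
    ("examplejs", "1.2.0"): {
        "example.js": b"// examplejs 1.2.0\nfunction add(a, b) {\n  return a + b;\n}\n",
    },
    ("examplejs", "1.3.0"): {
        "example.js": b"// examplejs 1.3.0\nfunction add(a, b) {\n"
                      b"  return Number(a) + Number(b);\n}\n",
    },
}

# Constructed build tree: an exact vendored copy, a minified copy that no
# manifest declares, and the application's own code.
BUILD_TREE: Dict[str, bytes] = {
    "vendor/example.js": REFERENCE_CORPUS[("examplejs", "1.2.0")]["example.js"],
    "static/example.min.js": b"function add(a,b){return a+b;}",
    "app/main.js": b"console.log(add(2, 2));\n",
}


def demo() -> List[Match]:
    """Write the constructed tree to a temp dir and identify it."""
    exact, normalized = index_corpus(REFERENCE_CORPUS)
    with tempfile.TemporaryDirectory() as root:
        for rel, data in BUILD_TREE.items():
            path = os.path.join(root, *rel.split("/"))
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, "wb") as fh:
                fh.write(data)
        return identify_tree(root, exact, normalized)


if __name__ == "__main__":
    for rel, kind, name, version in demo():
        print(f"{rel:24} {kind:13} {name} {version}".rstrip())
```

The output of `demo()` feeds the version matching from the previous section: `static/example.min.js` resolves to examplejs 1.2.0 even though it is byte-for-byte different from the release file, so an advisory against 1.2.0 would now be applied to it. Whitespace-stripped hashing is a coarse signature and will collide on trivially short files; production tools use finer-grained fingerprints (per-function or per-string-constant), but the pipeline shape, index known releases and look up what you ship, is the same.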
The quality of IBM Application Security Open Source Analyzer data is differentiated in several important ways. The solution:
Supports a large number of languages: Open Source Analyzer is not limited to a small set of languages, as some other solutions are. It supports a very large set, including Java, .NET, JavaScript, PHP, Node.js, C/C++, Ruby, Python, Objective-C, Swift, Go, Scala, Clojure, Groovy, Android, Perl and Pascal.
Identifies a huge set of open source libraries: Across these languages, Open Source Analyzer recognizes more than 3.5 million binary components and nearly half a billion non-binary source libraries.
Leverages a database of more than 230,000 vulnerabilities from public and private sources: IBM Application Security Open Source Analyzer has access to 12 different sources in addition to the commonly used National Vulnerability Database (NVD). By comparison, NVD is estimated to include fewer than 10,000 identified open source vulnerabilities. The Open Source Analyzer database is updated continually, with thousands of newly discovered vulnerabilities added each month.
Provides actionable remediation recommendations: The offering combines information from nearly a dozen authoritative sources, including research from the IBM X-Force team, links to patches, the specific source files affected and the newer versions that fix the issues.
Peace of Mind With Application Security Testing
Embarking on a program to test your open source exposure is the easiest and fastest way to improve your application security posture, not to mention to keep your name out of the press the next time a cute attack (or an acute one) threatens to tarnish your organization’s good name.
Our advice is to access our complimentary trial of IBM Application Security on Cloud featuring Open Source Analyzer today, and see for yourself how easy it is to obtain the peace of mind you desire.
Tags: Application Security | DevOps | Open Source | Static Application Security Testing (SAST) | Vulnerabilities | Vulnerability
The views and opinions expressed in this article are those of the authors and do not necessarily reflect the official policy or position of IBM.
© 2017 IBM