1 of 51

Open Source Software (OSS)

is amazing, and risky.

Let’s secure what you are using!

2 of 51

Nicole Schwartz

I speak about DevSecOps, Agile, Diversity & Inclusion, and Women in Technology.

I am currently a Senior Product Manager of Security at ActiveState, Staff for The Diana Initiative, Skytalks, and BSides Edmonton.

3 of 51

What is OSS?

“Open source software is software with source code that anyone can inspect, modify, and enhance.”

https://opensource.com/resources/what-open-source

Open Source Software (OSS)

“

”

4 of 51

Why Use OSS?

OSS has enabled the acceleration of software development

Don’t write everything from scratch
Open source projects solve hard problems
Domain specific expertise
“Free”

5 of 51

Who Uses OSS?

Most companies!

https://www.synopsys.com/blogs/software-security/open-source-trends-ossra-report.html

“Seventy-seven percent of all code in the codebases originated from open source. Every industry codebase scanned contained open source—most at percentages from 99% to 100%.”

“

”

6 of 51

What risks come with OSS?

License Obligations (Legal)
Defects / Vulnerabilities (CVE)
Introduces more software supply chain threats
Community Abandonment of Project

7 of 51

License Obligations

We can build really complex things because we have an entire lego kit to work with.

Risk: Licenses copy-left

8 of 51

XKCD 927

9 of 51

Defects / Vulnerabilities (CVE)

Accidental (heartbleed)

Intentional

(XZ Utils)

10 of 51

Introduces more software supply chain threats

Your source code uses OSS

OSS uses OSS

That OSS uses OSS

11 of 51

Open Source Vulnerabilities and the Software Supply Chain

Source

Build

Artifacts

Cloud

Commit Malicious Code

Hardcoded Secrets

Bad IaC Templates

Code Leaks

Modify Code

Compromise Build Systems

Bypass CI/CD

Compromise Package Repository

Use Bad Package

Insecure Configurations

Dependencies

Infrastructure Drift

Use Bad Dependencies

Commit Malicious Code

12 of 51

Vulnerabilities vs Supply Chain Threats

Vulnerabilities

13 of 51

Community Abandonment of Project

Free like puppies

14 of 51

XKCD 2347

15 of 51

What OSS are you using?

Knowing what you have and where it is is critical for being able to monitor and respond to issues.

16 of 51

Ways to get an inventory

Restrict access - controlled repository
Automatically scan
Require Approval
Have each team report in and self certify
Combination

17 of 51

Third-Party (Commercial)

TJ pointed out this morning you can ask your commercial third-party suppliers for security assessments
Not something you can require from OSS
But there are some that will provide Attestations (SBOM, SLSA,) or have things like PyPi Trusted Publisher

18 of 51

I Know What I Have…

18

19 of 51

How do you mitigate the risks?

Secure by Design
Security Scanners
OpenSSF Scorecard
SLSA, Trusted Publishers, GUAC, Attestations
Restrict / Monitor Repositories
Vuln triage & remediation process, MTTR targets
Keep (somewhat) up to date
What outgoing calls are happening?

20 of 51

Secure by design

CISA is advocating for Secure by Design & Secure by Default
This means considering security from the start

Influence your choice of language, framework, architecture
Threat modeling
Defense in Depth

Urging prioritization “prioritize the features, mechanisms, and implementation of tools that protect customers rather than [prioritizing] product features.”

21 of 51

Security Scanners

Software composition analysis (SCA) - GitHub code scanning
Secret detection - TruffleHog
Static application security testing (SAST) - SemGrep
Container scanning - Trivy
Dynamic application security testing (DAST) - ZAP
Open source license scanning - FOSSology
Malware scanning - OpenSSF package-analysis

22 of 51

Security Scanners

Software composition analysis (SCA) - GitHub code scanning
Secret detection - TruffleHog
Static application security testing (SAST) - SemGrep
Container scanning - Trivy
Dynamic application security testing (DAST) - ZAP
Open source license scanning - FOSSology
Malware scanning - OpenSSF package-analysis

23 of 51

SAST - SemGrep

Language & Framework Specific
Runs against the source code
Finds: SQL injection, etc.

24 of 51

Secret Detection - TruffleHog

Runs against the source code
Pattern Matching
Finds: API keys, etc.

Secret detection - TruffleHog
So if certain secrets, like your SSH keys, API key, your authorization tokens, follow specific patterns you can use pattern matching to detect if they are included in your code. If they have been checked in - they’ve been leaked, once that is known you can promptly rotate them to reduce your risk.
Inadvertently committing credentials to a shared repository can have serious consequences, yet it is a simple mistake to make. Once an attacker gets your password or API key, they can take over your account, lock you out, and fraudulently spend money. This can even lead to a domino effect where access to one account grants access to others. With the stakes so high, it’s of paramount importance to learn as quickly as possible if secrets have been leaked.
https://about.gitlab.com/blog/2019/03/22/gitlab-11-9-released/
https://pxhere.com/en/photo/1292320

25 of 51

Container Scanning - Trivy

Scans container images
Finds: known CVEs for the components that make up the image

26 of 51

License Compliance - FOSSology

Package manager specific
Runs against the source code
Finds: licenses

27 of 51

DAST - ZAP

Language agnostic
Runs against the running application
Finds: SAST plus Configuration issues, etc.

28 of 51

Malware Scanning - OpenSSF package-analysis

Usually pattern or behaviour
Runs against the running application
Finds: known malware patterns

29 of 51

Fuzzing - fuzzy lop

Language agnostic
Runs against the running application
Finds: buffer overflow, memory leaks

30 of 51

SCA

Package manager specific
Runs against the source code
Finds: vulnerable or out of date libraries

31 of 51

Speaking of SCA

SCA works with or can work from - SBOM

Openssf protobom (CycloneDX, SPDX)

DaggerBoard

Vulnerability Exploitability Exchange (VEX)

32 of 51

OpenSSF Scorecard

OpenSSF Scorecard assesses open source projects for security risks through a series of automated checks. It was created by OSS developers to help improve the health of critical projects that the community depends on.

33 of 51

Frameworks

Supply-chain Levels for Software Artifacts SLSA
Graph for Understanding Artifact Composition GUAC
Attestations
PyPi Trusted Publisher

Supply-chain Levels for Software Artifacts, or SLSA is a framework, a checklist of standards and controls to prevent tampering, improve integrity, and secure packages and infrastructure. Currently a shared language and standard levels for builds processes.

- GUAC (Graph for Understanding Artifact Composition) aims to fill in the gaps by ingesting software metadata, like SBOMs, and mapping out relationships between software. When you know how one piece of software affects another, you’ll be able to fully understand your software security position and act as needed.

- these all rely on Attestations or documentation - which can be signed. A common format is in-toto

- there is also the pypi Trusted Publisher - PyPI package maintainers can adopt a new, more secure publishing method that does not require long-lived passwords or API tokens to be shared with external systems.

34 of 51

Restrict / Monitor Repositories

DIY

JFrog

GitLab

ActiveState

35 of 51

Vuln triage & remediation process

Vulnerability Triage

Tune the noise

Focused based on Threat Models

Vulnerability Remediation

Mean Time to Remediation (MTTR)

36 of 51

Keep (somewhat) up to date

Patches are less painful when it’s muscle memory

37 of 51

Other Tools

OWASP Dependency-Track
Open Source Management Platform (ActiveState)
Open Policy Agent (OPA)
Vuln disclosure programs (use and have)

38 of 51

But I *really* want to be safe…

EU’s Cyber Resilience Act
NIST SSDF
Canadian Centre for Cyber Security – ITSM.10.071
Build from source
Scan OSS like you would your own code
Participate in the community contributing patches

39 of 51

How can I help (everyone)?

Contribute time, money to an OSS Project
Join an (OpenSSF) Working Group
Secure by design
Collaborative Information Sharing

Alberta Cyber Security Community of Interest

40 of 51

Demo

41 of 51

Scenario: you get an email about two pressing issues

Latest PyYaml must be used, no other versions of are allowed.�
Please report any use of wheel.

CVE-2022-40898 https://nvd.nist.gov/vuln/detail/CVE-2022-40898

An issue discovered in Python Packaging Authority (PyPA) Wheel 0.37.1 and earlier allows remote attackers to cause a denial of service via attacker controlled input to wheel cli.

41

42 of 51

ActiveState Platform �- Find OSS

42

43 of 51

Risks in the OSS

43

44 of 51

Package/CVE Search

45 of 51

46 of 51

47 of 51

Recap

Know what you have, and where it is (OSS)

SCA, SBOMs, Excel sheet, whatever!

Be aware of the different risks OSS introduces

Typosquatting, Vulnerabilities, etc

De-risk your use of OSS

Secure by Design, Threat Model, Security Scans, Vulnerability Triage and Remediation

48 of 51

Adam said

Risk:

Asset inventory, Vulnerability, Access, Attacker

Tabletop;

What happens if it this thing goes

Why are you in business?

Don't stand in the way of of business

49 of 51

TJ said

3rd party Risk is Unavoidable

You can't DIY everything

It not IF but WHEN you will have a issue

Incident doesn't need to become a breach

The more suppliers you have the larger the attack surface

Inventory
Assess
Monitor

50 of 51

Q&A

50

51 of 51

Thank you

Try the ActiveState Platform for free:

https://platform.activestate.com/