SlideShare a Scribd company logo

Create a Unified View of Your Application Security Program – Black Duck Hub and ThreadFix

Denim Group, profile picture
Denim Group

The document discusses the integration of Black Duck Hub and ThreadFix to provide a unified application security program addressing the growing importance of open source in software development. It emphasizes the need for continuous monitoring and a comprehensive approach to managing open source vulnerabilities and highlights the limitations of traditional security tools. Key features include application tracking, vulnerability prioritization, and the ability to alert teams to new vulnerabilities impacting their code.

Technology
1 of 29
Downloaded 13 times
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
© 2016 Denim Group – All Rights Reserved Create a Unified View of Your Application Security Program – Black Duck Hub and ThreadFix December 16th, 2016 Dan Cornell CTO, Denim Group Mike Pittenger Vice President of Security Strategy, Black Duck
© 2016 Denim Group – All Rights Reserved Agenda • State of Application Security • Black Duck Hub Overview • ThreadFix Overview • ThreadFix / Black Duck Hub Integration • Components: Open Source and Internal
8 of the top 10 Software Companies (70 of the top 100) 6 of the top 8 Mobile Handset Vendors 6 of the top 10 Investment Banks 24 Countries 250+ Employees 2,000Customers About Black Duck 40Founded 2002 Of The Fortune 100
Up to 90% Open Source TODAY 50% Open Source 2010 20% Open Source 20051998 10% Open Source Open Source Changed the Way Applications are Built Custom & Commercial Code Open Source Software Source Open Source is the modern architecture
OpenSSL Introduced: 2011 Discovered: 2014 Heartbleed GNU C Library Introduced: 2000 Discovered: 2015 Ghost QEMU Introduced: 2004 Discovered: 2015 Venom Bash Introduced: 1989 Discovered: 2014 Shellshock OpenSSL Introduced: 1990's Discovered: 2015 Freak FREAK! Consequences Can Be Costly When You Can’t Control What You Can’t See
Black Duck Open Source Security Audit Report Highlights Security & Management Challenges
Why Aren’t We Finding These in Testing? • Static analysis • Testing of source code or binaries for unknown security vulnerabilities in custom code • Advantages in buffer overflow, some types of SQL injection • Provides results in source code • Dynamic analysis • Testing of compiled application in a staging environment to detect unknown security vulnerabilities in custom code • Advantages in injection errors, XSS • Provides results by URL, must be traced to source What’s Missing?
• Automated testing finds common vulnerabilities in the code you write • They are good, not perfect • Different tools work better on different classes of bugs • Many types of bugs are undetectable except by trained security researchers There Are No Perfect Answers All possible security vulnerabilities FREAK! Identifiab le with Static Analysis Identifiab le with Dynamic Analysis
0 500 1000 1500 2000 2500 3000 3500 2000 2001 2002 2003 2004 2005 2006 2007 2008 2009 2010 2011 2012 2013 2014 2015 The Threat Landscape Constantly Changes National Vulnerability Database (NVD) Black Duck Extended Vulnerability Data (EVD) • VulnDB (Open Source Vulnerability Database) • In 2015, over 3,000 new vulnerabilities in open source • Since 2004, over 74,000 vulnerabilities have been disclosed by NVD. • 63 reference automated tools • 50 of those are for vulnerabilities reported in the tools • 13 are for vulnerabilities that could be identified by a fuzzer
DEVELOPER DOWNLOADS OUTSOURCED DEVELOPMENT THIRD PARTY LIBRARIES CODE REUSE APPROVED COMPONENTS COMMERCIAL APPS OPEN SOURCE CODE We Have Little Control Over How Open Source Enters The Code Base
To manage open source risks you need an end-to-end approach INVENTORY Open Source Components in Your Code MAP Components to Known Vulnerabilities IDENTIFY License & Code Quality Risks TRACK Policy Violations & Remediation Progress ALERT When New Vulnerabilities Affect Your Code Automation and policy management Integration with DevOps tools and processes
Black Duck Provides Visibility and Control
Vulnerability Information and Alerts
Key Takeaways • Open source is here to stay (and growing) • Open source saves development costs and accelerates time to market • Open Source Security isn’t covered by traditional tools • Static analysis is good, but doesn't help with open source vulnerabilities • Identify open source with known vulnerabilities, early in the SDL • New paradigm requires new methodologies • Visibility to open source and continuous monitoring is required.
© 2016 Denim Group – All Rights Reserved ThreadFix Overview • Create a consolidated view of your applications and vulnerabilities • Prioritize application risk decisions based on data • Translate vulnerabilities to developers in the tools they are already using
© 2016 Denim Group – All Rights Reserved ThreadFix Overview
© 2016 Denim Group – All Rights Reserved Create a consolidated view of your applications and vulnerabilities
© 2016 Denim Group – All Rights Reserved Application Portfolio Tracking
© 2016 Denim Group – All Rights Reserved Vulnerability Import
© 2016 Denim Group – All Rights Reserved Vulnerability Consolidation
© 2016 Denim Group – All Rights Reserved Prioritize application risk decisions based on data
© 2016 Denim Group – All Rights Reserved Vulnerability Prioritization
© 2016 Denim Group – All Rights Reserved Reporting and Metrics
© 2016 Denim Group – All Rights Reserved Translate vulnerabilities to developers in the tools they are already using
© 2016 Denim Group – All Rights Reserved Defect Tracker Integration
© 2016 Denim Group – All Rights Reserved ThreadFix / Black Duck Hub Integration
© 2016 Denim Group – All Rights Reserved ThreadFix HotSpot Technology
© 2016 Denim Group – All Rights Reserved ThreadFix www.threadfix.it Black Duck Hub www.blackducksoftware.com Questions and Contact
© 2016 Denim Group – All Rights Reserved About Denim Group Denim Group is the leading secure software development firm, serving as a trusted advisor on matters of software risk and security. Our flagship ThreadFix product accelerates the process of software vulnerability remediation, reflecting the company's understanding of what it takes to fix application vulnerabilities faster.

More Related Content

PPTX
Microsoft azure
Charith Suriyakula
 
PPTX
Radware - WAF (Web Application Firewall)
Deivid Toledo
 
PDF
CMDBあれこれ
OSSラボ株式会社
 
PDF
Microsoft Azure Active Directory
David J Rosenthal
 
PPTX
Cisco umbrella youtube
Dhruv Sharma
 
PPT
Openstack swift - VietOpenStack 6thmeeetup
Vietnam Open Infrastructure User Group
 
PPTX
Zero trust deck 2020
Guido Marchetti
 
PDF
F5 DDoS Protection
MarketingArrowECS_CZ
 
Microsoft azure
Charith Suriyakula
 
Radware - WAF (Web Application Firewall)
Deivid Toledo
 
CMDBあれこれ
OSSラボ株式会社
 
Microsoft Azure Active Directory
David J Rosenthal
 
Cisco umbrella youtube
Dhruv Sharma
 
Openstack swift - VietOpenStack 6thmeeetup
Vietnam Open Infrastructure User Group
 
Zero trust deck 2020
Guido Marchetti
 
F5 DDoS Protection
MarketingArrowECS_CZ
 

What's hot (20)

PDF
DDoS Attack Preparation and Mitigation
Jerod Brennen
 
PPTX
Close your security gaps and get 100% of your traffic protected with Cloudflare
Cloudflare
 
PPTX
Azure Infrastructure as Code and Hashicorp Terraform
Alex Mags
 
PDF
Cloud Computing Using OpenStack
Bangladesh Network Operators Group
 
PPTX
Cloud security, Cloud security Access broker, CSAB's 4 pillar, deployment mode
Himani Singh
 
PDF
AWS Black Belt Techシリーズ AWS Direct Connect
Amazon Web Services Japan
 
PDF
VMware NSX - Lessons Learned from real project
David Pasek
 
PDF
Azure Security Overview
David J Rosenthal
 
PDF
Five Connectivity and Security Use Cases for Azure VNets
Khash Nakhostin
 
PPTX
ISO 27001 Bilgi Güvenliği Yönetim Sistemi
Emre ERKIRAN
 
PDF
AWS Summit Seoul 2023 | 새로운 금융 서비스 출시 시 Agility 확보 방안
Amazon Web Services Korea
 
PDF
AWS Black Belt online seminar 2017 Snowball
Amazon Web Services Japan
 
DOCX
VERİTABANI SIZMA TESTLERİ
BGA Cyber Security
 
PDF
Özgür yazılımlarla DDOS Engelleme
BGA Cyber Security
 
PPTX
cn-series-se-presentation.pptx
eli lama sabachtani sinaga
 
PDF
Microsoft Windows Server 2022 Overview
David J Rosenthal
 
PDF
Az 104 session 3 azure compute
AzureEzy1
 
PPTX
Implementando DRP en AWS
Amazon Web Services LATAM
 
PPTX
CLOUD NATIVE SECURITY
Maganathin Veeraragaloo
 
PDF
Cybersecurity concepts & Defense best practises
WAJAHAT IQBAL
 
DDoS Attack Preparation and Mitigation
Jerod Brennen
 
Close your security gaps and get 100% of your traffic protected with Cloudflare
Cloudflare
 
Azure Infrastructure as Code and Hashicorp Terraform
Alex Mags
 
Cloud Computing Using OpenStack
Bangladesh Network Operators Group
 
Cloud security, Cloud security Access broker, CSAB's 4 pillar, deployment mode
Himani Singh
 
AWS Black Belt Techシリーズ AWS Direct Connect
Amazon Web Services Japan
 
VMware NSX - Lessons Learned from real project
David Pasek
 
Azure Security Overview
David J Rosenthal
 
Five Connectivity and Security Use Cases for Azure VNets
Khash Nakhostin
 
ISO 27001 Bilgi Güvenliği Yönetim Sistemi
Emre ERKIRAN
 
AWS Summit Seoul 2023 | 새로운 금융 서비스 출시 시 Agility 확보 방안
Amazon Web Services Korea
 
AWS Black Belt online seminar 2017 Snowball
Amazon Web Services Japan
 
VERİTABANI SIZMA TESTLERİ
BGA Cyber Security
 
Özgür yazılımlarla DDOS Engelleme
BGA Cyber Security
 
cn-series-se-presentation.pptx
eli lama sabachtani sinaga
 
Microsoft Windows Server 2022 Overview
David J Rosenthal
 
Az 104 session 3 azure compute
AzureEzy1
 
Implementando DRP en AWS
Amazon Web Services LATAM
 
CLOUD NATIVE SECURITY
Maganathin Veeraragaloo
 
Cybersecurity concepts & Defense best practises
WAJAHAT IQBAL
 
Ad

Viewers also liked (12)

PDF
Monitoring Application Attack Surface to Integrate Security into DevOps Pipel...
Denim Group
 
PDF
What a locked down law firm looks like updated
Denim Group
 
PDF
Clear AppSec Visibility with AppSpider and ThreadFix
Denim Group
 
PDF
Enterprise Vulnerability Management: Back to Basics
Damon Small
 
PDF
ThreadFix and SD Elements Unifying Security Requirements and Vulnerability Ma...
Denim Group
 
PDF
Running a High-Efficiency, High-Visibility Application Security Program with...
Denim Group
 
PDF
ThreadFix 2.4: Maximizing the Impact of Your Application Security Resources
Denim Group
 
PDF
Optimizing Your Application Security Program with Netsparker and ThreadFix
Denim Group
 
PDF
SecDevOps: Development Tools for Security Pros
Denim Group
 
PDF
Running a Comprehensive Application Security Program with Checkmarx and Threa...
Denim Group
 
PDF
The ABCs of Source-Assisted Web Application Penetration Testing With OWASP ZA...
Denim Group
 
PDF
Monitoring Attack Surface to Secure DevOps Pipelines
Denim Group
 
Monitoring Application Attack Surface to Integrate Security into DevOps Pipel...
Denim Group
 
What a locked down law firm looks like updated
Denim Group
 
Clear AppSec Visibility with AppSpider and ThreadFix
Denim Group
 
Enterprise Vulnerability Management: Back to Basics
Damon Small
 
ThreadFix and SD Elements Unifying Security Requirements and Vulnerability Ma...
Denim Group
 
Running a High-Efficiency, High-Visibility Application Security Program with...
Denim Group
 
ThreadFix 2.4: Maximizing the Impact of Your Application Security Resources
Denim Group
 
Optimizing Your Application Security Program with Netsparker and ThreadFix
Denim Group
 
SecDevOps: Development Tools for Security Pros
Denim Group
 
Running a Comprehensive Application Security Program with Checkmarx and Threa...
Denim Group
 
The ABCs of Source-Assisted Web Application Penetration Testing With OWASP ZA...
Denim Group
 
Monitoring Attack Surface to Secure DevOps Pipelines
Denim Group
 
Ad

Similar to Create a Unified View of Your Application Security Program – Black Duck Hub and ThreadFix (20)

PDF
Q1 2016 Open Source Security Report: Glibc and Beyond
Black Duck by Synopsys
 
PDF
Application Security in the Age of Open Source
Black Duck by Synopsys
 
PPTX
Secure application deployment in the age of continuous delivery
Black Duck by Synopsys
 
PPTX
Secure application deployment in the age of continuous delivery
Tim Mackey
 
PDF
Managing Your Application Security Program with the ThreadFix Ecosystem
Denim Group
 
PDF
3/ Black Duck @ OPEN'16
Kangaroot
 
PDF
ThreadFix 2.1 and Your Application Security Program
Denim Group
 
PPTX
RVAsec Bill Weinberg Open Source Hygiene Presentation
Black Duck by Synopsys
 
PDF
Hybrid Analysis Mapping: Making Security and Development Tools Play Nice Toge...
Denim Group
 
PPTX
September 13, 2016: Security in the Age of Open Source:
Black Duck by Synopsys
 
PDF
ThreadFix 2.2 Preview Webinar with Dan Cornell
Denim Group
 
PPTX
OSS has taken over the enterprise: The top five OSS trends of 2015
Rogue Wave Software
 
PDF
Building Blocks of Secure Development: How to Make Open Source Work for You
SBWebinars
 
PPTX
Software Security Assurance for DevOps - Hewlett Packard Enterprise + Black Duck
Black Duck by Synopsys
 
PPTX
Software Security Assurance for DevOps
Black Duck by Synopsys
 
PPTX
Software Security Assurance for Devops
Jerika Phelps
 
PPTX
(Isc)² secure johannesburg
Tunde Ogunkoya
 
PDF
комплексная защита от современных интернет угроз с помощью Check point sandblast
Diana Frolova
 
PPTX
Scalar Security Roadshow - Calgary Presentation
Scalar Decisions
 
PPTX
Scalar Security Roadshow - Vancouver Presentation
Scalar Decisions
 
Q1 2016 Open Source Security Report: Glibc and Beyond
Black Duck by Synopsys
 
Application Security in the Age of Open Source
Black Duck by Synopsys
 
Secure application deployment in the age of continuous delivery
Black Duck by Synopsys
 
Secure application deployment in the age of continuous delivery
Tim Mackey
 
Managing Your Application Security Program with the ThreadFix Ecosystem
Denim Group
 
3/ Black Duck @ OPEN'16
Kangaroot
 
ThreadFix 2.1 and Your Application Security Program
Denim Group
 
RVAsec Bill Weinberg Open Source Hygiene Presentation
Black Duck by Synopsys
 
Hybrid Analysis Mapping: Making Security and Development Tools Play Nice Toge...
Denim Group
 
September 13, 2016: Security in the Age of Open Source:
Black Duck by Synopsys
 
ThreadFix 2.2 Preview Webinar with Dan Cornell
Denim Group
 
OSS has taken over the enterprise: The top five OSS trends of 2015
Rogue Wave Software
 
Building Blocks of Secure Development: How to Make Open Source Work for You
SBWebinars
 
Software Security Assurance for DevOps - Hewlett Packard Enterprise + Black Duck
Black Duck by Synopsys
 
Software Security Assurance for DevOps
Black Duck by Synopsys
 
Software Security Assurance for Devops
Jerika Phelps
 
(Isc)² secure johannesburg
Tunde Ogunkoya
 
комплексная защита от современных интернет угроз с помощью Check point sandblast
Diana Frolova
 
Scalar Security Roadshow - Calgary Presentation
Scalar Decisions
 
Scalar Security Roadshow - Vancouver Presentation
Scalar Decisions
 

More from Denim Group (20)

PDF
Long-term Impact of Log4J
Denim Group
 
PDF
Threat Modeling the CI/CD Pipeline to Improve Software Supply Chain Security ...
Denim Group
 
PDF
Threat Modeling the CI/CD Pipeline to Improve Software Supply Chain Security ...
Denim Group
 
PDF
Optimizing Security Velocity in Your DevSecOps Pipeline at Scale
Denim Group
 
PDF
Application Asset Management with ThreadFix
Denim Group
 
PDF
OWASP San Antonio Meeting 10/2/20
Denim Group
 
PDF
AppSec Fast and Slow: Your DevSecOps CI/CD Pipeline Isn’t an SSA Program
Denim Group
 
PDF
Using Collaboration to Make Application Vulnerability Management a Team Sport
Denim Group
 
PDF
Managing Penetration Testing Programs and Vulnerability Time to Live with Thr...
Denim Group
 
PDF
Security Champions: Pushing Security Expertise to the Edges of Your Organization
Denim Group
 
PDF
The As, Bs, and Four Cs of Testing Cloud-Native Applications
Denim Group
 
PDF
An Updated Take: Threat Modeling for IoT Systems
Denim Group
 
PPTX
Continuous Authority to Operate (ATO) with ThreadFix – Bringing Commercial In...
Denim Group
 
PDF
A New View of Your Application Security Program with Snyk and ThreadFix
Denim Group
 
PDF
Enabling Developers in Your Application Security Program With Coverity and Th...
Denim Group
 
PDF
AppSec in a World of Digital Transformation
Denim Group
 
PDF
The As, Bs, and Four Cs of Testing Cloud-Native Applications
Denim Group
 
PDF
Enabling Developers in Your Application Security Program With Coverity and Th...
Denim Group
 
PDF
AppSec in a World of Digital Transformation
Denim Group
 
PDF
Enumerating Enterprise Attack Surface
Denim Group
 
Long-term Impact of Log4J
Denim Group
 
Threat Modeling the CI/CD Pipeline to Improve Software Supply Chain Security ...
Denim Group
 
Threat Modeling the CI/CD Pipeline to Improve Software Supply Chain Security ...
Denim Group
 
Optimizing Security Velocity in Your DevSecOps Pipeline at Scale
Denim Group
 
Application Asset Management with ThreadFix
Denim Group
 
OWASP San Antonio Meeting 10/2/20
Denim Group
 
AppSec Fast and Slow: Your DevSecOps CI/CD Pipeline Isn’t an SSA Program
Denim Group
 
Using Collaboration to Make Application Vulnerability Management a Team Sport
Denim Group
 
Managing Penetration Testing Programs and Vulnerability Time to Live with Thr...
Denim Group
 
Security Champions: Pushing Security Expertise to the Edges of Your Organization
Denim Group
 
The As, Bs, and Four Cs of Testing Cloud-Native Applications
Denim Group
 
An Updated Take: Threat Modeling for IoT Systems
Denim Group
 
Continuous Authority to Operate (ATO) with ThreadFix – Bringing Commercial In...
Denim Group
 
A New View of Your Application Security Program with Snyk and ThreadFix
Denim Group
 
Enabling Developers in Your Application Security Program With Coverity and Th...
Denim Group
 
AppSec in a World of Digital Transformation
Denim Group
 
The As, Bs, and Four Cs of Testing Cloud-Native Applications
Denim Group
 
Enabling Developers in Your Application Security Program With Coverity and Th...
Denim Group
 
AppSec in a World of Digital Transformation
Denim Group
 
Enumerating Enterprise Attack Surface
Denim Group
 

Recently uploaded (20)

PPTX
MYSQL Presentation for SQL database connectivity
Swati270511
 
PDF
Review of recent advances in non-invasive hemoglobin estimation
IAESIJAI
 
PPTX
Big Data Technologies - Introduction.pptx
kuthubussaman1
 
PDF
Agricultural_Statistics_at_a_Glance_2022_0.pdf
SandeepSingh286037
 
PDF
Building Integrated photovoltaic BIPV_UPV.pdf
SandeepSingh286037
 
DOCX
The AUB Centre for AI in Media Proposal.docx
GAONE9
 
PDF
Unlocking AI with Model Context Protocol (MCP)
Brian McKeiver
 
PDF
Bridging biosciences and deep learning for revolutionary discoveries: a compr...
IAESIJAI
 
PDF
Mobile App Security Testing_ A Comprehensive Guide.pdf
flufftailshop
 
PDF
Encapsulation_ Review paper, used for researhc scholars
gurumoop
 
PDF
Architecting across the Boundaries of two Complex Domains - Healthcare & Tech...
Peter Tan
 
PPTX
Understanding_Digital_Forensics_Presentation.pptx
ImranKhan423233
 
PDF
Dropbox Q2 2025 Financial Results & Investor Presentation
Dropbox
 
PDF
The Rise and Fall of 3GPP – Time for a Sabbatical?
3G4G
 
PPTX
Cloud computing and distributed systems.
kkkkkhan
 
PDF
KodekX | Application Modernization Development
KodekX
 
PDF
Chapter 3 Spatial Domain Image Processing.pdf
Getnet Tigabie Askale -(GM)
 
PPTX
Digital-Transformation-Roadmap-for-Companies.pptx
David Malick Dieng
 
PDF
TokAI - TikTok AI Agent : The First AI Application That Analyzes 10,000+ Vira...
SOFTTECHHUB
 
PPTX
PA Analog/Digital System: The Backbone of Modern Surveillance and Communication
AVTRON Technologies LLC
 
MYSQL Presentation for SQL database connectivity
Swati270511
 
Review of recent advances in non-invasive hemoglobin estimation
IAESIJAI
 
Big Data Technologies - Introduction.pptx
kuthubussaman1
 
Agricultural_Statistics_at_a_Glance_2022_0.pdf
SandeepSingh286037
 
Building Integrated photovoltaic BIPV_UPV.pdf
SandeepSingh286037
 
The AUB Centre for AI in Media Proposal.docx
GAONE9
 
Unlocking AI with Model Context Protocol (MCP)
Brian McKeiver
 
Bridging biosciences and deep learning for revolutionary discoveries: a compr...
IAESIJAI
 
Mobile App Security Testing_ A Comprehensive Guide.pdf
flufftailshop
 
Encapsulation_ Review paper, used for researhc scholars
gurumoop
 
Architecting across the Boundaries of two Complex Domains - Healthcare & Tech...
Peter Tan
 
Understanding_Digital_Forensics_Presentation.pptx
ImranKhan423233
 
Dropbox Q2 2025 Financial Results & Investor Presentation
Dropbox
 
The Rise and Fall of 3GPP – Time for a Sabbatical?
3G4G
 
Cloud computing and distributed systems.
kkkkkhan
 
KodekX | Application Modernization Development
KodekX
 
Chapter 3 Spatial Domain Image Processing.pdf
Getnet Tigabie Askale -(GM)
 
Digital-Transformation-Roadmap-for-Companies.pptx
David Malick Dieng
 
TokAI - TikTok AI Agent : The First AI Application That Analyzes 10,000+ Vira...
SOFTTECHHUB
 
PA Analog/Digital System: The Backbone of Modern Surveillance and Communication
AVTRON Technologies LLC
 

Create a Unified View of Your Application Security Program – Black Duck Hub and ThreadFix

  • 1. © 2016 Denim Group – All Rights Reserved Create a Unified View of Your Application Security Program – Black Duck Hub and ThreadFix December 16th, 2016 Dan Cornell CTO, Denim Group Mike Pittenger Vice President of Security Strategy, Black Duck
  • 2. © 2016 Denim Group – All Rights Reserved Agenda • State of Application Security • Black Duck Hub Overview • ThreadFix Overview • ThreadFix / Black Duck Hub Integration • Components: Open Source and Internal
  • 3. 8 of the top 10 Software Companies (70 of the top 100) 6 of the top 8 Mobile Handset Vendors 6 of the top 10 Investment Banks 24 Countries 250+ Employees 2,000Customers About Black Duck 40Founded 2002 Of The Fortune 100
  • 4. Up to 90% Open Source TODAY 50% Open Source 2010 20% Open Source 20051998 10% Open Source Open Source Changed the Way Applications are Built Custom & Commercial Code Open Source Software Source Open Source is the modern architecture
  • 5. OpenSSL Introduced: 2011 Discovered: 2014 Heartbleed GNU C Library Introduced: 2000 Discovered: 2015 Ghost QEMU Introduced: 2004 Discovered: 2015 Venom Bash Introduced: 1989 Discovered: 2014 Shellshock OpenSSL Introduced: 1990's Discovered: 2015 Freak FREAK! Consequences Can Be Costly When You Can’t Control What You Can’t See
  • 6. Black Duck Open Source Security Audit Report Highlights Security & Management Challenges
  • 7. Why Aren’t We Finding These in Testing? • Static analysis • Testing of source code or binaries for unknown security vulnerabilities in custom code • Advantages in buffer overflow, some types of SQL injection • Provides results in source code • Dynamic analysis • Testing of compiled application in a staging environment to detect unknown security vulnerabilities in custom code • Advantages in injection errors, XSS • Provides results by URL, must be traced to source What’s Missing?
  • 8. • Automated testing finds common vulnerabilities in the code you write • They are good, not perfect • Different tools work better on different classes of bugs • Many types of bugs are undetectable except by trained security researchers There Are No Perfect Answers All possible security vulnerabilities FREAK! Identifiab le with Static Analysis Identifiab le with Dynamic Analysis
  • 9. 0 500 1000 1500 2000 2500 3000 3500 2000 2001 2002 2003 2004 2005 2006 2007 2008 2009 2010 2011 2012 2013 2014 2015 The Threat Landscape Constantly Changes National Vulnerability Database (NVD) Black Duck Extended Vulnerability Data (EVD) • VulnDB (Open Source Vulnerability Database) • In 2015, over 3,000 new vulnerabilities in open source • Since 2004, over 74,000 vulnerabilities have been disclosed by NVD. • 63 reference automated tools • 50 of those are for vulnerabilities reported in the tools • 13 are for vulnerabilities that could be identified by a fuzzer
  • 10. DEVELOPER DOWNLOADS OUTSOURCED DEVELOPMENT THIRD PARTY LIBRARIES CODE REUSE APPROVED COMPONENTS COMMERCIAL APPS OPEN SOURCE CODE We Have Little Control Over How Open Source Enters The Code Base
  • 11. To manage open source risks you need an end-to-end approach INVENTORY Open Source Components in Your Code MAP Components to Known Vulnerabilities IDENTIFY License & Code Quality Risks TRACK Policy Violations & Remediation Progress ALERT When New Vulnerabilities Affect Your Code Automation and policy management Integration with DevOps tools and processes
  • 12. Black Duck Provides Visibility and Control
  • 14. Key Takeaways • Open source is here to stay (and growing) • Open source saves development costs and accelerates time to market • Open Source Security isn’t covered by traditional tools • Static analysis is good, but doesn't help with open source vulnerabilities • Identify open source with known vulnerabilities, early in the SDL • New paradigm requires new methodologies • Visibility to open source and continuous monitoring is required.
  • 15. © 2016 Denim Group – All Rights Reserved ThreadFix Overview • Create a consolidated view of your applications and vulnerabilities • Prioritize application risk decisions based on data • Translate vulnerabilities to developers in the tools they are already using
  • 16. © 2016 Denim Group – All Rights Reserved ThreadFix Overview
  • 17. © 2016 Denim Group – All Rights Reserved Create a consolidated view of your applications and vulnerabilities
  • 18. © 2016 Denim Group – All Rights Reserved Application Portfolio Tracking
  • 19. © 2016 Denim Group – All Rights Reserved Vulnerability Import
  • 20. © 2016 Denim Group – All Rights Reserved Vulnerability Consolidation
  • 21. © 2016 Denim Group – All Rights Reserved Prioritize application risk decisions based on data
  • 22. © 2016 Denim Group – All Rights Reserved Vulnerability Prioritization
  • 23. © 2016 Denim Group – All Rights Reserved Reporting and Metrics
  • 24. © 2016 Denim Group – All Rights Reserved Translate vulnerabilities to developers in the tools they are already using
  • 25. © 2016 Denim Group – All Rights Reserved Defect Tracker Integration
  • 26. © 2016 Denim Group – All Rights Reserved ThreadFix / Black Duck Hub Integration
  • 27. © 2016 Denim Group – All Rights Reserved ThreadFix HotSpot Technology
  • 28. © 2016 Denim Group – All Rights Reserved ThreadFix www.threadfix.it Black Duck Hub www.blackducksoftware.com Questions and Contact
  • 29. © 2016 Denim Group – All Rights Reserved About Denim Group Denim Group is the leading secure software development firm, serving as a trusted advisor on matters of software risk and security. Our flagship ThreadFix product accelerates the process of software vulnerability remediation, reflecting the company's understanding of what it takes to fix application vulnerabilities faster.