Traveling to security conferences from Boston can be like a mini-reunion. On the flight into Las Vegas I ran into former colleagues from @stake, Veracode , Cigital , and Savant Protection (now part of Digital Guardian ). The Boston security community can be pretty insular, so there was also a mix of people that I “should” know, butwasn’t able toput a name on the face.
Black Hat is a new venue forBlack Duck. We made our name in the compliance market; helping companies reduce risk to their IP by identifying open source components with restrictive licenses. The introduction of Black Duck Hub last year marked our full entrance into the application security space, and the reception we’ve received has been overwhelming.Our partnerships with HPE, IBM Security and Red Hat affirm our commitment to application security. Attending Black Hat briefings gives us excellent insight into security and vulnerability updates in the community.Black Hat Briefings
The briefings at Black Hat are always top notch. My favorite on Wednesday was by “Mudge” and Sarah Zaitko on the work they are doing at CYBER ITL a 501(c)3 funded in part by DARPA, Consumer Reports, and others. The goal of their work is to provide consumers of software with a way to “comparison shop” commercial code for security and quality characteristics.
At Black Duck, we’ve talked about the fact that criminal enterprises need to be productive, just like legitimate businesses. Known vulnerabilities in open source are an obvious target, since organizations often aren’t aware of what they are using in their code, so vulnerable components are not remediated. Our study on commercial code this year found that 67% of the commercial applications we tested included vulnerable open source components, with an average age of over 5 years.Know Your Code
CYBER ITL complements this approach, following the rationale that softer targets are easier for our adversaries to exploit. They do so by looking at various metrics across thousands on multiple platforms, including:Code complexity Application armoring in the compiler, linker, and loader Use of safe and unsafe functions (the worst earning the official designation of “ick”)
They also properly recognize that not all customers view a vulnerability in the same way in terms of the results of an exploit. For example, “exploitability” of an issue is critical to financial services companies, whereas “disruptability” is a lesser concern. They would prefer to be offline for a short period of time to being hacked. Other firms may view uptime as more critical to their business model.Key Takeaways
The key takeways from this are identical to what Black Duck has been pushing since the introduction of theBlack Duck Hub. Understand what’s in your code. For CYBER ITL, it includes vulnerabilities but also the functions developers use and armoring. For us, it means having full knowledge of the 3 rd party components you use, and tracking the ongoing security profile of those components.