OSS Security Maturity: Time to Put On Your Big Boy Pants!

Presented at Black Hat USA 2016, Aug. 4, 2016, 2:30 p.m. (50 minutes)

Open source software (OSS) usage is on the rise and continues to be a major source of risk for companies. OSS and third-party code may be inexpensive to use to build products, but it comes with significant liability and maintenance costs. Even after high-profile vulnerabilities in OpenSSL and other critical libraries, tracking and understanding exposure continues to challenge even the most mature enterprise companies. It doesn't matter whether you are a software vendor or not; development and the use of OSS in your organization is most likely significant. It also doesn't matter whether you have been developing software for years or are just getting started, or whether you have one product or one hundred: to many it can feel nearly impossible to keep up with OSS vulnerabilities or, more importantly, to ensure they are properly mitigated.

This presentation looks at the real risk of using OSS and the best way to manage its use within your organization, and more specifically within the Product Development Lifecycle. We will examine all the current hype around OSS and separate out what the real risks are and what organizations should be most concerned about. We explore the true cost of using OSS and review the various factors that can be used to evaluate whether a particular product or library should be used at your organization, including analyzing vulnerability metrics such as Time to Patch. Getting your head wrapped around the issues and the need to improve OSS security is challenging, and then taking action at your organization can feel impossible. This presentation provides several real-world examples that have been successful in practice, including: a case study of a single third-party library's vulnerability across several products, which helps to show why investigating the actual impact against each of your products yields valuable intelligence. We will provide learnings from your incident response function and show why understanding the vulnerabilities in your current software can give you valuable insight into creating smarter products that avoid maintenance costs. Finally, we will introduce a customized OSS Maturity Model and walk through the stages of maturity for organizations developing software with regard to how they prioritize and internalize the risk presented by OSS.
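One concrete way to do the cross-product exposure check and the Time to Patch comparison the abstract describes, as an added Python example (not material from the talk or its presenters): the product inventory, advisory records, identifiers and dates are all constructed, and version comparison assumes plain dotted numeric versions.

```python
from datetime import date

# Constructed inventory (not from the talk): which products bundle which OSS library versions.
PRODUCTS = {
    "ProductA": {"libfoo": "1.2.0", "libbar": "3.1.4"},
    "ProductB": {"libfoo": "1.4.1", "libbaz": "0.9.0"},
    "ProductC": {"libbar": "3.0.0"},
}

# Constructed advisories with placeholder ids: first fixed version plus the dates needed
# to measure how quickly the upstream project shipped a fix after disclosure.
ADVISORIES = [
    {"id": "ADV-0001", "lib": "libfoo", "fixed_in": "1.4.0",
     "disclosed": date(2016, 3, 1), "patched_upstream": date(2016, 3, 4)},
    {"id": "ADV-0002", "lib": "libbar", "fixed_in": "3.1.0",
     "disclosed": date(2016, 1, 10), "patched_upstream": date(2016, 2, 28)},
]


def version_tuple(version):
    """Turn '3.1.4' into (3, 1, 4) so versions compare numerically, not as strings."""
    return tuple(int(part) for part in version.split("."))


def exposed_products(advisory, products=PRODUCTS):
    """Products shipping a version older than the first fixed version are exposed."""
    fixed = version_tuple(advisory["fixed_in"])
    lib = advisory["lib"]
    return sorted(
        name for name, deps in products.items()
        if lib in deps and version_tuple(deps[lib]) < fixed
    )


def time_to_patch_days(advisory):
    """Upstream Time to Patch: days from public disclosure to the fixing release."""
    return (advisory["patched_upstream"] - advisory["disclosed"]).days


def library_ttp_summary(advisories=ADVISORIES):
    """Mean Time to Patch per library, one input when deciding whether to keep using it."""
    per_lib = {}
    for adv in advisories:
        per_lib.setdefault(adv["lib"], []).append(time_to_patch_days(adv))
    return {lib: sum(days) / len(days) for lib, days in per_lib.items()}


if __name__ == "__main__":
    for adv in ADVISORIES:
        print(adv["id"], adv["lib"], "exposed:", exposed_products(adv),
              "upstream TTP:", time_to_patch_days(adv), "days")
    print(library_ttp_summary())
```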


Presenters:

  • Christine Gadsby - BlackBerry
    Christine Gadsby is the Director of BlackBerry's global Product Security Incident Response Team (SIRT). This highly respected team monitors the security threat landscape and responds rapidly to emerging threats for all of BlackBerry's products and services and those of its subsidiaries and consulting customers. Christine played a critical role in creating BlackBerry's 30-day Android patching strategy and monthly customer advisory program. She has presented security response strategies and services to several high-assurance governments, including the NSA, CESG, CSE and GCHQ, as well as several enterprise organizations. She has contributed to publications such as CSO magazine and sits on several boards of industry response organizations and programs. She holds a Bachelor of Science degree in Information Technology and in Business Management from Western Governors University.
  • Jake Kouns - Risk Based Security
    Jake Kouns is the CISO for Risk Based Security, which provides vulnerability and data breach intelligence. Mr. Kouns has presented at many well-known security conferences, including Black Hat, DEF CON, CISO Executive Summit, EntNet IEEE GlobeCom, DerbyCon, FIRST, CanSecWest, RSA, SOURCE, SyScan and many more. He is the co-author of the books Information Technology Risk Management in Enterprise Environments (Wiley, 2010) and The Chief Information Security Officer (IT Governance, 2011). He has briefed the DHS and Pentagon on cyber liability insurance issues and is frequently interviewed as an expert in the security industry by Information Week, eWeek, Forbes, PC World, CSO, CIO and SC Magazine. He has appeared on CNN as well as the Brian Lehrer Show and was featured on the cover of SC Magazine. He holds both a Bachelor of Business Administration and a Master of Business Administration with a concentration in Information Security from James Madison University. In addition, he holds a number of certifications, including ISC2's CISSP and ISACA's CISM, CISA and CGEIT.
