Security Vulnerabilities in Third Party Code: FIX ALL THE THINGS!
KYMBERLEE PRICE
BUGCROWD
whoami?
- Senior Director of a Red Team
- PSIRT Case Manager
- Data Analyst
- Internet Crime Investigator
- Security Evangelist
- Behavioral Psychologist
- Lawful Good
@kym_possible
Agenda
- Quick overview of problem space
- A deeper look at 7 specific libraries
- Library Management SDL Recommendations
- Case study
Development Realities
Where the Vulns Are
“Third-party programs are responsible for 76% of the
vulnerabilities discovered in the 50 most popular
programs in 2013, say the results of Secunia's
Vulnerability Review 2014”
http://www.net-security.org/secworld.php?id=16448
Vulnerabilities by Type
Source: VulnDB, July 14, 2015
bashHOLE?
Shell Shock.. meh
How many vulnerabilities do you
think there have been in OpenSSL
since Heartbleed?
(please don’t use the Secunia counting method!)
Let's Play Another Game!
ID | Disc Date | CVSS | Title
124300 7/9/2015 4 OpenSSL crypto/x509/x509_vfy.c X509_verify_cert() Function Alternative Certificate Chain Handling Certificate Validation Bypass
123176 6/11/2015 10 OpenSSL DTLS Application Data Buffering Invalid Free Remote Memory Corruption
123175 6/11/2015 7.8 OpenSSL signedData Message Unknown Hash Function Processing Infinite Loop Remote DoS
123174 6/11/2015 7.8 OpenSSL crypto/pkcs7/pk7_doit.c PKCS7_dataDecode() Function ASN.1-encoded PKCS#7 Blob Handling NULL Pointer Dereference Remote DoS
123173 6/11/2015 8.5 OpenSSL crypto/x509/x509_vfy.c X509_cmp_time() Function ASN1_TIME String Handling Out-of-bounds Read Issue
123172 6/11/2015 7.8 OpenSSL crypto/bn/bn_gf2m.c BN_GF2m_mod_inv() Function ECParameters Structure Binary Polynomial Field Parsing Infinite Loop Remote DoS
122875 6/2/2015 10 OpenSSL NewSessionTicket Ticket Re-use Double-free Remote Unspecified Issue
122733 5/26/2015 7.8 OpenSSL crypto/bn/random.c BN_rand() Function Off-by-one Buffer Overflow DoS
122331 5/19/2015 4 Transport Layer Security (TLS) Protocol DHE_EXPORT Ciphers Downgrade MitM (Logjam)
122984 5/19/2015 7.5 OpenSSL crypto/bn/bn_print.c BN_bn2hex() Function Off-by-one Buffer Overflow Weakness
119692 3/18/2015 7.8 OpenSSL Invalid Signature Algorithms Extension Renegotiation NULL Pointer Dereference Remote DoS
119760 3/16/2015 7.1 OpenSSL ssl/d1_lib.c dtls1_listen() Function SSL Object State Preservation DoS
119757 3/16/2015 7.8 OpenSSL SSLv2 CLIENT-MASTER-KEY Message Handling Assertion Remote DoS
119758 3/16/2015 7.1 OpenSSL ssl/s3_pkt.c ssl3_write_bytes() Function Multiblock Implementation DoS
119614 3/16/2015 7.8 OpenSSL Client Authentication DHE Ciphersuite Zero-length ClientKeyExchange Message Handling Remote DoS
119756 3/16/2015 7.1 OpenSSL PKCS#7 Missing Outer ContentInfo Handling NULL Pointer Dereference DoS
119759 3/16/2015 7.1 OpenSSL crypto/rsa/rsa_ameth.c rsa_item_verify() Function Invalid PSS Parameters Handling NULL Pointer Dereference DoS
119755 3/16/2015 9.3 OpenSSL crypto/asn1/tasn_dec.c ASN1_item_ex_d2i() Function ASN.1 Structure Reuse Memory Corruption
119761 3/16/2015 7.1 OpenSSL crypto/asn1/a_type.c ASN1_TYPE_cmp() Function Invalid Read DoS
119673 3/10/2015 2.6 OpenSSL s3_clnt.c ssl3_client_hello() Function Unseeded PRNG Handshake Completion Predictable Output
120058 3/3/2015 2.6 OpenSSL Malformed TLS Handshake False Start Data Remote MitM Disclosure Weakness
119328 3/2/2015 5.4 OpenSSL crypto/x509/x509_req.c X509_to_X509_REQ() Function Public Key Handling NULL Pointer Dereference DoS
118817 2/25/2015 10 OpenSSL crypto/ec/ec_asn1.c d2i_ECPrivateKey() Function Error Handling Use-after-free DoS
117855 1/19/2015 2.6 Secure Sockets Layer Version 3 (SSLv3) / Transport Layer Security (TLS) Protocols RC4 Cipher Key Invariance Weakness MitM Plaintext Disclosure (BAR-MITZVAH)
116791 1/8/2015 7.8 OpenSSL dtls1_buffer_record() Function DTLS Record Saturation Handling Memory Leak Remote DoS
116793 1/8/2015 7.8 OpenSSL dtls1_get_record DTLS Message Handling NULL Pointer Dereference Remote DoS
116790 1/8/2015 5.1 OpenSSL TLS DH Certificate Missing Certificate Verify Message Handling MitM Spoofing (SKIP-TLS)
116796 1/8/2015 5.1 OpenSSL Bignum Squaring Incorrect Result Weakness
116794 1/6/2015 4 OpenSSL RSA Temporary Key Handling EXPORT_RSA Ciphers Downgrade MitM (FREAK)
116792 1/5/2015 4.3 OpenSSL Signature Algorithm / Signature Encoding Modification Certificate Fingerprint Manipulation Weakness
116795 1/5/2015 5 OpenSSL Missing Server Key Exchange Message Handling ECDH Ciphersuite Downgrade Issue
116423 10/16/2014 7.8 OpenSSL s23_srvr.c ssl23_get_client_hello() Function SSLv3 Handshake Handling NULL Pointer Dereference Remote DoS
113377 10/15/2014 5 OpenSSL no-ssl3 Build Option SSL 3.0 Handshake Handling Weakness
113373 10/14/2014 7.8 OpenSSL DTLS SRTP Extension Parsing Code Handshake Message Handling Memory Leak Remote DoS
113374 10/14/2014 7.8 OpenSSL SSL/TLS/DTLS Server Failed Session Ticket Verification Handling Memory Leak Remote DoS
113251 10/13/2014 2.6 SSL 3.0 Protocol CBC-mode Ciphers Fallback MitM Remote Cleartext Information Disclosure (POODLE)
109892 8/6/2014 7.8 OpenSSL DTLS Handshake Messages Processing Memory Consumption Remote DoS
109893 8/6/2014 7.8 OpenSSL DTLS Packet Handling Double-free Remote DoS
109894 8/6/2014 5 OpenSSL OBJ_obj2txt Multiple Pretty Printing Functions Pretty Printing Output Remote Information Disclosure
109898 8/6/2014 7.1 OpenSSL SRP Ciphersuite NULL Pointer Dereference Remote DoS
109891 8/6/2014 7.8 OpenSSL Crafted DTLS Packet Handling Memory Leak Remote DoS
109897 8/6/2014 10 OpenSSL SRP Protocol Code Multiple Parameter Remote Buffer Overflow
109896 8/6/2014 2.6 OpenSSL SSL/TLS Server Code ClientHello Message Fragmentation Forced TLS Downgrade Weakness
109902 8/6/2014 9.3 OpenSSL ssl_parse_serverhello_tlsext Resumed Session EC Point Format Extension Handling Race Condition Use-after-free Issue
109895 8/6/2014 7.8 OpenSSL Anonymous (EC)DH Ciphersuite Crafted Handshake Messages NULL Pointer Dereference Remote DoS
107731 6/4/2014 7.8 OpenSSL TLS Client Anonymous ECDH Ciphersuite Unspecified Remote DoS
107730 6/4/2014 10 OpenSSL Invalid DTLS Fragment Handling Remote Buffer Overflow
107732 6/4/2014 7.8 OpenSSL ssl/d1_both.c dtls1_get_message_fragment() Function Invalid DTLS Handshake Handling Remote DoS
107729 6/3/2014 4 OpenSSL Crafted Handshake Weak Keying Material Rollback MitM Weakness
119743 5/6/2014 9.3 OpenSSL crypto/evp/encode.c EVP_DecodeUpdate() Function Base64 Decoding Integer Underflow
106531 4/30/2014 7.8 OpenSSL / LibReSSL ssl/s3_pkt.c do_ssl3_write() Function NULL Pointer Dereference Remote DoS
105763 4/11/2014 4 OpenSSL ssl/s3_pkt.c ssl3_read_bytes() Function Use-after-free Remote Content Injection
105465 4/7/2014 5 OpenSSL TLS Heartbeat Extension Packets Handling Out-of-bounds Read Remote Memory Disclosure (Heartbleed)
Average CVSS: 5.23
Let's Talk Data
- Vulnerability data
- Spreadsheet software
- Probably a browser
Putting Data to Use (without being a data scientist)
- Data from public sources is limited
- FFMPEG: CVE Details vs. VulnDB
  - CVE Details: 191
  - VulnDB: 1,000+
DATA CAVEAT
“Fixes the following vulnerabilities [CVE LIST] …and more security issues that have no CVE number. Many of these issues can be exploited when a remote file is played back and a few are probable arbitrary code execution vulnerabilities.”
Vuln Spread:
…And multiple products by HP, Oracle (including Java), F-Secure, IBM, MySQL, Novell,
OpenBSD, Intel, Juniper, Rapid7, nginx, Huawei, Trend Micro, Linux, Tableau, McAfee, F5,
Cisco, Fortinet, Sophos, Python, Citrix, SUSE, Ubuntu, Debian, FreeBSD, RedHat…
Vuln Spread:
And also… OSX, Webkit, Firefox, OpenJDK, OpenOffice, StarOffice, Ubuntu,
Gentoo, Oracle Solaris, SUSE, Slackware, BlackBerry products, Fedora,
RedHat, Debian, Avaya products, PlayStation 3/4/Vita, Opera for Wii, multiple
video games…
Vuln Spread:
Visio, PowerPoint, Adobe Photoshop/Flash/Illustrator, Webkit, iOS, OSX,
Android, GIMP, Fedora, Debian, Ubuntu, Slackware, Red Hat, SUSE, Gentoo,
Oracle Solaris, VMWare Server, and countless applications.
Vuln Spread:
Tivoli, Fedora, HP-UX, Ubuntu, NetIQ, Attachmate…
Vuln Spread:
Linux, Opera, Konqueror, HP, Sony & Logitech Google TVs…
Vuln Spread:
The Numbers: Jan 2007-July 2015
(one row per library; the library names are not recoverable from the slide text)

Library | Vuln Count | Vulns Per Year | Releases Per Year | Average CVSS | 2015 Vulns | % total
1       | 90         | 10-11          | 3                 | 5.49         | 29         | 32.2%
2       | 50         | 6              | 2                 | 7.43         | 0          | 0%
3       | 28         | 3              | 2-3               | 6.65         | 0          | 0%
4       | 100        | 12             | 5                 | 4.72         | 4          | 4%
5       | 522        | 80             | 11                | 8.96         | 135        | 25.9%
6       | 539        | 98             | 4                 | 7.07*        | 58         | 10.7%

*2010-to present
*2009-to present
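Worked example, added here and not part of the deck: computing the columns of the table above (vuln count, vulns per year, average CVSS, 2015 count and share of total) plus a CVSS-band histogram and the "since Heartbleed" count, from ten of the VulnDB OpenSSL rows listed earlier in the deck. The record field names and the CVSS band boundaries are my assumptions; the reporting window (Jan 2007 to July 14, 2015) is the one the slide states.

```python
from datetime import date, datetime
from statistics import mean

# Constructed sample input: ten of the VulnDB OpenSSL rows shown earlier in
# the deck (ID, disclosure date, CVSS). The deck lists 52 rows; a subset is
# enough to show the calculation, so these figures will not match the
# deck's full-table numbers.
OPENSSL_ROWS = [
    (124300, "7/9/2015", 4.0),
    (123176, "6/11/2015", 10.0),
    (123175, "6/11/2015", 7.8),
    (122331, "5/19/2015", 4.0),
    (118817, "2/25/2015", 10.0),
    (116794, "1/6/2015", 4.0),
    (113251, "10/13/2014", 2.6),
    (109897, "8/6/2014", 10.0),
    (107730, "6/4/2014", 10.0),
    (105465, "4/7/2014", 5.0),  # Heartbleed
]

# The reporting window the slide states: Jan 2007 to July 14, 2015.
DECK_WINDOW = (date(2007, 1, 1), date(2015, 7, 14))
HEARTBLEED_DISCLOSED = date(2014, 4, 7)

# CVSS v2 bands (assumed split; "critical" is the top of the high band).
SEVERITY_BANDS = (("low", 0.0, 3.9), ("medium", 4.0, 6.9),
                  ("high", 7.0, 8.9), ("critical", 9.0, 10.0))


def parse_row(row):
    """Turn an (id, 'M/D/YYYY', cvss) tuple into a record with a real date."""
    vid, disclosed, cvss = row
    return {"id": vid,
            "disclosed": datetime.strptime(disclosed, "%m/%d/%Y").date(),
            "cvss": float(cvss)}


def library_metrics(rows, window=DECK_WINDOW, year=2015):
    """The per-library columns of the deck's summary table."""
    start, end = window
    recs = [r for r in map(parse_row, rows) if start <= r["disclosed"] <= end]
    count = len(recs)
    years = (end - start).days / 365.25
    in_year = sum(1 for r in recs if r["disclosed"].year == year)
    return {
        "vuln_count": count,
        "vulns_per_year": round(count / years, 2),
        "average_cvss": round(mean(r["cvss"] for r in recs), 2) if recs else 0.0,
        "year_vulns": in_year,
        "year_pct_total": round(100.0 * in_year / count, 1) if count else 0.0,
    }


def severity_histogram(rows):
    """Count entries per CVSS band (a 'Vulnerabilities by Type' style view)."""
    hist = {name: 0 for name, _, _ in SEVERITY_BANDS}
    for rec in map(parse_row, rows):
        for name, lo, hi in SEVERITY_BANDS:
            if lo <= rec["cvss"] <= hi:
                hist[name] += 1
                break
    return hist


def vulns_since(rows, since=HEARTBLEED_DISCLOSED):
    """Entries disclosed strictly after `since` (the 'since Heartbleed' question)."""
    return sum(1 for r in map(parse_row, rows) if r["disclosed"] > since)


if __name__ == "__main__":
    print(library_metrics(OPENSSL_ROWS))
    print(severity_histogram(OPENSSL_ROWS))
    print("since Heartbleed:", vulns_since(OPENSSL_ROWS))
```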
Efficiency At What Cost?
- Not just one library impacting many organizations
- A single application may have as many as 100 different third party libraries implemented
- That is a whole lot of patching to keep up on for both devs and customers
- What should you measure library quality on?
  - Count of vulnerabilities
  - Frequency of update releases
  - Average severity of vulns (CVSS or other)
  - Existence of POC or Exploit
DEBATE
Take Aways
Code Quality:
Open source is secure because everyone can review it - more eyes makes all bugs shallow.
Everyone *could* look at it, but they don’t. Accountability for quality is deferred.
Code Quality:
That means closed source is more secure because no one can review it and it is supported by big enterprises, right?
Bad code is just that, bad code. Bad code exists in Closed Source software as well.
Vulnerability Management
- Vulnerability management is the "cyclical practice of identifying, classifying, remediating, and mitigating vulnerabilities", especially in software and firmware. Vulnerability management is integral to computer security and network security.
- Vulnerabilities can be discovered with a vulnerability scanner, which analyzes a computer system in search of known vulnerabilities, such as open ports, insecure software configuration, and susceptibility to malware. Unknown vulnerabilities, such as a zero-day attack may be found with fuzz testing, which can identify certain kinds of vulnerabilities, such as a buffer overflow exploit with relevant test cases. Such analyses can be facilitated by test automation. In addition, antivirus software capable of heuristic analysis may discover undocumented malware if it finds software behaving suspiciously (such as attempting to overwrite a system file).
- Correcting vulnerabilities may variously involve the installation of a patch, a change in network security policy, reconfiguration of software (such as a firewall), or educating users about social engineering.
https://en.wikipedia.org/wiki/Vulnerability_management
So Vuln Mgmt is A NetSec Issue!
Cost to Fix Vulnerabilities
The National Institute of Standards and Technology (NIST) estimates that code fixes performed after release can result in 25+ times the cost of fixes performed during the design phase.
tl;dr: Pay me now or pay me later… with interest.
THE GOAL OF VULNERABILITY MANAGEMENT
“Fix vulnerabilities as early as is practical, resulting in fewer vulnerabilities to patch at the most expensive time - late in the development cycle.”
Easy, right?
Security versus…
- Performance
- Usability
- Functionality
- Development cost & time
Secure Development Lifecycle
Phases: Training, Requirements, Design, Implementation, Verification, Release, Response
Diagram annotations: Vulnerabilities introduced; Vulnerabilities identified; Vulnerabilities identified; OSS Vulnerabilities identified
Vulnerability Management Process
1. Identify Issue
2. Assess Impact
3. Dev & Test Fix
4. Deploy Fix
5. Post Release
Incident Response
1. Identify Issue
2. Assess Impact
3. Dev & Test Fix
4. Public Release w/ CVE
5. Post Release
So you’re a software vendor…
1. Identify Issue
2. Assess Impact
3. Dev & Test Fix
4. Release
5. Post Release
Enterprise admin? Your patch lifecycle starts HERE
Identify Issues
- Internal Security Research Team, Consultants – pre-release vuln assessments
- External Security Researchers – post release incident response, bug bounties
- Third Party Libraries/OSS Disclosures – both pre and post release
- Automated Tools & Analysis
- Crash log analysis
- Lots of vulnerabilities to manage
(Vulnerability Management step 1: Identify Issue)
Assess Impact: Prioritization Matters
- You have 150 vulnerabilities open with CVSS 7.5+
- Your inbound new vulnerabilities average 15 dev tasks per week, from both internal and external sources
- What do you fix first?
  - Highest CVSS Score?
  - FIFO? LIFO?
  - Externally known issues?
  - Issues with Exploit Presence in Metasploit?
- Intelligent prioritization reduces risk
(Vulnerability Management step 2: Assess Impact)
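Worked example, added here and not part of the deck: the same four-item backlog ordered by each rule the slide lists (highest CVSS, FIFO, LIFO) next to a composite risk order that adds uplifts for exploit presence, external knowledge and age. The backlog entries, field names and weights are constructed for illustration; the point is that a lower-CVSS item with a public exploit moves ahead of a higher-CVSS item nobody outside knows about.

```python
from datetime import date

# Constructed sample backlog (hypothetical entries, not real vulnerabilities).
# "public" = externally known; "exploit" = working exploit available (e.g. a
# Metasploit module); "opened" = date the task entered the backlog.
OPEN_VULNS = [
    {"id": "A", "cvss": 9.8, "public": False, "exploit": False, "opened": date(2015, 7, 1)},
    {"id": "B", "cvss": 7.5, "public": True,  "exploit": True,  "opened": date(2015, 6, 1)},
    {"id": "C", "cvss": 8.1, "public": True,  "exploit": False, "opened": date(2015, 3, 1)},
    {"id": "D", "cvss": 7.5, "public": False, "exploit": False, "opened": date(2015, 1, 15)},
]

AS_OF = date(2015, 7, 14)  # "today" for the age calculation

# Weights are assumptions for illustration; calibrate them against your own data.
EXPLOIT_UPLIFT = 3.0   # known exploit: attackers already have the capability
PUBLIC_UPLIFT = 2.0    # externally known: the clock is already running
MAX_AGE_UPLIFT = 1.0   # old items creep upward so they cannot starve forever
AGE_SCALE_DAYS = 90    # age uplift reaches its maximum after 90 days open


def order_by_cvss(vulns):
    """Highest CVSS first (ties keep backlog order)."""
    return [v["id"] for v in sorted(vulns, key=lambda v: -v["cvss"])]


def order_fifo(vulns):
    """Oldest item first."""
    return [v["id"] for v in sorted(vulns, key=lambda v: v["opened"])]


def order_lifo(vulns):
    """Newest item first."""
    return [v["id"] for v in sorted(vulns, key=lambda v: v["opened"], reverse=True)]


def risk_score(v, today=AS_OF):
    """CVSS plus uplifts for exploit presence, public knowledge and age."""
    age_days = (today - v["opened"]).days
    age_uplift = min(age_days / AGE_SCALE_DAYS, 1.0) * MAX_AGE_UPLIFT
    return (v["cvss"]
            + (EXPLOIT_UPLIFT if v["exploit"] else 0.0)
            + (PUBLIC_UPLIFT if v["public"] else 0.0)
            + age_uplift)


def order_by_risk(vulns, today=AS_OF):
    """Composite risk order: the 'intelligent prioritization' the slide asks for."""
    return [v["id"] for v in sorted(vulns, key=lambda v: -risk_score(v, today))]


if __name__ == "__main__":
    for name, fn in (("CVSS", order_by_cvss), ("FIFO", order_fifo),
                     ("LIFO", order_lifo), ("risk", order_by_risk)):
        print(f"{name:>5}: {fn(OPEN_VULNS)}")
```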
Dev & Test Fix
- “Just ship it, we can patch that later” is not cost effective, but becomes more likely the closer you get to release dates
- Vulnerabilities are inevitable. Choose those that you fix pre-release and those you postpone to post-release carefully.
- Don’t put off fixing the complicated vulnerabilities – they won’t get easier once the product is in customer hands
- Sustainment planning is not just for post-release – you will have to patch vulnerabilities in perfectly functional code before RTM
(Vulnerability Management step 3: Dev & Test Fix)
Now let's go write some code!
Vulnerability Management in SDL
Requirements
- Define guiding security principles
- Define prioritization model and sustainment plan
Design
- Design for security and reduce attack surface
- Evaluate vuln trends in libraries as part of selection criteria
Implementation
- Automated static analysis tools
- Deprecate unsafe functions
- Code scanning tools to monitor all third party libraries – know what you use and where
Verification
- Automated static and dynamic analysis tools, fuzzing
- Manual pen testing & attack surface review
- Update 3rd party libraries regularly
Be Prepared
- Analysis of vulnerability trends to predict future workload
  - How many vulnerabilities are identified per month?
  - What are their sources?
  - What are the vulnerability types? Is dev training indicated?
  - How quickly is your vulnerability backlog growing (or shrinking)?
  - What is your average Time To Fix?
- What early monitoring processes can you put in place to minimize surprises?
- Can you identify low friction areas to diminish risk?
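Worked example, added here and not part of the deck: answering the trend questions above (intake per month, sources, types, backlog growth, average time to fix, and a naive workload forecast) from a constructed ticket list. The ticket fields, the sources and types, and the 30% "training indicated" threshold are my assumptions.

```python
from collections import Counter
from datetime import date
from statistics import mean

# Constructed sample backlog (hypothetical, not real data):
# (id, source, vuln type, opened, closed); closed=None means still open.
TICKETS = [
    ("V-1", "internal", "buffer overflow", date(2015, 3, 2), date(2015, 3, 20)),
    ("V-2", "external", "XSS", date(2015, 3, 9), date(2015, 4, 1)),
    ("V-3", "third-party", "use-after-free", date(2015, 3, 16), None),
    ("V-4", "crash log", "NULL deref", date(2015, 4, 3), date(2015, 4, 10)),
    ("V-5", "external", "XSS", date(2015, 4, 14), None),
    ("V-6", "third-party", "buffer overflow", date(2015, 4, 20), date(2015, 5, 15)),
    ("V-7", "internal", "XSS", date(2015, 5, 5), None),
    ("V-8", "third-party", "buffer overflow", date(2015, 5, 11), None),
]

MONTH_ENDS = (date(2015, 3, 31), date(2015, 4, 30), date(2015, 5, 31))


def month_key(d):
    return f"{d.year:04d}-{d.month:02d}"


def identified_per_month(tickets):
    """How many vulnerabilities are identified per month?"""
    return dict(Counter(month_key(t[3]) for t in tickets))


def by_source(tickets):
    """What are their sources?"""
    return dict(Counter(t[1] for t in tickets))


def by_type(tickets):
    """What are the vulnerability types?"""
    return dict(Counter(t[2] for t in tickets))


def training_indicated(tickets, share=0.3):
    """Types making up at least `share` of intake: a dev-training signal."""
    total = len(tickets)
    return sorted(k for k, n in by_type(tickets).items() if n / total >= share)


def backlog_at(tickets, as_of):
    """Open items at end of day `as_of`: opened by then and not yet closed."""
    return sum(1 for t in tickets
               if t[3] <= as_of and (t[4] is None or t[4] > as_of))


def backlog_trend(tickets, month_ends=MONTH_ENDS):
    """Backlog size at each month end; rising numbers mean intake exceeds fixes."""
    return [(month_key(d), backlog_at(tickets, d)) for d in month_ends]


def mean_time_to_fix_days(tickets):
    """Average open-to-closed time over the items that have been fixed."""
    durations = [(t[4] - t[3]).days for t in tickets if t[4] is not None]
    return round(mean(durations), 2) if durations else None


def forecast_next_month(tickets):
    """Naive workload prediction: the mean monthly intake so far."""
    return round(mean(identified_per_month(tickets).values()), 2)


if __name__ == "__main__":
    print("per month:", identified_per_month(TICKETS))
    print("by source:", by_source(TICKETS))
    print("by type:", by_type(TICKETS), "training:", training_indicated(TICKETS))
    print("backlog:", backlog_trend(TICKETS))
    print("mean TTF days:", mean_time_to_fix_days(TICKETS))
    print("forecast:", forecast_next_month(TICKETS))
```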
Network Admins
- Ask potential software vendors about their SDL program and vulnerability trends
- Monitor the third party libraries being used in software you deploy and press vendors for security fixes
- Make it clear security is a priority
Case Study
- Strong security team in rapidly growing enterprise software company
- Attended my OSS talk with Jake Kouns at BlackHat 2014
- Requested a copy of our slides for internal use
- Shared both their own SIRT data and our data regarding security risk with Leadership
Case Study: VMWare
- Already had mature incident response monitoring of 3rd party libraries in released products
- Adding proactive evaluation and rating/approval of third party libraries in development phase
Case Study: VMWare
- Evaluated and implemented code scanning tool for finding third party libraries in products
- MOOSECON internal security conference session on 3rd party library vulnerabilities
Case Study: VMWare
- Active testing of third party and OSS libraries along with native code in products
- Partnering with dev teams to create proactive plans for routine patching cadence as part of dev lifecycle
Case Study: VMWare
Thanks
JAKE KOUNS
RISK BASED SECURITY
Discussion
Kymberlee Price Senior Director of Researcher Operations
@kym_possible Bugcrowd

The Real-World Challenges of Medical Device Cybersecurity- Mitigating Vulnera...ICS
 
TECUNIQUE: Success Stories: IT Service provider
TECUNIQUE: Success Stories: IT Service providerTECUNIQUE: Success Stories: IT Service provider
TECUNIQUE: Success Stories: IT Service providermohitmore19
 
Unveiling the Tech Salsa of LAMs with Janus in Real-Time Applications
Unveiling the Tech Salsa of LAMs with Janus in Real-Time ApplicationsUnveiling the Tech Salsa of LAMs with Janus in Real-Time Applications
Unveiling the Tech Salsa of LAMs with Janus in Real-Time ApplicationsAlberto González Trastoy
 
A Secure and Reliable Document Management System is Essential.docx
A Secure and Reliable Document Management System is Essential.docxA Secure and Reliable Document Management System is Essential.docx
A Secure and Reliable Document Management System is Essential.docxComplianceQuest1
 
Hand gesture recognition PROJECT PPT.pptx
Hand gesture recognition PROJECT PPT.pptxHand gesture recognition PROJECT PPT.pptx
Hand gesture recognition PROJECT PPT.pptxbodapatigopi8531
 
Try MyIntelliAccount Cloud Accounting Software As A Service Solution Risk Fre...
Try MyIntelliAccount Cloud Accounting Software As A Service Solution Risk Fre...Try MyIntelliAccount Cloud Accounting Software As A Service Solution Risk Fre...
Try MyIntelliAccount Cloud Accounting Software As A Service Solution Risk Fre...MyIntelliSource, Inc.
 
Tech Tuesday-Harness the Power of Effective Resource Planning with OnePlan’s ...
Tech Tuesday-Harness the Power of Effective Resource Planning with OnePlan’s ...Tech Tuesday-Harness the Power of Effective Resource Planning with OnePlan’s ...
Tech Tuesday-Harness the Power of Effective Resource Planning with OnePlan’s ...OnePlan Solutions
 
Short Story: Unveiling the Reasoning Abilities of Large Language Models by Ke...
Short Story: Unveiling the Reasoning Abilities of Large Language Models by Ke...Short Story: Unveiling the Reasoning Abilities of Large Language Models by Ke...
Short Story: Unveiling the Reasoning Abilities of Large Language Models by Ke...kellynguyen01
 
Software Quality Assurance Interview Questions
Software Quality Assurance Interview QuestionsSoftware Quality Assurance Interview Questions
Software Quality Assurance Interview QuestionsArshad QA
 
Diamond Application Development Crafting Solutions with Precision
Diamond Application Development Crafting Solutions with PrecisionDiamond Application Development Crafting Solutions with Precision
Diamond Application Development Crafting Solutions with PrecisionSolGuruz
 
Learn the Fundamentals of XCUITest Framework_ A Beginner's Guide.pdf
Learn the Fundamentals of XCUITest Framework_ A Beginner's Guide.pdfLearn the Fundamentals of XCUITest Framework_ A Beginner's Guide.pdf
Learn the Fundamentals of XCUITest Framework_ A Beginner's Guide.pdfkalichargn70th171
 
The Ultimate Test Automation Guide_ Best Practices and Tips.pdf
The Ultimate Test Automation Guide_ Best Practices and Tips.pdfThe Ultimate Test Automation Guide_ Best Practices and Tips.pdf
The Ultimate Test Automation Guide_ Best Practices and Tips.pdfkalichargn70th171
 

Último (20)

SyndBuddy AI 2k Review 2024: Revolutionizing Content Syndication with AI
SyndBuddy AI 2k Review 2024: Revolutionizing Content Syndication with AISyndBuddy AI 2k Review 2024: Revolutionizing Content Syndication with AI
SyndBuddy AI 2k Review 2024: Revolutionizing Content Syndication with AI
 
Right Money Management App For Your Financial Goals
Right Money Management App For Your Financial GoalsRight Money Management App For Your Financial Goals
Right Money Management App For Your Financial Goals
 
+971565801893>>SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHAB...
+971565801893>>SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHAB...+971565801893>>SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHAB...
+971565801893>>SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHAB...
 
Unlocking the Future of AI Agents with Large Language Models
Unlocking the Future of AI Agents with Large Language ModelsUnlocking the Future of AI Agents with Large Language Models
Unlocking the Future of AI Agents with Large Language Models
 
CALL ON ➥8923113531 🔝Call Girls Badshah Nagar Lucknow best Female service
CALL ON ➥8923113531 🔝Call Girls Badshah Nagar Lucknow best Female serviceCALL ON ➥8923113531 🔝Call Girls Badshah Nagar Lucknow best Female service
CALL ON ➥8923113531 🔝Call Girls Badshah Nagar Lucknow best Female service
 
How To Use Server-Side Rendering with Nuxt.js
How To Use Server-Side Rendering with Nuxt.jsHow To Use Server-Side Rendering with Nuxt.js
How To Use Server-Side Rendering with Nuxt.js
 
Optimizing AI for immediate response in Smart CCTV
Optimizing AI for immediate response in Smart CCTVOptimizing AI for immediate response in Smart CCTV
Optimizing AI for immediate response in Smart CCTV
 
The Real-World Challenges of Medical Device Cybersecurity- Mitigating Vulnera...
The Real-World Challenges of Medical Device Cybersecurity- Mitigating Vulnera...The Real-World Challenges of Medical Device Cybersecurity- Mitigating Vulnera...
The Real-World Challenges of Medical Device Cybersecurity- Mitigating Vulnera...
 
TECUNIQUE: Success Stories: IT Service provider
TECUNIQUE: Success Stories: IT Service providerTECUNIQUE: Success Stories: IT Service provider
TECUNIQUE: Success Stories: IT Service provider
 
Unveiling the Tech Salsa of LAMs with Janus in Real-Time Applications
Unveiling the Tech Salsa of LAMs with Janus in Real-Time ApplicationsUnveiling the Tech Salsa of LAMs with Janus in Real-Time Applications
Unveiling the Tech Salsa of LAMs with Janus in Real-Time Applications
 
A Secure and Reliable Document Management System is Essential.docx
A Secure and Reliable Document Management System is Essential.docxA Secure and Reliable Document Management System is Essential.docx
A Secure and Reliable Document Management System is Essential.docx
 
Hand gesture recognition PROJECT PPT.pptx
Hand gesture recognition PROJECT PPT.pptxHand gesture recognition PROJECT PPT.pptx
Hand gesture recognition PROJECT PPT.pptx
 
Try MyIntelliAccount Cloud Accounting Software As A Service Solution Risk Fre...
Try MyIntelliAccount Cloud Accounting Software As A Service Solution Risk Fre...Try MyIntelliAccount Cloud Accounting Software As A Service Solution Risk Fre...
Try MyIntelliAccount Cloud Accounting Software As A Service Solution Risk Fre...
 
Tech Tuesday-Harness the Power of Effective Resource Planning with OnePlan’s ...
Tech Tuesday-Harness the Power of Effective Resource Planning with OnePlan’s ...Tech Tuesday-Harness the Power of Effective Resource Planning with OnePlan’s ...
Tech Tuesday-Harness the Power of Effective Resource Planning with OnePlan’s ...
 
Vip Call Girls Noida ➡️ Delhi ➡️ 9999965857 No Advance 24HRS Live
Vip Call Girls Noida ➡️ Delhi ➡️ 9999965857 No Advance 24HRS LiveVip Call Girls Noida ➡️ Delhi ➡️ 9999965857 No Advance 24HRS Live
Vip Call Girls Noida ➡️ Delhi ➡️ 9999965857 No Advance 24HRS Live
 
Short Story: Unveiling the Reasoning Abilities of Large Language Models by Ke...
Short Story: Unveiling the Reasoning Abilities of Large Language Models by Ke...Short Story: Unveiling the Reasoning Abilities of Large Language Models by Ke...
Short Story: Unveiling the Reasoning Abilities of Large Language Models by Ke...
 
Software Quality Assurance Interview Questions
Software Quality Assurance Interview QuestionsSoftware Quality Assurance Interview Questions
Software Quality Assurance Interview Questions
 
Diamond Application Development Crafting Solutions with Precision
Diamond Application Development Crafting Solutions with PrecisionDiamond Application Development Crafting Solutions with Precision
Diamond Application Development Crafting Solutions with Precision
 
Learn the Fundamentals of XCUITest Framework_ A Beginner's Guide.pdf
Learn the Fundamentals of XCUITest Framework_ A Beginner's Guide.pdfLearn the Fundamentals of XCUITest Framework_ A Beginner's Guide.pdf
Learn the Fundamentals of XCUITest Framework_ A Beginner's Guide.pdf
 
The Ultimate Test Automation Guide_ Best Practices and Tips.pdf
The Ultimate Test Automation Guide_ Best Practices and Tips.pdfThe Ultimate Test Automation Guide_ Best Practices and Tips.pdf
The Ultimate Test Automation Guide_ Best Practices and Tips.pdf
 

Security Vulnerabilities in Third Party Code - Fix All the Things!

  • 1. Security Vulnerabilities in Third Party Code: FIX ALL THE THINGS! KYMBERLEE PRICE BUGCROWD
  • 2. whoami?
    - Senior Director of a Red Team
    - PSIRT Case Manager
    - Data Analyst
    - Internet Crime Investigator
    - Security Evangelist
    - Behavioral Psychologist
    - Lawful Good
    @kym_possible
  • 3. Agenda
    - Quick overview of problem space
    - A deeper look at 7 specific libraries
    - Library Management SDL Recommendations
    - Case study
  • 8. Where the Vulns Are “Third-party programs are responsible for 76% of the vulnerabilities discovered in the 50 most popular programs in 2013, say the results of Secunia's Vulnerability Review 2014” http://www.net-security.org/secworld.php?id=16448
  • 9. Vulnerabilities by Type Source: VulnDB July, 14 2015
  • 19. How many vulnerabilities do you think there have been in OpenSSL since Heartbleed? (please don't use the Secunia counting method!) Let's Play Another Game!
  • 20.
    ID | Disc Date | CVSS | Title
    124300 | 7/9/2015 | 4 | OpenSSL crypto/x509/x509_vfy.c X509_verify_cert() Function Alternative Certificate Chain Handling Certificate Validation Bypass
    123176 | 6/11/2015 | 10 | OpenSSL DTLS Application Data Buffering Invalid Free Remote Memory Corruption
    123175 | 6/11/2015 | 7.8 | OpenSSL signedData Message Unknown Hash Function Processing Infinite Loop Remote DoS
    123174 | 6/11/2015 | 7.8 | OpenSSL crypto/pkcs7/pk7_doit.c PKCS7_dataDecode() Function ASN.1-encoded PKCS#7 Blob Handling NULL Pointer Dereference Remote DoS
    123173 | 6/11/2015 | 8.5 | OpenSSL crypto/x509/x509_vfy.c X509_cmp_time() Function ASN1_TIME String Handling Out-of-bounds Read Issue
    123172 | 6/11/2015 | 7.8 | OpenSSL crypto/bn/bn_gf2m.c BN_GF2m_mod_inv() Function ECParameters Structure Binary Polynomial Field Parsing Infinite Loop Remote DoS
    122875 | 6/2/2015 | 10 | OpenSSL NewSessionTicket Ticket Re-use Double-free Remote Unspecified Issue
    122733 | 5/26/2015 | 7.8 | OpenSSL crypto/bn/random.c BN_rand() Function Off-by-one Buffer Overflow DoS
    122331 | 5/19/2015 | 4 | Transport Layer Security (TLS) Protocol DHE_EXPORT Ciphers Downgrade MitM (Logjam)
    122984 | 5/19/2015 | 7.5 | OpenSSL crypto/bn/bn_print.c BN_bn2hex() Function Off-by-one Buffer Overflow Weakness
    119692 | 3/18/2015 | 7.8 | OpenSSL Invalid Signature Algorithms Extension Renegotiation NULL Pointer Dereference Remote DoS
    119760 | 3/16/2015 | 7.1 | OpenSSL ssl/d1_lib.c dtls1_listen() Function SSL Object State Preservation DoS
    119757 | 3/16/2015 | 7.8 | OpenSSL SSLv2 CLIENT-MASTER-KEY Message Handling Assertion Remote DoS
    119758 | 3/16/2015 | 7.1 | OpenSSL ssl/s3_pkt.c ssl3_write_bytes() Function Multiblock Implementation DoS
    119614 | 3/16/2015 | 7.8 | OpenSSL Client Authentication DHE Ciphersuite Zero-length ClientKeyExchange Message Handling Remote DoS
    119756 | 3/16/2015 | 7.1 | OpenSSL PKCS#7 Missing Outer ContentInfo Handling NULL Pointer Dereference DoS
    119759 | 3/16/2015 | 7.1 | OpenSSL crypto/rsa/rsa_ameth.c rsa_item_verify() Function Invalid PSS Parameters Handling NULL Pointer Dereference DoS
    119755 | 3/16/2015 | 9.3 | OpenSSL crypto/asn1/tasn_dec.c ASN1_item_ex_d2i() Function ASN.1 Structure Reuse Memory Corruption
    119761 | 3/16/2015 | 7.1 | OpenSSL crypto/asn1/a_type.c ASN1_TYPE_cmp() Function Invalid Read DoS
    119673 | 3/10/2015 | 2.6 | OpenSSL s3_clnt.c ssl3_client_hello() Function Unseeded PRNG Handshake Completion Predictable Output
    120058 | 3/3/2015 | 2.6 | OpenSSL Malformed TLS Handshake False Start Data Remote MitM Disclosure Weakness
    119328 | 3/2/2015 | 5.4 | OpenSSL crypto/x509/x509_req.c X509_to_X509_REQ() Function Public Key Handling NULL Pointer Dereference DoS
    118817 | 2/25/2015 | 10 | OpenSSL crypto/ec/ec_asn1.c d2i_ECPrivateKey() Function Error Handling Use-after-free DoS
    117855 | 1/19/2015 | 2.6 | Secure Sockets Layer Version 3 (SSLv3) / Transport Layer Security (TLS) Protocols RC4 Cipher Key Invariance Weakness MitM Plaintext Disclosure (BAR-MITZVAH)
    116791 | 1/8/2015 | 7.8 | OpenSSL dtls1_buffer_record() Function DTLS Record Saturation Handling Memory Leak Remote DoS
    116793 | 1/8/2015 | 7.8 | OpenSSL dtls1_get_record DTLS Message Handling NULL Pointer Dereference Remote DoS
    116790 | 1/8/2015 | 5.1 | OpenSSL TLS DH Certificate Missing Certificate Verify Message Handling MitM Spoofing (SKIP-TLS)
    116796 | 1/8/2015 | 5.1 | OpenSSL Bignum Squaring Incorrect Result Weakness
    116794 | 1/6/2015 | 4 | OpenSSL RSA Temporary Key Handling EXPORT_RSA Ciphers Downgrade MitM (FREAK)
    116792 | 1/5/2015 | 4.3 | OpenSSL Signature Algorithm / Signature Encoding Modification Certificate Fingerprint Manipulation Weakness
    116795 | 1/5/2015 | 5 | OpenSSL Missing Server Key Exchange Message Handling ECDH Ciphersuite Downgrade Issue
    116423 | 10/16/2014 | 7.8 | OpenSSL s23_srvr.c ssl23_get_client_hello() Function SSLv3 Handshake Handling NULL Pointer Dereference Remote DoS
    113377 | 10/15/2014 | 5 | OpenSSL no-ssl3 Build Option SSL 3.0 Handshake Handling Weakness
    113373 | 10/14/2014 | 7.8 | OpenSSL DTLS SRTP Extension Parsing Code Handshake Message Handling Memory Leak Remote DoS
    113374 | 10/14/2014 | 7.8 | OpenSSL SSL/TLS/DTLS Server Failed Session Ticket Verification Handling Memory Leak Remote DoS
    113251 | 10/13/2014 | 2.6 | SSL 3.0 Protocol CBC-mode Ciphers Fallback MitM Remote Cleartext Information Disclosure (POODLE)
    109892 | 8/6/2014 | 7.8 | OpenSSL DTLS Handshake Messages Processing Memory Consumption Remote DoS
    109893 | 8/6/2014 | 7.8 | OpenSSL DTLS Packet Handling Double-free Remote DoS
    109894 | 8/6/2014 | 5 | OpenSSL OBJ_obj2txt Multiple Pretty Printing Functions Pretty Printing Output Remote Information Disclosure
    109898 | 8/6/2014 | 7.1 | OpenSSL SRP Ciphersuite NULL Pointer Dereference Remote DoS
    109891 | 8/6/2014 | 7.8 | OpenSSL Crafted DTLS Packet Handling Memory Leak Remote DoS
    109897 | 8/6/2014 | 10 | OpenSSL SRP Protocol Code Multiple Parameter Remote Buffer Overflow
    109896 | 8/6/2014 | 2.6 | OpenSSL SSL/TLS Server Code ClientHello Message Fragmentation Forced TLS Downgrade Weakness
    109902 | 8/6/2014 | 9.3 | OpenSSL ssl_parse_serverhello_tlsext Resumed Session EC Point Format Extension Handling Race Condition Use-after-free Issue
    109895 | 8/6/2014 | 7.8 | OpenSSL Anonymous (EC)DH Ciphersuite Crafted Handshake Messages NULL Pointer Dereference Remote DoS
    107731 | 6/4/2014 | 7.8 | OpenSSL TLS Client Anonymous ECDH Ciphersuite Unspecified Remote DoS
    107730 | 6/4/2014 | 10 | OpenSSL Invalid DTLS Fragment Handling Remote Buffer Overflow
    107732 | 6/4/2014 | 7.8 | OpenSSL ssl/d1_both.c dtls1_get_message_fragment() Function Invalid DTLS Handshake Handling Remote DoS
    107729 | 6/3/2014 | 4 | OpenSSL Crafted Handshake Weak Keying Material Rollback MitM Weakness
    119743 | 5/6/2014 | 9.3 | OpenSSL crypto/evp/encode.c EVP_DecodeUpdate() Function Base64 Decoding Integer Underflow
    106531 | 4/30/2014 | 7.8 | OpenSSL / LibReSSL ssl/s3_pkt.c do_ssl3_write() Function NULL Pointer Dereference Remote DoS
    105763 | 4/11/2014 | 4 | OpenSSL ssl/s3_pkt.c ssl3_read_bytes() Function Use-after-free Remote Content Injection
    105465 | 4/7/2014 | 5 | OpenSSL TLS Heartbeat Extension Packets Handling Out-of-bounds Read Remote Memory Disclosure (Heartbleed)
    Average CVSS: 5.23
  • 22. Putting Data to Use (without being a data scientist)
    - Vulnerability data
    - Spreadsheet software
    - Probably a browser
  • 23. DATA CAVEAT
    - Data from public sources is limited
    - FFmpeg: CVE Details vs. VulnDB (CVE Details: 191; VulnDB: 1,000+)
    - “Fixes the following vulnerabilities [CVE LIST] …and more security issues that have no CVE number. Many of these issues can be exploited when a remote file is played back and a few are probable arbitrary code execution vulnerabilities.”
  • 24. Vuln Spread: …And multiple products by HP, Oracle (including Java), F-Secure, IBM, MySQL, Novell, OpenBSD, Intel, Juniper, Rapid7, nginx, Huawei, Trend Micro, Linux, Tableau, McAfee, F5, Cisco, Fortinet, Sophos, Python, Citrix, SUSE, Ubuntu, Debian, FreeBSD, RedHat…
  • 25. Vuln Spread: And also… OSX, Webkit, Firefox, OpenJDK, OpenOffice, StarOffice, Ubuntu, Gentoo, Oracle Solaris, SUSE, Slackware, BlackBerry products, Fedora, RedHat, Debian, Avaya products, PlayStation 3/4/Vita, Opera for Wii, multiple video games…
  • 26. Vuln Spread: Visio, PowerPoint, Adobe Photoshop/Flash/Illustrator, Webkit, iOS, OSX, Android, GIMP, Fedora, Debian, Ubuntu, Slackware, Red Hat, SUSE, Gentoo, Oracle Solaris, VMWare Server, and countless applications.
  • 27. Vuln Spread: Tivoli, Fedora, HP-UX, Ubuntu, NetIQ, Attachmate…
  • 28. Vuln Spread: Linux, Opera, Konqueror, HP, Sony & Logitech Google TVs…
  • 30. The Numbers: Jan 2007-July 2015 (library names were shown as logos on the slide and are not captured here)
    Library | Vuln Count | Vulns Per Year | Releases Per Year | Average CVSS | 2015 Vulns | % total
    (logo) | 90 | 10-11 | 3 | 5.49 | 29 | 32.2%
    (logo) | 50 | 6 | 2 | 7.43 | 0 | 0%
    (logo) | 28 | 3 | 2-3 | 6.65 | 0 | 0%
    (logo) | 100 | 12 | 5 | 4.72 | 4 | 4%
    (logo) | 522 | 80 | 11 | 8.96 | 135 | 25.9%
    (logo) | 539 | 98 | 4 | 7.07* | 58 | 10.7%
    *2010-to present  *2009-to present
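The per-library metrics on this slide (vuln count, vulns per year, average CVSS, share of the current year, plus the "CVSS 7.5+" count slide 50 asks about) can be produced from a vulnerability-data export with nothing more than a short script. This is an added example, not code from the talk; the CSV layout is an assumption, and the rows are a constructed subset copied from the slide 20 OpenSSL table.

```python
"""Compute the slide 30 style metrics for one library from a VulnDB-style
CSV export. Added example, not part of the original talk; the column layout
(id, disc_date, cvss, title) is an assumption."""
import csv
import io
from collections import Counter
from datetime import datetime

# Constructed sample: eight of the rows shown on slide 20 (ID, disclosure date, CVSS, title).
SAMPLE_CSV = """id,disc_date,cvss,title
124300,7/9/2015,4,OpenSSL crypto/x509/x509_vfy.c X509_verify_cert() Function Alternative Certificate Chain Handling Certificate Validation Bypass
123176,6/11/2015,10,OpenSSL DTLS Application Data Buffering Invalid Free Remote Memory Corruption
122331,5/19/2015,4,Transport Layer Security (TLS) Protocol DHE_EXPORT Ciphers Downgrade MitM (Logjam)
119755,3/16/2015,9.3,OpenSSL crypto/asn1/tasn_dec.c ASN1_item_ex_d2i() Function ASN.1 Structure Reuse Memory Corruption
116794,1/6/2015,4,OpenSSL RSA Temporary Key Handling EXPORT_RSA Ciphers Downgrade MitM (FREAK)
113251,10/13/2014,2.6,SSL 3.0 Protocol CBC-mode Ciphers Fallback MitM Remote Cleartext Information Disclosure (POODLE)
109897,8/6/2014,10,OpenSSL SRP Protocol Code Multiple Parameter Remote Buffer Overflow
105465,4/7/2014,5,OpenSSL TLS Heartbeat Extension Packets Handling Out-of-bounds Read Remote Memory Disclosure (Heartbleed)
"""


def load_vulns(csv_text):
    """Parse the export into dicts with a real date and a float CVSS score."""
    rows = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        rows.append({
            "id": row["id"],
            "date": datetime.strptime(row["disc_date"], "%m/%d/%Y").date(),
            "cvss": float(row["cvss"]),
            "title": row["title"],
        })
    return rows


def library_metrics(vulns, current_year, high_threshold=7.5):
    """The slide 30 columns for one library, plus the count at or above a CVSS threshold."""
    by_year = Counter(v["date"].year for v in vulns)
    total = len(vulns)
    return {
        "vuln_count": total,
        "vulns_per_year": dict(sorted(by_year.items())),
        "average_cvss": round(sum(v["cvss"] for v in vulns) / total, 2) if total else 0.0,
        "current_year_vulns": by_year[current_year],
        "current_year_pct": round(100.0 * by_year[current_year] / total, 1) if total else 0.0,
        "high_severity": sum(1 for v in vulns if v["cvss"] >= high_threshold),
    }


def named_vulns(vulns):
    """Vulns that got a marketing name: the parenthesised tag at the end of the title."""
    return [v["title"].rsplit("(", 1)[1].rstrip(")") for v in vulns if v["title"].endswith(")")]


if __name__ == "__main__":
    vulns = load_vulns(SAMPLE_CSV)
    for key, value in library_metrics(vulns, current_year=2015).items():
        print(f"{key}: {value}")
    print("named vulns:", named_vulns(vulns))
```

Point the loader at a full export for a library and the same function gives the row you would put in the slide 30 table; the named-vuln count shows how few of the entries ever got a logo.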
  • 32. Efficiency At What Cost?
    - Not just one library impacting many organizations
    - A single application may have as many as 100 different third party libraries implemented
    - That is a whole lot of patching to keep up on for both devs and customers
  • 33. DEBATE: What should you measure library quality on?
    - Count of vulnerabilities
    - Frequency of update releases
    - Average severity of vulns (CVSS or other)
    - Existence of POC or Exploit
  • 37. Code Quality: Open source is secure because everyone can review it - more eyes make all bugs shallow. Everyone *could* look at it, but they don't. Accountability for quality is deferred.
  • 38. Code Quality: That means closed source is more secure because no one can review it and it is supported by big enterprises, right? Bad code is just that, bad code. Bad code exists in Closed Source software as well.
  • 40. Vulnerability Management
    - Vulnerability management is the "cyclical practice of identifying, classifying, remediating, and mitigating vulnerabilities", especially in software and firmware. Vulnerability management is integral to computer security and network security.
    - Vulnerabilities can be discovered with a vulnerability scanner, which analyzes a computer system in search of known vulnerabilities, such as open ports, insecure software configuration, and susceptibility to malware. Unknown vulnerabilities, such as a zero-day attack may be found with fuzz testing, which can identify certain kinds of vulnerabilities, such as a buffer overflow exploit with relevant test cases. Such analyses can be facilitated by test automation. In addition, antivirus software capable of heuristic analysis may discover undocumented malware if it finds software behaving suspiciously (such as attempting to overwrite a system file).
    - Correcting vulnerabilities may variously involve the installation of a patch, a change in network security policy, reconfiguration of software (such as a firewall), or educating users about social engineering.
    https://en.wikipedia.org/wiki/Vulnerability_management
  • 42. So Vuln Mgmt is A NetSec Issue!
  • 43. Cost to Fix Vulnerabilities The National Institute of Standards and Technology (NIST) estimates that code fixes performed after release can result in 25+ times the cost of fixes performed during the design phase. tl;dr: Pay me now or pay me later… with interest.
  • 44. “ ” Fix vulnerabilities as early as is practical, resulting in fewer vulnerabilities to patch at the most expensive time - late in the development cycle. THE GOAL OF VULNERABILITY MANAGEMENT
  • 46. Secure Development Lifecycle: Training > Requirements > Design > Implementation > Verification > Release > Response (the diagram marks where vulnerabilities are introduced, where vulnerabilities are identified, and where OSS vulnerabilities are identified)
  • 48. Incident Response
    So you're a software vendor…: 1 Identify Issue > 2 Assess Impact > 3 Dev & Test Fix > 4 Public Release w/ CVE > 5 Post Release
    Enterprise admin? Your patch lifecycle starts HERE: 1 Identify Issue > 2 Assess Impact > 3 Dev & Test Fix > 4 Release > 5 Post Release
  • 49. Identify Issues [Vulnerability Management, step 1: Identify Issue]
    - Internal Security Research Team, Consultants - pre-release vuln assessments
    - External Security Researchers - post release incident response, bug bounties
    - Third Party Libraries/OSS Disclosures - both pre and post release
    - Automated Tools & Analysis
    - Crash log analysis
    - Lots of vulnerabilities to manage
  • 50. Assess Impact: Prioritization Matters [step 2: Assess Impact]
    - You have 150 vulnerabilities open with CVSS 7.5+
    - Your inbound new vulnerabilities average 15 dev tasks per week, from both internal and external sources
    - What do you fix first? Highest CVSS Score? FIFO? LIFO? Externally known issues? Issues with Exploit Presence in Metasploit?
    - Intelligent prioritization reduces risk
  • 52. Dev & Test Fix [step 3: Dev & Test Fix]
    - “Just ship it, we can patch that later” is not cost effective, but becomes more likely the closer you get to release dates
    - Vulnerabilities are inevitable. Choose those that you fix pre-release and those you postpone to post-release carefully.
    - Don't put off fixing the complicated vulnerabilities - they won't get easier once the product is in customer hands
    - Sustainment planning is not just for post-release - you will have to patch vulnerabilities in perfectly functional code before RTM
    Now let's go write some code!
  • 53. Vulnerability Management in SDL
    Requirements:
    - Define guiding Security principles
    - Define prioritization model and sustainment plan
    Design:
    - Design for security and reduce attack surface
    - Evaluate vuln trends in libraries as part of selection criteria
    Implementation:
    - Automated static analysis tools
    - Deprecate unsafe functions
    - Code scanning tools to monitor all third party libraries - know what you use and where
    Verification:
    - Automated static and dynamic analysis tools, fuzzing
    - Manual pen testing & attack surface review
    - Update 3rd party libraries regularly
  • 54. Be Prepared
    - Analysis of vulnerability trends to predict future workload
    - How many vulnerabilities are identified per month?
    - What are their sources?
    - What are the vulnerability types? Is dev training indicated?
    - How quickly is your vulnerability backlog growing (or shrinking)?
    - What is your average Time To Fix?
    - What early monitoring processes can you put in place to minimize surprises?
    - Can you identify low friction areas to diminish risk?
  • 55. Network Admins
    - Ask potential software vendors about their SDL program and vulnerability trends
    - Monitor the third party libraries being used in software you deploy and press vendors for security fixes
    - Make it clear security is a priority
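The prioritization question on slide 50 (highest CVSS? FIFO? externally known? exploit available?) and the planning numbers on slide 54 (inbound per month, sources, time to fix, backlog growth) both come out of the same ticket data. This is an added example, not code from the talk: the six tickets and the scoring weights (+2 for a public exploit, +1 for an externally known issue) are constructed assumptions, not a Bugcrowd or VulnDB scheme, and the ticket fields (cvss, source, opened, closed, public, exploit) are assumed.

```python
"""Rank an open vulnerability backlog three ways and compute basic readiness
metrics. Added example, not part of the original talk; tickets and weights
are constructed."""
from collections import Counter
from datetime import date

# Constructed backlog: six tickets from the kinds of sources slide 49 lists.
# "public" = externally known; "exploit" = a working exploit is available.
BACKLOG = [
    {"id": "V-1", "cvss": 9.3, "source": "internal", "opened": date(2015, 5, 4),
     "closed": date(2015, 6, 1), "public": False, "exploit": False},
    {"id": "V-2", "cvss": 7.8, "source": "third_party", "opened": date(2015, 5, 20),
     "closed": None, "public": True, "exploit": True},
    {"id": "V-3", "cvss": 7.5, "source": "bug_bounty", "opened": date(2015, 6, 2),
     "closed": None, "public": True, "exploit": False},
    {"id": "V-4", "cvss": 10.0, "source": "internal", "opened": date(2015, 6, 10),
     "closed": None, "public": False, "exploit": False},
    {"id": "V-5", "cvss": 5.0, "source": "crash_log", "opened": date(2015, 6, 15),
     "closed": date(2015, 6, 25), "public": False, "exploit": False},
    {"id": "V-6", "cvss": 7.8, "source": "third_party", "opened": date(2015, 7, 1),
     "closed": None, "public": True, "exploit": False},
]


def open_items(backlog):
    return [v for v in backlog if v["closed"] is None]


def order_fifo(backlog):
    """Oldest open ticket first."""
    return [v["id"] for v in sorted(open_items(backlog), key=lambda v: v["opened"])]


def order_by_cvss(backlog):
    """Highest CVSS first, FIFO as the tie-break."""
    return [v["id"] for v in sorted(open_items(backlog), key=lambda v: (-v["cvss"], v["opened"]))]


def risk_score(v):
    """Assumed weighting: base CVSS, +2 if an exploit is public, +1 if the issue is externally known."""
    return v["cvss"] + (2.0 if v["exploit"] else 0.0) + (1.0 if v["public"] else 0.0)


def order_by_risk(backlog):
    """Context-aware ordering: a 7.8 with a public exploit moves ahead of a private 10.0."""
    return [v["id"] for v in sorted(open_items(backlog), key=lambda v: (-risk_score(v), v["opened"]))]


def inbound_per_month(backlog):
    """How many vulnerabilities arrived per month."""
    return dict(sorted(Counter(v["opened"].strftime("%Y-%m") for v in backlog).items()))


def sources(backlog):
    """Where the tickets came from; a skew here tells you which intake channel to resource."""
    return dict(Counter(v["source"] for v in backlog))


def average_time_to_fix_days(backlog):
    """Mean open-to-close interval over tickets that have actually been fixed."""
    fixed = [(v["closed"] - v["opened"]).days for v in backlog if v["closed"]]
    return sum(fixed) / len(fixed) if fixed else 0.0


def backlog_growth(backlog, start, end):
    """Tickets opened minus tickets closed inside [start, end]; positive means the backlog grew."""
    opened = sum(1 for v in backlog if start <= v["opened"] <= end)
    closed = sum(1 for v in backlog if v["closed"] and start <= v["closed"] <= end)
    return opened - closed


if __name__ == "__main__":
    print("FIFO:      ", order_fifo(BACKLOG))
    print("By CVSS:   ", order_by_cvss(BACKLOG))
    print("By risk:   ", order_by_risk(BACKLOG))
    print("Inbound:   ", inbound_per_month(BACKLOG))
    print("Sources:   ", sources(BACKLOG))
    print("Avg TTF:   ", average_time_to_fix_days(BACKLOG), "days")
    print("June delta:", backlog_growth(BACKLOG, date(2015, 6, 1), date(2015, 6, 30)))
```

Running it shows the three orderings disagree on the same four open tickets, which is the whole point of choosing a prioritization model before the backlog reaches 150 items.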
  • 57. Case Study: VMWare
    - Strong security team in rapidly growing enterprise software company
    - Attended my OSS talk with Jake Kouns at BlackHat 2014
    - Requested a copy of our slides for internal use
    - Shared both their own SIRT data and our data regarding security risk with Leadership
  • 58. Case Study: VMWare
    - Already had mature incident response monitoring of 3rd party libraries in released products
    - Adding proactive evaluation and rating/approval of third party libraries in development phase
  • 59. Case Study: VMWare
    - Evaluated and implemented code scanning tool for finding third party libraries in products
    - MOOSECON internal security conference session on 3rd party library vulnerabilities
  • 60. Case Study: VMWare
    - Active testing of third party and OSS libraries along with native code in products
    - Partnering with dev teams to create proactive plans for routine patching cadence as part of dev lifecycle
  • 62. Discussion Kymberlee Price Senior Director of Researcher Operations @kym_possible Bugcrowd

Editor's Notes

  1. (Jake) This is a hard issue for an organization to get their heads around.
  2. Who here is familiar with a CVSS Score? Does your company have an active SDL program? Do you use the STRIDE Model or another vulnerability impact classification system? Do you know who at your company handles product security incident response? Do you have a product security incident response team?
  3. Security is a subset of quality, but with often overlooked costs. This is very much a pay me now or pay me later situation.
  4. (Jake) There are lies, damned lies, and statistics, and while this talk is stats heavy there will be a lot of contextual discussion about validity. Starting off with vulnerability trends: seeing trends can help, so here are some from us! =) If we take a step back and look at code quality, it is clear that vulns are not decreasing; we are still producing poor code. Complexity doesn't matter for this point, but not all vulns are equal, as we know. You can still see here that we are seeing around 10k vulns a year, and this isn't even showing cloud / multi-tenant issues or vulns produced at organizations.
  5. (Jake) Prior to Heartbleed, we were not hearing very much about third party libraries A fancy logo can go a long way!
  6. FREAK
  7. POODLE – scary!
  8. Logjam
  9. (Jake) BASH
  10. (Jake) BASH – ShellShock lame ------ BashBleed lives! https://news.ycombinator.com/item?id=8361574
  11. Not just OpenSSL…….. Other sexy logos to fear as well! And we recycle names of vulns! 117579 2013-01-12 GNU C Library (glibc) nss/digits_dots.c __nss_hostname_digits_dots() Function Heap Buffer Overflow (GHOST); 79214 2005-06-08 Opera Script Code Obfuscation (Ghost); 17334 2005-06-08 Microsoft IE Script Code Obfuscation (Ghost). GHOST: glibc vulnerability (CVE-2015-0235). GHOST is a 'buffer overflow' bug affecting the gethostbyname() and gethostbyname2() function calls in the glibc library. This vulnerability allows a remote attacker that is able to make an application call to either of these functions to execute arbitrary code with the permissions of the user running the application.
  12. (Jake) How much was impacted by Heartbleed? Lets just agree a lot….
  13. (Jake) Counting vulns part 2
  14. (Kymberlee) 7 minutes for section – will see how long this section is when analysis is completed.
  15. (Kymberlee) Minimum requirements to start talking to your engineering partners about third party library vulnerability trends. There are several sources of free vulnerability data. You can go straight to the vendor advisories, NVD, CVEDetails, OSVDB… It will be better than no data. Of course this IS easier with a paid vulnerability data source that is higher quality, a database and some SQL skills, but you CAN do this without those if you don't know how to write SQL but are a Pivot Table Ninja.
  16. NVD and OSVDB are making a valiant effort but you get what you pay for, and vuln data is no different. Here is an example: We e.g. know FFmpeg is a library of concern to many orgs. Compare our info on that library to CVEDetails/CVE/NVD. That should say it all. http://www.cvedetails.com/vendor/3611/Ffmpeg.html <-- CVE Details has total of 191 https://vulndb.cyberriskanalytics.com/vulnerabilities/search?vendor_id=157346  <-- VulnDB has over 1000
  17. (Kymberlee) So who uses OpenSSL? Gmail, Tor, LastPass, AWS, GitHub, Bitcoin, Yahoo, Instagram, Flickr, Etsy, Tumbler, Netflix, GoDaddy, YouTube, WordPress, Pinterest, Dell, VMWare, BlackBerry, and Dropbox. Oh, wait, that’s not 100. Let’s add these to the list. And multiple products by HP, Oracle (including Java), F-Secure, IBM, MySQL, Dell, Novell, OpenBSD, Intel, Juniper, VMWare, Rapid7, nginx, Huawei, Trend Micro, Linux, Tableau, McAfee, F5, Cisco, Fortinet, Sophos, Python, Citrix, SUSE, Ubuntu, Debian, FreeBSD, RedHat…
  18. CVE-2011-0226 is a CVSS 9.3 vulnerability in the FreeType library that was used in JailbreakMe for the iPhone in 2011. If this were a locally exploitable vulnerability, the jailbreak would primarily be a terms of use violation. But it wasn't. A missing parameter check allowed a malicious font program to move a stack pointer outside of its bounds, providing read and write access to various fields of the stack. This vulnerability was remotely exploitable via anything that uses FreeType to parse fonts.
  19. (Kymberlee) We’ve tracked LibPNG to over 130 applications including products from Google, Apple, Adobe, Microsoft, VMWare, BlackBerry, Linux, and Oracle. This thing is eeeeverywhere. Oh, and one of those icons? That’s Webkit. That’s right, another third-party library in a third-party library.
  20. Adobe’s efforts to bring Flash to connected TVs, Blu-ray players and other devices, like its mobile Flash plans, were part of its Open Screen Project, which aimed to create a consistent app runtime across multiple devices. The idea was that developers would be able to create a Flash application once and be able to distribute it across web browsers, mobile devices and TVs. “Adobe will continue to support existing licensees who are planning on supporting Flash Player for web browsing on digital home devices and are using the Flash Player Porting Kit to do so.” -2011
  21. I think we can all agree that Java wins the vulnerability spread competition; it's on Mars.
  22. METHODOLOGY: Used free public data, each individual vendor’s release notes. Paid intelligence feeds like VulnDB will have higher counts, because they are actually analyzing the updates to uncover silently patched vulnerabilities the vendor did not publicly acknowledge For example, 71 listed for OpenSSL, VulnDB has 84 as FYI. (Kymberlee) Let’s start with the poster child, OpenSSL.
  23. Just because Java and Flash have the highest counts of vulnerabilities does NOT necessarily mean their libraries are less secure than Freetype or libpng. Both Oracle and Adobe have the resources to hire dedicated security teams, consultants, run bug bounty programs, etc. The point of sharing this data is so you can have a conversation with your development teams during the design phase of SDL about their vulnerability management plan for the libraries they choose to integrate.
  24. So you’re saying “I thought we weren’t supposed to be using vuln counts or number of releases as the measure of security” and we totally agree. Today there is no One Measure to Rule Them All, just a group of metrics about cadence of release, volume of code churn, severity of issues, and to help you make informed SDL decisions. BUT WHAT ABOUT WINDOW OF OPPORTUNITY? Does it matter how long the vulnerability was known for? (transition to Jake)
  25. (Jake) There are some current attempts at accountability already in place.
  26. Customers don’t really feel this way about your products.
  27. (Jake) Companies that consume third party libraries are not allocating dev resources to security test ‘someone else’s code’. Right or wrong, everyone seems to think that someone else will find the vulns.
30. https://en.wikipedia.org/wiki/Vulnerability_management This is the entirety of the wikipedia entry on vuln mgmt. The second paragraph starts with network security, mentions using fuzzing to identify buffer overflow test cases, and then goes back to network security for the remainder of the article. It's pretty awful, I should edit this and clean it up so Appsec and Netsec are not conflated.
  31. There are even some very fancy models online for Vulnerability Management. Intrusion Monitoring, Event Correlation, Asset and Patch Management…
  32. Well ok, so fixing code you haven’t written yet IS pretty low cost. The main thing to take away from this is that the earlier you fix vulnerabilities, the lower the development cost. Many people think of Vulnerability Management as post-release patch management, but effective vulnerability management starts during development and is an integral part of the Secure Development Lifecycle. Next slide: GOAL, not SDL
  34. This sounds simple, but some development and security teams take an adversarial approach or worse, development just ignores their security team entirely. Why does this happen? Is it just that developers want to work on cool new features and security professionals are holding them back, always saying no to their neat new designs and telling them how bad their code is? It might be some of that, but fundamentally there is a lack of understanding between builders and breakers. This leads to a lack of respect in some cases, which is counterproductive. And vulnerability management is a space where partnership and mutual respect is crucial.
35. Some SDL models merge Requirements & Design for a 6 Phase Lifecycle instead of 7. Where are vulnerabilities introduced in products? Design and Implementation. When are they identified? Verification and Response. But wait… Do you use third party libraries in your development? Then vulnerabilities are being identified all the time, even before you've started the design process.
36. How does vuln mgmt in app sec compare to net sec? In Network Security you frequently see the first step in Vuln Mgmt as "Scan for Vulns". That's just a very specific way of saying "identify an issue". We'll come back to scanners in a moment. The second step in most Net Sec Vuln Mgmt process flows is to assess vulnerabilities for criticality: triage, repro, and prioritization. Net Sec Vuln Mgmt models typically then go to "Patch Applications", without acknowledging that testing is required prior to deployment. Fourth in NSVM is to report on patch deployment, which is typically to executives and leadership teams, not customers. In application security if you are pre-release, internal reporting is consistent, but if the issue was identified externally after product release you'll have to document it publicly with an advisory.
37. In addition to planning regular maintenance to keep your third party libraries up to date, you have to have robust reactive incident response for when one of your third party libraries has an emergency event. The app sec vs. net sec comparison from the previous slide applies here as well: identify, assess, test before you patch, and report, publicly where the issue was found externally after release.
38. So let's talk about where those vulnerabilities come from. Internal Security Team may be FTEs or consultants, but typically they are doing white box vulnerability assessments, running static analysis tools, fuzzing source code… Depending on your organizational structure they may be in a centralized security team, embedded in your product development team, or both. External Security researchers typically report after product release to your SIRT team on exploitable vulnerabilities they've found through black box testing. Maybe they've run some tools, but unless your product is open source this is typically black box testing. Who owns monitoring and managing vulnerability reports in your third party libraries?
39. If your internal security team found a CVSS 9.0, is that higher priority for your dev team to fix than a CVSS 7.5 in a third party library that you use? What if that CVSS 7.5 vulnerability is being actively exploited on a competitor's platform? I give a whole talk on vulnerability prioritization with Michael Roytman of RiskIO and David Severski of Seattle Children's Hospital; I could spend an hour on this alone. You need to determine what your priorities are beyond just CVSS score, which is inherently flawed and is not a meaningful predictor of exploitability.
  40. Sustainment Planning? Yeah, especially if you use third party libraries or are re-using code from a legacy product that external security researchers are looking for vulnerabilities in. Who is responsible for monitoring 3rd party libraries? Who is repro testing newly found vulns in legacy products? Do you know every component that uses OpenSSL? The versions? When is the last time you patched OpenSSL? And the time before that? Do you have any idea how often OpenSSL releases updates? If you only patched OpenSSL last week, during Shellshock, and Heartbleed, you missed patching a bunch of critical vulnerabilities in between.
  41. You can’t prioritize your vulnerabilities if you don’t have early agreement on what is and is not acceptable to ship with. This is where you also define SLAs for time to fix based on vulnerability priority. The legal team is your friend, they want to know what you use where for compliance reasons – partnership can help you secure your products! Blackduck, Palamida, Sonatype, others also offer source code scanning for 3rd party libraries.
42. You can have a very real impact on how software vendors handle vulnerabilities by making it clear that you care about security. Vendors have goals around satisfied customers. If you're unhappy with how many issues are not getting fixed, say so and ask hard questions; that makes a difference.
43. (Kymberlee) Your legal team is your friend here, both for documentation and for funding better tooling like these. Compliance requires documentation; this is how we got started.
  44. (Kymberlee)
  45. (Kymberlee) Can’t implement a scanning tool? You can still monitor security releases for the libraries you are impacted by. Some of these are higher quality than others.
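The inventory check that slides 40 and 45 ask for ("do you know every component that uses OpenSSL, and which versions?", "monitor security releases for the libraries you are impacted by"), as an added example that is not part of the talk or of any vendor's tooling. The component names, the version each one ships, and the two ADV-EXAMPLE advisories are constructed sample data; the only real entry is CVE-2014-0160 (Heartbleed), which was fixed in OpenSSL 1.0.1g. The "one fixed version per release branch, None for an affected branch that got no fix" advisory shape is an assumption made for the example, not a real feed format.

```python
"""Added example (not from the talk): flag components whose OpenSSL is behind.

All inventory entries and the ADV-EXAMPLE-* advisories are constructed sample
data. CVE-2014-0160 (Heartbleed) fixed in 1.0.1g is the one real data point.
"""
import re
from typing import Dict, List, Optional, Tuple

# Legacy OpenSSL versions look like 1.0.1g: major.minor.fix plus an optional
# letter patch level. 3.x releases drop the letter (3.0.7) and parse the same way.
VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)([a-z]*)$")

VersionKey = Tuple[int, int, int, int, str]


def parse_version(text: str) -> VersionKey:
    """Return a sortable key. The letter level is compared by (length, letters)
    so that no letter < 'a' < ... < 'z' < 'za', which plain string order gets wrong."""
    m = VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"not an OpenSSL version string: {text!r}")
    major, minor, fix, letters = m.groups()
    return (int(major), int(minor), int(fix), len(letters), letters)


def branch_of(text: str) -> str:
    """'1.0.1g' -> '1.0.1': fixes are published per release branch."""
    major, minor, fix, _, _ = parse_version(text)
    return f"{major}.{minor}.{fix}"


# advisory id -> {branch: first fixed version, or None when the branch is
# affected but received no fix (end of life)}. Branches that are not listed
# are treated as unaffected; that is an assumption of this example.
Advisories = Dict[str, Dict[str, Optional[str]]]

ADVISORIES: Advisories = {
    "CVE-2014-0160": {"1.0.1": "1.0.1g"},  # Heartbleed; real fixed-in version
    "ADV-EXAMPLE-1": {"1.0.0": None, "1.0.1": "1.0.1m", "1.0.2": "1.0.2a"},  # constructed
    "ADV-EXAMPLE-2": {"1.0.0": None, "1.0.1": "1.0.1p", "1.0.2": "1.0.2d"},  # constructed
}

# Constructed inventory: component -> OpenSSL version it ships with.
INVENTORY: Dict[str, str] = {
    "payments-gateway": "1.0.1e",  # never patched, still pre-Heartbleed
    "build-agent": "1.0.1g",       # patched for Heartbleed, nothing since
    "legacy-kiosk": "1.0.0k",      # end-of-life branch, no fixes available
    "web-frontend": "1.0.2d",      # current for this sample advisory set
}


def is_vulnerable(version: str, fixed_in: Dict[str, Optional[str]]) -> bool:
    """True when `version` sits on an affected branch below the fixed version."""
    branch = branch_of(version)
    if branch not in fixed_in:
        return False
    fixed = fixed_in[branch]
    if fixed is None:
        return True  # affected branch that will never get a fix: always flagged
    return parse_version(version) < parse_version(fixed)


def missing_patches(inventory: Dict[str, str], advisories: Advisories) -> Dict[str, List[str]]:
    """component -> sorted advisory ids that component has not picked up."""
    report: Dict[str, List[str]] = {}
    for component, version in inventory.items():
        missed = [adv for adv, fixed_in in advisories.items() if is_vulnerable(version, fixed_in)]
        report[component] = sorted(missed)
    return report


if __name__ == "__main__":
    for component, missed in missing_patches(INVENTORY, ADVISORIES).items():
        status = ", ".join(missed) if missed else "up to date"
        print(f"{component:18} {INVENTORY[component]:8} {status}")
```

The point of running it over the sample data is the "build-agent" row: it was patched for Heartbleed and then left alone, so it still misses both later advisories, which is exactly the "you only patched during Heartbleed and Shellshock" failure the slide describes. Feeding it your real component list and a real advisory feed is the part the example cannot do for you; the branch-not-listed-means-unaffected assumption in particular should be replaced by the feed's own affected-version data.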
46. (Kymberlee) Don't know if anyone from VMware is here today, but we'd be interested in working with them on VTEM data modeling.