Developer Edition, presented at Philly Emerging Technologies in the Enterprise conference, 2016: increased discussion regarding management of third party libraries during design and development as a part of SDL process, overview of vulnerability management concepts, SDL, Incident Response processes, CVSS, and vulnerability data sources. Attendees were provided with concrete recommendations for each phase of SDL to improve their third party library security.
-------
Many developers today are turning to well established third-party libraries to speed the development process and realize quality improvements over creating an in-house proprietary font parsing or image rendering library from the ground up. Efficiency comes at a cost though: a single application may have as many as 100 different third party libraries implemented. The result is that third-party and open source libraries have the ability to spread a single vulnerability across multiple products, exposing enterprises and requiring software vendors and IT organizations to patch the same vulnerability repeatedly.
How big of a problem is this? What libraries are the biggest offenders for spreading pestilence? And what can be done to minimize this problem? This presentation will dive deep into vulnerability data and explore the source and spread of these vulnerabilities through products – as well as actions developers, the security research community, and enterprise customers can take to address this problem.
2. whoami?
Senior Director of a Red Team
PSIRT Case Manager
Data Analyst
Internet Crime Investigator
Security Evangelist
Behavioral Psychologist
Lawful Good @kym_possible
3. Agenda
Quick overview of problem space
A deeper look at 7 specific libraries
Library Management SDL Recommendations
Case study
8. Where the Vulns Are
“Third-party programs are responsible for 76% of the vulnerabilities discovered in the 50 most popular programs in 2013, say the results of Secunia's Vulnerability Review 2014”
http://www.net-security.org/secworld.php?id=16448
19. How many vulnerabilities do you think there have been in OpenSSL since Heartbleed?
(please don’t use the Secunia counting method!)
Let’s Play Another Game!
20. ID Disc Date CVSS Title
124300 7/9/2015 4 OpenSSL crypto/x509/x509_vfy.c X509_verify_cert() Function Alternative Certificate Chain Handling Certificate Validation Bypass
123176 6/11/2015 10 OpenSSL DTLS Application Data Buffering Invalid Free Remote Memory Corruption
123175 6/11/2015 7.8 OpenSSL signedData Message Unknown Hash Function Processing Infinite Loop Remote DoS
123174 6/11/2015 7.8 OpenSSL crypto/pkcs7/pk7_doit.c PKCS7_dataDecode() Function ASN.1-encoded PKCS#7 Blob Handling NULL Pointer Dereference Remote DoS
123173 6/11/2015 8.5 OpenSSL crypto/x509/x509_vfy.c X509_cmp_time() Function ASN1_TIME String Handling Out-of-bounds Read Issue
123172 6/11/2015 7.8 OpenSSL crypto/bn/bn_gf2m.c BN_GF2m_mod_inv() Function ECParameters Structure Binary Polynomial Field Parsing Infinite Loop Remote DoS
122875 6/2/2015 10 OpenSSL NewSessionTicket Ticket Re-use Double-free Remote Unspecified Issue
122733 5/26/2015 7.8 OpenSSL crypto/bn/random.c BN_rand() Function Off-by-one Buffer Overflow DoS
122331 5/19/2015 4 Transport Layer Security (TLS) Protocol DHE_EXPORT Ciphers Downgrade MitM (Logjam)
122984 5/19/2015 7.5 OpenSSL crypto/bn/bn_print.c BN_bn2hex() Function Off-by-one Buffer Overflow Weakness
119692 3/18/2015 7.8 OpenSSL Invalid Signature Algorithms Extension Renegotiation NULL Pointer Dereference Remote DoS
119760 3/16/2015 7.1 OpenSSL ssl/d1_lib.c dtls1_listen() Function SSL Object State Preservation DoS
119757 3/16/2015 7.8 OpenSSL SSLv2 CLIENT-MASTER-KEY Message Handling Assertion Remote DoS
119758 3/16/2015 7.1 OpenSSL ssl/s3_pkt.c ssl3_write_bytes() Function Multiblock Implementation DoS
119614 3/16/2015 7.8 OpenSSL Client Authentication DHE Ciphersuite Zero-length ClientKeyExchange Message Handling Remote DoS
119756 3/16/2015 7.1 OpenSSL PKCS#7 Missing Outer ContentInfo Handling NULL Pointer Dereference DoS
119759 3/16/2015 7.1 OpenSSL crypto/rsa/rsa_ameth.c rsa_item_verify() Function Invalid PSS Parameters Handling NULL Pointer Dereference DoS
119755 3/16/2015 9.3 OpenSSL crypto/asn1/tasn_dec.c ASN1_item_ex_d2i() Function ASN.1 Structure Reuse Memory Corruption
119761 3/16/2015 7.1 OpenSSL crypto/asn1/a_type.c ASN1_TYPE_cmp() Function Invalid Read DoS
119673 3/10/2015 2.6 OpenSSL s3_clnt.c ssl3_client_hello() Function Unseeded PRNG Handshake Completion Predictable Output
120058 3/3/2015 2.6 OpenSSL Malformed TLS Handshake False Start Data Remote MitM Disclosure Weakness
119328 3/2/2015 5.4 OpenSSL crypto/x509/x509_req.c X509_to_X509_REQ() Function Public Key Handling NULL Pointer Dereference DoS
118817 2/25/2015 10 OpenSSL crypto/ec/ec_asn1.c d2i_ECPrivateKey() Function Error Handling Use-after-free DoS
117855 1/19/2015 2.6 Secure Sockets Layer Version 3 (SSLv3) / Transport Layer Security (TLS) Protocols RC4 Cipher Key Invariance Weakness MitM Plaintext Disclosure (BAR-MITZVAH)
116791 1/8/2015 7.8 OpenSSL dtls1_buffer_record() Function DTLS Record Saturation Handling Memory Leak Remote DoS
116793 1/8/2015 7.8 OpenSSL dtls1_get_record DTLS Message Handling NULL Pointer Dereference Remote DoS
116790 1/8/2015 5.1 OpenSSL TLS DH Certificate Missing Certificate Verify Message Handling MitM Spoofing (SKIP-TLS)
116796 1/8/2015 5.1 OpenSSL Bignum Squaring Incorrect Result Weakness
116794 1/6/2015 4 OpenSSL RSA Temporary Key Handling EXPORT_RSA Ciphers Downgrade MitM (FREAK)
116792 1/5/2015 4.3 OpenSSL Signature Algorithm / Signature Encoding Modification Certificate Fingerprint Manipulation Weakness
116795 1/5/2015 5 OpenSSL Missing Server Key Exchange Message Handling ECDH Ciphersuite Downgrade Issue
116423 10/16/2014 7.8 OpenSSL s23_srvr.c ssl23_get_client_hello() Function SSLv3 Handshake Handling NULL Pointer Dereference Remote DoS
113377 10/15/2014 5 OpenSSL no-ssl3 Build Option SSL 3.0 Handshake Handling Weakness
113373 10/14/2014 7.8 OpenSSL DTLS SRTP Extension Parsing Code Handshake Message Handling Memory Leak Remote DoS
113374 10/14/2014 7.8 OpenSSL SSL/TLS/DTLS Server Failed Session Ticket Verification Handling Memory Leak Remote DoS
113251 10/13/2014 2.6 SSL 3.0 Protocol CBC-mode Ciphers Fallback MitM Remote Cleartext Information Disclosure (POODLE)
109892 8/6/2014 7.8 OpenSSL DTLS Handshake Messages Processing Memory Consumption Remote DoS
109893 8/6/2014 7.8 OpenSSL DTLS Packet Handling Double-free Remote DoS
109894 8/6/2014 5 OpenSSL OBJ_obj2txt Multiple Pretty Printing Functions Pretty Printing Output Remote Information Disclosure
109898 8/6/2014 7.1 OpenSSL SRP Ciphersuite NULL Pointer Dereference Remote DoS
109891 8/6/2014 7.8 OpenSSL Crafted DTLS Packet Handling Memory Leak Remote DoS
109897 8/6/2014 10 OpenSSL SRP Protocol Code Multiple Parameter Remote Buffer Overflow
109896 8/6/2014 2.6 OpenSSL SSL/TLS Server Code ClientHello Message Fragmentation Forced TLS Downgrade Weakness
109902 8/6/2014 9.3 OpenSSL ssl_parse_serverhello_tlsext Resumed Session EC Point Format Extension Handling Race Condition Use-after-free Issue
109895 8/6/2014 7.8 OpenSSL Anonymous (EC)DH Ciphersuite Crafted Handshake Messages NULL Pointer Dereference Remote DoS
107731 6/4/2014 7.8 OpenSSL TLS Client Anonymous ECDH Ciphersuite Unspecified Remote DoS
107730 6/4/2014 10 OpenSSL Invalid DTLS Fragment Handling Remote Buffer Overflow
107732 6/4/2014 7.8 OpenSSL ssl/d1_both.c dtls1_get_message_fragment() Function Invalid DTLS Handshake Handling Remote DoS
107729 6/3/2014 4 OpenSSL Crafted Handshake Weak Keying Material Rollback MitM Weakness
119743 5/6/2014 9.3 OpenSSL crypto/evp/encode.c EVP_DecodeUpdate() Function Base64 Decoding Integer Underflow
106531 4/30/2014 7.8 OpenSSL / LibReSSL ssl/s3_pkt.c do_ssl3_write() Function NULL Pointer Dereference Remote DoS
105763 4/11/2014 4 OpenSSL ssl/s3_pkt.c ssl3_read_bytes() Function Use-after-free Remote Content Injection
105465 4/7/2014 5 OpenSSL TLS Heartbeat Extension Packets Handling Out-of-bounds Read Remote Memory Disclosure (Heartbleed)
Average CVSS 5.23
22. Putting Data to Use (without being a data scientist)
Vulnerability data
Spreadsheet software
Probably a browser
23. Data from public sources is limited
FFMPEG: CVE Details vs. VulnDB
CVE Details: 191
VulnDB: 1,000+
DATA CAVEAT
“Fixes the following vulnerabilities [CVE LIST] …and more security issues that have no CVE number. Many of these issues can be exploited when a remote file is played back and a few are probable arbitrary code execution vulnerabilities.”
30. The Numbers: Jan 2007-July 2015
Library (shown as logo)   Vuln Count   Vulns Per Year   Releases Per Year   Average CVSS   2015 Vulns   % total
(logo)                    90           10-11            3                   5.49           29           32.2%
(logo)                    50           6                2                   7.43           0            0%
(logo)                    28           3                2-3                 6.65           0            0%
(logo)                    100          12               5                   4.72           4            4%
(logo)                    522          80               11                  8.96           135          25.9%
(logo)                    539          98               4                   7.07*          58           10.7%
*2010-to present
*2009-to present
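The table above is what you get once vulnerability records are reduced to a handful of numbers: how many, how many per year, how severe, and what share landed in the current year. The script below is an added example (not code from the talk) that computes those measures from records in the same “ID date CVSS title” shape as the OpenSSL list earlier in the deck; the eight rows embedded as input are copied from that list, so the resulting numbers describe the sample only, not all of OpenSSL.

```python
"""Library-quality metrics (vuln count, vulns per year, average CVSS, share of
vulns in a given year) computed from plain vulnerability records.

Added example; not code from the talk.  Input format is the one used in the
OpenSSL table on the slides: "<ID> <M/D/YYYY> <CVSS> <title>".
"""
from collections import Counter
from datetime import datetime
from statistics import mean
from typing import Dict, List, NamedTuple


class VulnRecord(NamedTuple):
    vid: str
    disclosed: datetime
    cvss: float
    title: str


# Eight rows copied from the OpenSSL table on the slides (a subset, so the
# numbers computed below describe this sample, not the full list).
SAMPLE_ROWS = """\
124300 7/9/2015 4 OpenSSL crypto/x509/x509_vfy.c X509_verify_cert() Function Alternative Certificate Chain Handling Certificate Validation Bypass
123176 6/11/2015 10 OpenSSL DTLS Application Data Buffering Invalid Free Remote Memory Corruption
122331 5/19/2015 4 Transport Layer Security (TLS) Protocol DHE_EXPORT Ciphers Downgrade MitM (Logjam)
118817 2/25/2015 10 OpenSSL crypto/ec/ec_asn1.c d2i_ECPrivateKey() Function Error Handling Use-after-free DoS
116423 10/16/2014 7.8 OpenSSL s23_srvr.c ssl23_get_client_hello() Function SSLv3 Handshake Handling NULL Pointer Dereference Remote DoS
113251 10/13/2014 2.6 SSL 3.0 Protocol CBC-mode Ciphers Fallback MitM Remote Cleartext Information Disclosure (POODLE)
109897 8/6/2014 10 OpenSSL SRP Protocol Code Multiple Parameter Remote Buffer Overflow
105465 4/7/2014 5 OpenSSL TLS Heartbeat Extension Packets Handling Out-of-bounds Read Remote Memory Disclosure (Heartbleed)
"""


def parse_rows(text: str) -> List[VulnRecord]:
    """Parse one record per line; the title is everything after the CVSS field."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        vid, raw_date, raw_cvss, title = line.split(maxsplit=3)
        records.append(VulnRecord(vid, datetime.strptime(raw_date, "%m/%d/%Y"),
                                  float(raw_cvss), title))
    return records


def library_metrics(records: List[VulnRecord], focus_year: int,
                    high_cvss: float = 7.0) -> Dict[str, object]:
    """The slide-33 measures: total count, per-year counts, average CVSS, how
    many records are at or above `high_cvss`, and the count and share of
    records disclosed in `focus_year`."""
    if not records:
        raise ValueError("no records to measure")
    per_year = Counter(r.disclosed.year for r in records)
    focus = per_year.get(focus_year, 0)
    return {
        "count": len(records),
        "per_year": dict(sorted(per_year.items())),
        "avg_cvss": mean(r.cvss for r in records),
        "high_severity": sum(1 for r in records if r.cvss >= high_cvss),
        "focus_year_count": focus,
        "focus_year_share_pct": round(100.0 * focus / len(records), 1),
    }


if __name__ == "__main__":
    metrics = library_metrics(parse_rows(SAMPLE_ROWS), focus_year=2015)
    for key, value in metrics.items():
        print(f"{key}: {value}")
```

Swap `SAMPLE_ROWS` for an export from whichever data source you have (vendor advisories, NVD, a paid feed) and the same functions give the per-library row for the table; the “releases per year” column needs the library's release history as a second input, which is the subject of the later SDL slides.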
32. Efficiency At What Cost?
Not just one library impacting many organizations
A single application may have as many as 100 different third party libraries implemented
That is a whole lot of patching to keep up on for both devs and customers
33. What should you measure library quality on?
Count of vulnerabilities
Frequency of update releases
Average severity of vulns (CVSS or other)
Existence of POC or Exploit
DEBATE
37. Code Quality
Open source is secure because everyone can review it - more eyes makes all bugs shallow.
Everyone *could* look at it, but they don’t.
Accountability for quality is deferred.
38. Code Quality
That means closed source is more secure because no one can review it and it is supported by big enterprises, right?
Bad code is just that, bad code.
Bad code exists in Closed Source software as well.
40. Vulnerability Management
Vulnerability management is the "cyclical practice of identifying, classifying, remediating,
and mitigating vulnerabilities", especially in software and firmware. Vulnerability
management is integral to computer security and network security.
Vulnerabilities can be discovered with a vulnerability scanner, which analyzes a computer system in
search of known vulnerabilities, such as open ports, insecure software configuration, and
susceptibility to malware. Unknown vulnerabilities, such as a zero-day attack may be found with fuzz
testing, which can identify certain kinds of vulnerabilities, such as a buffer overflow exploit with
relevant test cases. Such analyses can be facilitated by test automation. In addition, antivirus
software capable of heuristic analysis may discover undocumented malware if it finds software
behaving suspiciously (such as attempting to overwrite a system file).
Correcting vulnerabilities may variously involve the installation of a patch, a change in network
security policy, reconfiguration of software (such as a firewall), or educating users about social
engineering.
https://en.wikipedia.org/wiki/Vulnerability_management
43. Cost to Fix Vulnerabilities
The National Institute of Standards and Technology (NIST) estimates that code fixes performed after release can result in 25+ times the cost of fixes performed during the design phase.
tl;dr: Pay me now or pay me later… with interest.
44. THE GOAL OF VULNERABILITY MANAGEMENT
“Fix vulnerabilities as early as is practical, resulting in fewer vulnerabilities to patch at the most expensive time - late in the development cycle.”
48. Incident Response
So you’re a software vendor… 1 Identify Issue → 2 Assess Impact → 3 Dev & Test Fix → 4 Public Release w/ CVE → 5 Post Release
Enterprise admin? 1 Identify Issue → 2 Assess Impact → 3 Dev & Test Fix → 4 Release → 5 Post Release
Your patch lifecycle starts HERE
49. Identify Issues
Internal Security Research Team, Consultants – pre-release vuln assessments
External Security Researchers – post release incident response, bug bounties
Third Party Libraries/OSS Disclosures – both pre and post release
Automated Tools & Analysis
Crash log analysis
Lots of vulnerabilities to manage
50. Assess Impact: Prioritization Matters
You have 150 vulnerabilities open with CVSS 7.5+
Your inbound new vulnerabilities average 15 dev tasks per week, from both internal and external sources
What do you fix first?
Highest CVSS Score?
FIFO? LIFO?
Externally known issues?
Issues with Exploit Presence in Metasploit?
Intelligent prioritization reduces risk
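Slide 50 asks what to fix first when CVSS alone cannot answer, and the speaker notes sharpen it: is an internal CVSS 9.0 finding more urgent than a CVSS 7.5 in a third-party library that is being exploited on someone else's platform? The script below is an added example, not code from the talk. It scores a constructed backlog with a rubric that starts from CVSS and adds weight for public exploit code, active exploitation and external knowledge, maps the score to a tier, and computes remaining time against a per-tier time-to-fix SLA. The weights, tiers and SLA days are assumptions chosen for illustration; the point is that the ordering they produce differs from a plain CVSS sort.

```python
"""Backlog prioritization that goes beyond the raw CVSS score.

Added example; not code from the talk.  The weights, the P1/P2/P3 tiers and
the SLA days are assumptions chosen for illustration; each team sets its own.
"""
from dataclasses import dataclass
from datetime import date
from typing import Dict, List


@dataclass(frozen=True)
class Vuln:
    vid: str
    cvss: float
    source: str               # "internal" (own team/tools) or "external" (researcher, advisory)
    exploit_public: bool      # e.g. a Metasploit module exists
    actively_exploited: bool  # seen exploited in the wild
    third_party: bool         # lives in a library you consume, not in your own code
    reported: date


# Assumed scoring: start from CVSS, add weight for factors CVSS alone ignores.
WEIGHTS = {"exploit_public": 2.0, "actively_exploited": 3.0, "external": 1.0}
# Assumed tiers and time-to-fix SLAs in days.
SLA_DAYS = {"P1": 7, "P2": 30, "P3": 90}


def priority_score(v: Vuln) -> float:
    score = v.cvss
    if v.exploit_public:
        score += WEIGHTS["exploit_public"]
    if v.actively_exploited:
        score += WEIGHTS["actively_exploited"]
    # A third-party library advisory is public knowledge, like an external report.
    if v.source == "external" or v.third_party:
        score += WEIGHTS["external"]
    return score


def tier_for(score: float) -> str:
    if score >= 10.0:
        return "P1"
    if score >= 7.0:
        return "P2"
    return "P3"


def triage(backlog: List[Vuln], today: date) -> List[Dict[str, object]]:
    """Return the backlog ordered by what to fix first, with tier and SLA slack
    (a negative days_remaining means the SLA is already blown)."""
    rows = []
    for v in backlog:
        score = priority_score(v)
        tier = tier_for(score)
        age_days = (today - v.reported).days
        rows.append({"vid": v.vid, "cvss": v.cvss, "score": score, "tier": tier,
                     "days_remaining": SLA_DAYS[tier] - age_days})
    # Highest score first; among equal scores, the one nearest to (or past) its SLA first.
    rows.sort(key=lambda r: (-r["score"], r["days_remaining"]))
    return rows


# Constructed backlog modelled on the question in the speaker notes: an internal
# CVSS 9.0 finding versus a CVSS 7.5 third-party bug being exploited elsewhere.
TODAY = date(2015, 7, 1)
SAMPLE_BACKLOG = [
    Vuln("V-1", 9.0, "internal", False, False, False, date(2015, 6, 1)),
    Vuln("V-2", 7.5, "external", False, True, True, date(2015, 6, 20)),
    Vuln("V-3", 7.8, "external", True, False, False, date(2015, 3, 1)),
    Vuln("V-4", 4.0, "internal", False, False, False, date(2015, 5, 1)),
]

if __name__ == "__main__":
    for row in triage(SAMPLE_BACKLOG, TODAY):
        print(row)
```

On this sample the exploited CVSS 7.5 library bug and the CVSS 7.8 with public exploit code both land in P1 and sort above the internal 9.0, which is exactly the outcome a CVSS-only queue would hide.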
52. Dev & Test Fix
“Just ship it, we can patch that later” is not cost effective, but becomes more likely the closer you get to release dates
Vulnerabilities are inevitable. Choose those that you fix pre-release and those you postpone to post-release carefully.
Don’t put off fixing the complicated vulnerabilities – they won’t get easier once the product is in customer hands
Sustainment planning is not just for post-release – you will have to patch vulnerabilities in perfectly functional code before RTM
Now let’s go write some code!
53. Vulnerability Management in SDL
Requirements: Define guiding security principles; Define prioritization model and sustainment plan
Design: Design for security and reduce attack surface; Evaluate vuln trends in libraries as part of selection criteria
Implementation: Automated static analysis tools; Deprecate unsafe functions; Code scanning tools to monitor all third party libraries – know what you use and where
Verification: Automated static and dynamic analysis tools, fuzzing; Manual pen testing & attack surface review; Update 3rd party libraries regularly
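“Know what you use and where” and “update 3rd party libraries regularly” only become actionable once the inventory and the library's release history sit side by side; the speaker notes ask the same thing directly (do you know every component that uses OpenSSL, and which versions, and how many releases you skipped between Heartbleed and Shellshock?). The script below is an added example, not code from the talk or from any scanning product. It compares a constructed component-to-version inventory against an illustrative list of OpenSSL 1.0.1 letter releases (a sample, not an authoritative changelog) and reports, per component, the security releases it has not picked up. The version parser handles OpenSSL's `major.minor.fix[letter]` scheme, where the bare version precedes `a` and a higher fix number beats any letter.

```python
"""Know what you use and where: check each product component's bundled OpenSSL
version against the library's release history and list the releases it missed.

Added example; not code from the talk.  The inventory is constructed and the
release list is an illustrative sample of 1.0.1 letter releases, not an
authoritative changelog.
"""
import re
from datetime import date
from typing import Dict, List, NamedTuple, Tuple


class Release(NamedTuple):
    version: str
    released: date


# Illustrative release history for the 1.0.1 branch (sample, dates approximate).
OPENSSL_RELEASES = [
    Release("1.0.1g", date(2014, 4, 7)),   # the Heartbleed fix
    Release("1.0.1h", date(2014, 6, 5)),
    Release("1.0.1i", date(2014, 8, 6)),
    Release("1.0.1j", date(2014, 10, 15)),
    Release("1.0.1k", date(2015, 1, 8)),
    Release("1.0.1l", date(2015, 1, 15)),
    Release("1.0.1m", date(2015, 3, 19)),
    Release("1.0.1n", date(2015, 6, 11)),
    Release("1.0.1o", date(2015, 6, 12)),
    Release("1.0.1p", date(2015, 7, 9)),
]

# Constructed inventory: product component -> bundled OpenSSL version.
SAMPLE_INVENTORY = {
    "web-frontend": "1.0.1g",
    "license-server": "1.0.1k",
    "build-agent": "1.0.1p",
    "legacy-appliance": "1.0.1e",
}

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)([a-z]*)$")


def parse_version(v: str) -> Tuple[int, int, int, str]:
    """OpenSSL-style 'major.minor.fix[letter]' as a sortable tuple: the bare
    version sorts before '...a', and a higher fix number beats any letter."""
    m = _VERSION_RE.match(v)
    if not m:
        raise ValueError(f"unrecognised version string: {v!r}")
    major, minor, fix, letter = m.groups()
    return int(major), int(minor), int(fix), letter


def missed_releases(installed: str, releases: List[Release]) -> List[Release]:
    """Every release newer than the installed version, oldest first."""
    have = parse_version(installed)
    newer = [r for r in releases if parse_version(r.version) > have]
    return sorted(newer, key=lambda r: r.released)


def audit(inventory: Dict[str, str], releases: List[Release]) -> Dict[str, List[str]]:
    """Component -> versions it has not picked up; an empty list means current."""
    return {component: [r.version for r in missed_releases(version, releases)]
            for component, version in inventory.items()}


if __name__ == "__main__":
    for component, missed in audit(SAMPLE_INVENTORY, OPENSSL_RELEASES).items():
        print(f"{component}: {len(missed)} missed release(s) {missed}")
```

In practice the inventory comes from a scanning tool or a build manifest and the release list from the project's own announcements; the comparison logic stays the same, and a non-empty list for a shipped component is the sustainment work item.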
54. Be Prepared
Analysis of vulnerability trends to predict future workload
How many vulnerabilities are identified per month?
What are their sources?
What are the vulnerability types? Is dev training indicated?
How quickly is your vulnerability backlog growing (or shrinking)?
What is your average Time To Fix?
What early monitoring processes can you put in place to minimize surprises?
Can you identify low friction areas to diminish risk?
55. Network Admins
Ask potential software vendors about their SDL program and vulnerability trends
Monitor the third party libraries being used in software you deploy and press vendors for security fixes
Make it clear security is a priority
57. Case Study: VMWare
Strong security team in rapidly growing enterprise software company
Attended my OSS talk with Jake Kouns at BlackHat 2014
Requested a copy of our slides for internal use
Shared both their own SIRT data and our data regarding security risk with Leadership
58. Case Study: VMWare
Already had mature incident response monitoring of 3rd party libraries in released products
Adding proactive evaluation and rating/approval of third party libraries in development phase
59. Case Study: VMWare
Evaluated and implemented code scanning tool for finding third party libraries in products
MOOSECON internal security conference session on 3rd party library vulnerabilities
60. Case Study: VMWare
Active testing of third party and OSS libraries along with native code in products
Partnering with dev teams to create proactive plans for routine patching cadence as part of dev lifecycle
(Jake) This is a hard issue for an organization to get their heads around.
Who here is familiar with a CVSS Score?
Does your company have an active SDL program?
Do you use the STRIDE Model or another vulnerability impact classification system?
Do you know who at your company handles product security incident response?
Do you have a product security incident response team?
Security is a subset of quality, but with often overlooked costs. This is very much a pay me now or pay me later situation.
(Jake) There are lies, damned lies, and statistics, and while this talk is stats heavy there will be a lot of contextual discussion about validity. Starting off with vulnerability trends. Seeing trends can help; here are some from us! =) If we take a step back and look at code quality, it is clear that vulns are not decreasing; we are still producing poor code. Doesn’t matter the complexity for this point, but not all vulns are equal as we know. You can still see here that we are seeing around 10k vulns a year, and this isn’t even showing cloud / multi-tenant issues or vulns produced at organizations.
(Jake) Prior to Heartbleed, we were not hearing very much about third party libraries
A fancy logo can go a long way!
Not just OpenSSL… Other sexy logos to fear as well! And we recycle names of vulns!
117579 2013-01-12 GNU C Library (glibc) nss/digits_dots.c __nss_hostname_digits_dots() Function Heap Buffer Overflow (GHOST)
79214 2005-06-08 Opera Script Code Obfuscation (Ghost)
17334 2005-06-08 Microsoft IE Script Code Obfuscation (Ghost)
GHOST: glibc vulnerability (CVE-2015-0235)
GHOST is a 'buffer overflow' bug affecting the gethostbyname() and gethostbyname2() function calls in the glibc library. This vulnerability allows a remote attacker that is able to make an application call to either of these functions to execute arbitrary code with the permissions of the user running the application.
(Jake) How much was impacted by Heartbleed? Let’s just agree a lot….
(Jake) Counting vulns part 2
(Kymberlee) 7 minutes for section – will see how long this section is when analysis is completed.
(Kymberlee) Minimum requirements to start talking to your engineering partners about third party library vulnerability trends. There are several sources of free vulnerability data. You can go straight to the vendor advisories, NVD, CVEDetails, OSVDB… It will be better than no data.
Of course this IS easier with a paid vulnerability data source that is higher quality, a database and some SQL skills, but you CAN do this without those if you don’t know how to write SQL but are a Pivot Table Ninja.
NVD and OSVDB are making a valiant effort but you get what you pay for, and vuln data is no different. Here is an example: we know, e.g., that FFmpeg is a library of concern to many orgs. Compare our info on that library to CVEDetails/CVE/NVD. That should say it all.
http://www.cvedetails.com/vendor/3611/Ffmpeg.html <-- CVE Details has total of 191
https://vulndb.cyberriskanalytics.com/vulnerabilities/search?vendor_id=157346 <-- VulnDB has over 1000
(Kymberlee)
So who uses OpenSSL? Gmail, Tor, LastPass, AWS, GitHub, Bitcoin, Yahoo, Instagram, Flickr, Etsy, Tumblr, Netflix, GoDaddy, YouTube, WordPress, Pinterest, Dell, VMWare, BlackBerry, and Dropbox.
Oh, wait, that’s not 100. Let’s add these to the list.
And multiple products by HP, Oracle (including Java), F-Secure, IBM, MySQL, Dell, Novell, OpenBSD, Intel, Juniper, VMWare, Rapid7, nginx, Huawei, Trend Micro, Linux, Tableau, McAfee, F5, Cisco, Fortinet, Sophos, Python, Citrix, SUSE, Ubuntu, Debian, FreeBSD, RedHat…
CVE-2011-0226 is a CVSS 9.3 vulnerability in the FreeType library that was used in JailbreakMe for the iPhone in 2011. If this were a locally exploitable vulnerability, the jailbreak would primarily be a terms of use violation. But it wasn’t. A missing parameter check allowed a malicious font program to move a stack pointer outside of its bounds, providing read and write access to various fields of the stack. This vulnerability was remotely exploitable via anything that uses FreeType to parse fonts.
(Kymberlee)
We’ve tracked LibPNG to over 130 applications including products from Google, Apple, Adobe, Microsoft, VMWare, BlackBerry, Linux, and Oracle. This thing is eeeeverywhere.
Oh, and one of those icons? That’s Webkit. That’s right, another third-party library in a third-party library.
Adobe’s efforts to bring Flash to connected TVs, Blu-ray players and other devices, like its mobile Flash plans, were part of its Open Screen Project, which aimed to create a consistent app runtime across multiple devices. The idea was that developers would be able to create a Flash application once and be able to distribute it across web browsers, mobile devices and TVs.
“Adobe will continue to support existing licensees who are planning on supporting Flash Player for web browsing on digital home devices and are using the Flash Player Porting Kit to do so.” -2011
I think we can all agree that Java wins the vulnerability spread competition; it’s on Mars.
METHODOLOGY: Used free public data, each individual vendor’s release notes. Paid intelligence feeds like VulnDB will have higher counts, because they are actually analyzing the updates to uncover silently patched vulnerabilities the vendor did not publicly acknowledge. For example, 71 listed for OpenSSL; VulnDB has 84 as FYI.
(Kymberlee) Let’s start with the poster child, OpenSSL.
Just because Java and Flash have the highest counts of vulnerabilities does NOT necessarily mean their libraries are less secure than Freetype or libpng. Both Oracle and Adobe have the resources to hire dedicated security teams, consultants, run bug bounty programs, etc. The point of sharing this data is so you can have a conversation with your development teams during the design phase of SDL about their vulnerability management plan for the libraries they choose to integrate.
So you’re saying “I thought we weren’t supposed to be using vuln counts or number of releases as the measure of security” and we totally agree. Today there is no One Measure to Rule Them All, just a group of metrics about cadence of release, volume of code churn, and severity of issues to help you make informed SDL decisions.
BUT WHAT ABOUT WINDOW OF OPPORTUNITY? Does it matter how long the vulnerability was known for? (transition to Jake)
(Jake) There are some current attempts at accountability already in place.
Customers don’t really feel this way about your products.
(Jake) Companies that consume third party libraries are not allocating dev resources to security test ‘someone else’s code’. Right or wrong, everyone seems to think that someone else will find the vulns.
https://en.wikipedia.org/wiki/Vulnerability_management
This is the entirety of the Wikipedia entry on vuln mgmt.
The second paragraph starts with network security, mentions using fuzzing to identify buffer overflow test cases, and then goes back to network security for the remainder of the article. It’s pretty awful; I should edit this and clean it up so AppSec and NetSec are not conflated.
There are even some very fancy models online for Vulnerability Management. Intrusion Monitoring, Event Correlation, Asset and Patch Management…
Well ok, so fixing code you haven’t written yet IS pretty low cost. The main thing to take away from this is that the earlier you fix vulnerabilities, the lower the development cost.
Many people think of Vulnerability Management as post-release patch management, but effective vulnerability management starts during development and is an integral part of the Secure Development Lifecycle. Next slide: GOAL, not SDL
This sounds simple, but some development and security teams take an adversarial approach or worse, development just ignores their security team entirely. Why does this happen? Is it just that developers want to work on cool new features and security professionals are holding them back, always saying no to their neat new designs and telling them how bad their code is?
It might be some of that, but fundamentally there is a lack of understanding between builders and breakers. This leads to a lack of respect in some cases, which is counterproductive. And vulnerability management is a space where partnership and mutual respect is crucial.
Some SDL models merge Requirements & Design for a 6 Phase Lifecycle instead of 7
Where are vulnerabilities introduced in products? Design and Implementation
When are they identified? Verification and Response.
But wait…
Do you use third party libraries in your development?
Then vulnerabilities are being identified all the time, even before you’ve started the design process.
How does vuln mgmt in app sec compare to net sec?
In Network Security you frequently see the first step in Vuln Mgmt as “Scan for Vulns”. That’s just a very specific way of saying “identify an issue”. We’ll come back to scanners in a moment.
The second step in most Net Sec Vuln Mgmt process flows is to assess vulnerabilities for criticality. Triage, repro, and prioritization.
Net Sec Vuln Mgmt models typically then go to “Patch Applications”, without acknowledging that testing is required prior to deployment
Fourth in NSVM is to report on patch deployment, which is typically to executives and leadership teams, not customers. In application security if you are pre-release, internal reporting is consistent, but if the issue was identified externally after product release you’ll have to document it publicly with an advisory.
In addition to planning regular maintenance to keep your third party library up to date, you have to have robust reactive incident response for when your third party libraries have an emergency event.
So let’s talk about where those vulnerabilities come from.
Internal Security Team may be FTEs or consultants, but typically they are doing white box vulnerability assessments, running static analysis tools, fuzzing source code… Depending on your organizational structure they may be in a centralized security team, embedded in your product development team, or both.
External Security researchers typically report after product release to your SIRT team on exploitable vulnerabilities they’ve found through black box testing. Maybe they’ve run some tools, but unless your product is open source this is typically black box testing.
Who owns monitoring and managing vulnerability reports in your third party libraries?
If your internal security team found a CVSS 9.0 is that higher priority for your dev team to fix than a CVSS 7.5 in a third party library that you use? What if that CVSS 7.5 vulnerability is being actively exploited on a competitor’s platform?
I give a whole talk on vulnerability prioritization with Michael Roytman of RiskIO and David Severski of Seattle Children’s Hospital, I could spend an hour on this alone. You need to determine what your priorities are beyond just CVSS score which is inherently flawed and is not a meaningful predictor of exploitability.
Sustainment Planning? Yeah, especially if you use third party libraries or are re-using code from a legacy product that external security researchers are looking for vulnerabilities in.
Who is responsible for monitoring 3rd party libraries? Who is repro testing newly found vulns in legacy products?
Do you know every component that uses OpenSSL? The versions?
When is the last time you patched OpenSSL? And the time before that? Do you have any idea how often OpenSSL releases updates?
If you only patched OpenSSL last week, during Shellshock, and Heartbleed, you missed patching a bunch of critical vulnerabilities in between.
You can’t prioritize your vulnerabilities if you don’t have early agreement on what is and is not acceptable to ship with. This is where you also define SLAs for time to fix based on vulnerability priority.
The legal team is your friend, they want to know what you use where for compliance reasons – partnership can help you secure your products! Blackduck, Palamida, Sonatype, others also offer source code scanning for 3rd party libraries.
You can have a very real impact on how software vendors handle vulnerabilities by making it clear that you care about security. Vendors have goals around satisfied customers. If you’re unhappy with how many issues are not getting fixed prior to and asking hard questions that makes a difference.
(Kymberlee) Your legal team is your friend here – both for documentation as well as funding for better tooling like these:
Legal team: compliance requires documentation, this is how we got started.
(Kymberlee)
(Kymberlee) Can’t implement a scanning tool? You can still monitor security releases for the libraries you are impacted by. Some of these are higher quality than others.
(Kymberlee) Don’t know if anyone from VMWare is here today, but we’d be interested in working with them on VTEM data modeling.