In their aftermath, the Log4j vulnerabilities put the spotlight on vendor management and supply chain security practices. Now that the dust has settled and the worst of the fallout has passed, this talk presents perspectives on the likely mid- and long-term changes the security industry will see as a result of dealing with the Log4j issue, the latest in an escalating series of open source and software supply chain incidents.
2. OWASP FOUNDATION owasp.org
Bio
• Developer by background
• OWASP Global Membership Committee (long time ago)
• OWASP San Antonio Chapter Co-Lead
• Founder/CTO at Denim Group
• VP Product Strategy, Coalfire
5. Log4j Background
• Other presenters from today’s event
• Also resources from the folks at Jemurai (slides, video)
  • https://jemurai.com/2021/12/15/log4j-security-issue/
6. Short-Term Impacts
• Christmas: ruined
  • This happens in InfoSec every year…
• Lot of scrambling
  • What applications do we have using log4j?
  • Which of them are exploitable?
  • How do we upgrade?
  • Wait a minute – what applications do we have – just in general?!
7. OWASP: Here to Help
• What applications do I have?
  • OWASP Amass https://owasp.org/www-project-amass/
    • Attack surface detection and management
• Of those applications, which are vulnerable?
  • OWASP ZAP https://www.zaproxy.org/
    • Web proxy and DAST scanner
    • OWASP ZAP and Log4Shell https://www.zaproxy.org/blog/2021-12-10-zap-and-log4shell/
    • OWASP ZAP detecting Log4Shell https://www.zaproxy.org/blog/2021-12-14-log4shell-detection-with-zap/
8. Predicted Medium/Long-Term Impacts
• Thesis: The Log4j vulnerabilities will further accelerate some previously-emerging trends in vendor security management
  • SBOMs
  • Upgrade or remove
  • Questionnaires
• See this blog post for more info:
  • https://www.coalfire.com/the-coalfire-blog/the-long-term-impact-of-log4j
9. SBOMs – Literally the Least We Can Do
• SBOM = Software Bill of Materials
  • What is included with this software I am deploying?
• Being able to articulate what is in software you have people deploy is
  • Literally
  • The
  • Least
  • We
  • Can
  • Do
10. SBOMs – Literally the Least We Can Do
• We have seen this from sophisticated shops for a couple years
  • Usually a list of open-source components and versions in an Excel sheet
• Easy to generate – IF you are running an SCA tool or other utilities
• Biden Executive Order on Improving the Nation’s Cybersecurity also mentions SBOMs
  • https://www.whitehouse.gov/briefing-room/presidential-actions/2021/05/12/executive-order-on-improving-the-nations-cybersecurity/
11. SBOMs – Literally the Least We Can Do
• Van Halen Concert Rider: No Brown M&Ms
  • https://www.entrepreneur.com/article/232420
• Why?
  • When you’re a rock star you can do crazy stuff? Maybe, but…
  • If nobody read the contract rider close enough to know to remove brown M&Ms, what else did they forget/ignore?
• So what about vendors who can’t/won’t produce SBOMs?
  • What else is all %$&^’d up?
12. SBOMs for Software Producers
• Expect increasing requests for SBOMs
• Expect increasing scrutiny on the contents of SBOMs
• Augment your tooling and development practices accordingly
13. SBOMs for Software Consumers
• Start asking for SBOMs
• You got a bunch of SBOMs – now what?
  • Need to deploy tooling to manage them and monitor their status
  • Need to develop practices in place to deal with alerts
14. OWASP: Here to Help
• CycloneDX https://cyclonedx.org/
  • Standardized data format for SBOMs seeing great adoption
• OWASP Dependency-Track https://owasp.org/www-project-dependency-track/
  • Platform for managing SBOMs across your application portfolio
15. No Risk Assessments – Upgrade or Remove
• SCA tools have traditionally only flagged the presence of vulnerable versions of components
  • Flags a lot of non-issues, can be very disruptive
• SCA tools augmented to characterize the usage of vulnerable components
  • Great because this helps to better prioritize upgrades
• Expect software consumers to not care
  • “Get to a known non-vulnerable version or remove the component”
16. “No Risk Assessments” for Software Producers
• Prepare to come armed with better data on exploitability
  • “Trust us” will be a less compelling argument
• Evaluate how you handle technical debt from open-source components
  • Incredible opportunities for automation
  • Some SCA vendors are providing automated “patches”
  • Your CI/CD pipeline should be able to validate builds
  • Fix stuff in the background until something breaks – only focus on the hard stuff
17. “No Risk Assessments” for Software Consumers
• Be realistic, consistent, and clear about what you require
  • (But if everyone is a jerk then the industry will advance faster)
18. OWASP: Here to Help
• Using Vulnerability Exploitability eXchange (VEX) with CycloneDX
  • https://cyclonedx.org/capabilities/vex/
  • Purpose of VEX: Do the included vulnerable components actually expose the software to exploitation?
  • More info on VEX https://blog.adolus.com/what-is-vex-and-what-does-it-have-to-do-with-sboms
• Good luck!
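As an added example (not code from the talk, CycloneDX or Dependency-Track), the following Python check ties the SBOM slides and the VEX slide together: it reads a constructed CycloneDX JSON SBOM with one embedded VEX analysis, applies a hypothetical consumer version floor per component (the "upgrade or remove" stance of slide 15), and reports the producer's VEX state beside each verdict. Component names, versions, the CVE id and the POLICY dict are all made-up placeholders.

```python
import json
# Constructed CycloneDX 1.4 JSON SBOM with one embedded VEX entry (sample data,
# not any real product's SBOM; vulnerability id and versions are placeholders).
SAMPLE_BOM = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.4",
    "components": [
        {"type": "library", "group": "org.example", "name": "logging-core",
         "version": "2.1.0", "bom-ref": "pkg:maven/org.example/logging-core@2.1.0"},
        {"type": "library", "group": "org.example", "name": "json-util",
         "version": "1.9.2", "bom-ref": "pkg:maven/org.example/json-util@1.9.2"},
        {"type": "library", "group": "org.example", "name": "http-client",
         "version": "3.0.0", "bom-ref": "pkg:maven/org.example/http-client@3.0.0"},
    ],
    # VEX: the producer asserts the flagged issue in json-util is not reachable.
    "vulnerabilities": [
        {"id": "CVE-XXXX-PLACEHOLDER",
         "analysis": {"state": "not_affected", "justification": "code_not_reachable"},
         "affects": [{"ref": "pkg:maven/org.example/json-util@1.9.2"}]},
    ],
})

# Hypothetical consumer policy: (group, name) -> first "known non-vulnerable" version.
POLICY = {("org.example", "logging-core"): "2.2.0", ("org.example", "json-util"): "2.0.0"}

def _ver(s):
    """Dotted version string -> comparable tuple; non-numeric segments sort lowest."""
    out = []
    for seg in s.split("."):
        digits = "".join(ch for ch in seg if ch.isdigit())
        out.append(int(digits) if digits else -1)
    return tuple(out)

def evaluate(bom_json, policy):
    """Map each component bom-ref to (action, vex_state): 'upgrade' if the version is
    below the policy floor else 'ok', paired with the producer's CycloneDX
    analysis.state for that component (None if no VEX entry names it)."""
    bom = json.loads(bom_json)
    vex = {}  # bom-ref -> analysis state, collected from the embedded VEX entries
    for vuln in bom.get("vulnerabilities", []):
        state = vuln.get("analysis", {}).get("state", "in_triage")
        for hit in vuln.get("affects", []):
            vex[hit["ref"]] = state
    verdicts = {}
    for comp in bom.get("components", []):
        ref = comp["bom-ref"]
        floor = policy.get((comp.get("group"), comp["name"]))
        below = floor is not None and _ver(comp["version"]) < _ver(floor)
        verdicts[ref] = ("upgrade" if below else "ok", vex.get(ref))  # floor decides; VEX informs priority
    return verdicts
```

Note that json-util is still flagged "upgrade" despite the producer's not_affected claim, which is exactly the consumer stance the slides predict; the VEX state is carried along so producers can use it to prioritize rather than to skip the upgrade.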
20. MOAR Bigger Questionnaires!
• Vendor security management has been a thing for some time
  • With questionnaires being the primary tool of the trade
• Questionnaires used for vendor security management are going to get ROUGH
  • Greater scope – more topic areas including application security practices
  • Greater depth – more invasive and specific questions
21. Questionnaires for Software Producers
• Build a library of answers that can be reused and repurposed
• Have a regular cadence of updating and maintaining
• Remember: “Business lying is fraud”
22. Questionnaires for Software Consumers
• Rely on standardization wherever possible
  • Your organization is not a special snowflake
  • Makes the process more efficient all-around
• Be clear on your criteria and decision-making process
  • What is required and what is nice-to-do for different types of software?
  • If everything is “most important” then nothing is important and you will get data that is not helpful in evaluating risk
23. OWASP: Here to Help
• OWASP SAMM – Software Assurance Maturity Model
  • https://owasp.org/www-project-samm/
  • How mature are application security practices for a product team?
• OWASP ASVS – Application Security Verification Standard
  • https://owasp.org/www-project-application-security-verification-standard/
  • What level of security inspection has been performed on a release of a software application and what vulnerabilities were identified?
24. Other Resources: Software Supply Chain
• BlackHat CISO Forum 2021
  • Threat Modeling the CI/CD Pipeline to Improve Software Supply Chain Security
  • Conference slides https://www.slideshare.net/denimgroup/threat-modeling-the-cicd-pipeline-to-improve-software-supply-chain-security-blackhat-ciso-summit-2021
  • “Raw” slides: https://www.slideshare.net/denimgroup/threat-modeling-the-cicd-pipeline-to-improve-software-supply-chain-security-raw-slides
• RSA Security
  • Coming up in June
  • Specific agenda TBD https://www.rsaconference.com/experts/Dan%20Cornell