Managing Security in External Software Dependencies
Transcript of Managing Security in External Software Dependencies
Page 1
Managing Security in External Software Dependencies
By Tharindu Edirisinghe
http://www.meetup.com/wso2srilanka/events/233915649/
tharindue.blogspot.com @thariyarox https://lk.linkedin.com/in/ediri [email protected]
Page 2
What is a 3rd Party Library?
A reusable software component developed to be either freely distributed or sold by an entity other than the original vendor of the development platform. The third-party software component market thrives because many programmers believe that component-oriented development improves the efficiency and the quality of developing custom applications. Common third-party software includes macros, bots, and software/scripts to be run as add-ons for popular developing software.
Source: https://en.wikipedia.org/wiki/Third-party_software_component
Page 3
Using 3rd Party Components in Software Development
C# project dependencies in Microsoft Visual Studio
Java project dependencies in IntelliJ Idea
Page 4
Direct 3rd Party Dependencies
The external software components (developed by some other organization/s) that your project depends on.
Page 5
Direct 3rd Party Dependencies with Known Vulnerabilities
The external software components (developed by some other organization/s) with known vulnerabilities that your project depends on.
Page 6
Transitive 3rd Party Dependencies
The software components that your external dependencies depend on.
Page 7
Transitive 3rd Party Dependencies with Known Vulnerabilities
The software components with known vulnerabilities that your external dependencies depend on.
Page 8
Common Vulnerabilities and Exposures (CVE)
What is CVE? CVE is a list of information security vulnerabilities and exposures that aims to provide common names for publicly known cyber security issues. The goal of CVE is to make it easier to share data across separate vulnerability capabilities (tools, repositories, and services) with this "common enumeration."
Who owns CVE? CVE is sponsored by US-CERT (United States Computer Emergency Readiness Team) in the office of Cybersecurity and Communications at the U.S. Department of Homeland Security.
Source: https://cve.mitre.org/about/faqs.html
Page 9
CVE Example
ID: CVE-2015-5262
Overview: http/conn/ssl/SSLConnectionSocketFactory.java in Apache HttpComponents HttpClient before 4.3.6 ignores the http.socket.timeout configuration setting during an SSL handshake, which allows remote attackers to cause a denial of service (HTTPS call hang) via unspecified vectors.
Severity: Medium
CVSS Score: 4.3
Source: https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-5262
Page 10
Common Vulnerability Scoring System (CVSS)
CVSS provides a way to capture the principal characteristics of a vulnerability, and produce a numerical score reflecting its severity, as well as a textual representation of that score. The numerical score can then be translated into a qualitative representation (such as low, medium, high, and critical) to help organizations properly assess and prioritize their vulnerability management processes.
Source : https://www.first.org/cvss/specification-document
Page 11
National Vulnerability Database (NVD)
NVD is the U.S. government repository of standards based vulnerability management data represented using the Security Content Automation Protocol (SCAP). This data enables automation of vulnerability management, security measurement, and compliance. NVD includes databases of security checklists, security related software flaws, misconfigurations, product names, and impact metrics.
Source : https://nvd.nist.gov/
Page 12
Using 3rd Party Dependencies Securely - The Big Picture
(Diagram: In-house Development -> 3rd Party Dependencies -> NVD)
All the 3rd party dependencies (including 3rd party transitive dependencies) should be checked in NVD for identifying vulnerabilities.
Example findings: CVE-2015-5262, CVE-2014-3577, CVE-2012-6153
Page 13
Veracode : Software Composition Analysis (SCA)
Source : https://www.veracode.com/products/software-composition-analysis
Page 15
OWASP Dependency Check
Dependency-Check is a utility that identifies project dependencies and checks if there are any known, publicly disclosed, vulnerabilities. Currently Java, .NET, Ruby, Node.js, and Python projects are supported; additionally, limited support for C/C++ projects is available for projects using CMake or autoconf. This tool can be part of a solution to the OWASP Top 10 2013 A9 - Using Components with Known Vulnerabilities.
Source: https://www.owasp.org/index.php/OWASP_Dependency_Check
Page 16
OWASP Dependency Check - Useful Resources
Official Website: https://www.owasp.org/index.php/OWASP_Dependency_Check
Vulnerability Detection: http://dontpanic.42.nl/2014/06/checking-framework-vulnerabilities.html
Command Line Tool (CLI): https://jeremylong.github.io/DependencyCheck/dependency-check-cli/index.html and http://tharindue.blogspot.com/2016/10/owasp-dependency-check-cli-analyzing.html
Suppressing False Positives: https://jeremylong.github.io/DependencyCheck/general/suppression.html
Continuous Vulnerability Detection with Jenkins Integration: https://medium.com/@PrakhashS/checking-vulnerabilities-in-3rd-party-dependencies-using-owasp-dependency-check-plugin-in-jenkins-bedfe8de6ba8#.cvgwcptjm
Page 17
OWASP Dependency Check - Demo
- Using Maven plugin for Java based projects
- Using Command Line (CLI) tool for identifying vulnerable dependencies
- Analyzing generated reports
- Suppressing vulnerabilities for avoiding false positives
- Dependency Check integration with Jenkins
More Info: http://tharindue.blogspot.com/2016/10/owasp-dependency-check-cli-analyzing.html
Page 18
Continuous Vulnerability Management in a Corporate Environment
(Workflow diagram with the following stages and parties)
Request for using 3rd Party Dependency
Engineering
Engineering Management
NVD
Vulnerability Analysis Report
Approval
Development Team
QA Team
Builder Process
Vulnerability Analysis Report
Page 19
Getting Rid of Vulnerable Dependencies
(Diagram: In-house Development -> 3rd Party Dependencies -> NVD)
- Upgrade direct 3rd party dependencies to a higher version
- For transitive dependencies, check if the directly dependent component has a higher version that depends on a safer version of the transitive dependency.
- Contact the developers of the component and get the issue fixed.
Example findings: CVE-2015-5262, CVE-2014-3577, CVE-2012-6153
Page 20
Summary
- Identify the external dependencies of your projects
- Identify the vulnerabilities in the dependency software components.
- Analyze the impact
- Remove false positives
- Prioritize the vulnerabilities based on the severity
- Get rid of vulnerabilities (upgrade versions, use alternatives)
- Provide patches to your products
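The check described on the big-picture slide (page 12), the remediation rules on page 19 and the prioritisation steps in the summary, as an added Python example that is not part of the talk or of OWASP Dependency Check: it flattens direct and transitive dependencies, matches them against a local advisory list standing in for the NVD feed, skips suppressed false positives, and ranks findings by CVSS with a fix hint that differs for direct and transitive hits. The dependency tree, the com.example coordinates and CVE-EXAMPLE-0001 are constructed; only the CVE-2015-5262 figures come from the slides.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Advisory:
    cve: str
    artifact: str   # "group:artifact", as in a Maven coordinate
    fixed_in: str   # first version that is no longer affected
    cvss: float
# Constructed stand-in for an NVD feed. CVE-2015-5262 carries the figures given on
# the slide (HttpClient before 4.3.6, CVSS 4.3); CVE-EXAMPLE-0001 is a placeholder id.
ADVISORIES = [
    Advisory("CVE-2015-5262", "org.apache.httpcomponents:httpclient", "4.3.6", 4.3),
    Advisory("CVE-EXAMPLE-0001", "com.example:transitive-lib", "2.0.0", 7.5),
]
# Constructed tree {"group:artifact:version": {children}}; nested entries are transitive.
PROJECT = {
    "org.apache.httpcomponents:httpclient:4.3.5": {},
    "com.example:web-framework:1.2.0": {"com.example:transitive-lib:1.9.0": {}},
    "com.example:safe-lib:3.0.0": {},
}

def version_key(v):  # assumes dotted numeric versions such as 4.3.6
    return tuple(int(p) for p in v.split("."))

def severity(cvss):  # qualitative rating using the CVSS v3 bands
    return ("Critical" if cvss >= 9.0 else "High" if cvss >= 7.0
            else "Medium" if cvss >= 4.0 else "Low")

def flatten(tree, path=()):
    """Yield (coordinate, chain of parents) for every direct and transitive dependency."""
    for coord, children in tree.items():
        yield coord, path
        yield from flatten(children, path + (coord,))

def find_vulnerable(tree, advisories, suppressed=frozenset()):
    """Findings sorted by CVSS, skipping (cve, coordinate) pairs suppressed as false positives."""
    findings = []
    for coord, path in flatten(tree):
        group, artifact, version = coord.split(":")
        for adv in advisories:
            if (adv.artifact != f"{group}:{artifact}" or (adv.cve, coord) in suppressed
                    or version_key(version) >= version_key(adv.fixed_in)):
                continue
            # A direct dependency is upgraded in place; a transitive one is fixed by
            # upgrading the direct dependency that pulls it in (slide 19).
            fix = (f"upgrade to {adv.fixed_in}" if not path
                   else f"upgrade {path[0]} to a release that pulls in {adv.fixed_in}+")
            findings.append({"cve": adv.cve, "coordinate": coord, "cvss": adv.cvss,
                             "severity": severity(adv.cvss), "transitive": bool(path), "fix": fix})
    return sorted(findings, key=lambda f: f["cvss"], reverse=True)
```

Run `find_vulnerable(PROJECT, ADVISORIES)` to get both findings, highest CVSS first; pass a set of `(cve, coordinate)` pairs as `suppressed` to drop a confirmed false positive the way a Dependency Check suppression file would.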