Open Source Security – A vendor's perspective
Uploaded by matthew-wilkes
Open Source Security – a vendor's perspective
Matthew Wilkes
Who am I
- Zope/Plone since 2004
- Plone security team leader
- Former FWT member
- 2013 board member
- sprints, conferences, etc
- Python security at The Code Distillery
Concepts
Vulnerability
- Security team confirms
- Find the original cause
- Find variants of the same bug
Severity
- Is this bug an emergency?
- Who knows how to exploit it so far?
- What damage can an attacker cause?
Workaround
- Develop a hotfix
- Test on supported versions
- Release hotfix
Fix
- Apply changes from the hotfix to core
- Create new releases for packages
Workflow
Workflow
1. Receive notification
2. Add to issue tracker and reply
3. Confirm bug exists
4. Find related problems
5. Request CVE
6. Write hotfix
Workflow
7. Test on supported versions
8. Release hotfix
9. Provide notes to oss-security
10. Receive allocated CVE
11. Update plone.org with CVE ids
12. Vulnerability shows on NVD
on CVEs
The MITRE Corporation
CVE
“CVE's common identifiers enable data exchange between security products and provide a baseline index point for evaluating coverage of tools and services.”
Steve Christey, MITRE
CVE
‘In reality, all of the large vulnerability databases may have missed published vulnerabilities in the product …. We routinely see this.’
National Vulnerability Database
CVE
‘Summary for CVE-2011-0720: Unspecified vulnerability in Plone 2.5 through 4.0, allows remote attackers to obtain administrative access.’
Not all equal
- Can MERGE under certain circumstances
- Have to fight for more
- Many vulns never have one assigned
Why use CVE?
- We're expected to
- Lets us influence what people say about us
- You can google the number
CVSSv2
What is CVSSv2?
- A systematic way of assigning severity
- Three sections: Base, Temporal, Environmental
- Our job to provide Base scores
- Users can apply the Temporal and Environmental scores
Comparing CVSSv2s
- Sometimes vendors release temporal scores, not base
- Very few vendors publish the vectors
- Vendors often disagree with researchers
- Not all options always apply
CVSSv2 for companies
- Temporal scores let us scale scores over the lifecycle of the bug
- Environmental scores let you weight scores according to your business goals
Why use CVSSv2?
- Lets us influence what people say about us
- Easier to form policies about what things are urgent
- We can make stats!
CWE
What is CWE?
- OWASP Top-10 2010: A5 Cross-Site Request Forgery
- SANS Top-25 2013: Rank #12
- OWASP Top-10 2013: A8 Cross-Site Request Forgery
- CWE-352: Cross-Site Request Forgery (CSRF)
Problems with CWE
- 940 CWEs currently listed
- Very granular
Granularity
- CWE-759: Use of a One-Way Hash without a Salt
- CWE-916: Use of Password Hash With Insufficient Computational Effort
Why use CWE?
- Lets us influence what people say about us
- We can make stats
Databases
Databases
- Manually maintained
- Pull public information and tabulate
- Some companies have write access
- Almost all vendors do not
Latest Plone update
- NVD: November 2011
- OSVDB: June 2010
- CVE Details: November 2011
Statistics
CVE-2013-4196
No gain information?
‘Multiple information exposure flaws were found in the way object manager implementation of Plone, a user friendly and powerful content management system, protected access to its internal methods.’
CVE-2012-5505
No gain information?
‘On some content types an anonymous view lookup returns a private data structure, which under certain circumstances may be used to read out confidential data.’
Fix it!
Kurt Seifried, RedHat
Collaborative databases?
‘Sadly it probably won't work, most projects barely care about security, even fewer care about doing advisories correctly.’
Open Source Vulnerability Database
Collaborative databases?
‘Use of the OSVDB, and/or API in a commercial atmosphere requires a license from OSF or a commercial partner of our designation. Failure to obtain a license for such use will result in account termination and legal action as necessary.’
Kurt Seifried, RedHat
SPOF
‘Remember this is supposed to be basically a small side part of my job at Red Hat and I sometimes get slammed and grumpy =)’
Recommendations
1. A wiki type vulnerability database
2. Freely available vulnerability ids
3. Direct editing access for vendors
4. Open data
Recommendations
1. Extend CVSSv2 for webapps
2. Allow the public to tag CWE
3. Decouple vulnerability instances and causes
Questions?