OWASP Dependency-Track
Uploaded by steve-springett
Transcript of OWASP Dependency-Track
Introduction
20 years software development experience
5 years information security experience
Principal Application Security Engineer
Provide direction, best practices & education
Project leader of OWASP Dependency-Track
Contributor to OWASP Dependency-Check
about.me/stevespringett
History of the Problem
88% of code in today’s applications comes from libraries and frameworks
113 million downloads analyzed for the 31 most popular Java libraries and frameworks
26% had known vulnerabilities (29 million)
Most vulnerabilities are undiscovered
Jeff Williams & Arshan Dabirsiaghi, "The Unfortunate Reality of Insecure Libraries", Aspect Security (March 2012)
History of the Problem
88% of code in today’s applications comes from libraries and frameworks
113 million downloads analyzed for the 31 most popular Java libraries and frameworks
26% had known vulnerabilities (29 million)
Most vulnerabilities are undiscovered
Jeff Williams & Arshan Dabirsiaghi, "The Unfortunate Reality of Insecure Libraries", Contrast Security (July 2014)
OWASP Top Ten 2013
A9 – Using Components With Known Vulnerabilities
Prevalence: Widespread
Detectability: Difficult
Why Should You Care?
Vulnerabilities in third party components may include:
Cross-Site Scripting
Denial of Service
Injection (Command, SQL, XML)
Insecure cryptographic function
Execution of arbitrary code
Unauthorized reading and writing of files
…
What is OWASP Dependency-Check
Open Source – Licensed under Apache 2.0 license
Identify component using evidence-based analysis
Component name, vendor, version, etc.
Determines if evidence matches CVEs in National Vulnerability Database
Output report in HTML and XML format
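To make the "evidence-based analysis" concrete, here is an added Python model of the idea (it is illustrative code written for this transcript, not Dependency-Check's own code or API). It gathers vendor, product and version evidence for one JAR from its filename, manifest and pom fields with a constructed confidence scale, picks the most trustworthy value per field, and then checks the evidence against a constructed stand-in for NVD CPE match data. The artifact, the NVD entries and the CVE ids are all made up placeholders; the version-range logic and the fuzzy vendor/product comparison are assumptions about how such matching works, not the tool's exact rules.

```python
import re
from dataclasses import dataclass

# Constructed sample artifact: a JAR's filename plus the fields that a scanner
# would read from its MANIFEST.MF and embedded pom.properties. All values are made up.
SAMPLE_ARTIFACT = {
    "filename": "commons-example-1.4.2.jar",
    "manifest": {
        "Implementation-Vendor": "Example Foundation",
        "Implementation-Title": "Commons Example",
        "Implementation-Version": "1.4.2",
    },
    "pom": {"groupId": "org.example.commons", "artifactId": "commons-example", "version": "1.4.2"},
}

# Constructed stand-in for NVD CPE match data: vendor, product, affected version range
# [start, end) and the CVE id. The CVE ids are placeholders, not real identifiers.
SAMPLE_NVD = [
    ("example", "commons-example", "1.0.0", "1.5.0", "CVE-0000-0001"),
    ("example", "commons-example", "2.0.0", "2.0.3", "CVE-0000-0002"),
    ("other", "commons-example", "1.0.0", "9.9.9", "CVE-0000-0003"),
]


@dataclass(frozen=True)
class Evidence:
    field: str        # "vendor", "product" or "version"
    value: str
    confidence: int   # 3 = high, 1 = low (a constructed scale)
    source: str       # where the value was found


def collect_evidence(artifact):
    """Gather vendor/product/version evidence from the filename, manifest and pom."""
    ev = []
    m = re.match(r"(.+?)-(\d+(?:\.\d+)*)\.jar$", artifact["filename"])
    if m:  # filename is weak evidence: trivially renamed
        ev.append(Evidence("product", m.group(1), 1, "filename"))
        ev.append(Evidence("version", m.group(2), 1, "filename"))
    mf = artifact.get("manifest", {})
    for key, field in (("Implementation-Vendor", "vendor"),
                       ("Implementation-Title", "product"),
                       ("Implementation-Version", "version")):
        if key in mf:
            ev.append(Evidence(field, mf[key], 2, "manifest"))
    pom = artifact.get("pom", {})
    for key, field in (("groupId", "vendor"), ("artifactId", "product"), ("version", "version")):
        if key in pom:  # Maven coordinates are treated as the most reliable evidence here
            ev.append(Evidence(field, pom[key], 3, "pom"))
    return ev


def tokens(value):
    """Lower-case alphanumeric tokens: 'org.example.commons' -> {'org', 'example', 'commons'}."""
    return {t for t in re.split(r"[^a-z0-9]+", value.lower()) if t}


def slug(value):
    """Canonical product form for comparison: 'Commons Example' -> 'commons-example'."""
    return "-".join(t for t in re.split(r"[^a-z0-9]+", value.lower()) if t)


def version_key(v):
    """Numeric tuple for range comparison: '1.4.2' -> (1, 4, 2)."""
    return tuple(int(p) for p in re.findall(r"\d+", v))


def identify(evidence):
    """Highest-confidence value per field: what a report would list as the component."""
    best = {}
    for e in evidence:
        if e.field not in best or e.confidence > best[e.field].confidence:
            best[e.field] = e
    return {f: e.value for f, e in best.items()}


def find_vulnerabilities(evidence, nvd):
    """Return (cve, version) pairs where vendor, product and version evidence all match an entry."""
    vendors = set().union(*(tokens(e.value) for e in evidence if e.field == "vendor"))
    products = {slug(e.value) for e in evidence if e.field == "product"}
    versions = {e.value for e in evidence if e.field == "version"}
    hits = []
    for vendor, product, start, end, cve in nvd:
        if vendor not in vendors or slug(product) not in products:
            continue  # vendor or product evidence does not support this entry
        for v in versions:
            if version_key(start) <= version_key(v) < version_key(end):
                hits.append((cve, v))
                break
    return hits


if __name__ == "__main__":
    ev = collect_evidence(SAMPLE_ARTIFACT)
    print("identified as:", identify(ev))
    print("matches:", find_vulnerabilities(ev, SAMPLE_NVD))
```

The point of requiring vendor, product and version evidence to agree is visible in the third NVD entry: the product and version range match, but no vendor evidence supports it, so it is not reported. An artifact that yields no version evidence at all likewise produces no match, which is why identification quality, not just the feed, decides what a scan can find.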
Dependency-Check Availability
https://www.owasp.org/index.php/OWASP_Dependency_Check
Dependency-Check Use Cases
Continuous Security Environment
Execution of the Ant, Maven or Jenkins plugin during Continuous Integration, with automatic visibility of newly discovered vulnerabilities
Application Security Assessment and Audit
Execution of the command line interface against an installed application, for the purpose of reconnaissance during a security assessment or audit
What is OWASP Dependency-Track
Open Source – Licensed under GNU GPLv3
Track third-party components across multiple applications and versions
It’s an asset management application for components
Integrates Dependency-Check core engine
Uses asset database as sole source of evidence
Access to files or build system not required
Dependency-Track Features
Tracks applications and their versions
Document component vendors, versions, and licenses
Document components used by applications
Provides cross-reference capabilities
Incorporates OWASP Dependency-Check
Tracks vulnerabilities in applications over time
Dynamically generates native Dependency-Check reports
Mirrors NVD data feed for faster access on Intranets
Active Directory integration
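The asset-management idea behind Dependency-Track (an inventory of applications, their versions and the components each one ships, queried without access to files or build systems) is easier to see with a small model. The following Python is an added example written for this transcript, not Dependency-Track's own data model or API: the inventory, the vulnerability findings and the CVE ids are constructed placeholders, and the findings are assumed to come from an engine pass such as the one Dependency-Check performs. It shows the two operations the feature list calls out: cross-referencing which application versions contain a component, and diffing successive finding snapshots to surface newly discovered vulnerabilities over time.

```python
# Constructed asset inventory: application -> application version -> components shipped,
# each component as (vendor, product, component version). Names are made up.
INVENTORY = {
    "Billing Portal": {
        "3.1": [("example", "commons-example", "1.4.2"), ("example", "jsonlib", "2.3.0")],
        "3.2": [("example", "commons-example", "1.5.1"), ("example", "jsonlib", "2.3.0")],
    },
    "Device Firmware": {
        "r17": [("example", "commons-example", "1.2.0")],
    },
}

# Constructed finding snapshots, as if produced by an engine pass after two successive
# NVD mirror syncs: component -> set of CVE ids (placeholders, not real identifiers).
FINDINGS_MAY = {
    ("example", "commons-example", "1.4.2"): {"CVE-0000-0001"},
    ("example", "commons-example", "1.2.0"): {"CVE-0000-0001"},
}
FINDINGS_JUNE = {
    ("example", "commons-example", "1.4.2"): {"CVE-0000-0001"},
    ("example", "commons-example", "1.2.0"): {"CVE-0000-0001"},
    ("example", "jsonlib", "2.3.0"): {"CVE-0000-0004"},
}


def applications_using(inventory, vendor, product, version=None):
    """Cross-reference: every (application, version) that ships the given component.
    With version=None, any version of the component counts."""
    hits = set()
    for app, app_versions in inventory.items():
        for app_ver, components in app_versions.items():
            for c_vendor, c_product, c_ver in components:
                if (c_vendor, c_product) == (vendor, product) and (version is None or c_ver == version):
                    hits.add((app, app_ver))
    return sorted(hits)


def affected_applications(inventory, findings):
    """Map each CVE to the sorted list of application versions containing a vulnerable component."""
    result = {}
    for component, cves in findings.items():
        for cve in cves:
            for hit in applications_using(inventory, *component):
                result.setdefault(cve, set()).add(hit)
    return {cve: sorted(apps) for cve, apps in result.items()}


def newly_discovered(previous, current):
    """Diff two finding snapshots: (component, cve) pairs present now but absent before.
    This is what an alert on 'newly discovered vulnerabilities' would be driven by."""
    new = []
    for component, cves in current.items():
        for cve in sorted(cves - previous.get(component, set())):
            new.append((component, cve))
    return sorted(new)


if __name__ == "__main__":
    print("uses commons-example:", applications_using(INVENTORY, "example", "commons-example"))
    print("affected by CVE:", affected_applications(INVENTORY, FINDINGS_JUNE))
    print("new since last sync:", newly_discovered(FINDINGS_MAY, FINDINGS_JUNE))
```

Because the inventory rather than the file system is the source of truth, the "Device Firmware" entry is answered the same way as a web application: the question "which shipped things contain this component" needs only the recorded components, which is the property the slides rely on for embedded devices and for vendors who cannot reach a customer's build system.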
Dependency-Track Availability
https://www.owasp.org/index.php/OWASP_Dependency_Track_Project
Packaged as Java Web Archive (WAR)
Runs on any modern Servlet 3.0 container (Tomcat 7+, Jetty 8+, etc.)
Requires Java 7 or higher
Dependency-Track Use Cases
Independent Software Vendors
Track component vulnerabilities in product portfolio
Proactively mitigate applications using vulnerable components
Increase technical support’s effectiveness in security escalations
Custom Software Vendors
Track custom applications and third party components for every customer
Provide mitigation plan for affected customers
Decreased risk to customer
Increase customer satisfaction and billable hours
Dependency-Track Use Cases
Hardware Vendors (home router, IP camera, IoT device, etc.)
Document software used in all embedded device hardware revisions
Mitigate vulnerabilities as they arise
Notify consumers of updated firmware
Enterprise Consumers
Document applications and their dependencies used in the enterprise
Monitor Dependency-Track for newly discovered vulnerabilities
Consult application vendors (internal or external) that are affected
Software Roadmap
1.0 – First general availability release
2.0
Spartan browser support
Auto-population of database (i.e. from Dependency-Check)
Track end-of-life / end-of-support dates per component
Publish per-application results to ThreadFix
Enhancements to user interface
Configurable alerting system
Refactor to use more modern frameworks and web technologies
Project Roadmap
Promote use of OWASP Dependency-Track
Promote use of OWASP Dependency-Check as a coherent ecosystem
Expand community involvement
Localization into other languages
UI/UX gurus
Automation of import data via APIs