Secure Software Development with 3rd Party Dependencies
-
Upload
thariyarox -
Category
Software
-
view
286 -
download
3
Transcript of Secure Software Development with 3rd Party Dependencies
Secure Software Development with 3rd Party Dependencies
Tharindu Edirisinghe, WSO2
Colombo Security Meetup - 15th June 2016http://www.meetup.com/colombo-security-meetup/events/231681389/
tharindue.blogspot.com
@thariyarox
https://lk.linkedin.com/in/ediri
What is a 3rd Party Library ?
A reusable software component developed to be either freely distributed or sold by an entity other than the original vendor of the development platform.
The third-party software component market thrives because many programmers believe that component-oriented development improves the efficiency and the quality of developing custom applications. Common third-party software includes macros, bots, and software/scripts to be run as add-ons for popular developing software.
Source : https://en.wikipedia.org/wiki/Third-party_software_component
Using 3rd Party Components in Software Development
C# project dependencies in Microsoft Visual Studio
Java project dependencies in IntelliJ Idea
Direct 3rd Party Dependencies
The external software components (developed by some other organization/s) that your project depends on.
Direct 3rd Party Dependencies with Known Vulnerabilities
The external software components (developed by some other organization/s) with known vulnerabilities that your project depends on.
Transitive 3rd Party Dependencies
The software components that your external dependencies depend on.
Transitive 3rd Party Dependencies with Known Vulnerabilities
The software components with known vulnerabilities that your external dependencies depend on.
Common Vulnerabilities and Exposures (CVE)
What is CVE ?
CVE is a list of information security vulnerabilities and exposures that aims to provide common names for publicly known cyber security issues. The goal of CVE is to make it easier to share data across separate vulnerability capabilities (tools, repositories, and services) with this "common enumeration."
Who owns CVE ?
CVE is sponsored by US-CERT (United States Computer Emergency Readiness Team) the office of Cybersecurity and Communications at the U.S. Department of Homeland Security.
Source : https://cve.mitre.org/about/faqs.html
CVE Example
ID : CVE-2015-5262
Overview :
http/conn/ssl/SSLConnectionSocketFactory.java in Apache HttpComponents HttpClient before 4.3.6 ignores the http.socket.timeout configuration setting during an SSL handshake, which allows remote attackers to cause a denial of service (HTTPS call hang) via unspecified vectors.
Severity: Medium
CVSS Score: 4.3
Source : https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-5262
Common Vulnerability Scoring System (CVSS)
CVSS provides a way to capture the principal characteristics of a vulnerability, and produce a numerical score reflecting its severity, as well as a textual representation of that score. The numerical score can then be translated into a qualitative representation (such as low, medium, high, and critical) to help organizations properly assess and prioritize their vulnerability management processes.
Source : https://www.first.org/cvss/specification-document
National Vulnerability Database (NVD)
NVD is the U.S. government repository of standards based vulnerability management data represented using the Security Content Automation Protocol (SCAP). This data enables automation of vulnerability management, security measurement, and compliance. NVD includes databases of security checklists, security related software flaws, misconfigurations, product names, and impact metrics.
Source : https://nvd.nist.gov/
Using 3rd Party Dependencies Securely - The Big Picture
NVD
3rd Party Dependencies
In-house Development
All the 3rd party dependencies (including 3rd party transitive dependencies) should be checked in NVD for identifying vulnerabilities.
CVE-2015-5262CVE-2014-3577CVE-2012-6153
Veracode : Software Composition Analysis (SCA)
Source : https://www.veracode.com/products/software-composition-analysis
OWASP Dependency Check
Dependency-Check is a utility that identifies project dependencies and checks if there are any known, publicly disclosed, vulnerabilities. Currently Java, .NET, Ruby, Node.js, and Python projects are supported; additionally, limited support for C/C++ projects is available for projects using CMake or autoconf. This tool can be part of a solution to the OWASP Top 10 2013 A9 - Using Components with Known Vulnerabilities.
Source : https://www.owasp.org/index.php/OWASP_Dependency_Check
OWASP Dependency Check - Useful Resources
Official Website
https://www.owasp.org/index.php/OWASP_Dependency_Check
Vulnerability Detection
http://dontpanic.42.nl/2014/06/checking-framework-vulnerabilities.html
Command Line Tool (CLI)
https://jeremylong.github.io/DependencyCheck/dependency-check-cli/index.html
Suppressing False Positives
https://jeremylong.github.io/DependencyCheck/general/suppression.html
Continuous Vulnerability Detection with Jenkins Integration
https://medium.com/@PrakhashS/checking-vulnerabilities-in-3rd-party-dependencies-using-owasp-dependency-check-plugin-in-jenkins-bedfe8de6ba8#.cvgwcptjm
OWASP Dependency Check - Demo
- Using Maven plugin for Java based projects
- Using Command Line (CLI) tool for identifying vulnerable dependencies
- Analyzing generated reports
- Suppressing vulnerabilities for avoiding false positives
- Dependency Check integration with Jenkins
Continuous Vulnerability Management in a Corporate Environment
Request for using 3rd Party Dependency
Engineering
Engineering Management
NVD
Vulnerability Analysis Report
Approval
Development Team QA TeamBuilder Process
Vulnerability Analysis Report
Getting Rid of Vulnerable Dependencies
NVD
3rd Party Dependencies
In-house Development
- Upgrade direct 3rd party dependencies to a higher version
- For transitive dependencies, check if the directly dependent component has a higher version that depends on a safer
version of the transitive dependency.
- Contact the developers of the component and get the issue fixed.
CVE-2015-5262CVE-2014-3577CVE-2012-6153
Security in Software Development Life Cycle (SDLC)
Source : https://www.checkmarx.com/glossary/a-secure-sdlc-with-static-source-code-analysis-tools/
Challenges : Handling False Positives
Even though the vulnerability analysis tools report that there are vulnerabilities in a 3rd party dependency, there can be cases where those are not applicable to your product because of the way you have used that software component.
Image Source : http://www.123rf.com/photo_30641222_doctor-is-checking-a-fat-man-shoot-in-the-hospital.html
Challenges : Handling False Negatives
Even though the vulnerability analysis tools reports that your external dependencies are safe to use, still there can be unknown vulnerabilities.
Image Source : http://www.whattoexpect.com/pregnancy/pregnancy-health/monthly-doctor-visits-during-pregnancy.aspx
Summary
- Identify the external dependencies of your projects
- Identify the vulnerabilities in the dependency software components.
- Analyze the impact
- Remove false positives
- Prioritize the vulnerabilities based on the severity
- Get rid of vulnerabilities (upgrade versions, use alternatives)
- Provide patches to your products
Thank you !tharindue.blogspot.com
@thariyarox
https://lk.linkedin.com/in/ediri