Secure Software Development with 3rd Party Dependencies

Tharindu Edirisinghe, WSO2

Colombo Security Meetup - 15th June 2016
http://www.meetup.com/colombo-security-meetup/events/231681389/

tharindue.blogspot.com

@thariyarox

https://lk.linkedin.com/in/ediri

[email protected]

What is a 3rd Party Library ?

A reusable software component developed to be either freely distributed or sold by an entity other than the original vendor of the development platform.

The third-party software component market thrives because many programmers believe that component-oriented development improves the efficiency and the quality of developing custom applications. Common third-party software includes macros, bots, and software/scripts to be run as add-ons for popular developing software.

Source : https://en.wikipedia.org/wiki/Third-party_software_component

Using 3rd Party Components in Software Development

C# project dependencies in Microsoft Visual Studio

Java project dependencies in IntelliJ Idea

Direct 3rd Party Dependencies

The external software components (developed by some other organization/s) that your project depends on.

Direct 3rd Party Dependencies with Known Vulnerabilities

The external software components (developed by some other organization/s) with known vulnerabilities that your project depends on.

Transitive 3rd Party Dependencies

The software components that your external dependencies depend on.

Transitive 3rd Party Dependencies with Known Vulnerabilities

The software components with known vulnerabilities that your external dependencies depend on.

Common Vulnerabilities and Exposures (CVE)

What is CVE ?

CVE is a list of information security vulnerabilities and exposures that aims to provide common names for publicly known cyber security issues. The goal of CVE is to make it easier to share data across separate vulnerability capabilities (tools, repositories, and services) with this "common enumeration."

Who owns CVE ?

CVE is sponsored by US-CERT (United States Computer Emergency Readiness Team) in the office of Cybersecurity and Communications at the U.S. Department of Homeland Security.

Source : https://cve.mitre.org/about/faqs.html

CVE Example

ID : CVE-2015-5262

Overview :

http/conn/ssl/SSLConnectionSocketFactory.java in Apache HttpComponents HttpClient before 4.3.6 ignores the http.socket.timeout configuration setting during an SSL handshake, which allows remote attackers to cause a denial of service (HTTPS call hang) via unspecified vectors.

Severity: Medium

CVSS Score: 4.3

Source : https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-5262

Common Vulnerability Scoring System (CVSS)

CVSS provides a way to capture the principal characteristics of a vulnerability, and produce a numerical score reflecting its severity, as well as a textual representation of that score. The numerical score can then be translated into a qualitative representation (such as low, medium, high, and critical) to help organizations properly assess and prioritize their vulnerability management processes.

Source : https://www.first.org/cvss/specification-document

National Vulnerability Database (NVD)

NVD is the U.S. government repository of standards based vulnerability management data represented using the Security Content Automation Protocol (SCAP). This data enables automation of vulnerability management, security measurement, and compliance. NVD includes databases of security checklists, security related software flaws, misconfigurations, product names, and impact metrics.

Source : https://nvd.nist.gov/

Using 3rd Party Dependencies Securely - The Big Picture

(Diagram: NVD / 3rd Party Dependencies / In-house Development)

All the 3rd party dependencies (including 3rd party transitive dependencies) should be checked in NVD for identifying vulnerabilities.

CVE-2015-5262, CVE-2014-3577, CVE-2012-6153

Veracode : Software Composition Analysis (SCA)

Source : https://www.veracode.com/products/software-composition-analysis

Source Clear (SRC:CLR)

Source : https://srcclr.com/

OWASP Dependency Check

Dependency-Check is a utility that identifies project dependencies and checks if there are any known, publicly disclosed, vulnerabilities. Currently Java, .NET, Ruby, Node.js, and Python projects are supported; additionally, limited support for C/C++ projects is available for projects using CMake or autoconf. This tool can be part of a solution to the OWASP Top 10 2013 A9 - Using Components with Known Vulnerabilities.

Source : https://www.owasp.org/index.php/OWASP_Dependency_Check

OWASP Dependency Check - Useful Resources

Official Website

https://www.owasp.org/index.php/OWASP_Dependency_Check

Vulnerability Detection

http://dontpanic.42.nl/2014/06/checking-framework-vulnerabilities.html

Command Line Tool (CLI)

https://jeremylong.github.io/DependencyCheck/dependency-check-cli/index.html

Suppressing False Positives

https://jeremylong.github.io/DependencyCheck/general/suppression.html

Continuous Vulnerability Detection with Jenkins Integration

https://medium.com/@PrakhashS/checking-vulnerabilities-in-3rd-party-dependencies-using-owasp-dependency-check-plugin-in-jenkins-bedfe8de6ba8#.cvgwcptjm

OWASP Dependency Check - Demo

- Using Maven plugin for Java based projects

- Using Command Line (CLI) tool for identifying vulnerable dependencies

- Analyzing generated reports

- Suppressing vulnerabilities for avoiding false positives

- Dependency Check integration with Jenkins
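The Maven integration from the demo list, shown as an added configuration example (not taken from the original slides or from the Dependency Check project): a dependency-check-maven plugin section that scans direct and transitive dependencies during the build, writes the report, fails the build when any dependency carries a CVE at or above a CVSS threshold, and reads a suppression file for reviewed false positives. The plugin version placeholder and the suppression file path are assumptions; the parameter names follow the plugin's documented configuration, so check them against the plugin release you use.

```xml
<!-- pom.xml (fragment): added example, not from the original slides -->
<build>
  <plugins>
    <plugin>
      <groupId>org.owasp</groupId>
      <artifactId>dependency-check-maven</artifactId>
      <!-- PLUGIN_VERSION is a placeholder: pin the release you have reviewed -->
      <version>PLUGIN_VERSION</version>
      <configuration>
        <!-- Fail the build when any dependency has a CVE scored at or above this CVSS value.
             7.0 is the start of the "High" band in CVSS; lower the threshold to be stricter. -->
        <failBuildOnCVSS>7</failBuildOnCVSS>
        <!-- Reviewed false positives live in a file committed next to the code
             (assumed path); every entry must carry the reason for the suppression -->
        <suppressionFiles>
          <suppressionFile>${project.basedir}/dependency-check-suppressions.xml</suppressionFile>
        </suppressionFiles>
        <!-- ALL writes HTML for people plus XML/JSON for the Jenkins plugin and other tooling -->
        <format>ALL</format>
      </configuration>
      <executions>
        <execution>
          <goals>
            <!-- "check" resolves the dependency tree (direct and transitive),
                 matches it against the NVD data and enforces failBuildOnCVSS -->
            <goal>check</goal>
          </goals>
        </execution>
      </executions>
    </plugin>
  </plugins>
</build>
```

With this in place, `mvn verify` runs the scan (the check goal binds to the verify phase by default) and the report lands under target/dependency-check-report.html; a build that stops on a High-scored CVE is the signal to upgrade, suppress with a written justification, or escalate, which is the approval flow described in the next slides.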

Continuous Vulnerability Management in a Corporate Environment

(Workflow diagram elements: Request for using 3rd Party Dependency; Engineering; Engineering Management; NVD; Vulnerability Analysis Report; Approval; Development Team; QA Team; Builder Process; Vulnerability Analysis Report)

Getting Rid of Vulnerable Dependencies

(Diagram: NVD / 3rd Party Dependencies / In-house Development)

- Upgrade direct 3rd party dependencies to a higher version

- For transitive dependencies, check if the directly dependent component has a higher version that depends on a safer version of the transitive dependency.

- Contact the developers of the component and get the issue fixed.

CVE-2015-5262, CVE-2014-3577, CVE-2012-6153
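The transitive-dependency case from the list above, as an added Maven example that is not from the original slides: when the direct dependency has no newer release yet, Maven's dependencyManagement section can pin the transitive artifact to a fixed version across the whole tree, which goes one step beyond the slide's advice of waiting for the direct dependency to move. The direct dependency com.example:some-sdk is hypothetical; the httpclient version 4.3.6 is the first release the CVE-2015-5262 entry on the page marks as fixed.

```xml
<!-- pom.xml (fragment): added example, not from the original slides -->
<dependencies>
  <!-- Hypothetical direct dependency that transitively pulls in httpclient < 4.3.6 -->
  <dependency>
    <groupId>com.example</groupId>
    <artifactId>some-sdk</artifactId>
    <version>1.0.0</version>
  </dependency>
</dependencies>

<!-- Pin the transitive dependency to the version that fixes CVE-2015-5262.
     dependencyManagement takes precedence over the version some-sdk declares,
     so Maven resolves httpclient 4.3.6 everywhere in the tree without
     changing some-sdk itself. -->
<dependencyManagement>
  <dependencies>
    <dependency>
      <groupId>org.apache.httpcomponents</groupId>
      <artifactId>httpclient</artifactId>
      <version>4.3.6</version>
    </dependency>
  </dependencies>
</dependencyManagement>
```

Verify the override with `mvn dependency:tree -Dincludes=org.apache.httpcomponents:httpclient` before trusting it, and run the test suite: the pinned version must actually be API-compatible with the direct dependency that uses it, and the override should be removed once some-sdk ships a release built against the fixed httpclient.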

Security in Software Development Life Cycle (SDLC)

Source : https://www.checkmarx.com/glossary/a-secure-sdlc-with-static-source-code-analysis-tools/

Challenges : Handling False Positives

Even though the vulnerability analysis tools report that there are vulnerabilities in a 3rd party dependency, there can be cases where those are not applicable to your product because of the way you have used that software component.

Image Source : http://www.123rf.com/photo_30641222_doctor-is-checking-a-fat-man-shoot-in-the-hospital.html
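A suppression file for the false-positive case just described, as an added example that is not from the original slides or from the Dependency Check project: it silences exactly one CVE for exactly one artifact range and records why, so the decision can be re-reviewed. The date, tracker id and justification are placeholders to be filled in by the reviewer; the schema URL is the one the Dependency Check suppression documentation publishes, so match it to the release you run.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- dependency-check-suppressions.xml: added example, not from the original slides -->
<suppressions xmlns="https://jeremylong.github.io/DependencyCheck/dependency-suppression.1.1.xsd">
  <suppress>
    <notes><![CDATA[
      CVE-2015-5262 (SSL handshake ignores http.socket.timeout in httpclient < 4.3.6).
      Reviewed on <DATE> by <REVIEWER>, ticket <TRACKER-ID>.
      Not applicable because: <reason the affected code path is not reachable in this product>.
      Re-review when httpclient is upgraded or the product starts using it over HTTPS.
    ]]></notes>
    <!-- Match by Maven coordinates (group:artifact:version), not by file name,
         and only for the affected versions so a future downgrade is still flagged -->
    <gav regex="true">^org\.apache\.httpcomponents:httpclient:4\.3\.[0-5]$</gav>
    <!-- Suppress this single CVE; never suppress the whole artifact -->
    <cve>CVE-2015-5262</cve>
  </suppress>
</suppressions>
```

Keeping the file under version control next to the pom.xml means every suppression goes through code review, and the notes block is what answers the "why was this accepted?" question when the same finding reappears in the next scan.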

Challenges : Handling False Negatives

Even though the vulnerability analysis tools report that your external dependencies are safe to use, there can still be unknown vulnerabilities.

Image Source : http://www.whattoexpect.com/pregnancy/pregnancy-health/monthly-doctor-visits-during-pregnancy.aspx

Summary

- Identify the external dependencies of your projects

- Identify the vulnerabilities in the dependency software components.

- Analyze the impact

- Remove false positives

- Prioritize the vulnerabilities based on the severity

- Get rid of vulnerabilities (upgrade versions, use alternatives)

- Provide patches to your products

Thank you!

tharindue.blogspot.com

@thariyarox

https://lk.linkedin.com/in/ediri

[email protected]