Understanding The Known: OWASP A9 Using Components With Known Vulnerabilities
TRANSCRIPT
UNDERSTANDING THE KNOWN
A9: USING COMPONENTS WITH KNOWN VULNERABILITIES
BY ANANT SHRIVASTAVA
ANANT SHRIVASTAVA
Information Security Consultant
Admin - Dev - Security
null + OWASP + G4H
Trainer / Speaker: Blackhat USA, NullCon, g0s, c0c0n, Clubhack, RootConf
http://anantshri.info and @anantshri
WHAT IS A COMPONENT
Any piece of code that is reusable
Paid or open source
Either by the same developer or other developers
It's a lot more than what you know
PYTHON PACKAGES (Programming Language)
RUBY GEMS (Programming Language)
MICROSOFT .NET PACKAGES (Programming Language)
WORDPRESS PLUGINS (Web Application)
CISCO SECURITY MANAGER
CISCO ASA (Cisco ASA Hardware)
AND MANY MORE
WHY COMPONENTS
Unix philosophy: do one thing and do it well
Code reuse: "less development overhead"
"Potentially" combined and faster evolution
Higher cost to develop from scratch
IN SHORT
Any component which is not developed by you is a 3rd party package in use
NOT DEVELOPED BY YOU
1. OpenSSL
2. Bash
3. Apache
4. NGINX
and many more
[Slide 15: image only]
UNDERSTANDING THE KNOWN
USING COMPONENTS WITH KNOWN VULNERABILITIES
TWO DISTINCT PROBLEMS
1. Component has a known vulnerability
2. Licensing policies
This talk focuses only on the first part
COMPONENT WITH KNOWN VULNERABILITY
Marked as 9/10 in the OWASP Top 10 Vulnerabilities in 2013
Attacks can range from basic web attacks to Remote Code Execution
[Slide 19: image only]
SOME EXAMPLES
HEARTBLEED
VULNERABLE VENDOR
Credits: Jake & Kymberlee: Stranger Danger! What Is The Risk From 3rd Party Libraries? (Blackhat USA 2015)
MORE
Credits: same source as above (Jake & Kymberlee, Blackhat USA 2015)
[Slide 24: image only]
REMEMBER
We rely on 3rd party to
1. patch
2. maintain security
3. accept security issues
4. in short, "NOT SCREW UP"
WHAT ARE THE CONCERNS
1. Open Source Software
   1. Developer has scratched his itch and will not want to work on it
   2. Developer doesn't understand the security implications and ignores reports
   3. Developer is genuinely not in a position to work on the project
2. Closed Source Software
   1. Company shifted focus
   2. Not enough money
WHAT IF THEY DO ALL THE FIXES IN TIME
PATCH PROCESS
1. Someone discloses a vulnerability
2. 3rd party vendor fixes the code
3. A public advisory is released informing about the update and, hopefully, the security issue
4. Developer has to update the dependencies in the actual project (believe me when I say it's not an easy task: backward compatibility, regression, feature support etc.)
5. Sysadmin / user has to update the software to receive the update
LOOKS COMPLEX
ANDROID OTA PROCESS
1. Google releases PDK to vendor for evaluation
2. Google announces new version
3. Google sends source code to chipset manufacturer and vendor
4. Chipset manufacturer provides drivers and BSP, or stops support
5. Vendor evaluates requirements for the device; if no driver, then no update
6. Vendor updates its own software (Sense, TouchWiz etc.)
Cont.
ANDROID OTA PROCESS (cont.)
1. Vendor works with carrier for modifications
2. Final build is submitted for lab entry and testing
3. If a bug is found, patch and resubmit
4. Take approvals from
   1. Regulatory
   2. Industry
   3. Google
5. Prepare OTA for the device
6. User downloads OTA and updates the device
BIGGEST QUESTION: WHAT WE CAN DO
3 KEY PLAYERS
1. Component code developer
2. Programmer reusing the component
3. End user / sysadmin using the final program
THEN THERE IS THE PENTESTER
LET'S EVALUATE ONE BY ONE
SYSADMIN / ENDUSER
Monitor your software feeds to ensure you do not miss security updates
Never ignore an update from a shared library
Keep an eye on how shared resources are holding up
DEVELOPERS (SOFTWARE AND 3RD PARTY)
1. Identify and catalogue your components
2. Never ignore pull requests and security issue bug reports
3. Proactively test software and, at least if a fix is released publicly, accept the security issue
ANY AVAILABLE TOOLS
VULNERABLE COMPONENT IDENTIFICATION
IDENTIFICATION
[Slides 40 to 42: image only]
IS THIS ENOUGH
1. Not yet
2. We still lack a method to track it for every third party library
3. Manual tracking is still required
COMPONENT CODE DEVELOPER
1. Be clear about support status
2. If out of support, release an updated version clearly stating the support status
3. Clearly accept the security issues and inform about the fix
[Slides 45 and 46: image only]
PENTESTER
1. Follow the steps for Admin to identify all components
2. Cross-reference with known disclosures (use dependency trackers)
3. Profit
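As an added example, not from the slides, of the catalogue-and-cross-reference step that both the Developers slide ("identify and catalogue your components") and the Pentester slide call for: a small Python dependency tracker that reads a requirements file, records which components are pinned exactly, and checks the pinned ones against an advisory feed. Package names, versions and advisory ids are constructed placeholders; a real tracker would pull the feed from a vulnerability database, and the unpinned entries it reports are exactly the "manual tracking still required" case.

```python
"""Mini dependency tracker (constructed example): catalogue the components a
project pins, then cross-reference them against an advisory feed."""
import re

# Constructed requirements file; the package names are placeholders, not real projects.
REQUIREMENTS = """\
httpkit==2.5.1
webframe>=1.8          # a range, not an exact pin
confparse==3.10        # pinned years ago and never revisited
compatlib==1.10.0
"""

# Constructed advisory feed with placeholder ids; affected when introduced <= v < fixed.
ADVISORIES = [
    {"id": "ADV-EXAMPLE-1", "package": "httpkit", "introduced": "0", "fixed": "2.6.0"},
    {"id": "ADV-EXAMPLE-2", "package": "confparse", "introduced": "0", "fixed": "4.1"},
    {"id": "ADV-EXAMPLE-3", "package": "compatlib", "introduced": "1.0.0", "fixed": "1.9.0"},
]

def parse_version(text):
    """'1.10.0' -> (1, 10, 0); tuples compare numerically, so 1.10 > 1.9."""
    return tuple(int(part) for part in re.findall(r"\d+", text))

def parse_requirements(text):
    """Catalogue step: name -> exact pinned version, or None for a bare range."""
    catalogue = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()          # drop trailing comments
        if line:
            m = re.match(r"([A-Za-z0-9_.-]+)\s*(?:==\s*([0-9][0-9.]*))?", line)
            catalogue[m.group(1).lower()] = m.group(2)  # package names are case-insensitive
    return catalogue

def find_vulnerable(catalogue, advisories):
    """Cross-reference step: (package, version, id) for each pinned component in range."""
    hits = []
    for adv in advisories:
        version = catalogue.get(adv["package"].lower())
        if version is None:                           # unpinned: cannot assess here
            continue
        low, high = parse_version(adv["introduced"]), parse_version(adv["fixed"])
        if low <= parse_version(version) < high:
            hits.append((adv["package"], version, adv["id"]))
    return hits

def unassessed(catalogue):
    """Components without an exact pin: manual tracking is still required."""
    return sorted(name for name, version in catalogue.items() if version is None)

if __name__ == "__main__":
    cat = parse_requirements(REQUIREMENTS)
    print("affected:", find_vulnerable(cat, ADVISORIES), "unassessed:", unassessed(cat))
```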
REFERENCES
1. BlackHat 2015: Stranger Danger! What Is The Risk From 3rd Party Libraries?
DO CHECK VTEM
2. The Unfortunate Reality of Insecure Libraries: Jeff Williams, Arshan Dabirsiaghi, March 2012
3. https://www.gov.uk/service-manual/making-software/dependency-management.html
4. http://swreflections.blogspot.in/2013/10/dont-let-somebody-elses-technical-debt.html
REFERENCES (cont.)
1. https://prezi.com/g-01vdbth1co/sonatype-survey-2013/
2. http://blog.softfluent.com/2011/08/19/leveraging-third-party-components-or-reducing-dependencies/
3. https://img.en25.com/Web/SonatypeInc/%7Bb2fa5ed8-938d-4bce-8a9c-d08ebeba826d%7D_Executive_Brief_-_Study-_Understanding_Security_Risks_in_OSS_Components-1.pdf
ANY QUESTIONS
ANANT SHRIVASTAVA: @anantshri, http://anantshri.info
THANK YOU