SlideShare a Scribd company logo

Understanding & Addressing OWASP’s Newest Top Ten Threat: Using Components with Known Vulnerabilities

Sonatype
Sonatype

In 2013, the Open Web Application Security Project (OWASP) was updated to include “A9: using components with known vulnerabilities.” This paper explains this new threat with practical ideas for reducing risk from open source components which now comprise 80% of an average application.

Software
1 of 8
Download to read offline
WHITEPAPER Understanding & Addressing OWASP’s Newest Top Ten Threat: USING COMPONENTS WITH KNOWN VULNERABILITIES
Why has managing and securing components become a priority? Simply put, components have become a rich attack vector because of their pervasive reuse. Reuse that makes it easy for hackers to propagate their attack across multiple applications and multiple organizations. Page 2 Understanding & Addressing OWASP’s Newest Top Ten Threat: Using Components with Known Vulnerabilities OVERVIEW Many organizations turn to the Open Web Application Security Project (OWASP) to help en- sure that their code and applications are secure. Recently OWASP’s Top Ten list of application security risks was updated to include“A9: Using components with known vulnerabilities.” The full description from OWASP states“Components, such as libraries, frameworks, and other software mod- ules, almost always run with full privileges. If a vulnerable component is exploited, such an attack can facilitate serious data loss or server takeover. Applications using components with known vulnerabilities may under- mine application defenses and enable a range of possible attacks and impacts.” This means organizations need to expand their security approach to accommodate components – which are re-usable blocks of code that are assem- bled together to create an application. Components can be created and re-used within an organization’s development team – but most often they are down- loaded from public repositories such as the Central Repository. These re-usable components now com- prise approximately 90% of an average application thus exposing organizations to potential security, license and quality risks. Why has managing and securing components become a priority? Simply put, components have become a rich attack vector because of their perva- sive reuse. Reuse that makes it easy for hackers to propagate their attack across multiple applications and multiple organizations. This component chal- lenge is exacerbated by the fact that the applica- tion is the threat vector of choice – and hackers can increase their exploit rate by going after vulnerable components. Instead of identifying an exploit in individual applications (which can’t be reused for exploits against other applications), once a compo- nent vulnerability is discovered, a hacker can blast that exploit across the web looking for other appli- cations that use that same component.
Page 3 Understanding & Addressing OWASP’s Newest Top Ten Threat: Using Components with Known Vulnerabilities CHALLENGE Existing approaches are not designed for how applications are constructed today. For example: • Most existing application security tools are designed for source code, not open source components. Components are binaries so attempts to scan them using traditional applica- tion security tools often yield false positives which drag down development velocity. • Managing components in a development environment is gen- erally a manual, cumbersome effort. Attempts to govern usage often fail to keep up with the variety, complexity and release cadence of components used in an agile environment. • Even though applications have become a primary threat vec- tor, organizations generally focus more budget and energy on network and perimeter defenses. Process and communication need to be re-engineered to ensure trusted applications. Ideas include: • Ensuring developers are educated with respect to security, and that they place a high priority on delivering secure applications. • Ensuring the security team works effectively with the develop- ment team and other constituents on timely collaboration and communication. • Ensuring the integrity of the components that are downloaded (that they have not been compromised – they are what you think they are, they came from who you think they came from). Component usage introduces the need for new development requirements, such as: • Standardizing usage of components based on acceptable security, license and quality risks. However, without the proper tools and processes this is difficult to enforce. OWASP Top Ten, updated 2013 A1-Injection A2-Broken Authentication and Session Management A3-Cross-Site Scripting (XSS) A4-Insecure Direct Object References A5-Security Misconfiguration A6-Sensitive Data Exposure A7-Missing Function Level Access Control A8-Cross-Site Request Forgery (CSRF) A9-Using Components with Known Vulnerabilities A10-Unvalidated Redirects and Forwards
Page 4 Understanding & Addressing OWASP’s Newest Top Ten Threat: Using Components with Known Vulnerabilities • Understanding which components have been used - and where - so that risk can be assessed and remediation efforts are possible. • Updating components as new versions are released and mak- ing those revisions in live production applications. • Monitoring risk to determine which components have vulner- abilities. However, this is generally a manual and time-consum- ing effort since public sources do not provide intelligence in a standard, searchable way and it is often hard to find informa- tion for a specific version number. Continuous monitoring is needed to assure long-term trust. For example: • Hackers are not complacent. Today’s trusted component may be tomorrow’s vulnerability. • Newer component versions not only improve security, but generally also improve overall quality and functionality. OWASP is the tip of the iceberg – it is referenced by other standards, some of which require actual certification. Therefore: • Meeting OWASP guidelines is not only a best practice, but also may be mandatory if your organization is governed by PCI, SANS, BSIMM, NIST and others who rely on OWASP guidelines to be met as part of their certification.
Page 5 Understanding & Addressing OWASP’s Newest Top Ten Threat: Using Components with Known Vulnerabilities SOLUTION Sonatype specializes in open source governance, management and compliance and, therefore, is ideally suited to guide organiza- tions through the new A9 guideline. Nexus Lifecycle (formerly Component Lifecycle Management - CLM) is the first solution to deliver component information, con- trols, and remediation options directly into the tools that develop- ers use every day. By uniquely identifying components, making it easy to fix flaws early, and enforcing policy at every phase of the software development lifecycle, Nexus Lifecycle eliminates security and other risks in open source software. It’s is the first practical way to automate governance of open- source component usage throughout the software lifecycle and eradicate flawed components from production applications. Nexus Lifecycle addresses each of the OWASP A9 recommenda- tions for avoiding the use of insecure components head-on. These include: 1. Identify the components and their versions you are using, including all dependencies. (e.g., the versions plugin). 2. Monitor the security of these components in public databas- es, project mailing lists, and security mailing lists, and keep them up-to-date. 3. Establish security policies governing component use, such as requiring certain software development practices, passing security tests, and meeting license guidelines. Nexus Lifecycle goes beyond these recommendations and is designed for software supply chain automation. Nexus Lifecycle integrates security, licensing and quality information about the components directly in the tools that developers use (repository manager, IDE, build/CI environment), provides early and quick remediation capabilities, and continuously monitors your pro- duction applications. OWASP New Top 10 List Includes Secure Component Requirement “OWASP is an open community dedicated to enabling organizations to conceive, develop, acquire, operate, and maintain applications that can be trusted… We advocate approaching application security as a people, pro- cess, and technology problem because the most effective approaches to appli- cation security include improvements in all of these areas.” OWASP has recognized the critical role that components play in today’s applications. OWASP updated their Top 10 list to include A9, which states that applications should avoid using components with known vulnerabili- ties. The standard includes these best practices: • Identify the components and the versions you are using, including all dependencies. • Monitor the security of these components in public databases, project mailing lists, and security mailing lists, and keep them up- to-date. • Establish security policies govern- ing component use, such as re- quiring certain software develop- ment practices, passing security tests, and acceptable license.
Page 6 Understanding & Addressing OWASP’s Newest Top Ten Threat: Using Components with Known Vulnerabilities Although Nexus Lifecycle is closely identified with A9, it provides the ability to support the entirety of the OWASP Top 10 as it relates to the components that are being used to construct applications. Nexus Lifecycle does this since the vulnerabilities that are discov- ered for the components include those documented in the Top 10. For example, Injection, Cross-Site Scripting (SXX), Insecure Refer- ences, etc., that are discovered in the components are identified and managed by the solution. WHY SONATYPE? Nexus Lifecycle is uniquely designed to support component-based, agile development and software supply chain automation. • Instead of automating the approval workflow, Nexus Lifecycle automates the actual policies so that organizations can keep pace with the volume, variety, complexity and release cadence of components. • Nexus Lifecycle uses automation to guide and enforce action in the tools that developers use today, freeing up humans to focus on building policies and managing exceptions. Nexus Lifecycle is effective throughout the entire software lifecycle. • Nexus Lifecycle is naturally integrated in the tools that de- velopers use to build applications – out of the box, we don’t just give you an API and an SDK and tell you to build your own integration. • Nexus Lifecycle produces results that are available instanta- neously – developers have the information they need to select the best component from the start, and information necessary to assess their builds or continuous integration efforts. The information is available without the delay associated with tools that are dependent on intensive and time-consuming scans. According to Jeff Williams, founding member of OWASP and CEO of Aspect Security. “The performance, time and cost advantages of agile, open-source de- velopment comes at a price - you have to ensure the components you use are up-to-date and secure. . . . Unfortunately, it’s not trivial to figure out what components you applica- tions are using, and even harder to figure out which vulnerabilities apply to those components. . . . The new OWASP Top Ten has detailed recommendations for locking down your software supply chain, and Sonatype’s tools make them much easier.”
Page 7 Understanding & Addressing OWASP’s Newest Top Ten Threat: Using Components with Known Vulnerabilities Nexus Lifecycle provides guidance that prevents problems and remediates flaws that are discovered. • Nexus Lifecycle aggregates and augments vulnerability data by leveraging multiple sources and doing additional research that pinpoints the vulnerability to specific version numbers. This information is then presented using an intuitive, graphical display directly in the tools that are used to develop, build and release the applications. • Nexus Lifecycle doesn’t stop with problem identification. It prevents and remediates flawed components. Problems are prevented from the start by providing information in the IDE to empower developers to pick the best components from the start. And if policy violations are found, Nexus Lifecycle provides the information necessary to pick the best replace- ment version and to migrate to that version with a single click directly in the IDE. Continuous trust for production applications • Nexus Lifecycle extends support to applications that are in production. Nexus Lifecycle monitors the application inven- tory non-invasively and notifies the appropriate individuals if a new security vulnerability has been detected. It provides information to help triage the flaw, remediation support, and the ability to help manage the release process to get the new application version deployed as quickly as possible. • Nexus Lifecycle provides a complete view of enterprise risk for component-based applications by providing dashboards that include summary and detailed views. Organizations can assess their overall risk exposure and stay abreast of new vulnerabilities. Sonatype provides information to help triage the flaw, provides remediation support, and provides the ability to help manage the release process to get the new application version deployed as quickly as possible.
Page 8 ADDITIONAL INFORMATION OWASP Press Release - http://www.sonatype.com/news/software- component-vulnerability-cited-as-latest-application-security- threat-in-owasp-top-ten-list-sonatype-first-to-provide- comprehensive-solution#.Umkui2RAQ_A Press Release - http://www.sonatype.com/news/sonatype-ushers- in-new-era-of-application-security-aimed-at-eliminating-risk-in- the-modern-software-supply-chain#.UmkuuGRAQ_A Sonatype’s OWASP A9 Blog Post - http://blog.sonatype.com/ people/2013/06/a9_nexusclm/#.Um_ThezD99M OWASP Website - https://www.owasp.org/index.php/ Top_10_2013-A9-Using_Components_with_Known_ Vulnerabilities Sonatype Inc. • 8161 Maple Lawn Drive, Suite 250 • Fulton, MD 20759 • 1.877.866.2836 • www.sonatype.com 2015. Sonatype Inc. All Rights Reserved. Sonatype helps organizations build better software, even faster. Like a traditional supply chain, software applications are built by assembling open source and third party components streaming in from a wide variety of public and internal sources. While re-use is far faster than custom code, the flow of components into and through an organization remains complex and inefficient. Sonatype’s Nexus platform applies proven supply chain principles to increase speed, efficiency and quality by optimizing the component supply chain. Sonatype has been on the forefront of creating tools to to improve developer efficiency and quality since the inception of the Central Repository and Apache Maven in 2001, and the company continues to serve as the steward of the Central Repository serving 17.2 Billion component download requests in 2014 alone. Sonatype is privately held with investments from New Enterprise Associates (NEA), Accel Partners, Bay Partners, Hummer Winblad Venture Partners and Morgenthaler Ventures. Visit: www.sonatype.com

Recommended

White Paper: 7 Security Gaps in the Neglected 90% of your Applications
White Paper: 7 Security Gaps in the Neglected 90% of your ApplicationsWhite Paper: 7 Security Gaps in the Neglected 90% of your Applications
White Paper: 7 Security Gaps in the Neglected 90% of your Applications
Sonatype
 
Lawyers and Licenses in Open Source-based Development: How to Protect Your So...
Lawyers and Licenses in Open Source-based Development: How to Protect Your So...Lawyers and Licenses in Open Source-based Development: How to Protect Your So...
Lawyers and Licenses in Open Source-based Development: How to Protect Your So...
Sonatype
 
Snippets, Scans and Snap Decisions: How Component Identification Methods Impa...
Snippets, Scans and Snap Decisions: How Component Identification Methods Impa...Snippets, Scans and Snap Decisions: How Component Identification Methods Impa...
Snippets, Scans and Snap Decisions: How Component Identification Methods Impa...
Sonatype
 
Tools & Techniques for Addressing Component Vulnerabilities for PCI Compliance
Tools & Techniques for Addressing Component Vulnerabilities for PCI ComplianceTools & Techniques for Addressing Component Vulnerabilities for PCI Compliance
Tools & Techniques for Addressing Component Vulnerabilities for PCI Compliance
Sonatype
 
Hidden Speed Bumps on the Road to "Continuous"
Hidden Speed Bumps on the Road to "Continuous"Hidden Speed Bumps on the Road to "Continuous"
Hidden Speed Bumps on the Road to "Continuous"
Sonatype
 
Strengthening cyber resilience with Software Supply Chain Visibility
Strengthening cyber resilience with Software Supply Chain VisibilityStrengthening cyber resilience with Software Supply Chain Visibility
Strengthening cyber resilience with Software Supply Chain Visibility
Sonatype
 
Aliens in Your Apps!
Aliens in Your Apps!Aliens in Your Apps!
Aliens in Your Apps!
All Things Open
 
Risks in the Software Supply Chain
Risks in the Software Supply ChainRisks in the Software Supply Chain
Risks in the Software Supply Chain
Mark Sherman
 

Recommended

White Paper: 7 Security Gaps in the Neglected 90% of your Applications
White Paper: 7 Security Gaps in the Neglected 90% of your ApplicationsWhite Paper: 7 Security Gaps in the Neglected 90% of your Applications
White Paper: 7 Security Gaps in the Neglected 90% of your Applications
Sonatype
 
Lawyers and Licenses in Open Source-based Development: How to Protect Your So...
Lawyers and Licenses in Open Source-based Development: How to Protect Your So...Lawyers and Licenses in Open Source-based Development: How to Protect Your So...
Lawyers and Licenses in Open Source-based Development: How to Protect Your So...
Sonatype
 
Snippets, Scans and Snap Decisions: How Component Identification Methods Impa...
Snippets, Scans and Snap Decisions: How Component Identification Methods Impa...Snippets, Scans and Snap Decisions: How Component Identification Methods Impa...
Snippets, Scans and Snap Decisions: How Component Identification Methods Impa...
Sonatype
 
Tools & Techniques for Addressing Component Vulnerabilities for PCI Compliance
Tools & Techniques for Addressing Component Vulnerabilities for PCI ComplianceTools & Techniques for Addressing Component Vulnerabilities for PCI Compliance
Tools & Techniques for Addressing Component Vulnerabilities for PCI Compliance
Sonatype
 
Hidden Speed Bumps on the Road to "Continuous"
Hidden Speed Bumps on the Road to "Continuous"Hidden Speed Bumps on the Road to "Continuous"
Hidden Speed Bumps on the Road to "Continuous"
Sonatype
 
Strengthening cyber resilience with Software Supply Chain Visibility
Strengthening cyber resilience with Software Supply Chain VisibilityStrengthening cyber resilience with Software Supply Chain Visibility
Strengthening cyber resilience with Software Supply Chain Visibility
Sonatype
 
Aliens in Your Apps!
Aliens in Your Apps!Aliens in Your Apps!
Aliens in Your Apps!
All Things Open
 
Risks in the Software Supply Chain
Risks in the Software Supply ChainRisks in the Software Supply Chain
Risks in the Software Supply Chain
Mark Sherman
 
A "Firewall" for Bad Binaries
A "Firewall" for Bad BinariesA "Firewall" for Bad Binaries
A "Firewall" for Bad Binaries
Sonatype
 
Application Security at DevOps Speed and Portfolio Scale
Application Security at DevOps Speed and Portfolio ScaleApplication Security at DevOps Speed and Portfolio Scale
Application Security at DevOps Speed and Portfolio Scale
Jeff Williams
 
Innovating Faster with Continuous Application Security
Innovating Faster with Continuous Application Security Innovating Faster with Continuous Application Security
Innovating Faster with Continuous Application Security
Jeff Williams
 
Owasp A9 USING KNOWN VULNERABLE COMPONENTS IT 6873 presentation
Owasp A9 USING KNOWN VULNERABLE COMPONENTS IT 6873 presentationOwasp A9 USING KNOWN VULNERABLE COMPONENTS IT 6873 presentation
Owasp A9 USING KNOWN VULNERABLE COMPONENTS IT 6873 presentation
Derrick Hunter
 
7 Reasons Your Applications are Attractive to Adversaries
7 Reasons Your Applications are Attractive to Adversaries7 Reasons Your Applications are Attractive to Adversaries
7 Reasons Your Applications are Attractive to Adversaries
Derek E. Weeks
 
2017-11 Three Ways of Security - OWASP London
2017-11 Three Ways of Security - OWASP London2017-11 Three Ways of Security - OWASP London
2017-11 Three Ways of Security - OWASP London
Jeff Williams
 
Accelerating Innovation with Software Supply Chain Management
Accelerating Innovation with Software Supply Chain ManagementAccelerating Innovation with Software Supply Chain Management
Accelerating Innovation with Software Supply Chain Management
Sonatype
 
Veracode - Overview
Veracode - OverviewVeracode - Overview
Veracode - Overview
Stephen Durrant
 
Secure Code review - Veracode SaaS Platform - Saudi Green Method
Secure Code review - Veracode SaaS Platform - Saudi Green MethodSecure Code review - Veracode SaaS Platform - Saudi Green Method
Secure Code review - Veracode SaaS Platform - Saudi Green Method
Salil Kumar Subramony
 
Empowering Application Security Protection in the World of DevOps
Empowering Application Security Protection in the World of DevOpsEmpowering Application Security Protection in the World of DevOps
Empowering Application Security Protection in the World of DevOps
IBM Security
 
The Web AppSec How-To: The Defender's Toolbox
The Web AppSec How-To: The Defender's ToolboxThe Web AppSec How-To: The Defender's Toolbox
The Web AppSec How-To: The Defender's Toolbox
Checkmarx
 
Lessons Learned From Heartbleed, Struts, and The Neglected 90%
Lessons Learned From Heartbleed, Struts, and The Neglected 90%Lessons Learned From Heartbleed, Struts, and The Neglected 90%
Lessons Learned From Heartbleed, Struts, and The Neglected 90%
Sonatype
 
Crafting Super-Powered Risk Assessments by Digital Defense Inc & Veracode
Crafting Super-Powered Risk Assessments by Digital Defense Inc & VeracodeCrafting Super-Powered Risk Assessments by Digital Defense Inc & Veracode
Crafting Super-Powered Risk Assessments by Digital Defense Inc & Veracode
Digital Defense Inc
 
Veracode - Inglês
Veracode - InglêsVeracode - Inglês
Veracode - Inglês
DeServ - Tecnologia e Servços
 
Application Security Management with ThreadFix
Application Security Management with ThreadFixApplication Security Management with ThreadFix
Application Security Management with ThreadFix
Virtual Forge
 
8 Patterns For Continuous Code Security by Veracode CTO Chris Wysopal
8 Patterns For Continuous Code Security by Veracode CTO Chris Wysopal8 Patterns For Continuous Code Security by Veracode CTO Chris Wysopal
8 Patterns For Continuous Code Security by Veracode CTO Chris Wysopal
Threat Stack
 
5 Things Every CISO Needs To Know About Open Source Security - A WhiteSource ...
5 Things Every CISO Needs To Know About Open Source Security - A WhiteSource ...5 Things Every CISO Needs To Know About Open Source Security - A WhiteSource ...
5 Things Every CISO Needs To Know About Open Source Security - A WhiteSource ...
WhiteSource
 
AppSec How-To: Achieving Security in DevOps
AppSec How-To: Achieving Security in DevOpsAppSec How-To: Achieving Security in DevOps
AppSec How-To: Achieving Security in DevOps
Checkmarx
 
Healthcare application-security-practices-survey-veracode
Healthcare application-security-practices-survey-veracodeHealthcare application-security-practices-survey-veracode
Healthcare application-security-practices-survey-veracode
Veracode
 
A Successful SAST Tool Implementation
A Successful SAST Tool ImplementationA Successful SAST Tool Implementation
A Successful SAST Tool Implementation
Checkmarx
 
Managing third party libraries
Managing third party librariesManaging third party libraries
Managing third party libraries
n|u - The Open Security Community
 
OWASP Secure Coding Practices - Quick Reference Guide
OWASP Secure Coding Practices - Quick Reference GuideOWASP Secure Coding Practices - Quick Reference Guide
OWASP Secure Coding Practices - Quick Reference Guide
Ludovic Petit
 

More Related Content

What's hot

Application Security at DevOps Speed and Portfolio Scale
Application Security at DevOps Speed and Portfolio ScaleApplication Security at DevOps Speed and Portfolio Scale
Application Security at DevOps Speed and Portfolio Scale
Jeff Williams
 
7 Reasons Your Applications are Attractive to Adversaries
7 Reasons Your Applications are Attractive to Adversaries7 Reasons Your Applications are Attractive to Adversaries
7 Reasons Your Applications are Attractive to Adversaries
Derek E. Weeks
 
Empowering Application Security Protection in the World of DevOps
Empowering Application Security Protection in the World of DevOpsEmpowering Application Security Protection in the World of DevOps
Empowering Application Security Protection in the World of DevOps
IBM Security
 
Lessons Learned From Heartbleed, Struts, and The Neglected 90%
Lessons Learned From Heartbleed, Struts, and The Neglected 90%Lessons Learned From Heartbleed, Struts, and The Neglected 90%
Lessons Learned From Heartbleed, Struts, and The Neglected 90%
Sonatype
 
Application Security Management with ThreadFix
Application Security Management with ThreadFixApplication Security Management with ThreadFix
Application Security Management with ThreadFix
Virtual Forge
 
8 Patterns For Continuous Code Security by Veracode CTO Chris Wysopal
8 Patterns For Continuous Code Security by Veracode CTO Chris Wysopal8 Patterns For Continuous Code Security by Veracode CTO Chris Wysopal
8 Patterns For Continuous Code Security by Veracode CTO Chris Wysopal
Threat Stack
 

What's hot (20)

A "Firewall" for Bad Binaries
A "Firewall" for Bad BinariesA "Firewall" for Bad Binaries
A "Firewall" for Bad Binaries
 
Application Security at DevOps Speed and Portfolio Scale
Application Security at DevOps Speed and Portfolio ScaleApplication Security at DevOps Speed and Portfolio Scale
Application Security at DevOps Speed and Portfolio Scale
 
Innovating Faster with Continuous Application Security
Innovating Faster with Continuous Application Security Innovating Faster with Continuous Application Security
Innovating Faster with Continuous Application Security
 
Owasp A9 USING KNOWN VULNERABLE COMPONENTS IT 6873 presentation
Owasp A9 USING KNOWN VULNERABLE COMPONENTS IT 6873 presentationOwasp A9 USING KNOWN VULNERABLE COMPONENTS IT 6873 presentation
Owasp A9 USING KNOWN VULNERABLE COMPONENTS IT 6873 presentation
 
7 Reasons Your Applications are Attractive to Adversaries
7 Reasons Your Applications are Attractive to Adversaries7 Reasons Your Applications are Attractive to Adversaries
7 Reasons Your Applications are Attractive to Adversaries
 
2017-11 Three Ways of Security - OWASP London
2017-11 Three Ways of Security - OWASP London2017-11 Three Ways of Security - OWASP London
2017-11 Three Ways of Security - OWASP London
 
Accelerating Innovation with Software Supply Chain Management
Accelerating Innovation with Software Supply Chain ManagementAccelerating Innovation with Software Supply Chain Management
Accelerating Innovation with Software Supply Chain Management
 
Veracode - Overview
Veracode - OverviewVeracode - Overview
Veracode - Overview
 
Secure Code review - Veracode SaaS Platform - Saudi Green Method
Secure Code review - Veracode SaaS Platform - Saudi Green MethodSecure Code review - Veracode SaaS Platform - Saudi Green Method
Secure Code review - Veracode SaaS Platform - Saudi Green Method
 
Empowering Application Security Protection in the World of DevOps
Empowering Application Security Protection in the World of DevOpsEmpowering Application Security Protection in the World of DevOps
Empowering Application Security Protection in the World of DevOps
 
The Web AppSec How-To: The Defender's Toolbox
The Web AppSec How-To: The Defender's ToolboxThe Web AppSec How-To: The Defender's Toolbox
The Web AppSec How-To: The Defender's Toolbox
 
Lessons Learned From Heartbleed, Struts, and The Neglected 90%
Lessons Learned From Heartbleed, Struts, and The Neglected 90%Lessons Learned From Heartbleed, Struts, and The Neglected 90%
Lessons Learned From Heartbleed, Struts, and The Neglected 90%
 
Crafting Super-Powered Risk Assessments by Digital Defense Inc & Veracode
Crafting Super-Powered Risk Assessments by Digital Defense Inc & VeracodeCrafting Super-Powered Risk Assessments by Digital Defense Inc & Veracode
Crafting Super-Powered Risk Assessments by Digital Defense Inc & Veracode
 
Veracode - Inglês
Veracode - InglêsVeracode - Inglês
Veracode - Inglês
 
Application Security Management with ThreadFix
Application Security Management with ThreadFixApplication Security Management with ThreadFix
Application Security Management with ThreadFix
 
8 Patterns For Continuous Code Security by Veracode CTO Chris Wysopal
8 Patterns For Continuous Code Security by Veracode CTO Chris Wysopal8 Patterns For Continuous Code Security by Veracode CTO Chris Wysopal
8 Patterns For Continuous Code Security by Veracode CTO Chris Wysopal
 
5 Things Every CISO Needs To Know About Open Source Security - A WhiteSource ...
5 Things Every CISO Needs To Know About Open Source Security - A WhiteSource ...5 Things Every CISO Needs To Know About Open Source Security - A WhiteSource ...
5 Things Every CISO Needs To Know About Open Source Security - A WhiteSource ...
 
AppSec How-To: Achieving Security in DevOps
AppSec How-To: Achieving Security in DevOpsAppSec How-To: Achieving Security in DevOps
AppSec How-To: Achieving Security in DevOps
 
Healthcare application-security-practices-survey-veracode
Healthcare application-security-practices-survey-veracodeHealthcare application-security-practices-survey-veracode
Healthcare application-security-practices-survey-veracode
 
A Successful SAST Tool Implementation
A Successful SAST Tool ImplementationA Successful SAST Tool Implementation
A Successful SAST Tool Implementation
 

Similar to Understanding & Addressing OWASP’s Newest Top Ten Threat: Using Components with Known Vulnerabilities

SECURITY FOR DEVOPS DEPLOYMENT PROCESSES: DEFENSES, RISKS, RESEARCH DIRECTIONS
SECURITY FOR DEVOPS DEPLOYMENT PROCESSES: DEFENSES, RISKS, RESEARCH DIRECTIONSSECURITY FOR DEVOPS DEPLOYMENT PROCESSES: DEFENSES, RISKS, RESEARCH DIRECTIONS
SECURITY FOR DEVOPS DEPLOYMENT PROCESSES: DEFENSES, RISKS, RESEARCH DIRECTIONS
ijseajournal
 
Current Topics paper A4 submission 4.30.2015 Master Copy
Current Topics paper A4 submission 4.30.2015 Master CopyCurrent Topics paper A4 submission 4.30.2015 Master Copy
Current Topics paper A4 submission 4.30.2015 Master Copy
Tommie Walls
 
Owasp top 10 2013
Owasp top 10 2013Owasp top 10 2013
Owasp top 10 2013
Aryan G
 

Similar to Understanding & Addressing OWASP’s Newest Top Ten Threat: Using Components with Known Vulnerabilities (20)

Managing third party libraries
Managing third party librariesManaging third party libraries
Managing third party libraries
 
OWASP Secure Coding Practices - Quick Reference Guide
OWASP Secure Coding Practices - Quick Reference GuideOWASP Secure Coding Practices - Quick Reference Guide
OWASP Secure Coding Practices - Quick Reference Guide
 
vulnerable and outdated components.pptx
vulnerable and outdated components.pptxvulnerable and outdated components.pptx
vulnerable and outdated components.pptx
 
SECURITY FOR DEVOPS DEPLOYMENT PROCESSES: DEFENSES, RISKS, RESEARCH DIRECTIONS
SECURITY FOR DEVOPS DEPLOYMENT PROCESSES: DEFENSES, RISKS, RESEARCH DIRECTIONSSECURITY FOR DEVOPS DEPLOYMENT PROCESSES: DEFENSES, RISKS, RESEARCH DIRECTIONS
SECURITY FOR DEVOPS DEPLOYMENT PROCESSES: DEFENSES, RISKS, RESEARCH DIRECTIONS
 
OWASP Secure Coding Quick Reference Guide
OWASP Secure Coding Quick Reference GuideOWASP Secure Coding Quick Reference Guide
OWASP Secure Coding Quick Reference Guide
 
Owasp top 10_proactive_controls_v3
Owasp top 10_proactive_controls_v3Owasp top 10_proactive_controls_v3
Owasp top 10_proactive_controls_v3
 
7 measures to overcome cyber attacks of web application
7 measures to overcome cyber attacks of web application7 measures to overcome cyber attacks of web application
7 measures to overcome cyber attacks of web application
 
5 Challenges of Moving Applications to the Cloud
5 Challenges of Moving Applications to the Cloud5 Challenges of Moving Applications to the Cloud
5 Challenges of Moving Applications to the Cloud
 
Current Topics paper A4 submission 4.30.2015 Master Copy
Current Topics paper A4 submission 4.30.2015 Master CopyCurrent Topics paper A4 submission 4.30.2015 Master Copy
Current Topics paper A4 submission 4.30.2015 Master Copy
 
Open Source Libraries - Managing Risk in Cloud
Open Source Libraries - Managing Risk in Cloud Open Source Libraries - Managing Risk in Cloud
Open Source Libraries - Managing Risk in Cloud
 
DevOps Architecture
DevOps ArchitectureDevOps Architecture
DevOps Architecture
 
Owasp top 10 2013
Owasp top 10 2013Owasp top 10 2013
Owasp top 10 2013
 
Owasp top 10_-_2013
Owasp top 10_-_2013Owasp top 10_-_2013
Owasp top 10_-_2013
 
Owasp top 10 2013
Owasp top 10 2013Owasp top 10 2013
Owasp top 10 2013
 
Proposal Defense Presentation Template.pptx
Proposal Defense Presentation Template.pptxProposal Defense Presentation Template.pptx
Proposal Defense Presentation Template.pptx
 
Matteo Meucci Software Security in practice - Aiea torino - 30-10-2015
Matteo Meucci Software Security in practice - Aiea torino - 30-10-2015Matteo Meucci Software Security in practice - Aiea torino - 30-10-2015
Matteo Meucci Software Security in practice - Aiea torino - 30-10-2015
 
Secure SDLC in mobile software development.
Secure SDLC in mobile software development.Secure SDLC in mobile software development.
Secure SDLC in mobile software development.
 
6 Best Practices to Ensure Secure Web_Mobile Apps.pptx.pdf
6 Best Practices to Ensure Secure Web_Mobile Apps.pptx.pdf6 Best Practices to Ensure Secure Web_Mobile Apps.pptx.pdf
6 Best Practices to Ensure Secure Web_Mobile Apps.pptx.pdf
 
Cisco_eBook_ShiftLeftSecurity_2022_06_07a.pdf
Cisco_eBook_ShiftLeftSecurity_2022_06_07a.pdfCisco_eBook_ShiftLeftSecurity_2022_06_07a.pdf
Cisco_eBook_ShiftLeftSecurity_2022_06_07a.pdf
 
Dependency check
Dependency checkDependency check
Dependency check
 

More from Sonatype

Starting and Scaling DevOps In the Enterprise
Starting and Scaling DevOps In the EnterpriseStarting and Scaling DevOps In the Enterprise
Starting and Scaling DevOps In the Enterprise
Sonatype
 
DevOps Friendly Doc Publishing for APIs & Microservices
DevOps Friendly Doc Publishing for APIs & MicroservicesDevOps Friendly Doc Publishing for APIs & Microservices
DevOps Friendly Doc Publishing for APIs & Microservices
Sonatype
 
The Unrealized Role of Monitoring & Alerting w/ Jason Hand
The Unrealized Role of Monitoring & Alerting w/ Jason HandThe Unrealized Role of Monitoring & Alerting w/ Jason Hand
The Unrealized Role of Monitoring & Alerting w/ Jason Hand
Sonatype
 
DevOps and All the Continuouses w/ Helen Beal
DevOps and All the Continuouses w/ Helen BealDevOps and All the Continuouses w/ Helen Beal
DevOps and All the Continuouses w/ Helen Beal
Sonatype
 
A Small Association's Journey to DevOps w/ Edward Ruiz
A Small Association's Journey to DevOps w/ Edward RuizA Small Association's Journey to DevOps w/ Edward Ruiz
A Small Association's Journey to DevOps w/ Edward Ruiz
Sonatype
 
Automated Infrastructure Security: Monitoring using FOSS
Automated Infrastructure Security: Monitoring using FOSSAutomated Infrastructure Security: Monitoring using FOSS
Automated Infrastructure Security: Monitoring using FOSS
Sonatype
 
System Hardening Using Ansible
System Hardening Using AnsibleSystem Hardening Using Ansible
System Hardening Using Ansible
Sonatype
 
Getting out of the Job Jungle with Jenkins
Getting out of the Job Jungle with JenkinsGetting out of the Job Jungle with Jenkins
Getting out of the Job Jungle with Jenkins
Sonatype
 

More from Sonatype (20)

DevOps Days Columbus - Derek Weeks - 2019
DevOps Days Columbus - Derek Weeks - 2019DevOps Days Columbus - Derek Weeks - 2019
DevOps Days Columbus - Derek Weeks - 2019
 
2019 DevSecOps Reference Architectures
2019 DevSecOps Reference Architectures2019 DevSecOps Reference Architectures
2019 DevSecOps Reference Architectures
 
RSAC DevSecOpsDays 2018 - We are all Equifax
RSAC DevSecOpsDays 2018 - We are all EquifaxRSAC DevSecOpsDays 2018 - We are all Equifax
RSAC DevSecOpsDays 2018 - We are all Equifax
 
DevSecOps reference architectures 2018
DevSecOps reference architectures 2018DevSecOps reference architectures 2018
DevSecOps reference architectures 2018
 
30+ Nexus Integrations to Accelerate DevOps
30+ Nexus Integrations to Accelerate DevOps30+ Nexus Integrations to Accelerate DevOps
30+ Nexus Integrations to Accelerate DevOps
 
2017 DevSecOps Survey
2017 DevSecOps Survey2017 DevSecOps Survey
2017 DevSecOps Survey
 
Starting and Scaling DevOps In the Enterprise
Starting and Scaling DevOps In the EnterpriseStarting and Scaling DevOps In the Enterprise
Starting and Scaling DevOps In the Enterprise
 
DevOps Friendly Doc Publishing for APIs & Microservices
DevOps Friendly Doc Publishing for APIs & MicroservicesDevOps Friendly Doc Publishing for APIs & Microservices
DevOps Friendly Doc Publishing for APIs & Microservices
 
The Unrealized Role of Monitoring & Alerting w/ Jason Hand
The Unrealized Role of Monitoring & Alerting w/ Jason HandThe Unrealized Role of Monitoring & Alerting w/ Jason Hand
The Unrealized Role of Monitoring & Alerting w/ Jason Hand
 
DevOps and All the Continuouses w/ Helen Beal
DevOps and All the Continuouses w/ Helen BealDevOps and All the Continuouses w/ Helen Beal
DevOps and All the Continuouses w/ Helen Beal
 
Serverless and the Way Forward
Serverless and the Way ForwardServerless and the Way Forward
Serverless and the Way Forward
 
A Small Association's Journey to DevOps w/ Edward Ruiz
A Small Association's Journey to DevOps w/ Edward RuizA Small Association's Journey to DevOps w/ Edward Ruiz
A Small Association's Journey to DevOps w/ Edward Ruiz
 
What's My Security Policy Doing to My Help Desk w/ Chris Swan
What's My Security Policy Doing to My Help Desk w/ Chris SwanWhat's My Security Policy Doing to My Help Desk w/ Chris Swan
What's My Security Policy Doing to My Help Desk w/ Chris Swan
 
Characterizing and Contrasting Kuhn-tey-ner Awr-kuh-streyt-ors
Characterizing and Contrasting Kuhn-tey-ner Awr-kuh-streyt-orsCharacterizing and Contrasting Kuhn-tey-ner Awr-kuh-streyt-ors
Characterizing and Contrasting Kuhn-tey-ner Awr-kuh-streyt-ors
 
Static Analysis For Security and DevOps Happiness w/ Justin Collins
Static Analysis For Security and DevOps Happiness w/ Justin CollinsStatic Analysis For Security and DevOps Happiness w/ Justin Collins
Static Analysis For Security and DevOps Happiness w/ Justin Collins
 
Automated Infrastructure Security: Monitoring using FOSS
Automated Infrastructure Security: Monitoring using FOSSAutomated Infrastructure Security: Monitoring using FOSS
Automated Infrastructure Security: Monitoring using FOSS
 
System Hardening Using Ansible
System Hardening Using AnsibleSystem Hardening Using Ansible
System Hardening Using Ansible
 
There is No Server: Immutable Infrastructure and Serverless Architecture
There is No Server: Immutable Infrastructure and Serverless ArchitectureThere is No Server: Immutable Infrastructure and Serverless Architecture
There is No Server: Immutable Infrastructure and Serverless Architecture
 
Getting out of the Job Jungle with Jenkins
Getting out of the Job Jungle with JenkinsGetting out of the Job Jungle with Jenkins
Getting out of the Job Jungle with Jenkins
 
Modern Infrastructure Automation
Modern Infrastructure AutomationModern Infrastructure Automation
Modern Infrastructure Automation
 

Recently uploaded

Introducing Microsoft’s new Enterprise Work Management (EWM) Solution
Introducing Microsoft’s new Enterprise Work Management (EWM) SolutionIntroducing Microsoft’s new Enterprise Work Management (EWM) Solution
Introducing Microsoft’s new Enterprise Work Management (EWM) Solution
OnePlan Solutions
 
AI Mastery 201: Elevating Your Workflow with Advanced LLM Techniques
AI Mastery 201: Elevating Your Workflow with Advanced LLM TechniquesAI Mastery 201: Elevating Your Workflow with Advanced LLM Techniques
AI Mastery 201: Elevating Your Workflow with Advanced LLM Techniques
VictorSzoltysek
 
Unveiling the Tech Salsa of LAMs with Janus in Real-Time Applications
Unveiling the Tech Salsa of LAMs with Janus in Real-Time ApplicationsUnveiling the Tech Salsa of LAMs with Janus in Real-Time Applications
Unveiling the Tech Salsa of LAMs with Janus in Real-Time Applications
Alberto González Trastoy
 
Chinsurah Escorts ☎️8617697112 Starting From 5K to 15K High Profile Escorts ...
Chinsurah Escorts ☎️8617697112 Starting From 5K to 15K High Profile Escorts ...Chinsurah Escorts ☎️8617697112 Starting From 5K to 15K High Profile Escorts ...
Chinsurah Escorts ☎️8617697112 Starting From 5K to 15K High Profile Escorts ...
Nitya salvi
 

Recently uploaded (20)

Introducing Microsoft’s new Enterprise Work Management (EWM) Solution
Introducing Microsoft’s new Enterprise Work Management (EWM) SolutionIntroducing Microsoft’s new Enterprise Work Management (EWM) Solution
Introducing Microsoft’s new Enterprise Work Management (EWM) Solution
 
A Secure and Reliable Document Management System is Essential.docx
A Secure and Reliable Document Management System is Essential.docxA Secure and Reliable Document Management System is Essential.docx
A Secure and Reliable Document Management System is Essential.docx
 
%in ivory park+277-882-255-28 abortion pills for sale in ivory park
%in ivory park+277-882-255-28 abortion pills for sale in ivory park %in ivory park+277-882-255-28 abortion pills for sale in ivory park
%in ivory park+277-882-255-28 abortion pills for sale in ivory park
 
%in Midrand+277-882-255-28 abortion pills for sale in midrand
%in Midrand+277-882-255-28 abortion pills for sale in midrand%in Midrand+277-882-255-28 abortion pills for sale in midrand
%in Midrand+277-882-255-28 abortion pills for sale in midrand
 
AI Mastery 201: Elevating Your Workflow with Advanced LLM Techniques
AI Mastery 201: Elevating Your Workflow with Advanced LLM TechniquesAI Mastery 201: Elevating Your Workflow with Advanced LLM Techniques
AI Mastery 201: Elevating Your Workflow with Advanced LLM Techniques
 
%in Stilfontein+277-882-255-28 abortion pills for sale in Stilfontein
%in Stilfontein+277-882-255-28 abortion pills for sale in Stilfontein%in Stilfontein+277-882-255-28 abortion pills for sale in Stilfontein
%in Stilfontein+277-882-255-28 abortion pills for sale in Stilfontein
 
Unveiling the Tech Salsa of LAMs with Janus in Real-Time Applications
Unveiling the Tech Salsa of LAMs with Janus in Real-Time ApplicationsUnveiling the Tech Salsa of LAMs with Janus in Real-Time Applications
Unveiling the Tech Salsa of LAMs with Janus in Real-Time Applications
 
%in kempton park+277-882-255-28 abortion pills for sale in kempton park
%in kempton park+277-882-255-28 abortion pills for sale in kempton park %in kempton park+277-882-255-28 abortion pills for sale in kempton park
%in kempton park+277-882-255-28 abortion pills for sale in kempton park
 
MarTech Trend 2024 Book : Marketing Technology Trends (2024 Edition) How Data...
MarTech Trend 2024 Book : Marketing Technology Trends (2024 Edition) How Data...MarTech Trend 2024 Book : Marketing Technology Trends (2024 Edition) How Data...
MarTech Trend 2024 Book : Marketing Technology Trends (2024 Edition) How Data...
 
Exploring the Best Video Editing App.pdf
Exploring the Best Video Editing App.pdfExploring the Best Video Editing App.pdf
Exploring the Best Video Editing App.pdf
 
Chinsurah Escorts ☎️8617697112 Starting From 5K to 15K High Profile Escorts ...
Chinsurah Escorts ☎️8617697112 Starting From 5K to 15K High Profile Escorts ...Chinsurah Escorts ☎️8617697112 Starting From 5K to 15K High Profile Escorts ...
Chinsurah Escorts ☎️8617697112 Starting From 5K to 15K High Profile Escorts ...
 
The Guide to Integrating Generative AI into Unified Continuous Testing Platfo...
The Guide to Integrating Generative AI into Unified Continuous Testing Platfo...The Guide to Integrating Generative AI into Unified Continuous Testing Platfo...
The Guide to Integrating Generative AI into Unified Continuous Testing Platfo...
 
%in Bahrain+277-882-255-28 abortion pills for sale in Bahrain
%in Bahrain+277-882-255-28 abortion pills for sale in Bahrain%in Bahrain+277-882-255-28 abortion pills for sale in Bahrain
%in Bahrain+277-882-255-28 abortion pills for sale in Bahrain
 
Crypto Cloud Review - How To Earn Up To $500 Per DAY Of Bitcoin 100% On AutoP...
Crypto Cloud Review - How To Earn Up To $500 Per DAY Of Bitcoin 100% On AutoP...Crypto Cloud Review - How To Earn Up To $500 Per DAY Of Bitcoin 100% On AutoP...
Crypto Cloud Review - How To Earn Up To $500 Per DAY Of Bitcoin 100% On AutoP...
 
Software Quality Assurance Interview Questions
Software Quality Assurance Interview QuestionsSoftware Quality Assurance Interview Questions
Software Quality Assurance Interview Questions
 
%in kaalfontein+277-882-255-28 abortion pills for sale in kaalfontein
%in kaalfontein+277-882-255-28 abortion pills for sale in kaalfontein%in kaalfontein+277-882-255-28 abortion pills for sale in kaalfontein
%in kaalfontein+277-882-255-28 abortion pills for sale in kaalfontein
 
How To Troubleshoot Collaboration Apps for the Modern Connected Worker
How To Troubleshoot Collaboration Apps for the Modern Connected WorkerHow To Troubleshoot Collaboration Apps for the Modern Connected Worker
How To Troubleshoot Collaboration Apps for the Modern Connected Worker
 
ManageIQ - Sprint 236 Review - Slide Deck
ManageIQ - Sprint 236 Review - Slide DeckManageIQ - Sprint 236 Review - Slide Deck
ManageIQ - Sprint 236 Review - Slide Deck
 
HR Software Buyers Guide in 2024 - HRSoftware.com
HR Software Buyers Guide in 2024 - HRSoftware.comHR Software Buyers Guide in 2024 - HRSoftware.com
HR Software Buyers Guide in 2024 - HRSoftware.com
 
Azure_Native_Qumulo_High_Performance_Compute_Benchmarks.pdf
Azure_Native_Qumulo_High_Performance_Compute_Benchmarks.pdfAzure_Native_Qumulo_High_Performance_Compute_Benchmarks.pdf
Azure_Native_Qumulo_High_Performance_Compute_Benchmarks.pdf
 

Understanding & Addressing OWASP’s Newest Top Ten Threat: Using Components with Known Vulnerabilities

  • 1. WHITEPAPER Understanding & Addressing OWASP’s Newest Top Ten Threat: USING COMPONENTS WITH KNOWN VULNERABILITIES
  • 2. Why has managing and securing components become a priority? Simply put, components have become a rich attack vector because of their pervasive reuse. Reuse that makes it easy for hackers to propagate their attack across multiple applications and multiple organizations. Page 2 Understanding & Addressing OWASP’s Newest Top Ten Threat: Using Components with Known Vulnerabilities OVERVIEW Many organizations turn to the Open Web Application Security Project (OWASP) to help en- sure that their code and applications are secure. Recently OWASP’s Top Ten list of application security risks was updated to include“A9: Using components with known vulnerabilities.” The full description from OWASP states“Components, such as libraries, frameworks, and other software mod- ules, almost always run with full privileges. If a vulnerable component is exploited, such an attack can facilitate serious data loss or server takeover. Applications using components with known vulnerabilities may under- mine application defenses and enable a range of possible attacks and impacts.” This means organizations need to expand their security approach to accommodate components – which are re-usable blocks of code that are assem- bled together to create an application. Components can be created and re-used within an organization’s development team – but most often they are down- loaded from public repositories such as the Central Repository. These re-usable components now com- prise approximately 90% of an average application thus exposing organizations to potential security, license and quality risks. Why has managing and securing components become a priority? Simply put, components have become a rich attack vector because of their perva- sive reuse. Reuse that makes it easy for hackers to propagate their attack across multiple applications and multiple organizations. This component chal- lenge is exacerbated by the fact that the applica- tion is the threat vector of choice – and hackers can increase their exploit rate by going after vulnerable components. Instead of identifying an exploit in individual applications (which can’t be reused for exploits against other applications), once a compo- nent vulnerability is discovered, a hacker can blast that exploit across the web looking for other appli- cations that use that same component.
  • 3. Page 3 Understanding & Addressing OWASP’s Newest Top Ten Threat: Using Components with Known Vulnerabilities CHALLENGE Existing approaches are not designed for how applications are constructed today. For example: • Most existing application security tools are designed for source code, not open source components. Components are binaries so attempts to scan them using traditional applica- tion security tools often yield false positives which drag down development velocity. • Managing components in a development environment is gen- erally a manual, cumbersome effort. Attempts to govern usage often fail to keep up with the variety, complexity and release cadence of components used in an agile environment. • Even though applications have become a primary threat vec- tor, organizations generally focus more budget and energy on network and perimeter defenses. Process and communication need to be re-engineered to ensure trusted applications. Ideas include: • Ensuring developers are educated with respect to security, and that they place a high priority on delivering secure applications. • Ensuring the security team works effectively with the develop- ment team and other constituents on timely collaboration and communication. • Ensuring the integrity of the components that are downloaded (that they have not been compromised – they are what you think they are, they came from who you think they came from). Component usage introduces the need for new development requirements, such as: • Standardizing usage of components based on acceptable security, license and quality risks. However, without the proper tools and processes this is difficult to enforce. OWASP Top Ten, updated 2013 A1-Injection A2-Broken Authentication and Session Management A3-Cross-Site Scripting (XSS) A4-Insecure Direct Object References A5-Security Misconfiguration A6-Sensitive Data Exposure A7-Missing Function Level Access Control A8-Cross-Site Request Forgery (CSRF) A9-Using Components with Known Vulnerabilities A10-Unvalidated Redirects and Forwards
  • 4. Page 4 Understanding & Addressing OWASP’s Newest Top Ten Threat: Using Components with Known Vulnerabilities • Understanding which components have been used - and where - so that risk can be assessed and remediation efforts are possible. • Updating components as new versions are released and mak- ing those revisions in live production applications. • Monitoring risk to determine which components have vulner- abilities. However, this is generally a manual and time-consum- ing effort since public sources do not provide intelligence in a standard, searchable way and it is often hard to find informa- tion for a specific version number. Continuous monitoring is needed to assure long-term trust. For example: • Hackers are not complacent. Today’s trusted component may be tomorrow’s vulnerability. • Newer component versions not only improve security, but generally also improve overall quality and functionality. OWASP is the tip of the iceberg – it is referenced by other standards, some of which require actual certification. Therefore: • Meeting OWASP guidelines is not only a best practice, but also may be mandatory if your organization is governed by PCI, SANS, BSIMM, NIST and others who rely on OWASP guidelines to be met as part of their certification.
  • 5. Page 5 Understanding & Addressing OWASP’s Newest Top Ten Threat: Using Components with Known Vulnerabilities SOLUTION Sonatype specializes in open source governance, management and compliance and, therefore, is ideally suited to guide organiza- tions through the new A9 guideline. Nexus Lifecycle (formerly Component Lifecycle Management - CLM) is the first solution to deliver component information, con- trols, and remediation options directly into the tools that develop- ers use every day. By uniquely identifying components, making it easy to fix flaws early, and enforcing policy at every phase of the software development lifecycle, Nexus Lifecycle eliminates security and other risks in open source software. It’s is the first practical way to automate governance of open- source component usage throughout the software lifecycle and eradicate flawed components from production applications. Nexus Lifecycle addresses each of the OWASP A9 recommenda- tions for avoiding the use of insecure components head-on. These include: 1. Identify the components and their versions you are using, including all dependencies. (e.g., the versions plugin). 2. Monitor the security of these components in public databas- es, project mailing lists, and security mailing lists, and keep them up-to-date. 3. Establish security policies governing component use, such as requiring certain software development practices, passing security tests, and meeting license guidelines. Nexus Lifecycle goes beyond these recommendations and is designed for software supply chain automation. Nexus Lifecycle integrates security, licensing and quality information about the components directly in the tools that developers use (repository manager, IDE, build/CI environment), provides early and quick remediation capabilities, and continuously monitors your pro- duction applications. OWASP New Top 10 List Includes Secure Component Requirement “OWASP is an open community dedicated to enabling organizations to conceive, develop, acquire, operate, and maintain applications that can be trusted… We advocate approaching application security as a people, pro- cess, and technology problem because the most effective approaches to appli- cation security include improvements in all of these areas.” OWASP has recognized the critical role that components play in today’s applications. OWASP updated their Top 10 list to include A9, which states that applications should avoid using components with known vulnerabili- ties. The standard includes these best practices: • Identify the components and the versions you are using, including all dependencies. • Monitor the security of these components in public databases, project mailing lists, and security mailing lists, and keep them up- to-date. • Establish security policies govern- ing component use, such as re- quiring certain software develop- ment practices, passing security tests, and acceptable license.
  • 6. Page 6 Understanding & Addressing OWASP’s Newest Top Ten Threat: Using Components with Known Vulnerabilities Although Nexus Lifecycle is closely identified with A9, it provides the ability to support the entirety of the OWASP Top 10 as it relates to the components that are being used to construct applications. Nexus Lifecycle does this since the vulnerabilities that are discov- ered for the components include those documented in the Top 10. For example, Injection, Cross-Site Scripting (SXX), Insecure Refer- ences, etc., that are discovered in the components are identified and managed by the solution. WHY SONATYPE? Nexus Lifecycle is uniquely designed to support component-based, agile development and software supply chain automation. • Instead of automating the approval workflow, Nexus Lifecycle automates the actual policies so that organizations can keep pace with the volume, variety, complexity and release cadence of components. • Nexus Lifecycle uses automation to guide and enforce action in the tools that developers use today, freeing up humans to focus on building policies and managing exceptions. Nexus Lifecycle is effective throughout the entire software lifecycle. • Nexus Lifecycle is naturally integrated in the tools that de- velopers use to build applications – out of the box, we don’t just give you an API and an SDK and tell you to build your own integration. • Nexus Lifecycle produces results that are available instanta- neously – developers have the information they need to select the best component from the start, and information necessary to assess their builds or continuous integration efforts. The information is available without the delay associated with tools that are dependent on intensive and time-consuming scans. According to Jeff Williams, founding member of OWASP and CEO of Aspect Security. “The performance, time and cost advantages of agile, open-source de- velopment comes at a price - you have to ensure the components you use are up-to-date and secure. . . . Unfortunately, it’s not trivial to figure out what components you applica- tions are using, and even harder to figure out which vulnerabilities apply to those components. . . . The new OWASP Top Ten has detailed recommendations for locking down your software supply chain, and Sonatype’s tools make them much easier.”
  • 7. Page 7 Understanding & Addressing OWASP’s Newest Top Ten Threat: Using Components with Known Vulnerabilities Nexus Lifecycle provides guidance that prevents problems and remediates flaws that are discovered. • Nexus Lifecycle aggregates and augments vulnerability data by leveraging multiple sources and doing additional research that pinpoints the vulnerability to specific version numbers. This information is then presented using an intuitive, graphical display directly in the tools that are used to develop, build and release the applications. • Nexus Lifecycle doesn’t stop with problem identification. It prevents and remediates flawed components. Problems are prevented from the start by providing information in the IDE to empower developers to pick the best components from the start. And if policy violations are found, Nexus Lifecycle provides the information necessary to pick the best replace- ment version and to migrate to that version with a single click directly in the IDE. Continuous trust for production applications • Nexus Lifecycle extends support to applications that are in production. Nexus Lifecycle monitors the application inven- tory non-invasively and notifies the appropriate individuals if a new security vulnerability has been detected. It provides information to help triage the flaw, remediation support, and the ability to help manage the release process to get the new application version deployed as quickly as possible. • Nexus Lifecycle provides a complete view of enterprise risk for component-based applications by providing dashboards that include summary and detailed views. Organizations can assess their overall risk exposure and stay abreast of new vulnerabilities. Sonatype provides information to help triage the flaw, provides remediation support, and provides the ability to help manage the release process to get the new application version deployed as quickly as possible.
  • 8. Page 8 ADDITIONAL INFORMATION OWASP Press Release - http://www.sonatype.com/news/software- component-vulnerability-cited-as-latest-application-security- threat-in-owasp-top-ten-list-sonatype-first-to-provide- comprehensive-solution#.Umkui2RAQ_A Press Release - http://www.sonatype.com/news/sonatype-ushers- in-new-era-of-application-security-aimed-at-eliminating-risk-in- the-modern-software-supply-chain#.UmkuuGRAQ_A Sonatype’s OWASP A9 Blog Post - http://blog.sonatype.com/ people/2013/06/a9_nexusclm/#.Um_ThezD99M OWASP Website - https://www.owasp.org/index.php/ Top_10_2013-A9-Using_Components_with_Known_ Vulnerabilities Sonatype Inc. • 8161 Maple Lawn Drive, Suite 250 • Fulton, MD 20759 • 1.877.866.2836 • www.sonatype.com 2015. Sonatype Inc. All Rights Reserved. Sonatype helps organizations build better software, even faster. Like a traditional supply chain, software applications are built by assembling open source and third party components streaming in from a wide variety of public and internal sources. While re-use is far faster than custom code, the flow of components into and through an organization remains complex and inefficient. Sonatype’s Nexus platform applies proven supply chain principles to increase speed, efficiency and quality by optimizing the component supply chain. Sonatype has been on the forefront of creating tools to to improve developer efficiency and quality since the inception of the Central Repository and Apache Maven in 2001, and the company continues to serve as the steward of the Central Repository serving 17.2 Billion component download requests in 2014 alone. Sonatype is privately held with investments from New Enterprise Associates (NEA), Accel Partners, Bay Partners, Hummer Winblad Venture Partners and Morgenthaler Ventures. Visit: www.sonatype.com