© 2014 Imperva, Inc. All rights reserved.
Hacking Encounters of the 3rd Kind
Looking Into the Security Impact of 3rd Party Software
Confidential1
Barry Shteiman, Director of Security Strategy, Imperva
Agenda
• Introduction
• What is 3rd party software
• Latest examples
• Hacking of a known component
• Addressing the problem
• Wrap up
Barry Shteiman, Director of Security Strategy
• Security Researcher working with the CTO office
• Author of several application security tools, including HULK
• Open source security projects code contributor
• Twitter @bshteiman
What Is 3rd Party Software
3rd Party Software Defined
A third-party software component is a reusable software component developed to be either freely distributed or sold by an entity other than the original vendor of the development platform.
Source: Wikipedia, http://en.wikipedia.org/wiki/Third-party_software_component
Identified by Type
• Software created by a 3rd party supplier
• Software components created by a 3rd party
• Infrastructure/Software as a service
Adoption
According to Veracode:
• “Up to 70% of internally developed code originates outside of the development team”
• 28% of assessed applications are identified as created by a 3rd party
Application by supplier type (chart recovered from the slide):
Internally Developed: 72%
Commercial: 18%
Open Source: 9%
Outsourced: 1%
Pros vs. Cons
Pros:
• Reduced development time and cost
• Smaller R&D team is required
• Mature solution used by many
Cons:
• Delayed/No SLA on patches
• SDLC gap
• Patches may introduce new bugs
OWASP Top 10, “Using Known Vulnerable Components”
Components, such as libraries, frameworks, and other software modules, almost always run with full privileges. If a vulnerable component is exploited, such an attack can facilitate serious data loss or server takeover. Applications using components with known vulnerabilities may undermine application defenses and enable a range of possible attacks and impacts.
Source: OWASP Top 10 2013 Whitepaper
What’s Vulnerable?
Aspect Security study: “A recent study by Aspect Security of over 113 million library downloads by developers in 60,000 organizations, showed that 26 percent of those downloads contain known vulnerabilities.”
Source: Aspect Security’s study “Understanding Security Risks in OSS Components”
Landscape Impact
Secunia: 1,208 vulnerabilities in the 50 most popular programs - 76% from third-party programs
Source: Secunia Vulnerability Review 2014, http://secunia.com/company/news/1208-vulnerabilities-in-the-50-most-popular-programs---76-from-third-party-programs-389
Into the Wild
Looking Into Recent Incidents
A Social Experiment
Source: Topsy social analytics
Ever Seen a Bleeding Server?
Heartbleed (CVE-2014-0160)
• A bug in OpenSSL, allowing data leakage directly from server memory
• OpenSSL is used for web servers, network appliances, and client software packages
• OpenSSL runs on 66% of SSL-protected websites
Sources:
- Netcraft - http://news.netcraft.com/archives/2014/04/02/april-2014-web-server-survey.html
- Heartbleed.com
But I Can Patch It! Can’t I?
ChangeCipherSpec (CVE-2014-0224)
3rd Party Code Driven Incidents
WordPress plugin vulnerabilities… a petri dish.
Source: ZDNet - http://www.zdnet.com/wordpress-plugin-vulns-affect-over-20-million-downloads-7000031703/
From Our Own Threat Advisories
Show Me More
Hacking of a Known Component
Zero-Days vs. Known Vulnerabilities
• Zero-days get all the glory
  • Technically interesting
  • Give rise to some interesting theoretical questions: how to defend the “unknown unknowns?”
• But known vulnerabilities are doing a lot of the damage
  • Provide hackers with a very cost-effective method to exploit applications
http://faildesk.net/wp-content/uploads/2012/02/movie-hacking-vs.-real-hacking.gif
Hacking a Known Component
Apache Tomcat, running the Apache Struts2 library. The target server is running a couple of applications that use the Struts library.
Hacking a Known Component
Struts2 showcase application, running with the Struts2 library.
Hacking a Known Component
Let’s find ourselves a nice exploit for Struts.
Apache has many extension libraries; Struts is among the most popular.
Source: www.exploit-db.com
Let’s Attack Apache Struts
CVE of the day: CVE-2013-2251. Now we need an exploit!
Remote Code Execution
Screenshot callouts, in order: “Attempting Remote Code Injection”, then “Injection Complete”, then “Hacker now owns the server. PWN3D!”
Botnets Are Targeting Known Components
Recently observed:
• Botnets scan public servers for vulnerabilities
• Inject hijack/drive-by code into vulnerable systems
• Onboard hijacked systems into the botnet
From a Botnet Communication
Botnet operator uses zombies to scan sites for vulnerabilities.
* As observed by Imperva’s ADC Research Team
From a Botnet Communication
Botnet exploits vulnerabilities and absorbs victim servers.
* As observed by Imperva’s ADC Research Team
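The scanning phase the botnet slides describe leaves a recognisable footprint in an ordinary web server access log: one client requesting many different paths in a short burst and getting mostly 4xx answers, which is not how a person browses. The script below is an added illustration of detecting that pattern; it is not code from the deck or from Imperva's ADC research, and the log format, thresholds and log lines are all constructed for the example.

```python
"""Scanner-burst detection over web server access logs.

Added example, not code from the deck or from Imperva's ADC research. It
flags clients that, inside a short window, request many distinct paths and
get mostly 4xx answers: the footprint of the automated "scan sites for
vulnerabilities" phase described on the botnet slides, as opposed to a
person browsing. Thresholds and the sample log lines are constructed."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Apache/nginx "combined" access-log format
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"[^"]*" "(?P<ua>[^"]*)"$'
)


def parse_line(line):
    """Parse one combined-format line; return None for lines that do not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    rec["status"] = int(rec["status"])
    return rec


def detect_scanners(lines, window_seconds=60, min_distinct_paths=5,
                    min_error_ratio=0.8):
    """Return {client_ip: (distinct_paths, error_ratio)} for every client that,
    within some span no longer than window_seconds, requested at least
    min_distinct_paths different paths with at least min_error_ratio of those
    requests answered 4xx. The first qualifying span per client is reported."""
    window = timedelta(seconds=window_seconds)
    by_ip = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec is not None:
            by_ip[rec["ip"]].append(rec)

    flagged = {}
    for ip, recs in by_ip.items():
        recs.sort(key=lambda r: r["ts"])
        start = 0
        for end in range(len(recs)):
            # Slide the window start forward until the span fits in the window
            while recs[end]["ts"] - recs[start]["ts"] > window:
                start += 1
            span = recs[start:end + 1]
            paths = {r["path"] for r in span}
            errors = sum(1 for r in span if 400 <= r["status"] < 500)
            ratio = errors / len(span)
            if len(paths) >= min_distinct_paths and ratio >= min_error_ratio:
                flagged[ip] = (len(paths), round(ratio, 2))
                break
    return flagged


# Constructed sample (documentation IP ranges, made-up paths): one client
# probing six paths in 25 seconds, one ordinary visitor, one client probing
# slowly (one request every three minutes), and one unparseable line.
SAMPLE_LOG = [
    '203.0.113.7 - - [10/Jun/2014:10:00:00 +0000] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [10/Jun/2014:10:00:05 +0000] "GET /admin/ HTTP/1.1" 404 162 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [10/Jun/2014:10:00:10 +0000] "GET /backup/ HTTP/1.1" 404 162 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [10/Jun/2014:10:00:15 +0000] "GET /struts2-showcase/ HTTP/1.1" 404 162 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [10/Jun/2014:10:00:20 +0000] "GET /console/ HTTP/1.1" 404 162 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [10/Jun/2014:10:00:25 +0000] "GET /setup/ HTTP/1.1" 404 162 "-" "Mozilla/5.0"',
    '198.51.100.20 - - [10/Jun/2014:10:00:03 +0000] "GET / HTTP/1.1" 200 4096 "-" "Mozilla/5.0"',
    '198.51.100.20 - - [10/Jun/2014:10:00:04 +0000] "GET /css/site.css HTTP/1.1" 200 900 "-" "Mozilla/5.0"',
    '198.51.100.20 - - [10/Jun/2014:10:00:40 +0000] "GET /about HTTP/1.1" 200 2048 "-" "Mozilla/5.0"',
    '198.51.100.20 - - [10/Jun/2014:10:01:30 +0000] "GET /contact HTTP/1.1" 200 2048 "-" "Mozilla/5.0"',
    '192.0.2.9 - - [10/Jun/2014:10:00:00 +0000] "GET /admin/ HTTP/1.1" 404 162 "-" "curl/7.30"',
    '192.0.2.9 - - [10/Jun/2014:10:03:00 +0000] "GET /backup/ HTTP/1.1" 404 162 "-" "curl/7.30"',
    '192.0.2.9 - - [10/Jun/2014:10:06:00 +0000] "GET /old/ HTTP/1.1" 404 162 "-" "curl/7.30"',
    '192.0.2.9 - - [10/Jun/2014:10:09:00 +0000] "GET /console/ HTTP/1.1" 404 162 "-" "curl/7.30"',
    '192.0.2.9 - - [10/Jun/2014:10:12:00 +0000] "GET /setup/ HTTP/1.1" 404 162 "-" "curl/7.30"',
    'this line is not in combined log format',
]

if __name__ == "__main__":
    for ip, (paths, ratio) in detect_scanners(SAMPLE_LOG).items():
        print(f"{ip}: {paths} distinct paths, {ratio:.0%} 4xx within 60s")
```

With the default 60-second window only the fast prober is reported; the slow one is only caught when the window is widened, which is the usual trade-off with this kind of rule: a longer window catches low-and-slow scanning at the cost of more false positives from ordinary users hitting stale links.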
Addressing the Problem
Explore the Options
1. Don’t use 3rd party components?
2. Use 3rd party components, responsibly
   • Identify 3rd party components; track versions and dependencies
   • Monitor the security state of components
   • Continuously pentest the application that includes third party components
   • Create an acceptance process for new components which includes security validation
   • Disable unused functionality
   • Introduce compensating controls, such as Web Application Firewalls, to reduce risk
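The first two items of the "responsibly" list, identify the components and monitor their security state, come down to matching an inventory of (component, version) pairs against advisories that give an affected range and a fixed release. The script below is an added illustration of that check, not code from the deck or from an Imperva product. Its advisory list is hand-written for the example, with entries modelled on the public advisories for the CVEs this deck cites (OpenSSL 1.0.1 branch only); a real check pulls a maintained feed such as NVD or OSV. Including both OpenSSL CVEs also shows the point of the "But I Can Patch It!" slide: a build patched to 1.0.1g for Heartbleed still shows up for the ChangeCipherSpec bug.

```python
"""Known-vulnerable component check against a simple inventory.

Added example, not code from the deck or an Imperva tool. Each
(component, version) pair in an inventory is matched against advisory
entries that give an inclusive affected version range and the fixed release.
The advisory list is hand-written for illustration; a real check pulls a
maintained feed (NVD, OSV, vendor advisories)."""
import re
from dataclasses import dataclass

_PART = re.compile(r"^(\d*)([A-Za-z]*)$")


def version_key(version):
    """Turn '2.3.15.1' or '1.0.1f' into a tuple that orders like releases do:
    each dot-separated part becomes (number, letter suffix), so
    1.0.1 < 1.0.1f < 1.0.1g and 2.3.15 < 2.3.15.1. Anything else (such as a
    '-SNAPSHOT' qualifier) is rejected rather than silently misordered."""
    key = []
    for part in version.split("."):
        m = _PART.match(part)
        if part == "" or not m:
            raise ValueError(f"cannot order version {version!r}")
        num, suffix = m.groups()
        key.append((int(num) if num else 0, suffix.lower()))
    return tuple(key)


@dataclass(frozen=True)
class Advisory:
    component: str
    cve: str
    first_affected: str  # inclusive
    last_affected: str   # inclusive
    fixed_in: str


# Illustrative entries modelled on the public advisories for the CVEs the
# deck cites (OpenSSL 1.0.1 branch only); replace with a maintained feed.
ADVISORIES = [
    # Heartbleed: 1.0.1 up to and including 1.0.1f, fixed in 1.0.1g
    Advisory("openssl", "CVE-2014-0160", "1.0.1", "1.0.1f", "1.0.1g"),
    # ChangeCipherSpec: 1.0.1 up to and including 1.0.1g (the Heartbleed fix
    # release is still affected), fixed in 1.0.1h
    Advisory("openssl", "CVE-2014-0224", "1.0.1", "1.0.1g", "1.0.1h"),
    # Struts 2 (S2-016): 2.0.0 through 2.3.15, fixed in 2.3.15.1
    Advisory("struts2-core", "CVE-2013-2251", "2.0.0", "2.3.15", "2.3.15.1"),
]


def is_affected(version, advisory):
    """True when version lies inside the advisory's inclusive affected range."""
    v = version_key(version)
    return (version_key(advisory.first_affected) <= v
            <= version_key(advisory.last_affected))


def find_known_vulnerable(inventory, advisories=ADVISORIES):
    """inventory: iterable of (component, version) pairs, as extracted from jar
    manifests, pom.xml or package metadata. Returns a sorted list of
    (component, version, cve, fixed_in) tuples, one per match."""
    findings = []
    for component, version in inventory:
        for adv in advisories:
            if adv.component == component.lower() and is_affected(version, adv):
                findings.append((component, version, adv.cve, adv.fixed_in))
    return sorted(findings)


# Constructed inventory modelled on the deck's lab setup (Tomcat hosting
# Struts2 applications) plus an OpenSSL build at two patch levels.
SAMPLE_INVENTORY = [
    ("struts2-core", "2.3.15"),
    ("struts2-core", "2.3.16"),
    ("openssl", "1.0.1e"),
    ("openssl", "1.0.1g"),
    ("commons-fileupload", "1.3"),
]

if __name__ == "__main__":
    for component, version, cve, fixed_in in find_known_vulnerable(SAMPLE_INVENTORY):
        print(f"{component} {version}: {cve}, upgrade to {fixed_in}")
```

The version comparison is the part that tends to go wrong in home-grown checks: plain string comparison puts "1.0.1g" after "1.0.1" correctly but ranks "2.3.15" after "2.3.15.1" when the strings differ in length, so the key function normalises each dot-separated part into a (number, suffix) pair before comparing. Running this check on every build, and again whenever the advisory feed changes, is what turns "track versions" into "monitor security state".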
Recommendations
When a company builds its security model it usually does not take into account elements that are not under its control, which creates the security hole.
Companies should:
• Implement policies on both the legal and technical aspects to control data access and data usage
• Have processes and controls in place to effectively manage and secure code involving 3rd party components
• Continuously monitor
Wrap Up
Webinar Materials
• Post-webinar discussions
• Answers to attendee questions
• Webinar recording link
• Join Group: Join Imperva LinkedIn Group, Imperva Data Security Direct, for…
Questions?
www.imperva.com
Thank You
 
SaaStr Workshop Wednesday w: Jason Lemkin, SaaStr
SaaStr Workshop Wednesday w: Jason Lemkin, SaaStrSaaStr Workshop Wednesday w: Jason Lemkin, SaaStr
SaaStr Workshop Wednesday w: Jason Lemkin, SaaStr
 
Presentation on Engagement in Book Clubs
Presentation on Engagement in Book ClubsPresentation on Engagement in Book Clubs
Presentation on Engagement in Book Clubs
 
Russian Call Girls in Kolkata Vaishnavi 🤌 8250192130 🚀 Vip Call Girls Kolkata
Russian Call Girls in Kolkata Vaishnavi 🤌  8250192130 🚀 Vip Call Girls KolkataRussian Call Girls in Kolkata Vaishnavi 🤌  8250192130 🚀 Vip Call Girls Kolkata
Russian Call Girls in Kolkata Vaishnavi 🤌 8250192130 🚀 Vip Call Girls Kolkata
 
Thirunelveli call girls Tamil escorts 7877702510
Thirunelveli call girls Tamil escorts 7877702510Thirunelveli call girls Tamil escorts 7877702510
Thirunelveli call girls Tamil escorts 7877702510
 
Call Girl Number in Khar Mumbai📲 9892124323 💞 Full Night Enjoy
Call Girl Number in Khar Mumbai📲 9892124323 💞 Full Night EnjoyCall Girl Number in Khar Mumbai📲 9892124323 💞 Full Night Enjoy
Call Girl Number in Khar Mumbai📲 9892124323 💞 Full Night Enjoy
 
WhatsApp 📞 9892124323 ✅Call Girls In Juhu ( Mumbai )
WhatsApp 📞 9892124323 ✅Call Girls In Juhu ( Mumbai )WhatsApp 📞 9892124323 ✅Call Girls In Juhu ( Mumbai )
WhatsApp 📞 9892124323 ✅Call Girls In Juhu ( Mumbai )
 
Mathematics of Finance Presentation.pptx
Mathematics of Finance Presentation.pptxMathematics of Finance Presentation.pptx
Mathematics of Finance Presentation.pptx
 
Introduction to Prompt Engineering (Focusing on ChatGPT)
Introduction to Prompt Engineering (Focusing on ChatGPT)Introduction to Prompt Engineering (Focusing on ChatGPT)
Introduction to Prompt Engineering (Focusing on ChatGPT)
 
Microsoft Copilot AI for Everyone - created by AI
Microsoft Copilot AI for Everyone - created by AIMicrosoft Copilot AI for Everyone - created by AI
Microsoft Copilot AI for Everyone - created by AI
 
CTAC 2024 Valencia - Sven Zoelle - Most Crucial Invest to Digitalisation_slid...
CTAC 2024 Valencia - Sven Zoelle - Most Crucial Invest to Digitalisation_slid...CTAC 2024 Valencia - Sven Zoelle - Most Crucial Invest to Digitalisation_slid...
CTAC 2024 Valencia - Sven Zoelle - Most Crucial Invest to Digitalisation_slid...
 
Mohammad_Alnahdi_Oral_Presentation_Assignment.pptx
Mohammad_Alnahdi_Oral_Presentation_Assignment.pptxMohammad_Alnahdi_Oral_Presentation_Assignment.pptx
Mohammad_Alnahdi_Oral_Presentation_Assignment.pptx
 

Imperva - Hacking encounters of the 3rd kind

  • 9. OWASP Top 10, “Using Known Vulnerable Components”
    Components, such as libraries, frameworks, and other software modules, almost always run with full privileges. If a vulnerable component is exploited, such an attack can facilitate serious data loss or server takeover. Applications using components with known vulnerabilities may undermine application defenses and enable a range of possible attacks and impacts.
    Source: OWASP Top 10 2013 Whitepaper
  • 10. What’s Vulnerable?
    Aspect Security study: “A recent study by Aspect Security of over 113 million library downloads by developers in 60,000 organizations, showed that 26 percent of those downloads contain known vulnerabilities.”
    Source: Aspect Security’s study “Understanding Security Risks in OSS Components”
  • 11. Landscape Impact
    Secunia: 1,208 vulnerabilities in the 50 most popular programs, 76% from third-party programs
    Source: Secunia Vulnerability Review 2014, http://secunia.com/company/news/1208-vulnerabilities-in-the-50-most-popular-programs---76-from-third-party-programs-389
  • 12. Into the Wild
    Looking Into Recent Incidents
  • 13. A Social Experiment
    Source: Topsy social analytics
  • 14. Ever Seen a Bleeding Server?
    Heartbleed (CVE-2014-0160)
    • A bug in OpenSSL, allowing data leakage directly from server memory
    • OpenSSL is used for Web servers, network appliances, and client software packages
    • OpenSSL runs on 66% of SSL protected websites
    Sources: Netcraft, http://news.netcraft.com/archives/2014/04/02/april-2014-web-server-survey.html; Heartbleed.com
  • 15. But I Can Patch It! Can’t I?
    ChangeCipherSpec (CVE-2014-0224)
  • 16. 3rd Party Code Driven Incidents
    WordPress plugin vulnerabilities… a petri dish.
    Source: ZDNet, http://www.zdnet.com/wordpress-plugin-vulns-affect-over-20-million-downloads-7000031703/
  • 17. From Our Own Threat Advisories
  • 18. Show Me More
    Hacking of a Known Component
  • 19. Zero-Days vs. Known Vulnerabilities
     Zero-days get all the glory
    • Technically interesting
    • Give rise to some interesting theoretical questions: how to defend against the “unknown unknowns?”
     But known vulnerabilities are doing a lot of the damage
    • Provide hackers with a very cost-effective method to exploit applications
    http://faildesk.net/wp-content/uploads/2012/02/movie-hacking-vs.-real-hacking.gif
  • 20. Hacking a Known Component
    Apache Tomcat, running the Apache Struts2 library. The target server is running a couple of applications that use the Struts library.
  • 21. Hacking a Known Component
    Struts2 showcase application, running with the Struts2 library.
  • 22. Hacking a Known Component
    Let’s find ourselves a nice exploit for Struts. Apache has many extension libraries; Struts is among the most popular.
    Source: www.exploit-db.com
  • 23. Let’s Attack Apache Struts
    CVE of the day: CVE-2013-2251. Now we need an exploit!
  • 24. Remote Code Execution
    Screenshot captions: Attempting Remote Code Injection; Injection Complete; Hacker now owns the server. PWN3D!
  • 25. Botnets Are Targeting Known Components
    Recently Observed:
    • Botnets scan public servers for vulnerabilities
    • Inject hijack/drive-by code into vulnerable systems
    • Onboard hijacked systems into the botnet
  • 26. From a Botnet Communication
    Botnet operator uses zombies to scan sites for vulnerabilities
    * As observed by Imperva’s ADC Research Team
  • 27. From a Botnet Communication
    Botnet exploits vulnerabilities and absorbs victim servers
    * As observed by Imperva’s ADC Research Team
  • 28. Addressing the Problem
  • 29. Explore the Options
    1. Don’t use 3rd party components?
    2. Use 3rd party components, responsibly
    • Identify 3rd party components; track versions and dependencies
    • Monitor the security state of components
    • Continuously pentest the application that includes third party components
    • Create an acceptance process for new components which includes security validation
    • Disable unused functionality
    • Introduce compensating controls, such as Web Application Firewalls, to reduce risk
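The “identify components, track versions, monitor security state” step of slide 29, as an added example that is not part of the deck: a small Python checker that parses a constructed component inventory and flags entries whose version falls inside an advisory’s affected range. The advisory table (keyed on the CVEs the deck names), its version bounds, the `name==version` inventory format and the `tomcat` entry are all constructed for this illustration; confirm real affected ranges against the vendor advisory or NVD before relying on them.

```python
"""Flag third-party components with known vulnerabilities from an inventory."""
import re
from dataclasses import dataclass
from typing import List, Tuple


@dataclass(frozen=True)
class Advisory:
    component: str
    cve: str
    first_affected: str  # inclusive lower bound of the affected range
    fixed_in: str        # exclusive upper bound: this version carries the fix


# Constructed sample advisory table for the CVEs the deck discusses.
# Ranges are illustrative (1.0.1 branch only for OpenSSL); verify against NVD.
ADVISORIES = [
    Advisory("openssl", "CVE-2014-0160", "1.0.1", "1.0.1g"),    # Heartbleed
    Advisory("openssl", "CVE-2014-0224", "1.0.1", "1.0.1h"),    # ChangeCipherSpec
    Advisory("struts2", "CVE-2013-2251", "2.0.0", "2.3.15.1"),  # Struts2 RCE
]

_PART = re.compile(r"^(\d+)([a-z]*)$")


def version_key(version: str) -> tuple:
    """Sortable key: '1.0.1g' -> ((1,''),(0,''),(1,'g')); handles OpenSSL letter suffixes."""
    key = []
    for part in version.lower().split("."):
        m = _PART.match(part)
        if not m:
            raise ValueError(f"unparseable version part {part!r} in {version!r}")
        key.append((int(m.group(1)), m.group(2)))
    return tuple(key)


def is_affected(adv: Advisory, version: str) -> bool:
    v = version_key(version)
    return version_key(adv.first_affected) <= v < version_key(adv.fixed_in)


def parse_inventory(text: str) -> List[Tuple[str, str]]:
    """Parse 'name==version' lines; blank lines and '#' comments are ignored."""
    items = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        name, sep, ver = line.partition("==")
        if not sep or not ver.strip():
            raise ValueError(f"expected name==version, got {line!r}")
        items.append((name.strip().lower(), ver.strip()))
    return items


def find_vulnerable(inventory_text: str) -> List[Tuple[str, str, str]]:
    """Return (component, version, cve) for every inventory entry inside an affected range."""
    return [(name, ver, adv.cve)
            for name, ver in parse_inventory(inventory_text)
            for adv in ADVISORIES
            if adv.component == name and is_affected(adv, ver)]


# Constructed sample inventory, as a deployment bill of materials would record it.
SAMPLE_INVENTORY = """
# component==version (constructed sample)
openssl==1.0.1f
struts2==2.3.15
tomcat==7.0.54
"""

if __name__ == "__main__":
    for name, ver, cve in find_vulnerable(SAMPLE_INVENTORY):
        print(f"{name} {ver}: affected by {cve}")
```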
  • 30. Recommendations
    When a company builds its security model it usually does not take into account elements that are not under its control, which creates the security hole. Companies should:
     Implement policies on both the legal and technical aspects to control data access and data usage
     Have processes and controls in place to effectively manage and secure code involving 3rd party components
     Continuously monitor
  • 31. Wrap Up
  • 32. Webinar Materials
    Join the Imperva LinkedIn Group, Imperva Data Security Direct, for post-webinar discussions, answers to attendee questions and the webinar recording link…
  • 33. Questions?
    www.imperva.com
  • 34. Thank You

Editor's Notes

  1. Organizations choose to outsource code, knowingly or unknowingly. Using 3rd party code means a faster development lifecycle and sometimes a more mature product, but NOT a more secure one.
  2. http://faildesk.net/wp-content/uploads/2012/02/movie-hacking-vs.-real-hacking.gif