OWASP A9 USING KNOWN VULNERABLE COMPONENTS IT 6873 presentation
1. A9 – Using Known Vulnerable Components
ITEC 6873
By Derrick Hunter
2. A9 – USING KNOWN VULNERABLE COMPONENTS
Agenda
• Threat Agents
• Attack Vectors
• Security Weaknesses
• Technical Impacts
• Importance
• How to prevent
• Discussion questions
3. A9 – USING KNOWN VULNERABLE COMPONENTS
Components, such as libraries, frameworks, and other software modules, almost always run with full privileges. If a vulnerable component is exploited, such an attack can facilitate serious data loss or server takeover. Applications using components with known vulnerabilities may undermine application defenses and enable a range of possible attacks and impacts.
4. Threat Agents
Anyone who can send untrusted data to the system.
Some vulnerable components can be identified and exploited with automated tools, expanding the threat agent pool beyond targeted attackers to include chaotic actors.
8. EXAMPLE
• Apache CXF Authentication Bypass – By failing to provide an identity token, attackers could invoke any web service with full permission.
• Spring Remote Code Execution – Abuse of the Expression Language implementation in Spring allowed attackers to execute arbitrary code, effectively taking over the server.
9. WHY IS THIS SO IMPORTANT
• Open source applications allow coders to quickly create new and innovative software, but the lack of visibility into component vulnerabilities and associated fixes means that vulnerable components may stay in use long after the threat has been identified.
10. SOFTWARE THAT HAS A HISTORY OF KNOWN VULNERABILITIES
STRUTS2
Open source web application framework was downloaded 80,000 times even after 30+ public vulnerability announcements.
11. SOFTWARE THAT HAS A HISTORY OF KNOWN VULNERABILITIES
HTTP CLIENT
Component with broken SSL validation was downloaded 66,000 times one year after a critical security alert was issued.
12. SOFTWARE THAT HAS A HISTORY OF KNOWN VULNERABILITIES
BOUNCY CASTLE
In 2013 this cryptography API with a Level 10 critical vulnerability was downloaded 20,000 times—despite warnings given five years earlier.
13. HOW TO PREVENT
• Make sure you are using the current application versions.
• Monitor the security of components in databases, project mailing lists, and security mailing lists, and keep them up to date.
• Establish security policies governing component use, such as requiring certain software development practices, passing security tests, and acceptable licenses.
• Consider adding security wrappers around components to disable unused functionality and secure weak or vulnerable aspects of the component.
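To make the monitoring step concrete, here is an added example (not from the presentation, and not OWASP Dependency Check's own code): a small Python script that reads a constructed Maven pom.xml, extracts each dependency's coordinates, and compares the declared version against a constructed advisory table. The advisory IDs and fixed-in versions are placeholders, not real advisory data.

```python
import xml.etree.ElementTree as ET

# Constructed sample pom.xml: component names mirror the slides, versions are made up.
SAMPLE_POM = """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <dependencies>
    <dependency>
      <groupId>org.apache.struts</groupId>
      <artifactId>struts2-core</artifactId>
      <version>2.3.15</version>
    </dependency>
    <dependency>
      <groupId>org.apache.httpcomponents</groupId>
      <artifactId>httpclient</artifactId>
      <version>4.3.6</version>
    </dependency>
  </dependencies>
</project>"""

# Constructed advisory table (placeholders, not real data):
# (groupId, artifactId) -> (advisory id, first fixed version).
ADVISORIES = {
    ("org.apache.struts", "struts2-core"): ("EXAMPLE-ADV-1", "2.3.16"),
    ("org.apache.httpcomponents", "httpclient"): ("EXAMPLE-ADV-2", "4.3.5"),
}

def parse_version(v):
    """Turn '2.3.15' into (2, 3, 15) so versions compare numerically, not as strings."""
    return tuple(int(p) if p.isdigit() else 0 for p in v.split("."))

def local(tag):
    return tag.rsplit("}", 1)[-1]  # strip the Maven XML namespace from a tag name

def dependencies(pom_xml):
    """Return (groupId, artifactId, version) for every <dependency> element."""
    deps = []
    for elem in ET.fromstring(pom_xml).iter():
        if local(elem.tag) == "dependency":
            f = {local(c.tag): (c.text or "").strip() for c in elem}
            deps.append((f.get("groupId"), f.get("artifactId"), f.get("version")))
    return deps

def find_known_vulnerable(pom_xml, advisories=ADVISORIES):
    """List dependencies whose declared version predates the advisory's fix."""
    findings = []
    for group, artifact, version in dependencies(pom_xml):
        adv = advisories.get((group, artifact))
        if not adv or not version or version.startswith("${"):
            continue  # no advisory, or version unresolved (inherited / ${property})
        if parse_version(version) < parse_version(adv[1]):
            findings.append((f"{group}:{artifact}", version, adv[0], adv[1]))
    return findings
```

A real check would load the advisory table from a vulnerability feed and run on every build so a flagged component fails the pipeline instead of shipping.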
14. References
OWASP
• OWASP Dependency Check (for Java libraries)
• OWASP SafeNuGet (for .NET libraries through NuGet)
• Good Component Practices Project
• Keyhole Software. (November 18, 2013). Top 10 Web Application Security Risks From OWASP. In Java Code Geeks. Retrieved October 29, 2014, from http://www.javacodegeeks.com/2013/11/top-10-web-application-security-risks-from-owasp.html
• Sonatype.org. (2008-2014). OWASP Top Ten: Improving online software security. In Sonatype. Retrieved October 29, 2014, from http://www.sonatype.com/spotlight/owasp-top-ten
15. QUESTIONS?
• Give an example of a company using a known vulnerable component in the news.
• How have some companies decided to deal with this issue?
• What would you add to the list of how to prevent this issue?