Open Source Security – A vendor's perspective

This talk aims to let interested users in on the work of being a responsible vendor in the open source security world. It will have a particular focus on Plone, but will be applicable to anyone issuing public fixes for open source code.
Open Source Security – A vendor's perspective

  1. Open Source Security – a vendor's perspective
     Matthew Wilkes
  2. Who am I
     - Zope/Plone since 2004
     - Plone security team leader
     - Former FWT member
     - 2013 board member
     - sprints, conferences, etc
     - Python security at The Code Distillery
  3. Concepts
  4. Vulnerability report
     - User emails security@plone.org
     - "Doctor, it hurts when I raise my arm like this…"
  5. Vulnerability
     - Security team confirms
     - Find the original cause
     - Find variants of the same bug
  6. Severity
     - Is this bug an emergency?
     - Who knows how to exploit it so far?
     - What damage can an attacker cause?
  7. Workaround
     - Develop a hotfix
     - Test on supported versions
     - Release hotfix
  8. Fix
     - Apply changes from the hotfix to core
     - Create new releases for packages
  9. Workflow
  10. Workflow
     1. Receive notification
     2. Add to issue tracker and reply
     3. Confirm bug exists
     4. Find related problems
     5. Request CVE
     6. Write hotfix
  11. Workflow (continued)
     7. Test on supported versions
     8. Release hotfix
     9. Provide notes to oss-security
     10. Receive allocated CVE
     11. Update plone.org with CVE ids
     12. Vulnerability shows on NVD
  12. On CVEs
  13. The MITRE Corporation, on CVE: "CVE's common identifiers enable data exchange between security products and provide a baseline index point for evaluating coverage of tools and services."
  14. Steve Christey, MITRE, on CVE: "In reality, all of the large vulnerability databases may have missed published vulnerabilities in the product …. We routinely see this."
  15. National Vulnerability Database, CVE: "Summary for CVE-2011-0720: Unspecified vulnerability in Plone 2.5 through 4.0, allows remote attackers to obtain administrative access."
  16. Not all equal
     - Can MERGE under certain circumstances
     - Have to fight for more
     - Many vulns never have one assigned
  17. Why use CVE?
     - We're expected to
     - Lets us influence what people say about us
     - You can google the number
  18. CVSSv2
  19. What is CVSSv2?
     - A systematic way of assigning severity
     - Three sections: Base, Temporal, Environmental
     - Our job to provide Base scores
     - Users can apply the Temporal and Environmental scores
  20. Comparing CVSSv2s
     - Sometimes vendors release temporal scores, not base
     - Very few vendors publish the vectors
     - Vendors often disagree with researchers
     - Not all options always apply
  21. CVSSv2 for companies
     - Temporal scores let us scale scores over the lifecycle of the bug
     - Environmental scores let you weight scores according to your business goals
  22. Why use CVSSv2?
     - Lets us influence what people say about us
     - Easier to form policies about what things are urgent
     - We can make stats!
  23. CWE
  24. What is CWE?
     - OWASP Top-10 2010 A5: Cross-Site Request Forgery
     - SANS Top-25 2013 Rank #12
     - OWASP Top-10 2013 A8: Cross-Site Request Forgery
     - CWE-352: Cross-Site Request Forgery (CSRF)
  25. Problems with CWE
     - 940 CWEs currently listed
     - Very granular
  26. Granularity
     - CWE-759: Use of a One-Way Hash without a Salt
     - CWE-916: Use of Password Hash With Insufficient Computational Effort
  27. Why use CWE?
     - Lets us influence what people say about us
     - We can make stats
  28. Databases
  29. Databases
     - Manually maintained
     - Pull public information and tabulate
     - Some companies have write access
     - Almost all vendors do not
  30. Latest Plone update
     - NVD: November 2011
     - OSVDB: June 2010
     - CVE Details: November 2011
  31. Statistics
  32. Statistics
  33. CVE-2013-4196, "No gain information?": "Multiple information exposure flaws were found in the way object manager implementation of Plone, a user friendly and powerful content management system, protected access to its internal methods."
  34. CVE-2012-5505, "No gain information?": "On some content types an anonymous view lookup returns a private data structure, which under certain circumstances may be used to read out confidential data."
  35. Fix it!
  36. Kurt Seifried, Red Hat, "Collaborative databases?": "Sadly it probably won't work, most projects barely care about security, even fewer care about doing advisories correctly."
  37. Open Source Vulnerability Database, "Collaborative databases?": "Use of the OSVDB, and/or API in a commercial atmosphere requires a license from OSF or a commercial partner of our designation. Failure to obtain a license for such use will result in account termination and legal action as necessary."
  38. Kurt Seifried, Red Hat, "SPOF": "Remember this is supposed to be basically a small side part of my job at Red Hat and I sometimes get slammed and grumpy =)"
  39. Recommendations
     1. A wiki type vulnerability database
     2. Freely available vulnerability ids
     3. Direct editing access for vendors
     4. Open data
  40. Recommendations
     1. Extend CVSSv2 for webapps
     2. Allow the public to tag CWE
     3. Decouple vulnerability instances and causes
  41. Questions?
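The three-layer scoring that slides 19 to 21 describe, as an added worked example that is not part of the original talk: the vendor publishes a base vector, and each deploying organisation applies its own temporal and environmental metrics on top. The weights and formulas are those of the CVSS v2.0 specification; the vector strings are constructed sample inputs, not scores taken from any Plone advisory.

```python
"""CVSSv2 base, temporal and environmental scoring from vector strings.

Weights and equations follow the CVSS v2.0 specification. The vectors in
the usage block are constructed samples, not values from a real advisory.
"""
import math

# Base-metric weights: the vendor's part of the score.
BASE = {
    "AV": {"L": 0.395, "A": 0.646, "N": 1.0},   # access vector
    "AC": {"H": 0.35, "M": 0.61, "L": 0.71},    # access complexity
    "Au": {"M": 0.45, "S": 0.56, "N": 0.704},   # authentication
    "C": {"N": 0.0, "P": 0.275, "C": 0.660},    # confidentiality impact
    "I": {"N": 0.0, "P": 0.275, "C": 0.660},    # integrity impact
    "A": {"N": 0.0, "P": 0.275, "C": 0.660},    # availability impact
}
# Temporal-metric weights; "ND" (not defined) never lowers the score.
TEMPORAL = {
    "E": {"U": 0.85, "POC": 0.9, "F": 0.95, "H": 1.0, "ND": 1.0},   # exploitability
    "RL": {"OF": 0.87, "TF": 0.90, "W": 0.95, "U": 1.0, "ND": 1.0},  # remediation level
    "RC": {"UC": 0.90, "UR": 0.95, "C": 1.0, "ND": 1.0},            # report confidence
}
# Environmental-metric weights: the deploying organisation's part.
ENV = {
    "CDP": {"N": 0.0, "L": 0.1, "LM": 0.3, "MH": 0.4, "H": 0.5, "ND": 0.0},  # collateral damage
    "TD": {"N": 0.0, "L": 0.25, "M": 0.75, "H": 1.0, "ND": 1.0},            # target distribution
    "CR": {"L": 0.5, "M": 1.0, "H": 1.51, "ND": 1.0},   # confidentiality requirement
    "IR": {"L": 0.5, "M": 1.0, "H": 1.51, "ND": 1.0},   # integrity requirement
    "AR": {"L": 0.5, "M": 1.0, "H": 1.51, "ND": 1.0},   # availability requirement
}


def parse_vector(vector):
    """Turn 'AV:N/AC:L/Au:N/C:P/I:P/A:P' into {'AV': 'N', 'AC': 'L', ...}."""
    metrics = {}
    for part in vector.strip("()").split("/"):
        name, value = part.split(":")
        metrics[name] = value
    return metrics


def round1(x):
    """The specification's round_to_1_decimal: round half up to one decimal."""
    return math.floor(x * 10 + 0.5) / 10


def impact(m, reqs=None):
    """Impact sub-score; with requirement weights it becomes AdjustedImpact."""
    c, i, a = (BASE[k][m[k]] for k in ("C", "I", "A"))
    if reqs is None:
        return 10.41 * (1 - (1 - c) * (1 - i) * (1 - a))
    # Environmental scoring weights each impact by its requirement, capped at 10.
    c, i, a = c * reqs["CR"], i * reqs["IR"], a * reqs["AR"]
    return min(10.0, 10.41 * (1 - (1 - c) * (1 - i) * (1 - a)))


def base_score(vector, reqs=None):
    """Base score (or the adjusted base score when requirement weights are given)."""
    m = parse_vector(vector)
    imp = impact(m, reqs)
    expl = 20 * BASE["AV"][m["AV"]] * BASE["AC"][m["AC"]] * BASE["Au"][m["Au"]]
    f_impact = 0.0 if imp == 0 else 1.176   # f(Impact) from the specification
    return round1((0.6 * imp + 0.4 * expl - 1.5) * f_impact)


def temporal_score(base_vector, temporal_vector, reqs=None):
    """Temporal score: the (rounded) base score scaled by the three temporal factors."""
    t = parse_vector(temporal_vector)
    factor = TEMPORAL["E"][t["E"]] * TEMPORAL["RL"][t["RL"]] * TEMPORAL["RC"][t["RC"]]
    return round1(base_score(base_vector, reqs) * factor)


def environmental_score(base_vector, temporal_vector, env_vector):
    """Environmental score: adjusted temporal score weighted by CDP and TD."""
    e = parse_vector(env_vector)
    reqs = {k: ENV[k][e[k]] for k in ("CR", "IR", "AR")}
    adjusted_temporal = temporal_score(base_vector, temporal_vector, reqs)
    cdp, td = ENV["CDP"][e["CDP"]], ENV["TD"][e["TD"]]
    return round1((adjusted_temporal + (10 - adjusted_temporal) * cdp) * td)


if __name__ == "__main__":
    base = "AV:N/AC:L/Au:N/C:P/I:P/A:P"   # constructed: what the vendor publishes
    temporal = "E:POC/RL:OF/RC:C"         # constructed: PoC public, official fix shipped
    env = "CDP:L/TD:M/CR:H/IR:M/AR:L"     # constructed: one deployer's view of its estate
    print("base         ", base_score(base))                          # 7.5
    print("temporal     ", temporal_score(base, temporal))            # 5.9
    print("environmental", environmental_score(base, temporal, env))  # 4.8
```

With the sample vectors, the same flaw that the vendor scores 7.5 drops to 5.9 once an official fix exists and to 4.8 for a deployer whose affected systems are a medium fraction of its estate and who rates availability low; the high confidentiality requirement in the environmental vector is what keeps it from falling further. This is the scaling over the bug's lifecycle and the weighting by business goals that slide 21 refers to, and it only works when the vendor publishes the base vector, not just the number, which slide 20 notes most vendors do not.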
