Ever wonder about the mindset of a hacker? What is a Zero day attack? When does the clock start ticking?
As cyber Attacks become an existential threat it’s critical that all software developers understand the role the CVE process plays in helping us keep our defenses strong - and where it can go wrong or be subverted.
In this session, we’ll cover how the CVE process works, explore the timelines of a few famous CVEs, and uncover the truth about ethical reporting. We'll then discuss the practical steps you can take as a developer to write safer software. From bug bounties and bad actors to unsung developer heroes and incredible researchers, it’s time to buckle up for a wild ride as we show you what CVEs are all about.
Building Real-Time Data Pipelines: Stream & Batch Processing workshop Slide
JavaZone 2023: CVE 101: A Developer's Guide to the World of Application Security
1. A DEVELOPER'S GUIDE TO THE
WORLD OF APPLICATION SECURITY
CVE 101
Theresa Mammarella
2. THERESA MAMMARELLA
• Software Engineer @ IBM
• Eclipse OpenJ9 JVM
• Open source developer, community
member, and speaker
@t_mammarella
linkedin.com/in/tmammarella
3.
4. INSIDER THREAT
The potential for an insider to use their authorized access or understand of an
organization to harm that organization
• When an engineer is compromised by outside influence or dissatisfaction
• When an engineer is poorly trained
• When engineers put backdoors into a product
• When remote development systems are not secured or when protections are
removed
• When accounts and credentials for terminated or inactive personnel remain
available.
Source: media.defense.gov/2022/Sep/01/2003068942/-1/-1/0/ESF_SECURING_THE_SOFTWARE_SUPPLY_CHAIN_DEVELOPERS.PDF
20. The Zero Day Window is Closing
Source: Adapted from IBM X-Force / Analysis by Gartner Research (September 2016)
Year of Date Reported
2006 2007 2008 2009 2010 2011 2012 2013 2104 2015
10
20
30
40
50
0
Average
Days
from
Public
Disclosure
to
Exploit
Average
45
15
2017 2019 2021
Struts2
25. MOST OF THESE STORIES
ARE UNTOLD
Jeremy Long, founder of the
OWASP Dependency Check
project speculates that "only
25% of organizations report
vulnerabilities to users, and
only 10% of vulnerabilities are
reported as Common
Vulnerabilities exposure (CVE)."
Sonatype State of the Software Supply Chain Report 2019
27. HOW DO I DISCLOSE A VULNERABILITY IN A
RESPONSIBLE WAY?
• Company Website
• Security files on servers
• SECURITY.md
• Github private vulnerability reporting
28. Credit: Eddie Knight, Sonatype
THE
MANTRA
01
Does this touch the internet?
If a feature touches the internet, we need to
ensure end-to-end security from the supplier
to the consumer
02
Does this take untrusted input?
If a feature takes untrusted input, we need to
validate it's integrity before use
03
Does this handle sensitive data?
If a feature handles sensitive data, we must pay
special care to encryption, handling, and storage.
36. RECAP
• Vulnerability x Threat = Risk
• CVE’s, CVSS, disclosure process
• The Mantra/OWASP Top 10
• Dependency management
• Release speed
• Security champion programs
37.
38. THANK YOU
JAVAZONE!
• Linux Foundation free course
Developing Secure Software
https://training.linuxfoundation.org/training/devel
oping-secure-software-lfd121/
• OWASP Webgoat
Hands on with the OWASP Top 10
https://owasp.org/www-project-webgoat/
• Foojay security posts
https://foojay.io/today/category/security/
• OWASP’s list of Free for Open Source
Application Security Tools
https://owasp.org/www-
community/Free_for_Open_Source_Application_S
ecurity_Tools
@t_mammarella
linkedin.com/in/tmammarella
KEEP IN TOUCH: