Successfully reported this slideshow.

Understanding The Known: OWASP A9 Using Components With Known Vulnerabilities

4

Share

Aug. 21, 2015
4 likes 5,066 views
Upcoming SlideShare
Aliens in Your Apps! Are You Using Components With Known Vulnerabilities?
Aliens in Your Apps! Are You Using Components With Known Vulnerabilities?
Loading in …3
×
1 of 52
1 of 52

Understanding The Known: OWASP A9 Using Components With Known Vulnerabilities

Aug. 21, 2015
4 likes 5,066 views

4

Share

Download to read offline

Technology

c0c0n 2015 Presentation. This talk discussed about the impact of using components with known vulnerabilities along with various tips and tools for software developer or administrator to facilitate identification of vulnerable components.

c0c0n 2015 Presentation. This talk discussed about the impact of using components with known vulnerabilities along with various tips and tools for software developer or administrator to facilitate identification of vulnerable components.

Technology
License: CC Attribution-NonCommercial-ShareAlike License

Recommended

More Related Content

Viewers also liked

Defending Servers - Cyber security webinar part 3
F-Secure Corporation
Web Application Security 101 - 03 Web Security Toolkit
Websecurify
Cyber security webinar part 1 - Threat Landscape
F-Secure Corporation
Owasp top 10 vulnerabilities
OWASP Delhi
Defending Workstations - Cyber security webinar part 2
F-Secure Corporation
[OWASP Poland Day] Saving private token
OWASP
SSL Pinning and Bypasses: Android and iOS
Anant Shrivastava
OWASP Top 10 - The Ten Most Critical Web Application Security Risks
All Things Open
Security testing fundamentals
Cygnet Infotech
So Your Company Hired A Pentester
NorthBayWeb
[Wroclaw #5] OWASP Projects: beyond Top 10
OWASP
Android Application Penetration Testing - Mohammed Adam
Mohammed Adam A
[OWASP Poland Day] A study of Electron security
OWASP
CSE-Ethical-Hacking-ppt.pptx
AnshumaanTiwari2
Owasp mobile top 10
Pawel Rzepa
Hacking Samsung's Tizen: The OS of Everything - Hack In the Box 2015
Ajin Abraham
G4H Webcast: Automated Security Analysis of Mobile Applications with Mobile S...
Ajin Abraham
Pentesting Mobile Applications (Prashant Verma)
ClubHack
Web Application Vulnerabilities
Preetish Panda

Similar to Understanding The Known: OWASP A9 Using Components With Known Vulnerabilities

OSSF 2018 - Jeff Luszcz of Flexera - Day 2 - Open Source Culture, Standards, ...
FINOS
Collaborative security : Securing open source software
Priyanka Aash
Fuzzing101 uvm-reporting-and-mitigation-2011-02-10
Codenomicon
Open Source Software (OSS/FLOSS) and Security
Joshua L. Davis
Manoj Purandare - Application Security - Secure Code Assessment Program - Pre...
Manoj Purandare ☁
Open Source Licensing: Types, Strategies and Compliance
All Things Open
Introduction to the CII Badge Programe, OW2con'16, Paris.
OW2
Manoj Purandare - Application Security - Secure Code Assessment Program - Pre...
Manoj Purandare ☁
Bridging the gap - Security and Software Testing
Roberto Suggi Liverani
Implementing and Managing an Open Source Compliance Program: A Crash Course
FINOS
Protect Your Drupal Site Against Common Security Attacks
Acquia
Application security meetup 27012021
lior mazor
Top 10 static code analysis tool
scmGalaxy Inc
JavaOne2013: Secure Engineering Practices for Java
Chris Bailey
Application Security in the Age of Open Source
Black Duck by Synopsys
Building world-class security response and secure development processes
David Jorm
Cyber security - It starts with the embedded system
Rogue Wave Software
Matteo meucci Software Security - Napoli 10112016
Minded Security
Discussion Paper: Bugs Tracking
Deny Prasetia
Videos about static code analysis
PVS-Studio

More from Anant Shrivastava

Diverseccon keynote: My 2 Paisa's on Infosec World
Anant Shrivastava
Null bhopal Sep 2016: What it Takes to Secure a Web Application
Anant Shrivastava
Android Tamer BH USA 2016 : Arsenal Presentation
Anant Shrivastava
Android Tamer: Virtual Machine for Android (Security) Professionals
Anant Shrivastava
Slides null puliya linux basics
Anant Shrivastava
Exploiting publically exposed Version Control System
Anant Shrivastava
Tale of Forgotten Disclosure and Lesson learned
Anant Shrivastava
My tryst with sourcecode review
Anant Shrivastava
Snake bites : Python for Pentesters
Anant Shrivastava
OWASP Bangalore : OWTF demo : 13 Dec 2014
Anant Shrivastava
Owasp Mobile Risk Series : M4 : Unintended Data Leakage
Anant Shrivastava
When the internet bleeded : RootConf 2014
Anant Shrivastava
Raspberry pi Beginners Session
Anant Shrivastava
Career In Information security
Anant Shrivastava
WhitePaper : Security issues in android custom rom
Anant Shrivastava
Security Issues in Android Custom ROM
Anant Shrivastava
Web application finger printing - whitepaper
Anant Shrivastava
Battle Underground NullCon 2011 Walkthrough
Anant Shrivastava
Nullcon Hack IM 2011 walk through
Anant Shrivastava
Web2.0 : an introduction
Anant Shrivastava

Featured

What to Upload to SlideShare
SlideShare
Be A Great Product Leader (Amplify, Oct 2019)
Adam Nash
Trillion Dollar Coach Book (Bill Campbell)
Eric Schmidt
APIdays Paris 2019 - Innovation @ scale, APIs as Digital Factories' New Machi...
apidays
A few thoughts on work life-balance
Wim Vanderbauwhede
Is vc still a thing final
Mark Suster
The GaryVee Content Model
Gary Vaynerchuk
Mammalian Brain Chemistry Explains Everything
Loretta Breuning, PhD
Blockchain + AI + Crypto Economics Are We Creating a Code Tsunami?
Dinis Guarda
The AI Rush
Jean-Baptiste Dumont
AI and Machine Learning Demystified by Carol Smith at Midwest UX 2017
Carol Smith
10 facts about jobs in the future
Pew Research Center's Internet & American Life Project
Harry Surden - Artificial Intelligence and Law Overview
Harry Surden
Inside Google's Numbers in 2017
Rand Fishkin
Pinot: Realtime Distributed OLAP datastore
Kishore Gopalakrishna
How to Become a Thought Leader in Your Niche
Leslie Samuel
Visual Design with Data
Seth Familian
Designing Teams for Emerging Challenges
Aaron Irizarry
UX, ethnography and possibilities: for Libraries, Museums and Archives
Ned Potter
Winners and Losers - All the (Russian) President's Men
Ian Bremmer

Related Books

Free with a 14 day trial from Scribd

See all
The Future Is Faster Than You Think: How Converging Technologies Are Transforming Business, Industries, and Our Lives Peter H. Diamandis
(4.5/5)
Free
From Gutenberg to Google: The History of Our Future Tom Wheeler
(3.5/5)
Free
SAM: One Robot, a Dozen Engineers, and the Race to Revolutionize the Way We Build Jonathan Waldman
(5/5)
Free
Talk to Me: How Voice Computing Will Transform the Way We Live, Work, and Think James Vlahos
(4/5)
Free
So You Want to Start a Podcast: Finding Your Voice, Telling Your Story, and Building a Community That Will Listen Kristen Meinzer
(3.5/5)
Free
Bezonomics: How Amazon Is Changing Our Lives and What the World's Best Companies Are Learning from It Brian Dumaine
(4/5)
Free
No Filter: The Inside Story of Instagram Sarah Frier
(4.5/5)
Free
Autonomy: The Quest to Build the Driverless Car—And How It Will Reshape Our World Lawrence D. Burns
(5/5)
Free
Future Presence: How Virtual Reality Is Changing Human Connection, Intimacy, and the Limits of Ordinary Life Peter Rubin
(4/5)
Free
Live Work Work Work Die: A Journey into the Savage Heart of Silicon Valley Corey Pein
(4.5/5)
Free
Everybody Lies: Big Data, New Data, and What the Internet Can Tell Us About Who We Really Are Seth Stephens-Davidowitz
(4.5/5)
Free
Life After Google: The Fall of Big Data and the Rise of the Blockchain Economy George Gilder
(4/5)
Free
System Identification: Tutorials Presented at the 5th IFAC Symposium on Identification and System Parameter Estimation, F.R. Germany, September 1979 Elsevier Books Reference
(4/5)
Free
Energy Conservation in Buildings: The Achievement of 50% Energy Saving: An Environmental Challenge? Elsevier Books Reference
(4/5)
Free
Young Men and Fire: Twenty-fifth Anniversary Edition Norman Maclean
(4.5/5)
Free
Longitude: The True Story of a Lone Genius Who Solved the Greatest Scientific Problem of His Time Dava Sobel
(4/5)
Free

Related Audiobooks

Free with a 14 day trial from Scribd

See all
If Then: How the Simulmatics Corporation Invented the Future Jill Lepore
(4.5/5)
Free
A Brief History of Motion: From the Wheel, to the Car, to What Comes Next Tom Standage
(4/5)
Free
An Ugly Truth: Inside Facebook’s Battle for Domination Sheera Frenkel
(4.5/5)
Free
Spooked: The Trump Dossier, Black Cube, and the Rise of Private Spies Barry Meier
(4/5)
Free
Second Nature: Scenes from a World Remade Nathaniel Rich
(5/5)
Free
Test Gods: Virgin Galactic and the Making of a Modern Astronaut Nicholas Schmidle
(5/5)
Free
Driven: The Race to Create the Autonomous Car Alex Davies
(4.5/5)
Free
Dignity in a Digital Age: Making Tech Work for All of Us Ro Khanna
(4/5)
Free
Einstein's Fridge: How the Difference Between Hot and Cold Explains the Universe Paul Sen
(4.5/5)
Free
After Steve: How Apple Became a Trillion-Dollar Company and Lost its Soul Tripp Mickle
(4.5/5)
Free
User Friendly: How the Hidden Rules of Design Are Changing the Way We Live, Work, and Play Cliff Kuang
(4.5/5)
Free
Uncanny Valley: A Memoir Anna Wiener
(4/5)
Free
Blockchain: The Next Everything Stephen P. Williams
(4/5)
Free
Lean Out: The Truth About Women, Power, and the Workplace Marissa Orr
(4.5/5)
Free
A World Without Work: Technology, Automation, and How We Should Respond Daniel Susskind
(4.5/5)
Free
Bitcoin Billionaires: A True Story of Genius, Betrayal, and Redemption Ben Mezrich
(4.5/5)
Free

Understanding The Known: OWASP A9 Using Components With Known Vulnerabilities

  1. 1. UNDERSTANDING THE KNOWN A9 : USING COMPONENTS WITH KNOWN VULNERABILITIES   BY ANANT SHRIVASTAVA
  2. 2. ANANT SHRIVASTAVA Information Security Consultant Admin - Dev - Security null + OWASP + G4H and @anantshri Trainer / Speaker : Blackhat USA, NullCon, g0s, c0c0n, Clubhack, RootConf http://anantshri.info      
  3. 3. WHAT IS A COMPONENT Any piece of code that is reusable Paid or OpenSource Either by same developer or other developers Its lot more then what you know
  4. 4. PYTHON PACKAGES Programming Language
  5. 5. RUBY GEMS Programming Language
  6. 6. MICROSOFT .NET PACKAGES Programming Language
  7. 7. WORDPRESS PLUGINS Web Application
  8. 8. CISCO SECURITY MANAGER Cisco Security Manager
  9. 9. CISCO ASA Cisco ASA Hardware
  10. 10. AND MANY MORE
  11. 11. WHY COMPONENTS Unix Philosophy : Do one thing and do it well Code Reuse : "Less Development Overhead" "Potentially" Combined and Faster evolution Higher cost to develop from scratch
  12. 12. IN SHORT Any component which is not developed by you is a 3rd party package in use
  13. 13. NOT DEVELOPED BY YOU
  14. 14. NOT DEVELOPED BY YOU 1. OpenSSL 2. Bash 3. Apache 4. NGINX and many more
  15. 15. UNDERSTANDING THE KNOWN USING COMPONENTS WITH KNOWN VULNERABILITIES
  16. 16. TWO DISTINCT PROBLEMS 1. Component has known vulnerability 2. Licensing Policies Talk focus only on the first part
  17. 17. COMPONENT WITH KNOWN VULNERABILITY Marked as 9/10 in OWASP Top 10 Vulnerabilities in 2013 Attacks can range from basic web attacks to Remote Code Execution
  18. 18. SOME EXAMPLES
  19. 19. HEARTBLEED
  20. 20. VULNERABLE VENDOR Credits: Jake & Kymberlee : Stranger Danger! What Is The Risk From 3rd Party
  21. 21. Libraries? : Blackhat USA 2015 MORE Credits: Jake & Kymberlee : Stranger Danger! What Is The Risk From 3rd Party Libraries? : Blackhat USA 2015
  22. 22. REMEMBER We rely on 3rd party to 1. patch 2. maintain security 3. accept security issues 4. in short "NOT SCREWUP"
  23. 23. WHAT ARE THE CONCERNS 1. Open Source Software 1. Developer has scratched his itch and will not want to work on it 2. Developer doesn't understand security implications and ignore reports 3. Developer is genuinely not in a position to work on project 2. Closed Source Software 1. Company shifted focus 2. Not enough money
  24. 24. WHAT IF THEY DO ALL THE FIXES IN TIME
  25. 25. PATCH PROCESS 1. Someone disclosed a vulnerability 2. 3rd party vendor fixes code 3. A public advisory is released informing about the update and hopefully security issue 4. Developer has to update the dependencies in actual project (believe me when i say its not easy task) (backword compatibility, regression, feature support etc) 5. Sysadmin / user has to update the software to receive the update
  26. 26. LOOKS COMPLEX
  27. 27. ANDROID OTA PROCESS 1. Google released PDK to Vendor for evaluation 2. Google Announces new version 3. Google send source code to Chipset manufacturer and Vendor 4. Chipset manufactures provides drivers and BSP or stops support 5. Vendor evaluates requirement for device if no driver then no update 6. Vendor updates its own softwares (SENSE, TouchWiz etc) Cont.
  28. 28. ANDROID OTA PROCESS... 1. Vendor works with carrier for modification 2. Final build is submitted for Lab Entry and testing 3. If bug found patch and resubmit. 4. Take approvals from 1. Regulatory 2. Industry 3. Google 5. Prepare OTA for the Device 6. User Downloads OTA and updates the device
  29. 29. BIGGEST QUESTION WHAT WE CAN DO
  30. 30. 3 KEY PLAYERS 1. Component Code Developer 2. Programmer reusing component 3. Enduser/sysadmin using the final program
  31. 31. THEN THERE IS PENTESTER
  32. 32. LETS EVALUATE ONE BY ONE
  33. 33. SYSADMIN / ENDUSER Monitor your software feeds to ensure you do not miss security updates never ignore update from shared library Keep an eye on how shared resources are holding up
  34. 34. DEVELOPERS (SOFTWARE AND 3RD PARTY) 1. Identify and catalogue your components 2. Never ignore pull requests and security issue bug report 3. Proactively test software and at-least if a fix is released publicly accept security issue
  35. 35. ANY AVAILABLE TOOLS
  36. 36. VULNERABLE COMPONENT IDENTIFICATION
  37. 37. IDENTIFICATION
  38. 38. IDENTIFICATION
  39. 39. IDENTIFICATION
  40. 40. IS THIS ENOUGH 1. Not yet 2. We still lack method to track it for every third party library 3. Manual tracking is still required
  41. 41. COMPONENT CODE DEVELOPER 1. Be clear about support status 2. If out of support, release and updated version clearly stating support status 3. Clearly accept the security issues and inform about fix
  42. 42. PENTESTER 1. Follow steps for Admin to identify all components 2. Cross reference with known disclosures (use dependency trackers) 3. Profit
  43. 43. REFERENCES 1. BlackHat 2015 : Stranger Danger! What Is The Risk From 3rd Party Libraries? : DO CHECK VTEM 2. The Unfortunate Reality of Insecure Libraries: Jeff Williams,Arshan Dabirsiaghi : March 2012 3. 4. https://www.gov.uk/service-manual/making-software/dependency- management.html http://swreflections.blogspot.in/2013/10/dont-let-somebody-elses-technical- debt.html
  44. 44. REFERENCES 1. 2. 3. https://prezi.com/g-01vdbth1co/sonatype-survey-2013/ http://blog.softfluent.com/2011/08/19/leveraging-third-party-components-or- reducing-dependencies/ https://img.en25.com/Web/SonatypeInc/%7Bb2fa5ed8-938d-4bce-8a9c- d08ebeba826d%7D_Executive_Brief_-_Study- _Understanding_Security_Risks_in_OSS_Components-1.pdf
  45. 45. ANY QUESTIONS
  46. 46. ANANT SHRIVASTAVA Information Security Consultant Admin - Dev - Security null + OWASP + G4H and @anantshri Trainer / Speaker : Blackhat USA, NullCon, g0s, c0c0n, Clubhack, RootConf http://anantshri.info      
  47. 47. THANK YOU

×