Are you using an open source library?
Bruno Bossola
ROME - APRIL 13/14 2018
@bbossola
About me
● Developer 1988+
● XP coach 2000+
● Co-founder Jug Torino
Agenda
● Three cases of exploits
● Why do we use opensource libraries?
● What is a vulnerability?
● Sample exploit of CVE-2017-7525
● Preventive measures
● Common delusions
● Conclusions
● Q&A
11/2016 - San Francisco MTA
CVE-2015-4852
03/2017 - Canada Revenue Ag
CVE-2017-5638
05/2017 - Equifax
CVE-2017-5638
(yes, again!)
Why open source libraries???
● you want to deliver code fast
● you do not rewrite code that's already available
– logging
– serialisation for JSON / XML
– communication via common protocols
– web frameworks
– client frameworks
● you need state-of-the-art algorithms
– encryption library like Bouncycastle
– recommendations library like librec
● Eighty percent of the code in today’s applications comes from libraries and frameworks
How are libraries used?
Direct dependencies
+- org.springframework.boot:spring-boot-starter-web:jar:1.4.7.RELEASE
|  +- org.springframework.boot:spring-boot-starter:jar:1.4.7.RELEASE
|  |  +- org.springframework:spring-core:jar:4.3.9.RELEASE
|  |  \- org.yaml:snakeyaml:jar:1.17:runtime
|  +- com.fasterxml.jackson.core:jackson-databind:jar:2.8.8
|  |  +- com.fasterxml.jackson.core:jackson-annotations:jar:2.8.8
|  |  \- com.fasterxml.jackson.core:jackson-core:jar:2.8.8
\- ch.qos.logback:logback-classic:jar:1.1.11
   +- ch.qos.logback:logback-core:jar:1.1.11
   \- org.slf4j:slf4j-api:jar:1.7.25
How are libraries used?
Transitive dependencies
+- org.springframework.boot:spring-boot-starter-web:jar:1.4.7.RELEASE
|  +- org.springframework.boot:spring-boot-starter:jar:1.4.7.RELEASE
|  |  +- org.springframework:spring-core:jar:4.3.9.RELEASE
|  |  \- org.yaml:snakeyaml:jar:1.17:runtime
|  +- com.fasterxml.jackson.core:jackson-databind:jar:2.8.8
|  |  +- com.fasterxml.jackson.core:jackson-annotations:jar:2.8.8
|  |  \- com.fasterxml.jackson.core:jackson-core:jar:2.8.8
\- ch.qos.logback:logback-classic:jar:1.1.11
   +- ch.qos.logback:logback-core:jar:1.1.11
   \- org.slf4j:slf4j-api:jar:1.7.25
CVE-2017-17485
A simplified view :)
[Diagram: the dependency tree above, simplified. "Sample project 1.0" with spring-boot 1.4.7, spring-core 4.3.9, snakeyaml 1.17, logback 1.1.11, slf4j 1.7.25 and jackson 2.8.8; CVEs pinned on the tree: CVE-2017-17485, CVE-2017-5929, CVE-2018-5968, CVE-2017-15095, CVE-2017-7525]
Images courtesy of 1001freedownloads.com
What is a vulnerability?
A weakness in a library that will allow an attacker to compromise the underlying system.
You may incorporate a vulnerability even if you are using an old version of a library, maybe because you did not upgrade to a major release.
Examples:
● vert.x 3.5.1 (latest on 10/04/2018)
● struts 2.5.16 (latest on 10/04/2018)
● spring boot 1.5.9 (released on 09/2017)
Demo
Exploiting CVE-2017-7525: how to remotely execute Java code
– Starring
● Jackson-Databind
● Your server
– Supporting actors
● JSON deserialisation
● Xalan
Preventive measures
● Integrate a library scan in your CI/CD
● Different options available
– big commercial powerhouses
● blackducksoftware
– small commercial targeted solutions
● bithound.io (nodejs)
● hakiri.io (ruby)
● meterian.io (java)
– opensource options
● dependency-check
● github
WARNING!!! SHAMELESS PLUG HERE!
Images courtesy of freepik.com
Preventive measures
What would a detection system have said?
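As an added example (not the talk's code and not from the author's repository), assuming a dependency:tree layout as printed on the slides: the script below parses the tree, tells direct nodes from transitive ones, and matches each against a constructed two-entry advisory table, which is roughly what a detection system in CI would have reported for this project and why the "I don't call that function" delusion does not help with a transitive jackson-databind.

```python
"""Flag vulnerable direct and transitive nodes in `mvn dependency:tree` output."""
import re
from typing import Dict, List, Tuple

# Constructed sample input: the tree printed on the "How are libraries used?" slides.
TREE = """\
+- org.springframework.boot:spring-boot-starter-web:jar:1.4.7.RELEASE
|  +- org.springframework.boot:spring-boot-starter:jar:1.4.7.RELEASE
|  |  +- org.springframework:spring-core:jar:4.3.9.RELEASE
|  |  \\- org.yaml:snakeyaml:jar:1.17:runtime
|  +- com.fasterxml.jackson.core:jackson-databind:jar:2.8.8
|  |  +- com.fasterxml.jackson.core:jackson-annotations:jar:2.8.8
|  |  \\- com.fasterxml.jackson.core:jackson-core:jar:2.8.8
\\- ch.qos.logback:logback-classic:jar:1.1.11
   +- ch.qos.logback:logback-core:jar:1.1.11
   \\- org.slf4j:slf4j-api:jar:1.7.25
"""

# Constructed advisory sample: group:artifact -> [(CVE, first fixed version)].
# Both entries follow the public NVD records for the 2.8 and 1.x branches; a real
# scanner pulls a full feed and knows that fixes are branch-specific (2.6.7.1, 2.7.9.1).
ADVISORIES: Dict[str, List[Tuple[str, str]]] = {
    "com.fasterxml.jackson.core:jackson-databind": [("CVE-2017-7525", "2.8.9")],
    "ch.qos.logback:logback-classic": [("CVE-2017-5929", "1.2.0")],
}

# One tree node: an indent of pipes/spaces, then "+- " or "\- ", then the coordinates.
NODE = re.compile(r"^([|\s]*)[+\\]- (\S+)$")


def parse_tree(text: str) -> List[Tuple[int, str, str]]:
    """Return (depth, group:artifact, version) per node; depth 0 means direct."""
    nodes = []
    for line in text.splitlines():
        m = NODE.match(line)
        if not m:
            continue                           # header, "[INFO]" noise, blank lines
        depth = len(m.group(1)) // 3           # Maven indents three columns per level
        parts = m.group(2).split(":")          # group:artifact:type:version[:scope]
        nodes.append((depth, f"{parts[0]}:{parts[1]}", parts[3]))
    return nodes


def version_key(v: str) -> Tuple[int, ...]:
    """Compare numeric components only, so '4.3.9.RELEASE' -> (4, 3, 9)."""
    return tuple(int(p) for p in re.findall(r"\d+", v))


def scan(text: str) -> List[Dict[str, str]]:
    """One finding per (node, CVE) whose version is below the fixed version."""
    findings = []
    for depth, ga, version in parse_tree(text):
        for cve, fixed in ADVISORIES.get(ga, []):
            if version_key(version) < version_key(fixed):
                findings.append({"cve": cve, "artifact": ga, "version": version,
                                 "fixed_in": fixed,
                                 "kind": "direct" if depth == 0 else "transitive"})
    return findings


def ci_exit_code(text: str) -> int:
    """Non-zero when anything is flagged, so a CI/CD stage fails the build."""
    return 1 if scan(text) else 0


if __name__ == "__main__":
    for f in scan(TREE):
        print(f"{f['cve']}: {f['artifact']} {f['version']} ({f['kind']}), "
              f"fixed in {f['fixed_in']}")
    raise SystemExit(ci_exit_code(TREE))
```

Run against the slide's tree it reports jackson-databind 2.8.8 as a transitive hit for CVE-2017-7525 and logback-classic 1.1.11 as a direct hit for CVE-2017-5929, and exits 1.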
Common delusions
Images courtesy of freepik.com
“Hello, I am the tech savvy engineering leader!”
Common delusions - 1
Images courtesy of freepik.com
“My code is not using that function, I am perfectly safe”
Common delusions - 2
Images courtesy of freepik.com
“I am shielded by my input validation, I am perfectly safe”
Common delusions - 3
Images courtesy of freepik.com
“I am running a periodic penetration test, I am safe”
Conclusions
● Every project uses open source libraries
● Exploits for common vulnerabilities in open source libraries are out there
● They are easily exploitable (c'mon, I did one in two hours!!!)
● The only solution that can work is putting in place a prevention mechanism
● DO IT NOW!
Q&A
Public databases:
https://cve.mitre.org/
https://nvd.nist.gov/
The code used today:
https://github.com/bbossola/vulnerability-java-samples
OWASP dependency-check:
https://www.owasp.org/index.php/OWASP_Dependency_Check
Meterian:
https://www.meterian.io
Are you using an opensource library? There's a good chance you are vulnerable...
Editor's Notes

  1. Introduce meterian clearly: “we help companies to ship software without vulnerabilities”. Startup, I am a cofounder with Vivian (PM).
  2. San Francisco Metropolitan Transit Agency: 2,112 systems impacted, a weekend of free rides. Exploit of an object serialisation issue in apache commons-collections, sending crafted binary traffic over the T3 protocol. Operation Rosebud: a team of 50 Google employees used GitHub to patch the “Apache Commons Collections Deserialization Vulnerability” in thousands of open source projects. Note that the attack was in 2016 while the vulnerability was from 2015!
  3. Canada Revenue Agency: undisclosed impact (or “nothing happened, trust us”). Exploit of a vulnerability in the multipart parser in Apache Struts2 which allows remote attackers to execute arbitrary commands via a crafted header. Zero day vulnerability.
  4. Equifax, one of the three biggest credit rating agencies in the USA: 143 million US citizens impacted, 44 million UK citizens impacted. Exploit (again) of a vulnerability in the multipart parser in Apache Struts2, almost 3 months after it was public (remember CRA?); announced only in September.
  5. logging (jokes about logging and its history, about NIH syndrome); web: spring, jersey, dropwizard; js: jquery, bootstrap, angular; Bouncycastle: more cipher suites and algorithms, ability to read arcane formats like PEM and ASN.1; librec (more than 70 algorithms).
  6. spring is #1 on hotframeworks.com / java; struts is #5 on hotframeworks.com; vert.x is #6 on hotframeworks.com.