
Software Supply Chain Security and Components with Known Vulnerabilities


Video: https://youtu.be/hYcGFs1H6kU

Published in: Technology


  1. Software Supply Chain Security. A9: Using Components with Known Vulnerabilities
  2. Agenda
     • OWASP Top 10. 2017. A9. Using Components with Known Vulnerabilities
     • Example 1. NodeJS + decompress npm package
     • Example 2. Ruby on Rails + rubyzip gem
     • Recommendations and tools
     • Q&A
  3. Is the Application Vulnerable?
     • You do not know the versions of all components you use
     • Software is vulnerable, unsupported, or out of date
     • You do not scan for vulnerabilities regularly
     • You do not subscribe to security bulletins
     • You do not fix or upgrade the underlying platform, frameworks, and dependencies in a risk-based, timely fashion
     • Developers do not test the compatibility of updated, upgraded, or patched libraries
     • You do not secure the components’ configurations (OWASP Top-10 A6:2017-Security Misconfiguration)
  4-7. Example 1. NodeJS + decompress npm package
  8-10. Example 2. Ruby on Rails + rubyzip gem
  11. SAMM 2.0
  12. OWASP Application Security Verification Standard
  13. Tools
     • npm audit
     • Retire.js
     • Vulners agent/nmap/nessus/etc.
     • OWASP Dependency-Check
     • OWASP Dependency-Track
  14. OWASP Dependency-Check
     • https://owasp.org/www-project-dependency-check/
     • Version 5.3.2
     • Command Line
     • Ant Task
     • Maven Plugin
     • Gradle Plugin
     • Jenkins/SBT/Leiningen Plugin
  15. OWASP Dependency-Track
     • 3.8.0
     • Intelligent Supply Chain Component Analysis platform
     • Open Source
     • Dashboard
     • API and Integration
  16. OWASP Dependency-Track
  17. Links
     • https://owasp.org/www-project-top-ten/OWASP_Top_Ten_2017/
     • https://owasp.org/www-project-dependency-check/
     • https://owasp.org/www-project-dependency-track/
     • https://owasp.org/www-project-application-security-verification-standard/
     • https://owasp.org/www-project-samm/
  18. Q&A
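The first two checks on slide 3 (knowing every component's version, and comparing it against security bulletins) are what npm audit and Dependency-Check (slide 13) automate. The following added example, not part of the talk, shows the core of that check in Python: it builds a component inventory from a constructed package-lock.json and matches it against a constructed advisory list (hypothetical advisory IDs and fixed versions, not real bulletins), flagging unpinned components as findings too.

```python
import json

# Constructed sample package-lock.json (lockfileVersion 3 shape); not from the talk.
SAMPLE_LOCK = json.dumps({
    "name": "demo-app", "lockfileVersion": 3,
    "packages": {
        "": {"name": "demo-app", "version": "1.0.0"},
        "node_modules/decompress": {"version": "4.1.0"},
        "node_modules/example-lib": {"version": "2.1.5"},
        "node_modules/unpinned-lib": {},
    },
})

# Constructed advisory feed: hypothetical IDs and fixed versions, NOT real bulletins.
SAMPLE_ADVISORIES = [
    {"id": "EXAMPLE-ADV-1", "package": "decompress", "fixed_in": "4.2.0"},
    {"id": "EXAMPLE-ADV-2", "package": "example-lib", "fixed_in": "2.0.0"},
]

def parse_version(v):
    """Split 'MAJOR.MINOR.PATCH' into an int tuple; pre-release/build tags are dropped."""
    core = v.split("-", 1)[0].split("+", 1)[0]
    return tuple(int(p) for p in core.split("."))

def inventory(lock_text):
    """Map package name -> installed version (None when the lockfile pins no version)."""
    lock = json.loads(lock_text)
    result = {}
    for path, meta in lock.get("packages", {}).items():
        if not path:
            continue  # the root project entry, not a dependency
        name = path.rsplit("node_modules/", 1)[-1]  # handles nested and @scoped paths
        result[name] = meta.get("version")
    return result

def audit(lock_text, advisories):
    """Return findings as (package, installed_version, advisory_id) tuples."""
    findings = []
    for name, version in inventory(lock_text).items():
        if version is None:
            findings.append((name, None, "UNKNOWN-VERSION"))  # cannot assess: a finding itself
            continue
        for adv in advisories:
            if adv["package"] == name and parse_version(version) < parse_version(adv["fixed_in"]):
                findings.append((name, version, adv["id"]))
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE_LOCK, SAMPLE_ADVISORIES):
        print(finding)
```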
